Hacking Kerberos With AS-REP Roasting

Trevor Cohen
May 11, 2021

What Is Kerberos?

Kerberos, developed at MIT, is a network authentication protocol used by Active Directory. The Key Distribution Center (KDC) most commonly listens on port 88, with password management (kpasswd) on port 464.

The Kerberos protocol enables a client/user to identify itself to a server (and vice versa) across a network, thus providing strong mutual authentication. However, Kerberos does not authorize which services the client/user can access; that is normally done via LDAP.

Required OS / Software

  1. Kali Linux (OS)
  2. impacket (grab the latest stable release, unpack it and run 'pip install .' from the directory in which you placed it)

Target Susceptible to AS-REP Roasting?

AS-REP Roasting targets user accounts that have the "Do not require Kerberos preauthentication" account option enabled (pictured below).

We also require some information in order to run the attack:

  • Username(s) — in the photo below we show a username of "RoastMe"
  • Domain Name — in the photo below we show a domain name of Kerberos.internal
  • Target IP — our target IP in this case is 10.0.2.15
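The account option above is stored as one bit in the user's userAccountControl attribute. As an added example that is not code from the original post, the following Python flags accounts that carry that bit and shows the corrected attribute value with the bit cleared; the account records are constructed sample data standing in for what an LDAP query would return.

```python
# Added example (not from the original post): audit accounts for the
# "Do not require Kerberos preauthentication" flag (DONT_REQ_PREAUTH).
# The records below are constructed sample data, not real directory output.

DONT_REQ_PREAUTH = 0x400000   # 4194304, the bit the checkbox toggles
ACCOUNTDISABLE = 0x0002        # disabled accounts are refused by the KDC
NORMAL_ACCOUNT = 0x0200

SAMPLE_ACCOUNTS = [  # constructed sample data
    {"sAMAccountName": "RoastMe",    "userAccountControl": NORMAL_ACCOUNT | DONT_REQ_PREAUTH},
    {"sAMAccountName": "alice",      "userAccountControl": NORMAL_ACCOUNT | 0x10000},
    {"sAMAccountName": "svc_legacy", "userAccountControl": NORMAL_ACCOUNT | DONT_REQ_PREAUTH | ACCOUNTDISABLE},
    {"sAMAccountName": "bob",        "userAccountControl": NORMAL_ACCOUNT},
]


def preauth_not_required(uac: int) -> bool:
    """True when the DONT_REQ_PREAUTH bit is set in a userAccountControl value."""
    return bool(uac & DONT_REQ_PREAUTH)


def clear_preauth_flag(uac: int) -> int:
    """Return the userAccountControl value an administrator would write back
    to re-enable pre-authentication (every other bit is left untouched)."""
    return uac & ~DONT_REQ_PREAUTH


def find_roastable(accounts, include_disabled=False):
    """Return the sAMAccountNames whose account does not require pre-auth.

    Disabled accounts are skipped by default: the KDC will not issue them a
    ticket, so they are not roastable today, but they still deserve cleanup
    because re-enabling the account would re-expose it."""
    hits = []
    for acct in accounts:
        uac = acct["userAccountControl"]
        if not preauth_not_required(uac):
            continue
        if (uac & ACCOUNTDISABLE) and not include_disabled:
            continue
        hits.append(acct["sAMAccountName"])
    return hits


if __name__ == "__main__":
    for name in find_roastable(SAMPLE_ACCOUNTS, include_disabled=True):
        uac = next(a["userAccountControl"] for a in SAMPLE_ACCOUNTS if a["sAMAccountName"] == name)
        print(f"{name}: userAccountControl {uac:#x} -> {clear_preauth_flag(uac):#x}")
```

On a domain controller the same set of accounts can be listed directly with the Active Directory module, e.g. `Get-ADUser -Filter 'DoesNotRequirePreAuth -eq $true'`; the bit arithmetic above is what that filter evaluates.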

Running The Attack

Using the GetNPUsers.py script from impacket, we provide the domain name Kerberos.internal, the username RoastMe, and the target IP via the -dc-ip flag.

./GetNPUsers.py Kerberos.internal/RoastMe -dc-ip 10.0.2.15

If prompted for a password, DON'T TYPE ANYTHING and just hit Enter.

What we see outlined in red (in the screenshot) is the AS-REP message from the Kerberos Key Distribution Center. The AS-REP contains data encrypted with the user's key, which is derived from the user's password. Therefore we can use hashcat to crack that hash and recover the password for our user RoastMe.

We'll use hash type -m 18200, our hash from earlier (in single quotes), the rockyou.txt wordlist, which is already installed with Kali Linux (a zipped-up tarball can be found HERE), and --force to ignore warnings.

hashcat -m 18200 'HASH' /location/of/rockyou.txt --force

Lucky for us, our password was contained in the rockyou.txt dictionary! Once hashcat cracks the password, you can find it next to the hash.
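The exchange above leaves a trace on the domain controller: the AS-REQ/AS-REP pair is audited as Security event 4768, and a request that sent no pre-authentication shows "Pre-Authentication Type: 0", with the ticket encryption type telling you whether the returned blob is the RC4 (etype 23) format that mode 18200 cracks. As an added detection example that is not code from the original post, the following Python scans constructed 4768 records for that signature. The field names (TargetUserName, PreAuthType, TicketEncryptionType, IpAddress, Status) are the real 4768 event fields, but the one-line key=value layout is an assumption made for the sample, not the format of an exported event log.

```python
# Added example (not from the original post): flag AS-REP roasting in
# Windows Security event 4768 records. The log lines are constructed
# samples in a simplified key=value layout.
import re

EVENT_ID_TGT_REQUEST = 4768
PREAUTH_NONE = 0             # "Pre-Authentication Type: 0" = no pre-auth data sent
ETYPE_RC4_HMAC = 0x17        # etype 23, the hash format hashcat mode 18200 cracks
ETYPE_AES = {0x11, 0x12}     # etype 17/18, still roastable but far slower to crack

SAMPLE_EVENTS = """\
EventID=4768 TargetUserName=RoastMe TargetDomainName=KERBEROS.INTERNAL PreAuthType=0 TicketEncryptionType=0x17 IpAddress=::ffff:10.0.2.20 Status=0x0
EventID=4768 TargetUserName=alice TargetDomainName=KERBEROS.INTERNAL PreAuthType=2 TicketEncryptionType=0x12 IpAddress=::ffff:10.0.2.31 Status=0x0
EventID=4768 TargetUserName=ghost TargetDomainName=KERBEROS.INTERNAL PreAuthType=0 TicketEncryptionType=0x17 IpAddress=::ffff:10.0.2.20 Status=0x6
EventID=4769 TargetUserName=alice@KERBEROS.INTERNAL ServiceName=cifs/fs01 TicketEncryptionType=0x12 IpAddress=::ffff:10.0.2.31 Status=0x0
EventID=4768 TargetUserName=svc_legacy TargetDomainName=KERBEROS.INTERNAL PreAuthType=0 TicketEncryptionType=0x12 IpAddress=::ffff:10.0.2.20 Status=0x0
"""

_KV = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> dict:
    """Turn one 'key=value key=value' line into a dict; numeric fields become ints."""
    fields = dict(_KV.findall(line))
    for key in ("EventID", "PreAuthType", "TicketEncryptionType", "Status"):
        if key in fields:
            fields[key] = int(fields[key], 0)   # base 0 accepts both "0" and "0x17"
    return fields


def detect_asrep_roast(log_text: str):
    """Return one alert per successful TGT request that used no pre-authentication.

    Only Status 0x0 counts: on a failed request (unknown principal, disabled
    account) the KDC returns no encrypted AS-REP part, so there is nothing to crack.
    RC4 replies are rated high because they are cheap to brute-force offline."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev.get("EventID") != EVENT_ID_TGT_REQUEST:
            continue
        if ev.get("PreAuthType") != PREAUTH_NONE or ev.get("Status") != 0:
            continue
        etype = ev["TicketEncryptionType"]
        if etype == ETYPE_RC4_HMAC:
            severity = "high"
        elif etype in ETYPE_AES:
            severity = "medium"
        else:
            severity = "low"
        alerts.append({
            "user": ev["TargetUserName"],
            "client": ev.get("IpAddress", "?").replace("::ffff:", "", 1),
            "etype": etype,
            "severity": severity,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_asrep_roast(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] AS-REP without pre-auth for {alert['user']} "
              f"from {alert['client']} (etype {alert['etype']:#x})")
```

The same condition (event 4768, pre-auth type 0, ticket encryption type 0x17) is what a SIEM rule for this technique keys on; a burst of such events for many different accounts from one client address is the enumeration pattern, and a single one for an account that should require pre-auth is the finding to chase.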
