Execution of Roost ASREP attack - ties2/Red-Team GitHub Wiki

ASREP Roasting, also called the ASREP Roast attack, is a technique that exploits Kerberos authentication, the core authentication protocol in Active Directory (AD) environments. The attack extracts encrypted password hashes for user accounts that do not require pre-authentication. The Roost ASREP attack is one of the latest and most effective variations of the ASREP Roasting attack.

In this attack, the attacker sends a forged Authentication Service request (AS-REQ) to the Kerberos Key Distribution Center (KDC) for a user account that does not require pre-authentication. The KDC responds with the encrypted hash of the user's password in its reply (AS-REP), which the attacker can then crack to gain access to the user's account.

The Roost ASREP attack was first introduced by a researcher named Dirk-jan Mollema in January 2019, and it works by exploiting a weakness in the Microsoft Windows implementation of the Kerberos protocol.

The attack is named Roost ASREP because it leverages the "roost" command in the Impacket toolset, a Python library for manipulating network protocols. The Roost command sends a forged AS-REQ with the "Do not require Kerberos preauthentication" flag set to the KDC in order to obtain the AS-REP response.

The Roost ASREP attack can be carried out using a variety of tools, including Impacket, Rubeus, and Mimikatz.

Example:

The following is an example of how the Roost ASREP attack can be executed using the Impacket toolset:

1. The attacker uses the Impacket toolset to send a fake AS-REQ request with the "Do not require Kerberos preauthentication" flag set to the KDC for a user account that does not require pre-authentication.

2. The KDC responds with the encrypted hash of the user's password (AS-REP).

3. The attacker then uses a password cracking tool such as Hashcat or John the Ripper to crack the encrypted hash and obtain the user's password.

4. With the user's password, the attacker can then gain access to the user's account and potentially access sensitive information.
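As an added defensive example (not code from the original wiki page), the following Python covers both sides of the exposure the steps above describe: an audit check for AD accounts that carry the DONT_REQ_PREAUTH bit in userAccountControl, and a detection pass over Kerberos 4768 (TGT request) events that flags requests made without pre-authentication. The log lines are constructed and use a simplified key=value form rather than the real Windows event XML; the field names follow the 4768 event schema.

```python
import re
from typing import Dict, List

# userAccountControl bit DONT_REQ_PREAUTH: accounts with it set answer an
# AS-REQ without pre-authentication, which is what AS-REP roasting relies on.
DONT_REQ_PREAUTH = 0x400000

# In event 4768, Pre-Authentication Type 0 means the AS-REQ carried no
# pre-auth data; ticket encryption type 0x17 is RC4-HMAC, the cheapest to crack.
NO_PREAUTH = 0
RC4_HMAC = 0x17

# Constructed sample 4768/4769 lines in a simplified key=value form
# (not real Windows event XML); field names follow the 4768 event schema.
SAMPLE_4768 = """\
EventID=4768 TargetUserName=svc_backup PreAuthType=0 TicketEncryptionType=0x17 IpAddress=10.0.0.5
EventID=4768 TargetUserName=alice PreAuthType=2 TicketEncryptionType=0x12 IpAddress=10.0.0.7
EventID=4768 TargetUserName=svc_report PreAuthType=0 TicketEncryptionType=0x12 IpAddress=10.0.0.5
EventID=4769 TargetUserName=alice PreAuthType=2 TicketEncryptionType=0x12 IpAddress=10.0.0.7
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_event(line: str) -> Dict[str, str]:
    """Turn one key=value log line into a dict of its fields."""
    return dict(FIELD_RE.findall(line))

def account_skips_preauth(user_account_control: int) -> bool:
    """True when DONT_REQ_PREAUTH is set; such accounts should be remediated."""
    return bool(user_account_control & DONT_REQ_PREAUTH)

def find_asrep_roast_indicators(log: str) -> List[Dict[str, str]]:
    """Return 4768 events whose AS-REQ carried no pre-authentication.

    Hits are tagged 'high' when the reply was also RC4-encrypted (fast to
    crack offline) and 'medium' otherwise.
    """
    hits = []
    for line in log.splitlines():
        ev = parse_event(line)
        if ev.get("EventID") != "4768":
            continue
        if int(ev.get("PreAuthType", "-1")) != NO_PREAUTH:
            continue
        etype = int(ev.get("TicketEncryptionType", "0"), 16)
        ev["severity"] = "high" if etype == RC4_HMAC else "medium"
        hits.append(ev)
    return hits
```

In a real deployment the same filter (EventID 4768, PreAuthType 0) is what you would place in the SIEM query; pairing it with a periodic audit of the userAccountControl bit lets you remove the exposure rather than only alert on it.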

Sources: