Common Information
Type | Value |
---|---|
Value | AS-REP Roasting - T1558.004 |
Category | Attack-Pattern |
Type | Mitre-Attack-Pattern |
Misp Type | Cluster |
Description | Adversaries may reveal credentials of accounts that have disabled Kerberos preauthentication by [Password Cracking](https://attack.mitre.org/techniques/T1110/002) Kerberos messages.(Citation: Harmj0y Roasting AS-REPs Jan 2017) Preauthentication offers protection against offline [Password Cracking](https://attack.mitre.org/techniques/T1110/002). When enabled, a user requesting access to a resource initiates communication with the Domain Controller (DC) by sending an Authentication Server Request (AS-REQ) message with a timestamp that is encrypted with the hash of their password. If and only if the DC is able to successfully decrypt the timestamp with the hash of the user’s password, it will then send an Authentication Server Response (AS-REP) message that contains the Ticket Granting Ticket (TGT) to the user. Part of the AS-REP message is signed with the user’s password.(Citation: Microsoft Kerberos Preauth 2014) For each account found without preauthentication, an adversary may send an AS-REQ message without the encrypted timestamp and receive an AS-REP message with TGT data which may be encrypted with an insecure algorithm such as RC4. The recovered encrypted data may be vulnerable to offline [Password Cracking](https://attack.mitre.org/techniques/T1110/002) attacks similarly to [Kerberoasting](https://attack.mitre.org/techniques/T1558/003) and expose plaintext credentials.(Citation: Harmj0y Roasting AS-REPs Jan 2017)(Citation: Stealthbits Cracking AS-REP Roasting Jun 2019) An account registered to a domain, with or without special privileges, can be abused to list all domain accounts that have preauthentication disabled by utilizing Windows tools like [PowerShell](https://attack.mitre.org/techniques/T1059/001) with an LDAP filter. Alternatively, the adversary may send an AS-REQ message for each user. If the DC responds without errors, the account does not require preauthentication and the AS-REP message will already contain the encrypted data.(Citation: Harmj0y Roasting AS-REPs Jan 2017)(Citation: Stealthbits Cracking AS-REP Roasting Jun 2019) Cracked hashes may enable [Persistence](https://attack.mitre.org/tactics/TA0003), [Privilege Escalation](https://attack.mitre.org/tactics/TA0004), and [Lateral Movement](https://attack.mitre.org/tactics/TA0008) via access to [Valid Accounts](https://attack.mitre.org/techniques/T1078).(Citation: SANS Attacking Kerberos Nov 2014) |
Details | Published | Attributes | CTI | Title | ||
---|---|---|---|---|---|---|
Details | Website | 2024-11-11 | 6 | Hacking Active Directory and Earn upto $30,000. | ||
Details | Website | 2024-10-29 | 2 | ACTIVE DIRECTORY SECURITY | ||
Details | Website | 2024-10-25 | 23 | GOAD Part 1 | ||
Details | Website | 2024-10-20 | 8 | Create a lab in Active Directory for hacking for FREE | ||
Details | Website | 2024-10-08 | 3 | Vulnerable Active Directory | ||
Details | Website | 2024-10-04 | 1 | HTB’s Certified Penetration Testing Specialist (CPTS) Review | ||
Details | Website | 2024-10-03 | 7 | AS-REP Roasting in Active Directory | ||
Details | Website | 2024-09-30 | 0 | Active Directory attack guidance issued by Five Eyes | ||
Details | Website | 2024-09-27 | 4 | Cyber Briefing: 2024.09.27 | ||
Details | Website | 2024-09-20 | 3 | Exploring the Depths of Kerberos Authentication | ||
Details | Website | 2024-09-18 | 7 | DOMAIN ADMINS HATE THEM: DCSync Attacks | ||
Details | Website | 2024-09-09 | 33 | Threat Intelligence Report 3rd September – 9th September 2024 | ||
Details | Website | 2024-09-06 | 44 | Centralized Systems Primer Series | Want to understand AD & its attack surface? Exclusive in-depth material (Part 2) | CTF导航 | ||
Details | Website | 2024-09-02 | 456 | RST TI Report Digest: 02 Sep 2024 | ||
Details | Website | 2024-09-02 | 28 | Threat Intelligence Report 27th August – 2nd September 2024 | ||
Details | Website | 2024-08-30 | 1 | Kerberos Attacks in Windows Active Directory | TryHackMe Attacking Kerberos | ||
Details | Website | 2024-08-22 | 1 | Service Account Abuse - ReliaQuest | ||
Details | Website | 2024-07-29 | 0 | Microsoft Defender for Identity Recommended Actions: Set a honeytoken account | ||
Details | Website | 2023-10-23 | 273 | Red Team Tools | ||
Details | Website | 2023-09-28 | 5 | The Client/Server Relationship — A Match Made In Heaven | ||
Details | Website | 2023-08-17 | 5 | The Client/Server Relationship — A Match Made In Heaven | Binary Defense | ||
Details | Website | 2023-07-10 | 18 | HackTheBox: Forest Walkthrough | ||
Details | Website | 2023-07-08 | 21 | HackTheBox: Sauna Walkthrough | ||
Details | Website | 2023-07-08 | 5 | OSCP 2023 — Tips for success | ||
Details | Website | 2023-06-24 | 16 | Attacking Kerberos — TryHackMe |