Active Directory is a prime target for attackers as it is used by 95% of Fortune 500 companies. The exploitation of this type of directory can easily expose sensitive data such as usernames and passwords.
Kerberos is a key component of Microsoft Active Directory. Unfortunately, it is often the subject of attacks by hackers. One of those is AS-REP Roasting.
Kerberos is a protocol that was originally built by the MIT to establish trust. Later, Microsoft has enhanced Kerberos with its protocol specifications and several extensions and added it to Active Directory.
Kerberos is the default authentication protocol for Microsoft Active Directory. It is used for authenticating users to a Windows machine part of an Active Directory domain.
Even though Kerberos is very secure, it has its own set of vulnerabilities. Some of these issues can be exploited by attackers when there are certain account settings in Active Directory.
Before a Kerberos account can be authenticated, it must be pre-authenticated. When pre-authentication is disabled by the user, this may present a vulnerability when a hacker can request authentication data for any user. This data can be used to break a password in an offline environment.
AS-REP Roasting is the technique that allows retrieving password hashes for users who turned pre-authentication off.
An attacker can find accounts that do not require pre-authentication by extracting the ticket-granting ticket (TGT) data. It is possible to do this with a tool like Rubeus.
Data can be turned into a format that can be cracked using, for example, Hashcat, an offline tool that can use brute-force password cracking.
An important step to prevent this kind of attack is to audit your Active Directory environment. And there should be no accounts with Kerberos pre-authentication off.
Aside from ensuring that your Active Directory settings are properly configured, you also want to make sure that all users have strong, complex passwords.
Also, it is important to prevent passwords from being found in a breached database. This is because compromised password hashes are used to crack passwords that were extracted using the AS-REP Roasting attack.
