Skip to content

ASREP Roasting

links: SPA TOC - Kerberos - Index


ASREP Roasting

  • Attack to extract account credential hashes from AD for offline cracking
  • Attacker only interacts with KDC (DC)
  • Attack: With Pre-Authentication disabled for a user, anyone can request a TGT for this user
    • The TGT is encrypted with the users password hash \(\rightarrow\) brute force, same situation as Kerberoasting
  • Requirements
    • Pre-authentication is disabled for the target account
    • Connection to KDC

Countermeasures

  • Do not disable pre-authentication
  • Strong password policy
  • Train users
  • Restrict privileges
  • Actively check for ASREP-roastable accounts
  • Implement monitoring to look for TGT requests for ASREP-roastable accounts

links: SPA TOC - Kerberos - Index