This will automatically find all accounts that do not require preauthentication and extract their AS-REP hashes for offline cracking, as shown here: Using Rubeus, you can easily perform AS-REP Roasting to see how this attack would work in your environment. Simply issue the following command: Rubeus.exe asreproast Luckily, preauthentication is enabled by default in Active Directory. However, it can be disabled for a user account using the setting shown below: Since part of that message is encrypted using the user’s password, the attacker can then attempt to brute-force the user’s password offline.
However, if preauthentication is disabled, an attacker could request authentication data for any user and the DC would return an AS-REP message. If the DC can decrypt that timestamp using its own record of the user’s password hash, it will send back an Authentication Server Response (AS-REP) message that contains a Ticket Granting Ticket (TGT) issued by the Key Distribution Center (KDC), which is used for future access requests by the user.
The timestamp on that message is encrypted with the hash of the user’s password. When preauthentication is enabled, a user who needs access to a resource begins the Kerberos authentication process by sending an Authentication Server Request (AS-REQ) message to the domain controller (DC).
0 kommentar(er)
