Obtaining AS-REP hashes through ARP poisoning
Introduction
Note: The research and tooling covered in this post are not my original work. All credit goes to Yaxxine7 for creating the ASRepCatcher tool and doing all the heavy lifting!
AS-REP roasting is a well-documented Kerberos attack where an attacker can obtain and crack hashes for accounts with preauthentication disabled.
However, instead of looking for accounts that have preauthentication manually disabled, ASRepCatcher performs a man-in-the-middle attack between clients and the domain controller, allowing an attacker to obtain AS-REP hashes from authenticating users regardless of whether preauthentication is normally required.
Kerberos Authentication
Before diving into how the attack works, it helps to understand the Kerberos authentication flow at a high level:
- Authentication Service Request (AS-REQ): The client requests authentication from the Key Distribution Center (KDC).
- Authentication Service Response (AS-REP): After validating the client’s preauthentication data, the KDC responds with an AS-REP containing a Ticket Granting Ticket (TGT).
- Ticket Granting Service Request (TGS-REQ): The client presents the TGT back to the KDC and requests a ticket for a service.
- Ticket Granting Service Response (TGS-REP): The KDC responds with a Service Ticket (ST) encrypted for the destination service.
- Service Authentication: The client presents the ST to the destination service and gains access.
For this post, I want to focus on the AS-REQ and AS-REP steps.
Preauthentication and AS-REP Roasting
When a client initially sends an AS-REQ message to the KDC, it typically does not provide any data in the PA-DATA section of the request.
Upon receiving the AS-REQ message, the KDC checks whether preauthentication is required for the requesting account. If it is, the KDC returns a KRB5KDC_ERR_PREAUTH_REQUIRED error, and the client must re-submit with a valid timestamp encrypted by the user’s password.

Image credit: mochabyte
If preauthentication is not required for the requesting account, the KDC sends an AS-REP message containing two key structures:
- ticket: The TGT encrypted with the KDC’s password (KRBTGT hash)
- enc-part: Encrypted with the user’s password. Contains the session key, among other things, for future use of the included TGT.

AS-REP Roasting specifically targets the enc-part of the AS-REP message.
ARP Poisoning
ARP (Address Resolution Protocol) is a layer 2 protocol that maps IP addresses to MAC addresses on a local network. Since ARP has no authentication, any host can broadcast a spoofed ARP reply claiming to own any IP, and clients will update their ARP cache accordingly. This is known as ARP poisoning, where an attacker can convince clients that their MAC address belongs to another host’s IP.
In this context, the attacker claims that their own MAC address corresponds to the domain controller’s IP address. If successful, victim computers send their AS-REQ messages to the attacker machine, which captures them and forwards them to the actual domain controller in order to obtain an AS-REP hash.
Using ASRepCatcher
To perform the ARP poisoning attack and obtain AS-REP hashes from authenticating users, start ASRepCatcher in relay mode. Relay mode also attempts to downgrade the Kerberos encryption type to RC4, producing a $krb5asrep$23$ hash that is far cheaper to crack offline than the AES-based encryption types used by modern Kerberos clients.
ASRepCatcher relay -dc 10.0.1.40
Once a victim user authenticates via Kerberos, we capture their AS-REQ message, relay it to the DC, and obtain their AS-REP hash.

We can additionally see that the downgrade to RC4 was successful, as the hash begins with $23$. This indicates the domain permits weaker encryption algorithms.
To crack the AS-REP hash and recover the victim’s password, we can use the following command:
hashcat -m 18200 asrep wordlist

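The $23$ marker above is the defender's signal as well: the DC logs the encryption type it issued each TGT with. Added example (not from the post or ASRepCatcher): a small detection pass over constructed records modelled on Windows Security event 4768 (TGT requested), using the event's Ticket Encryption Type and Pre-Authentication Type fields in a simplified dict form, flagging RC4 TGTs, no-preauth TGTs, and accounts whose TGTs change from AES to RC4.

```python
# Added example, not part of the original post or of ASRepCatcher. The records
# below are constructed, simplified stand-ins for Windows event 4768 fields
# (Ticket Encryption Type, Pre-Authentication Type, Result Code); they are not
# a parser for the real event XML.

RC4_HMAC = 0x17            # Ticket Encryption Type for RC4 (the $krb5asrep$23$ case)
AES_ETYPES = {0x11, 0x12}  # AES128 / AES256
PA_NONE = 0                # Pre-Authentication Type 0: no preauth data supplied

# Constructed sample records; 10.0.1.41 is the victim address from the post.
SAMPLE_4768 = [
    {"account": "alice", "client_ip": "10.0.1.41", "etype": 0x12, "preauth": 2, "result": 0x0},
    {"account": "alice", "client_ip": "10.0.1.41", "etype": 0x17, "preauth": 2, "result": 0x0},
    {"account": "svc_legacy", "client_ip": "10.0.1.50", "etype": 0x17, "preauth": 0, "result": 0x0},
    {"account": "bob", "client_ip": "10.0.1.42", "etype": 0x17, "preauth": 2, "result": 0x18},
]


def classify(rec):
    """Return finding tags for one 4768-style record (empty list if benign)."""
    findings = []
    if rec["result"] != 0:
        return findings  # failed request: no AS-REP enc-part was issued
    if rec["etype"] == RC4_HMAC:
        findings.append("rc4_tgt")
        if rec["preauth"] == PA_NONE:
            findings.append("no_preauth")  # the classic AS-REP roasting case
    return findings


def detect(records, baseline=None):
    """Flag RC4 TGTs, and additionally flag an account whose last successful
    TGT used AES but now comes back as RC4 (the downgrade pattern)."""
    last_etype = dict(baseline or {})
    alerts = []
    for rec in records:
        tags = classify(rec)
        if rec["result"] == 0:
            prev = last_etype.get(rec["account"])
            if prev in AES_ETYPES and rec["etype"] == RC4_HMAC:
                tags.append("downgrade_from_aes")
            last_etype[rec["account"]] = rec["etype"]
        if tags:
            alerts.append((rec["account"], rec["client_ip"], tuple(tags)))
    return alerts
```

The downgrade tag is the one worth paging on in a domain where AES is the norm; a steady stream of rc4_tgt for one legacy service account is usually a configuration finding rather than an incident.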
Looking at Network Traffic
The following capture, taken during the attack, shows each stage in detail. The relevant hosts in the environment are:
- Attacker: IP address 10.0.1.30, MAC address bc:24:11:e3:8c:8f
- Domain Controller: IP address 10.0.1.40, MAC address bc:24:11:c7:57:7e
- Victim Machine: IP address 10.0.1.41
First, the attacker uses ARP to broadcast messages claiming that their MAC address, bc:24:11:e3:8c:8f, corresponds to the domain controller’s IP address, 10.0.1.40.

With the network poisoned, the victim 10.0.1.41 sends an AS-REQ message to 10.0.1.40, which now points to the attacker’s MAC address, and is relayed to the domain controller.

After receiving the second AS-REQ message with populated PA-DATA, the attacker downgrades the encryption to RC4 and forwards the request to the real domain controller.

The domain controller responds with a TGT and AS-REP hash, which completes the attack.

Once complete, the attacker restores the MAC address associated with the domain controller’s IP address.

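Every stage above is visible on the wire as a change in which MAC claims 10.0.1.40, including the restore at the end. Added example (not from the post or ASRepCatcher): an arpwatch-style audit over constructed ARP replies, using the addresses listed above, that pins the DC's IP to its real MAC and raises a "poison" event when another MAC claims it and a "restore" event when the mapping flips back.

```python
# Added example, not part of the original post or of ASRepCatcher. The reply
# list is constructed (timestamps invented); the IPs and MACs are the ones the
# post lists for the attacker and the domain controller.
from collections import namedtuple

ArpReply = namedtuple("ArpReply", "t sender_ip sender_mac")

DC_IP, DC_MAC = "10.0.1.40", "bc:24:11:c7:57:7e"
ATTACKER_MAC = "bc:24:11:e3:8c:8f"

# Static pins an operator maintains for hosts that must never change MAC.
PINNED = {DC_IP: DC_MAC}

SAMPLE_REPLIES = [
    ArpReply(0.0, DC_IP, DC_MAC),                      # normal DC traffic
    ArpReply(1.0, DC_IP, ATTACKER_MAC),                # poisoning begins
    ArpReply(1.5, DC_IP, ATTACKER_MAC),                # repeated spoofed replies
    ArpReply(9.0, DC_IP, DC_MAC),                      # attacker restores real MAC
    ArpReply(9.5, "10.0.1.41", "bc:24:11:aa:bb:cc"),   # unpinned host, ignored
]


def audit(replies, pinned):
    """Return (alerts, table). table is the last MAC seen per IP. An alert is
    raised only when the MAC claimed for a pinned IP changes: moving to a
    foreign MAC is 'poison', moving back to the pinned MAC is 'restore'."""
    table = {}
    alerts = []
    for r in replies:
        prev = table.get(r.sender_ip)
        table[r.sender_ip] = r.sender_mac
        expected = pinned.get(r.sender_ip)
        if expected is None or prev == r.sender_mac:
            continue  # unpinned host, or no change since the last observation
        if r.sender_mac != expected:
            alerts.append(("poison", r.t, r.sender_ip, prev, r.sender_mac))
        elif prev is not None:
            alerts.append(("restore", r.t, r.sender_ip, prev, r.sender_mac))
    return alerts, table
```

On a real segment the same logic runs over ARP frames from a SPAN port or a host's own ARP cache; the repeated replies at 1.0 and 1.5 are collapsed into a single poison event so the restore stands out as the attack's end.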
Conclusion
By performing a man-in-the-middle attack, ASRepCatcher demonstrates that AS-REP roasting is no longer limited to accounts that have preauthentication disabled. By intercepting and relaying Kerberos authentication, the tool attempts to downgrade encryption to RC4 and obtain crackable AS-REP hashes from authenticating users, significantly expanding the opportunities for initial access.