
H3-2021-0011

Kerberos Pre-Authentication Disabled

Category: SECURITY_MISCONFIGURATION
Base Score: 7.5

Description

AS-REP Roasting is an attacker technique that exploits a misconfiguration in Microsoft Active Directory. When Kerberos pre-authentication is disabled for an account, it allows an attacker to request authentication data for that account without proving knowledge of the account's password. The attacker can then capture the Authentication Server Response (AS-REP) message from the domain controller, which contains data encrypted with the user's password hash. The attacker can subsequently perform offline password-cracking attacks on this data to reveal the user's password.

Impact

By exploiting this misconfiguration, an attacker can potentially compromise the credentials for misconfigured domain user accounts and gain unauthorized access to those accounts. This access can lead to further attacks within the network, such as privilege escalation and lateral movement.
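One way to audit a domain for this misconfiguration and preview the fix is shown below. It is an added example, not part of the original advisory. It assumes the ActiveDirectory PowerShell module (RSAT) is installed and that the operator has read access to the domain. The output file name `preauth-disabled.csv` is an arbitrary choice.

```powershell
# Added example: find user accounts with Kerberos pre-authentication disabled.
Import-Module ActiveDirectory

# DONT_REQ_PREAUTH is bit 0x400000 (4194304) of userAccountControl.
# 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule, so this
# filter matches every user object that has that bit set.
$ldapFilter = '(&(objectCategory=person)(objectClass=user)' +
              '(userAccountControl:1.2.840.113556.1.4.803:=4194304))'

$findings = Get-ADUser -LDAPFilter $ldapFilter `
        -Properties adminCount, PasswordLastSet, LastLogonDate |
    Select-Object SamAccountName, Enabled,
        @{ Name = 'Privileged'; Expression = { $_.adminCount -eq 1 } },
        PasswordLastSet, LastLogonDate, DistinguishedName |
    # Enabled and privileged accounts first: they carry the most risk.
    Sort-Object -Property @{ Expression = 'Enabled';    Descending = $true },
                          @{ Expression = 'Privileged'; Descending = $true }

if (-not $findings) {
    Write-Output 'No user accounts have pre-authentication disabled.'
    return
}

$findings | Format-Table -AutoSize
$findings | Export-Csv -Path .\preauth-disabled.csv -NoTypeInformation

# Remediation preview: require pre-authentication again on enabled accounts.
# -WhatIf only reports what would change; remove it after reviewing the list.
$findings | Where-Object Enabled | ForEach-Object {
    Set-ADAccountControl -Identity $_.DistinguishedName `
        -DoesNotRequirePreAuth $false -WhatIf
}
```

Because an AS-REP captured earlier can still be cracked offline, re-enabling pre-authentication should be paired with a password reset for each affected account.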
