Kerberoasting and AS-REP Roasting Flashcards
What is Kerberoasting?
An attack that obtains encrypted TGS tickets for service accounts (accounts with SPNs) to crack their passwords offline.
What encryption types are vulnerable in Kerberoasting?
RC4-HMAC (weak) or AES (stronger, but still crackable if passwords are weak).
What accounts are targeted in Kerberoasting?
Service accounts (accounts with SPNs, like SQL/server1).
What tool is commonly used for Kerberoasting?
Tools like Rubeus, Impacket’s GetUserSPNs, or Mimikatz.
How do you detect Kerberoasting?
Look for:
Many TGS-REQ requests (Event ID 4769).
Use of RC4 encryption in tickets.
Unusual service account ticket requests.
How do you mitigate Kerberoasting?
Use AES encryption (disable RC4).
Assign long, complex passwords to service accounts.
Monitor for excessive TGS requests.
What is AS-REP Roasting?
An attack that steals encrypted AS-REP tickets from user accounts with pre-authentication disabled to crack passwords offline.
What setting enables AS-REP Roasting?
“Do not require Kerberos pre-authentication” enabled on a user account.
What tool is used for AS-REP Roasting?
Tools like Rubeus or Impacket’s GetNPUsers.
How do you detect AS-REP Roasting?
Look for AS-REQ requests without pre-authentication (Event ID 4768).
How do you mitigate AS-REP Roasting?
Enable Kerberos pre-authentication for all accounts.
Use strong passwords (harder to crack).
What’s the difference between Kerberoasting and AS-REP Roasting?
Kerberoasting targets service accounts (TGS tickets).
AS-REP Roasting targets user accounts with pre-auth disabled (AS-REP tickets).
Which part of Kerberos does each attack exploit?
Kerberoasting → TGS-REQ/TGS-REP (Ticket Granting Service).
AS-REP Roasting → AS-REQ/AS-REP (Authentication Service).
What’s the common goal of both attacks?
Steal encrypted tickets, crack them offline, and reveal plaintext passwords.
Example Rubeus command for Kerberoasting:
Rubeus.exe kerberoast /outfile:hashes.txt
Example Impacket command for AS-REP Roasting:
GetNPUsers.py DOMAIN/user -no-pass -dc-ip <IP> -outputfile hashes.txt
How to protect against both attacks?
Use AES encryption (not RC4).
Enforce strong passwords for all accounts.
Enable pre-authentication for all users.
Monitor logs for suspicious TGS/AS-REQ activity.
What Event ID tracks TGS requests (Kerberoasting)?
4769 (A Kerberos service ticket was requested).
What Event ID tracks AS-REQ requests (AS-REP Roasting)?
4768 (A Kerberos authentication ticket was requested).
What’s the #1 rule to prevent these attacks?
Strong passwords make offline cracking nearly impossible!