AS-REP Roasting is an attack against Kerberos authentication that targets accounts configured with the "Do not require Kerberos preauthentication" flag in Active Directory. When preauthentication is disabled, anyone can request an Authentication Service Response (AS-REP) for that account. The response contains encrypted data that can be cracked offline to recover the account's plaintext password.
The attacker first enumerates Active Directory accounts that have Kerberos preauthentication disabled. This can be done using tools like PowerView, ldapsearch, or Rubeus. The attacker then sends AS-REQ messages to the KDC for each identified account without providing proof of identity. The KDC responds with an AS-REP in which one portion is encrypted with a key derived from the target account's password. The attacker extracts this encrypted blob and uses offline cracking tools like Hashcat to recover the password. Unlike Kerberoasting, AS-REP Roasting does not require the attacker to have any domain credentials, making it viable from an unauthenticated position if account names are known.
AS-REP Roasting represents a significant risk because it can be performed without any authentication to the domain. Accounts with preauthentication disabled are often legacy or misconfigured service accounts that may hold elevated privileges. The attack generates minimal network noise and is difficult to detect without specific Kerberos event monitoring. Organizations must audit accounts for the preauthentication flag, enforce strong passwords on any accounts that require this setting, and implement detection rules for AS-REP requests targeting multiple accounts.
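The two defensive checks above, as an added example that is not part of the original text: an audit helper for the "Do not require Kerberos preauthentication" bit in `userAccountControl`, and a detection pass over constructed Windows Security event 4768 records that flags any source requesting pre-authentication-free TGTs for several accounts. The sample events, IP addresses and account names are constructed; the field names mirror those of the real 4768 event.

```python
from collections import defaultdict

# Bit in userAccountControl that marks "Do not require Kerberos preauthentication".
UF_DONT_REQUIRE_PREAUTH = 0x400000

# Constructed sample records modelled on Windows Security event 4768
# ("A Kerberos authentication ticket (TGT) was requested"); not real logs.
# PreAuthType 0 = no pre-authentication was performed, 2 = PA-ENC-TIMESTAMP.
# TicketEncryptionType 0x17 = RC4-HMAC, 0x12 = AES256-CTS-HMAC-SHA1-96.
# Status 0x0 = success, 0x6 = KDC_ERR_C_PRINCIPAL_UNKNOWN.
SAMPLE_4768 = [
    {"TargetUserName": "alice",      "IpAddress": "10.0.0.5",  "PreAuthType": 2, "TicketEncryptionType": 0x12, "Status": 0x0},
    {"TargetUserName": "svc_legacy", "IpAddress": "10.0.0.77", "PreAuthType": 0, "TicketEncryptionType": 0x17, "Status": 0x0},
    {"TargetUserName": "svc_backup", "IpAddress": "10.0.0.77", "PreAuthType": 0, "TicketEncryptionType": 0x17, "Status": 0x0},
    {"TargetUserName": "jdoe",       "IpAddress": "10.0.0.77", "PreAuthType": 0, "TicketEncryptionType": 0x17, "Status": 0x0},
    {"TargetUserName": "svc_legacy", "IpAddress": "10.0.0.9",  "PreAuthType": 0, "TicketEncryptionType": 0x17, "Status": 0x0},
    {"TargetUserName": "ghost",      "IpAddress": "10.0.0.77", "PreAuthType": 0, "TicketEncryptionType": 0x17, "Status": 0x6},
]


def preauth_disabled(user_account_control: int) -> bool:
    """True if the userAccountControl value has the DONT_REQ_PREAUTH bit set.
    Feed it each account's userAccountControl from an LDAP query to build the audit list."""
    return bool(user_account_control & UF_DONT_REQUIRE_PREAUTH)


def asrep_without_preauth(events):
    """Yield successful 4768 records where no pre-authentication was performed."""
    for e in events:
        if e["PreAuthType"] == 0 and e["Status"] == 0x0:
            yield e


def find_asrep_roasting(events, min_accounts=2):
    """Map each source IP that obtained pre-auth-free TGTs for at least
    min_accounts distinct accounts to the sorted list of those accounts.
    A single legacy host fetching a TGT for its own account stays below the
    threshold; one source sweeping many accounts does not."""
    per_source = defaultdict(set)
    for e in asrep_without_preauth(events):
        per_source[e["IpAddress"]].add(e["TargetUserName"])
    return {ip: sorted(users) for ip, users in per_source.items()
            if len(users) >= min_accounts}


if __name__ == "__main__":
    for ip, users in find_asrep_roasting(SAMPLE_4768).items():
        print(f"{ip} requested pre-auth-free TGTs for: {', '.join(users)}")
```

In the sample data only 10.0.0.77 is flagged; 10.0.0.9 requests a single legacy account and the failed request for "ghost" is ignored because it never yielded an encrypted AS-REP.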