AS-REP Roasting
AS-REP Roasting targets Active Directory accounts with Kerberos preauthentication disabled, allowing attackers to request and crack authentication responses offline without credentials.
AS-REP Roasting is an attack against Kerberos authentication that targets accounts configured with the "Do not require Kerberos preauthentication" flag in Active Directory. When preauthentication is disabled, anyone can request an Authentication Service Response (AS-REP) for that account. The response contains encrypted data that can be cracked offline to recover the account's plaintext password.
The attacker first enumerates Active Directory accounts that have Kerberos preauthentication disabled. This can be done using tools like PowerView, ldapsearch, or Rubeus. The attacker then sends AS-REQ messages to the KDC for each identified account without providing proof of identity. The KDC responds with an AS-REP containing a portion encrypted with the target account's password hash. The attacker extracts this encrypted blob and uses offline cracking tools like Hashcat to recover the password. Unlike Kerberoasting, AS-REP Roasting does not require the attacker to have any domain credentials, making it viable from an unauthenticated position if account names are known.
AS-REP Roasting represents a significant risk because it can be performed without any authentication to the domain. Accounts with preauthentication disabled are often legacy or misconfigured service accounts that may hold elevated privileges. The attack generates minimal network noise and is difficult to detect without specific Kerberos event monitoring. Organizations must audit accounts for the preauthentication flag, enforce strong passwords on any accounts that genuinely require this setting, and implement detection rules for AS-REQs sent without preauthentication that target multiple accounts.
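As an added illustration (not code from the original article), a defender-side check in Python: an audit helper for the userAccountControl flag behind "Do not require Kerberos preauthentication", and a detector that flags Security event 4768 records logged with Pre-Authentication Type 0 and groups them by source address to surface one client obtaining AS-REPs for many accounts. The event records are constructed and simplified for the example; their field names are assumptions, not the exact Windows XML schema.

```python
import re
from collections import defaultdict

# DONT_REQ_PREAUTH bit of the AD userAccountControl attribute.
DONT_REQ_PREAUTH = 0x400000


def preauth_disabled(user_account_control: int) -> bool:
    """True when 'Do not require Kerberos preauthentication' is set on the account."""
    return bool(user_account_control & DONT_REQ_PREAUTH)


# Constructed, simplified Security event 4768/4769 records (one per line).
# Field names are assumptions chosen to mirror the event description text.
SAMPLE_EVENTS = """\
EventID=4768 TargetUserName=svc-legacy PreAuthType=0 TicketEncryptionType=0x17 IpAddress=10.0.0.50
EventID=4768 TargetUserName=jsmith PreAuthType=2 TicketEncryptionType=0x12 IpAddress=10.0.0.21
EventID=4768 TargetUserName=backup-old PreAuthType=0 TicketEncryptionType=0x17 IpAddress=10.0.0.50
EventID=4768 TargetUserName=svc-report PreAuthType=0 TicketEncryptionType=0x17 IpAddress=10.0.0.50
EventID=4769 TargetUserName=svc-legacy PreAuthType=0 TicketEncryptionType=0x17 IpAddress=10.0.0.50
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> dict:
    """Turn one 'key=value key=value' record into a dict."""
    return dict(FIELD_RE.findall(line))


def asrep_candidates(log_text: str) -> list:
    """Return 4768 (TGT requested) events issued with Pre-Authentication Type 0.

    Type 0 means the KDC handed out an AS-REP without the client first proving
    knowledge of the password, which is exactly what a roasting request yields.
    RC4 (0x17) is common in such requests, but the preauth type is the signal."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev.get("EventID") == "4768" and ev.get("PreAuthType") == "0":
            hits.append(ev)
    return hits


def sources_roasting_many(log_text: str, threshold: int = 2) -> dict:
    """Map client IP -> sorted distinct accounts it fetched AS-REPs for without
    preauth, keeping only sources at or above the threshold (the
    'multiple accounts from one source' pattern worth alerting on)."""
    by_ip = defaultdict(set)
    for ev in asrep_candidates(log_text):
        by_ip[ev["IpAddress"]].add(ev["TargetUserName"])
    return {ip: sorted(u) for ip, u in by_ip.items() if len(u) >= threshold}
```

The same logic applies to real 4768 events once the fields are pulled from the EventData XML; tune the threshold and time window to your environment.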
Written by CDA Editorial