🎫 AS-REP Roasting

AS-REP Roasting is a credential access attack against Microsoft Active Directory that targets a specific Kerberos misconfiguration: Kerberos pre-authentication disabled on a user account. When pre-authentication is disabled, the Domain Controller (DC) returns a Kerberos Authentication Service Response (AS-REP) containing encrypted data without first validating that the requester knows the password. Attackers can extract this encrypted part and crack it offline to recover the user's plaintext password.

Why It Works:

In normal Kerberos authentication:

  1. A client sends an Authentication Service Request (AS-REQ) to the KDC.

  2. The AS-REQ must include a timestamp encrypted with the user’s password hash — this is pre-authentication.

  3. The KDC decrypts the timestamp to verify the user knows the password.

  4. If successful, the KDC returns an AS-REP containing the Ticket Granting Ticket (TGT) and a portion encrypted with the user's secret.

When pre-authentication is disabled for an account:

  • The KDC does not require the encrypted timestamp.

  • It immediately returns an AS-REP with encrypted data, including a portion encrypted with a key derived from the user's password hash.

  • Since attackers don’t have the password yet, they capture this encrypted portion — essentially a hash — and then crack it offline using brute-force or dictionary attacks.

Unless pre-authentication is disabled, the attack does not work. Kerberos pre-authentication is enabled by default, so this is a rare misconfiguration, but it is still present in many environments for legacy support or on certain service accounts.
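As an added example that is not part of the original page, the following Python covers the two defender-side angles of the mechanism just described: an audit for accounts carrying the DONT_REQ_PREAUTH userAccountControl flag (0x400000), and a detector over Windows Security event 4768 (TGT requested) records whose PreAuthType is 0, which is the trace a no-pre-auth AS-REQ leaves on the DC. The directory entries and event records are constructed samples; the field names follow the real 4768 event fields.

```python
"""Added example (not the page's code): audit + detection for AS-REP Roasting
preconditions and activity. All directory entries and 4768 event records below
are constructed for the demo, not real data."""
from collections import Counter

DONT_REQ_PREAUTH = 0x400000  # userAccountControl bit: Kerberos pre-auth disabled
PREAUTH_NONE = 0             # 4768 PreAuthType 0: logon without pre-authentication
ETYPE_RC4_HMAC = 0x17        # 4768 TicketEncryptionType 0x17: RC4, cheapest to crack

SAMPLE_ACCOUNTS = [  # constructed directory entries
    {"sAMAccountName": "svc_legacy", "userAccountControl": 0x400200},  # NORMAL_ACCOUNT | DONT_REQ_PREAUTH
    {"sAMAccountName": "alice", "userAccountControl": 0x200},          # NORMAL_ACCOUNT only
    {"sAMAccountName": "old_app", "userAccountControl": 0x410200},     # plus DONT_EXPIRE_PASSWD
]

SAMPLE_4768_EVENTS = [  # constructed 4768 records
    {"TargetUserName": "svc_legacy", "IpAddress": "10.0.0.77", "PreAuthType": 0, "TicketEncryptionType": 0x17},
    {"TargetUserName": "old_app", "IpAddress": "10.0.0.77", "PreAuthType": 0, "TicketEncryptionType": 0x17},
    {"TargetUserName": "alice", "IpAddress": "10.0.0.12", "PreAuthType": 2, "TicketEncryptionType": 0x12},
    {"TargetUserName": "svc_legacy", "IpAddress": "10.0.0.20", "PreAuthType": 0, "TicketEncryptionType": 0x12},
]


def accounts_without_preauth(accounts):
    """Audit: accounts with DONT_REQ_PREAUTH set are roastable and should be fixed."""
    return sorted(a["sAMAccountName"] for a in accounts
                  if a["userAccountControl"] & DONT_REQ_PREAUTH)


def asrep_roast_candidates(events):
    """Detect: 4768 with PreAuthType 0 is exactly what a request to a no-pre-auth
    account produces. An RC4 ticket encryption type (0x17) is the stronger signal,
    since roasting tools prefer it for faster cracking; AES hits are still worth review."""
    hits = []
    for e in events:
        if e["PreAuthType"] != PREAUTH_NONE:
            continue
        severity = "high" if e["TicketEncryptionType"] == ETYPE_RC4_HMAC else "medium"
        hits.append((e["IpAddress"], e["TargetUserName"], severity))
    return hits


def sources_by_hit_count(events):
    """Group hits by requesting host: one client pulling AS-REPs for several
    no-pre-auth accounts is the typical sweep pattern to alert on."""
    return Counter(ip for ip, _, _ in asrep_roast_candidates(events))


if __name__ == "__main__":
    print("pre-auth disabled:", accounts_without_preauth(SAMPLE_ACCOUNTS))
    for ip, user, sev in asrep_roast_candidates(SAMPLE_4768_EVENTS):
        print(f"{sev:6} {ip:12} requested AS-REP for {user} without pre-auth")
    print("per-source counts:", dict(sources_by_hit_count(SAMPLE_4768_EVENTS)))
```

In a real environment the account list comes from an LDAP query for the userAccountControl attribute and the events from the DC's Security log; the logic above is unchanged.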

AS-REP Roasting vs Kerberoasting:

| Feature    | AS-REP Roasting                        | Kerberoasting                     |
|------------|----------------------------------------|-----------------------------------|
| Target     | User accounts with pre-auth disabled   | Accounts with SPNs                |
| Ticket     | AS-REP (TGT type)                      | TGS (service ticket)              |
| Depends on | Pre-auth misconfiguration              | SPN presence                      |
| Requires   | No initial creds                       | Usually a domain user context     |
| Cracking   | Offline cracking of AS-REP hash        | Offline cracking of TGS hash      |

Example Attack:

We are going to use a tool from the Impacket collection:

After obtaining a hash, we can crack it with Hashcat:

You can use the cheatsheet if you forget the commands.

References & More About AS-REP Roasting:


Alike:

Kerberoasting
