July 3, 2026 · 3 min read · concepts
AS-REP roasting is an attack on Active Directory accounts that have Kerberos pre-authentication disabled. For such an account you request the first message from the KDC, the AS-REP, and crack an encrypted part of it offline to recover the password. You do not need a valid password for it, only the username of an account with pre-authentication disabled.
The attack was described in 2017 by Will Schroeder (harmj0y) as the counterpart to Kerberoasting. MITRE ATT&CK categorizes it under T1558.004 Steal or Forge Kerberos Tickets: AS-REP Roasting.
Normally Kerberos requires pre-authentication. When logging in, the client encrypts a timestamp with a key derived from the password, and the KDC only returns an AS-REP once that timestamp checks out. Someone who does not know the password gets nothing usable this way.
If pre-authentication is disabled on an account, that check falls away. The KDC sends the AS-REP to anyone who asks, without proof of the password. That AS-REP contains an encrypted part, the enc-part, which is encrypted with the password-derived key of the user. You crack that part offline with Hashcat. An RC4-encrypted AS-REP (etype 23) goes into hashcat as mode 18200, and a weak password falls quickly there. AES-encrypted variants are a lot heavier to crack.
To know which accounts are vulnerable, you search Active Directory for the flag “Do not require Kerberos preauthentication”. That is a bit in the userAccountControl attribute (DONT_REQ_PREAUTH, value 0x400000). For that LDAP query you do need a valid domain account. Requesting the AS-REP itself can be done afterwards without a password, as long as you know the username.
In an Active Directory pentest we check as standard whether there are accounts with pre-authentication disabled. We do that with NetExec on the ldap protocol. If we already have a valid account, NetExec finds the vulnerable accounts and pulls the hashes right away. If we only know a username or a list of names, it also works without a password.
# With a valid account: find vulnerable accounts and pull the hashes
nxc ldap 10.0.0.1 -u jdoe -p Password --asreproast asreproast.txt
# Without a password, with a list of usernames
nxc ldap 10.0.0.1 -u users.txt -p '' --asreproast asreproast.txt
We then crack the captured hashes offline with hashcat.
# Crack RC4 AS-REP hashes against a wordlist
hashcat -m 18200 asreproast.txt /usr/share/wordlists/rockyou.txt
Only run this kind of test on systems for which you have explicit, written permission. Without that permission it is a criminal offense.
(userAccountControl:1.2.840.113556.1.4.803:=4194304), which returns exactly the accounts that have the option.Kerberos is the authentication protocol of Active Directory, based on tickets and a central KDC. We show how it works and where attackers abuse it.
Credential Guard uses Virtualization-Based Security to isolate the credentials in LSASS in a separate process. Key to a secure AD network.
LAPS gives every Windows machine a unique, random local admin password and rotates it automatically. Key to a secure AD network.