Monthly vulnerability scanning: first month free! Learn more →
Hero

WE ARE

HACKIFY

AS-REP Roasting

AS-REP Roasting

July 3, 2026 · 3 min read · concepts

active-directory credentials

What is AS-REP roasting?

AS-REP roasting is an attack on Active Directory accounts that have Kerberos pre-authentication disabled. For such an account you request the first message from the KDC, the AS-REP, and crack an encrypted part of it offline to recover the password. You do not need a valid password for it, only the username of an account with pre-authentication disabled.

The attack was described in 2017 by Will Schroeder (harmj0y) as the counterpart to Kerberoasting. MITRE ATT&CK categorizes it under T1558.004 Steal or Forge Kerberos Tickets: AS-REP Roasting.

How does AS-REP roasting work?

Normally Kerberos requires pre-authentication. When logging in, the client encrypts a timestamp with a key derived from the password, and the KDC only returns an AS-REP once that timestamp checks out. Someone who does not know the password gets nothing usable this way.

If pre-authentication is disabled on an account, that check falls away. The KDC sends the AS-REP to anyone who asks, without proof of the password. That AS-REP contains an encrypted part, the enc-part, which is encrypted with the password-derived key of the user. You crack that part offline with Hashcat. An RC4-encrypted AS-REP (etype 23) goes into hashcat as mode 18200, and a weak password falls quickly there. AES-encrypted variants are a lot heavier to crack.

To know which accounts are vulnerable, you search Active Directory for the flag “Do not require Kerberos preauthentication”. That is a bit in the userAccountControl attribute (DONT_REQ_PREAUTH, value 0x400000). For that LDAP query you do need a valid domain account. Requesting the AS-REP itself can be done afterwards without a password, as long as you know the username.

AS-REP roasting in a pentest

In an Active Directory pentest we check as standard whether there are accounts with pre-authentication disabled. We do that with NetExec on the ldap protocol. If we already have a valid account, NetExec finds the vulnerable accounts and pulls the hashes right away. If we only know a username or a list of names, it also works without a password.

# With a valid account: find vulnerable accounts and pull the hashes
nxc ldap 10.0.0.1 -u jdoe -p Password --asreproast asreproast.txt

# Without a password, with a list of usernames
nxc ldap 10.0.0.1 -u users.txt -p '' --asreproast asreproast.txt

We then crack the captured hashes offline with hashcat.

# Crack RC4 AS-REP hashes against a wordlist
hashcat -m 18200 asreproast.txt /usr/share/wordlists/rockyou.txt

Only run this kind of test on systems for which you have explicit, written permission. Without that permission it is a criminal offense.

Preventing AS-REP roasting

  • Turn pre-authentication on for every account, in other words remove the option “Do not require Kerberos preauthentication” everywhere. Check this regularly with the LDAP filter (userAccountControl:1.2.840.113556.1.4.803:=4194304), which returns exactly the accounts that have the option.
  • If an account really has to keep the option for an old integration, give it a long, random password. Then offline cracking stays without result.
  • Enforce AES instead of RC4. An AES-encrypted AS-REP cracks far more slowly than an RC4 variant.
  • Put sensitive accounts in the Protected Users group. They may only authenticate with AES, but that does not fix an account with pre-authentication disabled. The flag still has to go.
  • Monitor event 4768 (TGT request) with pre-authentication type 0. That type means a TGT was requested without pre-authentication, exactly what happens with AS-REP roasting.

Frequently asked questions about AS-REP roasting

Do you need credentials for AS-REP roasting?

Not for requesting the AS-REP itself, as long as you already know the username of a vulnerable account. The KDC sends it to anyone who asks. To find out beforehand which accounts have pre-authentication disabled, you search Active Directory over LDAP, and for that you do need a valid domain account.

What is the difference with Kerberoasting?

Both crack an encrypted Kerberos message offline, but the condition differs. Kerberoasting works on accounts with an SPN, requires a valid domain account, and cracks a service ticket encrypted with the key of the service account. AS-REP roasting works on accounts with pre-authentication disabled, can be done without credentials if you know the username, and cracks the encrypted part of the AS-REP, which is encrypted with the key of the user themselves.

Why is pre-authentication disabled on some accounts?

Usually because of legacy. Some older applications and integrations with UNIX or Java Kerberos do not support pre-authentication, so the option was turned on at some point. After that it often stays on for years without anyone looking at it again. Occasionally it is enabled by accident.

How do you stop AS-REP roasting?

Turn pre-authentication on for every account, in other words remove the option ‘Do not require Kerberos preauthentication’ everywhere. Check regularly that no account has it. If an account really has to keep the option, give it a long, random password so that offline cracking gets nowhere.

Related articles