Updated on September 11, 2025
AS-REP Roasting is a credential-dumping attack targeting Active Directory by exploiting accounts with “Do not require Kerberos preauthentication” enabled. It leverages a weakness in how Kerberos pre-authentication is configured and operates silently, making it hard to detect. This technique is popular in penetration testing and real-world attacks due to its low detection rate and ability to extract domain-level credentials with minimal privileges.
Definition and Core Concepts
AS-REP Roasting is a credential-dumping attack that targets user accounts with disabled Kerberos pre-authentication. The attack extracts, from Authentication Server Response (AS-REP) messages, material encrypted with a key derived from the user’s password, which is then cracked offline using password-cracking tools.
The attack’s foundation rests on four critical Kerberos concepts that security professionals must understand.
Kerberos Pre-Authentication
Kerberos pre-authentication serves as the first line of defense in the authentication process. This security feature requires users to prove their identity by encrypting a timestamp with their password hash before the Key Distribution Center (KDC) issues a Ticket-Granting Ticket (TGT).
When pre-authentication is enabled, the client must demonstrate knowledge of the user’s password before receiving any encrypted material from the domain controller. This prevents attackers from obtaining encrypted data without first proving legitimate access.
The pre-authentication process creates a cryptographic proof that the requesting party knows the user’s credentials, effectively blocking offline password attacks against arbitrary users.
Authentication Server Request (AS-REQ)
The AS-REQ represents the initial message clients send to the KDC when requesting authentication. This message contains the username and, when pre-authentication is enabled, includes an encrypted timestamp proving the client knows the user’s password.
In normal operations, the AS-REQ with pre-authentication data prevents the KDC from responding with encrypted material unless the client demonstrates legitimate credential knowledge. However, when pre-authentication is disabled, the AS-REQ bypasses this security check entirely.
The structure of AS-REQ messages varies significantly based on pre-authentication settings, directly impacting the security posture of the authentication exchange.
Authentication Server Response (AS-REP)
The AS-REP message contains the requested TGT together with a portion encrypted with a key derived from the user’s password hash. Under normal circumstances, this message is only sent after successful pre-authentication validation.
When pre-authentication is disabled, the domain controller immediately responds with the AS-REP message without requiring any proof of the password. The portion encrypted with the user’s password-derived key becomes the target for offline password cracking attempts.
The AS-REP structure includes multiple encrypted components, but attackers specifically target the portion encrypted with the user’s password-derived key for hash extraction and cracking.
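The following is an added illustration, not code from the original article: a toy model of the KDC side of the AS exchange that shows why pre-authentication matters. The realm, account names, passwords, the string-to-key function and the seal/unseal cipher are simplified stand-ins chosen only to make the decision logic visible; they are not the real Kerberos primitives. The point it demonstrates is that when the DONT_REQ_PREAUTH bit is set, the portion keyed to the user’s password is handed out to any requester, whereas otherwise the requester must first prove the key by sealing a fresh timestamp.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

DONT_REQ_PREAUTH = 0x400000   # userAccountControl bit described in the article
MAX_CLOCK_SKEW = 300          # seconds; Kerberos' customary five-minute tolerance


def string_to_key(password: str, salt: str) -> bytes:
    """Stand-in for Kerberos string2key: derive a per-user key from the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 1000)


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Toy authenticated encryption (HMAC tag || XOR keystream). Illustration only."""
    stream = hashlib.sha256(key + b"stream").digest()
    body = bytes(p ^ stream[i % len(stream)] for i, p in enumerate(plaintext))
    return hmac.new(key, body, "sha256").digest() + body


def unseal(key: bytes, blob: bytes) -> Optional[bytes]:
    """Reverse of seal(); returns None when the key is wrong (tag mismatch)."""
    tag, body = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, "sha256").digest()):
        return None
    stream = hashlib.sha256(key + b"stream").digest()
    return bytes(b ^ stream[i % len(stream)] for i, b in enumerate(body))


class ToyKDC:
    """Minimal model of the AS exchange: decides whether an AS-REQ must carry
    pre-authentication before the part keyed to the user's password is released."""

    def __init__(self, realm: str, accounts: dict):
        self.realm = realm
        self.accounts = accounts   # name -> {"password": str, "uac": int}
        self.log = []              # one entry per AS-REQ, loosely mirroring a 4768 event

    def user_key(self, name: str) -> bytes:
        return string_to_key(self.accounts[name]["password"], self.realm + name)

    def handle_as_req(self, name: str, enc_timestamp: Optional[bytes] = None) -> dict:
        acct = self.accounts.get(name)
        if acct is None:
            return {"error": "KDC_ERR_C_PRINCIPAL_UNKNOWN"}
        key = self.user_key(name)
        if not acct["uac"] & DONT_REQ_PREAUTH:
            # Pre-authentication required: the client must prove it knows the key first.
            if enc_timestamp is None:
                self.log.append({"user": name, "preauth_type": None, "status": "KDC_ERR_PREAUTH_REQUIRED"})
                return {"error": "KDC_ERR_PREAUTH_REQUIRED"}
            ts = unseal(key, enc_timestamp)
            if ts is None or abs(time.time() - int(ts)) > MAX_CLOCK_SKEW:
                self.log.append({"user": name, "preauth_type": 2, "status": "KDC_ERR_PREAUTH_FAILED"})
                return {"error": "KDC_ERR_PREAUTH_FAILED"}
            preauth_type = 2       # PA-ENC-TIMESTAMP
        else:
            preauth_type = 0       # no proof of the password was demanded
        session_key = os.urandom(16)
        self.log.append({"user": name, "preauth_type": preauth_type, "status": "0x0"})
        return {
            "ticket": "<TGT sealed under the krbtgt key; not related to the user's password>",
            "enc_part": seal(key, session_key),   # keyed to the user's password: the roastable portion
        }


def make_enc_timestamp(password: str, realm: str, name: str) -> bytes:
    """Client side of PA-ENC-TIMESTAMP: the current time sealed under the user's key."""
    return seal(string_to_key(password, realm + name), str(int(time.time())).encode())


def demo() -> tuple:
    realm = "CORP.EXAMPLE"   # constructed realm and accounts
    kdc = ToyKDC(realm, {
        "alice": {"password": "correct horse battery staple", "uac": 0x200},
        "svc_legacy": {"password": "Summer2024!", "uac": 0x200 | DONT_REQ_PREAUTH},
    })
    no_proof_alice = kdc.handle_as_req("alice")          # refused: pre-auth required
    no_proof_svc = kdc.handle_as_req("svc_legacy")       # enc_part released to anyone
    proof_alice = kdc.handle_as_req("alice", make_enc_timestamp("correct horse battery staple", realm, "alice"))
    bad_proof_alice = kdc.handle_as_req("alice", make_enc_timestamp("wrong", realm, "alice"))
    return no_proof_alice, no_proof_svc, proof_alice, bad_proof_alice, kdc.log


if __name__ == "__main__":
    for result in demo()[:4]:
        print(result.get("error") or "AS-REP issued")
```

Note how the two requests without a timestamp differ only in the account’s DONT_REQ_PREAUTH bit: the KDC refuses one and answers the other with data that can only be opened by someone holding the password-derived key, which is exactly the material the offline phase works on.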
Offline Brute-Force Attack
Offline brute-force attacks operate independently of the target system, eliminating detection risks associated with repeated login attempts. Attackers extract encrypted hashes and use computational resources to test password combinations without network interaction.
This attack method bypasses account lockout policies, rate limiting, and real-time monitoring systems that typically detect brute-force attempts. The offline nature allows attackers to use powerful hardware and optimized cracking tools without time constraints.
The effectiveness of offline attacks depends primarily on password complexity and the computational resources available to attackers.
How It Works
The AS-REP Roasting attack follows a systematic four-step process that exploits the absence of pre-authentication requirements.
Vulnerable Account Identification
Attackers begin by enumerating user accounts within the target domain to identify those with the “Do not require Kerberos preauthentication” flag enabled. This enumeration can be performed using standard AD query tools or specialized reconnaissance scripts.
The identification process typically involves querying the userAccountControl attribute for accounts with the DONT_REQ_PREAUTH flag (0x400000) set. Attackers can perform this enumeration with minimal privileges, often using standard domain user credentials.
Legacy applications and service accounts frequently have this setting enabled, making them prime targets for AS-REP Roasting attacks. Organizations often overlook these configurations during security audits.
AS-REQ Without Pre-Authentication
Once vulnerable accounts are identified, attackers craft AS-REQ messages on behalf of these users without including pre-authentication data. The requests appear as legitimate authentication attempts to the domain controller.
The AS-REQ packets are sent directly to the domain controller using the standard Kerberos protocol on port 88. These requests do not trigger failed login events because no password validation occurs at this stage.
Multiple AS-REQ messages can be sent simultaneously for different vulnerable accounts, allowing attackers to harvest credentials from multiple users in a single operation.
Encrypted AS-REP Response
The domain controller processes the AS-REQ and, finding no pre-authentication requirement, immediately responds with an AS-REP message containing the encrypted TGT. This response includes the critical encrypted data needed for offline cracking.
The AS-REP message structure includes a portion encrypted with a key derived from the target user’s password hash. This encrypted component becomes the foundation for the offline attack phase.
Domain controllers log these exchanges as successful TGT requests (Event ID 4768), making detection challenging without specific monitoring for pre-authentication anomalies.
Offline Password Cracking
Attackers extract the encrypted portion from captured AS-REP messages and format it for use with password-cracking tools like Hashcat or John the Ripper. The extracted value is the portion of the AS-REP encrypted with the key derived from the account’s password.
The offline cracking process tests millions of password combinations per second, depending on available computational resources. Modern graphics processing units (GPUs) can significantly accelerate this process.
Successful password recovery provides attackers with plaintext credentials that can be used for lateral movement, privilege escalation, or persistent access to the target environment.
Key Features and Components
AS-REP Roasting attacks possess distinct characteristics that differentiate them from other credential-harvesting techniques.
Exploitation of Misconfiguration
The attack’s success depends entirely on the target account having the “Do not require Kerberos preauthentication” setting enabled. This misconfiguration effectively removes the primary security control protecting against offline password attacks.
Organizations often enable this setting for legacy systems or applications that cannot support modern pre-authentication protocols. However, many organizations fail to implement compensating controls for these vulnerable accounts.
The misconfiguration creates a permanent vulnerability that persists until administratively corrected, providing attackers with a reliable attack vector.
Low Privilege Requirements
AS-REP Roasting requires minimal privileges to execute the initial reconnaissance and AS-REQ phases. Standard domain user credentials are sufficient to enumerate vulnerable accounts and request authentication tickets.
This low barrier to entry makes the attack accessible to attackers with limited initial access to the target environment. The attack can serve as an effective privilege escalation technique when combined with other compromise methods.
The minimal privilege requirement also makes AS-REP Roasting attractive for insider threats and compromised low-privilege accounts.
Stealthy Offline Operation
The offline nature of the password cracking phase provides significant stealth advantages. Once AS-REP messages are captured, attackers can perform password cracking without generating additional network traffic or authentication logs.
This stealth characteristic bypasses traditional security monitoring focused on repeated failed login attempts or suspicious network activity. The attack generates minimal forensic evidence during the critical cracking phase.
Detection requires specialized monitoring of Kerberos pre-authentication events rather than conventional brute-force detection methods.
Legacy System Targeting
AS-REP Roasting frequently succeeds against legacy applications and services that require pre-authentication to be disabled for compatibility reasons. These systems often use weaker password policies or shared service accounts.
Legacy environments may lack modern security controls, making them particularly vulnerable to offline password attacks. Organizations frequently prioritize functionality over security for critical legacy systems.
The targeting of legacy systems can provide attackers with access to high-privilege service accounts or critical business applications.
Use Cases and Applications
AS-REP Roasting serves multiple purposes across both legitimate security testing and malicious attack scenarios.
Initial Access and Privilege Escalation
Attackers use AS-REP Roasting to gain initial authenticated access to target networks. Successfully cracked passwords provide legitimate credentials that bypass many security controls designed to detect unauthorized access.
The technique proves particularly effective for converting minimal network access into authenticated domain user credentials. These credentials enable lateral movement and further reconnaissance within the target environment.
Privilege escalation opportunities arise when AS-REP Roasting successfully compromises service accounts or users with elevated permissions within the domain.
Penetration Testing Applications
Ethical hackers and penetration testers employ AS-REP Roasting to evaluate Active Directory security postures. The technique effectively identifies weak password policies and dangerous misconfigurations in client environments.
Penetration testing frameworks like Impacket and Rubeus include AS-REP Roasting capabilities, making the technique accessible to security professionals conducting authorized assessments.
The attack serves as an excellent demonstration of how seemingly minor configuration issues can create significant security vulnerabilities in enterprise environments.
Advanced Persistent Threat Operations
Sophisticated threat actors integrate AS-REP Roasting into broader attack campaigns targeting specific organizations or sectors. The technique provides a reliable method for establishing persistent access to target networks.
The attack aligns with MITRE ATT&CK technique T1558.004, representing a well-documented component of advanced attack methodologies. Threat intelligence reports frequently reference AS-REP Roasting in analysis of nation-state and criminal group operations.
The stealth characteristics make AS-REP Roasting particularly valuable for long-term compromise scenarios where detection avoidance is critical.
Advantages and Trade-offs
AS-REP Roasting offers distinct advantages and limitations that affect its effectiveness in different scenarios.
Attack Advantages
The primary advantage lies in the attack’s stealth profile. AS-REP Roasting does not generate failed authentication events in domain controller logs, avoiding detection by standard security monitoring systems.
Efficiency represents another significant advantage. Attackers can simultaneously target multiple vulnerable accounts, harvesting credentials from numerous users in a single operation without additional complexity.
The attack bypasses traditional password security controls including account lockout policies, rate limiting, and real-time brute-force detection systems. This bypass capability makes AS-REP Roasting effective even in well-monitored environments.
Operational Trade-offs
The attack’s dependency on specific misconfigurations limits its universal applicability. Organizations with properly configured pre-authentication settings are immune to AS-REP Roasting attacks.
Password strength directly impacts attack success rates. Organizations with robust password policies may render offline cracking attempts impractical, even when vulnerable accounts are identified.
The attack requires computational resources for effective password cracking. Weak passwords crack quickly, but complex passwords may require significant time and processing power to compromise successfully.
Troubleshooting and Considerations
Effective AS-REP Roasting mitigation requires understanding both technical controls and operational considerations.
Primary Mitigation Strategies
Enabling Kerberos pre-authentication for all user accounts represents the most effective mitigation strategy. Organizations should audit userAccountControl attributes to identify accounts with the DONT_REQ_PREAUTH flag and disable this setting unless absolutely necessary.
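As an added example (not part of the original article), the following script performs the userAccountControl audit described here and in the Vulnerable Account Identification section above, from the defender’s side: it flags every account carrying the DONT_REQ_PREAUTH bit and computes the value to write back with that bit cleared. The account rows are constructed sample data; a real audit would obtain them from an LDAP query or Get-ADUser, which this offline script does not perform. The LDAP filter constant uses the standard bitwise-AND matching rule and is included for reference.

```python
# userAccountControl bits (documented Windows values)
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000
DONT_REQ_PREAUTH = 0x400000     # 4194304 decimal

# LDAP filter using the LDAP_MATCHING_RULE_BIT_AND OID; against a live directory it
# selects the same accounts the loop below finds in the sample rows.
LDAP_FILTER = "(&(objectCategory=person)(userAccountControl:1.2.840.113556.1.4.803:=4194304))"

# Constructed sample rows: (sAMAccountName, userAccountControl)
SAMPLE_ACCOUNTS = [
    ("alice", NORMAL_ACCOUNT),
    ("svc_legacy", NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | DONT_REQ_PREAUTH),
    ("old_contractor", NORMAL_ACCOUNT | ACCOUNTDISABLE | DONT_REQ_PREAUTH),
    ("bob", NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD),
]


def preauth_disabled(uac: int) -> bool:
    """True when the account does not require Kerberos pre-authentication."""
    return bool(uac & DONT_REQ_PREAUTH)


def remediated_uac(uac: int) -> int:
    """Value to write back: every other flag preserved, DONT_REQ_PREAUTH cleared."""
    return uac & ~DONT_REQ_PREAUTH


def audit(accounts) -> list:
    """One finding per account that does not require pre-authentication.
    Disabled accounts are reported as well: the flag survives re-enabling."""
    findings = []
    for name, uac in accounts:
        if not preauth_disabled(uac):
            continue
        findings.append({
            "account": name,
            "enabled": not (uac & ACCOUNTDISABLE),
            "uac": uac,
            "fixed_uac": remediated_uac(uac),
        })
    # Enabled accounts first: those can be roasted right now.
    findings.sort(key=lambda f: (not f["enabled"], f["account"]))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_ACCOUNTS):
        state = "ENABLED" if f["enabled"] else "disabled"
        print(f"{f['account']:<16} {state:<9} uac=0x{f['uac']:x} -> 0x{f['fixed_uac']:x}")
```

Keeping disabled accounts in the report matters because the bit is not removed when an account is disabled; a later re-enable would silently reintroduce the exposure.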
Strong password policies provide defense-in-depth protection against successful offline cracking attempts. Complex passwords with high entropy significantly increase the time and resources required for successful attacks.
Monitoring domain controller logs for Event ID 4768 entries with pre-authentication type ‘0’ enables detection of AS-REP Roasting attempts. Automated alerting on these events can provide early warning of active attacks.
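An added detection example, not code from the original article, that applies the Event ID 4768 rule above to a handful of constructed sample events. It alerts on successful TGT issuances with Pre-Authentication Type 0, raises the severity when the ticket encryption type is 0x17 (RC4-HMAC, the cheapest type to crack and the one roasting tools typically ask for), suppresses known legacy accounts authenticating from their usual hosts, and flags a source that obtained no-preauth TGTs for several distinct accounts inside one short window. The event field names match the 4768 EventData schema; the timestamps, users, addresses and the legacy-host baseline are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample 4768 events, reduced to the EventData fields the rule uses.
# PreAuthType "2" is PA-ENC-TIMESTAMP (a normal password logon); "0" means the TGT
# was issued with no pre-authentication at all.
SAMPLE_4768 = [
    {"TimeCreated": "2025-09-11T08:00:01", "TargetUserName": "alice",
     "IpAddress": "::ffff:10.0.0.41", "PreAuthType": "2", "TicketEncryptionType": "0x12", "Status": "0x0"},
    {"TimeCreated": "2025-09-11T08:00:05", "TargetUserName": "svc_legacy",
     "IpAddress": "::ffff:10.0.0.23", "PreAuthType": "0", "TicketEncryptionType": "0x12", "Status": "0x0"},
    {"TimeCreated": "2025-09-11T08:14:10", "TargetUserName": "svc_legacy",
     "IpAddress": "::ffff:10.0.0.5", "PreAuthType": "0", "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"TimeCreated": "2025-09-11T08:14:11", "TargetUserName": "old_contractor",
     "IpAddress": "::ffff:10.0.0.5", "PreAuthType": "0", "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"TimeCreated": "2025-09-11T08:14:12", "TargetUserName": "bob",
     "IpAddress": "::ffff:10.0.0.41", "PreAuthType": "2", "TicketEncryptionType": "0x12", "Status": "0x0"},
]

# Constructed baseline: legacy accounts with pre-auth disabled and the hosts they
# normally authenticate from. Without it, every logon of such an account alerts.
KNOWN_LEGACY_HOSTS = {"svc_legacy": {"::ffff:10.0.0.23"}}


def classify(event: dict):
    """Severity for one 4768 event, or None when it is not a no-preauth TGT issuance."""
    if event["Status"] != "0x0" or event["PreAuthType"] != "0":
        return None
    user, ip, etype = event["TargetUserName"], event["IpAddress"], event["TicketEncryptionType"]
    if etype == "0x17":
        return "high"      # RC4 requested explicitly: typical roasting-tool fingerprint
    if ip in KNOWN_LEGACY_HOSTS.get(user, set()):
        return "info"      # expected behaviour of a documented legacy account
    return "medium"        # no-preauth TGT from an unexpected source


def detect(events, window=timedelta(minutes=5), min_users=2):
    """Return per-event findings plus sources that obtained no-preauth TGTs for
    several distinct accounts inside one window (the signature of a sweep)."""
    findings, by_source = [], defaultdict(list)
    for e in events:
        sev = classify(e)
        if sev is None:
            continue
        findings.append({"user": e["TargetUserName"], "ip": e["IpAddress"], "severity": sev})
        if sev != "info":
            by_source[e["IpAddress"]].append((datetime.fromisoformat(e["TimeCreated"]), e["TargetUserName"]))
    sweeps = []
    for ip, items in by_source.items():
        items.sort()
        for start, _ in items:
            users = {u for t, u in items if start <= t <= start + window}
            if len(users) >= min_users:
                sweeps.append({"ip": ip, "users": sorted(users)})
                break
    return findings, sweeps


if __name__ == "__main__":
    findings, sweeps = detect(SAMPLE_4768)
    for f in findings:
        print(f"[{f['severity']:<6}] no-preauth TGT for {f['user']} from {f['ip']}")
    for s in sweeps:
        print(f"[sweep ] {s['ip']} requested no-preauth TGTs for {', '.join(s['users'])}")
```

The baseline is the part worth tuning in practice: an account that legitimately has pre-authentication disabled produces Pre-Authentication Type 0 on every normal logon, so the useful signal is a request for such an account from an unfamiliar host, an RC4 ticket where AES is the norm, or one source touching many such accounts at once.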
Legacy System Considerations
Some legacy applications genuinely require pre-authentication to be disabled for proper functionality. These systems require special handling through compensating controls and enhanced monitoring.
Organizations should implement strong password requirements specifically for accounts with disabled pre-authentication. Consider using randomly generated complex passwords or certificate-based authentication where possible.
Network segmentation can limit the impact of compromised legacy accounts by restricting their access to critical systems and resources.
Implementation Guidelines
Apply the principle of least privilege to all accounts requiring disabled pre-authentication. Minimize the permissions and access rights for these vulnerable accounts.
Regular password rotation policies become critical for accounts with disabled pre-authentication, as these passwords may be targeted repeatedly by attackers.
Consider implementing privileged access management (PAM) solutions to control and monitor access for high-risk accounts that cannot use pre-authentication.
Key Terms Appendix
- Active Directory (AD): Microsoft’s directory service for Windows networks that manages users, computers, and resources in a domain environment.
- Authentication Server Request (AS-REQ): The initial Kerberos message sent by a client to request a Ticket-Granting Ticket from the Key Distribution Center.
- Kerberos Pre-Authentication: A security mechanism requiring clients to prove knowledge of their password before receiving encrypted authentication material from the domain controller.
- Ticket-Granting Ticket (TGT): A Kerberos ticket that authenticates a user to the Key Distribution Center and is used to request service tickets for specific resources.
- DONT_REQ_PREAUTH Flag: A userAccountControl attribute value (0x400000) that disables Kerberos pre-authentication requirements for a specific user account.