AS-REP Roasting
What is AS-REP Roasting?
AS-REP Roasting: An Active Directory attack that requests Kerberos AS-REP messages for accounts with pre-authentication disabled, then cracks the returned encrypted blob offline to recover the user's password.
AS-REP Roasting is an offline password-cracking attack against Active Directory accounts that have Kerberos pre-authentication disabled (the "Do not require Kerberos preauthentication" flag, DONT_REQ_PREAUTH). Normally, pre-authentication forces a client to prove knowledge of its password before the Key Distribution Center (KDC) issues an authentication ticket. When it is turned off, any unauthenticated attacker can ask the KDC for an AS-REP for that account; part of the reply is encrypted with a key derived from the user's password hash. The attacker captures this blob and runs it through tools such as Hashcat (mode 18200) or John the Ripper to recover weak passwords offline, without triggering account lockouts. Unlike Kerberoasting, it does not even require a valid domain account to enumerate vulnerable users. Defenses include avoiding the pre-auth-disabled flag, enforcing strong passwords, and monitoring for AS-REQ activity lacking pre-authentication.
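The two defensive controls named above (finding accounts with the pre-auth-disabled flag, and watching for TGT requests that succeed without pre-authentication) can both be scripted. The following is an added example written for this page, not code from the page's source or from any tool it names. It assumes userAccountControl values have already been exported from the directory, and it parses the text form of Windows Security event 4768 (Kerberos authentication ticket requested), where a Pre-Authentication Type of 0 means no pre-authentication was used. The function names and all sample records are constructed for the example.

```python
"""
Added example: defender-side checks for AS-REP Roasting exposure and activity.

1. audit_preauth_flag(): report accounts whose userAccountControl has the
   DONT_REQ_PREAUTH bit (0x400000, "Do not require Kerberos preauthentication").
2. find_asrep_roast_candidates(): scan Security event 4768 records and flag
   successful TGT requests whose Pre-Authentication Type is 0. RC4-HMAC
   (etype 0x17) is rated higher because that blob is the cheapest to crack.

All sample data below is constructed for this example.
"""
import re

# userAccountControl bit for "Do not require Kerberos preauthentication"
DONT_REQ_PREAUTH = 0x400000


def audit_preauth_flag(accounts):
    """accounts: {sAMAccountName: userAccountControl}. Returns names with the flag set."""
    return sorted(name for name, uac in accounts.items() if uac & DONT_REQ_PREAUTH)


# Fields of interest in the text rendering of event 4768 (one "Key:  Value" per line)
_FIELD = re.compile(
    r"^\s*(Account Name|Client Address|Result Code|Ticket Encryption Type|Pre-Authentication Type):\s*(\S+)",
    re.M,
)


def parse_4768(record):
    """Extract the handful of 4768 fields the detection needs into a dict."""
    return dict(_FIELD.findall(record))


def find_asrep_roast_candidates(records):
    """Return successful TGT requests issued without pre-authentication.

    Only Result Code 0x0 counts: a normal client's first AS-REQ also carries no
    pre-auth data, but the KDC rejects it (KDC_ERR_PREAUTH_REQUIRED), so no
    crackable blob is returned and that record is noise, not a roast.
    """
    hits = []
    for rec in records:
        f = parse_4768(rec)
        if f.get("Result Code") != "0x0":
            continue
        if f.get("Pre-Authentication Type") != "0":
            continue
        etype = f.get("Ticket Encryption Type", "").lower()
        hits.append({
            "account": f.get("Account Name", "?"),
            "client": f.get("Client Address", "?"),
            "etype": etype,
            "severity": "high" if etype == "0x17" else "medium",
        })
    return hits


def _rec(name, client, result, etype, preauth):
    """Build a constructed 4768 record in the Windows text layout."""
    return (
        "A Kerberos authentication ticket (TGT) was requested.\n"
        "Account Information:\n"
        f"\tAccount Name:\t\t{name}\n"
        "\tSupplied Realm Name:\tCORP\n"
        "Network Information:\n"
        f"\tClient Address:\t\t{client}\n"
        "\tClient Port:\t\t51234\n"
        "Additional Information:\n"
        "\tTicket Options:\t\t0x40800010\n"
        f"\tResult Code:\t\t{result}\n"
        f"\tTicket Encryption Type:\t{etype}\n"
        f"\tPre-Authentication Type:\t{preauth}\n"
    )


# Constructed sample: one RC4 roast, one AES roast, one normal logon, one rejected AS-REQ
SAMPLE_4768 = [
    _rec("svc_backup", "::ffff:10.0.0.5", "0x0", "0x17", "0"),
    _rec("alice", "::ffff:10.0.0.20", "0x0", "0x12", "2"),
    _rec("jdoe", "::ffff:10.0.0.5", "0x0", "0x12", "0"),
    _rec("bob", "::ffff:10.0.0.30", "0x19", "0x12", "0"),
]

SAMPLE_ACCOUNTS = {"alice": 0x200, "svc_backup": 0x200 | DONT_REQ_PREAUTH, "bob": 0x10200}

if __name__ == "__main__":
    print("pre-auth disabled:", audit_preauth_flag(SAMPLE_ACCOUNTS))
    for hit in find_asrep_roast_candidates(SAMPLE_4768):
        print(hit)
```

The two checks complement each other: the flag audit tells you which accounts are exposed before anyone asks for them, and the 4768 scan tells you when an exposed account was actually handed out an AS-REP. Removing the flag (or, where a legacy application needs it, moving the account off RC4 and onto a long random password) closes the exposure; the event scan is what catches requests in the meantime.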
● Examples
- 01: A penetration tester runs Rubeus asreproast to list domain accounts with pre-authentication disabled and exports the hashes for offline cracking.
- 02: Impacket's GetNPUsers.py retrieves AS-REP hashes for vulnerable users, which are then cracked with Hashcat mode 18200.
● Frequently asked questions
What is AS-REP Roasting?
An Active Directory attack that requests Kerberos AS-REP messages for accounts with pre-authentication disabled, then cracks the returned encrypted blob offline to recover the user's password. It belongs to the Attacks & Threats category of cybersecurity.
What does AS-REP Roasting mean?
An Active Directory attack that requests Kerberos AS-REP messages for accounts with pre-authentication disabled, then cracks the returned encrypted blob offline to recover the user's password.
How does AS-REP Roasting work?
AS-REP Roasting is an offline password-cracking attack against Active Directory accounts that have Kerberos pre-authentication disabled (the "Do not require Kerberos preauthentication" flag, DONT_REQ_PREAUTH). Normally, pre-authentication forces a client to prove knowledge of its password before the Key Distribution Center (KDC) issues an authentication ticket. When it is turned off, any unauthenticated attacker can ask the KDC for an AS-REP for that account; part of the reply is encrypted with a key derived from the user's password hash. The attacker captures this blob and runs it through tools such as Hashcat (mode 18200) or John the Ripper to recover weak passwords offline, without triggering account lockouts. Unlike Kerberoasting, it does not even require a valid domain account to enumerate vulnerable users. Defenses include avoiding the pre-auth-disabled flag, enforcing strong passwords, and monitoring for AS-REQ activity lacking pre-authentication.
How do you defend against AS-REP Roasting?
Defenses against AS-REP Roasting typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for AS-REP Roasting?
Common alternative names include: ASREP Roasting, AS-REP Roast.
● Related terms
- Kerberoasting (attacks № 654): An offline password attack that requests Kerberos service tickets for service accounts and cracks the encrypted portion to recover their cleartext passwords.
- Kerberos (identity-access № 655): A ticket-based network authentication protocol that uses symmetric cryptography and a trusted Key Distribution Center to enable secure single sign-on across services.
- Active Directory (identity-access № 014): Microsoft's enterprise directory service for Windows networks, providing centralized authentication, authorization, and policy management for users, computers, and resources.
- Credential Access (defense-ops № 255): The MITRE ATT&CK tactic (TA0006) that covers techniques used to steal account names, passwords, tokens, and other secrets.
- Pass-the-Hash (attacks № 888): A credential-reuse attack that authenticates to Windows systems using a stolen NTLM password hash instead of the cleartext password.
- Golden Ticket (attacks № 500): A forged Kerberos Ticket-Granting Ticket signed with the krbtgt account hash that lets attackers impersonate any principal in a domain.