AS-REP Roasting: A Stealthy Active Directory Attack Explained

What is AS-REP Roasting

AS-REP roasting is a Kerberos-based attack that allows an attacker to obtain a user's password hash without authenticating to the domain.

This attack targets Active Directory accounts that have Kerberos pre-authentication disabled. When pre-authentication is not required, an attacker can request an Authentication Server Response (AS-REP) for the target account without providing valid credentials. The returned response contains encrypted data derived from the user's password, which can be extracted and cracked offline.

Because no authentication attempt is made, AS-REP roasting does not trigger account lockouts, making it a stealthy and effective attack technique.

Understanding Kerberos Authentication

To understand the vulnerability, let's first look at how normal Kerberos authentication works:

  1. AS-REQ: The client requests a Ticket Granting Ticket (TGT) from the Key Distribution Center (KDC)

  2. Pre-authentication: The client encrypts a timestamp with their password hash to prove they know the password

  3. AS-REP: The KDC validates the pre-authentication and returns an encrypted TGT

  4. TGT Usage: The client uses the TGT to request service tickets for specific resources

This pre-authentication step is crucial—it prevents attackers from simply requesting TGTs for any account they want.

The Vulnerability

When pre-authentication is disabled, the security model breaks down:

  • The KDC will return the AS-REP without verifying the client's identity first

  • The AS-REP contains material encrypted with a key derived from the user's password, so it can be attacked offline

  • An attacker can request AS-REPs for any account with pre-auth disabled

  • The attacker can then crack these hashes offline without any further network interaction, so the cracking phase itself produces nothing for the domain to observe

This is particularly dangerous because many organizations disable pre-authentication for service accounts or legacy systems, creating a perfect attack surface.

How the Attack Works

The attack process is straightforward and can be broken down into three main steps.

Step 1: Identify Vulnerable Accounts

First, the attacker needs to find accounts with pre-authentication disabled. This can be done using several tools:

# Using Impacket's GetNPUsers
GetNPUsers.py -dc-ip <DC_IP> <DOMAIN>/ -usersfile users.txt -format hashcat -outputfile hashes.txt

# Using Rubeus
Rubeus.exe asreproast /format:hashcat /outfile:hashes.txt

These tools will query the domain controller and identify any accounts that don't require pre-authentication.

Step 2: Extract AS-REP Hashes

Once vulnerable accounts are identified, the tools automatically extract their AS-REP hashes in a format ready for password cracking. This happens without any authentication—the attacker doesn't need valid credentials to perform this step.

Step 3: Crack the Hashes Offline

With the hashes in hand, the attacker can crack them offline using powerful tools like hashcat or John the Ripper:

# Using hashcat
hashcat -m 18200 hashes.txt /usr/share/wordlists/rockyou.txt

# Using John the Ripper
john --format=krb5asrep hashes.txt

Modern GPUs can crack weak passwords in minutes or even seconds, making this attack highly effective against organizations with poor password policies.

Why This Attack is So Dangerous

AS-REP roasting is particularly insidious for several reasons:

  1. No Authentication Required: Attackers don't need valid credentials to perform the attack. They can do it from any machine on the network, even without domain access.

  2. Stealthy: The attack doesn't trigger account lockouts or failed login alerts. It looks like normal Kerberos traffic, making it difficult to detect.

  3. Offline Cracking: Once hashes are extracted, they can be cracked offline without any further network interaction, reducing the risk of detection.

  4. High Success Rate: Weak passwords are easily cracked with modern hardware. Even moderately complex passwords can fall to dictionary attacks or rule-based cracking.

  5. No Rate Limiting: Unlike brute-force attacks, there's no rate limiting on AS-REP requests, allowing attackers to enumerate all vulnerable accounts quickly.

Real-World Impact

The consequences of a successful AS-REP roasting attack can be severe:

  • Lateral Movement: Compromised accounts can be used to move through the network, accessing additional systems and resources.

  • Privilege Escalation: Service accounts or admin accounts with pre-auth disabled are prime targets. A single compromised service account can lead to domain-wide compromise.

  • Persistence: Attackers can maintain access using legitimate credentials, making detection even more difficult.

  • Data Exfiltration: With valid credentials, attackers can access sensitive data without triggering security alerts.

Defense Strategies

The good news is that AS-REP roasting is easily preventable. Here are the key defense strategies:

1. Enable Pre-Authentication for All Accounts

This is the most critical step. Every account in your Active Directory should have pre-authentication enabled. Here's a PowerShell script to check and fix this:

# Find accounts with pre-auth disabled
Get-ADUser -Filter * -Properties DoesNotRequirePreAuth | 
    Where-Object {$_.DoesNotRequirePreAuth -eq $true} | 
    Select-Object Name, SamAccountName

# Enable pre-auth for a specific account
Set-ADAccountControl -Identity <username> -DoesNotRequirePreAuth $false

Run this regularly to identify and fix any accounts that have pre-authentication disabled.

2. Implement Strong Password Policies

Even if an attacker extracts hashes, strong passwords make them much harder to crack:

  • Enforce complex passwords (minimum 14+ characters recommended)

  • Require password history to prevent reuse

  • Implement account lockout policies to detect brute-force attempts (note that lockout does not affect AS-REP roasting itself, which never submits a password; it only limits online guessing)

  • Consider password complexity requirements (uppercase, lowercase, numbers, symbols)

  • For service accounts, use extremely long, randomly generated passwords

3. Monitor for AS-REP Requests

Set up monitoring in your SIEM to detect suspicious AS-REP activity:

  • Monitor for multiple AS-REP requests from the same source IP

  • Alert on AS-REP requests for accounts that should have pre-auth enabled

  • Track failed authentication attempts that occur shortly after AS-REP extraction

  • Baseline normal Kerberos traffic and alert on anomalies
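
As an added example (not code from the original article), the following PowerShell script implements the first two monitoring bullets against Windows Security event 4768 ("A Kerberos authentication ticket (TGT) was requested"). A TGT issued without pre-authentication is logged there with Pre-Authentication Type 0, so the script parses that field, groups such requests by source address, and flags any source that collects tickets for several distinct accounts within a short window. The sample events, account names, addresses and the threshold of three accounts within ten minutes are constructed assumptions; the event fields and their meanings are from the Windows event schema. Running it against a live domain controller requires the "Audit Kerberos Authentication Service" audit subcategory to be enabled.

```powershell
# Added example, not from the original article. Flags AS-REP roasting
# indicators in Windows Security event 4768 ("A Kerberos authentication
# ticket (TGT) was requested"). Pre-Authentication Type 0 in that event means
# the TGT was issued without pre-authentication, i.e. the AS-REP is roastable.

function ConvertFrom-Event4768 {
    # Parse one event, given as XML text (e.g. EventLogRecord.ToXml()), into a flat object.
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        [xml]$doc = $EventXml
        # local-name() sidesteps the default namespace of the event schema.
        if ($doc.SelectSingleNode('//*[local-name()="EventID"]').InnerText -ne '4768') { return }
        $fields = @{}
        foreach ($node in $doc.SelectNodes('//*[local-name()="Data"]')) {
            $fields[$node.GetAttribute('Name')] = $node.InnerText
        }
        $stamp = $doc.SelectSingleNode('//*[local-name()="TimeCreated"]').GetAttribute('SystemTime')
        [pscustomobject]@{
            Time           = [datetime]::Parse($stamp).ToUniversalTime()
            Account        = $fields['TargetUserName']
            SourceIp       = $fields['IpAddress'] -replace '^::ffff:', ''  # strip IPv4-mapped prefix
            PreAuthType    = [int]$fields['PreAuthType']                   # 0 = none, 2 = PA-ENC-TIMESTAMP
            EncryptionType = $fields['TicketEncryptionType']               # 0x17 = RC4-HMAC, 0x12 = AES256
            Status         = $fields['Status']                             # 0x0 = ticket issued
        }
    }
}

function Find-AsRepRoastingActivity {
    # Group no-pre-auth TGT requests by source and flag sources that obtain
    # tickets for many distinct accounts in a short window (assumed thresholds).
    param(
        [Parameter(Mandatory, ValueFromPipeline)][object]$Event,
        [int]$AccountThreshold = 3,
        [timespan]$Window = [timespan]::FromMinutes(10)
    )
    begin { $all = New-Object System.Collections.Generic.List[object] }
    process { $all.Add($Event) }
    end {
        $roastable = @($all | Where-Object { $_.PreAuthType -eq 0 -and $_.Status -eq '0x0' })
        foreach ($group in @($roastable | Group-Object SourceIp)) {
            $sorted   = @($group.Group | Sort-Object Time)
            $accounts = @($sorted.Account | Select-Object -Unique)
            $span     = $sorted[-1].Time - $sorted[0].Time
            [pscustomobject]@{
                SourceIp     = $group.Name
                AccountCount = $accounts.Count
                Accounts     = ($accounts -join ', ')
                Rc4Tickets   = @($sorted | Where-Object EncryptionType -eq '0x17').Count
                Span         = $span
                Suspicious   = ($accounts.Count -ge $AccountThreshold -and $span -le $Window)
            }
        }
    }
}

function New-Sample4768 {
    # Constructed sample event in the Windows event XML schema (test data only).
    param([string]$Time, [string]$User, [string]$Ip, [int]$PreAuth, [string]$Etype)
    return @"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4768</EventID><TimeCreated SystemTime="$Time"/></System>
  <EventData>
    <Data Name="TargetUserName">$User</Data>
    <Data Name="TargetDomainName">CORP.EXAMPLE</Data>
    <Data Name="IpAddress">::ffff:$Ip</Data>
    <Data Name="Status">0x0</Data>
    <Data Name="TicketEncryptionType">$Etype</Data>
    <Data Name="PreAuthType">$PreAuth</Data>
  </EventData>
</Event>
"@
}

$sampleEvents = @(
    # One source pulling AS-REPs for four accounts in two minutes, all RC4: the roasting pattern.
    New-Sample4768 -Time '2024-03-01T10:00:05Z' -User 'svc_backup' -Ip '10.0.0.25' -PreAuth 0 -Etype '0x17'
    New-Sample4768 -Time '2024-03-01T10:00:06Z' -User 'svc_legacy' -Ip '10.0.0.25' -PreAuth 0 -Etype '0x17'
    New-Sample4768 -Time '2024-03-01T10:01:40Z' -User 'jdoe'       -Ip '10.0.0.25' -PreAuth 0 -Etype '0x17'
    New-Sample4768 -Time '2024-03-01T10:02:01Z' -User 'kpatel'     -Ip '10.0.0.25' -PreAuth 0 -Etype '0x17'
    # Normal logon: pre-authenticated with an encrypted timestamp (type 2), AES ticket.
    New-Sample4768 -Time '2024-03-01T10:03:00Z' -User 'mlee'       -Ip '10.0.0.50' -PreAuth 2 -Etype '0x12'
    # A legacy application host that legitimately lacks pre-auth: one request, reported but not flagged.
    New-Sample4768 -Time '2024-03-01T10:04:00Z' -User 'svc_legacy' -Ip '10.0.0.60' -PreAuth 0 -Etype '0x17'
)

$sampleEvents | ConvertFrom-Event4768 | Find-AsRepRoastingActivity | Format-Table -AutoSize

# Against a domain controller (needs "Audit Kerberos Authentication Service" enabled):
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4768} -MaxEvents 5000 |
#     ForEach-Object { $_.ToXml() } | ConvertFrom-Event4768 |
#     Find-AsRepRoastingActivity | Where-Object Suspicious
```

On the sample data the source 10.0.0.25 is reported with four accounts in under two minutes and Suspicious set to True, while 10.0.0.60 appears with a single account and is left unflagged; the per-source row still lists it so that the fifth IoC bullet below (an account that should require pre-auth receiving AS-REPs at all) can be checked against your audit results. The RC4 count is worth keeping in the output: cracking tools target the RC4 (0x17) variant, so a burst of RC4 tickets to accounts that otherwise use AES is a stronger signal than the count alone.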

4. Regular Security Audits

Automate regular audits to catch misconfigurations before attackers do:

# Regular audit script
$vulnerable = Get-ADUser -Filter * -Properties DoesNotRequirePreAuth | 
    Where-Object {$_.DoesNotRequirePreAuth -eq $true}

if ($vulnerable) {
    Write-Warning "Found $($vulnerable.Count) accounts with pre-auth disabled!"
    $vulnerable | Export-Csv -Path "vulnerable_accounts.csv"
    # Send alert to security team
}

Schedule this script to run weekly or monthly and review the results.
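
The two snippets above (the find-and-fix commands in strategy 1 and the audit script here) fit together into one scheduled script. The following is an added example, not code from the original article, and assumes the ActiveDirectory module (RSAT) and rights to modify the accounts; the script name `Invoke-PreAuthAudit.ps1`, the report path and the list in `$PrivilegedGroups` are assumptions you would adjust. It reports by default and only changes accounts when `-Remediate` is given, honouring `-WhatIf` so the change can be rehearsed first.

```powershell
# Added example, not part of the original article. Audits every account whose
# userAccountControl carries DONT_REQUIRE_PREAUTH (0x400000 = 4194304) and,
# only when -Remediate is given, clears the flag. Supports -WhatIf / -Confirm.
# Assumed file name: Invoke-PreAuthAudit.ps1
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Remediate,
    [string]$ReportPath = ".\preauth-audit-$(Get-Date -Format 'yyyyMMdd').csv",
    # Assumed list of groups whose members get top remediation priority.
    [string[]]$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators')
)

Import-Module ActiveDirectory -ErrorAction Stop

# Server-side LDAP filter on the userAccountControl bit; equivalent to the
# article's DoesNotRequirePreAuth check but avoids pulling every user.
$ldap = '(userAccountControl:1.2.840.113556.1.4.803:=4194304)'
$accounts = @(Get-ADUser -LDAPFilter $ldap -Properties Enabled, LastLogonDate, PasswordLastSet, ServicePrincipalName, MemberOf)

if ($accounts.Count -eq 0) {
    Write-Host 'No accounts with pre-authentication disabled.'
    return
}
Write-Warning "Found $($accounts.Count) account(s) with pre-authentication disabled."

# Enrich each finding so the reviewer can prioritise: privileged or SPN-bearing
# accounts are the ones whose compromise leads furthest.
$report = foreach ($u in $accounts) {
    $groups = @($u.MemberOf | ForEach-Object { (Get-ADGroup $_).Name })
    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        Enabled        = $u.Enabled
        LastLogonDate  = $u.LastLogonDate
        PasswordAge    = if ($u.PasswordLastSet) { (New-TimeSpan -Start $u.PasswordLastSet).Days } else { $null }
        HasSpn         = ($u.ServicePrincipalName.Count -gt 0)
        Privileged     = [bool]($groups | Where-Object { $_ -in $PrivilegedGroups })
        Remediated     = $false
    }
}
$report | Sort-Object Privileged, HasSpn, Enabled -Descending | Format-Table -AutoSize

if ($Remediate) {
    foreach ($row in $report) {
        # ShouldProcess honours -WhatIf/-Confirm so the change can be rehearsed first.
        if ($PSCmdlet.ShouldProcess($row.SamAccountName, 'Require Kerberos pre-authentication')) {
            Set-ADAccountControl -Identity $row.SamAccountName -DoesNotRequirePreAuth $false
            $row.Remediated = $true
        }
    }
}

$report | Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host "Report written to $ReportPath"
```

Run `.\Invoke-PreAuthAudit.ps1` on the schedule suggested above to get the report only, then `.\Invoke-PreAuthAudit.ps1 -Remediate -WhatIf` to see exactly which accounts would change before running it without `-WhatIf`. An account that turns out to need the flag for a legacy system should be treated as a finding in its own right rather than left in the list indefinitely, since a long-lived password on such an account is exactly what the offline cracking step in this article relies on.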

5. Least Privilege Principle

Reduce the attack surface by following the principle of least privilege:

  • Ensure service accounts have minimal required permissions

  • Regularly review and audit service account usage

  • Use Group Managed Service Accounts (gMSA) when possible, as they automatically manage passwords and have better security properties

  • Document why each service account exists and what it needs access to

Detection and Response

If you suspect an AS-REP roasting attack, here's what to look for and how to respond.

Indicators of Compromise (IoCs)

Watch for these signs of an AS-REP roasting attack:

  • Unusual AS-REP requests from non-domain machines or unknown IP addresses

  • Multiple AS-REP requests for different accounts from the same source

  • Failed login attempts that occur shortly after AS-REP extraction

  • Unusual account activity from previously dormant accounts

  • Accounts that should have pre-auth enabled but are receiving AS-REP requests

Incident Response Steps

If you detect an AS-REP roasting attack, follow these steps:

  1. Identify Compromised Accounts: Review logs to identify all accounts that had AS-REPs extracted. Don't assume only one account was targeted.

  2. Reset Passwords: Immediately reset passwords for all potentially compromised accounts. Use strong, randomly generated passwords.

  3. Review Access: Check for any unauthorized access or privilege escalation. Review recent logon events and file access logs.

  4. Enable Pre-Auth: Ensure all accounts have pre-authentication enabled, especially any that were targeted.

  5. Investigate: Determine how the attacker gained initial access to your network. AS-REP roasting requires network access, so there may be other security issues.

  6. Monitor: Increase monitoring on the affected accounts and watch for any suspicious activity.

Tools and Resources

Attack Tools (for Testing and Education)

Understanding the tools attackers use helps you defend against them:

  • Impacket: GetNPUsers.py - Python-based tool for AS-REP roasting

  • Rubeus: C# tool for various Kerberos attacks, including AS-REP roasting

  • hashcat: High-performance password recovery tool used for cracking extracted hashes

  • John the Ripper: Another popular password cracking tool

Defense Tools

These tools can help you identify and fix vulnerabilities:

  • BloodHound: Identify attack paths and misconfigurations in your Active Directory environment

  • PowerShell AD Module: Native Windows tool for Active Directory management and auditing

  • SIEM Solutions: Splunk, ELK Stack, Azure Sentinel, or other SIEM solutions for monitoring and alerting

  • ADRecon: PowerShell script for Active Directory security assessment

Conclusion

AS-REP roasting is a serious threat to Active Directory environments, but it's also easily preventable. The attack exploits a simple misconfiguration that can be fixed with a single PowerShell command. By ensuring all accounts have pre-authentication enabled and implementing strong password policies, organizations can significantly reduce their attack surface.

Regular security audits, proper monitoring, and following the principle of least privilege are essential components of a robust defense strategy. Don't wait until you're compromised—audit your environment today and fix any accounts with pre-authentication disabled.

Remember: the best defense is a proactive one. Stay secure, stay vigilant.
