AS-REP Roasting Brief
What It Is
AS-REP Roasting targets accounts whose Kerberos pre-authentication has been disabled, i.e. the DONT_REQ_PREAUTH bit (0x400000) is set in userAccountControl, shown in the account properties as 'Do not require Kerberos preauthentication'. Pre-authentication normally makes the client prove it knows the password before anything is returned: the AS-REQ must carry a timestamp encrypted under the account's key (PA-ENC-TIMESTAMP), and an AS-REQ without it is refused with KDC_ERR_PREAUTH_REQUIRED. With the bit set, the KDC answers any AS-REQ naming that account with an AS-REP whose encrypted part (session key, ticket times, nonce) is encrypted under a key derived from the account's password, having verified nothing about the requester. The attacker keeps that ciphertext and tries candidate passwords against it offline until the built-in integrity check passes. Which key derivation is in play decides the cost: with RC4-HMAC (etype 23) the key is simply the account's NT hash, so cracking runs at NTLM speed, while the AES etypes (17, 18) use a salted PBKDF2 and are orders of magnitude slower; if the account or domain still permits RC4, the requester can ask for it in the AS-REQ's etype list.
Preconditions
At least one enabled account with DONT_REQ_PREAUTH set, and the ability to reach a domain controller's Kerberos service on TCP or UDP port 88. Unlike Kerberoasting, domain credentials are not strictly required. Unauthenticated, the attacker needs a list of candidate usernames: the KDC's replies to AS-REQs sent without pre-authentication distinguish a non-existent principal (KDC_ERR_C_PRINCIPAL_UNKNOWN) from an existing one that requires pre-auth (KDC_ERR_PREAUTH_REQUIRED), so the same requests confirm which names are valid and return a full AS-REP for the ones that are flagged. With any domain credential, the flagged accounts can instead be listed directly over LDAP by matching the 0x400000 bit of userAccountControl, so no guessing is needed.
Attacker Gain
The plaintext password of any flagged account whose password falls to the attacker's wordlist or mask; a long, random password survives the attempt even with the flag set, so the gain is bounded by password strength as well as by the account's privilege level. The technique is especially valuable early in an engagement because it can work without domain credentials and the cracking happens entirely offline, with no further traffic to the domain controller once the AS-REPs have been collected.
Key Distinctions from Kerberoasting
- Protocol stage — AS-REP Roasting targets AS exchange responses; Kerberoasting targets TGS exchange responses
- Precondition — disabled pre-authentication flag vs registered SPN
- Target set — any account with the flag set (in practice often legacy or service accounts) vs accounts that have an SPN registered (typically service accounts)
- Credential requirement — can work without domain credentials vs requires any domain user
- Encrypted material — the AS-REP enc-part is encrypted under the requested account's own long-term key (for RC4-HMAC, its NT hash); the service ticket in the TGS-REP is encrypted under the service account's key, so the two techniques recover different accounts' passwords
Stakeholder Explanation
A specific per-account setting removes a check from the login process. With that setting turned on for an account, anyone who can reach a domain controller can request encrypted password material for it without logging in, then crack it offline at their leisure. The setting exists for legacy compatibility with old clients that cannot perform the check. The fix is turning the check back on for every affected account and then changing those accounts' passwords, because material already captured remains crackable until the password changes.
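The remediation sentence above implies an inventory step first. The Python below is an added example, not from the original brief: it runs the triage a practitioner would do over directory records, here constructed LDAP-style entries rather than a live query, keeping only enabled accounts that carry the DONT_REQ_PREAUTH bit and ordering them by impact (privileged accounts first, then those that still permit RC4-HMAC and are therefore cheap to crack). The attribute names are the real Active Directory ones; the account names and values are made up.

```python
# Added example, not part of the original brief. In production the attributes below
# come from a domain controller over LDAP; the SAMPLE_ENTRIES here are constructed.

DONT_REQ_PREAUTH = 0x400000  # userAccountControl bit; decimal 4194304 in LDAP filters
ACCOUNTDISABLE = 0x0002      # the KDC refuses TGTs for disabled accounts, so they are not roastable
ETYPE_RC4_HMAC = 0x04        # msDS-SupportedEncryptionTypes bit for etype 23

# Filter any authenticated domain user can run; 1.2.840.113556.1.4.803 is the bitwise-AND matching rule.
LDAP_FILTER = (
    "(&(objectCategory=person)(objectClass=user)"
    f"(userAccountControl:1.2.840.113556.1.4.803:={DONT_REQ_PREAUTH}))"
)

SAMPLE_ENTRIES = [  # constructed records
    {"sAMAccountName": "svc_legacy",   "userAccountControl": 0x410200, "adminCount": 0, "msDS-SupportedEncryptionTypes": 0},
    {"sAMAccountName": "backup_admin", "userAccountControl": 0x400200, "adminCount": 1, "msDS-SupportedEncryptionTypes": 0x18},
    {"sAMAccountName": "jdoe",         "userAccountControl": 0x000200, "adminCount": 0, "msDS-SupportedEncryptionTypes": 0},
    {"sAMAccountName": "old_svc",      "userAccountControl": 0x400202, "adminCount": 0, "msDS-SupportedEncryptionTypes": 0},
]


def is_roastable(entry) -> bool:
    """Flag set and account enabled; a disabled account never gets an AS-REP."""
    uac = entry["userAccountControl"]
    return bool(uac & DONT_REQ_PREAUTH) and not uac & ACCOUNTDISABLE


def rc4_allowed(entry) -> bool:
    """0 or absent means the domain default applies, which still includes RC4 unless the
    domain has been hardened to AES only; an explicit AES-only value such as 0x18 excludes it."""
    etypes = entry.get("msDS-SupportedEncryptionTypes") or 0
    return etypes == 0 or bool(etypes & ETYPE_RC4_HMAC)


def cleared_uac(uac: int) -> int:
    """The userAccountControl value to write back when re-enabling pre-authentication."""
    return uac & ~DONT_REQ_PREAUTH


def triage(entries):
    """Roastable accounts ordered by impact: privileged (+2) and RC4-crackable (+1) rank first."""
    rows = []
    for e in entries:
        if not is_roastable(e):
            continue
        reasons = []
        if e.get("adminCount"):
            reasons.append("privileged (adminCount=1)")
        if rc4_allowed(e):
            reasons.append("RC4 permitted: NT-hash keyed, cheap to crack")
        score = 1 + (2 if e.get("adminCount") else 0) + (1 if rc4_allowed(e) else 0)
        rows.append({
            "name": e["sAMAccountName"],
            "score": score,
            "reasons": reasons,
            "fixed_userAccountControl": cleared_uac(e["userAccountControl"]),
        })
    return sorted(rows, key=lambda r: (-r["score"], r["name"]))
```

Against the sample data, triage(SAMPLE_ENTRIES) lists backup_admin first and svc_legacy second, skips jdoe (flag not set) and old_svc (disabled). On a live domain the same inventory is one PowerShell call, Get-ADUser -Filter 'DoesNotRequirePreAuth -eq $true', and the per-account fix is Set-ADAccountControl -DoesNotRequirePreAuth $false followed by a password reset.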
Common Pitfalls
- Describing it as 'like Kerberoasting but different' without explaining what is actually different — protocol stage, precondition, and target set all differ
- Not explaining what pre-authentication is or why disabling it creates the vulnerability
- Claiming it always leads to high-impact compromise — impact depends on which accounts have the flag set
- Treating AS-REP Roasting and Kerberoasting as interchangeable techniques