
AS-REP Roasting

Target accounts without Kerberos pre-authentication, request AS-REP responses, and crack them offline. No prior credentials needed.

Active Directory Preauthentication Bypass Attack

Requires: No credentials (if anonymous LDAP enabled) • Difficulty: Low • Impact: Critical

AS-REP Roasting is an Active Directory attack that targets user accounts with the "Do not require Kerberos preauthentication" attribute enabled. Unlike Kerberoasting, which requires domain authentication, AS-REP Roasting can obtain crackable material without any credentials, which makes it even more dangerous.

How It Works:

  1. Query Active Directory for accounts with preauthentication disabled
  2. Request AS-REP (Authentication Service Response) tickets for those accounts
  3. The Domain Controller returns the AS-REP without the client having proven knowledge of the password; its encrypted part is protected with a key derived from the user's password
  4. Extract the encrypted portion (the ciphertext that can be tested offline against candidate passwords)
  5. Crack offline with hashcat (mode 18200) or John the Ripper
  6. Gain valid domain credentials without any online authentication attempts

Critical Difference from Kerberoasting: AS-REP Roasting requires ZERO domain credentials. You can request AS-REP tickets for any account with preauth disabled from an unauthenticated state. This makes it a powerful initial access technique.

Why Preauth Exists: Kerberos preauthentication (PA-ENC-TIMESTAMP) prevents offline password attacks by requiring the client to prove knowledge of the password before the KDC issues a ticket. Disabling it for compatibility reasons (legacy systems) creates this vulnerability.

Legal & Ethical Warning

AS-REP Roasting techniques should only be used in authorized penetration testing, red team engagements, or controlled lab environments. Unauthorized access to computer systems is illegal under CFAA and equivalent laws worldwide. Always obtain written permission before testing.

🔴 RED TEAM: Attack Techniques

  • Account Enumeration:
    Use GetNPUsers.py (Impacket) or Rubeus.
    Query AD for accounts with the DONT_REQ_PREAUTH flag.
    No domain credentials are required to scan when anonymous LDAP is enabled (see "Requires" above); otherwise a list of candidate usernames is needed.
  • AS-REP Request:
    Request a Kerberos AS-REP without pre-authentication.
    The encrypted part of the response is what the "AS-REP hash" is extracted from.
    It is encrypted with a key derived from the user's password.
  • Offline Cracking:
    Extract AS-REP hash (krb5asrep format).
    Crack offline with Hashcat or John the Ripper.
    Service accounts often have weak passwords.
  • Lateral Movement:
    Use cracked credentials to authenticate.
    Access services, file shares, databases.
    Pivot to other systems in the network.

🔵 BLUE TEAM: Detection & Defense

  • Enable Pre-Authentication:
    Audit all accounts for the DONT_REQ_PREAUTH flag (PowerShell: Get-ADUser -Filter 'DoesNotRequirePreAuth -eq $true').
    Remove the flag unless absolutely required (PowerShell: Set-ADUser -Identity <user> -DoesNotRequirePreAuth $false).
    Where it must stay, also set -KerberosEncryptionType AES256 so the account's tickets use AES rather than RC4 keys.
  • Strong Password Policy:
    Enforce 25+ character passwords for service accounts.
    Use passphrases or random generated passwords.
    Implement regular password rotation.
  • Monitoring & Detection:
    Alert on Event ID 4768 (TGT requests) with Pre-Authentication Type 0, i.e. issued without pre-auth; a Ticket Encryption Type of 0x17 (RC4) marks the ones that crack fastest.
    Monitor for mass AS-REP requests for many accounts from a single source address.
    Use Microsoft Defender for Identity (formerly Azure ATP).
  • Managed Service Accounts:
    Use Group Managed Service Accounts (gMSA).
    Passwords auto-rotate every 30 days.
    Eliminates manual password management.
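The 4768-based detection above, as an added example that is not part of this module: it parses constructed Security-log 4768 message bodies (the "Field: value" layout of the event text; the records are sample data, not real logs), flags every TGT request issued with Pre-Authentication Type 0, and reports client addresses that requested no-preauth TGTs for several distinct accounts.

```python
import re
from collections import defaultdict

# Constructed 4768 event bodies in the "Field: value" layout of the
# Security log message text. Sample records only, not real logs.
SAMPLE_EVENTS = [
    "Account Name:\talice\nClient Address:\t::ffff:10.0.0.5\nPre-Authentication Type:\t2\nTicket Encryption Type:\t0x12",
    "Account Name:\tsvc_backup\nClient Address:\t::ffff:10.0.0.77\nPre-Authentication Type:\t0\nTicket Encryption Type:\t0x17",
    "Account Name:\tlegacy_app\nClient Address:\t::ffff:10.0.0.77\nPre-Authentication Type:\t0\nTicket Encryption Type:\t0x17",
    "Account Name:\tbob\nClient Address:\t::ffff:10.0.0.77\nPre-Authentication Type:\t0\nTicket Encryption Type:\t0x12",
    "Account Name:\tcarol\nClient Address:\t::ffff:10.0.0.9\nPre-Authentication Type:\t2\nTicket Encryption Type:\t0x12",
    "Account Name:\tsvc_sql\nClient Address:\t::ffff:10.0.0.12\nPre-Authentication Type:\t0\nTicket Encryption Type:\t0x17",
]

FIELD_RE = re.compile(r"^([^:\n]+):\s*(.*)$", re.MULTILINE)
RC4_ETYPE = 0x17  # Ticket Encryption Type 0x17 = RC4-HMAC, the hashcat mode 18200 case

def parse_4768(message):
    """Turn one event's 'Field: value' body into a dict; strips the ::ffff: IPv4-mapped prefix."""
    fields = {k.strip(): v.strip() for k, v in FIELD_RE.findall(message)}
    fields["Client Address"] = fields.get("Client Address", "").replace("::ffff:", "")
    return fields

def no_preauth_requests(messages):
    """Return (account, client, rc4) for every TGT request issued without pre-authentication."""
    hits = []
    for m in messages:
        ev = parse_4768(m)
        if ev.get("Pre-Authentication Type") == "0":
            rc4 = int(ev.get("Ticket Encryption Type", "0"), 16) == RC4_ETYPE
            hits.append((ev["Account Name"], ev["Client Address"], rc4))
    return hits

def mass_asrep_sources(messages, threshold=3):
    """Client addresses that requested no-preauth TGTs for at least `threshold` distinct accounts."""
    per_client = defaultdict(set)
    for account, client, _ in no_preauth_requests(messages):
        per_client[client].add(account)
    return {c: len(a) for c, a in per_client.items() if len(a) >= threshold}

if __name__ == "__main__":
    for account, client, rc4 in no_preauth_requests(SAMPLE_EVENTS):
        tag = " (RC4, fastest to crack offline)" if rc4 else ""
        print(f"no-preauth TGT: {account} from {client}{tag}")
    print("mass AS-REP sources:", mass_asrep_sources(SAMPLE_EVENTS))
```

On the sample data the single svc_sql request from 10.0.0.12 is reported individually, while 10.0.0.77 crosses the threshold with three distinct accounts.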