AS-REP Roasting

AS‑REP Roasting is an attack in a Windows Active Directory domain that targets user accounts with Kerberos pre‑authentication disabled.

In Kerberos authentication, pre‑authentication requires a user to prove knowledge of their password before receiving a TGT (Ticket Granting Ticket). If pre‑authentication is disabled, an attacker can request authentication data for that user without providing a password.

The KDC (Key Distribution Center) responds with an AS‑REP (Authentication Service Response), part of which is encrypted with a key derived from the user’s password (the password hash). The attacker can extract this encrypted data from the AS‑REP and perform offline password cracking.

If the user’s password is weak, the attacker can successfully recover it and gain unauthorized access to the domain account.
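A defender-side check for the behaviour described above, as an added example that is not part of the original page: it flags TGT issuances (Windows Security event 4768) where the KDC recorded pre-authentication type 0, and groups them by source address. The sample records are constructed and the function names are hypothetical; the event ID, the field names and the RC4 encryption type value 0x17 come from Windows Kerberos auditing, not from this page.

```python
from collections import defaultdict

# Constructed sample: event 4768 (TGT requested) records, reduced to the
# EventData fields this check reads. Not real log data.
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "alice", "IpAddress": "::ffff:10.0.0.21",
     "Status": "0x0", "PreAuthType": "2", "TicketEncryptionType": "0x12"},
    {"EventID": 4768, "TargetUserName": "svc_legacy", "IpAddress": "::ffff:10.0.0.66",
     "Status": "0x0", "PreAuthType": "0", "TicketEncryptionType": "0x17"},
    {"EventID": 4768, "TargetUserName": "kiosk01", "IpAddress": "::ffff:10.0.0.66",
     "Status": "0x0", "PreAuthType": "0", "TicketEncryptionType": "0x12"},
    {"EventID": 4768, "TargetUserName": "ghost", "IpAddress": "::ffff:10.0.0.66",
     "Status": "0x6", "PreAuthType": "0", "TicketEncryptionType": "0xffffffff"},
    {"EventID": 4624, "TargetUserName": "alice", "IpAddress": "10.0.0.21"},
]

RC4_HMAC = 0x17  # etype 23; AS-REP data under RC4 is the cheapest to attack offline


def no_preauth_tgts(events):
    """Return successful TGT issuances that were made without pre-authentication."""
    hits = []
    for ev in events:
        # Only successful AS exchanges hand out encrypted material.
        if ev.get("EventID") != 4768 or ev.get("Status") != "0x0":
            continue
        if ev.get("PreAuthType", "").strip() != "0":
            continue
        src = ev.get("IpAddress", "")
        if src.startswith("::ffff:"):  # IPv4-mapped form used in these events
            src = src[len("::ffff:"):]
        etype = int(ev.get("TicketEncryptionType", "0x0"), 16)
        hits.append({"account": ev["TargetUserName"], "source": src,
                     "rc4": etype == RC4_HMAC})
    return hits


def sources_by_account_count(hits, threshold=2):
    """Sources that obtained no-preauth TGTs for >= threshold distinct accounts."""
    seen = defaultdict(set)
    for h in hits:
        seen[h["source"]].add(h["account"])
    return {s: sorted(a) for s, a in seen.items() if len(a) >= threshold}


if __name__ == "__main__":
    found = no_preauth_tgts(SAMPLE_EVENTS)
    print(found)
    print(sources_by_account_count(found))
```

Every account this reports has pre-authentication disabled; re-enabling it on those accounts removes the exposure, and any that must keep it disabled need a long random password.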

SUMMARY

AS‑REP Roasting = Exploiting accounts without Kerberos pre‑authentication to obtain encrypted authentication data and crack user passwords offline
