Understanding Kerberos Pre-Authentication
In an Active Directory environment, Kerberos is the primary authentication protocol.
The authentication process begins when a client sends an AS-REQ (Authentication Service Request) to the Domain Controller (DC). If everything is correct, the DC responds with an AS-REP (Authentication Service Reply) containing two critical items:
- A session key
- A Ticket Granting Ticket (TGT)
Before issuing this response, Kerberos normally performs pre-authentication. In simple terms, the user must prove knowledge of their password before the DC sends back any encrypted material. This design prevents attackers from capturing Kerberos responses and performing offline password guessing attacks.
Pre-authentication is one of the key defensive controls in Kerberos.
What Is AS-REP Roasting?
AS-REP Roasting becomes possible when Kerberos pre-authentication is disabled for a user account.
If a user has the “Do not require Kerberos preauthentication” flag enabled, the Domain Controller will respond to an AS-REQ without validating the user first. This means:
- An attacker can send an AS-REQ on behalf of that user.
- The DC replies with an AS-REP containing data encrypted with the user’s password.
- The attacker captures this encrypted response.
- The password can then be cracked offline, without further interaction with the domain.
This attack is known as AS-REP Roasting.
By default, this risky setting is disabled for all Active Directory users. However, if it is manually enabled for any account, that account becomes vulnerable.
AS-REP Roasting can be performed from both Linux and Windows systems. Below, we explore both approaches from a red team operator’s point of view.
Scenario 1: AS-REP Roasting from Kali Linux
On Kali Linux, we typically use Impacket, a popular toolkit for interacting with Windows protocols.
Step 1: Request the AS-REP Hash
The GetNPUsers.py tool allows us to request AS-REP responses for users who do not require pre-authentication.
Key parameters:
- -dc-ip: IP address of the Domain Controller
- -request: Actively request a TGT
- -outputfile: Save the extracted hash
- Target format: domain/username
Example command:
impacket-GetNPUsers -dc-ip 192.168.50.70 -request -outputfile hashes.asreproast corp.com/pete
If the attack is successful, Impacket will return user information and store the AS-REP hash in the specified file. This confirms that the “Do not require Kerberos preauthentication” option is enabled for that user.
Step 2: Identify the Correct Hashcat Mode
Before cracking the hash, we need the correct Hashcat mode. Searching for Kerberos AS-REP support reveals:
18200 | Kerberos 5, etype 23, AS-REP
This is the mode used for classic AS-REP Roasting hashes.
Step 3: Crack the Hash Offline
Using Hashcat with a wordlist:
hashcat -m 18200 hashes.asreproast /usr/share/wordlists/rockyou.txt -r best64.rule --force
If the password is weak, it will eventually be recovered. In this example, the cracked password is:
Flowers1
At this point, the attacker has obtained valid domain credentials without ever authenticating to the DC as that user.
AS-REP Roasting from Windows
From a Windows system, especially one already joined to the domain, Rubeus is the tool of choice. Rubeus provides low-level, raw interaction with Kerberos.
Step 1: Run Rubeus
After transferring Rubeus to a domain-joined machine (for example, via RDP access), run:
.\Rubeus.exe asreproast /nowrap
What happens here:
- Rubeus automatically builds AS-REQ messages without pre-authentication.
- The /nowrap flag ensures clean output suitable for cracking.
- No extra parameters are required if the current session is already authenticated to the domain.
If successful, Rubeus outputs the AS-REP hash directly in the terminal.
Step 2: Crack the Hash
The extracted hash can be cracked using Hashcat, exactly as in the Linux scenario, using mode 18200.
Enumerating Vulnerable Accounts
Sometimes, the goal is not immediate exploitation but finding vulnerable users.
Linux Enumeration
Using Impacket without requesting a TGT:
impacket-GetNPUsers corp.com/ -dc-ip 192.168.50.70
This lists users who have Kerberos pre-authentication disabled.
Windows Enumeration
From a Windows attack host, PowerView can be used:
Get-DomainUser -PreauthNotRequired
This command identifies accounts where the dangerous setting is enabled.
Targeted AS-REP Roasting (Privilege Abuse)
What if no users have pre-authentication disabled?
During enumeration, you might discover that you have GenericWrite or GenericAll permissions over another user account. These permissions allow modification of the account’s User Account Control (UAC) attributes.
From a red team perspective, this opens a powerful option:
- Temporarily disable Kerberos pre-authentication for the target user.
- Perform AS-REP Roasting to extract the Kerberos hash.
- Crack the hash offline.
- Restore the original UAC settings to avoid leaving suspicious changes behind.
This technique is known as Targeted AS-REP Roasting and is especially valuable in lateral movement and privilege escalation chains.
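As an added detection example (not from the original post and not any tool's own output), the following Python walks constructed Security events shaped like Windows event 4768 (Kerberos TGT requested) and 4738 (user account changed) and flags both footprints described above: a TGT issued with Pre-Authentication Type 0, and the "Don't Require Preauth" flag being toggled on an account, which is the precursor of the targeted variant. The abbreviated field names, the account names other than pete, and the source address are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events shaped like the relevant Windows Security events;
# the field names are this example's own abbreviations, not the raw XML names.
EVENTS = [
    {"ts": "2024-03-01T09:00:00", "id": 4738, "account": "jen", "subject": "dave",
     "uac_change": "'Don't Require Preauth' - Enabled"},
    {"ts": "2024-03-01T09:00:40", "id": 4768, "account": "jen", "preauth_type": "0",
     "status": "0x0", "etype": "0x17", "src": "192.168.50.71"},
    {"ts": "2024-03-01T09:01:10", "id": 4738, "account": "jen", "subject": "dave",
     "uac_change": "'Don't Require Preauth' - Disabled"},
    {"ts": "2024-03-01T09:05:00", "id": 4768, "account": "pete", "preauth_type": "0",
     "status": "0x0", "etype": "0x17", "src": "192.168.50.71"},
    {"ts": "2024-03-01T09:06:00", "id": 4768, "account": "alice", "preauth_type": "2",
     "status": "0x0", "etype": "0x12", "src": "192.168.50.20"},
]

FLAG = "'Don't Require Preauth'"  # the UAC change text event 4738 reports

def find_asrep_roasting(events, window=timedelta(minutes=10)):
    """Return (account, severity, reason) for each suspicious event, in time order."""
    findings = []
    flipped_at = {}  # account -> time the pre-auth requirement was switched off
    for ev in sorted(events, key=lambda e: e["ts"]):
        when = datetime.fromisoformat(ev["ts"])
        if ev["id"] == 4738 and FLAG in ev.get("uac_change", ""):
            # "Enabled" means the *no pre-auth* flag was set, i.e. pre-auth turned off
            if ev["uac_change"].endswith("Enabled"):
                flipped_at[ev["account"]] = when
                findings.append((ev["account"], "high",
                                 f"pre-authentication disabled by {ev['subject']}"))
            else:
                findings.append((ev["account"], "medium",
                                 f"pre-authentication re-enabled by {ev['subject']}"))
        elif ev["id"] == 4768 and ev.get("preauth_type") == "0" and ev.get("status") == "0x0":
            # A TGT was issued with no pre-auth: the AS-REP an attacker cracks offline.
            # etype 0x17 is RC4, the "etype 23" that hashcat mode 18200 expects.
            recent = ev["account"] in flipped_at and when - flipped_at[ev["account"]] <= window
            findings.append((ev["account"], "critical" if recent else "high",
                             ("targeted: flag flipped, then TGT requested" if recent
                              else "TGT issued without pre-authentication")
                             + f" (etype {ev['etype']}, from {ev['src']})"))
    return findings

if __name__ == "__main__":
    for account, severity, reason in find_asrep_roasting(EVENTS):
        print(f"[{severity}] {account}: {reason}")
```

Filtering 4768 on Status 0x0 limits the check to TGTs the DC actually issued; in a real pipeline the events would come from the Domain Controller's Security log rather than the inline list.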