AS-REP Roasting
Accounts configured with "Do not require Kerberos pre-authentication" hand out password-encrypted data to anyone who asks -- no valid credentials needed.
When you log in to a Windows network using Kerberos, the domain controller first checks that you know your password before sending you a ticket. This is called "pre-authentication." But some accounts have a setting called "Do not require Kerberos pre-authentication" enabled. For these accounts, the domain controller skips the password check and sends back encrypted data immediately -- to anyone who asks. The encrypted data contains information locked with the account's password hash. An attacker can take this data offline and use cracking tools to discover the password. Unlike Kerberoasting, the attacker does not even need a valid domain account to perform this attack -- they just need to know the username.
Most mailboxes require a key to open -- you must prove you own the mailbox before retrieving mail. But some mailboxes are left unlocked: anyone walking by can reach in and grab a letter. The letter itself is sealed (encrypted), but you can take it home and try to open it at your leisure. AS-REP Roasting targets AD accounts where Kerberos pre-authentication is disabled -- the "mailbox is unlocked." The attacker sends an authentication request and receives encrypted data back without proving any identity. They then crack the encryption offline to recover the account's password.
Key Takeaways
- Accounts without pre-auth give attackers encrypted data without any credentials.
- The attack can be performed from outside the domain -- no authenticated access needed.
- LDAP filter (userAccountControl:1.2.840.113556.1.4.803:=4194304) finds all vulnerable accounts.
- The fix is simple: remove the "Do not require Kerberos pre-authentication" flag.
- Monitor Event ID 4768 with PreAuthType 0 for detection.
AS-REP Roasting is dangerous because it requires no credentials at all to execute. Even a single misconfigured account can provide an attacker with an initial foothold in the domain.
Defense Recommendations
Remove the pre-authentication exemption from all accounts and monitor for attempts.
1. Audit all accounts: Get-ADUser -Filter {DoesNotRequirePreAuth -eq $true} -Properties DoesNotRequirePreAuth.
2. Remove the flag: Set-ADAccountControl -Identity $user -DoesNotRequirePreAuth $false.
3. If an application requires no pre-auth, set a 25+ character random password on that account.
4. Monitor Event ID 4768 for requests with PreAuthType 0 from unexpected sources.
5. Consider network monitoring on port 88 for AS-REQ packets lacking PA-ENC-TIMESTAMP.
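The detection in step 4, worked through as an added example (not code from the original page): it parses Security-log 4768 events in their XML form, flags TGT requests with PreAuthType 0 that come from hosts other than the ones known to need the exemption, and counts hits per source IP so that one machine sweeping every exempt account stands out. The event samples, account names, IP addresses and the allowlist are constructed for the example.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Namespace used by Windows event XML (as returned by EventLogRecord.ToXml()).
NS = "http://schemas.microsoft.com/win/2004/08/events/event"


def _local(tag):
    """Strip the event XML namespace from a tag name."""
    return tag.rsplit("}", 1)[-1]


def parse_event(xml_text):
    """Return {"EventID": ..., <EventData Name>: <text>, ...} for one event."""
    fields = {}
    for node in ET.fromstring(xml_text).iter():
        name = _local(node.tag)
        if name == "EventID":
            fields["EventID"] = (node.text or "").strip()
        elif name == "Data" and node.get("Name"):
            fields[node.get("Name")] = (node.text or "").strip()
    return fields


def find_asrep_roast(xml_events, expected_sources=frozenset()):
    """Flag 4768 TGT requests that skipped pre-authentication (PreAuthType 0)
    unless they come from a source IP on the allowlist of hosts that are
    known to use an exempt account."""
    hits = []
    for raw in xml_events:
        ev = parse_event(raw)
        if ev.get("EventID") != "4768" or ev.get("PreAuthType") != "0":
            continue
        ip = ev.get("IpAddress", "").replace("::ffff:", "")  # strip IPv4-mapped prefix
        if ip in expected_sources:
            continue
        hits.append({"user": ev.get("TargetUserName"), "ip": ip,
                     "etype": ev.get("TicketEncryptionType")})
    return hits


def sources_by_volume(hits):
    """Count flagged requests per source IP: one IP hitting several
    different accounts is the pattern of a roasting sweep, not an app."""
    return Counter(h["ip"] for h in hits)


def _event(user, preauth, etype, ip):
    # Constructed sample in the shape of a Security-log 4768 event (not a real capture).
    return (f'<Event xmlns="{NS}"><System><EventID>4768</EventID></System>'
            f'<EventData><Data Name="TargetUserName">{user}</Data>'
            f'<Data Name="PreAuthType">{preauth}</Data>'
            f'<Data Name="TicketEncryptionType">{etype}</Data>'
            f'<Data Name="IpAddress">::ffff:{ip}</Data></EventData></Event>')


SAMPLE_EVENTS = [  # constructed sample log data
    _event("alice", "2", "0x12", "10.0.0.15"),       # normal: PA-ENC-TIMESTAMP pre-auth
    _event("svc_legacy", "0", "0x17", "10.0.0.20"),  # exempt account from its known app host
    _event("svc_legacy", "0", "0x17", "10.0.0.99"),  # same account, unknown source
    _event("svc_backup", "0", "0x17", "10.0.0.99"),  # second exempt account, same source
]
```

Run against real data by feeding the output of Get-WinEvent's ToXml() for Event ID 4768; the allowlist should contain only the hosts documented in step 3 as needing the exemption.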