
AS-REP Roasting

Exploiting Accounts Without Pre-Authentication

Accounts with Kerberos pre-authentication disabled give attackers encrypted material to crack offline — no domain credentials needed.

Difficulty: Intermediate
Duration: ~5 min
MITRE ATT&CK: T1558.004

Prerequisites:
Network access to a domain controller (port 88)
A list of valid domain usernames (from OSINT or prior enumeration)
Impacket or Rubeus for ticket extraction
Step 1 of 4: Enumerate Vulnerable Accounts

Step 1: Find Accounts Without Pre-Auth

Query AD for user accounts that have the "Do not require Kerberos pre-authentication" flag set (the DONT_REQ_PREAUTH bit, 0x400000, in userAccountControl). For these accounts the KDC answers any AS-REQ with an AS-REP whose encrypted part is keyed from the account's password, so it hands out crackable data to anyone who asks.

We are finding accounts where the domain controller skips password verification before sending back encrypted data. Think of it as finding unlocked mailboxes.
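The check described above, written from the audit side as an added example (not code from the original page): it builds the LDAP filter that selects accounts with the DONT_REQ_PREAUTH bit set and evaluates the same bit on records already exported from the directory, so it runs offline on constructed sample data. Feeding it live results from your own LDAP client (for example ldap3) is assumed, not shown.

```python
"""Audit helper: find AD accounts with Kerberos pre-authentication disabled.

Added example, not code from the original page. Operates on account records
(sAMAccountName + userAccountControl) that an LDAP client has already fetched,
so it runs offline against the constructed sample below.
"""

# userAccountControl bits (values from Microsoft documentation)
DONT_REQ_PREAUTH = 0x400000   # 4194304: "Do not require Kerberos preauthentication"
ACCOUNTDISABLE = 0x0002       # account is disabled

# LDAP extensible-match rule for bitwise AND on integer attributes
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"


def preauth_disabled_filter(include_disabled=False):
    """Return the LDAP filter that selects user accounts with pre-auth disabled.

    By default disabled accounts are excluded, since they cannot obtain a TGT
    and are therefore not roastable; pass include_disabled=True to list them too.
    """
    clauses = [
        "(objectCategory=person)",
        "(objectClass=user)",
        f"(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={DONT_REQ_PREAUTH})",
    ]
    if not include_disabled:
        clauses.append(
            f"(!(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={ACCOUNTDISABLE}))"
        )
    return "(&" + "".join(clauses) + ")"


def audit_preauth(accounts):
    """Return every account whose userAccountControl has DONT_REQ_PREAUTH set.

    accounts: iterable of dicts with 'sAMAccountName' and 'userAccountControl'.
    Each finding records whether the account is enabled (enabled accounts are
    the ones that actually hand out AS-REP material) and the remediation cmdlet.
    """
    findings = []
    for acct in accounts:
        uac = int(acct["userAccountControl"])
        if uac & DONT_REQ_PREAUTH:
            findings.append({
                "sAMAccountName": acct["sAMAccountName"],
                "enabled": not (uac & ACCOUNTDISABLE),
                # Set-ADAccountControl -DoesNotRequirePreAuth is the RSAT cmdlet
                # that clears the flag; re-run the audit after applying it.
                "remediation": "Set-ADAccountControl -DoesNotRequirePreAuth $false",
            })
    return findings


# Constructed sample directory export (hypothetical accounts, not real data).
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "svc_backup", "userAccountControl": 0x400200},  # NORMAL_ACCOUNT | DONT_REQ_PREAUTH
    {"sAMAccountName": "jsmith", "userAccountControl": 0x200},         # NORMAL_ACCOUNT only
    {"sAMAccountName": "old_app", "userAccountControl": 0x400202},     # pre-auth off, but disabled
]

if __name__ == "__main__":
    print(preauth_disabled_filter())
    for finding in audit_preauth(SAMPLE_ACCOUNTS):
        print(finding)
```

The filter uses the bitwise-AND matching rule rather than an equality test because userAccountControl is a bit field; a plain `userAccountControl=4194304` would miss every account that also has NORMAL_ACCOUNT set, which is all of them.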

Detection Events
4662 (An operation was performed on an object): LDAP query for accounts without preauth. This event is only generated when Directory Service Access auditing is enabled and a SACL covers the queried user objects.
Attack Flow diagram: "LDAP Enum" step between the Attacker, the KDC (DC) and the App Server; legend: Request, Response, Attack, Data.
Source

Content sourced from Microsoft Documentation, MITRE ATT&CK Framework, NIST SP 800-63/171, adsecurity.org (Sean Metcalf), SpecterOps research, and SANS Reading Room. For educational purposes only.