AS-REP Roasting

An In-Depth Analysis of Attack Techniques and Mitigation Strategies


In recent years, the cybersecurity landscape has witnessed a surge in novel attack techniques that target authentication mechanisms in Windows environments. Kerberos Authentication Service Response (AS-REP) Roasting, a technique similar to Kerberoasting, has gained prominence as a method for attackers to compromise Active Directory (AD) authentication systems. This article provides an in-depth analysis of AS-REP Roasting, the tools attackers commonly employ, and effective mitigation strategies to defend against this threat.


Understanding AS-REP Roasting

AS-REP Roasting is an attack technique that targets the Kerberos authentication protocol, which is a fundamental component of Microsoft’s Active Directory. Kerberos is used to authenticate users and services within a Windows domain environment. AS-REP Roasting takes advantage of a vulnerability in how Kerberos processes certain types of authentication requests, enabling attackers to retrieve password hashes for user accounts with pre-authentication disabled.

Pre-authentication is a security feature in Kerberos that requires users to prove their identity before attempting to authenticate. However, certain accounts, such as service accounts, might have pre-authentication disabled for legitimate reasons. Attackers exploit this by sending a specific type of request to the domain controller, asking for a “ticket” for a specific user account. The domain controller responds with an encrypted ticket that contains the user’s password hash, which can then be decrypted offline by the attacker. The technical difference from Kerberoasting lies in the message exchanges involved: a Kerberoasting attack uses both AS-REQ/AS-REP and TGS-REQ/TGS-REP, while AS-REP Roasting uses only AS-REQ/AS-REP. That is because Kerberoasting requests a Service Account Authorization Ticket, whereas AS-REP Roasting only requests a Kerberos Authentication Ticket.
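To see which accounts are exposed in the way described above, a defender can check the "do not require Kerberos preauthentication" bit of each account's userAccountControl attribute. The following is an added example, not code from the original article; the LDIF export and the account names in it are constructed, and the parser assumes simple unfolded `key: value` lines.

```python
# Added example: audit an LDIF export for accounts with Kerberos
# pre-authentication disabled. All sample data below is constructed.
DONT_REQ_PREAUTH = 0x400000  # userAccountControl bit: pre-auth not required
ACCOUNTDISABLE = 0x2         # userAccountControl bit: account is disabled

# Constructed sample export (hypothetical accounts and domain).
SAMPLE_LDIF = """\
dn: CN=svc-backup,OU=Service,DC=example,DC=test
sAMAccountName: svc-backup
userAccountControl: 4260352

dn: CN=alice,OU=Staff,DC=example,DC=test
sAMAccountName: alice
userAccountControl: 512

dn: CN=old-scanner,OU=Service,DC=example,DC=test
sAMAccountName: old-scanner
userAccountControl: 4194818
"""


def parse_ldif(text):
    """Yield one attribute dict per blank-line-separated LDIF record."""
    for block in text.strip().split("\n\n"):
        record = {}
        for line in block.splitlines():
            key, sep, value = line.partition(": ")
            if sep:  # assumption: no folded or base64 ("::") values
                record[key] = value
        if record:
            yield record


def audit_preauth(text):
    """Return (enabled, disabled) account names that have DONT_REQ_PREAUTH set."""
    exposed, dormant = [], []
    for rec in parse_ldif(text):
        uac = int(rec.get("userAccountControl", "0"))
        if not uac & DONT_REQ_PREAUTH:
            continue  # pre-authentication is enforced for this account
        name = rec.get("sAMAccountName", rec.get("dn", "?"))
        (dormant if uac & ACCOUNTDISABLE else exposed).append(name)
    return exposed, dormant


if __name__ == "__main__":
    exposed, dormant = audit_preauth(SAMPLE_LDIF)
    print("enabled, pre-auth disabled :", exposed)
    print("disabled, pre-auth disabled:", dormant)
```

Enabled accounts in the first list are the ones to fix first; disabled accounts in the second list become exposed again if they are ever re-enabled.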

Tools Employed by Attackers

Several tools are commonly used by attackers to perform AS-REP Roasting attacks:

  1. Rubeus: a powerful post-exploitation tool that attackers can use to interact with Kerberos tickets and perform AS-REP Roasting attacks. It allows attackers to request service tickets for accounts with pre-authentication disabled.
  2. Impacket: a collection of Python scripts that facilitate network protocol exploitation. The GetNPUsers.py script within Impacket can be used to perform AS-REP Roasting attacks and retrieve password hashes.
  3. CrackMapExec: scripts to automate various post-exploitation tasks, including AS-REP Roasting. It can request service tickets and crack the resulting password hashes.
  4. Mimikatz: although primarily known for its credential dumping capabilities, Mimikatz can also be used to perform AS-REP Roasting attacks.

Example of AS-REP Roasting

There are two distinct methods by which the attack can be executed. In the scenario where the account’s username is known or guessed, the AS-REP Roasting technique can be leveraged by utilizing solely the account name. This approach empowers malicious entities to systematically probe widely-used names, employing brute-force strategies to potentially unveil usernames. A concrete representation of this concept can be observed in Figure 1, wherein the developers of CrackMapExec provide an example of an AS-REP Roasting attack.

Figure 1: Unauthenticated AS-REP Roasting

Conversely, an alternative approach to executing the attack involves authentication. If active credentials are accessible within a specific domain, this avenue enables the acquisition of hash values for susceptible accounts, thereby laying bare their vulnerabilities. This process is demonstrated in Figure 2, depicting the outcome of an authentication-based attack.

Figure 2: Authenticated AS-REP Roasting

Mitigation Techniques

To defend against AS-REP Roasting attacks and similar Kerberoasting techniques, organizations should implement a combination of proactive measures and monitoring practices:

  1. Enable Pre-Authentication: Enforce pre-authentication for all user accounts, especially service accounts. This prevents attackers from exploiting the vulnerability that AS-REP Roasting relies upon.
  2. Implement Credential Hygiene: Enforce strong password complexity and regularly rotate passwords for service accounts and privileged users. This reduces the window of opportunity for attackers to exploit password hashes.
  3. Monitor Event Logs: Monitor domain controller event logs for suspicious activity related to Kerberos ticket requests. Detecting and investigating abnormal patterns can help identify potential AS-REP Roasting attempts. The following criteria can be used to identify AS-REP Roasting within the Microsoft Windows Event Log:
     • Event ID = 4768 and 4625
     • Ticket Encryption Type = 0x17
     • Ticket Options = 0x5080000
     • Service Name = krbtgt
  4. Network Segmentation: Segmenting the network can limit lateral movement for attackers. Restricting access to sensitive systems reduces the potential impact of an AS-REP Roasting attack.
  5. Use Intrusion Detection Systems (IDS): Deploy IDS solutions that are capable of detecting Kerberoasting attempts. These systems can raise alerts when abnormal ticket requests are detected.
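The event-log criteria from the monitoring item above, applied to parsed Security log records and grouped by requesting client, as an added example that is not part of the original article. The events are constructed samples, the dictionary keys follow the EventData field names of event 4768, and only the 4768 criteria are evaluated.

```python
from collections import defaultdict

# Constructed sample records (hypothetical accounts and addresses).
EVENTS = [
    {"EventID": "4768", "TargetUserName": "svc-backup", "ServiceName": "krbtgt",
     "TicketOptions": "0x5080000", "TicketEncryptionType": "0x17",
     "IpAddress": "::ffff:10.0.5.23"},
    {"EventID": "4768", "TargetUserName": "svc-print", "ServiceName": "krbtgt",
     "TicketOptions": "0x05080000", "TicketEncryptionType": "0x17",
     "IpAddress": "::ffff:10.0.5.23"},
    # Ordinary logon: different options and an AES encryption type.
    {"EventID": "4768", "TargetUserName": "alice", "ServiceName": "krbtgt",
     "TicketOptions": "0x40810010", "TicketEncryptionType": "0x12",
     "IpAddress": "::ffff:10.0.7.8"},
    # Service ticket request (4769): outside the criteria even with 0x17.
    {"EventID": "4769", "TargetUserName": "bob", "ServiceName": "HTTP/web01",
     "TicketOptions": "0x40810000", "TicketEncryptionType": "0x17",
     "IpAddress": "::ffff:10.0.7.9"},
]


def matches(event):
    """True when every 4768 criterion listed in the article holds."""
    try:
        return (event["EventID"] == "4768"
                and event["ServiceName"].lower() == "krbtgt"
                # Compare numerically so zero-padded hex still matches.
                and int(event["TicketEncryptionType"], 16) == 0x17
                and int(event["TicketOptions"], 16) == 0x5080000)
    except (KeyError, ValueError):
        return False  # incomplete or malformed record: not a match


def suspects_by_source(events):
    """Map client address -> sorted account names from matching requests."""
    hits = defaultdict(set)
    for ev in events:
        if matches(ev):
            hits[ev.get("IpAddress", "unknown")].add(ev.get("TargetUserName", "?"))
    return {ip: sorted(users) for ip, users in hits.items()}


if __name__ == "__main__":
    for ip, users in suspects_by_source(EVENTS).items():
        print(f"{ip}: {len(users)} account(s) requested: {', '.join(users)}")
```

One client address requesting tickets for several accounts in a short period is a stronger signal than a single matching event.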

Conclusion

AS-REP Roasting is a sophisticated attack technique that targets weaknesses in the Kerberos authentication protocol, allowing attackers to compromise user account password hashes. Understanding the mechanics of AS-REP Roasting and the tools attackers use is crucial for building effective defenses. By implementing a combination of technical measures, security best practices, and proactive monitoring, organizations can significantly reduce the risk of falling victim to AS-REP Roasting and similar authentication-based attacks. Regular security assessments and staying informed about emerging threats are also essential components of a robust cybersecurity strategy.


Kyle Thompson, Sr. Penetration Tester at Redbot Security

Kyle brings over seven years of experience in cybersecurity focusing on network penetration testing, social engineering, and physical security assessments. Kyle attended Ferris State University, graduating with a bachelor's degree in "Information Security and Intelligence" and actively holds Security+ and Network+ certifications. Kyle was the fastest in his previous company's history to go from a junior-level penetration tester to a senior.

Kyle helps clients uncover hidden exposures and gain fresh insights that improve their security posture by keeping up to date with cutting edge attacks.
