AS-REP Roasting is a credential theft technique targeting the Kerberos authentication protocol within Microsoft Active Directory environments. It is a critical concept for the CompTIA PenTest+ certification under the 'Attacks and Exploits' domain. The vulnerability arises when a user account has the property 'Do not require Kerberos preauthentication' enabled.
In a standard Kerberos exchange, a user must prove their identity before the Domain Controller (DC) issues a Ticket Granting Ticket (TGT). They do this by sending a timestamp encrypted with their password hash in the initial Authentication Service Request (AS-REQ). This step is called preauthentication.
However, if preauthentication is disabled for a specific account, the DC does not require this proof. An attacker—even one without domain credentials—can send an AS-REQ for that user, and the DC immediately responds with an AS-REP (Authentication Service Reply) message. Crucially, that reply contains an encrypted part (the portion carrying the session key) that is protected with the target user's password hash.
The attacker captures this encrypted data and takes it offline. Using cracking tools like Hashcat or John the Ripper, they perform a brute-force or dictionary attack to reveal the plaintext password. Because the cracking happens offline, it does not interact with the DC, meaning it avoids triggering account lockout policies or generating failed login logs.
Penetration testers often use tools like Rubeus (Windows) or Impacket’s GetNPUsers.py (Linux) to identify vulnerable accounts and extract the hashes. Mitigation involves auditing Active Directory to ensure 'Do not require Kerberos preauthentication' is unchecked for all users.
A Comprehensive Guide to AS-REP Roasting for CompTIA PenTest+
What is AS-REP Roasting?
AS-REP Roasting is an attack against the Kerberos authentication protocol within an Active Directory environment. It specifically targets user accounts that have the property "Do not require Kerberos preauthentication" enabled. Unlike many other Active Directory attacks, AS-REP Roasting does not necessarily require the attacker to have compromised a domain user account yet; they only need network connectivity to the Domain Controller.
Why is it Important?
This attack vector is critical because it represents low-hanging fruit for attackers seeking initial entry or privilege escalation. If an administrator creates an account and accidentally leaves pre-authentication disabled (or disables it for legacy application support), an attacker can request a piece of encrypted data (the AS-REP) for that user, take it offline, and crack the password. This exposes weak passwords to brute-force attacks without locking out the account.
How it Works: The Mechanism
The attack exploits the first step of the Kerberos handshake:
1. Identification: The attacker scans the domain to identify user accounts with the DONT_REQ_PREAUTH flag set.
2. Request (AS-REQ): The attacker sends an Authentication Service Request (AS-REQ) to the Key Distribution Center (KDC/Domain Controller) on behalf of the target user. Because pre-authentication is disabled, the KDC does not ask for the user's proof of identity (a timestamp encrypted with the user's hash) before answering.
3. Reply (AS-REP): The KDC responds with an AS-REP message. This message contains a Ticket Granting Ticket (TGT) and an encrypted part holding the session key; that encrypted part is protected with the target user's password hash.
4. Offline Cracking: The attacker captures this encrypted blob and uses tools like Hashcat or John the Ripper to brute-force it offline. If successful, they reveal the plaintext password.
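To make the pre-authentication gate concrete, here is a small model of the Authentication Service exchange. It is an added illustration and not code from this guide, Rubeus, Impacket or any Kerberos implementation: the "encryption" is a SHA-256 keystream XOR, the string-to-key function is a plain SHA-256 of the password, and the KDC is an in-memory dictionary. The error codes and the DONT_REQ_PREAUTH bit are the real RFC 4120 and userAccountControl values; everything else (account names, passwords, helper names) is made up for the demonstration.

```python
"""Toy model of the Kerberos AS exchange showing why pre-authentication matters.
Added example; the cipher, key derivation and KDC are deliberately simplified."""
import hashlib
import os
import time

KDC_ERR_PREAUTH_FAILED = 24         # RFC 4120: pre-authentication information was invalid
KDC_ERR_PREAUTH_REQUIRED = 25       # RFC 4120: additional pre-authentication required
UF_DONT_REQUIRE_PREAUTH = 0x400000  # userAccountControl bit behind the AD checkbox
MAX_CLOCK_SKEW = 300                # seconds; the usual Kerberos default of 5 minutes


def derive_key(password: str) -> bytes:
    """Toy string-to-key (real Kerberos uses the NT hash for RC4 or PBKDF2 for AES)."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def toy_encrypt(key: bytes, data: bytes) -> bytes:
    """Toy keystream cipher; XOR is symmetric, so the same call also decrypts."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(d ^ s for d, s in zip(data, stream))


class ToyKDC:
    def __init__(self):
        self.krbtgt_key = os.urandom(32)   # only the KDC knows this key
        self.accounts = {}                 # name -> {"key": bytes, "uac": int}

    def add_user(self, name: str, password: str, uac: int = 0):
        self.accounts[name] = {"key": derive_key(password), "uac": uac}

    def handle_as_req(self, user: str, pa_enc_timestamp: bytes = None, now: float = None):
        """Process an AS-REQ and return either an error or an AS-REP."""
        acct = self.accounts[user]
        now = time.time() if now is None else now
        if not acct["uac"] & UF_DONT_REQUIRE_PREAUTH:
            # Default path: the client must first prove it knows the key by sending
            # PA-ENC-TIMESTAMP, the current time encrypted under that key.
            if pa_enc_timestamp is None:
                return {"error": KDC_ERR_PREAUTH_REQUIRED}
            try:
                client_time = int(toy_encrypt(acct["key"], pa_enc_timestamp).decode("ascii"))
            except ValueError:             # wrong key decrypts to garbage, not a timestamp
                return {"error": KDC_ERR_PREAUTH_FAILED}
            if abs(client_time - now) > MAX_CLOCK_SKEW:
                return {"error": KDC_ERR_PREAUTH_FAILED}
        # Pre-auth passed, or the account does not require it (this model then ignores
        # any pa-data): build the AS-REP. The ticket is sealed with the krbtgt key, but
        # the enc-part holding the session key is sealed with the user's own key.
        session_key = os.urandom(32)
        ticket = toy_encrypt(self.krbtgt_key, b"TGT:" + user.encode() + session_key)
        enc_part = toy_encrypt(acct["key"], b"SESSION:" + session_key)
        return {"ticket": ticket, "enc_part": enc_part}


def demo():
    """Walk both paths with constructed accounts; returns a dict of outcomes."""
    kdc = ToyKDC()
    kdc.add_user("alice", "Winter2024!")                                   # pre-auth required
    kdc.add_user("svc_legacy", "Summer2023!", uac=UF_DONT_REQUIRE_PREAUTH)  # checkbox set
    now = 1_700_000_000
    bare_alice = kdc.handle_as_req("alice", now=now)
    stamp = toy_encrypt(derive_key("Winter2024!"), str(now).encode("ascii"))
    good_alice = kdc.handle_as_req("alice", pa_enc_timestamp=stamp, now=now)
    bare_svc = kdc.handle_as_req("svc_legacy", now=now)
    # The enc-part came back with no proof of identity and is keyed only by the
    # user's password, which is exactly what makes it guessable offline.
    opened = toy_encrypt(derive_key("Summer2023!"), bare_svc["enc_part"])
    return {
        "alice_without_preauth": bare_alice,
        "alice_with_preauth": good_alice,
        "svc_without_preauth": bare_svc,
        "svc_enc_part_opens_with_password_key": opened.startswith(b"SESSION:"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value if isinstance(value, bool) else sorted(value))
```

Running `demo()` shows the two behaviours side by side: the request for `alice` without a timestamp is refused with error 25, the same request with a correctly encrypted timestamp is answered, and the request for `svc_legacy` is answered with no proof at all, returning an enc-part that only the user's password-derived key opens.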
Common Tools
In a PenTest+ scenario, you will often see tools like Rubeus (Windows) or Impacket's GetNPUsers.py (Linux) used to perform this attack.
Exam Tips: Answering Questions on AS-REP Roasting
When facing questions about this topic on the exam, look for these specific indicators and strategies:
1. Keywords to Watch For: Look for phrases such as "Pre-authentication disabled," "Kerberos pre-auth," "GetNPUsers," or scenarios describing an attacker obtaining a hash without sending a password to the DC.
2. Differentiating from Kerberoasting: This is the most common confusion point. AS-REP Roasting targets user accounts with pre-authentication disabled and attacks the initial TGT request (no TGS request is involved). Kerberoasting targets service accounts (accounts with SPNs) and requires a valid domain user account to request a TGS (Ticket Granting Service) ticket for the service.
3. Remediation Answers: If the question asks how to fix this vulnerability, the correct answer is almost always: Enable Kerberos Pre-authentication for all users or enforce complex passwords that cannot be easily cracked offline.
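The remediation in the summary above and in this tip both come down to finding every enabled account that still has the flag set and clearing it. The audit below is an added example, not part of this guide or of any Microsoft tool: it works on a constructed, flattened directory export (made-up account names, real userAccountControl bit values) and shows how to test the DONT_REQ_PREAUTH bit and compute the corrected attribute value.

```python
"""Audit helper for the AS-REP Roasting mitigation: find accounts whose
userAccountControl has DONT_REQ_PREAUTH set and compute the cleared value.
Added example; SAMPLE_EXPORT is constructed and the names are fictitious."""

UF_ACCOUNTDISABLE = 0x0002          # account is disabled
UF_NORMAL_ACCOUNT = 0x0200          # 512, the default for a user object
UF_DONT_EXPIRE_PASSWD = 0x10000     # 65536
UF_DONT_REQUIRE_PREAUTH = 0x400000  # 4194304, 'Do not require Kerberos preauthentication'

# Constructed records resembling a flattened LDAP export of user objects.
SAMPLE_EXPORT = [
    {"sAMAccountName": "j.doe", "userAccountControl": UF_NORMAL_ACCOUNT},
    {"sAMAccountName": "svc_backup",
     "userAccountControl": UF_NORMAL_ACCOUNT | UF_DONT_REQUIRE_PREAUTH},
    {"sAMAccountName": "svc_old",
     "userAccountControl": UF_NORMAL_ACCOUNT | UF_DONT_REQUIRE_PREAUTH | UF_ACCOUNTDISABLE},
    {"sAMAccountName": "svc_print",
     "userAccountControl": UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD | UF_DONT_REQUIRE_PREAUTH},
]


def requires_no_preauth(uac: int) -> bool:
    """True when the 'Do not require Kerberos preauthentication' bit is set."""
    return bool(uac & UF_DONT_REQUIRE_PREAUTH)


def is_enabled(uac: int) -> bool:
    return not uac & UF_ACCOUNTDISABLE


def find_roastable(records, include_disabled: bool = False):
    """Names of accounts exposed to AS-REP Roasting, sorted for stable output.
    Disabled accounts are not issued tickets, so they are reported only on request
    (they still deserve cleanup before someone re-enables them)."""
    hits = []
    for rec in records:
        uac = int(rec["userAccountControl"])
        if requires_no_preauth(uac) and (include_disabled or is_enabled(uac)):
            hits.append(rec["sAMAccountName"])
    return sorted(hits)


def remediated_uac(uac: int) -> int:
    """The userAccountControl value to write back: same flags, pre-auth bit cleared."""
    return uac & ~UF_DONT_REQUIRE_PREAUTH


def audit_report(records):
    """Summary a reviewer can act on: exposed accounts and the values to set."""
    return {
        "exposed_enabled": find_roastable(records),
        "flagged_but_disabled": sorted(
            set(find_roastable(records, include_disabled=True)) - set(find_roastable(records))
        ),
        "fixes": {
            rec["sAMAccountName"]: remediated_uac(int(rec["userAccountControl"]))
            for rec in records
            if requires_no_preauth(int(rec["userAccountControl"]))
        },
    }


if __name__ == "__main__":
    for key, value in audit_report(SAMPLE_EXPORT).items():
        print(f"{key}: {value}")
```

On a live domain the same bit is what `Get-ADUser -Filter 'DoesNotRequirePreAuth -eq $true'` checks; the point of the script is to show that the fix is a single bit in userAccountControl, so clearing it leaves every other setting on the account (such as DONT_EXPIRE_PASSWD on `svc_print`) untouched.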
4. Attack Signature: If a log shows an AS-REQ followed immediately by an AS-REP without a prior encrypted timestamp validation, identify it as potential AS-REP Roasting activity.
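On a Windows domain controller the signature described in this tip shows up in Security event 4768 ("A Kerberos authentication ticket (TGT) was requested"), whose Pre-Authentication Type field is 0 when no pre-authentication was performed; AS-REP Roasting tools also commonly request RC4 (Ticket Encryption Type 0x17). The detection below is an added example that is not part of this guide or of any SIEM product: it parses constructed 4768 records (made-up accounts and addresses) and flags successful no-pre-auth TGT requests, grouping them by requesting client so that one host pulling replies for several accounts stands out.

```python
"""Detection logic for AS-REP Roasting over Windows event 4768 records.
Added example; the event text below is constructed, not captured from a DC."""
from collections import defaultdict

PREAUTH_NONE = 0        # Pre-Authentication Type 0: no pre-authentication performed
PREAUTH_ENC_TIMESTAMP = 2
ETYPE_RC4_HMAC = 0x17   # the etype roasting tools typically ask for
ETYPE_AES256 = 0x12

# Constructed 4768 records, one per block, in the flattened "Key: Value" form.
SAMPLE_4768_EVENTS = """\
Event ID: 4768
Account Name: j.doe
Supplied Realm Name: CORP.EXAMPLE
Client Address: ::ffff:10.0.0.25
Ticket Encryption Type: 0x12
Pre-Authentication Type: 2
Result Code: 0x0
---
Event ID: 4768
Account Name: svc_backup
Supplied Realm Name: CORP.EXAMPLE
Client Address: ::ffff:10.0.0.200
Ticket Encryption Type: 0x17
Pre-Authentication Type: 0
Result Code: 0x0
---
Event ID: 4768
Account Name: svc_print
Supplied Realm Name: CORP.EXAMPLE
Client Address: ::ffff:10.0.0.200
Ticket Encryption Type: 0x17
Pre-Authentication Type: 0
Result Code: 0x0
---
Event ID: 4768
Account Name: ghost
Supplied Realm Name: CORP.EXAMPLE
Client Address: ::ffff:10.0.0.200
Pre-Authentication Type: 0
Result Code: 0x6
"""


def parse_events(text: str):
    """Split the flattened export into dicts, keeping only 4768 records."""
    events = []
    for block in text.split("---"):
        fields = {}
        for line in block.strip().splitlines():
            key, sep, value = line.partition(":")   # first colon only; IPv6 keeps its colons
            if sep:
                fields[key.strip()] = value.strip()
        if fields.get("Event ID") == "4768":
            events.append(fields)
    return events


def detect_asrep_roasting(events):
    """Successful TGT requests that skipped pre-authentication."""
    findings = []
    for ev in events:
        if int(ev.get("Pre-Authentication Type", "-1")) != PREAUTH_NONE:
            continue
        if ev.get("Result Code") != "0x0":       # no AS-REP was issued
            continue
        etype = int(ev.get("Ticket Encryption Type", "0x0"), 16)
        findings.append({
            "account": ev["Account Name"],
            "client": ev.get("Client Address", ""),
            "etype": etype,
            "rc4": etype == ETYPE_RC4_HMAC,      # RC4 makes offline cracking cheaper
        })
    return findings


def summarize_by_client(findings):
    """Which accounts each client pulled replies for; several from one host is the tell."""
    by_client = defaultdict(set)
    for f in findings:
        by_client[f["client"]].add(f["account"])
    return {client: sorted(accts) for client, accts in by_client.items()}


def failed_no_preauth_by_client(events):
    """Failed no-pre-auth requests (for example unknown users) hint at user enumeration."""
    counts = defaultdict(int)
    for ev in events:
        if int(ev.get("Pre-Authentication Type", "-1")) == PREAUTH_NONE and ev.get("Result Code") != "0x0":
            counts[ev.get("Client Address", "")] += 1
    return dict(counts)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_4768_EVENTS)
    hits = detect_asrep_roasting(evs)
    print("roastable replies issued:", summarize_by_client(hits))
    print("failed no-pre-auth requests:", failed_no_preauth_by_client(evs))
```

The `j.doe` record is a normal logon (Pre-Authentication Type 2, AES) and is ignored; the two service accounts were answered without any pre-authentication from the same client, which is what the tip calls an AS-REQ followed immediately by an AS-REP with no encrypted-timestamp validation. A legitimately flagged legacy account will also produce type-0 events, so the useful alert condition is the combination: type 0, success, and one client touching several accounts.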