Learn AS-REP Roasting

 josh
(@josh)

Here’s a breakdown of AS-REP Roasting, a stealthy attack technique used against Active Directory environments:


🔍 What Is AS-REP Roasting?

AS-REP Roasting is a Kerberos-based attack that targets user accounts in Active Directory with Kerberos pre-authentication disabled. It allows attackers to request encrypted authentication responses (AS-REP messages) without needing the user’s password.


🧠 How It Works

  1. Kerberos Pre-authentication Disabled:

    • Normally, Kerberos requires users to prove their identity before receiving a ticket.
    • If pre-authentication is disabled, attackers can request a ticket without verifying credentials.
  2. Request AS-REP:

    • The attacker sends an AS-REQ (Authentication Service Request) for a vulnerable account.
  3. Receive AS-REP:

    • The domain controller responds with an AS-REP, which includes data encrypted with the user’s password hash.
  4. Offline Cracking:

    • The attacker extracts the encrypted portion and uses tools like Hashcat or John the Ripper to brute-force the password offline.

🛠️ Tools Commonly Used

  • Rubeus: For requesting AS-REP and extracting hashes.
  • Impacket: Python-based toolkit for network protocols.
  • Hashcat: For cracking password hashes.

⚠️ Why It’s Dangerous

  • No need for elevated privileges: Even low-privileged users can execute this attack.
  • Stealthy: Since cracking is done offline, it avoids detection during the attack phase.
  • Targets weak passwords: Especially effective against accounts with simple or reused passwords.

🛡️ How to Defend Against It

  • Enable Kerberos Pre-authentication for all accounts.
  • Audit Active Directory for accounts with pre-authentication disabled.
  • Use tools like Purple Knight or Semperis DSP to monitor and remediate vulnerabilities.
  • Set strong passwords and enforce password policies.


   
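The audit step from the defense list above, as an added example that is not part of the original post: it reads an LDIF export of user objects and reports accounts whose `userAccountControl` has the DONT_REQ_PREAUTH bit (0x400000) set, listing enabled accounts first. The sample entries, domain and account names are constructed, and the parser assumes plain `attr: value` lines without folding or base64 values.

```python
# userAccountControl bits (documented Active Directory flag values)
ACCOUNTDISABLE = 0x0002
DONT_EXPIRE_PASSWORD = 0x10000
DONT_REQ_PREAUTH = 0x400000  # Kerberos pre-authentication not required

# LDAP filter using the bitwise-AND matching rule, so the directory does the test.
LDAP_FILTER = ("(&(objectCategory=person)(objectClass=user)"
               f"(userAccountControl:1.2.840.113556.1.4.803:={DONT_REQ_PREAUTH}))")

# Constructed sample export; the domain and accounts are made up.
SAMPLE_LDIF = """\
dn: CN=Alice Example,OU=Staff,DC=example,DC=test
sAMAccountName: alice
userAccountControl: 512

dn: CN=Legacy Svc,OU=Service,DC=example,DC=test
sAMAccountName: svc-legacy
userAccountControl: 4260352

dn: CN=Old Contractor,OU=Staff,DC=example,DC=test
sAMAccountName: contractor1
userAccountControl: 4194818
"""

def parse_ldif(text):
    """Yield one dict per LDIF entry (simple 'attr: value' lines only)."""
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            key, sep, value = line.partition(": ")
            if sep:
                entry[key] = value
        if entry:
            yield entry

def audit_preauth(text):
    """Return findings for accounts that do not require pre-authentication."""
    findings = []
    for entry in parse_ldif(text):
        uac = int(entry.get("userAccountControl", "0"))
        if not uac & DONT_REQ_PREAUTH:
            continue
        findings.append({
            "account": entry.get("sAMAccountName", entry.get("dn", "?")),
            "enabled": not uac & ACCOUNTDISABLE,
            "password_never_expires": bool(uac & DONT_EXPIRE_PASSWORD),
        })
    # Enabled accounts first: those are the ones exposed right now.
    return sorted(findings, key=lambda f: not f["enabled"])
```

Calling `audit_preauth(SAMPLE_LDIF)` returns the two flagged accounts; `LDAP_FILTER` can be used to produce the export from the directory in the first place.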