AS-REP roasting (MITRE ATT&CK T1558.004) is an Active Directory attack in which an attacker requests a Kerberos AS-REP for an account that has pre-authentication disabled and cracks the encrypted part of the response offline to recover that account's password.
Because the cracking happens offline after the response is captured, the attacker can guess passwords at full speed without producing failed logon attempts or account lockouts on the domain controller. The only trace on the DC is the single, successful ticket request.
AS-REP roasting specifically targets user or service accounts configured without Kerberos pre-authentication, that is, accounts with the "Do not require Kerberos preauthentication" option set (the DONT_REQ_PREAUTH bit in userAccountControl).
In a standard Active Directory environment, Kerberos pre-authentication requires the client to include in its AS-REQ a current timestamp encrypted with a key derived from the user's password. The KDC decrypts and validates that timestamp before it issues anything, so a client that does not know the password gets only an error, never any material it could crack.
When pre-authentication is disabled for an account, anyone with network access to a domain controller can send an AS-REQ naming that account and receive an Authentication Service Response (AS-REP). No valid credentials are needed, only the account name.
Part of the AS-REP is encrypted with the account's long-term key, which is derived from its password. Attackers typically ask the KDC for the RC4-HMAC encryption type (etype 23) because it is the cheapest to crack, then save the encrypted blob locally in a cracker-friendly format such as $krb5asrep$23$user@REALM:....
Attackers then run offline dictionary or brute-force attacks against that blob with tools such as hashcat (mode 18200) or John the Ripper (the krb5asrep format); each candidate password is turned into a key and tested against the captured data.
AS-REP roasting and Kerberoasting are related Active Directory credential attacks, but they target different Kerberos mechanisms.
| Attack Technique | Target Requirement | Extracted Component |
| --- | --- | --- |
| AS-REP Roasting | Kerberos pre-authentication disabled on the account | Encrypted part of the AS-REP, keyed with the user account's password |
| Kerberoasting | Service Principal Name (SPN) configured on the account | Encrypted service ticket (TGS-REP) data, keyed with the service account's password |
Because the guessing happens offline, the domain controller sees only the initial ticket request, not the password attempts. Account lockout thresholds and failed-logon monitoring therefore do not slow the attack; only the strength of the password does.
If attackers successfully recover credentials, they may attempt unauthorized access, lateral movement, privilege escalation, or further domain compromise, depending on the account's permissions.
Security teams commonly monitor Kerberos authentication activity and Windows security events to identify suspicious AS-REP requests. The key record is Security event 4768 ("A Kerberos authentication ticket (TGT) was requested") with Pre-Authentication Type 0, which means a TGT was issued without any pre-authentication; a Ticket Encryption Type of 0x17 (RC4-HMAC) on such an event is a further sign of roasting, since attack tools request RC4 deliberately.
A single host requesting TGTs for several pre-authentication-disabled accounts in a short window, especially from a workstation rather than the server that normally uses those accounts, typically indicates reconnaissance or an active roasting sweep.
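The detection logic described above, run over sample log lines. This is an added example and not code from the original page: the event records are constructed to mimic the EventData fields of Windows Security event 4768 (TargetUserName, PreAuthType, TicketEncryptionType, IpAddress, Status), and the source IPs, account names and the two-account sweep threshold are assumptions for illustration.

```python
"""Flag possible AS-REP roasting in Windows Security event 4768 records.

Added example, not code from the original page. The records below are
constructed and mimic the EventData fields of event 4768 ("A Kerberos
authentication ticket (TGT) was requested"): TargetUserName, ServiceName,
PreAuthType, TicketEncryptionType, IpAddress and Status. In production the
records would come from a SIEM or a Get-WinEvent export instead.
"""
from collections import defaultdict

RC4_HMAC = "0x17"   # etype 23; roasting tools ask for it because it cracks fastest
NO_PREAUTH = "0"    # PreAuthType 0 = no pre-authentication data in the AS-REQ
SUCCESS = "0x0"     # Status 0x0 = the KDC issued the TGT

# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    # Normal interactive logon: PA-ENC-TIMESTAMP (type 2) with AES256.
    {"EventID": 4768, "TargetUserName": "alice", "ServiceName": "krbtgt",
     "PreAuthType": "2", "TicketEncryptionType": "0x12",
     "IpAddress": "::ffff:10.0.0.21", "Status": SUCCESS},
    # Two no-preauth accounts requested from the same host with RC4: a roasting sweep.
    {"EventID": 4768, "TargetUserName": "svc_backup", "ServiceName": "krbtgt",
     "PreAuthType": NO_PREAUTH, "TicketEncryptionType": RC4_HMAC,
     "IpAddress": "::ffff:10.0.0.99", "Status": SUCCESS},
    {"EventID": 4768, "TargetUserName": "legacy_app", "ServiceName": "krbtgt",
     "PreAuthType": NO_PREAUTH, "TicketEncryptionType": RC4_HMAC,
     "IpAddress": "::ffff:10.0.0.99", "Status": SUCCESS},
    # Failed logon (bad password, 0x18) with pre-auth: noisy, but not roasting.
    {"EventID": 4768, "TargetUserName": "bob", "ServiceName": "krbtgt",
     "PreAuthType": "2", "TicketEncryptionType": "0x12",
     "IpAddress": "::ffff:10.0.0.30", "Status": "0x18"},
    # No-preauth account using AES from its usual app server: still worth reviewing.
    {"EventID": 4768, "TargetUserName": "svc_legacy", "ServiceName": "krbtgt",
     "PreAuthType": NO_PREAUTH, "TicketEncryptionType": "0x12",
     "IpAddress": "::ffff:10.0.0.50", "Status": SUCCESS},
]


def normalize_ip(ip):
    """Strip the IPv4-mapped IPv6 prefix Windows writes into IpAddress."""
    return ip[7:] if ip.startswith("::ffff:") else ip


def find_no_preauth_tgts(events):
    """Return 4768 events where a TGT was issued with no pre-authentication.

    Each such event means the KDC handed out material encrypted with the
    account's password-derived key to a client that proved nothing.
    """
    return [ev for ev in events
            if ev.get("EventID") == 4768
            and ev.get("PreAuthType") == NO_PREAUTH
            and ev.get("Status") == SUCCESS]


def summarize_by_source(events):
    """Map each requesting host to the sorted list of no-preauth accounts it asked for."""
    by_ip = defaultdict(set)
    for ev in find_no_preauth_tgts(events):
        by_ip[normalize_ip(ev["IpAddress"])].add(ev["TargetUserName"])
    return {ip: sorted(users) for ip, users in by_ip.items()}


def build_alerts(events, sweep_threshold=2):
    """Produce per-event alerts plus a sweep alert when one host roasts several accounts."""
    alerts = []
    for ev in find_no_preauth_tgts(events):
        rc4 = ev.get("TicketEncryptionType") == RC4_HMAC
        alerts.append({
            "type": "asrep_no_preauth",
            "severity": "high" if rc4 else "medium",
            "user": ev["TargetUserName"],
            "source": normalize_ip(ev["IpAddress"]),
            "reason": ("TGT issued without pre-auth using RC4-HMAC; crackable offline"
                       if rc4 else
                       "TGT issued without pre-auth (AES); confirm DONT_REQ_PREAUTH is still needed"),
        })
    for ip, users in summarize_by_source(events).items():
        if len(users) >= sweep_threshold:
            alerts.append({
                "type": "asrep_sweep", "severity": "high", "source": ip, "users": users,
                "reason": f"{len(users)} distinct no-preauth accounts requested from one host",
            })
    return alerts


if __name__ == "__main__":
    for alert in build_alerts(SAMPLE_EVENTS):
        print(alert)
```

The rule deliberately keys on a successful request (Status 0x0) with Pre-Authentication Type 0, because that is the only combination in which the KDC has actually released crackable material; a bad-password failure with pre-auth (the "bob" record) is a different signal and is left to lockout and spraying detections. The per-source aggregation is what separates a legitimate legacy application, which talks to the KDC from one server about one account, from a sweep that touches every no-preauth account in the domain.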
To reduce exposure, organizations often:
- Require Kerberos pre-authentication for user and service accounts wherever possible; an account genuinely needs it disabled only for rare legacy clients that cannot send a pre-authentication timestamp.
- Regularly review accounts configured without Kerberos pre-authentication (the DONT_REQ_PREAUTH flag in userAccountControl), and treat any such account that also has an SPN or a non-expiring password as a priority.
- Use long, random passwords for any account that must keep pre-authentication disabled, or move the workload to a group Managed Service Account, whose password is long, random and rotated automatically. Multi-factor authentication does not stop the captured AS-REP from being cracked; it only limits where a recovered password can be used.
- Analyze Kerberos-related security events (in particular event 4768 with Pre-Authentication Type 0) and authentication anomalies for suspicious behavior.
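The review step above, as an added example that is not code from the original page. It works offline on a CSV export of the kind `Get-ADUser -Filter * -Properties userAccountControl,ServicePrincipalName | Export-Csv` would produce; the account names and values in the sample are constructed, while the bit values are the documented userAccountControl flags.

```python
"""Review an AD export for accounts with Kerberos pre-authentication disabled.

Added example, not code from the original page. The CSV below is
constructed to look like the output of
  Get-ADUser -Filter * -Properties userAccountControl,ServicePrincipalName |
      Select-Object SamAccountName,Enabled,userAccountControl,
                    @{n='SPN';e={$_.ServicePrincipalName -join ';'}} | Export-Csv
The flag values are the documented userAccountControl bits; the account
names and values are made up.
"""
import csv
import io

# Documented userAccountControl bits (subset), lowest bit first.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH",        # "Do not require Kerberos preauthentication"
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}
DONT_REQ_PREAUTH = 0x400000

# Constructed sample export (not real directory data).
SAMPLE_EXPORT = """SamAccountName,Enabled,userAccountControl,SPN
alice,True,512,
svc_backup,True,4194816,backup/srv01.corp.example
legacy_app,True,4260352,
old_svc,False,4194818,
"""


def decode_uac(value):
    """Return the flag names set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def remediated_uac(value):
    """The userAccountControl value after re-enabling pre-authentication."""
    return value & ~DONT_REQ_PREAUTH


def review_accounts(export_text):
    """List accounts that are AS-REP roastable, with the context a reviewer needs."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        uac = int(row["userAccountControl"])
        if not uac & DONT_REQ_PREAUTH:
            continue
        notes = []
        if row["Enabled"] == "False":
            notes.append("disabled: KDC issues no TGT, but fix the flag before reactivating")
        if row["SPN"]:
            notes.append("has SPN: also Kerberoastable, so the password is doubly exposed")
        if uac & 0x10000:
            notes.append("password never expires: a cracked password stays valid")
        findings.append({
            "sam": row["SamAccountName"],
            "flags": decode_uac(uac),
            "fixed_uac": remediated_uac(uac),
            "notes": notes,
        })
    return findings


if __name__ == "__main__":
    for f in review_accounts(SAMPLE_EXPORT):
        print(f["sam"], f["flags"], "->", f["fixed_uac"], f["notes"])
```

`fixed_uac` is the value the attribute should hold once pre-authentication is required again; in practice the change is made per account with `Set-ADAccountControl -Identity <SamAccountName> -DoesNotRequirePreAuth $false` after confirming with the application owner that nothing still depends on the exemption.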
Hexnode UEM can provide device compliance and posture signals based on configured security policies across managed devices.
Organizations may use Hexnode’s supported Conditional Access integrations to incorporate device compliance status into policy-based access workflows.
This can help organizations restrict access from unmanaged or non-compliant devices before they access sensitive corporate resources.
Kerberos pre-authentication is usually disabled for compatibility with legacy systems or third-party Kerberos clients that cannot send a pre-authentication timestamp, for old service accounts set up that way years ago, or simply by administrative misconfiguration. The setting is the "Do not require Kerberos preauthentication" account option (DONT_REQ_PREAUTH in userAccountControl), and it is never required for a normal Windows user.
AS-REP roasting can be detected. Security teams can monitor Kerberos authentication activity, AS-REQ/AS-REP traffic patterns, and related Windows security events, above all event 4768 with Pre-Authentication Type 0 and, typically, encryption type 0x17, to identify suspicious behavior.
Attackers do not need privileged access or valid credentials to perform the attack: they generally only need network connectivity to a domain controller and the name of an account configured without pre-authentication. Finding such accounts by querying the directory does usually require a domain account, so an unauthenticated attacker instead works from a list of candidate usernames.
AS-REP roasting targets accounts with Kerberos pre-authentication disabled and cracks the captured response offline, producing no failed logons. Password spraying attempts online logons with a few commonly used passwords across many accounts, so every guess reaches the domain controller and can trigger failed-logon events and lockouts.