Active Directory Exploitation: Kerberoasting and AS-REP Roasting Explained
Active Directory (AD) is the central nervous system of over 90% of enterprise networks worldwide. Consequently, AD exploitation is the absolute cornerstone of internal network penetration testing and modern ransomware affiliate models.
Among the arsenal of attacks used against Active Directory, credential theft via the Kerberos authentication protocol is particularly favored by threat actors because the attacks are indistinguishable from legitimate authentication traffic. In this deep-dive tutorial, Cayvora Security's Red Team elaborates on the mechanics of two devastating attacks: Kerberoasting and AS-REP Roasting.
Understanding The Vulnerability Groundwork
To understand these attacks, we must briefly review how Microsoft implemented the Kerberos protocol.
When a user in an AD environment wants to access a service (e.g., an SQL Server database or a File Share), the authentication process works without exchanging passwords over the wire. Instead, it uses a ticket-granting system centrally managed by the Domain Controller (acting as the Key Distribution Center, or KDC).
The overarching flaw that enables both Kerberoasting and AS-REP Roasting offline brute-forcing is the fact that parts of these Kerberos tickets are encrypted using the NTLM hash of the associated user or service account password.
1. Kerberoasting
Kerberoasting is an efficient privilege escalation technique where any authenticated domain user can request a Kerberos service ticket (TGS) for a specific service account and extract it from memory for offline password cracking.
The Problem with Service Accounts
Enterprise networks run heavily on "Service Accounts": user accounts created specifically to run applications like Microsoft SQL, Exchange, or internal IIS pools. Because IT required these services to run uninterrupted, they historically configured these service accounts with two fatal flaws:
- "Password never expires" is checked.
- The password used is often weak, easily guessable, or hasn't changed in a decade.
The Attack Execution
An attacker running on a compromised workstation as a standard user executes a tool like Invoke-Kerberoast or Rubeus.
- SPN Discovery: The attacker queries LDAP to retrieve a list of all domain accounts that have a Service Principal Name (SPN) registered. An SPN links a service instance to a logon account.
- TGS Request: The attacker requests a Ticket Granting Service (TGS) ticket for the targeted SPN from the Domain Controller.
- Extraction: The Domain Controller gladly provides the TGS. According to the Kerberos specification, a portion of this ticket is encrypted using the password hash of the service account itself, ensuring only the service can read the ticket.
- Offline Cracking: The attacker extracts the encrypted ticket from memory and saves it to a file.
The attacker then feeds this ticket into Hashcat or John the Ripper on an extremely powerful offline GPU rig:
hashcat -m 13100 kerbroast_hashes.txt rockyou.txt -r rules/best64.rule
Because the cracking occurs entirely offline, it generates no failed-logon events on the Domain Controller, so Account Lockout policies and alerts built on failed logons never fire; the only network footprint is the service ticket request itself.
2. AS-REP Roasting
AS-REP Roasting targets a different phase of the Kerberos protocol and exploits a specific, dangerous misconfiguration on user accounts.
The Misconfiguration: Pre-Authentication Disabled
Normally, when a user requests an initial Ticket Granting Ticket (TGT) from the Domain Controller, they must provide a timestamp encrypted with their password hash. This proves they know the password before the DC hands over the ticket. This phase is called Kerberos Pre-Authentication.
However, administrators sometimes disable Pre-Authentication for older legacy applications that do not support it, by checking the box "Do not require Kerberos preauthentication" on the user's AD object.
The Attack Execution
If pre-authentication is disabled, the attacker does not even need a compromised workstation or a valid domain user account to initiate the attack; they only need network access to a Domain Controller.
- Enumeration: The attacker sends an AS-REQ (Authentication Service Request) for known usernames to the Domain Controller.
- The Roast: If the domain controller finds a matching user with pre-authentication disabled, it immediately responds with an AS-REP (Authentication Service Response) containing ticket information.
- Offline Cracking: Crucially, a portion of the AS-REP response is encrypted using the target user's NTLM password hash.
The attacker captures this response and feeds it into Hashcat (Module 18200) for rapid offline cracking.
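Both attacks leave a trace on the Domain Controller even though the cracking itself is silent: the Kerberoasting section's TGS request is logged as Security Event ID 4769, and the AS-REP Roasting section's TGT request as Event ID 4768. The following detector is an added example, not part of the original post or of Cayvora's tooling. It flags 4768 records issued with PreAuthType 0 (no pre-authentication) and 4769 records where one requester pulls RC4-encrypted (etype 0x17) service tickets for many distinct user-owned SPNs in a short window. The sample records at the bottom are constructed for this example; the field names follow the real 4768/4769 event data, and ConvertFrom-KerberosEvent shows how live Get-WinEvent records are flattened into that shape.

```powershell
# Added example, not part of the original post: detection logic for Kerberoasting
# and AS-REP Roasting over Domain Controller Security log records. Field names
# follow Windows Security Event IDs 4769 (service ticket requested) and 4768
# (TGT requested); the sample records at the bottom are constructed, not real.
Set-StrictMode -Version Latest

# Flatten a live EventLogRecord into the shape the detector expects. Live usage:
#   Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4768,4769} |
#       ForEach-Object { ConvertFrom-KerberosEvent $_ }
function ConvertFrom-KerberosEvent {
    param([Parameter(Mandatory)] [System.Diagnostics.Eventing.Reader.EventLogRecord] $Record)
    $data = @{}
    foreach ($d in ([xml] $Record.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        EventID              = $Record.Id
        TimeCreated          = $Record.TimeCreated
        TargetUserName       = $data['TargetUserName']        # requesting account
        ServiceName          = $data['ServiceName']           # SPN owner (4769 only)
        TicketEncryptionType = $data['TicketEncryptionType']  # 0x17 = RC4-HMAC, 0x12 = AES256
        PreAuthType          = $data['PreAuthType']           # 4768 only; 0 = no pre-auth
        IpAddress            = $data['IpAddress']
    }
}

function Find-KerberosRoastingIndicators {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $WindowMinutes = 5,   # burst window for Kerberoasting
        [int] $SpnThreshold  = 5    # distinct user-SPN accounts per requester in that window
    )
    $findings = New-Object System.Collections.Generic.List[object]

    # AS-REP Roasting: PreAuthType 0 means the KDC issued a TGT without any proof of the
    # password, so the AS-REP's encrypted part is now available for offline cracking.
    foreach ($e in @($Events | Where-Object { $_.EventID -eq 4768 -and $_.PreAuthType -eq '0' })) {
        $findings.Add([pscustomobject]@{
            Technique = 'AS-REP Roasting'
            Requester = $e.IpAddress
            Account   = $e.TargetUserName
            Detail    = "TGT issued without pre-authentication, etype $($e.TicketEncryptionType)"
        })
    }

    # Kerberoasting: RC4 (0x17) service tickets for user accounts that own SPNs.
    # Machine accounts (trailing $) and krbtgt are excluded; one requester touching
    # many distinct service accounts inside a short window is the tell.
    $tgs = @($Events | Where-Object {
        $_.EventID -eq 4769 -and $_.TicketEncryptionType -eq '0x17' -and
        $_.ServiceName -notlike '*$' -and $_.ServiceName -ne 'krbtgt'
    })
    foreach ($group in $tgs | Group-Object TargetUserName) {
        $sorted = @($group.Group | Sort-Object TimeCreated)
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $end      = $sorted[$i].TimeCreated.AddMinutes($WindowMinutes)
            $inWindow = @($sorted[$i..($sorted.Count - 1)] | Where-Object { $_.TimeCreated -le $end })
            $services = @($inWindow | ForEach-Object ServiceName | Sort-Object -Unique)
            if ($services.Count -ge $SpnThreshold) {
                $findings.Add([pscustomobject]@{
                    Technique = 'Kerberoasting'
                    Requester = "$($group.Name) ($($sorted[$i].IpAddress))"
                    Account   = ($services -join ', ')
                    Detail    = "$($services.Count) RC4 service tickets in $WindowMinutes min"
                })
                break   # one finding per requester is enough
            }
        }
    }
    return $findings
}

# Constructed sample records for this example (not real log lines).
$t0 = [datetime] '2025-01-15T09:00:00'
function New-Sample($id, $sec, $user, $svc, $etype, $pre, $ip) {
    [pscustomobject]@{ EventID = $id; TimeCreated = $t0.AddSeconds($sec); TargetUserName = $user
                       ServiceName = $svc; TicketEncryptionType = $etype; PreAuthType = $pre; IpAddress = $ip }
}
$sampleEvents = @(
    # Normal behaviour: pre-authenticated TGT (PreAuthType 2 = encrypted timestamp),
    # an AES service ticket, and an RC4 ticket for a machine account.
    New-Sample 4768   0 'alice'      $null       '0x12' '2'   '10.0.0.21'
    New-Sample 4769   5 'alice'      'svc_sql'   '0x12' $null '10.0.0.21'
    New-Sample 4769   9 'alice'      'FS01$'     '0x17' $null '10.0.0.21'
    # AS-REP Roasting: TGT handed out with no pre-authentication, RC4 requested.
    New-Sample 4768  30 'svc_legacy' $null       '0x17' '0'   '10.0.0.99'
    # Kerberoasting: one host pulls RC4 tickets for six service accounts in 40 seconds.
    New-Sample 4769  60 'bob'        'svc_sql'   '0x17' $null '10.0.0.99'
    New-Sample 4769  65 'bob'        'svc_iis'   '0x17' $null '10.0.0.99'
    New-Sample 4769  72 'bob'        'svc_exch'  '0x17' $null '10.0.0.99'
    New-Sample 4769  80 'bob'        'svc_bkp'   '0x17' $null '10.0.0.99'
    New-Sample 4769  91 'bob'        'svc_sccm'  '0x17' $null '10.0.0.99'
    New-Sample 4769 100 'bob'        'svc_rpt'   '0x17' $null '10.0.0.99'
)

Find-KerberosRoastingIndicators -Events $sampleEvents | Format-Table -AutoSize -Wrap
```

On the sample data this reports two findings: svc_legacy's TGT issued to 10.0.0.99 with no pre-authentication, and bob at 10.0.0.99 requesting RC4 tickets for six distinct service accounts within the five-minute window. alice is not flagged: her service ticket is AES, and the RC4 ticket she received is for a machine account. The threshold and window are starting points; on a real DC, tune them against a baseline of legitimate service ticket volume before alerting.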
Mitigation and Prevention Strategies
Preventing these devastating Kerberos attacks requires strict Active Directory hygiene.
Defending Against Kerberoasting
- Password Complexity: Ensure that all accounts with an SPN possess a randomly generated password of at least 25 characters. Long, complex passwords render offline dictionary attacks and brute-forcing mathematically unfeasible.
- Group Managed Service Accounts (gMSA): Transition from manual service accounts to gMSAs. Windows automatically generates, manages, and regularly rotates 120-character complex passwords for gMSAs natively.
Defending Against AS-REP Roasting
- Audit Pre-Authentication: Use PowerShell to actively scan the domain for any users with the DONT_REQ_PREAUTH flag enabled in the UserAccountControl attribute.
- Enforce Pre-Authentication: Mandate that all user accounts strictly require Kerberos Pre-Authentication. There is no modern justification for disabling this security primitive.
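The two mitigation lists above (Defending Against Kerberoasting and Defending Against AS-REP Roasting) translate into one audit: which user accounts carry an SPN with a stale or RC4-eligible password, and which accounts have the DONT_REQ_PREAUTH bit set. The script below is an added example and not the post's own tooling. It assumes the RSAT ActiveDirectory module on a domain-joined host; the -Fix switch, which re-enables pre-authentication with Set-ADAccountControl, additionally needs rights to modify the affected user objects. The 365-day staleness threshold is a constructed default.

```powershell
# Added example, not part of the original post. Audits the two conditions the
# mitigation lists target: user accounts with SPNs (Kerberoastable) and users with
# the DONT_REQ_PREAUTH bit set (AS-REP roastable), and optionally clears the latter.
# Assumes the RSAT ActiveDirectory module; -Fix needs rights to modify the user objects.
#Requires -Modules ActiveDirectory
param(
    [switch] $Fix,                        # clear DONT_REQ_PREAUTH on the accounts found
    [int]    $MaxPasswordAgeDays = 365    # SPN passwords older than this are flagged (constructed default)
)

# 1. Kerberoastable accounts: user objects (not computers) that carry an SPN.
#    Computer accounts rotate their own random passwords and are not the concern here.
$stale = (Get-Date).AddDays(-$MaxPasswordAgeDays)
Get-ADUser -Filter 'ServicePrincipalName -like "*"' `
           -Properties ServicePrincipalName, PasswordLastSet, PasswordNeverExpires, 'msDS-SupportedEncryptionTypes' |
    ForEach-Object {
        $etypes = $_.'msDS-SupportedEncryptionTypes'
        [pscustomobject]@{
            Account              = $_.SamAccountName
            Enabled              = $_.Enabled
            PasswordLastSet      = $_.PasswordLastSet
            PasswordStale        = ($null -eq $_.PasswordLastSet) -or ($_.PasswordLastSet -lt $stale)
            PasswordNeverExpires = $_.PasswordNeverExpires
            # Bit 0x4 of msDS-SupportedEncryptionTypes is RC4-HMAC; an unset attribute has
            # historically meant RC4 is used, which is the etype Hashcat mode 13100 cracks.
            RC4Allowed           = (-not $etypes) -or (($etypes -band 0x4) -ne 0)
            SPNs                 = ($_.ServicePrincipalName -join '; ')
        }
    } | Sort-Object PasswordLastSet | Format-Table -AutoSize -Wrap

# 2. AS-REP roastable accounts: DONT_REQ_PREAUTH is bit 0x400000 (4194304) of
#    userAccountControl; LDAP matching rule 1.2.840.113556.1.4.803 is a bitwise AND.
$noPreauth = @(Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=4194304)' `
                          -Properties userAccountControl)
foreach ($user in $noPreauth) {
    if ($Fix) {
        # Same effect as unchecking "Do not require Kerberos preauthentication" in ADUC.
        Set-ADAccountControl -Identity $user -DoesNotRequirePreAuth $false
        Write-Output "Re-enabled pre-authentication for $($user.SamAccountName)"
    } else {
        Write-Output ("AS-REP roastable: {0} (userAccountControl=0x{1:X})" -f $user.SamAccountName, $user.userAccountControl)
    }
}
if ($noPreauth.Count -eq 0) { Write-Output 'No accounts with DONT_REQ_PREAUTH found.' }
```

Run it without -Fix first and review the output. The SPN table deliberately has no automatic remediation: rotating a service account password, moving the service to a gMSA, or restricting the account to AES by setting msDS-SupportedEncryptionTypes are all changes that must be tested against the dependent application before they are applied. Re-enabling pre-authentication, by contrast, only breaks clients that genuinely cannot perform it, which is exactly what the audit should surface.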
Conclusion
Kerberoasting and AS-REP Roasting ruthlessly exploit the mechanical design of legacy authentication protocols combined with weak human password policies. Because these attacks operate entirely offline and look indistinguishable from normal network behavior, they remain the dominant privilege escalation vectors in 2025. It is imperative that administrators use complex randomized passwords and gMSAs so that the tickets an attacker extracts cannot be cracked.
Is Your Active Directory Vulnerable?
Ensure your domain isn't harboring unseen exploitation paths. Schedule an advanced AD Assessment with Cayvora Security's Red Team today.