The accounts that hand out crackable tickets (AS-REP Roasting)
Any account with Kerberos pre-authentication disabled will return crackable material to anyone who asks, no credentials needed. Here is AS-REP Roasting, and the one setting that stops it.
Some accounts will hand a stranger something to crack, no login required. You just have to ask the right way.
What it is
Kerberos pre-authentication makes a client prove it knows the account password before the KDC replies. For accounts with pre-auth disabled (the DONT_REQ_PREAUTH flag), anyone who can reach the KDC can send an AS-REQ for that account and receive an AS-REP whose encrypted part is keyed from the account’s password hash, then crack it offline. No prior credentials are needed. This is MITRE ATT&CK technique T1558.004.
Why it works
It requires no authentication to start, the setting is often left on legacy or service accounts, and weak passwords crack quickly.
How to detect it
Look for a spike in AS-REQs for pre-auth-disabled accounts from a single source, and for Windows Security Event ID 4768 (a Kerberos authentication ticket was requested) with Pre-Authentication Type 0, which means the TGT was issued without pre-authentication.
The fix that holds
Require Kerberos pre-authentication on all accounts (remove DONT_REQ_PREAUTH), enforce strong passwords, and alert on AS-REP requests for any pre-auth-disabled account. A honeypot account with pre-auth off and no legitimate use is a high-fidelity tripwire.
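The two defensive steps above, the audit for pre-auth-disabled accounts and the detection over 4768 events, as an added example that is not part of the original post. The directory snapshot, the honeypot name and the 4768 records are all constructed for the example; the only real values are the userAccountControl bit behind DONT_REQ_PREAUTH (0x400000) and the LDAP bitwise-AND matching rule OID used to query it.

```python
"""Added example (not the original post's code): find accounts with Kerberos
pre-authentication disabled, compute the corrected flag value, and alert on
Event ID 4768 records with Pre-Authentication Type 0. All data is constructed."""
from collections import defaultdict

# Real bit value: UF_DONT_REQUIRE_PREAUTH in userAccountControl.
UF_DONT_REQUIRE_PREAUTH = 0x400000
UF_NORMAL_ACCOUNT = 0x200

# Constructed directory snapshot: (sAMAccountName, userAccountControl).
DIRECTORY = [
    ("svc-legacy-backup", UF_NORMAL_ACCOUNT | UF_DONT_REQUIRE_PREAUTH),
    ("jdoe", UF_NORMAL_ACCOUNT),
    ("svc-old-print", UF_NORMAL_ACCOUNT | UF_DONT_REQUIRE_PREAUTH),
    ("hp-noauth", UF_NORMAL_ACCOUNT | UF_DONT_REQUIRE_PREAUTH),  # honeypot
]

# Constructed honeypot: pre-auth left off on purpose, no legitimate use.
HONEYPOTS = {"hp-noauth"}


def ldap_filter_preauth_disabled():
    """LDAP filter for the audit: matching rule 1.2.840.113556.1.4.803 is a
    bitwise AND, so this returns every user with the pre-auth-disabled bit set."""
    return ("(&(objectCategory=person)(objectClass=user)"
            f"(userAccountControl:1.2.840.113556.1.4.803:={UF_DONT_REQUIRE_PREAUTH}))")


def preauth_disabled_accounts(directory=DIRECTORY):
    """Accounts whose userAccountControl has the DONT_REQ_PREAUTH bit set."""
    return sorted(name for name, uac in directory if uac & UF_DONT_REQUIRE_PREAUTH)


def remediated_uac(uac):
    """The fix: clear the bit so pre-authentication is required again."""
    return uac & ~UF_DONT_REQUIRE_PREAUTH


# Constructed Event ID 4768 records. pre_auth_type 2 is PA-ENC-TIMESTAMP (normal
# pre-auth); 0 means the TGT was issued with no pre-authentication at all.
EVENTS = [
    {"event_id": 4768, "account": "jdoe", "client": "10.0.0.12", "pre_auth_type": 2},
    {"event_id": 4769, "account": "jdoe", "client": "10.0.0.12", "pre_auth_type": 0},
    {"event_id": 4768, "account": "svc-legacy-backup", "client": "10.0.0.50", "pre_auth_type": 0},
    {"event_id": 4768, "account": "hp-noauth", "client": "10.0.0.99", "pre_auth_type": 0},
    {"event_id": 4768, "account": "svc-legacy-backup", "client": "10.0.0.99", "pre_auth_type": 0},
    {"event_id": 4768, "account": "svc-old-print", "client": "10.0.0.99", "pre_auth_type": 0},
]


def detect(events=EVENTS, honeypots=HONEYPOTS, threshold=3):
    """Return alert tuples (rule, client, accounts).

    honeypot_asrep: any no-pre-auth TGT request for a honeypot account.
    asrep_roast_spike: one client requested no-pre-auth TGTs for at least
    `threshold` distinct accounts, the spike the post describes."""
    alerts = []
    by_source = defaultdict(set)
    for e in events:
        if e["event_id"] != 4768 or e["pre_auth_type"] != 0:
            continue  # only TGT requests issued without pre-authentication
        if e["account"] in honeypots:
            alerts.append(("honeypot_asrep", e["client"], e["account"]))
        by_source[e["client"]].add(e["account"])
    for client, accounts in by_source.items():
        if len(accounts) >= threshold:
            alerts.append(("asrep_roast_spike", client, ",".join(sorted(accounts))))
    return alerts


if __name__ == "__main__":
    print("audit filter:", ldap_filter_preauth_disabled())
    for name in preauth_disabled_accounts():
        action = "keep (honeypot)" if name in HONEYPOTS else "clear DONT_REQ_PREAUTH"
        print(f"  {name}: {action}")
    for alert in detect():
        print("ALERT", alert)
```

In production the audit and fix map to `Get-ADUser -Filter 'DoesNotRequirePreAuth -eq $true'` and `Set-ADAccountControl -DoesNotRequirePreAuth $false`; the honeypot account is deliberately excluded from remediation so that its 4768 records stay a tripwire. The spike threshold is a starting point, not a tuned value.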
Practice it
We built an AS-REP Roasting scenario in GraphLattice Range so teams learn to find the exposed accounts and close the setting.