Steal or Forge Kerberos Tickets: AS-REP Roasting


Adversaries may reveal credentials of accounts that have disabled Kerberos preauthentication by Password Cracking Kerberos messages.Preauthentication offers protection against offline Password Cracking. When enabled, a user requesting access to a resource initiates communication with the Domain Controller (DC) by sending an Authentication Server Request (AS-REQ) message with a timestamp that is encrypted with the hash of their password. If and only if the DC is able to successfully decrypt the timestamp with the hash of the user’s password, it will then send an Authentication Server Response (AS-REP) message that contains the Ticket Granting Ticket (TGT) to the user. Part of the AS-REP message is signed with the user’s password.

Products, Sensors, and Dependencies

ProductDependenciesData sourceAccess requiredProtocolData CollectedNotes
Tenable Identity ExposureActive DirectoryAuthenticated AD userLDAP/S(389/636)Domain User + UACPlugin ID: 22-C-KERBEROS-CONFIG-ACCOUNT:R-KERB-WEAK-CONFIG-DONT-REQUIRE-PREAUTH-ACCOUNT
Tenable Identity ExposurePassword SyncActive DirectoryPrivileged AD userRPC (135 + high ports)User PasswordPlugin ID: C-PASSWORD-HASHES-ANALYSIS


Tenable Identity Exposure DCSync feature

Attack Path Technique Details

Framework: MITRE ATT&CK

Family: Credential Access

Sub-Technique: AS-REP Roasting

Platform: Windows

Products Required: Tenable Identity Exposure

Tenable Release Date: 2022 Q3