Why would organizations disable Kerberos pre-authentication if it creates this vulnerability?

Organizations typically disable Kerberos pre-authentication to support legacy applications that require it, or due to outdated accounts that have never been updated. In some cases, it was used as a temporary workaround for application compatibility issues, but the accounts were never reconfigured after the underlying problem was resolved. Microsoft recommends never disabling pre-authentication unless absolutely necessary.

Can AS-REP Roasting be detected by security monitoring tools?

AS-REP Roasting is described as difficult to detect because the attack uses legitimate Kerberos authentication mechanisms and can be executed by any authenticated user. However, tools like Netwrix Threat Prevention can detect and respond to authentication attacks, while Netwrix Enterprise Auditor can identify accounts with disabled pre-authentication before they are exploited.

AS-REP Roasting Attack Demo: Active Directory Exploit

Name: AS-REP Roasting Attack Demo: Active Directory Exploit
Uploaded: 2026-05-12T20:28:39-04:00
Duration: 7 min 47 s
Description: What is AS-REP Roasting? AS-REP Roasting is an attack that exploits misconfigured Active Directory accounts with disabled Kerberos pre-authentication. Attackers can retrieve password hashes and crack them with minimal effort, leading to unauthorized ac...

Netwrix

05/12/2026

0 (0%)

Report Like Favorite

TL;DR

AS-REP Roasting exploits Active Directory accounts with disabled Kerberos pre-authentication, allowing any authenticated user to retrieve password hashes without knowing the actual password.
The attack requires minimal skill and uses common tools like Rubeus for hash extraction and Hashcat for offline password cracking, often succeeding within hours using standard dictionary attacks.
Vulnerable accounts often exist due to legacy application requirements or outdated configurations that were never remediated after temporary workarounds were implemented.
Prevention requires enforcing complex passwords, enabling Kerberos pre-authentication on all accounts, eliminating standing privileged accounts, and implementing continuous monitoring for Active Directory misconfigurations.

Understanding the AS-REP Roasting Vulnerability

AS-REP Roasting is a low-skill Active Directory attack that exploits accounts with disabled Kerberos pre-authentication. When pre-authentication is enabled, the AS-REP request to the Key Distribution Center (KDC) includes an encrypted timestamp and password, preventing unauthorized requests and replay attacks. However, when pre-authentication is disabled, attackers can request a Ticket Granting Ticket (TGT) using only the user's UPN, without knowing the password. The KDC returns the TGT along with the user's password hash, which can then be cracked offline using brute-force tools like Hashcat. This vulnerability often exists due to legacy application requirements, outdated accounts that were never updated, or temporary workarounds that became permanent misconfigurations.

Attack Execution and Lateral Movement

The demonstration shows a complete attack chain starting with reconnaissance using PowerShell to identify vulnerable accounts with disabled Kerberos pre-authentication. Using Rubeus, the attacker extracts the AS-REP hash for a domain admin account, exfiltrates the data, and cracks the password offline using Hashcat with a standard dictionary file (rockyou.txt). The attack succeeds in under a day, with the password cracking completing in seconds. Once credentials are obtained, the attacker demonstrates lateral movement by using RDP to access the domain controller with the compromised domain admin account. The demonstration emphasizes that even non-privileged accounts can be leveraged for lateral movement across the network, making comprehensive security controls essential beyond just protecting administrative accounts.

Chapters

0:00 - Introduction to AS-REP Roasting
0:17 - Kerberos Pre-Authentication Explained
1:34 - Why Pre-Authentication Gets Disabled
2:06 - Reconnaissance and Target Identification
2:57 - Hash Extraction with Rubeus
4:17 - Password Cracking with Hashcat
6:20 - Lateral Movement and Domain Access
7:22 - Prevention and Mitigation Strategies

Key Quotes

0:12 "ASREP Roasting is a low-skill attack that takes advantage of Active Directory accounts that have Kerberos Preauth disabled and can be executed by any authenticated AD user."
0:51 "The request does not require the user's password. The KDC will happily return the TGT along with the hash of the user's password."
1:41 "The typical recommendation from Microsoft is to never do it."
7:24 "It's low effort, low skill, difficult to detect, but it can be easily prevented with just a bit of work, and, of course, with the help of the NetRx suite of data security products."

Categories:

» Webinar Library » Netwrix
» Data Protection

Tags:

Show more Show less

Browse videos

Upcoming Webinar Calendar

05/12/2026

11:30 PM

05/12/2026

Implementing Effective Strategies for Active Directory Security and Data Protection

https://www.truthinit.com/index.php/channel/1888/implementing-effective-strategies-for-active-directory-security-and-data-protection/
05/13/2026

01:00 AM

05/13/2026

Transforming the Black Box: Reveal Hidden Threats and AI Risks through Data Lineage

https://www.truthinit.com/index.php/channel/1890/transforming-the-black-box-reveal-hidden-threats-and-ai-risks-through-data-lineage/
05/13/2026

05:00 AM

05/13/2026

Transforming the Black Box: Revealing AI Risks and Hidden Threats through Data Lineage

https://www.truthinit.com/index.php/channel/1894/transforming-the-black-box-revealing-ai-risks-and-hidden-threats-through-data-lineage/
05/19/2026

01:00 PM

05/19/2026

Establishing a Robust AI Governance Framework for GenAI Throughout Deployment Phases

https://www.truthinit.com/index.php/channel/1936/establishing-a-robust-ai-governance-framework-for-genai-throughout-deployment-phases/
05/20/2026

08:00 AM

05/20/2026

Establishing a Robust AI Governance Framework for GenAI Throughout Its Lifecycle

https://www.truthinit.com/index.php/channel/1937/establishing-a-robust-ai-governance-framework-for-genai-throughout-its-lifecycle/
05/20/2026

10:00 PM

05/20/2026

Establishing a Robust AI Governance Framework for GenAI Throughout Its Lifecycle

https://www.truthinit.com/index.php/channel/1953/establishing-a-robust-ai-governance-framework-for-genai-throughout-its-lifecycle/
05/21/2026

11:00 AM

05/21/2026

The Autonomous Era: Orchestrating a Resilient Enterprise

https://www.truthinit.com/index.php/channel/1372/the-autonomous-era-orchestrating-a-resilient-enterprise/
05/27/2026

04:00 AM

05/27/2026

Rivoluziona i rischi dell'AI in opportunità con Netskope AI Security

https://www.truthinit.com/index.php/channel/1925/rivoluziona-i-rischi-dellai-in-opportunità-con-netskope-ai-security/
05/27/2026

10:00 AM

05/27/2026

Adopting AI: From Illusion to Intentional Control

https://www.truthinit.com/index.php/channel/1924/harnessing-ai-transitioning-from-illusion-to-purposeful-mastery/
05/28/2026

01:00 PM

05/28/2026

Harnessing AI for Smaller Teams: Strategies for Secure Implementation

https://www.truthinit.com/index.php/channel/1951/harnessing-ai-for-smaller-teams-strategies-for-secure-implementation/
06/02/2026

01:00 PM

06/02/2026

Spring of Satori: Delving into Recent Findings and the 2026 Threat Landscape

https://www.truthinit.com/index.php/channel/1930/spring-of-satori-delving-into-recent-findings-and-the-2026-threat-landscape/
06/04/2026

02:00 AM

06/04/2026

Mastering the Unseen: Managing Shadow AI and Agentic MCP Traffic

https://www.truthinit.com/index.php/channel/1948/mastering-the-unseen-managing-shadow-ai-and-agentic-mcp-traffic/
06/16/2026

07:00 AM

06/16/2026

Transforming Data Risk into Actionable Priorities: Essential Fixes First

https://www.truthinit.com/index.php/channel/1952/transforming-data-risk-into-actionable-priorities-essential-fixes-first/