# AS-REP Roasting

- Retrieves crackable AS-REP material (loosely called a "hash") for user accounts that have Kerberos pre-authentication **disabled**.
- Unlike Kerberoasting, these users **do not need to be service accounts.**
- **The only requirement is the "Do not require Kerberos preauthentication" flag set on the user account (`UF_DONT_REQUIRE_PREAUTH`, bit `0x400000` of `userAccountControl`).** No credentials are needed to request the blob; a domain user list (or a guess at usernames) is enough.
- During standard Kerberos authentication the client first proves knowledge of the password: it encrypts a timestamp with a key derived from the user's password (for RC4-HMAC, the NT hash) and sends it in the AS-REQ as PA-ENC-TIMESTAMP. The Key Distribution Center (KDC) decrypts it to verify the user's identity before issuing anything. If pre-authentication is disabled, the KDC skips this verification step and answers any AS-REQ for that user with an AS-REP whose `enc-part` is encrypted under the user's password-derived key. That blob can then be captured and cracked offline: derive a key from each candidate password, decrypt, and check the keyed checksum that the RC4-HMAC enc-part carries. A match recovers the user's password.

# Mitigations

- Have a strong password policy. With a strong password, the hashes will take longer to crack, making this attack less effective.
- Don't turn off Kerberos pre-authentication unless it's necessary. There's almost no other way to completely mitigate this attack other than keeping pre-authentication on. Audit for accounts with the flag set (the `DoesNotRequirePreAuth` property in the Active Directory PowerShell module, or the `0x400000` bit of `userAccountControl`) and treat any hit as an exception that needs a justification.
- Detection: a successful AS-REP roast shows up on the domain controller as Event ID 4768 (a TGT was requested) with `Pre-Authentication Type` 0 for the affected account; requests that force RC4 additionally show `Ticket Encryption Type` `0x17`.

# Cracking

- Hashcat mode: Kerberos 5, etype 23, AS-REP: `hashcat -m 18200`. The hash line format is `$krb5asrep$23$user@REALM:<checksum>$<edata>`.
- If the KDC answers with an AES-encrypted enc-part (etype 17 or 18) instead of RC4, mode 18200 does not apply; hashcat has separate AS-REP modes for those etypes (32100 and 32200), and AES is much slower to crack.