DETECTION OVERVIEW
Risk Factors
The Authentication Service Response (AS-REP) Roasting technique is publicly documented and well known. Enumeration is a simple but important step that attackers take to locate user accounts that are vulnerable to AS-REP Roasting. Attack tools make enumeration easy for an attacker with network access to an LDAP server, typically a domain controller. Enumeration activity does not normally affect performance, but attackers can use the results to request AS-REP responses for the identified accounts and crack those accounts' passwords offline.
The system might change the risk score for this detection.
Kill Chain
Risk Score
83
Kerberos is an authentication protocol that verifies user credentials and permissions for accessing services. When a user wants to access a service, the user account is normally required to pre-authenticate (by submitting a timestamp encrypted with a key derived from the account's password) to a Key Distribution Center (KDC) installed on a domain controller. The KDC then issues a cryptographic proof of identity known as a ticket-granting ticket (TGT), which the user can later present to the ticket-granting service (TGS) to receive service tickets for other services. However, Windows provides a way to disable the pre-authentication requirement for specific accounts. AS-REP Roasting is a technique in which an attacker identifies accounts with pre-authentication disabled, requests a TGT for each of them without supplying any credentials, and takes the KDC's AS-REP reply offline: part of that reply is encrypted with a key derived from the account's password, so the password can be cracked offline with no further interaction with the domain.
To locate accounts with pre-authentication disabled, the attacker submits an LDAP query to a domain controller that filters on the DONT_REQ_PREAUTH bit (0x400000) of the userAccountControl attribute, which returns the list of vulnerable accounts (1). To collect crackable material, the attacker sends an AS-REQ for each vulnerable account with no pre-authentication data; the KDC answers with an AS-REP that contains the TGT and an encrypted part keyed from the account's password (2). If that encrypted part uses a weak encryption type such as RC4-HMAC (etype 23), whose key is simply the account's NT hash, it is far cheaper to crack offline than an AES type (etypes 17 and 18), whose keys are derived with PBKDF2; either way, a weak password falls to a dictionary attack and the attacker recovers the account's cleartext password.
Disable weak Kerberos encryption types such as RC4-HMAC, and restrict accounts and the KDC to AES types so that the AS-REP encrypted part is never RC4
Monitor for accounts with pre-authentication disabled, and re-enable pre-authentication wherever it is not strictly required by a legacy client
Enforce a strong password policy, especially for any account that must keep pre-authentication disabled, because the cracking is offline and unthrottled