Kerberos AS-REP roasting attacks: What you need to know

Published on: 2025-06-10 20:01:11

Robust passwords remain the cornerstone of online security, even as malicious actors sharpen their attacks. Consider the threat from AS-REP roasting, and the defenses organizations must deploy to protect their Active Directory.

AS-REP (Authentication Server Response) roasting targets user objects in Active Directory that don’t require Kerberos pre-authentication. Kerberos, an authentication protocol, usually requires a client to send an Authentication Server Request (known as an AS-REQ) to a domain controller (DC). This message holds a timestamp that is encrypted with a hash of the user’s password. The DC must decrypt that timestamp using its own copy of the hash; if it succeeds, the DC sends back an AS-REP message with a Ticket Granting Ticket (TGT), which can then be used to make access requests.

However, this process is only secure when Kerberos pre-authentication is enabled. In some cases, it may be disabled – for example, in systems that don’t support ...
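One way to audit for the accounts described above, as an added example that is not part of the original article: the script reads an LDIF export of the directory and reports entries whose `userAccountControl` has the `DONT_REQ_PREAUTH` bit (0x400000) set. The sample export, the account names and the `parse_ldif` / `preauth_findings` helpers are constructed for illustration.

```python
import re

# userAccountControl flag values as documented by Microsoft.
UF_ACCOUNTDISABLE = 0x0002
UF_DONT_REQUIRE_PREAUTH = 0x400000

# Constructed sample export (hypothetical accounts, not from the article).
SAMPLE_LDIF = """\
dn: CN=Alice Example,OU=Staff,DC=example,DC=test
sAMAccountName: alice
userAccountControl: 512

dn: CN=Legacy Svc,OU=Service,DC=example,DC=test
sAMAccountName: svc_legacy
userAccountControl: 4260352

dn: CN=Old Kiosk,OU=Service,DC=example,DC=test
sAMAccountName: kiosk_old
userAccountControl: 4194818
"""

def parse_ldif(text):
    """Yield one attribute dict per entry (plain single-valued lines only;
    base64 '::' values and folded lines are skipped, not decoded)."""
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            if line.startswith(("#", " ")) or ":: " in line or ": " not in line:
                continue
            key, value = line.split(": ", 1)
            entry[key] = value.strip()
        if entry:
            yield entry

def preauth_findings(text):
    """Return (account, enabled) for entries with DONT_REQ_PREAUTH set."""
    findings = []
    for entry in parse_ldif(text):
        try:
            uac = int(entry.get("userAccountControl", ""))
        except ValueError:
            continue  # attribute missing or not numeric
        if uac & UF_DONT_REQUIRE_PREAUTH:
            name = entry.get("sAMAccountName") or entry.get("dn", "<unknown>")
            findings.append((name, not uac & UF_ACCOUNTDISABLE))
    # Enabled accounts first: a disabled account cannot authenticate.
    return sorted(findings, key=lambda f: (not f[1], f[0]))

if __name__ == "__main__":
    for name, enabled in preauth_findings(SAMPLE_LDIF):
        print(f"{name}: pre-auth not required ({'ENABLED' if enabled else 'disabled'})")
```

Each enabled account it reports should either have pre-authentication turned back on or, where a legacy system genuinely needs the exception, carry a long random password.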