Pentest Copilot: Automates AS-REP roasting to RCE on a remote host

AS-REP Roasting remains one of the most effective attacks against Active Directory environments where Kerberos pre-authentication is disabled for certain accounts. By requesting encrypted authentication responses (AS-REP) directly from a Domain Controller, attackers can attempt offline cracking to recover plaintext credentials.

by Kathan Desai
August 20, 2025

Pentest Copilot’s AS-REP roasting submodule streamlines this process, from live host discovery to credential cracking, automatically building a vulnerability graph that links every stage of the attack. This blog walks through that workflow step by step, with proof-of-concept screenshots.


Step 1: Checking for Live Hosts

The process begins with CHK_LIVE_HOSTS, where Pentest Copilot maps out active machines in the subnet. In the exploit graph, you can see a green Subnet node (192.168.56.0/24) linked to multiple blue Host nodes, confirming the discovery of AD machines.


Step 2: Service Enumeration

Once hosts are identified, Copilot runs service enumeration. The graph view confirms Kerberos (88), LDAP (389/636), and SMB (445) availability. Confirming that Kerberos is actually reachable keeps the roasting attempt that follows meaningful and properly scoped.


Step 3: User Enumeration

Next, CHK_USER_ENUM is executed. The POC interface highlights accounts flagged with “No Pre-Authentication”, which makes them candidates for AS-REP roasting. This enumeration is the crucial precursor to capturing encrypted authentication material.


Step 4: Running AS-REP Roasting

For each identified user, Pentest Copilot sends an AS-REQ to the Domain Controller. Because pre-authentication is disabled for these accounts, the DC replies with an AS-REP without the client having proven knowledge of the password; the encrypted part of that reply is protected with the user’s long-term key (derived from their password), which is what makes offline cracking possible.

The screenshot below shows the captured $krb5asrep$ hashes formatted for direct use in Hashcat.


Step 5: Cracking Credential Hashes

The captured AS-REP hashes are piped into Pentest Copilot’s integrated hash cracking engine. In the demo, Hashcat is seen running against common wordlists, quickly revealing weak credentials.


Step 6: Generating a Unified Secret

Instead of duplicating information, Copilot merges both the AS-REP hash and the cracked plaintext password into a single Secret entity. This ensures that each credential is uniquely tracked and consistently linked across the graph.


Step 7: Mapping Vulnerabilities

Finally, Copilot creates two distinct Vulnerability entities that link back to the same Secret:

  1. AS-REP Hash Capture (CWE-522: Insufficiently Protected Credentials)
  2. Cracked Credential Exposure (CWE-321: Hard-coded or Weak Credentials)

The exploit graph clearly shows these linked nodes, preserving the full attack chain.

And here’s the final exploit graph snapshot — the subnet, hosts, users, secrets, and vulnerabilities all interconnected, giving defenders and researchers a complete picture of the attack surface and paths.


Why This Matters

  • Attack Simulation Accuracy — Logs each stage of enumeration, roasting, and cracking.
  • Graph Context — Secrets and vulnerabilities are fully mapped, preventing blind spots.
  • Efficiency — Automation replaces repetitive manual roasting and cracking.
  • Audit Ready — Outputs are structured for defensive teams and compliance reviews.

Defensive Recommendations

  • Enable Kerberos pre-authentication for all accounts.
  • Audit AD for legacy accounts where this setting is disabled.
  • Monitor Kerberos AS-REQ patterns for unusual or bulk requests.
  • Adopt proactive password hygiene, including strong passphrases and periodic cracking in red team exercises.
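As an added example (not Pentest Copilot’s code), the audit and monitoring recommendations above expressed as two Python checks: one over a constructed userAccountControl export, one over constructed Domain Controller 4768 events. The account names, client addresses and record field names are assumptions made for the demo.

```python
import csv
import io
from collections import Counter

# DONT_REQ_PREAUTH bit of userAccountControl (0x400000). Accounts with it set
# receive an AS-REP without pre-authentication and can therefore be roasted.
UF_DONT_REQUIRE_PREAUTH = 0x400000

# Constructed export (made-up accounts), e.g. from Get-ADUser ... | Export-Csv.
# 4260352 = NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | DONT_REQ_PREAUTH.
USER_EXPORT = """sAMAccountName,userAccountControl
svc_legacy,4260352
jdoe,512
backup_old,4194816
"""

def accounts_without_preauth(csv_text):
    """Names of accounts whose userAccountControl has DONT_REQ_PREAUTH set."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [r["sAMAccountName"] for r in rows
            if int(r["userAccountControl"]) & UF_DONT_REQUIRE_PREAUTH]

# Constructed Security-log 4768 ("A Kerberos authentication ticket (TGT) was
# requested") records, reduced to the fields this check needs.
# Pre-Authentication Type 0 means the KDC issued the reply without pre-auth;
# Ticket Encryption Type 0x17 is RC4-HMAC, the type roasting tools ask for
# because it is the fastest to crack offline.
TGT_EVENTS = [
    {"account": "svc_legacy", "client": "192.168.56.50", "preauth_type": 0, "etype": 0x17},
    {"account": "backup_old", "client": "192.168.56.50", "preauth_type": 0, "etype": 0x17},
    {"account": "jdoe",       "client": "192.168.56.20", "preauth_type": 2, "etype": 0x12},
    {"account": "svc_legacy", "client": "192.168.56.50", "preauth_type": 0, "etype": 0x17},
]

def flag_asrep_roasting(events, bulk_threshold=2):
    """Return (TGT events issued without pre-auth, clients that obtained at
    least bulk_threshold of them). Each hit is tagged with rc4=True/False."""
    hits = [dict(e, rc4=(e["etype"] == 0x17))
            for e in events if e["preauth_type"] == 0]
    per_client = Counter(e["client"] for e in hits)
    bulk = sorted(c for c, n in per_client.items() if n >= bulk_threshold)
    return hits, bulk

if __name__ == "__main__":
    print("No pre-auth required:", accounts_without_preauth(USER_EXPORT))
    hits, bulk = flag_asrep_roasting(TGT_EVENTS)
    print(f"{len(hits)} TGT(s) issued without pre-auth; bulk sources: {bulk}")
```

In production the export would come from the domain and the events from the DC Security log; the bulk threshold should be tuned to how many no-pre-auth accounts legitimately authenticate from one client.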

Top 5 FAQs on AS-REP Roasting

1. What is AS-REP Roasting?
An attack that targets accounts without Kerberos pre-auth, allowing attackers to capture encrypted responses and attempt offline cracking.

2. Why is it effective?
It bypasses lockout policies since cracking is offline, and weak passwords fall quickly.

3. How does Pentest Copilot help?
By automating host discovery, roasting, cracking, and graph-based linking of secrets to vulnerabilities.

4. What should defenders watch for?
Excessive AS-REQ traffic, unusual Kerberos patterns, and weak password reuse.

5. How can it be prevented?
Enforce pre-authentication, strong password policies, and regular password audits.