AS-REP Roasting remains one of the most effective attacks against Active Directory environments where Kerberos pre-authentication is disabled for certain accounts. By requesting encrypted authentication responses (AS-REP) directly from a Domain Controller, attackers can attempt offline cracking to recover plaintext credentials.
Pentest Copilot’s submodule streamlines this process, from live host discovery to credential cracking, automatically building a vulnerability graph that links every stage of the attack. This blog walks through that workflow step by step, with proof-of-concept screenshots.
The process begins with CHK_LIVE_HOSTS, where Pentest Copilot maps out active machines in the subnet. In the exploit graph, you can see a green Subnet node (192.168.56.0/24) linked to multiple blue Host nodes, confirming the discovery of AD machines.
Once hosts are identified, Copilot runs service enumeration. The graph view confirms Kerberos (88), LDAP (389/636), and SMB (445) availability. This ensures that the following Kerberos roasting attempt is meaningful and scoped.
Next, CHK_USER_ENUM is executed. The POC interface highlights accounts flagged with “No Pre-Authentication”, which makes them candidates for AS-REP roasting. This enumeration is the crucial precursor to capturing encrypted authentication material.
For each identified user, Pentest Copilot requests an authentication response from the Domain Controller. Since pre-auth is disabled, the DC obliges with an AS-REP, encrypted with the user’s secret key (derived from their password).
The screenshot below shows the captured $krb5asrep$ hashes formatted for direct use in Hashcat.
The captured AS-REP hashes are piped into Pentest Copilot’s integrated hash cracking engine. In the demo, Hashcat is seen running against common wordlists, quickly revealing weak credentials.
Instead of duplicating information, Copilot merges both the AS-REP hash and the cracked plaintext password into a single Secret entity. This ensures that each credential is uniquely tracked and consistently linked across the graph.
Finally, Copilot creates two distinct Vulnerability entities that link back to the same Secret:
The exploit graph clearly shows these linked nodes, preserving the full attack chain.
And here’s the final exploit graph snapshot — the subnet, hosts, users, secrets, and vulnerabilities all interconnected, giving defenders and researchers a complete picture of the attack surface and paths.
1. What is AS-REP Roasting?
An attack that targets accounts without Kerberos pre-auth, allowing attackers to capture encrypted responses and attempt offline cracking.
2. Why is it effective?
It bypasses lockout policies since cracking is offline, and weak passwords fall quickly.
3. How does Pentest Copilot help?
By automating host discovery, roasting, cracking, and graph-based linking of secrets to vulnerabilities.
4. What should defenders watch for?
Excessive AS-REQ traffic, unusual Kerberos patterns, and weak password reuse.
5. How can it be prevented?
Enforce pre-authentication, strong password policies, and regular password audits.
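As an added example (not Pentest Copilot's code), the following Python checks constructed, simplified Security event 4768 records for the indicators answered above: a TGT issued with pre-authentication type 0 and RC4 (0x17) ticket encryption, requested from one client address for several different accounts. The key=value layout and the sample values are assumptions made for this example; real events arrive as EVTX/XML.

```python
"""Flag likely AS-REP roasting in Windows Security event 4768 records.

Added example, not Pentest Copilot code. Indicators:
  * PreAuthType 0           -> TGT issued without pre-authentication
  * TicketEncryptionType 0x17 -> RC4-HMAC, what roasting tools request by default
  * several distinct accounts requested from one client address
Caveat: a tool can ask for AES instead, so require_rc4=False widens the net.
"""
from collections import defaultdict

# Constructed sample lines modelled on event 4768 fields (not real logs).
SAMPLE_LOGS = """\
EventID=4768 TargetUserName=svc_backup ClientAddress=192.168.56.50 PreAuthType=0 TicketEncryptionType=0x17
EventID=4768 TargetUserName=jdoe ClientAddress=192.168.56.50 PreAuthType=0 TicketEncryptionType=0x17
EventID=4768 TargetUserName=legacyapp ClientAddress=192.168.56.50 PreAuthType=0 TicketEncryptionType=0x17
EventID=4768 TargetUserName=alice ClientAddress=192.168.56.20 PreAuthType=2 TicketEncryptionType=0x12
EventID=4768 TargetUserName=svc_backup ClientAddress=192.168.56.20 PreAuthType=0 TicketEncryptionType=0x12
EventID=4769 TargetUserName=bob ClientAddress=192.168.56.21 TicketEncryptionType=0x17
"""


def parse_line(line):
    """Split one key=value event line into a dict."""
    return dict(tok.split("=", 1) for tok in line.split())


def is_roast_candidate(ev, require_rc4=True):
    """True when the record is a 4768 TGT request that skipped pre-authentication."""
    if ev.get("EventID") != "4768" or ev.get("PreAuthType") != "0":
        return False
    if require_rc4 and ev.get("TicketEncryptionType", "").lower() != "0x17":
        return False
    return True


def find_roasting(log_text, threshold=3, require_rc4=True):
    """Return {client_ip: sorted accounts} for IPs that hit >= threshold accounts."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if is_roast_candidate(ev, require_rc4):
            hits[ev["ClientAddress"]].add(ev["TargetUserName"])
    return {ip: sorted(users) for ip, users in hits.items() if len(users) >= threshold}


if __name__ == "__main__":
    for ip, users in find_roasting(SAMPLE_LOGS).items():
        print(f"possible AS-REP roasting from {ip}: {', '.join(users)}")
```

The legitimate-looking AES request for svc_backup from 192.168.56.20 is not reported with the default RC4 filter; it only surfaces when the filter is relaxed and the threshold lowered.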