Last updated: April 29, 2026
Why this module exists. Every AD pentester checks Kerberoasting first. Most check AS-REP Roasting second. The astonishing thing is how often it works in 2026 — accounts with DONT_REQ_PREAUTH set, often “temporarily” by an admin in 2014 and never unset. One vulnerable account is enough to crack a domain user’s password offline.
The bug, structurally
Kerberos pre-authentication: when you request a TGT, you must prove you know your password by encrypting a timestamp with a key derived from it. The KDC decrypts, checks the timestamp is recent, and if so issues the TGT.
If pre-auth is disabled (the DONT_REQ_PREAUTH flag in userAccountControl), the KDC issues a TGT to anyone who asks for that user, and the reply carries a part encrypted with the user’s password-derived key. An attacker requests it, takes that encrypted blob offline, and brute-forces the password.
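The defender’s side of the flag just described, as an added example that is not part of this module: audit exported userAccountControl values for the DONT_REQ_PREAUTH bit (0x400000), show the remediated value, and flag the matching signal in constructed 4768 events (pre-authentication type 0). The account names and events are made up for the example.

```python
# Added example: audit DONT_REQ_PREAUTH and spot the AS-REP Roasting signal in logs.
from typing import Dict, List

UF_ACCOUNTDISABLE = 0x0002           # account is disabled
UF_DONT_REQUIRE_PREAUTH = 0x400000   # Kerberos pre-authentication not required

# Constructed LDAP-export rows (sAMAccountName, userAccountControl); not real data.
SAMPLE_ACCOUNTS: List[Dict[str, object]] = [
    {"sAMAccountName": "alice",      "userAccountControl": 0x200},                   # normal user
    {"sAMAccountName": "svc-legacy", "userAccountControl": 0x200 | 0x400000},        # pre-auth off
    {"sAMAccountName": "old-admin",  "userAccountControl": 0x200 | 0x400000 | 0x2},  # off, but disabled
    {"sAMAccountName": "bob",        "userAccountControl": "66048"},                 # exported as string
]

# Constructed Windows security events (fields as they appear in Event ID 4768).
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"EventID": 4768, "TargetUserName": "alice",      "PreAuthType": 2, "TicketEncryptionType": 0x12},
    {"EventID": 4768, "TargetUserName": "svc-legacy", "PreAuthType": 0, "TicketEncryptionType": 0x17},
    {"EventID": 4769, "TargetUserName": "bob",        "PreAuthType": 2, "TicketEncryptionType": 0x12},
]

def audit_preauth(accounts: List[Dict[str, object]]) -> Dict[str, List[str]]:
    """Split accounts with DONT_REQ_PREAUTH set into enabled (roastable now) and disabled (clean up anyway)."""
    result: Dict[str, List[str]] = {"enabled": [], "disabled": []}
    for acct in accounts:
        uac = int(acct["userAccountControl"])  # exports often carry the value as a string
        if not uac & UF_DONT_REQUIRE_PREAUTH:
            continue
        bucket = "disabled" if uac & UF_ACCOUNTDISABLE else "enabled"
        result[bucket].append(str(acct["sAMAccountName"]))
    for names in result.values():
        names.sort()
    return result

def remediated_uac(uac: int) -> int:
    """userAccountControl with the pre-auth bypass bit cleared; all other bits untouched."""
    return uac & ~UF_DONT_REQUIRE_PREAUTH

def asrep_without_preauth(events: List[Dict[str, object]]) -> List[str]:
    """Users for whom a TGT was issued without pre-authentication (4768, PreAuthType 0)."""
    return sorted(str(e["TargetUserName"]) for e in events
                  if e["EventID"] == 4768 and int(e["PreAuthType"]) == 0)

if __name__ == "__main__":
    print("audit:", audit_preauth(SAMPLE_ACCOUNTS))
    print("4768 without pre-auth:", asrep_without_preauth(SAMPLE_EVENTS))
```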
Custom team training + practitioner advisory
Beyond the free academy — we run private workshops, vCISO advisory, and red-team exercises tailored to your stack. For Indian SMBs scaling past their first hire.