AS-REP Roasting is a technique that targets the Kerberos authentication protocol by exploiting user accounts that have Kerberos pre-authentication disabled. When pre-authentication is enabled, a user who needs access to a resource starts the Kerberos authentication process by sending an Authentication Server (AS) request that must first prove knowledge of the account's password. When pre-authentication is disabled, no such proof is required, so attackers may obtain the password hashes of the affected accounts and attempt to crack them offline.
In short, AS-REP Roasting takes advantage of the fact that, for accounts with the “Do not require Kerberos pre-authentication” option set, there is no need to send the normally required timestamp (encrypted with the user’s password hash) at the beginning of the authentication procedure. This allows adversaries to reveal the credentials of such accounts, which makes those accounts vulnerable to password cracking.
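A defender can find the exposed accounts by checking each account's `userAccountControl` attribute for the `DONT_REQ_PREAUTH` bit (0x400000) that this option sets. The following added example (not from the original page) audits a constructed LDIF-style export offline; the sample accounts, the priority labels and the use of `adminCount` as a privilege hint are assumptions made for illustration.

```python
# userAccountControl bit values as documented by Microsoft.
UF_ACCOUNTDISABLE = 0x0002
UF_DONT_REQUIRE_PREAUTH = 0x400000
RANK = {"high": 0, "medium": 1, "low": 2}  # hypothetical triage labels

# Constructed sample export (LDIF-style); every name and value is made up.
SAMPLE_LDIF = """\
dn: CN=alice,DC=example,DC=test
sAMAccountName: alice
userAccountControl: 512

dn: CN=svc_legacy,DC=example,DC=test
sAMAccountName: svc_legacy
userAccountControl: 4260352
adminCount: 1

dn: CN=bob,DC=example,DC=test
sAMAccountName: bob
userAccountControl: 4194818

dn: CN=carol,DC=example,DC=test
sAMAccountName: carol
userAccountControl: 4194816
"""

def parse_ldif(text):
    """Return one dict of attributes per blank-line-separated entry."""
    blocks = text.strip().split("\n\n")
    parsed = [[line.partition(": ") for line in b.splitlines()] for b in blocks]
    return [{k: v for k, sep, v in rows if sep} for rows in parsed]

def audit_preauth(entries):
    """List accounts with pre-authentication disabled, most urgent first."""
    findings = []
    for e in entries:
        uac = e.get("userAccountControl", "")
        if not uac.isdigit() or not int(uac) & UF_DONT_REQUIRE_PREAUTH:
            continue  # malformed record, or pre-authentication still required
        enabled = not int(uac) & UF_ACCOUNTDISABLE
        privileged = e.get("adminCount") == "1"
        # Enabled accounts are the live exposure; privileged ones come first.
        priority = "high" if enabled and privileged else "medium" if enabled else "low"
        findings.append({"account": e.get("sAMAccountName", e.get("dn", "?")),
                         "enabled": enabled, "privileged": privileged,
                         "priority": priority})
    return sorted(findings, key=lambda f: RANK[f["priority"]])

if __name__ == "__main__":
    for f in audit_preauth(parse_ldif(SAMPLE_LDIF)):
        print(f["priority"], f["account"], "enabled" if f["enabled"] else "disabled")
```

Each finding is a candidate for re-enabling pre-authentication; where the option has to stay set, a long random password is what limits the value of offline cracking.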