Password Guessing
Basic Powershell Script
This is a low-and-slow password guessing method that uses a PowerShell script built on LDAP and ADSI. The script calls the DirectoryEntry constructor with each candidate username and password. This creates a directory entry in the security context of that user; if the bind succeeds, the object is created and we can conclude that the password is correct.
CrackMapExec
CrackMapExec can be used to authenticate to the SMB service with a username and password, which makes it another way to test a candidate password.
Obtaining a TGT
In this method we attempt to obtain a TGT from the Domain Controller using a username and password. Kerbrute is one of the tools that can be used for password guessing in this way. The syntax of the command is as follows:
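The three methods above (LDAP bind, SMB logon, TGT request) all leave failed-logon events on the Domain Controller, so a defender can spot them from the Security log. The following is an added example, not a command from the page or from any of the tools it names: it clusters bad-password failures per source address, separating a spray (many accounts, few attempts each) from a brute force (one account, many attempts). The event records are constructed to imitate the fields a SIEM would extract from event 4625 (logon failure, sub-status 0xC000006A = wrong password) and 4771 (Kerberos pre-authentication failed, failure code 0x18 = wrong password); field names and thresholds are assumptions.

```python
"""Cluster bad-password failures from Domain Controller Security events.

Added example, not from the original page or from Kerbrute/CrackMapExec.
The records below are constructed sample events; the field names ("time",
"id", "user", "src", "status") are an assumption about what a SIEM exports.
"""
from collections import defaultdict
from datetime import datetime, timedelta

EVENTS = [
    # 10.0.0.5 tries one password against many accounts: spray pattern
    {"time": "2024-01-10T09:00:01", "id": 4771, "user": "alice", "src": "10.0.0.5", "status": "0x18"},
    {"time": "2024-01-10T09:00:02", "id": 4771, "user": "bob",   "src": "10.0.0.5", "status": "0x18"},
    {"time": "2024-01-10T09:00:03", "id": 4771, "user": "carol", "src": "10.0.0.5", "status": "0x18"},
    {"time": "2024-01-10T09:00:04", "id": 4771, "user": "dave",  "src": "10.0.0.5", "status": "0x18"},
    {"time": "2024-01-10T09:00:05", "id": 4771, "user": "erin",  "src": "10.0.0.5", "status": "0x18"},
    # 10.0.0.9 hammers one service account over SMB: brute-force pattern
    {"time": "2024-01-10T09:05:00", "id": 4625, "user": "svc_backup", "src": "10.0.0.9", "status": "0xC000006A"},
    {"time": "2024-01-10T09:05:01", "id": 4625, "user": "svc_backup", "src": "10.0.0.9", "status": "0xC000006A"},
    {"time": "2024-01-10T09:05:02", "id": 4625, "user": "svc_backup", "src": "10.0.0.9", "status": "0xC000006A"},
    {"time": "2024-01-10T09:05:03", "id": 4625, "user": "svc_backup", "src": "10.0.0.9", "status": "0xC000006A"},
    {"time": "2024-01-10T09:05:04", "id": 4625, "user": "svc_backup", "src": "10.0.0.9", "status": "0xC000006A"},
    {"time": "2024-01-10T09:05:05", "id": 4625, "user": "svc_backup", "src": "10.0.0.9", "status": "0xC000006A"},
    # 10.0.0.20: a user mistypes once and then logs on (4624): benign
    {"time": "2024-01-10T09:10:00", "id": 4625, "user": "frank", "src": "10.0.0.20", "status": "0xC000006A"},
    {"time": "2024-01-10T09:10:08", "id": 4624, "user": "frank", "src": "10.0.0.20", "status": "0x0"},
    # 10.0.0.5 again, but hours later, so outside the correlation window
    {"time": "2024-01-10T11:30:00", "id": 4771, "user": "grace", "src": "10.0.0.5", "status": "0x18"},
]


def is_bad_password(event):
    """True for a failed logon attributable to a wrong password."""
    if event["id"] == 4625:
        return event["status"] == "0xC000006A"  # STATUS_WRONG_PASSWORD
    if event["id"] == 4771:
        return event["status"] == "0x18"        # KDC_ERR_PREAUTH_FAILED
    return False


def detect_guessing(events, window=timedelta(minutes=30), spray_users=5, brute_attempts=5):
    """Correlate bad-password failures per source within a sliding window.

    Returns a sorted list of (source, kind, target, count) alerts, where kind is
    "spray" (at least spray_users distinct accounts from one source; target "*")
    or "brute" (at least brute_attempts failures against one account; target is
    that account). Each alert carries the largest count seen in any window.
    """
    by_src = defaultdict(list)
    for e in events:
        if is_bad_password(e):
            by_src[e["src"]].append((datetime.fromisoformat(e["time"]), e["user"]))

    alerts = {}
    for src, fails in by_src.items():
        fails.sort()
        for i, (t0, _) in enumerate(fails):
            in_window = [u for t, u in fails[i:] if t - t0 <= window]
            distinct = len(set(in_window))
            if distinct >= spray_users:
                key = (src, "spray", "*")
                alerts[key] = max(alerts.get(key, 0), distinct)
            for u in set(in_window):
                n = in_window.count(u)
                if n >= brute_attempts:
                    key = (src, "brute", u)
                    alerts[key] = max(alerts.get(key, 0), n)
    return sorted((src, kind, target, n) for (src, kind, target), n in alerts.items())


if __name__ == "__main__":
    for src, kind, target, n in detect_guessing(EVENTS):
        print(f"{src}: {kind} against {target} ({n} in window)")
```

The thresholds are deliberately low so the constructed sample triggers; in production they should be tuned against the lockout policy (a spray that stays below the lockout threshold per account is exactly what the per-source view is meant to catch).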
AS-REP Roasting
As part of obtaining a TGT, the client must first prove knowledge of the user's password to the domain controller; this step is called preauthentication. Sometimes preauthentication is disabled for an account, and then anyone can send an AS-REQ on that user's behalf and receive an AS-REP. Once obtained, the AS-REP can be used to guess the password offline.
Using Impacket
Impacket can be used to perform this attack with the following command:
This should fetch the AS-REP hash, which can be cracked with hashcat using the following command:
Using Rubeus
Rubeus is a Windows tool that can be used to perform the same attack. It first identifies which users are vulnerable to this attack and then performs it against them. The output of the tool displays the hash for each such user, which can then be used to guess the password with hashcat as above.
In a given domain the users that do not require preauthentication can be identified by using PowerView.ps1's function "Get-DomainUser" with the option "-PreauthNotRequired".
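The defensive counterpart of that PowerView query is to audit the accounts that carry the flag and clear it. The following is an added example, not the page's own or PowerView's code: it decodes the userAccountControl attribute, lists enabled accounts whose "Do not require Kerberos preauthentication" bit (0x400000) is set, computes the value to write back to clear only that bit, builds the equivalent LDAP filter, and flags 4768 events issued without preauthentication. The account and event records are constructed; field names are an assumption about what an LDAP query or SIEM returns.

```python
"""Audit accounts that do not require Kerberos preauthentication.

Added example, not from the original page, PowerView or Rubeus. ACCOUNTS and
TGT_EVENTS are constructed samples; the field names are assumptions.
"""

# Bit flags of the userAccountControl attribute (Active Directory schema values).
UAC_ACCOUNTDISABLE = 0x0002
UAC_NORMAL_ACCOUNT = 0x0200
UAC_DONT_EXPIRE_PASSWORD = 0x10000
UAC_DONT_REQ_PREAUTH = 0x400000  # "Do not require Kerberos preauthentication"

# LDAP bitwise-AND matching rule OID, used to test individual UAC bits.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"

# Constructed sample accounts as an LDAP query would return them.
ACCOUNTS = [
    {"sAMAccountName": "alice", "userAccountControl": UAC_NORMAL_ACCOUNT},
    {"sAMAccountName": "legacy_app", "userAccountControl": UAC_NORMAL_ACCOUNT | UAC_DONT_REQ_PREAUTH},
    {"sAMAccountName": "old_svc", "userAccountControl": UAC_NORMAL_ACCOUNT | UAC_ACCOUNTDISABLE | UAC_DONT_REQ_PREAUTH},
    {"sAMAccountName": "bob", "userAccountControl": UAC_NORMAL_ACCOUNT | UAC_DONT_EXPIRE_PASSWORD | UAC_DONT_REQ_PREAUTH},
]

# Constructed sample 4768 (TGT requested) events; "preauth_type" 0 is
# "Logon without Pre-Authentication" in the event's Pre-Authentication Type field.
TGT_EVENTS = [
    {"id": 4768, "user": "alice", "src": "10.0.0.7", "preauth_type": 2},
    {"id": 4768, "user": "legacy_app", "src": "10.0.0.5", "preauth_type": 0},
    {"id": 4769, "user": "alice", "src": "10.0.0.7", "preauth_type": 2},
]


def preauth_not_required(account):
    """True when the account's UAC has the DONT_REQ_PREAUTH bit set."""
    return bool(account["userAccountControl"] & UAC_DONT_REQ_PREAUTH)


def is_disabled(account):
    return bool(account["userAccountControl"] & UAC_ACCOUNTDISABLE)


def roastable_accounts(accounts):
    """Enabled accounts that would answer an AS-REQ without preauthentication."""
    return sorted(a["sAMAccountName"] for a in accounts
                  if preauth_not_required(a) and not is_disabled(a))


def remediated_uac(uac):
    """UAC value to write back: same bits, with only DONT_REQ_PREAUTH cleared."""
    return uac & ~UAC_DONT_REQ_PREAUTH


def ldap_filter_preauth_not_required():
    """Filter selecting enabled accounts with the flag set (for ldapsearch or -LDAPFilter)."""
    return (f"(&(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={UAC_DONT_REQ_PREAUTH})"
            f"(!(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={UAC_ACCOUNTDISABLE})))")


def asrep_without_preauth(events):
    """(user, source) pairs for TGTs issued without preauthentication."""
    return [(e["user"], e["src"]) for e in events
            if e["id"] == 4768 and e["preauth_type"] == 0]


if __name__ == "__main__":
    print("LDAP filter:", ldap_filter_preauth_not_required())
    for a in ACCOUNTS:
        if preauth_not_required(a):
            print(f"{a['sAMAccountName']}: UAC {a['userAccountControl']:#x} -> "
                  f"{remediated_uac(a['userAccountControl']):#x}")
    print("TGTs issued without preauth:", asrep_without_preauth(TGT_EVENTS))
```

Clearing the bit is the remediation; where an application genuinely needs preauthentication disabled, the account should at least have a long random password so the offline guess the page describes does not succeed, and any 4768 with Pre-Authentication Type 0 for that account from an unexpected source is worth an alert.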