Active Directory in the Enterprise — Why AD Is the #1 Pentest Target
Active Directory (AD) remains the backbone of identity and access management in most enterprise environments. Its central role in managing users, groups, permissions, and policies makes it an attractive target for attackers aiming to compromise entire networks. With millions of organizations relying on AD for authentication, attackers recognize its vulnerabilities and exploit them through sophisticated Active Directory attacks to gain persistent access, escalate privileges, and exfiltrate sensitive data.
One reason AD is a prime target is its hierarchical structure, which consolidates critical information in a single database. As a result, compromising AD can enable an attacker to move laterally within the network, access high-value assets, and maintain persistence. This makes AD security a top priority for cybersecurity professionals conducting AD pentesting and offensive assessments.
Furthermore, the integration of various services like DNS, Group Policy, and Kerberos within AD amplifies its attack surface. Attackers leverage this interconnectedness to execute complex techniques like Kerberoasting, pass-the-hash, and Golden Ticket attacks. Understanding the intricacies of AD vulnerabilities is essential for defenders and ethical hackers aiming to strengthen defenses against advanced threats targeting enterprise infrastructure.
AD Enumeration — BloodHound, PowerView & LDAP Queries
Effective Active Directory hacking begins with meticulous enumeration. This phase uncovers valuable information about domain structure, user privileges, group memberships, and trust relationships. Tools such as BloodHound, PowerView, and LDAP queries are crucial for mapping the attack surface and identifying potential privilege escalation paths.
BloodHound uses graph theory to visualize complex AD relationships. It collects data via the SharpHound ingestor, which leverages PowerShell to query AD for user, group, computer, and trust information. For example, running
Invoke-BloodHound -CollectionMethod All
gathers comprehensive data, which BloodHound then visualizes, highlighting paths to high-privilege accounts.
PowerView, another powerful PowerShell tool, allows attackers to enumerate AD domains, users, groups, and permissions. Commands like Get-NetUser and Get-NetGroup reveal user privileges and group memberships. It also identifies accounts with suspicious permissions or weak configurations.
LDAP queries provide low-level access to AD data. For instance, executing
ldapsearch -x -b "dc=example,dc=com" "(objectClass=person)"
retrieves user objects, while more targeted filters can identify service accounts or high-privilege users. Mastery of LDAP syntax is vital for precise enumeration during an attack or security assessment.
Combining these tools allows an attacker or security professional to generate a comprehensive map of the AD environment, pinpointing crucial accounts and trust relationships that can be exploited in subsequent attack phases.
Kerberoasting — Extracting & Cracking Service Account Hashes
Kerberoasting is a highly effective Active Directory attack technique that targets service accounts to extract and crack their Kerberos service tickets. Since service accounts often run with elevated privileges and have weaker password policies, compromising them can lead to domain escalation.
The attack begins with an attacker requesting service tickets for service accounts using a valid user account. These tickets are encrypted with the service account’s password hash. The attacker then extracts the Ticket Granting Service (TGS) tickets from memory or network traffic, typically using tools like Impacket or Rubeus.
Once the TGS tickets are obtained, the attacker attempts to crack their hashes offline using tools such as Hashcat or John the Ripper. The process involves applying password cracking techniques—brute-force, dictionary attacks, or hybrid methods—to recover the plaintext password.
Example command with Impacket to request a service ticket:
python3 GetUserSPNs.py -request -dc-ip <dc_ip> <domain>/<user>:<password>
And to extract tickets from memory or traffic, Rubeus can be employed:
Rubeus.exe kerberoast
Success in Kerberoasting grants an attacker access to highly privileged service accounts, enabling lateral movement or domain escalation. Defenders should enforce strong password policies, monitor for abnormal ticket requests, and implement sensitive account protections to mitigate this threat.
AS-REP Roasting — Attacking Accounts Without Pre-Authentication
While Kerberoasting targets service accounts, AS-REP roasting exploits user accounts that do not require pre-authentication. These accounts can be attacked even if the attacker has limited initial access, making this technique a potent threat in AD environments.
In an AS-REP roasting attack, an attacker enumerates user accounts that have the "Do not require Kerberos pre-authentication" property enabled. This configuration allows the attacker to request Authentication Service (AS) responses without providing credentials, so the server sends back a response encrypted with the user's password-derived key, which is the material that is then cracked offline.
Tools like Impacket or Hashcat facilitate this attack. For example, with Impacket:
python3 GetNPUsers.py <domain>/ -usersfile users.txt -dc-ip <dc_ip>
This command lists user accounts susceptible to AS-REP roasting. The attacker then cracks the captured hashes offline, recovering plaintext passwords.
Preventing AS-REP roasting requires strict account configurations, such as disabling the "Do not require Kerberos pre-authentication" setting for user accounts. Monitoring abnormal account request patterns and implementing strong password policies further reduce the attack surface.
Understanding this attack vector is vital for AD pentesters and security teams aiming to identify and remediate weak account configurations before malicious actors exploit them.
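A defender-side audit of the two account weaknesses discussed in the Kerberoasting and AS-REP roasting sections (user accounts carrying an SPN, and accounts with pre-authentication disabled), written as an added example rather than code from the original post; the account records are constructed, while the attribute names, flag values and LDAP filters are the standard AD ones:

```python
# Added example (not from the original post): audit constructed AD user records
# for the two exposures this page describes, using the same attributes a
# defender would pull from LDAP. The sample accounts below are made up.

# userAccountControl bit flags (values from the AD schema)
ACCOUNTDISABLE = 0x0002
DONT_REQ_PREAUTH = 0x400000  # "Do not require Kerberos preauthentication"

# LDAP filters that find the same accounts directly in the directory
LDAP_ASREP_ROASTABLE = "(&(objectCategory=person)(userAccountControl:1.2.840.113556.1.4.803:=4194304))"
LDAP_KERBEROASTABLE = "(&(objectCategory=person)(servicePrincipalName=*)(!(sAMAccountName=krbtgt)))"

def user(name, uac, spns=(), admin_count=0):  # constructed record with real attribute names
    return {"sAMAccountName": name, "userAccountControl": uac,
            "servicePrincipalName": list(spns), "adminCount": admin_count}

SAMPLE_USERS = [  # constructed
    user("alice", 0x200),                                                 # normal user
    user("svc_sql", 0x10200, ["MSSQLSvc/sql01.example.com:1433"], 1),     # privileged SPN account
    user("legacy1", 0x200 | DONT_REQ_PREAUTH),                            # pre-auth disabled
    user("old_svc", 0x202 | DONT_REQ_PREAUTH, ["HTTP/old.example.com"]),  # disabled: not exposed
    user("krbtgt", 0x202, ["kadmin/changepw"], 1),
]

def is_enabled(u):
    return not (u["userAccountControl"] & ACCOUNTDISABLE)

def asrep_roastable(users):
    """Enabled accounts whose AS-REP can be requested without any credentials."""
    return sorted(u["sAMAccountName"] for u in users
                  if is_enabled(u) and u["userAccountControl"] & DONT_REQ_PREAUTH)

def kerberoastable(users):
    """Enabled user accounts with an SPN: any domain user can request a TGS encrypted with their key."""
    return sorted(u["sAMAccountName"] for u in users
                  if is_enabled(u) and u["servicePrincipalName"] and u["sAMAccountName"] != "krbtgt")

def audit(users):
    """Findings per account, privileged (adminCount=1) accounts first so they get fixed first."""
    findings = {}
    for name in asrep_roastable(users):
        findings.setdefault(name, []).append("DONT_REQ_PREAUTH set")
    for name in kerberoastable(users):
        findings.setdefault(name, []).append("SPN on a user account")
    privileged = {u["sAMAccountName"] for u in users if u["adminCount"] == 1}
    return sorted(findings.items(), key=lambda kv: (kv[0] not in privileged, kv[0]))
```

Running audit(SAMPLE_USERS) lists svc_sql (privileged, SPN) before legacy1 (pre-auth disabled) and ignores the disabled old_svc; the same two filters, pointed at a real directory, give the remediation list for the controls the page recommends.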
Pass-the-Hash & Pass-the-Ticket — Credential Reuse Attacks
Active Directory attacks often involve credential reuse techniques like pass-the-hash (PtH) and pass-the-ticket (PtT). These methods enable attackers to authenticate as legitimate users without knowing their plaintext passwords, facilitating lateral movement and privilege escalation.
Pass-the-Hash leverages stolen NTLM password hashes. Attackers can use tools like Impacket's pth-winexe or Mimikatz to inject hashes into memory or impersonate users across network services. For example:
mimikatz > sekurlsa::logonPasswords
Or with Impacket:
python3 pth-winexe.py/ : @
Pass-the-Ticket involves forging or stealing Kerberos tickets. Attackers extract valid tickets using Mimikatz’s kerberos::list command, then inject them into their session to impersonate the user:
mimikatz > kerberos::ptt <ticket.kirbi>
This technique allows persistent access without re-entering credentials, especially effective against systems with weak ticket management or high trust relationships.
Mitigations include implementing Windows Defender Credential Guard, enforcing strong password and account lockout policies, and monitoring for abnormal authentication patterns. Regularly rotating keys and implementing multifactor authentication further reduce the attack surface for credential reuse attacks.
Golden Ticket & Silver Ticket — Kerberos Ticket Forging
Kerberos ticket forging stands among the most advanced Active Directory attacks. The Golden Ticket attack involves creating a forged Kerberos Ticket Granting Ticket (TGT) impersonating any user, including domain admins, by compromising the Key Distribution Center (KDC) secret key.
Attackers typically extract the KRBTGT account hash from a domain controller using Mimikatz or similar tools. With this hash, they generate a Golden Ticket that grants unrestricted access across the domain:
kerberos::golden
Similarly, Silver Tickets are forged TGS tickets for specific services, allowing lateral movement to compromised servers or applications without needing domain admin privileges.
Comparison of Golden and Silver Tickets:
| Feature | Golden Ticket | Silver Ticket |
|---|---|---|
| Purpose | Domain-wide admin access | Access to specific services |
| Requires | KRBTGT hash | Service account credentials |
| Scope | All domain resources | Targeted resources/services |
| Persistence | High, persists until KRBTGT is reset | Limited to service validity |
Defenders must monitor for abnormal ticket creation, implement strong KRBTGT password rotation, and restrict privileged account use to prevent such attacks. Regular security audits and advanced detection mechanisms are critical components of an effective defense strategy. For detailed insights, visit Networkers Home Blog.
DCSync Attack — Dumping Domain Controller Password Hashes
The DCSync attack represents a critical threat where an attacker simulates the behavior of a domain controller to extract password hashes, especially the KRBTGT and user account hashes. This attack leverages the replication permissions granted to certain AD accounts, enabling attackers to synchronize directory data remotely.
Using tools like Mimikatz, an attacker with sufficient privileges can execute:
mimikatz > privilege::debug
mimikatz > lsadump::dcsync /user:Administrator /domain:example.com
This command retrieves password hashes directly from the domain controller, including those of high-privilege accounts. Once obtained, these hashes can be used for pass-the-hash or ticket forging attacks, escalating the threat level significantly.
Protection against DCSync involves strict privilege management—ensuring only authorized accounts have replication permissions—and continuous monitoring of replication activities. Implementing privileged access management and regular password rotations further mitigate risks. Organizations should also leverage SIEM solutions for anomaly detection related to directory replication activities.
Understanding and defending against DCSync is crucial for comprehensive AD security. For more advanced attack techniques and defenses, consult Networkers Home Blog.
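An added example (not from the original post) of the monitoring the Kerberoasting and DCSync sections call for: two rules run over constructed Security-log records, one flagging an account that pulls RC4 service tickets for several SPNs within a short window (Event ID 4769), the other flagging replication rights exercised by a non-machine account (Event ID 4662). The event records and thresholds are made up; the GUIDs, event IDs and encryption-type value are the real ones.

```python
# Added example (not from the original post): two detection rules run over
# constructed Windows Security event records for behaviours this page tells
# defenders to watch for. The records and thresholds are made up.
from collections import defaultdict
from datetime import datetime, timedelta

# Control-access-right GUIDs a DCSync must exercise (DS-Replication-Get-Changes / -All)
REPLICATION_GUIDS = {"1131f6aa-9c07-11d1-f79f-00c04fc2dcd2", "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"}
RC4_HMAC = "0x17"  # TicketEncryptionType for RC4, the type Kerberoasting tools ask for

def tgs(when, requester, spn, etype=RC4_HMAC):  # constructed 4769 "TGS requested" record
    return {"EventID": 4769, "Time": datetime.fromisoformat(when),
            "TargetUserName": requester, "ServiceName": spn, "TicketEncryptionType": etype}
def dsaccess(when, subject, props):  # constructed 4662 "operation on directory object" record
    return {"EventID": 4662, "Time": datetime.fromisoformat(when),
            "SubjectUserName": subject, "Properties": props}

SAMPLE_EVENTS = [  # constructed sample log
    tgs("2024-05-01T09:00:01", "bob@EXAMPLE.COM", "svc_sql"),
    tgs("2024-05-01T09:00:02", "bob@EXAMPLE.COM", "svc_web"),
    tgs("2024-05-01T09:00:03", "bob@EXAMPLE.COM", "svc_backup"),
    tgs("2024-05-01T09:30:00", "alice@EXAMPLE.COM", "WS01$", etype="0x12"),  # AES, machine SPN: benign
    dsaccess("2024-05-01T10:00:00", "DC02$", "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"),  # DC-to-DC
    dsaccess("2024-05-01T10:05:00", "helpdesk1",
             "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"),
]

def detect_kerberoasting(events, min_spns=3, window=timedelta(minutes=5)):
    """Requesters that got RC4 TGS tickets for >= min_spns distinct user SPNs inside one window."""
    by_user = defaultdict(list)
    for e in events:
        if (e["EventID"] == 4769 and e["TicketEncryptionType"] == RC4_HMAC
                and not e["ServiceName"].endswith("$") and e["ServiceName"] != "krbtgt"):
            by_user[e["TargetUserName"]].append(e)
    hits = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["Time"])
        for i, first in enumerate(evs):  # slide a window that starts at each request
            spns = {x["ServiceName"] for x in evs[i:] if x["Time"] - first["Time"] <= window}
            if len(spns) >= min_spns:
                hits.append((user, sorted(spns)))
                break
    return hits

def detect_dcsync(events):
    """4662 events exercising replication rights from anything but a machine account ($ suffix is a simplification)."""
    return [e["SubjectUserName"] for e in events
            if e["EventID"] == 4662 and not e["SubjectUserName"].endswith("$")
            and any(g in e["Properties"].lower() for g in REPLICATION_GUIDS)]
```

In production, replace the machine-account shortcut in detect_dcsync with the actual list of domain controller accounts, since only those (and a few well-known services such as Azure AD Connect) should ever hold replication rights.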
AD Attack Mitigation — Tiered Administration, LAPS & Monitoring
Securing Active Directory involves implementing layered defense strategies. Tiered administration, such as Microsoft’s Tier Model, restricts privileged access to dedicated tiers—workstations, servers, and domain controllers—reducing the risk of lateral movement and privilege escalation.
Implementing Local Administrator Password Solution (LAPS) ensures unique, regularly rotated local administrator passwords for each machine, preventing attackers from lateral movement via shared credentials. Regularly auditing group memberships, especially for privileged accounts, reduces the attack surface.
Monitoring and alerting are critical. Employ tools like SIEM solutions and native Windows Event Logs to detect suspicious activities such as abnormal ticket requests, privilege escalations, or replication anomalies. Enabling detailed logging for Kerberos, LDAP, and PowerShell activities provides visibility into malicious behaviors.
Additional best practices include:
- Enforcing multi-factor authentication (MFA) for all privileged accounts
- Applying the principle of least privilege
- Regularly patching and updating domain controllers and related infrastructure
- Conducting periodic security assessments and penetration testing to identify vulnerabilities
Implementing these controls significantly raises the difficulty for attackers attempting to perform Active Directory attacks successfully and strengthens overall enterprise security posture.
Key Takeaways
- Active Directory remains the primary target for advanced Active Directory attacks due to its central role in enterprise identity management.
- Tools like BloodHound, PowerView, and LDAP queries are essential for AD enumeration, revealing attack paths and privilege escalations.
- Kerberoasting and AS-REP roasting exploit weak password policies, enabling offline password cracking of service and user accounts.
- Credential reuse attacks such as pass-the-hash and pass-the-ticket facilitate lateral movement without plaintext passwords.
- Kerberos ticket forging (Golden and Silver Tickets) allows persistent, domain-wide access, demanding robust monitoring and password rotation.
- DCSync attacks enable attackers to dump password hashes directly from domain controllers, highlighting the importance of privilege management.
- Mitigation strategies include tiered admin models, LAPS, continuous monitoring, and regular security assessments, fundamental for defending AD environments.
Frequently Asked Questions
How can organizations detect and prevent Kerberoasting attacks?
Organizations can detect Kerberoasting by monitoring for abnormal service ticket requests, especially for high-value service accounts. Implementing SIEM solutions to flag unusual TGS request patterns is critical. Prevention includes enforcing strong, complex passwords for service accounts, enabling account lockout policies after suspicious activity, and restricting permissions on ticket requests. Regular auditing via tools like BloodHound can identify risky configurations, and strong password policies make cracking efforts more difficult. Additionally, enabling Managed Service Accounts (MSAs) reduces the risk by automating password management. Continuous monitoring and security awareness are vital to mitigate Kerberoasting threats effectively.
What are the best practices to defend against Golden Ticket attacks?
Defending against Golden Ticket attacks involves protecting the KRBTGT account by enforcing strict password rotation policies—ideally every 30-60 days—and limiting the number of accounts with replication permissions. Monitoring for abnormal ticket creation, suspicious logon activities, and privileged account usage is essential. Implementing tiered administration models reduces exposure of high-privilege accounts. Use of Endpoint Detection and Response (EDR) tools and Security Information and Event Management (SIEM) solutions can alert security teams to malicious ticket forging attempts. Additionally, deploying Privileged Access Workstations (PAWs) and Multi-Factor Authentication (MFA) on privileged accounts reduces attack vectors. Regular security audits and timely patching further mitigate risks.
Why is AD security critical for enterprise cybersecurity posture?
Active Directory is the core identity and access management system in most enterprises, controlling user authentication, authorization, and policy enforcement. A breach in AD can lead to complete domain compromise, enabling attackers to escalate privileges, access sensitive data, and maintain persistence. Such compromises can result in significant financial loss, data breaches, and operational disruption. Therefore, robust AD security practices—including regular audits, strong password policies, tiered administration, and continuous monitoring—are fundamental to an enterprise’s cybersecurity posture. Protecting AD environments prevents lateral movement, isolates critical assets, and helps organizations comply with regulatory standards. For comprehensive training on AD security, consider courses offered by Networkers Home.