Credential Attacks in Domain Environments
Kerberoasting attacks target Service Principal Names (SPNs) to obtain crackable ticket material. Any authenticated domain user can request a service ticket for any SPN, and the ticket comes back encrypted with a key derived from the service account's password. Offline cracking frequently succeeds because service account passwords are often weak and rarely rotated. Tools like Rubeus, GetUserSPNs.py, or PowerView automate ticket requests, while Hashcat cracks the resulting hashes.
AS-REP Roasting exploits accounts with Kerberos pre-authentication disabled, which lets anyone request an authentication response for them without first proving knowledge of the password. The attacker obtains a response encrypted with the account's password-derived key and cracks it offline. While less common than Kerberoasting, AS-REP Roasting requires no domain credentials for initial enumeration if usernames are known. Rubeus, GetNPUsers.py, and PowerView identify and exploit vulnerable accounts.
Password spraying tries a small number of common passwords across many accounts, staying under lockout thresholds. Unlike brute-force attacks that hammer a single account, password spraying tests a password like "Summer2024!" once against every domain user before moving to the next candidate. This technique frequently succeeds due to weak password policies and human predictability. Tools like Kerbrute, Rubeus, or custom scripts automate spraying while pacing attempts to respect lockout policies.
NTLM relay attacks capture authentication attempts and forward them to other resources. When a system attempts NTLM authentication against an attacker-controlled service, the captured exchange is relayed in real time to a legitimate service, which accepts it as the victim. Services that do not require SMB signing, WebDAV clients, and various other protocols enable relay attacks. Responder captures authentication attempts while ntlmrelayx or MultiRelay relay them to targets.
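The Kerberoasting and password-spraying paragraphs above each describe a pattern a domain controller's Security log records (event 4769 service-ticket requests with the RC4 encryption type; event 4771 pre-authentication failures spread across accounts). The following detection logic is an added example, not code from the original page or from any of the tools it names; the event records are constructed in a simplified CSV shape, and field names, thresholds and account names are assumptions.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample records (not real telemetry), one per line, in the shape
# event_id,time,account,source_ip,detail,code where for 4769 (service ticket
# requested) detail = SPN and code = encryption type, and for 4771 (pre-auth
# failed) detail is empty and code = failure status (0x18 = wrong password).
SAMPLE_LOG = """\
4769,10:00:01,jdoe,10.0.0.5,MSSQLSvc/db01.corp.local:1433,0x17
4769,10:00:02,jdoe,10.0.0.5,HTTP/web01.corp.local,0x17
4769,10:00:02,jdoe,10.0.0.5,CIFS/fs01.corp.local,0x17
4769,10:00:03,jdoe,10.0.0.5,svc_backup,0x17
4769,10:00:03,jdoe,10.0.0.5,krbtgt,0x12
4769,10:00:05,WS01$,10.0.0.7,CIFS/fs01.corp.local,0x12
4771,11:00:00,alice,10.0.0.9,,0x18
4771,11:00:01,bob,10.0.0.9,,0x18
4771,11:00:01,carol,10.0.0.9,,0x18
4771,11:00:02,dave,10.0.0.9,,0x18
4771,11:05:00,alice,10.0.0.12,,0x18
4771,11:05:10,alice,10.0.0.12,,0x18
"""

FIELDS = ("id", "time", "account", "ip", "detail", "code")

def parse(log):
    return [dict(zip(FIELDS, row)) for row in csv.reader(StringIO(log))]

def kerberoast_suspects(events, min_services=3):
    """Accounts that requested RC4 (0x17) service tickets for many distinct SPNs.
    Machine accounts ($) and TGT renewals (krbtgt) are skipped as normal noise."""
    by_account = defaultdict(set)
    for e in events:
        if e["id"] != "4769" or e["code"] != "0x17":
            continue
        if e["account"].endswith("$") or e["detail"].lower() == "krbtgt":
            continue
        by_account[e["account"]].add(e["detail"])
    return {a: sorted(s) for a, s in by_account.items() if len(s) >= min_services}

def spray_suspects(events, min_accounts=4, max_per_account=2):
    """Source IPs whose wrong-password failures (0x18) are spread thinly over many
    accounts (the under-lockout signature); one account failing repeatedly is excluded."""
    by_ip = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["id"] == "4771" and e["code"] == "0x18":
            by_ip[e["ip"]][e["account"]] += 1
    return {ip: sorted(accts) for ip, accts in by_ip.items()
            if len(accts) >= min_accounts and max(accts.values()) <= max_per_account}
```

In production the same two aggregations run over a time window rather than the whole log, and the thresholds are tuned against a baseline of how many SPNs a legitimate user touches and how many accounts a shared egress IP normally fails on.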