Domain Attacks
User Enumeration
Kerberos pre-authentication requests return different responses for valid and invalid users. The tool kerbrute uses this to rapidly identify valid usernames in a target domain.
kerbrute userenum -d contoso.com usernames.txt
An extremely underrated option for username enumeration is to view the address books of network-attached printers. Printers almost never require authentication for this, and the address book will give you the naming convention and a handful of target usernames.
Password Brute-Forcing
Kerberos is an extremely fast protocol for password brute-forcing; you can use kerbrute again here.
kerbrute passwordspray -d contoso.com valid_users.txt Password123
However, I have had a lot of false negatives with this method. I recommend just finding the least visible host (from XDR) and firing off SMB authentication attempts.
nxc smb 10.10.10.10 -u ./valid_users.txt -p Password123
ASREP Roasting
ASREP roasting allows you to request password hashes for accounts that do not require Kerberos pre-authentication. You can try to identify ASREP-roastable accounts by brute force from a valid user list (see above).
ASREP Roast
impacket-GetNPUsers Contoso.com/ -dc-ip 10.10.10.10 -no-pass -usersfile valid.txt
Note that an ASREP-roastable account can also be used, without knowing its password, to Kerberoast non-ASREP accounts.
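Detection logic for the three techniques above (username enumeration, password spraying and ASREP roasting), as an added defender-side example that is not part of the original page. It runs over constructed sample records modelled on the fields of Windows Security events 4768 and 4771; the field names, the source addresses and the per-source thresholds are assumptions to tune per environment.

```python
from collections import defaultdict

# Constructed sample events (not real log data), modelled on the fields of
# Windows Security events 4768 (TGT request) and 4771 (pre-auth failure):
#   4768 status 0x6  -> client principal unknown (username does not exist)
#   4771 status 0x18 -> pre-authentication failed (wrong password)
#   4768 status 0x0 with pre-auth type 0 and ticket encryption 0x17 (RC4)
#                    -> AS-REP issued to an account that skips pre-auth
SAMPLE_EVENTS = (
    [{"id": 4768, "src": "10.10.10.50", "user": f"user{i}", "status": "0x6",
      "preauth": None, "enc": None} for i in range(20)]
    + [{"id": 4771, "src": "10.10.10.51", "user": f"emp{i}", "status": "0x18",
        "preauth": None, "enc": None} for i in range(12)]
    + [{"id": 4768, "src": "10.10.10.52", "user": "svc-legacy", "status": "0x0",
        "preauth": 0, "enc": "0x17"}]
    # a single typo by a real user must not trip the spray threshold
    + [{"id": 4771, "src": "10.10.10.7", "user": "bob", "status": "0x18",
        "preauth": None, "enc": None}]
)


def analyze(events, enum_min=10, spray_min=10):
    """Return alerts keyed by technique; thresholds are per source address."""
    unknown = defaultdict(set)   # src -> usernames that do not exist
    badpw = defaultdict(set)     # src -> distinct accounts with a bad password
    asrep = []                   # accounts issued an AS-REP without pre-auth
    for e in events:
        if e["id"] == 4768 and e["status"] == "0x6":
            unknown[e["src"]].add(e["user"])
        elif e["id"] == 4771 and e["status"] == "0x18":
            badpw[e["src"]].add(e["user"])
        elif (e["id"] == 4768 and e["status"] == "0x0"
              and e["preauth"] == 0 and e["enc"] == "0x17"):
            asrep.append(e["user"])
    return {
        # many distinct non-existent names from one host = username enumeration
        "user_enumeration": {s: len(u) for s, u in unknown.items() if len(u) >= enum_min},
        # one host failing on many *distinct* accounts = password spray
        "password_spray": {s: len(u) for s, u in badpw.items() if len(u) >= spray_min},
        # accounts worth fixing (enable pre-auth, rotate password, drop RC4)
        "asrep_roastable": sorted(set(asrep)),
    }


if __name__ == "__main__":
    for technique, hits in analyze(SAMPLE_EVENTS).items():
        print(f"{technique}: {hits}")
```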
Pre-2000 Computers
Very old Windows machines may still use the pre-Windows 2000 default computer account password: the hostname.
SERVER1$ : SERVER1
You can discover these in a variety of ways, but you will likely get a STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT error when you have guessed the right password. You can reset the account's password with impacket-changepasswd, but try to use the kpasswd method for best results:
impacket-changepasswd contoso.com/'finance-pc$':'finance-pc'@dc.contoso.com -newpass 'Password!123' -p kpasswd
Dynamic DNS Injection
Some domains allow for dynamic DNS updates for compatibility. Hijack server DNS records to intercept authentication, either NTLM/Kerberos or cleartext protocols.