Mastering Active Directory Exploitation: Kerberoasting and NTLM Attacks

Listen to this Post

Featured Image

Introduction:

Active Directory (AD) remains a prime target for attackers due to its central role in enterprise authentication. Techniques like Kerberoasting and NTLM relay attacks exploit weak configurations to extract credentials and escalate privileges. This guide dives into offensive AD security, providing hands-on commands and mitigations.

Learning Objectives:

  • Understand Kerberoasting and extract service account hashes.
  • Crack NTLM hashes using Hashcat.
  • Implement defensive measures against AD attacks.

1. Enumerating Service Principal Names (SPNs) for Kerberoasting

Command (PowerShell):

Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName

What It Does:

Lists all AD users with SPNs, which are often service accounts vulnerable to Kerberoasting.

Step-by-Step:

  1. Run the command in a domain-joined Windows machine with AD module.

2. Identify high-value targets (e.g., SQL, HTTP services).

  1. Extract their Ticket Granting Service (TGS) tickets for offline cracking.

2. Requesting TGS Tickets with Rubeus

Command:

Rubeus.exe kerberoast /outfile:hashes.txt

What It Does:

Requests encrypted TGS tickets and exports them in a crackable format (Hashcat or John).

Step-by-Step:

  1. Download Rubeus.

2. Execute from an elevated shell.

  1. Crack the hashes using Hashcat (-m 13100 for Kerberos 5 TGS-REP).

3. Cracking Kerberos Hashes with Hashcat

Command:

hashcat -m 13100 hashes.txt rockyou.txt -O

What It Does:

Uses GPU acceleration to crack Kerberos TGS tickets.

Step-by-Step:

  1. Ensure Hashcat and a wordlist (e.g., rockyou.txt) are installed.

2. Run the command with the extracted hashes.

3. Use cracked passwords for lateral movement.

4. Exploiting NTLM Relay Attacks

Command (Impacket):

ntlmrelayx.py -t ldap://DC-IP -smb2support

What It Does:

Relays captured NTLM credentials to a Domain Controller (DC), dumping hashes or creating backdoor users.

Step-by-Step:

  1. Set up a listener with Responder or MitM6.

2. Capture NTLMv2 hashes during authentication attempts.

3. Relay them via `ntlmrelayx.py` to escalate privileges.

5. Mitigating AD Attacks

Defensive Measures:

  • Enable SMB Signing:
    Set-SmbServerConfiguration -RequireSecuritySignature $true
    
  • Restrict Kerberos Delegation:
    Set-ADAccountControl -Identity <User> -TrustedForDelegation $false
    
  • Enforce Strong SPN Passwords:
    Regularly audit service accounts with Get-ADUser -Filter -Properties PasswordLastSet.

What Undercode Say:

  • Key Takeaway 1: Kerberoasting exploits weak service account passwords—always enforce long, complex credentials.
  • Key Takeaway 2: NTLM relay attacks thrive on insecure protocols; disable NTLM where possible.

Analysis:

AD attacks persist due to legacy configurations and overprivileged service accounts. Red teams must simulate these attacks to uncover gaps, while blue teams should prioritize logging (e.g., `4624` events for Kerberos TGS requests) and least-privilege principles.

Prediction:

As AI-driven password cracking improves, attackers will automate Kerberoasting and NTLM relay at scale. Future AD defenses will rely on AI-powered anomaly detection and Zero Trust frameworks to mitigate these threats.

Ready to test your skills? Try the Soupedecode 01 TryHackMe room for hands-on practice!

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: Eduardo Cochella – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky