Active Directory attacks are a critical focus of the CompTIA PenTest+ PT0-003 exam, particularly in Domain 4. This article explores three essential techniques every penetration tester must know: Kerberoasting, AS-REP Roasting, and Pass-the-Hash. We'll break down the mechanics, demonstrate tool syntax, and show how these attacks chain together to escalate from low privileges to domain admin.
Why Active Directory Is the Crown Jewel
Active Directory (AD) is the backbone of most enterprise networks, storing user credentials, permissions, and authentication policies. Gaining control of AD often means full network compromise, making it a prime target for attackers and pen testers alike.
Kerberoasting: Stealing Tickets to Crack Offline
Kerberoasting abuses the Kerberos authentication protocol. Any authenticated domain user can request a service ticket for any account that has a Service Principal Name (SPN) registered. Part of that ticket is encrypted with a key derived from the service account's password (for RC4, the account's NT hash), so the ticket can be extracted and the password cracked offline without ever touching the service account itself.
Tools: Impacket's GetUserSPNs and Rubeus.
Example command (Impacket):
python3 GetUserSPNs.py -request -dc-ip <DC_IP> <DOMAIN>/<USER>:<PASSWORD>
The output is a Kerberos TGS ticket hash that can be cracked with Hashcat.
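On the defensive side, the same request shows up on the domain controller as Event ID 4769 (service ticket requested). An added example of how a detection could be written over such records (this is illustrative code, not from the original article or from Impacket/Rubeus; the event records are constructed, and the window and threshold values are assumptions to tune per environment). The heuristic keys on what the tools leave behind: one account requesting many distinct RC4-encrypted (etype 0x17) service tickets in a short span, while AES-encrypted requests (0x11/0x12) and TGT renewals are ignored.

```python
"""Heuristic Kerberoasting detection over Windows Security Event ID 4769 records."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs), reduced to the 4769 fields used here.
# TicketEncryptionType 0x17 is RC4-HMAC, the etype Kerberoasting tools normally ask
# for because the resulting hash cracks far faster than AES (0x11/0x12).
SAMPLE_4769 = [
    {"time": "2024-05-01T09:00:01", "user": "jdoe",   "spn": "MSSQLSvc/db01.corp.local:1433", "etype": "0x12", "status": "0x0"},
    {"time": "2024-05-01T09:15:00", "user": "bsmith", "spn": "HTTP/web01.corp.local",         "etype": "0x17", "status": "0x0"},
    {"time": "2024-05-01T09:15:01", "user": "bsmith", "spn": "MSSQLSvc/db01.corp.local:1433", "etype": "0x17", "status": "0x0"},
    {"time": "2024-05-01T09:15:01", "user": "bsmith", "spn": "CIFS/files01.corp.local",       "etype": "0x17", "status": "0x0"},
    {"time": "2024-05-01T09:15:02", "user": "bsmith", "spn": "ldap/dc01.corp.local",          "etype": "0x17", "status": "0x0"},
    {"time": "2024-05-01T09:15:02", "user": "bsmith", "spn": "exchangeMDB/mail01.corp.local", "etype": "0x17", "status": "0x0"},
    {"time": "2024-05-01T09:15:03", "user": "bsmith", "spn": "svc_backup/bk01.corp.local",    "etype": "0x17", "status": "0x0"},
    {"time": "2024-05-01T10:00:00", "user": "jdoe",   "spn": "krbtgt/CORP.LOCAL",             "etype": "0x12", "status": "0x0"},
]

RC4_ETYPE = "0x17"
IGNORED_SPN_PREFIXES = ("krbtgt/",)  # TGT renewals are routine and not service tickets


def detect_kerberoasting(events, window=timedelta(minutes=5), threshold=5):
    """Return {user: sorted distinct SPNs} for every requester that obtained at least
    `threshold` distinct RC4-encrypted service tickets inside some `window`-long span.
    Both parameters are assumed starting points, not vendor-recommended values."""
    per_user = defaultdict(list)
    for ev in events:
        if ev["status"] != "0x0" or ev["etype"] != RC4_ETYPE:
            continue  # failed request, or AES ticket: not the Kerberoasting footprint
        if ev["spn"].lower().startswith(IGNORED_SPN_PREFIXES):
            continue
        per_user[ev["user"]].append((datetime.fromisoformat(ev["time"]), ev["spn"]))

    alerts = {}
    for user, reqs in per_user.items():
        reqs.sort()
        # Sliding window anchored on each request: count distinct SPNs that follow
        # within `window`. Distinct SPNs matter, not raw request count, because a
        # legitimate client re-requests the same ticket many times.
        for i, (t0, _) in enumerate(reqs):
            spns = {spn for t, spn in reqs[i:] if t - t0 <= window}
            if len(spns) >= threshold:
                alerts[user] = sorted(spns)
                break
    return alerts


if __name__ == "__main__":
    for user, spns in detect_kerberoasting(SAMPLE_4769).items():
        print(f"possible Kerberoasting by {user}: {len(spns)} RC4 service tickets")
```

The rule only fires on `bsmith` in the sample; `jdoe`'s AES requests and TGT renewal pass. The practical mitigations this points at are the same ones the detection assumes: service accounts with long random passwords (or group Managed Service Accounts), and removing RC4 from the allowed Kerberos encryption types so the 0x17 signal becomes rare enough to alert on.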
AS-REP Roasting: When Pre-Auth Is Disabled
AS-REP Roasting targets user accounts that have Kerberos pre-authentication disabled. Without pre-auth, an attacker can request an AS-REP (Authentication Service Response) for any such user, which contains encrypted data that can be cracked offline.
Tool: Impacket's GetNPUsers.
Example command:
python3 GetNPUsers.py -request -dc-ip <DC_IP> <DOMAIN>/
This returns a hash for users with DONT_REQ_PREAUTH set.
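DONT_REQ_PREAUTH is a bit in the account's userAccountControl attribute, so the exposure is easy to audit before anyone roasts it, and the roasting itself leaves a distinctive Event ID 4768 on the domain controller (TGT issued with Pre-Authentication Type 0). An added example that does both (illustrative code, not from the original article or from Impacket; the directory entries and event records are constructed):

```python
"""Audit for AS-REP Roasting exposure: which enabled accounts have pre-authentication
disabled, and which TGT requests on the DC actually went through without it."""

# userAccountControl bit flags (standard Microsoft-documented values; only the ones
# relevant here are listed)
UAC_FLAGS = {
    0x0002:   "ACCOUNTDISABLE",
    0x0200:   "NORMAL_ACCOUNT",
    0x10000:  "DONT_EXPIRE_PASSWORD",
    0x400000: "DONT_REQ_PREAUTH",
}
UAC_ACCOUNTDISABLE = 0x0002
UAC_DONT_REQ_PREAUTH = 0x400000

# Constructed sample directory entries, shaped like the result of an LDAP query for
# sAMAccountName and userAccountControl (not from a real domain).
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "svc_legacy",     "userAccountControl": 0x410200},  # enabled, no pre-auth
    {"sAMAccountName": "old_contractor", "userAccountControl": 0x400202},  # no pre-auth but disabled
    {"sAMAccountName": "jdoe",           "userAccountControl": 0x200},     # normal account
]


def decode_uac(value):
    """Names of the known flags set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def asrep_exposed(accounts):
    """Enabled accounts with DONT_REQ_PREAUTH set: these are the ones an attacker can
    request an AS-REP for without knowing any password."""
    return sorted(
        a["sAMAccountName"] for a in accounts
        if a["userAccountControl"] & UAC_DONT_REQ_PREAUTH
        and not a["userAccountControl"] & UAC_ACCOUNTDISABLE
    )


# Constructed sample Event ID 4768 (Kerberos TGT requested) records from a DC.
# pre_auth_type 0 means the AS-REQ carried no pre-authentication data (type 2 is the
# normal encrypted-timestamp pre-auth); etype 0x17 is RC4; result 0x0 is success and
# 0x6 is KDC_ERR_C_PRINCIPAL_UNKNOWN (the requested user does not exist).
SAMPLE_4768 = [
    {"user": "jdoe",       "src_ip": "10.0.5.40", "pre_auth_type": 2, "etype": "0x12", "result": "0x0"},
    {"user": "svc_legacy", "src_ip": "10.0.5.23", "pre_auth_type": 0, "etype": "0x17", "result": "0x0"},
    {"user": "nosuchuser", "src_ip": "10.0.5.23", "pre_auth_type": 0, "etype": "0x17", "result": "0x6"},
]


def detect_asrep_roasting(events):
    """(source, user) pairs where a TGT was issued with no pre-auth and RC4 encryption.
    A legitimate client for a no-pre-auth account would produce the same event, so
    the audit above is what tells you whether that is expected for this account."""
    return [
        (e["src_ip"], e["user"]) for e in events
        if e["result"] == "0x0" and e["pre_auth_type"] == 0 and e["etype"] == "0x17"
    ]


if __name__ == "__main__":
    print("exposed accounts:", asrep_exposed(SAMPLE_ACCOUNTS))
    print("AS-REP roasting hits:", detect_asrep_roasting(SAMPLE_4768))
```

In the sample, only `svc_legacy` is both enabled and exempt from pre-auth, and the one successful no-pre-auth TGT in the 4768 records is for that same account. The fix is the audit's own criterion in reverse: clear DONT_REQ_PREAUTH on every account that does not have a documented reason for it.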
Pass-the-Hash: Authentication Without a Password
Pass-the-Hash (PtH) allows an attacker to authenticate using only the NTLM hash of a password, without ever knowing the plaintext. This is effective when hashes are dumped from memory (e.g., via Mimikatz) or extracted from SAM databases.
Tools: CrackMapExec and Mimikatz.
Example using CrackMapExec:
crackmapexec smb <TARGET_IP> -u <USER> -H <NTLM_HASH> -x whoami
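Because PtH produces a perfectly valid NTLM authentication, there is no failed-logon trail; what stands out is where NTLM is used and how it spreads. An added example of two commonly used heuristics over Event ID 4624 (successful logon) records (illustrative code, not from the original article or from CrackMapExec/Mimikatz; the event records are constructed and the fan-out threshold is an assumption):

```python
"""Heuristics for Pass-the-Hash activity over Windows Security Event ID 4624 records."""
from collections import defaultdict

# Constructed sample 4624 (successful logon) records, reduced to the fields used here.
# logon_type 2 = interactive, 3 = network, 9 = NewCredentials.
SAMPLE_4624 = [
    {"host": "WS01",  "logon_type": 2, "user": "jdoe",          "auth_pkg": "Kerberos",  "logon_process": "Kerberos", "src_ip": "-"},
    {"host": "WS07",  "logon_type": 9, "user": "bsmith",        "auth_pkg": "Negotiate", "logon_process": "seclogo",  "src_ip": "::1"},
    {"host": "SRV01", "logon_type": 3, "user": "administrator", "auth_pkg": "NTLM",      "logon_process": "NtLmSsp",  "src_ip": "10.0.5.23"},
    {"host": "SRV02", "logon_type": 3, "user": "administrator", "auth_pkg": "NTLM",      "logon_process": "NtLmSsp",  "src_ip": "10.0.5.23"},
    {"host": "SRV03", "logon_type": 3, "user": "administrator", "auth_pkg": "NTLM",      "logon_process": "NtLmSsp",  "src_ip": "10.0.5.23"},
    {"host": "SRV04", "logon_type": 3, "user": "administrator", "auth_pkg": "NTLM",      "logon_process": "NtLmSsp",  "src_ip": "10.0.5.23"},
    {"host": "FS01",  "logon_type": 3, "user": "jdoe",          "auth_pkg": "Kerberos",  "logon_process": "Kerberos", "src_ip": "10.0.5.40"},
]


def detect_seclogo_logons(events):
    """Source-host signal: a logon type 9 (NewCredentials) session created through the
    'seclogo' logon process with the Negotiate package. This is what credential
    injection into a fresh logon session looks like locally. `runas /netonly` writes
    the same event, so treat hits as leads to correlate, not verdicts."""
    return [
        (e["host"], e["user"]) for e in events
        if e["logon_type"] == 9
        and e["logon_process"].lower() == "seclogo"
        and e["auth_pkg"].lower() == "negotiate"
    ]


def detect_ntlm_fanout(events, threshold=3):
    """Target-side signal: one source IP authenticating one account over NTLM
    (network logon, type 3) to at least `threshold` distinct hosts. In a Kerberos
    domain, NTLM spraying across servers is the usual footprint of a replayed hash.
    Returns {(src_ip, user): sorted hosts}."""
    targets = defaultdict(set)
    for e in events:
        if e["logon_type"] == 3 and e["auth_pkg"].upper() == "NTLM":
            targets[(e["src_ip"], e["user"].lower())].add(e["host"])
    return {key: sorted(hosts) for key, hosts in targets.items() if len(hosts) >= threshold}


if __name__ == "__main__":
    print("seclogo logons:", detect_seclogo_logons(SAMPLE_4624))
    for (src, user), hosts in detect_ntlm_fanout(SAMPLE_4624).items():
        print(f"NTLM fan-out from {src} as {user}: {', '.join(hosts)}")
```

The sample trips both rules: the `seclogo` session on WS07 and an `administrator` NTLM logon from 10.0.5.23 to four servers. The events being heuristics is exactly why the preventive controls matter more than the alerts: LSA protection and Credential Guard to keep hashes out of reach in the first place, and restricting NTLM where Kerberos suffices so the fan-out rule has little legitimate noise.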
Cracking Hashes with Hashcat
Once you have Kerberos tickets or NTLM hashes, Hashcat is the tool of choice for cracking. For Kerberoasting, the hash mode is 13100 (TGS-REP). For AS-REP, it's 18200. For NTLM, use mode 1000. Note that 13100 and 18200 are the RC4 (etype 23) variants; a domain that only issues AES tickets produces a different, and much slower-to-crack, hash format.
Example Hashcat command:
hashcat -m 13100 hash.txt wordlist.txt -r rules.rule
Chaining the Attack: From Low Privilege to Domain Admin
A typical attack chain:
- Enumerate users with Kerberoastable accounts.
- Extract and crack a service account hash.
- Use the cracked password to access a server.
- Dump LSASS memory to obtain domain admin hash.
- Use Pass-the-Hash to gain Domain Admin access.
Quiz Time
- What registry key must be set to defend against PtH on Windows?
- Which Kerberos flag indicates pre-authentication is disabled?
- Which port does Kerberos use by default?
Mastering these techniques is essential for the PenTest+ exam and real-world assessments. Practice safely in a lab environment.