After this lesson, you will be able to: Explain and demonstrate (in a lab) the common AD attacks: Pass-the-Hash, Pass-the-Ticket, Kerberoasting, AS-REP Roasting, and Golden Ticket.
This lesson covers the canonical AD attacks that turn a foothold into domain dominance, mapping each to the authentication flow from the previous lesson, all demonstrated only in a lab you control.
Pass-the-Hash abuses NTLM: with a stolen NTLM password hash, an attacker authenticates as that user without cracking the password, because the NTLM challenge-response is computed from the hash itself, so the hash is all that is needed. Pass-the-Ticket abuses Kerberos: a stolen TGT or service ticket is injected into a session to impersonate the user for the ticket's lifetime. Both let an attacker move laterally using credentials they captured (from memory with tools like Mimikatz) without ever knowing the plaintext password.
Kerberoasting: any authenticated user can request service tickets for accounts with a Service Principal Name; those tickets are encrypted with the service account's password hash, so the attacker cracks them offline. Service accounts often have weak, rarely changed passwords, making this highly effective. AS-REP Roasting targets accounts with Kerberos pre-authentication disabled: the attacker requests an AS-REP and cracks the returned material offline. Both yield credentials without touching the target account directly.
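Because both techniques leave their trace at the domain controller rather than on the target account, the defender's view of them is the KDC's Kerberos event log. The following is an added example, not part of the lesson: it runs two simple detections over constructed Security-event records, flagging an account that requests RC4 (0x17) service tickets for many distinct SPNs in a short window (Kerberoasting) and accounts whose AS-REQ carried no pre-authentication (AS-REP Roasting). Field names follow the Windows 4768/4769 event schema; the usernames, SPNs and timestamps are made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4 = "0x17"  # TicketEncryptionType for RC4-HMAC, the cipher Kerberoasting requests to get crackable tickets

# Constructed sample events (dicts standing in for parsed 4768/4769 Security log entries).
EVENTS = [
    # 4769 TGS requests: one user pulling RC4 tickets for four different SPNs within seconds
    {"id": 4769, "time": "2024-01-10T09:00:01", "user": "jdoe", "spn": "MSSQLSvc/db01:1433", "etype": "0x17"},
    {"id": 4769, "time": "2024-01-10T09:00:02", "user": "jdoe", "spn": "HTTP/web01", "etype": "0x17"},
    {"id": 4769, "time": "2024-01-10T09:00:02", "user": "jdoe", "spn": "svc_backup/fs01", "etype": "0x17"},
    {"id": 4769, "time": "2024-01-10T09:00:03", "user": "jdoe", "spn": "CIFS/fs02", "etype": "0x17"},
    # normal user: a single AES256 (0x12) ticket for one file server
    {"id": 4769, "time": "2024-01-10T09:05:00", "user": "asmith", "spn": "CIFS/fs02", "etype": "0x12"},
    # 4768 AS requests: PreAuthType "0" means the account logged on without pre-authentication
    {"id": 4768, "time": "2024-01-10T09:07:00", "user": "svc_legacy", "preauth": "0", "etype": "0x17"},
    {"id": 4768, "time": "2024-01-10T09:07:05", "user": "asmith", "preauth": "2", "etype": "0x12"},
]


def detect_kerberoast(events, window=timedelta(minutes=5), threshold=3):
    """Return {user: [spns]} for accounts that requested RC4 service tickets
    for at least `threshold` distinct SPNs inside any `window`-long interval."""
    by_user = defaultdict(list)
    for e in events:
        if e["id"] == 4769 and e["etype"] == RC4:
            by_user[e["user"]].append((datetime.fromisoformat(e["time"]), e["spn"]))
    flagged = {}
    for user, reqs in by_user.items():
        reqs.sort()  # chronological, so each request can open a sliding window
        for i, (t0, _) in enumerate(reqs):
            spns = {spn for t, spn in reqs[i:] if t - t0 <= window}
            if len(spns) >= threshold:
                flagged[user] = sorted(spns)
                break
    return flagged


def detect_asrep_roast(events):
    """Return accounts whose AS-REQ (4768) was accepted without pre-authentication;
    each one is a candidate for AS-REP Roasting and should have pre-auth re-enabled."""
    return sorted({e["user"] for e in events if e["id"] == 4768 and e["preauth"] == "0"})


if __name__ == "__main__":
    print("Kerberoast candidates:", detect_kerberoast(EVENTS))
    print("Accounts without pre-auth:", detect_asrep_roast(EVENTS))
```

Thresholds are tunable: a legitimate service burst may also request several SPNs, so in production the RC4 condition carries most of the signal once AES is enforced for service accounts.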
If an attacker steals the krbtgt account's password hash (which signs all TGTs), they can forge a Golden Ticket: a valid TGT for any user, including a fabricated Domain Admin, with an arbitrary lifetime. This is near-total, persistent domain compromise, and it is why protecting domain controllers and rotating the krbtgt key (twice) after a suspected compromise is critical. Related is the Silver Ticket (forging a service ticket using a service account's hash).
Lab AD only. Tools like Impacket, Rubeus, and Mimikatz.
1. In your lab domain, start as a low-privilege user.
2. Kerberoast: use Impacket's GetUserSPNs or Rubeus to request service tickets, then crack them with hashcat.
3. AS-REP Roast: find accounts without pre-auth (GetNPUsers) and crack the output.
4. With a cracked or dumped credential, demonstrate Pass-the-Hash/Pass-the-Ticket lateral movement.
5. Discuss (and only in a fully owned lab, demonstrate) how a stolen krbtgt hash enables a Golden Ticket. Then move to defenses next lesson.
- Running these outside an owned lab.
- Assuming strong user passwords protect you while service accounts stay weak (Kerberoasting).
- Leaving pre-authentication disabled on accounts (AS-REP Roasting).
- Not protecting domain controllers and the krbtgt account.
- Treating a single rotation of krbtgt as enough (it must be rotated twice).
- Forgetting that Pass-the-Hash needs no cracking, so a stolen hash is immediately dangerous.