Internal Network & Active Directory · intermediate · ~12 min
Describe the core AD credential attacks and the conditions each needs (authorized labs only).
Core AD credential attacks: password spraying (one password × many accounts, under lockout), Kerberoasting (crack SPN service-ticket encryption offline), AS-REP roasting (no-preauth accounts leak crackable data unauthenticated), and credential reuse / pass-the-hash (drives lateral movement). All abuse weak/exposed secrets, not crypto.
These are the attacks that actually compromise domains in practice, and they're configuration/password problems — so understanding their conditions tells you both how to find them (authorized) and how to defend (managed passwords, LAPS, monitoring).
Spraying: 1 password × many users, lockout-aware; detected via 4625 bursts.
Kerberoasting: offline crack of SPN account hashes.
AS-REP roasting: unauthenticated; needs pre-auth disabled.
Reuse/PtH: shared local-admin creds → lateral movement; LAPS defends.
Common cure: strong, unique, managed secrets + monitoring.
These are the workhorse AD attacks — almost all abuse passwords, not exploits. Authorized labs only.
Password spraying. Try one common password against many accounts (the reverse of brute force), staying under lockout thresholds. It works because some user in a large org always uses something like Spring2026!. Spraying low and slow avoids lockouts; defenders detect it as a burst of Windows event 4625 (failed logon) across many different accounts from one source.
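The 4625-burst detection described above, as an added example (not code from the original page): it parses constructed, simplified event-export lines (the format is hypothetical) and flags any source that fails logons against many distinct accounts inside a sliding window, which is the signature of a spray rather than of one user mistyping a password. It also reports a successful logon (4624) from the same source inside that window, the case where the spray landed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not captured from any real domain). Each line is a
# simplified export of one Windows Security event: timestamp, event ID,
# source IP, target account. 4625 = failed logon, 4624 = successful logon.
# 10.0.5.23 sprays one password across five accounts and then lands on frank;
# 10.0.7.44 is a user mistyping her own password; 10.0.9.8 is below threshold.
SAMPLE_LOG = """\
2026-03-02T09:00:01 4625 src=10.0.5.23 user=alice
2026-03-02T09:00:07 4625 src=10.0.5.23 user=bob
2026-03-02T09:00:13 4625 src=10.0.5.23 user=carol
2026-03-02T09:00:19 4625 src=10.0.5.23 user=dave
2026-03-02T09:00:25 4625 src=10.0.5.23 user=erin
2026-03-02T09:00:31 4624 src=10.0.5.23 user=frank
2026-03-02T09:01:02 4625 src=10.0.7.44 user=grace
2026-03-02T09:01:09 4625 src=10.0.7.44 user=grace
2026-03-02T09:01:40 4624 src=10.0.7.44 user=grace
2026-03-02T11:30:00 4625 src=10.0.9.8 user=heidi
2026-03-02T11:30:05 4625 src=10.0.9.8 user=ivan
"""


def parse_line(line):
    """Split one exported event line (hypothetical format) into a dict."""
    ts, event_id, src, user = line.split()
    return {
        "time": datetime.fromisoformat(ts),
        "event_id": int(event_id),
        "src": src.split("=", 1)[1],
        "user": user.split("=", 1)[1],
    }


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def detect_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Flag source IPs whose failed logons (4625) hit at least `min_accounts`
    distinct accounts inside any `window`-long interval.

    Returns {src: {"accounts": [...], "successes": [...]}} where "successes"
    lists accounts that logged on successfully (4624) from the same source
    inside that interval: a spray that found a working password.
    """
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        by_src[ev["src"]].append(ev)

    alerts = {}
    for src, evs in by_src.items():
        failures = [e for e in evs if e["event_id"] == 4625]
        # Slide the window start over each failure; the first interval that
        # reaches the threshold is enough to raise one alert for this source.
        for i, start in enumerate(failures):
            end = start["time"] + window
            accounts = {e["user"] for e in failures[i:] if e["time"] <= end}
            if len(accounts) >= min_accounts:
                successes = {e["user"] for e in evs
                             if e["event_id"] == 4624
                             and start["time"] <= e["time"] <= end}
                alerts[src] = {"accounts": sorted(accounts),
                               "successes": sorted(successes)}
                break
    return alerts


if __name__ == "__main__":
    for src, hit in detect_spray(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: {len(hit['accounts'])} accounts failed, "
              f"successes={hit['successes']}")
```

The rule keys on distinct accounts per source, so a single user failing repeatedly (10.0.7.44 above) never trips it; that pattern is what lockout thresholds and a per-account failure rule already cover. Tune window and min_accounts to the environment: a low-and-slow spray needs a longer window and a correspondingly higher tolerance for false positives from shared NAT addresses.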
Kerberoasting. Request service tickets (TGS) for accounts with SPNs; the ticket is encrypted with the service account's password hash, so you crack it offline (no lockout, no noise on the target). Service accounts with weak passwords fall fast. Defense: long random (25+ char) managed service-account passwords; flag SPN accounts.
AS-REP roasting. Accounts with Kerberos pre-authentication disabled return crackable material to anyone who asks, without any authentication. Defense: don't disable pre-auth; strong passwords.
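An added example (not the page's own code) of the "flag SPN accounts" and "don't disable pre-auth" checks from the two sections above, run over a constructed directory export. It reports user objects that carry an SPN together with the age of their password, since a human-set service-account password that has not rotated in years is the Kerberoasting target, and any enabled account whose userAccountControl has the DONT_REQUIRE_PREAUTH bit (0x400000) set. Group managed service accounts are skipped because their passwords are long, random and rotated automatically, which is the defense the section prescribes. The record layout and the ISO-date form of pwdLastSet are assumptions for readability.

```python
from datetime import datetime, timedelta

# userAccountControl bits (documented Windows values).
UF_ACCOUNTDISABLE = 0x0002
UF_DONT_REQUIRE_PREAUTH = 0x400000

# Constructed directory export (not a real domain). Each record holds the
# attributes a defender would pull for every user object. pwdLastSet is an
# ISO date here for readability; in LDAP it is a Windows FILETIME integer.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "svc_sql", "objectClass": "user",
     "servicePrincipalName": ["MSSQLSvc/db01.corp.example:1433"],
     "userAccountControl": 0x10200, "pwdLastSet": "2019-04-10"},
    {"sAMAccountName": "svc_web", "objectClass": "user",
     "servicePrincipalName": ["HTTP/web01.corp.example"],
     "userAccountControl": 0x10200, "pwdLastSet": "2026-01-15"},
    {"sAMAccountName": "gmsa_backup$",
     "objectClass": "msDS-GroupManagedServiceAccount",
     "servicePrincipalName": ["HOST/backup01.corp.example"],
     "userAccountControl": 0x1000, "pwdLastSet": "2026-02-20"},
    {"sAMAccountName": "legacy_app", "objectClass": "user",
     "servicePrincipalName": [],
     "userAccountControl": 0x400200, "pwdLastSet": "2024-06-01"},
    {"sAMAccountName": "svc_old", "objectClass": "user",
     "servicePrincipalName": ["HOST/retired01.corp.example"],
     "userAccountControl": 0x10202, "pwdLastSet": "2018-01-01"},
    {"sAMAccountName": "jdoe", "objectClass": "user",
     "servicePrincipalName": [],
     "userAccountControl": 0x10200, "pwdLastSet": "2026-02-01"},
]


def audit_accounts(accounts, now, max_password_age=timedelta(days=365)):
    """Return findings for enabled accounts exposed to the two attacks:
    'kerberoastable' (a user object with an SPN, whose password strength and
    rotation are in human hands) and 'asrep-roastable' (pre-auth disabled).
    """
    findings = []
    for acct in accounts:
        uac = acct["userAccountControl"]
        if uac & UF_ACCOUNTDISABLE:
            continue  # disabled objects are out of scope for this pass
        name = acct["sAMAccountName"]
        if acct["servicePrincipalName"] and acct["objectClass"] == "user":
            # A gMSA also carries SPNs, but the DC rotates its long random
            # password automatically, which is the recommended fix; skip it.
            age = now - datetime.fromisoformat(acct["pwdLastSet"])
            findings.append({"account": name, "issue": "kerberoastable",
                             "password_age_days": age.days,
                             "stale": age > max_password_age})
        if uac & UF_DONT_REQUIRE_PREAUTH:
            findings.append({"account": name, "issue": "asrep-roastable"})
    return findings


if __name__ == "__main__":
    for f in audit_accounts(SAMPLE_ACCOUNTS, now=datetime(2026, 3, 2)):
        print(f)
```

The "stale" flag is the triage key: an SPN account with a recently rotated long password is an accepted risk, an SPN account whose password dates from 2019 is the first thing to move to a managed account or at least to a new 25+ character secret. Every asrep-roastable finding should end with pre-auth re-enabled, not just a stronger password.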
Credential reuse / pass-the-hash. A local admin password reused across machines (or a recovered NTLM hash) lets you authenticate to many hosts; this is the engine of lateral movement. Defense: LAPS (unique local admin passwords), tiered admin, Protected Users.
Each attack converts "a weak or exposed secret somewhere in the domain" into access. Strong, unique, managed passwords + monitoring blunt the whole class.
Spraying, Kerberoasting, AS-REP roasting, and credential reuse are the bread-and-butter AD attacks — each turning a weak or exposed password into access. Managed unique passwords (LAPS, long SA passwords), pre-auth, and monitoring defend the whole class.