Series
Attacking Active Directory
5 posts in this series. Read them in order or jump to any one.
- AS-REP Roasting: cracking accounts that skipped Kerberos preauth
  How AS-REP roasting lets an unauthenticated attacker pull a crackable krb5asrep hash from accounts with preauth disabled, and how defenders catch it.
- Pass-the-Hash: authenticating with an NTLM hash you never cracked
  Why an NTLM hash is password-equivalent, how pass-the-hash works with Impacket, NetExec and Mimikatz, and the controls that actually stop lateral movement.
- Dumping NTDS.dit and cracking every password in the domain
  How domain hashes get extracted from NTDS.dit with secretsdump, how to feed the NT hashes to hashcat, map them back to users, and detect a DCSync.
- Capturing NetNTLMv2 with Responder and cracking it offline
  Poison LLMNR and NBT-NS with Responder to capture a NetNTLMv2 challenge response, crack it with hashcat mode 5600, and know when to relay instead.
- Cracking cached domain credentials (DCC2 / MS-Cache v2)
  Extract DCC2 hashes from a domain-joined host with secretsdump, crack them with hashcat mode 2100, and understand why MS-Cache v2 is slow by design.