Active Directory
⏱ ~3-min readAceMark GuideWhat this topic is really about
SSH port forwarding (local/remote/dynamic) and tools like chisel tunnel traffic through a foothold to reach internal hosts not directly routable from the attacker. Port scanning discovers services, hash cracking recovers passwords, and banner grabbing reads service banners.
AS-REP roasting targets accounts with "Do not require Kerberos pre-authentication" set — the KDC returns an AS-REP encrypted with the user hash, crackable offline. Kerberoasting needs an SPN, pass-the-hash uses NTLM, golden ticket forges a TGT with the KRBTGT hash.
See the mechanism
Any authenticated domain user can request a TGS for any service principal name (SPN). A diagram for this topic isn't available yet — the worked example below walks the same reasoning step by step.
An exam-style question, fully explained
A Kerberoasting attack requires which of the following?
- Identify what the question tests: A Kerberoasting attack requires which of the following.
- Any authenticated domain user can request a TGS for any service principal name (SPN).
- The returned ticket is encrypted with the service account NTLM hash and can be cracked offline.
- Domain admin, DC access, or local admin are not required.
Traps the examiner sets
- AS-REP roasting targets accounts with "Do not require Kerberos pre-authentication" set — the KDC returns an AS-REP encrypted with the user hash, crackable offline.
Test your recall
Answer each from memory — you'll see instantly whether you're right and why.
Run a focused 10-question mini-mock on Active Directory and see it stick.
Practice more of this topic →