Pre-Authentication Attacks (No Credentials)

This phase covers everything I can do before I have a single valid domain credential.

At this point, I assume:

  • I only have network access
  • I don’t trust DNS, time, or name resolution
  • I want to learn as much as possible without burning accounts

Most of these attacks either:

  • give me my first credential
  • confirm valid users
  • or prepare the ground for relay and escalation later

Mindset for Pre-Auth

Before touching tools, I always ask:

  • Can I learn usernames without authentication?
  • Is name resolution trusted?
  • Is Kerberos configured correctly?
  • Can I force authentication from something I don’t control?
  • Can I relay whatever I capture into something useful?

Noise matters here. Lockouts and alerts happen early if I’m careless.


Name Resolution Poisoning

Active Directory environments still commonly rely on legacy name resolution.

If LLMNR, NBT-NS, or mDNS are enabled:

  • I can poison name resolution
  • force systems to authenticate to me
  • and capture or relay credentials

What I’m Looking For

  • NTLM authentication over SMB or HTTP
  • Service accounts authenticating automatically
  • Machine accounts talking without user interaction

Why This Matters

  • One poisoned authentication can become:
    • an NTLM hash
    • a relay to LDAP / SMB / AD CS
    • a foothold without cracking anything

IPv6 Abuse (mitm6 / DHCPv6)

IPv6 is often enabled but unmanaged.

If that’s the case:

  • I can become the DNS server
  • intercept authentication
  • and relay credentials at scale

Key Observations

  • This is extremely powerful in flat networks
  • Often works even when SMB signing is enabled
  • Pairs very well with LDAP and AD CS relay

Kerberos User Enumeration

Before attacking passwords, I want valid usernames.

Kerberos leaks this information if configured normally.

What I Learn

  • Which usernames exist
  • Which accounts are disabled
  • Which ones have pre-auth disabled

Why I Do This First

  • Prevents blind spraying
  • Reduces noise
  • Makes later attacks precise

Password Spraying (Pre-Auth)

This is not brute force.

I spray:

  • one password
  • against many users
  • slowly and intentionally

Rules I Follow

  • Respect lockout policy
  • Spray once per password
  • Wait between attempts
  • Prioritize common passwords and seasonal patterns

When It’s Worth Doing

  • Large user base
  • Weak password hygiene
  • External-facing environments

AS-REP Roasting (No Pre-Auth Accounts)

If an account has:

  • Do not require Kerberos preauthentication enabled

I can request authentication material without knowing the password.

Why This Is Valuable

  • Completely offline cracking
  • No authentication failures
  • Often misconfigured service or legacy accounts

What I Look For

  • Old users
  • Service accounts
  • Lab or migration leftovers

NTLM Relay (Pre-Auth Context)

Relay attacks often start here, even if execution happens later.

Possible Relay Targets

  • SMB (if signing is disabled)
  • LDAP / LDAPS
  • AD CS enrollment endpoints

Why I Care Early

  • Relay paths influence everything I do later
  • Determines whether poisoning is worth continuing
  • Helps me plan privilege escalation paths early

Decision Points After Pre-Auth

At the end of this phase, I want at least one of the following:

  • A valid domain username list
  • One cracked password
  • One reusable NTLM authentication
  • A confirmed relay path
  • Evidence of AD CS misconfiguration

If I have none of these, I reassess:

  • spraying strategy
  • poisoning viability
  • environmental constraints

Common Mistakes to Avoid

  • Spraying too fast
  • Ignoring lockout policy
  • Poisoning everything and burning credentials
  • Jumping to tools before understanding the environment
  • Treating pre-auth as “just AS-REP”

Notes to Self

  • Pre-auth is about positioning, not winning
  • Every credential burned here limits future options
  • Quiet enumeration pays off later
  • If pre-auth is locked down, the environment is usually hardened elsewhere too

Next section: Authenticated Enumeration


Comments