This room focuses on what changes once you have a valid AD account. It covers authenticated enumeration with built-in Windows tools, PowerShell AD modules, PowerView, BloodHound, and a practical AS-REP Roasting workflow for accounts that do not require Kerberos preauthentication.
Core idea: the jump from unauthenticated to authenticated AD access is significant. Even low-privileged credentials can expose users, groups, privileges, password policy, and attack paths that were invisible before.
This room builds directly on unauthenticated recon. Once you can log in, you can query the domain much more effectively and with more precision.
AS-REP Roasting targets user accounts that have Kerberos preauthentication disabled.
When UF_DONT_REQUIRE_PREAUTH is set on an account, the KDC answers an AS-REQ for that user without first verifying that the requester knows the password, and part of the returned AS-REP is encrypted with a key derived from the user's password. That encrypted part is what gets cracked offline. Difference from Kerberoasting: Kerberoasting requests service tickets for accounts that have an SPN and cracks the service account's key; AS-REP Roasting targets user accounts with preauthentication disabled and needs nothing beyond the initial AS-REQ.
The room presents two common approaches:
Using Impacket's GetNPUsers.py, you can provide a list of usernames (-usersfile) together with -no-pass and request AS-REP material for any account that turns out to be vulnerable, without supplying a password. With a valid domain credential the same tool can instead enumerate the preauth-disabled accounts over LDAP and request material for each of them (-request), which is the authenticated variant this room is about.
Once the AS-REP material is collected, the next step is offline cracking.
Hashcat mode 18200 (Kerberos 5 AS-REP, etype 23 / RC4-HMAC, the encryption type GetNPUsers.py asks for) is used for AS-REP hashes: hashcat -m 18200 hashes.txt wordlist.txt. This is a low-noise attack because the expensive password guessing happens offline after the material is collected. The only on-wire activity is one AS-REQ per account, which a domain controller still records as event 4768 with Pre-Authentication Type 0 and an RC4 ticket encryption type, so the attack is quiet rather than invisible.
The room also emphasizes living-off-the-land enumeration from a shell on a Windows host.
whoami confirms user and domain context. whoami /all reveals SIDs, group memberships, and privileges. hostname, systeminfo, and set expose host, OS, and domain context. Important privileges: the room specifically calls out SeImpersonatePrivilege and SeAssignPrimaryTokenPrivilege (token impersonation to SYSTEM, the Potato family of techniques), SeBackupPrivilege and SeRestorePrivilege (read or overwrite any file regardless of its ACL, including registry hives and NTDS.dit), and SeDebugPrivilege (open any process, including LSASS) as especially valuable. A privilege shown as Disabled is still held by the token and can be enabled; only its absence rules it out.
Classic CMD tooling still gives a lot of value in AD environments.
net user /domain lists domain users. net user username /domain gives account details and direct group memberships (nested membership is not expanded). net group /domain lists domain groups. net group "Group Name" /domain lists group membership. net accounts /domain reveals the domain password policy, including the lockout threshold that decides whether guessing against live accounts is safe. This is one of the cleanest ways to perform fast authenticated enumeration without introducing extra tooling.
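The two outputs worth reading most carefully at this stage are the privilege table from whoami and the policy from net accounts /domain. The following added example (not from the room) triages both; the sample text is constructed to match the real column layout of whoami /priv and net accounts /domain rather than captured from a host, and the privilege list is the one the room calls out.

```python
# Added example: triage of living-off-the-land output. Samples are constructed.
import re

# The privileges the room singles out, with why each matters.
DANGEROUS_PRIVS = {
    "SeImpersonatePrivilege": "token impersonation to SYSTEM (Potato family)",
    "SeAssignPrimaryTokenPrivilege": "assign a primary token; same family as SeImpersonate",
    "SeBackupPrivilege": "read any file, including SAM/SYSTEM hives and NTDS.dit",
    "SeRestorePrivilege": "write any file, e.g. replace a service binary",
    "SeDebugPrivilege": "open any process, including LSASS",
}

WHOAMI_PRIV_SAMPLE = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeBackupPrivilege             Back up files and directories             Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

NET_ACCOUNTS_SAMPLE = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          1
Maximum password age (days):                          42
Minimum password length:                              7
Length of password history maintained:                24
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        PRIMARY
The command completed successfully.
"""


def parse_privileges(text):
    """Map privilege name -> state from whoami /priv (or the /all section)."""
    privs = {}
    for line in text.splitlines():
        m = re.match(r"^(Se\w+Privilege)\s+.*\s+(Enabled|Disabled)\s*$", line)
        if m:
            privs[m.group(1)] = m.group(2)
    return privs


def dangerous_privileges(text):
    """[(name, state, why)] for held privileges worth escalating with.
    'Disabled' only means not active in the current token; it is still held
    and can be enabled, so such entries are reported too."""
    privs = parse_privileges(text)
    return [(n, s, DANGEROUS_PRIVS[n]) for n, s in privs.items() if n in DANGEROUS_PRIVS]


def parse_net_accounts(text):
    """Map setting -> value from net accounts /domain output."""
    policy = {}
    for line in text.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            policy[key.strip()] = value.strip()
    return policy


def lockout_threshold(policy):
    """Failed attempts before lockout; None when the policy reports 'Never'."""
    value = policy.get("Lockout threshold", "Never")
    return None if value == "Never" else int(value)


if __name__ == "__main__":
    for name, state, why in dangerous_privileges(WHOAMI_PRIV_SAMPLE):
        print(f"{name:32} {state:9} {why}")
    print("lockout threshold:", lockout_threshold(parse_net_accounts(NET_ACCOUNTS_SAMPLE)))
```

A threshold of None (printed as Never by net accounts) means the domain does not lock accounts at all; any other value is the hard ceiling on attempts per account within the observation window.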
The room also frames PowerShell-based enumeration as a major step up in flexibility.
These approaches are stronger for bulk collection, filtering, and targeted hunting than the simpler net commands.
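One concrete case of that filtering is finding the AS-REP roastable accounts from the authenticated side: the AD module's Get-ADUser -Filter 'DoesNotRequirePreAuth -eq $true' and PowerView's Get-DomainUser -PreauthNotRequired both reduce to an LDAP bitwise test on userAccountControl. The added example below (not code from the room, the AD module or PowerView) builds that filter and applies the same bit test to constructed directory rows. It also excludes disabled accounts, because the KDC refuses an AS-REQ for a disabled account (KDC_ERR_CLIENT_REVOKED), so those produce nothing to crack.

```python
# Added example: the userAccountControl bit test behind "preauth not required"
# queries, plus a decoder for the attribute. Directory rows are constructed.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x400000: "DONT_REQ_PREAUTH",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}
DONT_REQ_PREAUTH = 0x400000
ACCOUNTDISABLE = 0x0002
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"  # Microsoft bitwise-AND rule OID


def decode_uac(value):
    """Names of the flags set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def preauth_disabled_filter(include_disabled=False):
    """LDAP filter equivalent to what the PowerShell cmdlets send to the DC."""
    clauses = ("(objectCategory=person)(objectClass=user)"
               f"(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={DONT_REQ_PREAUTH})")
    if not include_disabled:
        clauses += f"(!(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={ACCOUNTDISABLE}))"
    return f"(&{clauses})"


def roastable_accounts(records, include_disabled=False):
    """Apply the same bit test locally to (sAMAccountName, userAccountControl) rows."""
    hits = []
    for sam, uac in records:
        if uac & DONT_REQ_PREAUTH and (include_disabled or not uac & ACCOUNTDISABLE):
            hits.append(sam)
    return hits


# Constructed rows, as they might come back from a bulk user query.
SAMPLE_RECORDS = [
    ("alice", 0x200),
    ("svc_legacy", 0x200 | 0x10000 | 0x400000),
    ("old_vendor", 0x200 | 0x400000 | 0x2),
    ("svc_web", 0x200 | 0x80000),
]

if __name__ == "__main__":
    print(preauth_disabled_filter())
    for sam, uac in SAMPLE_RECORDS:
        print(f"{sam:12} {uac:#010x} {', '.join(decode_uac(uac))}")
    print("roastable:", roastable_accounts(SAMPLE_RECORDS))
```

The decoder is useful beyond this one hunt: the same attribute carries the delegation flags that BloodHound and PowerView surface, and reading the raw value avoids depending on whichever tool happens to be available on the host.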
BloodHound remains one of the most useful authenticated AD tools because it maps relationships rather than just listing objects.
This room is about using a legitimate foothold to transition from “we have a user” to “we understand the domain.”
GetNPUsers.py and Hashcat mode 18200 are the key tools to remember for that workflow. whoami /all is one of the fastest ways to assess privilege-bearing group memberships and dangerous token privileges. net user, net group, and net accounts /domain remain useful low-friction AD enumeration commands.