| ID | Name | Description | Likelihood of Attack |
|---|---|---|---|
| 16 | Dictionary-based Password Attack | [Determine application's/system's password policy] Determine the password policies of the target application/system. [Select dictionaries] Pick the dictionaries to be used in the attack (e.g. different languages, specific terminology, etc.). [Determine username(s) to target] Determine the username(s) whose passwords to crack. [Use dictionary to crack passwords] Use a password cracking tool that feeds passwords from the dictionary to the system and checks whether they work. | High |
| 49 | Password Brute Forcing | An adversary tries every possible value for a password until they succeed. A brute force attack, if computationally feasible, will always succeed eventually, because it works through every possible password given the alphabet used (lower-case letters, upper-case letters, numbers, symbols, etc.) and the maximum password length. [Determine application's/system's password policy] Determine the password policies of the target application/system. [Brute force password] Given the finite space of possible passwords dictated by the password policy determined in the previous step, try all possible passwords for a known user ID until the application/system grants access. | High |
| 509 | Kerberoasting | By exploiting how service accounts use Kerberos authentication with Service Principal Names (SPNs), the adversary obtains and then cracks the hashed credentials of a target service account in order to exploit its privileges. The Kerberos authentication protocol centers around a ticketing system which is used to request/grant access to services and then to access the requested services. As an authenticated user, the adversary can request a service ticket from Active Directory and receive one with portions encrypted via RC4 under the key of the account the service runs as. By extracting the local ticket and saving it to disk, the adversary can brute force the hashed value to reveal the target account's credentials. Steps: [Scan for user accounts with set SPN values] [Request service tickets] [Extract ticket and save to disk] [Crack the encrypted ticket to harvest plaintext credentials]. | High |
| 55 | Rainbow Table Password Cracking | An attacker gets access to the database table where hashes of passwords are stored. They then use a rainbow table of pre-computed hash chains to attempt to look up the original password. Once the original password corresponding to the hash is obtained, the attacker uses it to gain access to the system. [Determine application's/system's password policy] Determine the password policies of the target application/system. [Obtain password hashes] An attacker gets access to the database table storing password hashes, or potentially just discovers the hash of an individual password. [Run rainbow table-based password cracking tool] An attacker finds or writes a password cracking tool that uses a previously computed rainbow table for the right hashing algorithm. It helps if the attacker knows which hashing algorithm was used by the password system. | Medium |
| 555 | Remote Services with Stolen Credentials | This pattern of attack involves an adversary who uses stolen credentials to leverage remote services such as RDP, telnet, SSH, and VNC to log into a system. Once access is gained, any number of malicious activities could be performed. | Very High |
| 560 | Use of Known Domain Credentials | [Acquire known credentials] The adversary must obtain known credentials in order to access the target system, application, or service. [Determine target's password policy] Determine the password policies of the target system/application to determine whether the known credentials fit within the specified criteria. [Attempt authentication] Try each credential until the target grants access. [Impersonate] An adversary can use successful experiments or authentications to impersonate an authorized user or system, or to move laterally within a system or application. [Spoofing] Malicious data can be injected into the target system or into a victim user's system by an adversary. The adversary can also pose as a legitimate user to perform social engineering attacks. [Data Exfiltration] The adversary can obtain sensitive data contained within the system or application. | High |
| 561 | Windows Admin Shares with Stolen Credentials | An adversary guesses or obtains (i.e. steals or purchases) legitimate Windows administrator credentials (e.g. userID/password) to access Windows Admin Shares on a local machine or within a Windows domain. [Acquire known Windows administrator credentials] The adversary must obtain known Windows administrator credentials in order to access the administrative network shares. [Attempt domain authentication] Try each Windows administrator credential against the hidden network shares until the target grants access. [Malware Execution] An adversary can remotely execute malware within the administrative network shares to infect other systems within the domain. [Data Exfiltration] The adversary can remotely obtain sensitive data contained within the administrative network shares. | |
| 565 | Password Spraying | [Determine target's password policy] Determine the password policies of the target system/application. [Select passwords] Pick the passwords to be used in the attack (e.g. commonly used passwords, passwords tailored to individual users, etc.). [Brute force password] Given the finite space of possible passwords dictated by the information determined in the previous steps, try each password against all known user accounts until the target grants access. | High |
| 600 | Credential Stuffing | [Acquire known credentials] The adversary must obtain known credentials in order to access the target system, application, or service. [Determine target's password policy] Determine the password policies of the target system/application to determine whether the known credentials fit within the specified criteria. [Attempt authentication] Try each username/password combination until the target grants access. [Impersonate] An adversary can use successful experiments or authentications to impersonate an authorized user or system, or to move laterally within a system or application. [Spoofing] Malicious data can be injected into the target system or into a victim user's system by an adversary. The adversary can also pose as a legitimate user to perform social engineering attacks. [Data Exfiltration] The adversary can obtain sensitive data contained within the system or application. | High |
| 644 | Use of Captured Hashes (Pass The Hash) | An adversary obtains (i.e. steals or purchases) legitimate Windows domain credential hash values to access systems within the domain that use the LAN Manager (LM) and/or NT LAN Manager (NTLM) authentication protocols. [Acquire known Windows credential hash value pairs] The adversary must obtain known Windows credential hash value pairs of accounts that exist on the domain. [Attempt domain authentication] Try each Windows credential hash value pair until the target grants access. [Impersonate] An adversary can use successful experiments or authentications to impersonate an authorized user or system, or to move laterally within the domain. [Spoofing] Malicious data can be injected into the target system or into other systems on the domain. The adversary can also pose as a legitimate domain user to perform social engineering attacks. [Data Exfiltration] The adversary can obtain sensitive data contained within domain systems or applications. | High |
| 645 | Use of Captured Tickets (Pass The Ticket) | An adversary uses stolen Kerberos tickets to access systems/resources that rely on the Kerberos authentication protocol. The Kerberos authentication protocol centers around a ticketing system which is used to request/grant access to services and then to access the requested services. An adversary can obtain any one of these tickets (e.g. Service Ticket, Ticket Granting Ticket, Silver Ticket, or Golden Ticket) to authenticate to a system/resource without needing the account's credentials. Depending on the ticket obtained, the adversary may be able to access a particular resource or to generate TGTs for any account within an Active Directory domain. | High |
| 652 | Use of Known Kerberos Credentials | An adversary obtains (i.e. steals or purchases) legitimate Kerberos credentials (e.g. a Kerberos service account userID/password or Kerberos tickets) with the goal of achieving authenticated access to additional systems, applications, or services within the domain. [Acquire known Kerberos credentials] The adversary must obtain known Kerberos credentials in order to access the target system, application, or service within the domain. [Attempt Kerberos authentication] Try each Kerberos credential against various resources within the domain until the target grants access. [Impersonate] An adversary can use successful experiments or authentications to impersonate an authorized user or system, or to move laterally within the domain. [Spoofing] Malicious data can be injected into the target system or into other systems on the domain. The adversary can also pose as a legitimate domain user to perform social engineering attacks. [Data Exfiltration] The adversary can obtain sensitive data contained within domain systems or applications. | High |
| 653 | Use of Known Operating System Credentials | An adversary guesses or obtains (i.e. steals or purchases) legitimate operating system credentials (e.g. userID/password) to achieve authentication and to perform authorized actions on the system under the guise of an authenticated user or service. This applies to any operating system. [Acquire known operating system credentials] The adversary must obtain known operating system credentials in order to access the target system, application, or service within the domain. [Attempt authentication] Try each operating system credential against various systems, applications, and services within the domain until the target grants access. [Impersonate] An adversary can use successful experiments or authentications to impersonate an authorized user or system, or to move laterally within the network. [Spoofing] Malicious data can be injected into the target system or into other systems on the network. The adversary can also pose as a legitimate user to perform social engineering attacks. [Data Exfiltration] The adversary can obtain sensitive data contained within system files or application configuration. | High |
| 70 | Try Common or Default Usernames and Passwords | An adversary may try certain common or default usernames and passwords to gain access to the system and perform unauthorized actions. An adversary may try an intelligent brute force using empty passwords, known vendor default credentials, and a dictionary of common usernames and passwords. Many vendor products come preconfigured with default (and thus well-known) usernames and passwords that should be deleted prior to use in a production environment. It is a common mistake to forget to remove these default login credentials. Another problem is that users often pick very simple (common) passwords (e.g. "secret" or "password"), which makes it easier for the attacker to gain access to the system than a brute force attack, or even a dictionary attack using a full dictionary, would. | High |