zach@harborsedge-consulting.com
Zach is the founder of Harbor's Edge Consulting LLC, where he focuses on offensive security consulting and helping organizations strengthen their overall security posture. With over seven years of experience in the security world, he has worked across red teaming, penetration testing, and advisory roles to help organizations better understand and defend against modern threats. Zach is passionate about bridging the gap between offensive techniques and defensive strategies, and he enjoys sharing practical insights with the broader security community.
Session
From LM hashes and rainbow tables to GPU rigs and Kerberoasting, the art of cracking Active Directory (AD) passwords has changed dramatically over the past two decades. What once took hours on a desktop can now be achieved in seconds with cloud GPUs and smarter wordlists. At the same time, attackers have shifted tactics—favoring low-and-slow spraying, ticket roasting, and credential theft over brute force.
This talk traces the history of AD password cracking, exploring the techniques that defined each era and how defenses evolved in response. We’ll walk through legacy weaknesses, modern attacks like AS-REP roasting, and the growing role of hybrid AD/cloud identity. Along the way, you’ll see demos of cracking in action and gain a deeper appreciation of why old best practices (like complexity rules) don’t hold up today.
Most importantly, we’ll cover practical steps defenders can take right now: from smarter password policies and banned password lists to detection strategies and long-term mitigations like MFA and passwordless authentication.
Whether you’re red team, blue team, or somewhere in between, you’ll walk away with a clear understanding of how AD password cracking works, how it’s evolved, and what you can do to stay ahead of the curve.