Listen to this Post

Introduction:
Active Directory (AD) is the cornerstone of authentication and authorization in most corporate Windows environments, making it a prime target for attackers. This article deconstructs a full red team engagement against the “Game of Active Directory” (GOAD) lab, demonstrating the practical attack chains that lead from initial foothold to total forest compromise, all for a minimal cloud cost.
Learning Objectives:
- Understand the key attack vectors within Active Directory, including ACL abuse and Kerberos exploitation.
- Learn the specific commands and tools used for reconnaissance, privilege escalation, and persistence.
- Develop mitigation strategies to defend against the demonstrated post-exploitation techniques.
You Should Know:
1. Initial Reconnaissance and Enumeration
Before launching attacks, understanding the AD landscape is crucial. This involves enumerating users, computers, groups, and trusts.
Command (PowerShell – Using PowerView):
Get-NetDomainController Get-NetUser | select cn, samaccountname, memberof Get-NetComputer | select cn, operatingsystem Get-NetGroup -GroupName "Domain Admins" Get-NetLocalGroup -ComputerName <TARGET_COMPUTER> -GroupName "Administrators"
Step-by-step guide:
This series of PowerView cmdlets provides a foundational understanding of the domain. `Get-NetDomainController` identifies the domain controllers. `Get-NetUser` and `Get-NetComputer` list all users and machines, respectively, which are potential targets. `Get-NetGroup` is used to identify high-value groups like “Domain Admins,” and `Get-NetLocalGroup` enumerates local administrators on a specific machine, revealing lateral movement paths.
2. Abusing Weak ACLs with ForceChangePassword
Access Control Lists (ACLs) define permissions on AD objects. A common misconfiguration is granting a low-privileged user the right to change another user’s password.
Command (PowerShell – Using PowerView):
Set-DomainUserPassword -Identity 'TargetUser' -Verbose
Step-by-step guide:
After using `Get-ObjectAcl` to discover that your current user has the `ForceChangePassword` right on TargetUser, you can use the `Set-DomainUserPassword` cmdlet. This resets the target’s password without knowing the current one. You can then use the new password with `runas /user:TargetUser` or `psexec` to assume that user’s identity and privileges.
3. Kerberoasting: Cracking Service Account Passwords
Kerberoasting attacks target service accounts, which use Kerberos tickets for authentication. Weak passwords on these accounts can be cracked offline.
Command (From a Linux Attack Box):
python3 /usr/share/doc/python3-impacket/examples/GetUserSPNs.py -dc-ip <DC_IP> 'DOMAIN/USER:Password' -request hashcat -m 13100 -a 0 kerberoast_hashes.txt /usr/share/wordlists/rockyou.txt
Step-by-step guide:
The `GetUserSPNs.py` script from the Impacket suite requests Service Principal Names (SPNs), which returns Ticket-Granting Service (TGS) tickets for service accounts. These tickets are encrypted with the service account’s password hash. The `-request` flag outputs these hashes. These hashes are then fed into `hashcat` using mode `13100` (Kerberos 5 TGS-REP etype 23) to be cracked against a wordlist like rockyou.txt.
4. Shadow Credentials Attack
This modern technique adds a “shadow” credential (a certificate) to a target AD object, allowing you to authenticate as that principal using the certificate.
Command (Linux – Using PKINITtools and Whisker):
On Linux python3 addshadowcredential.py -dc-ip <DC_IP> 'DOMAIN/USER:Password' -target 'TARGET_USER' On Windows after obtaining a certificate Whisker.exe add /target:TARGET_USER$ Rubeus.exe asktgt /user:TARGET_USER$ /certificate:MY_CERTIFICATE /password:MY_PASSWORD /ptt
Step-by-step guide:
First, use a tool like `addshadowcredential.py` to add a Key Credential (a certificate) to the `msDS-KeyCredentialLink` attribute of the target computer or user account. Then, on a Windows machine, use `Whisker` to perform the same action or `Rubeus` to request a Ticket-Granting Ticket (TGT) using that newly assigned certificate. The `/ptt` flag injects the ticket into the current session, granting you the target’s privileges.
5. DCSync Attack for Total Domain Compromise
The DCSync attack impersonates a domain controller to synchronize replication data, which includes the entire NTDS.dit database (password hashes for all users).
Command (PowerShell – Using Mimikatz):
mimikatz lsadump::dcsync /domain:lab.local /user:Administrator mimikatz lsadump::dcsync /domain:lab.local /all /csv
Step-by-step guide:
To perform a DCSync attack, your user account needs specific replication rights (like Replicating Directory Changes), which are often granted to Domain Admins and other highly privileged accounts. By using Mimikatz’s `lsadump::dcsync` module, you can target a specific user like `Administrator` to retrieve their NTLM hash, or use `/all` to dump every account in the domain. These hashes can then be used for Pass-the-Hash attacks or cracked.
6. Lateral Movement with PsExec
Once you have administrative credentials, moving between systems is key. PsExec is a lightweight telnet-replacement that lets you execute processes on other systems.
Command (From a Linux Attack Box – Using Impacket’s psexec.py):
python3 /usr/share/doc/python3-impacket/examples/psexec.py 'DOMAIN/ADMIN_USER:Password@TARGET_IP'
Step-by-step guide:
This Impacket script authenticates to the target Windows machine using the provided administrator credentials. Upon successful authentication, it creates a Windows service to launch a remote command prompt (cmd.exe) or PowerShell, giving you an interactive shell on the remote system. It’s a classic method for lateral movement once local administrator credentials are known.
7. AV Evasion and Persistence
Ensuring your access survives reboots and evades detection is the final step in a professional engagement.
Command (PowerShell – Creating a Scheduled Task for Persistence):
$Action = New-ScheduledTaskAction -Execute "cmd.exe" -Argument "/c C:\Tools\my_beacon.exe" $Trigger = New-ScheduledTaskTrigger -AtStartup Register-ScheduledTask -TaskName "WindowsUpdateService" -Action $Action -Trigger $Trigger -User "SYSTEM"
Step-by-step guide:
This PowerShell script creates a new scheduled task that runs a payload (my_beacon.exe) at system startup under the highly privileged `SYSTEM` context. By naming it something benign like “WindowsUpdateService,” it helps avoid suspicion. This provides a persistent backdoor that will re-establish connection every time the compromised server is rebooted.
What Undercode Say:
- The Attack Surface is Vast and Often Poorly Defended. This engagement highlights that a single misconfiguration, like an overly permissive ACL, can be the initial thread that, when pulled, unravels the entire domain. Defense requires a granular, least-privilege approach across the entire AD structure.
- The Cost of Attack is Falling Dramatically. The fact that a full forest compromise can be practiced and demonstrated for under $30 is a stark warning to the industry. It lowers the barrier to entry for attackers and means blue teams must be prepared for highly sophisticated attacks that are cheap to run. The lab’s reproducibility makes it an invaluable, but also dangerous, resource.
Prediction:
The techniques demonstrated in the GOAD lab represent the current standard for AD attacks. In the future, we predict a rise in fully automated attack chains driven by AI, where a single initial access point can be exploited to achieve full domain compromise with minimal human interaction. Furthermore, as cloud-based AD identities (Azure AD/Entra ID) become more integrated with on-premise AD, we will see these classic attack methodologies adapted and weaponized against hybrid identity environments, expanding the attack surface beyond the corporate firewall.
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Charlie Wilson – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


