
Active Directory - Summary

A condensed reference covering the AD attack methodology documented in this directory, from external recon through credential abuse.

1. External Recon & Enumeration

Gather publicly accessible information before touching the target network. Use OSINT tools (Google dorking, LinkedIn, GitHub, DNS records, Shodan, Wayback Machine, credential leak databases) to map the organization’s external footprint, identify employees, find leaked credentials, and validate scope.

2. Initial Domain Enumeration

Once on the internal network, enumerate without credentials using passive and active techniques:

  • Passive: Wireshark/tcpdump for ARP, mDNS, LLMNR traffic; identify hosts and naming conventions
  • Active: Responder in analyze mode, fping sweeps, Nmap scans for common AD ports (DNS 53, Kerberos 88, LDAP 389/636, SMB 445, RDP 3389, WinRM 5985/5986)
  • Key tools: Kerbrute for user enumeration via Kerberos pre-auth, enum4linux for SMB/RPC enumeration

3. LLMNR/NBT-NS Poisoning

Exploit fallback name resolution protocols to capture NTLMv1/v2 hashes. Run Responder or Inveigh to spoof responses when DNS fails. Captured hashes can be cracked offline with Hashcat (mode 5600 for NTLMv2) or relayed with ntlmrelayx.py.

4. Password Policy Enumeration

Retrieve the domain password policy before spraying to avoid lockouts. Methods include CrackMapExec (--pass-pol), rpcclient, ldapsearch, enum4linux, and the AD PowerShell module (Get-ADDefaultDomainPasswordPolicy). Key fields: lockout threshold, observation window, min password length, complexity requirements.

5. Password Spraying

Try one common password across many accounts, respecting lockout thresholds. Build target user lists via SMB NULL sessions, LDAP anonymous binds, Kerbrute, or credentialed queries. Use seasonal/company-specific password patterns. Tools: Kerbrute, CrackMapExec, rpcclient, DomainPasswordSpray.ps1.

6. Enumerating Security Controls

After gaining a foothold, assess defensive posture: Windows Defender status, AppLocker rules, PowerShell language mode (Constrained Language Mode), LAPS deployment, and EDR/AV products. This informs tool selection and evasion strategy.

7. Credentialed Enumeration

From Linux

CrackMapExec, BloodHound (via bloodhound-python), rpcclient, ldapsearch, Windapsearch, Impacket tools (GetUserSPNs.py, psexec.py).

From Windows

ActiveDirectory PowerShell module, PowerView/SharpView, BloodHound/SharpHound, Snaffler (file share mining). Focus on group memberships, ACLs, GPOs, trusts, SPN accounts, and sensitive data in shares.

8. Living Off the Land

Enumerate AD using only native Windows tools when offensive tools can’t be loaded: net, dsquery, nltest, setspn, the PowerShell AD module, WMI, and environment variables. This generates fewer logs than importing external tools.

9. Kerberoasting

Request TGS tickets for SPN accounts and crack them offline. Any domain user can request a ticket for any SPN in the domain. Service accounts are often privileged (Domain Admins, local admins on multiple servers) and may have weak or reused passwords.

From Linux

Impacket’s GetUserSPNs.py handles the full workflow: enumerate SPNs, request TGS tickets, and output Hashcat-ready hashes. Requires domain credentials (cleartext or NTLM hash) and DC IP. Use -request for all tickets, -request-user for a specific account, and -outputfile to save hashes. Verify cracked creds with CrackMapExec.

From Windows

Three approaches:

  • Semi-manual: setspn.exe to enumerate SPNs, PowerShell KerberosRequestorSecurityToken to request tickets, Mimikatz to export, kirbi2john + Hashcat to crack
  • PowerView: Get-DomainUser * -SPN | Get-DomainSPNTicket -Format Hashcat for direct hash extraction
  • Rubeus: kerberoast /stats for recon, /ldapfilter:'admincount=1' /nowrap for high-value targets, /tgtdeleg to force RC4 on pre-2019 DCs

Cracking & Reporting

RC4 tickets (type 23, Hashcat mode 13100) crack orders of magnitude faster than AES-256 (type 18, mode 19700). Even if no tickets crack, report the finding as medium risk — SPNs with crackable encryption are a standing vulnerability. Mitigate with gMSA/MSA, long passphrases, and monitoring Event IDs 4769/4770 for bulk TGS requests.
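The Event ID 4769 monitoring recommended above, as an added detection example that is not code from the original page: the records are constructed to mimic the 4769 fields (account, service name, ticket encryption type, timestamp), and the rule flags one account requesting RC4 tickets for many distinct service accounts inside a short window.

```python
"""Flag bulk RC4 service-ticket requests in (constructed) Event ID 4769 records.
Added example, not from the original page. Many TGS requests with encryption
type 0x17 from one account in a short window is the Kerberoasting signature."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

RC4_TYPES = {"0x17", "0x18"}   # RC4-HMAC (etype 23) and RC4-HMAC-EXP; AES-256 logs as 0x12

# Constructed sample: jdoe requests tickets for five service accounts in three seconds.
SAMPLE_4769 = [
    # (account, service name, ticket encryption type, timestamp)
    ("jdoe", "sqlsvc",    "0x17", "2024-05-01T09:00:01"),
    ("jdoe", "backupsvc", "0x17", "2024-05-01T09:00:02"),
    ("jdoe", "iissvc",    "0x17", "2024-05-01T09:00:02"),
    ("jdoe", "sapsvc",    "0x17", "2024-05-01T09:00:03"),
    ("jdoe", "WEB01$",    "0x17", "2024-05-01T09:00:03"),  # machine account: ignored
    ("jdoe", "exchsvc",   "0x17", "2024-05-01T09:00:04"),
    ("alice", "sqlsvc",   "0x12", "2024-05-01T09:05:00"),  # AES ticket: normal use
    ("bob", "sqlsvc",     "0x17", "2024-05-01T08:00:00"),  # legacy RC4 app, low volume
    ("bob", "iissvc",     "0x17", "2024-05-01T11:00:00"),
]

def detect_kerberoast(events, window=timedelta(minutes=5), threshold=5):
    """Return {account: sorted services} for accounts that requested RC4 tickets
    for at least `threshold` distinct service accounts inside one `window`.
    Machine accounts ($) and krbtgt are skipped: they are routine, not SPN users."""
    by_account = defaultdict(list)
    for account, service, etype, ts in events:
        if etype not in RC4_TYPES or service.endswith("$") or service.lower() == "krbtgt":
            continue
        by_account[account].append((datetime.fromisoformat(ts), service))
    findings = {}
    for account, reqs in by_account.items():
        reqs.sort()
        in_window, lo = Counter(), 0          # distinct services inside the sliding window
        for t, service in reqs:
            in_window[service] += 1
            while t - reqs[lo][0] > window:   # drop requests that fell out of the window
                in_window[reqs[lo][1]] -= 1
                if in_window[reqs[lo][1]] == 0:
                    del in_window[reqs[lo][1]]
                lo += 1
            if len(in_window) >= threshold:
                findings[account] = sorted(in_window)
                break
    return findings
```

Tune `threshold` and `window` against the baseline of your own 4769 volume; legacy applications that still negotiate RC4 (bob above) produce a slow trickle, not a burst.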

10. ACL Abuse

Access Control Lists define who can access AD objects and at what level. Misconfigurations are invisible to vulnerability scanners and often persist for years. Key abusable permissions:

  • ForceChangePassword — reset a user’s password without knowing it (Set-DomainUserPassword)
  • GenericAll — full control; change passwords, modify group membership, read LAPS passwords
  • GenericWrite — write non-protected attributes; assign SPNs for targeted Kerberoasting, add group members
  • WriteDACL — modify the DACL to grant yourself further rights; powerful for persistence
  • WriteOwner — take ownership, then modify DACL for full control

Enumerate with BloodHound (SharpHound/bloodhound-python) and PowerView (Find-InterestingDomainAcl). Common attack scenarios: abusing Help Desk password reset permissions, adding controlled accounts to privileged groups, and exploiting excessive rights from software installs (Exchange). Always get client approval before destructive actions and revert all changes.

ACL Enumeration Methodology

Avoid broad Find-InterestingDomainAcl dumps — use targeted enumeration instead. Get the SID of a controlled user (Convert-NameToSid), then find objects they have rights over with Get-DomainObjectACL -ResolveGUIDs. Follow the chain: each compromised user may have rights over another, forming multi-hop attack paths (e.g., ForceChangePassword → GenericWrite on group → nested group membership → GenericAll → DCSync). BloodHound’s “Transitive Object Control” view and pre-built queries reveal these full chains instantly. Without PowerView, use Get-Acl with Get-ADUser in a foreach loop and manually resolve GUIDs via Get-ADObject against the Extended-Rights container.

ACL Abuse Execution

Execute multi-hop chains by authenticating as each user in sequence using PSCredential objects. Use Set-DomainUserPassword for ForceChangePassword, Add-DomainGroupMember for GenericWrite on groups, and Set-DomainObject to assign fake SPNs for targeted Kerberoasting via GenericAll (preferred over password reset when the target can’t be interrupted). Cleanup in reverse order — remove SPN before group membership, since membership grants the rights to modify the SPN. Detect ACL abuse via Event ID 5136 (directory object modified); convert SDDL strings with ConvertFrom-SddlString to identify unauthorized GenericWrite/GenericAll grants on high-value objects.

11. DCSync

Abuses the Directory Replication Service Remote Protocol to mimic a Domain Controller and extract NTLM hashes for all domain users. Requires DS-Replication-Get-Changes and DS-Replication-Get-Changes-All rights on the domain object (held by Domain/Enterprise Admins by default, but commonly found on other accounts).

  • From Linux: secretsdump.py -just-dc DOMAIN/user@DC_IP dumps all NTLM hashes, Kerberos keys, and cleartext passwords (for accounts with reversible encryption). Use -just-dc-ntlm for hashes only, -just-dc-user for a single account.
  • From Windows: mimikatz # lsadump::dcsync /domain:DOMAIN /user:administrator (run as a user with DCSync rights via runas /netonly).
  • Verify rights: PowerView Get-ObjectAcl filtering for Replication-Get ACEs, or BloodHound’s “Find Principals with DCSync Rights” query.
  • Reversible encryption: Accounts with ENCRYPTED_TEXT_PWD_ALLOWED store passwords using RC4 with the Syskey; secretsdump decrypts them automatically. Enumerate with Get-ADUser -Filter 'userAccountControl -band 128'.
  • Post-DCSync: Pass-the-Hash with the Administrator NTLM hash, create Golden Tickets with the krbtgt hash, or crack hashes for password strength reporting (filter disabled accounts with -user-status).
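The ACL audit that sections 10 and 11 describe (SDDL review for unauthorized GenericAll/GenericWrite/WriteDACL/WriteOwner grants, and a check for the two replication rights DCSync needs), as an added example that is not code from the original page: it parses an SDDL string such as the `.Sddl` property of a Get-Acl result. The SDDL below is constructed and its domain SIDs are placeholders; the extended-right GUIDs are the standard AD constants.

```python
"""Audit an AD object's SDDL for ACEs that grant the rights the page calls abusable.
Added example, not from the original page; the SDDL below is constructed and its
domain SIDs are placeholders for a lab domain."""
import re

# Takeover rights, as SDDL two-letter codes, with the matching access-mask bit.
RISKY_RIGHTS = {"GA": ("GenericAll", 0x10000000), "GW": ("GenericWrite", 0x40000000),
                "WD": ("WriteDACL", 0x00040000), "WO": ("WriteOwner", 0x00080000)}
CONTROL_ACCESS = 0x100  # "CR": which extended right is granted is named by the ACE's object GUID
# Standard AD extended-right GUIDs (well-known constants, not page-specific values).
RISKY_EXTENDED = {
    "00299570-246d-11d0-a768-00aa006e0529": "ForceChangePassword",
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",      # DCSync pair
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}
TRUSTED = {"DA", "EA", "BA", "SY"}  # Domain Admins, Enterprise Admins, Builtin Admins, SYSTEM
ACE_RE = re.compile(r"\((\w*);(\w*);([^;]*);([^;]*);([^;]*);([^)]*)\)")

def ace_rights(rights):
    """Expand an ACE rights field (two-letter codes or a hex mask) into a set of codes."""
    if rights.lower().startswith("0x"):
        mask = int(rights, 16)
        codes = {c for c, (_, bit) in RISKY_RIGHTS.items() if mask & bit}
        return codes | ({"CR"} if mask & CONTROL_ACCESS else set())
    return {rights[i:i + 2] for i in range(0, len(rights), 2)}

def audit_sddl(sddl, trusted=TRUSTED):
    """Return (principal, right) pairs for allow ACEs that give an untrusted principal a
    takeover right, a risky extended right, or all extended rights (CR with no GUID)."""
    dacl = sddl.split("D:", 1)[-1].split("S:", 1)[0]   # skip owner/group and any SACL
    findings = []
    for ace_type, _flags, rights, guid, _iguid, sid in ACE_RE.findall(dacl):
        if ace_type not in ("A", "OA") or sid in trusted:
            continue   # deny ACEs and the expected admin principals are not findings
        codes = ace_rights(rights)
        findings += [(sid, name) for c, (name, _) in RISKY_RIGHTS.items() if c in codes]
        if "CR" in codes and (guid == "" or guid.lower() in RISKY_EXTENDED):
            findings.append((sid, RISKY_EXTENDED.get(guid.lower(), "AllExtendedRights")))
    return findings

# Constructed DACL: Domain Admins keep full control and Authenticated Users can read,
# but three ordinary principals hold rights that an audit should surface.
SAMPLE_SDDL = ("O:DAG:DAD:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPLCLORC;;;AU)"
               "(A;;GA;;;S-1-5-21-1111-2222-3333-1105)"
               "(OA;;CR;00299570-246d-11d0-a768-00aa006e0529;;S-1-5-21-1111-2222-3333-1203)"
               "(A;;0x40000000;;;S-1-5-21-1111-2222-3333-1300)"
               "(OA;CI;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1111-2222-3333-1300)")
```

Extend `TRUSTED` with the SIDs of your own administrative groups before running it across a domain, otherwise every legitimate admin grant is reported.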

12. Privileged Access & Lateral Movement

When you lack local admin rights for Pass-the-Hash, leverage RDP, WinRM, and MSSQL access for lateral movement. Enumerate with BloodHound edges (CanRDP, CanPSRemote, SQLAdmin) and PowerView (Get-NetLocalGroupMember for “Remote Desktop Users” and “Remote Management Users” groups). First check: does Domain Users have execution rights over any hosts?

  • RDP: GUI access for data pillaging, credential harvesting, and local privilege escalation. Connect with xfreerdp (Linux) or mstsc.exe (Windows).
  • WinRM: Remote PowerShell via Enter-PSSession (Windows) or evil-winrm (Linux, supports pass-the-hash with -H). The “Remote Management Users” group grants WinRM without local admin.
  • MSSQL: Sysadmin access enables OS command execution via xp_cmdshell. The SQL service account nearly always has SeImpersonatePrivilege, making SYSTEM escalation possible via JuicyPotato/PrintSpoofer/RoguePotato. Enumerate with PowerUpSQL (Get-SQLInstanceDomain) or connect with mssqlclient.py. SQL credentials are often found via Kerberoasting, Snaffler (web.config), or password spraying.

Enumeration and attack is iterative — repeat after every new account takeover.

13. Kerberos Double Hop Problem

WinRM/PSRemoting only forwards a TGS ticket for the target service — the user’s TGT is not sent, so the remote host cannot authenticate to a third resource (e.g., querying a DC from a WinRM session). This does not affect RDP or PSExec, which cache NTLM hashes in memory.

Workarounds:

  • PSCredential object: Pass -Credential $Cred explicitly on every command that reaches a second hop (works from evil-winrm and Enter-PSSession).
  • Register-PSSessionConfiguration: Create a named session config with -RunAsCredential, restart WinRM, reconnect with -ConfigurationName. Caches a TGT so all commands work without explicit credentials. Requires GUI access and an elevated PowerShell console (not usable from evil-winrm or Linux).
  • Other options: CredSSP, port forwarding, sacrificial process injection, nested Invoke-Command.

14. Bleeding Edge Vulnerabilities

Three high-impact attacks that exploit slow patch management cycles to achieve domain compromise quickly.

  • NoPac (CVE-2021-42278 + CVE-2021-42287): SamAccountName spoofing — any standard domain user creates a machine account, renames it to match a DC, requests Kerberos tickets as the DC, and gets a SYSTEM shell or performs DCSync. Blocked if ms-DS-MachineAccountQuota is 0. Uses smbexec.py under the hood (noisy, may trigger AV).
  • PrintNightmare (CVE-2021-34527 + CVE-2021-1675): RCE via the Print Spooler service. Requires MS-RPRN/MS-PAR exposed on target (check with rpcdump.py). Delivers a DLL payload via SMB share for a Meterpreter SYSTEM shell on the DC. Risk: may crash Print Spooler. Requires cube0x0’s Impacket fork.
  • PetitPotam (CVE-2021-36942): Unauthenticated LSA spoofing — coerces a DC to authenticate via NTLM to an attacker host, relayed to AD CS Web Enrollment to obtain a certificate for the DC machine account. Certificate → TGT (via PKINIT/gettgtpkinit.py) → DCSync. Patching alone is insufficient; must also disable NTLM on DCs/AD CS and enable Extended Protection for Authentication. See “Certified Pre-Owned” whitepaper for full AD CS hardening.

All three can lead to full domain compromise. NoPac and PrintNightmare require standard domain credentials; PetitPotam requires none (but requires AD CS).

15. Miscellaneous Misconfigurations

A grab-bag of commonly overlooked AD issues that provide footholds, credentials, or escalation paths.

  • Exchange group abuse: The Exchange Windows Permissions group can write DACLs on the domain object — leverage for DCSync. Organization Management has full control over Exchange security groups and can access all mailboxes. The PrivExchange flaw lets any mailbox user relay Exchange’s SYSTEM-level NTLM auth to LDAP for instant Domain Admin.
  • Printer Bug (MS-RPRN): Any domain user can coerce a server’s spooler service (runs as SYSTEM) to authenticate to an attacker host via SMB. Relay to LDAP for DCSync rights or RBCD. Useful for cross-forest attacks when unconstrained delegation is enabled. Enumerate with Get-SpoolStatus.
  • MS14-068: Forged Kerberos PAC accepted by KDC — standard user to Domain Admin. Defense is patching only.
  • Sniffing LDAP credentials: Redirect LDAP test connections from printers/applications to a listener on port 389. Credentials often sent in cleartext and frequently privileged.
  • DNS enumeration: adidnsdump resolves all DNS records in a zone via LDAP (all domain users can list DNS child objects). Reveals “hidden” hostnames behind non-descriptive naming conventions. Use -r to resolve unknown records.
  • Password in Description field: Get-DomainUser with description filtering finds passwords stored in account descriptions/notes.
  • PASSWD_NOTREQD flag: Accounts exempt from password policy length — may have no password. Enumerate with Get-DomainUser -UACFilter PASSWD_NOTREQD.
  • SYSVOL script credentials: The scripts directory is readable by all authenticated users. Hunt for passwords in .vbs, .ps1, .bat files. Spray found passwords with CrackMapExec --local-auth.
  • GPP passwords: AES-encrypted cpassword in SYSVOL XML files — Microsoft published the key. Patched (MS14-025) but existing files remain. Decrypt with gpp-decrypt; discover with CrackMapExec gpp_password/gpp_autologin modules or Get-GPPPassword.ps1.
  • ASREPRoasting: Accounts with DONT_REQ_PREAUTH — request AS-REP without credentials and crack offline (Hashcat mode 18200). Enumerate with PowerView, attack with Rubeus (asreproast /nowrap), Impacket (GetNPUsers.py), or Kerbrute (auto-dumps during user enumeration). If you have GenericWrite over an account, enable the flag temporarily.
  • GPO abuse: Writable GPOs (WriteProperty/WriteDacl) allow adding local admins, granting privileges, or creating scheduled tasks on all computers in linked OUs. Enumerate with PowerView or BloodHound; exploit with SharpGPOAbuse. Audit with group3r, ADRecon, or PingCastle.
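An account audit covering the attribute-level issues listed above and the reversible-encryption check from section 11 (ENCRYPTED_TEXT_PWD_ALLOWED, PASSWD_NOTREQD, DONT_REQ_PREAUTH, passwords in the description field, SPNs on adminCount=1 accounts), as an added example that is not code from the original page. The user records are constructed; the userAccountControl bit values are the documented AD constants.

```python
"""Audit AD user records for the weak-account attributes the page describes.
Added example, not from the original page: the records are constructed, the
userAccountControl bits are the documented AD constants (not page-specific)."""
import re

ACCOUNTDISABLE             = 0x000002
PASSWD_NOTREQD             = 0x000020   # exempt from the password length policy
ENCRYPTED_TEXT_PWD_ALLOWED = 0x000080   # reversible encryption: DCSync returns cleartext
DONT_REQ_PREAUTH           = 0x400000   # ASREPRoastable
# Description/notes text that looks like "password: ..." or "pwd=..."
PASSWORD_HINT = re.compile(r"\b(pass(word|wd)?|pwd|cred(ential)?s?)\b\s*[:=]", re.I)

def audit_user(rec):
    """Return finding labels for one user (dict keyed by LDAP attribute name)."""
    uac = rec.get("userAccountControl", 0)
    findings = []
    if PASSWORD_HINT.search(rec.get("description", "")):
        findings.append("password-in-description")   # reported even for disabled accounts
    if uac & ACCOUNTDISABLE:
        return findings   # disabled accounts get no tickets; mirrors the -user-status filter
    if uac & ENCRYPTED_TEXT_PWD_ALLOWED:
        findings.append("reversible-encryption")
    if uac & PASSWD_NOTREQD:
        findings.append("password-not-required")
    if uac & DONT_REQ_PREAUTH:
        findings.append("no-kerberos-preauth")
    if rec.get("servicePrincipalName"):   # any SPN user is Kerberoastable; admins matter most
        findings.append("kerberoastable-admin" if rec.get("adminCount") == 1 else "kerberoastable")
    return findings

def audit_users(records):
    """Map sAMAccountName -> findings, keeping only accounts with at least one."""
    return {r["sAMAccountName"]: f for r in records if (f := audit_user(r))}

# Constructed records (0x200 is NORMAL_ACCOUNT, set on every user object).
SAMPLE_USERS = [
    {"sAMAccountName": "jdoe", "userAccountControl": 0x200, "description": "Sales"},
    {"sAMAccountName": "svc_sql", "userAccountControl": 0x10200, "adminCount": 1,
     "servicePrincipalName": ["MSSQLSvc/sql01.corp.example:1433"]},
    {"sAMAccountName": "legacy_app", "userAccountControl": 0x280},
    {"sAMAccountName": "jsmith", "userAccountControl": 0x400200},
    {"sAMAccountName": "temp_user", "userAccountControl": 0x220,
     "description": "Temp account - password: Welcome1"},
    {"sAMAccountName": "old_admin", "userAccountControl": 0x202, "description": "pwd=Spring2021!"},
]
```

Feed it the same attributes an LDAP export or Get-ADUser -Properties userAccountControl,servicePrincipalName,adminCount,description returns, and each label maps to one of the remediations above (gMSA, preauth enforcement, policy cleanup).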

16. Domain Trusts

Trusts create authentication links between domains/forests, allowing cross-domain resource access. Common in M&A scenarios for quick integration but frequently introduce unintended attack paths.

Trust types: Parent-child (intra-forest, bidirectional, transitive), cross-link (between child domains), tree-root, forest (between forest root domains), external (non-transitive, uses SID filtering), and ESAE (bastion forest). Transitive trusts extend trust to objects the child domain trusts; non-transitive trusts are direct only.

Direction: One-way (trusted → trusting only) or bidirectional (both ways). Bidirectional trusts with acquired companies are particularly risky — a weaker trusted domain becomes an indirect attack path into the principal domain.

Enumeration: Use Get-ADTrust -Filter * (built-in), Get-DomainTrust / Get-DomainTrustMapping (PowerView), netdom query /domain:<DOMAIN> trust (cmd), or BloodHound’s “Map Domain Trusts” query. Key properties: Direction, IntraForest, ForestTransitive, SIDFilteringQuarantined, TGTDelegation. Once trusts are mapped, enumerate users/groups/SPNs across each trust and perform cross-trust attacks (Kerberoasting, password spraying). Always document discovered trusts for the report — clients are often unaware of them.

17. Child -> Parent Trust Attacks (Windows)

Compromising any child domain in a forest means compromising the entire forest via the ExtraSids attack. Within the same forest, sidHistory is respected (no SID Filtering on intra-forest trusts), so a Golden Ticket forged in the child domain with the Enterprise Admins SID (-519) injected as an ExtraSID grants full forest-wide administrative access.

Prerequisites (from compromised child domain): Child domain KRBTGT NT hash (via DCSync), child domain SID (Get-DomainSID), Enterprise Admins SID from the parent domain (Get-DomainGroup -Domain <PARENT> -Identity "Enterprise Admins"), any username (can be fake), and the child domain FQDN.

Execution: Mimikatz kerberos::golden /user:hacker /domain:<CHILD> /sid:<CHILD_SID> /krbtgt:<HASH> /sids:<EA_SID> /ptt or Rubeus golden /rc4:<HASH> /domain:<CHILD> /sid:<CHILD_SID> /sids:<EA_SID> /user:hacker /ptt. Then DCSync the parent domain with lsadump::dcsync /user:<PARENT>\administrator /domain:<PARENT>. The only defense is changing the KRBTGT password (twice) after compromise.