Active Directory (AD) manages authentication for Windows networks. It is complex, legacy, and almost always insecure. "Hack the Domain Controller" is the goal of every internal pentest. Once you are Domain Admin (DA), you own all data, all emails, and all servers.

Kerberos Explained Simply

Kerberos avoids sending passwords. It uses Tickets.
1. User logs in. DC verifies password. Sends a TGT (Ticket Granting Ticket).
2. User wants to access FileServer. User sends TGT to DC.
3. DC checks TGT. DC sends a TGS (Ticket Granting Service) for the FileServer.
4. User sends TGS to FileServer. Access Granted.

1. Kerberoasting (Attacking the TGS)

Service accounts (for SQL Server, IIS, etc.) are ordinary user accounts, and they have passwords.
Any valid user can request a TGS for ANY service. The TGS is encrypted with the service account's key, which for RC4 tickets is its NTLM hash.
Attack:
1. Request TGS tickets for all SPNs (Service Principal Names).
2. Take the tickets offline.
3. Crack them with Hashcat (`hashcat -m 13100`).
Why it works: Service accounts often have weak passwords like "Service123".

2. AS-REP Roasting (Attacking the TGT)

If a user has the setting "Do not require Kerberos preauthentication" enabled (rare, but happens), you can request a TGT for them without knowing their password.
The DC sends you the TGT, encrypted with their password hash.
Crack it offline. You now have their password.
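Both roasting attacks above come down to account settings an administrator can audit before an attacker does. The following Python is an added example, not code from the original article: it runs the Kerberoasting and AS-REP checks over a constructed LDAP-style export. The userAccountControl and msDS-SupportedEncryptionTypes bit values are the real AD ones; the accounts, dates and the 180-day password-age threshold are assumptions.

```python
# Added example (not from the original article): audit exported AD user
# records for Kerberoasting and AS-REP roasting exposure. Input is a
# constructed list of dicts shaped like an LDAP export; attribute names and
# bit values are the real AD ones, the sample accounts are made up.
from datetime import datetime, timedelta, timezone

# userAccountControl bits (real AD values)
UF_DONT_EXPIRE_PASSWD = 0x10000
UF_DONT_REQ_PREAUTH = 0x400000      # "Do not require Kerberos preauthentication"
# msDS-SupportedEncryptionTypes bits (real AD values)
ETYPE_RC4_HMAC = 0x4
ETYPE_AES = 0x8 | 0x10              # AES128 | AES256

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock so results are reproducible

SAMPLE_USERS = [  # constructed
    {"sAMAccountName": "svc_sql", "userAccountControl": 0x10200,           # NORMAL | DONT_EXPIRE_PASSWD
     "servicePrincipalName": ["MSSQLSvc/db01.corp.local:1433"],
     "pwdLastSet": NOW - timedelta(days=900), "msDS-SupportedEncryptionTypes": 0},
    {"sAMAccountName": "svc_web", "userAccountControl": 0x200,
     "servicePrincipalName": ["HTTP/web01.corp.local"],
     "pwdLastSet": NOW - timedelta(days=10), "msDS-SupportedEncryptionTypes": 0x18},  # AES only
    {"sAMAccountName": "legacy.app", "userAccountControl": 0x400200,       # NORMAL | DONT_REQ_PREAUTH
     "servicePrincipalName": [],
     "pwdLastSet": NOW - timedelta(days=30), "msDS-SupportedEncryptionTypes": 0},
    {"sAMAccountName": "alice", "userAccountControl": 0x200,
     "servicePrincipalName": [],
     "pwdLastSet": NOW - timedelta(days=5), "msDS-SupportedEncryptionTypes": 0},
]


def audit_user(user, max_spn_password_age_days=180):
    """Return a list of finding strings for one account (empty list = clean)."""
    findings = []
    uac = user["userAccountControl"]
    if uac & UF_DONT_REQ_PREAUTH:
        findings.append("AS-REP roastable: Kerberos preauthentication not required")
    if user["servicePrincipalName"]:
        # Any SPN makes the account Kerberoastable; what matters is how hard
        # the ticket is to crack and how long the same password has been exposed.
        etypes = user["msDS-SupportedEncryptionTypes"]
        # Assumption: 0/unset is treated as "RC4 allowed" (the historical default).
        if etypes == 0 or etypes & ETYPE_RC4_HMAC:
            findings.append("Kerberoastable with RC4 (hashcat -m 13100 target): restrict to AES")
        age = (NOW - user["pwdLastSet"]).days
        if age > max_spn_password_age_days:
            findings.append(f"SPN account password is {age} days old: rotate or move to gMSA")
        if uac & UF_DONT_EXPIRE_PASSWD:
            findings.append("SPN account password never expires")
    return findings


def audit(users):
    """Map account name -> findings, for accounts that have at least one finding."""
    return {u["sAMAccountName"]: f for u in users if (f := audit_user(u))}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_USERS).items():
        print(name)
        for f in findings:
            print("  -", f)
```

In the constructed data, `svc_sql` trips all three Kerberoasting findings, `legacy.app` is AS-REP roastable, and `svc_web` (AES only, recent password) comes back clean. The same checks map one-to-one onto the defences at the end of the article: AES-only encryption types and gMSA rotation remove the cheap cracking target, and clearing the preauthentication flag removes AS-REP roasting entirely.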

3. BloodHound: Mapping the Path

AD is a graph. "Alice is admin on PC-1. Bob is logged into PC-1. Bob is Admin on Server-2. DomainAdmin is logged into Server-2."
BloodHound visualizes this.

# Collection (SharpHound)
Invoke-BloodHound -CollectionMethod All

# Analysis (Neo4j Cypher query; BloodHound stores group names as NAME@DOMAIN)
MATCH p = shortestPath((u:User)-[r:MemberOf|HasSession|AdminTo*1..]->(g:Group {name:'DOMAIN ADMINS@CORP.LOCAL'}))
RETURN p

It draws the line: "Phish Alice -> Dump Bob's Hash -> Pivot to Server-2 -> Steal DA Token."
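The graph above is small enough to hold in code, which makes the defender's follow-up question concrete: of all the edges on the path, which ones are choke points whose removal disconnects the attacker from Domain Admins? The following Python is an added example, not code from the original article or from BloodHound: it encodes the text's Alice/Bob/Server-2 example as a directed graph (with one extra PC-2 route added as an assumption, so that not every edge is a choke point), finds the shortest path the way the Cypher query does, and then lists the single-edge cuts. Edge directions follow BloodHound's convention, where HasSession runs from the computer to the user whose credentials it holds.

```python
# Added example (not from the original article): the attack graph from the
# text as a directed graph, with BloodHound-style shortest-path search and
# the defender's question: which single edge, if removed, breaks every path
# to Domain Admins? Nodes and edges are constructed from the text's example;
# the PC-2 route is an added assumption.
from collections import deque

# Edge meaning, read left to right (BloodHound semantics):
#   AdminTo    : principal has local admin rights on the computer
#   HasSession : the computer holds a logged-on session (credentials) of the user
#   MemberOf   : principal is a member of the group
EDGES = [
    ("ALICE", "AdminTo", "PC-1"),
    ("PC-1", "HasSession", "BOB"),
    ("ALICE", "AdminTo", "PC-2"),          # assumed second route to Bob
    ("PC-2", "HasSession", "BOB"),
    ("BOB", "AdminTo", "SERVER-2"),
    ("SERVER-2", "HasSession", "DA-USER"),
    ("DA-USER", "MemberOf", "DOMAIN ADMINS"),
]


def build_graph(edges):
    """Adjacency list: node -> [(relationship, next_node), ...]."""
    adj = {}
    for src, rel, dst in edges:
        adj.setdefault(src, []).append((rel, dst))
    return adj


def shortest_path(edges, start, goal):
    """BFS over the directed graph; returns [(node, rel, node), ...] or None."""
    adj = build_graph(edges)
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            break
        for rel, nxt in adj.get(node, []):
            if nxt not in prev:
                prev[nxt] = (node, rel)
                queue.append(nxt)
    if goal not in prev:
        return None
    path, cur = [], goal
    while prev[cur] is not None:          # walk back from goal to start
        node, rel = prev[cur]
        path.append((node, rel, cur))
        cur = node
    return path[::-1]


def choke_points(edges, start, goal):
    """Edges whose removal alone disconnects start from goal: the cheapest fixes."""
    return [e for e in edges
            if shortest_path([x for x in edges if x != e], start, goal) is None]


if __name__ == "__main__":
    for src, rel, dst in shortest_path(EDGES, "ALICE", "DOMAIN ADMINS"):
        print(f"{src} -[{rel}]-> {dst}")
    print("choke points:", choke_points(EDGES, "ALICE", "DOMAIN ADMINS"))
```

With the extra PC-2 route in place, cutting either Alice-to-PC edge changes nothing, but the three edges closest to Domain Admins are each a single point of failure. The middle one, the DA session on SERVER-2, is exactly what the tiered-administration rule at the end of the article removes: if DA credentials never touch SERVER-2, the whole path collapses regardless of how many workstations Alice can reach.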

4. The Golden Ticket (Persistence)

If you compromise the Domain Controller, you can dump the hash of the `krbtgt` account.
This account signs ALL Kerberos tickets.
With the `krbtgt` hash, you can forge a TGT for any user (even a non-existent one) that is valid for 10 years.
You can be "Administrator" and say "This ticket is valid". The domain trusts you.

# Mimikatz Golden Ticket creation
kerberos::golden /user:FakeAdmin /domain:corp.local /sid:S-1-5-21-... /krbtgt:HASH /id:500

5. NTLM Relay

AD still supports NTLM (legacy). NTLM is a challenge-response protocol.
Attack:
1. Attacker sits in the middle (Man-in-the-Middle) via LLMNR/NetBIOS spoofing (Responder).
2. Victim tries to access a file share.
3. Attacker says "I am the file share. Authenticate to me."
4. Attacker relays that authentication to the Critical Server.
5. Critical Server thinks Attacker is Victim.
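Kerberoasting (section 1), golden tickets (section 4) and NTLM relay (section 5) each leave a footprint in the Windows Security log on the domain controller or target server. The following Python is an added example, not code from the original article: a small detector that applies the standard signals for all three to a constructed stream of events shaped like event ID 4769 (Kerberos service ticket request) and 4624 (logon). The field names, event IDs and encryption-type codes are the real ones; the hosts, accounts, directory export and thresholds are assumptions.

```python
# Added example (not from the original article): run classic Kerberoasting,
# golden-ticket and NTLM-relay signals over Windows Security events.
# Events are constructed in the shape of event IDs 4769 and 4624; field
# names and codes are real, hosts and accounts are made up.
from collections import defaultdict
from datetime import datetime

KNOWN_ACCOUNTS = {"alice", "bob", "svc_sql", "svc_web"}  # constructed directory export
RC4_HMAC = "0x17"        # 4769 TicketEncryptionType for RC4-HMAC; AES256 is 0x12
SPN_BURST = 5            # assumed: this many distinct services per window = enumeration
WINDOW_SECONDS = 60      # assumed window

EVENTS = [  # constructed sample events
    # alice gets one RC4-encrypted TGS for a user service account (crackable offline)...
    {"EventID": 4769, "Time": "2024-06-01T09:00:01", "TargetUserName": "alice@CORP.LOCAL",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.5"},
    # ...and one AES-encrypted TGS, which is the normal, safe case
    {"EventID": 4769, "Time": "2024-06-01T09:00:02", "TargetUserName": "alice@CORP.LOCAL",
     "ServiceName": "svc_web", "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.5"},
    # bob pulls tickets for five different services in 16 seconds: SPN enumeration
    *[{"EventID": 4769, "Time": f"2024-06-01T10:00:{i * 4:02d}", "TargetUserName": "bob@CORP.LOCAL",
       "ServiceName": svc, "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.7"}
      for i, svc in enumerate(["svc_sql", "svc_web", "svc_backup", "svc_report", "svc_mon"])],
    # a ticket presented in the name of an account the directory has never had:
    # a forged TGT shows up here without any matching 4768 (TGT request)
    {"EventID": 4769, "Time": "2024-06-01T11:00:00", "TargetUserName": "FakeAdmin@CORP.LOCAL",
     "ServiceName": "DC01$", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.9"},
    # network logons: NTLMv2 from bob, NTLMv1 from alice, Kerberos from a machine account
    {"EventID": 4624, "Time": "2024-06-01T12:00:00", "TargetUserName": "bob", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V2", "Computer": "SERVER-2", "IpAddress": "10.0.0.7"},
    {"EventID": 4624, "Time": "2024-06-01T12:00:05", "TargetUserName": "alice", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V1", "Computer": "FS01", "IpAddress": "10.0.0.5"},
    {"EventID": 4624, "Time": "2024-06-01T12:00:09", "TargetUserName": "PC-1$", "LogonType": 3,
     "AuthenticationPackageName": "Kerberos", "LmPackageName": "-", "Computer": "DC01", "IpAddress": "10.0.0.5"},
]


def account(name):
    """Strip the realm from 'user@REALM' and lower-case it for directory lookup."""
    return name.split("@")[0].lower()


def detect(events, known=KNOWN_ACCOUNTS):
    """Return a list of (kind, account, detail) alerts."""
    alerts = []
    tgs_by_account = defaultdict(list)
    for e in events:
        user = account(e["TargetUserName"])
        # Golden-ticket signal: activity for a principal that does not exist in AD.
        # Machine accounts (trailing $) are skipped because the sample export has none.
        if user not in known and not user.endswith("$"):
            alerts.append(("forged-ticket?", user, f"event {e['EventID']} for an account not in the directory"))
        if e["EventID"] == 4769:
            # Kerberoasting signal 1: RC4 ticket for a user (non-machine) service account
            if e["TicketEncryptionType"] == RC4_HMAC and not e["ServiceName"].endswith("$") \
                    and e["ServiceName"] != "krbtgt":
                alerts.append(("kerberoast-rc4", user, e["ServiceName"]))
            tgs_by_account[user].append((datetime.fromisoformat(e["Time"]), e["ServiceName"]))
        elif e["EventID"] == 4624 and e["LogonType"] == 3 and e["AuthenticationPackageName"] == "NTLM":
            # NTLM-relay exposure: every network logon still using NTLM is relayable
            # unless signing is enforced; NTLMv1 is worse (no signing support, weak hash).
            kind = "ntlmv1" if e.get("LmPackageName") == "NTLM V1" else "ntlm"
            alerts.append((kind, user, f"network logon to {e['Computer']} from {e['IpAddress']}"))
    # Kerberoasting signal 2: one account requesting many distinct services in a short window
    for user, reqs in tgs_by_account.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):
            window = {svc for t, svc in reqs[i:] if (t - t0).total_seconds() <= WINDOW_SECONDS}
            if len(window) >= SPN_BURST:
                alerts.append(("kerberoast-burst", user, f"{len(window)} distinct services in {WINDOW_SECONDS}s"))
                break
    return alerts


if __name__ == "__main__":
    for kind, user, detail in detect(EVENTS):
        print(f"{kind:18} {user:12} {detail}")
```

On the constructed stream this yields five alerts: an RC4 service ticket for `alice`, an SPN burst for `bob`, a ticket for the non-existent `fakeadmin`, and the two NTLM network logons (the NTLMv1 one being the urgent fix). The NTLM inventory is the practical prerequisite for the "Disable NTLM" defence below: you cannot enforce Kerberos-only until the 4624 events show who still depends on NTLM.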

Golden Defense

1. Tiered Administration: DA accounts should NEVER log into workstations.
2. Disable NTLM: Force Kerberos only.
3. Strong Service Passwords: Use Managed Service Accounts (MSA/gMSA), whose 120-character passwords AD rotates automatically.