Active Directory Penetration Testing
AI-Generated Content
Active Directory (AD) is the cornerstone of authentication and authorization in most Windows enterprise environments. For cybersecurity professionals, understanding how to ethically test its defenses is not just a skill but a necessity. A comprehensive AD penetration test simulates the actions of a determined adversary, moving from an initial foothold to complete domain compromise. The process reveals critical weaknesses in identity and access management and gives defenders a roadmap for hardening their networks against real-world attacks.
1. Foundation: Enumeration and Attack Path Mapping
Before launching any attack, you must understand the landscape. Enumeration is the process of gathering information about the AD domain, including users, groups, computers, and their relationships. Tools like PowerView are invaluable for this, allowing you to query the domain for sensitive data such as privileged group memberships and shared folders.
The true power of enumeration is realized with a tool like BloodHound. It ingests data collected from the domain (using a collector like SharpHound) and maps out the complex web of relationships between objects. BloodHound visualizes attack paths: chains of misconfigured permissions and group memberships that an attacker can traverse. For example, it can reveal that a low-privilege service account is a member of a group that holds "WriteOwner" permissions over a high-value admin account. This graph-based approach transforms a chaotic directory into a clear roadmap to Domain Admin.
2. Initial Access and Credential Theft
Often, the first step inside a network doesn't involve fancy exploits but rather abusing legacy protocols. LLMNR (Link-Local Multicast Name Resolution) and NBT-NS (NetBIOS Name Service) are fallback protocols that Windows systems use to resolve hostnames on the local network when DNS fails. An attacker can use a tool like Responder to perform LLMNR/NBT-NS poisoning. By listening for these broadcast requests and answering with a false claim to be the requested host, Responder can trick a user's system into sending its authentication attempt (an NTLMv2 challenge-response, commonly called an NTLMv2 hash) directly to the attacker. The captured material can then be taken offline for cracking or used in a relay attack.
Another goldmine for credential theft is Group Policy Objects (GPOs). Administrators sometimes store credentials in GPOs for deploying scheduled tasks or mapping drives. By enumerating the SYSVOL share (a domain-wide repository for GPOs and scripts), you can often find XML files containing these credentials in plaintext or in an easily recoverable form, providing a swift escalation path.
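As an added defensive example (not code from the original page), the following audit walks Group Policy Preferences XML files and reports every item that still carries a cpassword attribute, so the credential can be rotated and the preference removed. The SYSVOL path, policy GUID and cpassword values are constructed placeholders; the scan_sysvol helper shows how the same check would run over a mounted share.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample SYSVOL preference files (not real data): paths use a placeholder policy GUID
# and the cpassword values are placeholders, not valid ciphertext.
SAMPLE_SYSVOL = {
    r"\\corp.example\SYSVOL\corp.example\Policies\{POLICY-GUID}\Machine\Preferences\Groups\Groups.xml":
        '<Groups><User name="LocalAdmin">'
        '<Properties action="U" userName="LocalAdmin" cpassword="PLACEHOLDER_CPASSWORD_1"/>'
        '</User></Groups>',
    r"\\corp.example\SYSVOL\corp.example\Policies\{POLICY-GUID}\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml":
        '<ScheduledTasks><Task name="NightlyBackup">'
        '<Properties runAs="CORP\\svc_backup" cpassword="PLACEHOLDER_CPASSWORD_2"/>'
        '</Task></ScheduledTasks>',
    r"\\corp.example\SYSVOL\corp.example\Policies\{POLICY-GUID}\User\Preferences\Drives\Drives.xml":
        '<Drives><Drive name="H:"><Properties action="U" path="\\\\fs01\\home" userName="" cpassword=""/></Drive></Drives>',
}

def find_gpp_credentials(files):
    """Return one finding per preference item whose <Properties> carries a non-empty cpassword."""
    findings = []
    for path, xml_text in files.items():
        try:
            root = ET.fromstring(xml_text)
        except ET.ParseError:
            continue  # skip malformed files rather than abort the whole audit
        for item in root:  # Groups.xml -> <User>, ScheduledTasks.xml -> <Task>, Drives.xml -> <Drive>
            props = item.find("Properties")
            if props is None or not props.get("cpassword"):
                continue  # an empty cpassword attribute is common and carries no secret
            account = props.get("userName") or props.get("runAs") or props.get("accountName") or "<unspecified>"
            findings.append({"file": path, "kind": root.tag, "item": item.get("name"), "account": account})
    return findings

def scan_sysvol(root_dir):
    """Walk a mounted SYSVOL path, read every .xml under a Preferences folder, and audit it."""
    files = {}
    for dirpath, _, names in os.walk(root_dir):
        if "Preferences" not in dirpath:
            continue
        for name in names:
            if name.lower().endswith(".xml"):
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8-sig", errors="replace") as fh:
                    files[full] = fh.read()
    return find_gpp_credentials(files)
```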
3. Exploiting Kerberos: Roasting Attacks
The Kerberos authentication protocol, while robust, has specific vulnerabilities when configured with weak security settings. Kerberoasting targets service accounts. Any domain user can request a Kerberos service ticket (TGS) for any registered service, such as an SQL server. If the service account has a weak password, the portion of the ticket encrypted with that account's password-derived key can be captured and taken offline to attempt to crack the password. The attack is stealthy because it uses normal Kerberos traffic and requires no special permissions to initiate.
AS-REP Roasting targets a Kerberos pre-authentication setting. When a user account has the "Do not require Kerberos preauthentication" flag set, you can request an Authentication Service Reply (AS-REP) for that user without proving knowledge of the password. This reply contains data encrypted with a key derived from the user's password, which can also be captured and cracked offline. This often catches high-privilege users whose accounts have been misconfigured for legacy compatibility.
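The two roasting techniques above leave distinct traces in the Domain Controller Security log, and the added example below (not from the original page) shows detection logic for both: a burst of RC4 service-ticket requests (Event ID 4769, encryption type 0x17) from one requester, and TGT requests issued without pre-authentication (Event ID 4768, Pre-Authentication Type 0), plus the matching userAccountControl audit. The event records and account values are constructed, reduced to the fields the logic needs; the RC4 filter is a common heuristic, not a complete one, since tickets can also be requested with AES.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"            # Kerberos etype 23; roasting tools usually request it because RC4 tickets crack fastest
DONT_REQ_PREAUTH = 0x400000  # userAccountControl bit behind "Do not require Kerberos preauthentication"

# Constructed sample events (not real logs): 4769 = service ticket requested, 4768 = TGT requested.
EVENTS = [
    {"id": 4769, "time": "2024-05-01T09:00:00", "requester": "jdoe", "service": "svc_sql", "etype": "0x17"},
    {"id": 4769, "time": "2024-05-01T09:00:02", "requester": "jdoe", "service": "svc_web", "etype": "0x17"},
    {"id": 4769, "time": "2024-05-01T09:00:03", "requester": "jdoe", "service": "svc_backup", "etype": "0x17"},
    {"id": 4769, "time": "2024-05-01T09:00:04", "requester": "jdoe", "service": "svc_print", "etype": "0x17"},
    {"id": 4769, "time": "2024-05-01T09:30:00", "requester": "asmith", "service": "svc_sql", "etype": "0x12"},
    {"id": 4768, "time": "2024-05-01T09:05:00", "requester": "legacy_app", "etype": "0x17", "preauth": 0},
    {"id": 4768, "time": "2024-05-01T09:06:00", "requester": "asmith", "etype": "0x12", "preauth": 2},
]

def kerberoast_suspects(events, min_services=3, window=timedelta(minutes=5)):
    """Requesters that obtained RC4 service tickets for >= min_services distinct accounts within one window."""
    by_requester = defaultdict(list)
    for e in events:
        if e["id"] == 4769 and e["etype"] == RC4_HMAC:
            by_requester[e["requester"]].append((datetime.fromisoformat(e["time"]), e["service"]))
    suspects = {}
    for requester, hits in by_requester.items():
        hits.sort()  # chronological; sliding window starts at each request in turn
        for i, (start, _) in enumerate(hits):
            services = {svc for t, svc in hits[i:] if t - start <= window}
            if len(services) >= min_services:
                suspects[requester] = sorted(services)
                break
    return suspects

def asrep_roast_events(events):
    """4768 events where a TGT was issued with no pre-authentication: each reply is crackable offline."""
    return [e["requester"] for e in events if e["id"] == 4768 and e.get("preauth") == 0]

def asrep_roastable_accounts(accounts):
    """Audit side: account names whose userAccountControl has DONT_REQ_PREAUTH set."""
    return sorted(name for name, uac in accounts.items() if uac & DONT_REQ_PREAUTH)

# Constructed userAccountControl values (0x200 NORMAL_ACCOUNT, 0x10000 DONT_EXPIRE_PASSWORD).
ACCOUNTS = {"legacy_app": 0x10200 | DONT_REQ_PREAUTH, "asmith": 0x10200, "svc_sql": 0x10200}
```

A real deployment would feed the same functions from exported 4768/4769 events and from an LDAP query for the userAccountControl attribute; the accounts the audit returns are the ones to fix before an attacker finds them.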
4. Lateral Movement: Pass-the-Hash and Pass-the-Ticket
Once you have credentials, you need to move. Pass-the-Hash (PtH) is a technique that allows an attacker to authenticate to a remote system using a user's NTLM hash, without needing the plaintext password. This works because NTLM authentication uses the hash as the fundamental secret. Tools like Mimikatz can extract hashes from memory and then use them to spawn new sessions on other machines, enabling lateral movement across the network even if password policies are strong.
Pass-the-Ticket (PtT) is the Kerberos equivalent. Instead of hashes, you steal Kerberos Ticket-Granting Tickets (TGTs) or service tickets from a system's memory. These tickets, which are cached after a user logs on, can be injected into your own session to impersonate the user seamlessly across the domain, often bypassing network restrictions that might block NTLM authentication.
5. Privilege Escalation and Domain Compromise
The ultimate goal is Domain Administrator access. One of the most powerful paths to this is through trust relationships in multi-domain forests. If you compromise a domain with a bidirectional trust relationship, you can exploit that trust to access resources in the trusting domain. Techniques like "Golden Ticket" attacks forge Kerberos tickets using the KRBTGT account hash, granting unlimited access across the forest.
The crown jewel of AD attacks is DCSync. This is not an exploit of a flaw but an abuse of the legitimate AD replication protocol (MS-DRSR). Any account that holds the directory replication rights on the domain (rights that Domain Controllers and, by default, Domain Admins possess) can mimic a Domain Controller and request password data for any user in the domain, including the KRBTGT account. Executing a DCSync attack with a tool like Mimikatz effectively hands over the keys to the entire kingdom, allowing you to extract the password hashes of every user.
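Because DCSync uses the genuine replication rights, the detection that matters is who exercises them. The added example below (not from the original page) checks Event ID 4662 records for the replication extended-right GUIDs being used against the domain head by any principal that is not a known Domain Controller or directory-sync account. The GUIDs are the schema's well-known replication rights; the event records, the DC names and the sync-account name are constructed assumptions.

```python
import re

# Extended-right GUIDs that gate directory replication (well-known AD schema values).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS = 0x100  # ADS_RIGHT_DS_CONTROL_ACCESS: the AccessMask 4662 reports for extended rights
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)

# Constructed trust lists (assumptions): DC machine accounts replicate legitimately, and so does a
# directory-sync service account if the environment has one. Anything else is an alert.
DOMAIN_CONTROLLERS = {"DC01$", "DC02$"}
SYNC_ACCOUNTS = {"svc_dirsync"}

# Constructed 4662 records (not real logs) reduced to the fields the check needs. In the real event,
# Properties is a multi-line string of GUIDs in braces and ObjectType resolves to the domainDNS class.
REPL_PROPS = "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"
EVENTS = [
    {"id": 4662, "subject": "DC02$", "object_type": "domainDNS", "object_name": "DC=corp,DC=example",
     "access_mask": 0x100, "properties": REPL_PROPS},
    {"id": 4662, "subject": "svc_backup", "object_type": "domainDNS", "object_name": "DC=corp,DC=example",
     "access_mask": 0x100, "properties": REPL_PROPS},
    {"id": 4662, "subject": "asmith", "object_type": "user", "object_name": "CN=asmith,CN=Users,DC=corp,DC=example",
     "access_mask": 0x10, "properties": "{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}"},  # constructed non-replication GUID
]

def detect_dcsync(events, trusted=DOMAIN_CONTROLLERS | SYNC_ACCOUNTS):
    """Alert on 4662 replication-right usage against the domain head by any principal not in `trusted`."""
    alerts = []
    for e in events:
        if e["id"] != 4662 or e["object_type"].lower() != "domaindns" or not (e["access_mask"] & CONTROL_ACCESS):
            continue
        guids = (m.lower() for m in GUID_RE.findall(e["properties"]))
        rights = [REPLICATION_RIGHTS[g] for g in guids if g in REPLICATION_RIGHTS]
        if rights and e["subject"] not in trusted:
            alerts.append({"subject": e["subject"], "target": e["object_name"], "rights": rights})
    return alerts
```

The same rule is the place to review who holds these rights at all: any principal outside the DC and sync-account set that appears here either needs the right removed or is already being used for DCSync.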
Common Pitfalls
- Focusing Only on Technical Exploits: The biggest mistake is ignoring the "people" layer. Phishing campaigns to gain initial credentials or LLMNR poisoning often yield faster results than hunting for a vulnerable service. A comprehensive test must include social engineering and protocol abuse.
- Stopping at Local Administrator: Finding a local admin password is a major win, but stopping there leaves value on the table. You must use that access to dump credentials from memory (LSASS) with tools like Mimikatz or SharpKatz, which will reveal domain credentials and enable lateral movement.
- Ignoring BloodHound Data Post-Compromise: After gaining a new set of credentials, many testers fail to re-run BloodHound collection. New credentials change your position on the attack graph, potentially revealing new, shorter paths to Domain Admin that were previously invisible.
- Loud Tradecraft on the Domain Controller: Running noisy tools or mass password-spraying attacks directly from a compromised Domain Controller can trigger alarms. Operations on DCs should be precise, slow, and use native tools or living-off-the-land binaries (LOLBins) where possible to blend in with normal admin activity.
Summary
- Map the Battlefield: Use enumeration tools and BloodHound to visualize attack paths and identify the most efficient route to high-privilege accounts.
- Steal Credentials Early: Abuse weak protocols like LLMNR/NBT-NS with Responder and search GPOs in SYSVOL to capture initial hashes and passwords.
- Target Kerberos Systematically: Execute Kerberoasting against service accounts and AS-REP roasting against accounts with pre-authentication disabled to obtain crackable tickets.
- Move Laterally with Stolen Credentials: Use Pass-the-Hash (NTLM) and Pass-the-Ticket (Kerberos) techniques to expand your foothold across the network using stolen authentication material.
- Achieve Domain Dominance: Exploit trust relationships and, with sufficient privileges, perform a DCSync attack to extract the entire domain password database, culminating in full Domain Administrator compromise.