Active Directory Attack Overview
# Overview
Active Directory is the backbone of enterprise identity management. A misconfiguration chain from unauthenticated enumeration through to Domain Admin typically follows a predictable progression: anonymous access reveals usernames or credentials, authenticated access unlocks BloodHound ingestion and ACL abuse, and privileged access enables credential dumping and persistence. This index maps 15 distinct AD attack techniques (files 2 through 16 in the cross-reference map below) across five access levels, providing a full-spectrum reference for internal pentests.
# Attack Progression
```text
UNAUTHENTICATED
    |-- Anonymous LDAP bind -> password in description (7-anonymous-ldap-to-foothold)
    |-- SMB null session -> GPP cpassword (5-gpp-password-extraction)
    |-- RID cycling (lookupsid) -> user list
    |-- AS-REP Roasting (2-as-rep-roasting)
AUTHENTICATED USER
    |-- Password spraying across protocols (4-password-spraying)
    |-- Kerberoasting (3-kerberoasting)
    |-- BloodHound ingestion -> ACL analysis
    |-- NTLM relay (6-ntlm-theft-and-relay)
    |-- ADCS enumeration (9-adcs-exploitation)
PRIVILEGED USER (specific groups)
    |-- Server Operators: service binary hijack (11-group-membership-abuse)
    |-- Backup Operators: NTDS.dit dump (11-group-membership-abuse)
    |-- DNSAdmins: DLL injection (11-group-membership-abuse)
    |-- Account Operators: group manipulation (11-group-membership-abuse)
    |-- ReadLAPSPassword: local admin retrieval (12-laps-and-gmsa)
    |-- ReadGMSAPassword: managed account hash (12-laps-and-gmsa)
DOMAIN PRIVILEGED (ACL holder)
    |-- GenericAll on user -> force password / shadow credential (10-acl-abuse)
    |-- WriteOwner on group -> add self -> escalate (10-acl-abuse)
    |-- WriteDACL on domain -> grant DCSync (10-acl-abuse)
    |-- Targeted Kerberoasting via WriteSPN (10-acl-abuse)
    |-- RBCD (8-kerberos-delegation-attacks)
    |-- Constrained delegation abuse (8-kerberos-delegation-attacks)
    |-- AD Recycle Bin recovery (15-ad-recycle-bin-attacks)
DOMAIN ADMIN
    |-- DCSync (13-dcsync-and-golden-ticket)
    |-- Golden/Silver/Diamond Tickets (13-dcsync-and-golden-ticket)
    |-- Cross-forest attacks (14-trusts-and-cross-forest)
    |-- ADFS/SAML attacks (16-adfs-and-saml-attacks)
```
# Decision Tree: From Access Level to Attack
```text
What access do you have?
|
+-- NO CREDENTIALS
|   +-- SMB Null Session? ---> GPP password extraction, user enumeration
|   +-- Anonymous LDAP? ------> windapsearch, user description passwords
|   +-- User list exists? ----> AS-REP Roasting (GetNPUsers)
|   +-- Username list? -------> Password spraying
|
+-- LOW-PRIVILEGED USER
|   +-- Kerberos enabled? ----> Kerberoasting (GetUserSPNs)
|   +-- WinRM access? --------> Upload BloodHound collector, enumerate
|   +-- SMB write share? -----> ntlm_theft, SCF/LNK attacks
|   +-- ADCS present? --------> certipy find (ESC1-16)
|   +-- SPN write rights? ----> Targeted Kerberoasting
|
+-- PRIVILEGED GROUP MEMBER
|   +-- Server Operators? ----> sc config binPath hijack
|   +-- Backup Operators? ----> NTDS.dit dump via diskshadow or wbadmin
|   +-- DNSAdmins? -----------> DLL injection via DNS service
|   +-- Account Operators? ---> Add self to Exchange groups -> DCSync
|   +-- LAPS_Readers? --------> Get-AdmPwdPassword
|   +-- Infrastructure (gMSA)? -> Read msDS-ManagedPassword
|
+-- ACL HOLDER
|   +-- GenericAll on User? --------> ForceChangePassword / Shadow Credential
|   +-- WriteOwner on Group? -------> Take ownership -> add self -> escalate
|   +-- WriteDACL on Domain? -------> Grant DCSync to controlled account
|   +-- GenericWrite on User? ------> Targeted Kerberoasting (set SPN)
|   +-- GenericWrite on Computer? --> RBCD attack
|   +-- WriteProperty on GPO? ------> GPO abuse via SharpGPOAbuse
|   +-- AddSelf on Group? ----------> Add self to Infrastructure/LAPS_Readers
|
+-- DOMAIN ADMIN
    +-- DCSync with secretsdump.py
    +-- Forge Golden Ticket (krbtgt hash + domain SID)
    +-- Cross-forest: foreign group membership, trust key abuse
    +-- ADFS: Golden SAML, token signing certificate extraction
```
# Cross-Reference Map
| # | File | Access Required | Key Tools | Real-World Machines |
|---|---|---|---|---|
| 2 | as-rep-roasting.md | None (user list) | GetNPUsers, hashcat 18200 | Blackfield, Forest, Sauna, Rebound |
| 3 | kerberoasting.md | Domain user | GetUserSPNs, hashcat 13100 | Active, Rebound |
| 4 | password-spraying.md | None (user list) | netexec, crackmapexec | Cicada, Monteverde |
| 5 | gpp-password-extraction.md | SMB read access | gpp-decrypt, smbclient | Active |
| 6 | ntlm-theft-and-relay.md | SMB write access | Responder, ntlmrelayx | Flight, Fluffy |
| 7 | anonymous-ldap-to-foothold.md | LDAP network access | windapsearch, ldapsearch | Cascade, Forest, Monteverde |
| 8 | kerberos-delegation-attacks.md | Various | Rubeus, getST, rbcd.py | Rebound, Authority |
| 9 | adcs-exploitation.md | Domain user | certipy, Certify, PKINITtools | Escape, Fluffy, Certified, Authority, TombWatcher |
| 10 | acl-abuse.md | Domain user | bloodyAD, PowerView, dacledit | Forest, Fluffy, Certified, Multimaster, TombWatcher |
| 11 | group-membership-abuse.md | Group member | sc, robocopy, diskshadow | Return, Blackfield, Forest, Multimaster |
| 12 | laps-and-gmsa.md | Specific group | LAPSToolkit, netexec, bloodyAD | Timelapse, TombWatcher, Rebound |
| 13 | dcsync-and-golden-ticket.md | Replication rights | secretsdump, ticketer | Sauna, Forest, Flight, Rebound, Authority |
| 14 | trusts-and-cross-forest.md | Domain user | netdom, Get-ADTrust, nltest | (conceptual) |
| 15 | ad-recycle-bin-attacks.md | Domain user | Get-ADObject, Restore-ADObject | Cascade, TombWatcher |
| 16 | adfs-and-saml-attacks.md | DA / ADFS admin | (conceptual) | (conceptual) |
# Start Here: Automated Enumeration
Before working through the techniques below one by one, run the Automated Active Directory Enumeration Playbook -- a single script that performs the full unauthenticated and authenticated sweep (BloodHound, Kerberoasting, delegations, ADCS/ESC, trusts, ACLs, honeypot heuristics) and saves every result into organized files mapped to the attack pages in this module. The manual flow in the next section is what that playbook automates.
# Common Enumeration Flow
```bash
# Step 1: Scan and identify the domain controller
nmap -p- --min-rate=1000 -T4 <TARGET>
nmap -p<open_ports> -sC -sV <TARGET>

# Step 2: Attempt anonymous access
smbclient -N -L //<TARGET>                                 # Null session share listing (-N: no password prompt)
smbmap -H <TARGET>                                         # Anonymous share enumeration
ldapsearch -x -H ldap://<TARGET> -b "dc=<domain>"          # Anonymous LDAP bind (-x: simple auth, no credentials)
./windapsearch.py -d <domain> --dc-ip <TARGET> -U          # User enumeration

# Step 3: Get a user list
lookupsid.py guest@<TARGET> -no-pass 10000                 # RID cycling up to RID 10000
impacket-lookupsid '<domain>/guest'@<TARGET> -no-pass | grep 'SidTypeUser'

# Step 4: Try AS-REP roasting
GetNPUsers.py -usersfile users.txt <domain>/ -no-pass -dc-ip <TARGET>

# Step 5: Spray common passwords
netexec smb <TARGET> -u users.txt -p passwords.txt

# Step 6: BloodHound ingestion (once credentials exist)
bloodhound-python -d <domain> -u <user> -p '<pass>' -dc <dc> -c all -ns <ip>

# Step 7: ADCS enumeration (once credentials exist)
certipy find -u <user>@<domain> -p '<pass>' -dc-ip <TARGET> -vulnerable
```
# Tool Quick Reference
| Tool | Purpose | Install |
|---|---|---|
| Impacket | GetNPUsers, GetUserSPNs, secretsdump, ticketer, getST, lookupsid | pip install impacket |
| netexec / crackmapexec | SMB/LDAP/WinRM enumeration, spraying, module execution | pipx install git+https://github.com/Pennyw0rth/NetExec |
| BloodHound | AD relationship visualization and attack path discovery | apt install bloodhound; pip install bloodhound-python |
| certipy | ADCS exploitation (ESC1-16) | pip3 install certipy-ad |
| bloodyAD | ACL abuse, group manipulation | pip install bloodyad |
| PowerView | Domain object enumeration and ACL manipulation (Windows) | PowerShell module |
| hashcat | Password cracking | apt install hashcat |
| Evil-WinRM | PowerShell Remoting shell | gem install evil-winrm |
| Responder | NTLM hash capture via LLMNR/NBT-NS/mDNS poisoning | apt install responder |
| PKINITtools | Shadow credential exploitation | GitHub: dirkjanm/PKINITtools |
# Source Machines
- Active (Easy) -- GPP + Kerberoasting
- Sauna (Easy) -- AS-REP + DCSync
- Forest (Easy) -- AS-REP + Account Operators + DCSync
- Cicada (Easy) -- Password spray + SeBackupPrivilege
- Cascade (Medium) -- Anonymous LDAP + VNC decrypt + AD Recycle Bin
- Return (Easy) -- Printer LDAP capture + Server Operators
- Timelapse (Easy) -- SMB + PFX cracking + LAPS
- Fluffy (Easy) -- NTLM theft + ACL chain + Shadow Credentials + ESC16
- Certified (Medium) -- ACL chain + Shadow Credentials + ESC9
- Escape (Medium) -- NTLM relay via MSSQL + ESC1
- Monteverde (Medium) -- Password spray + Azure AD Connect extraction
- Authority (Medium) -- Ansible vault cracking + ESC1 + PassTheCert
- Blackfield (Hard) -- AS-REP + LSASS dump + Backup Operators
- Flight (Hard) -- NTLM theft + DCSync via machine account
- TheFrizz (Medium) -- CVE-2023-45878 + password cracking + GPO abuse
- Rebound (Insane) -- Pre-auth Kerberoasting + Descendant Object Takeover + Cross-session relay + gMSA + RBCD
- Multimaster (Insane) -- SQLi + VSCode debugger + GenericWrite -> AS-REP Roasting + Server Operators
- TombWatcher (Medium) -- Targeted Kerberoasting + gMSA + ForceChangePassword + Shadow Credential + AD Recycle Bin + ESC15