Active Directory Attacks

This skill should be used when the user asks to "attack Active Directory", "exploit AD", "Kerberoasting", "DCSync", "pass-the-hash", "BloodHound enumeration", "Golden Ticket", "Silver Ticket", "AS-REP roasting", "NTLM relay", or needs guidance on Windows domain penetration testing.

Author

zebbern

Category

Other Tools

Install

Download and extract to your skills directory

Copy command and send to OpenClaw for auto-install:

Download and install this skill https://openskills.cc/api/download?slug=sickn33-skills-active-directory-attacks&locale=en&source=copy

Active Directory Attacks - Complete Guide to Windows Domain Penetration Testing

Skill Overview

The Active Directory Attacks skill provides red team members and penetration testers with a comprehensive technical playbook for attacking Windows domain environments, covering the end-to-end process from information gathering and credential acquisition to privilege escalation on domain controllers.

Applicable Scenarios

1. Red Team Operations and Adversary Simulation

In authorized red team exercises, it is necessary to simulate real attacker behavior to assess the security of an organization's AD environment. This skill provides a complete attack chain from initial access to domain takeover, including Kerberos attacks, lateral movement, and persistence techniques.

2. Penetration Testing and Security Assessments

When security testers need to perform a thorough security assessment of an Active Directory environment, they can use the attack techniques collected in this skill to identify vulnerabilities and misconfigurations in the domain, such as accounts with Kerberos pre-authentication disabled or improperly configured certificate services.

3. Incident Response and Forensic Analysis

By understanding AD attack techniques, security teams can better identify signs of compromise, analyze attack paths, and develop effective defenses. This skill documents the characteristics and artifacts of various attacks in detail, helping blue teams improve detection capabilities.

Core Features

1. Comprehensive Coverage of Attack Techniques

Covers the mainstream AD attack techniques: credential attacks (Kerberoasting, AS-REP Roasting, Password Spraying), ticket attacks (Golden Ticket, Silver Ticket, Pass-the-Ticket), hash-based authentication attacks (Pass-the-Hash, OverPass-the-Hash), NTLM relay, and AD CS certificate service attacks, covering the needs of different engagement scenarios.

2. Practical Tool Integration Guides

Provides usage methods and command examples for mainstream tools such as BloodHound, Impacket, Mimikatz, Rubeus, CrackMapExec, PowerView, and Responder, helping users quickly execute various attacks. Also includes exploitation guides for critical CVEs such as ZeroLogon and PrintNightmare.

3. Complete Workflow Guidance

Offers structured step-by-step procedures from Kerberos clock synchronization and BloodHound reconnaissance to the execution of specific attacks. Includes practical notes such as common troubleshooting steps, handling clock drift, and pre-attack checks to ensure successful operations.

Frequently Asked Questions

What is the basic principle of a Kerberoasting attack?

Kerberoasting exploits the fact that Kerberos service tickets (TGS tickets) are encrypted with a key derived from the service account's password. After requesting a TGS ticket for any service that has an SPN, an attacker can brute-force the service account password offline. The attack requires no special privileges (any domain user can request TGS tickets for every SPN in the domain), which makes it a classic privilege escalation path in domain penetration testing.

What permissions are required to perform a DCSync attack?

A DCSync attack requires the "Replicating Directory Changes" permissions, which are typically held only by Domain Admins, Enterprise Admins, and domain controller computer accounts. A successful DCSync yields the krbtgt account hash, which can then be used to forge a Golden Ticket and gain full control of the domain. This skill provides the full commands for performing DCSync with Impacket's secretsdump and with Mimikatz.

How do you handle clock synchronization issues in Kerberos attacks?

Kerberos requires the client and domain controller clocks to be within ±5 minutes of each other; otherwise authentication fails. This skill provides several solutions: detecting clock drift with nmap, synchronizing time with net time /domain /set, or, on Linux, using the faketime tool to adjust the time seen by a single process without changing the system clock, so that Kerberos attacks proceed smoothly.