Active Directory Attack Techniques: A Pentester's Practical Guide

Published May 01, 2026 · 2,829 words

Active Directory (AD) is the centralized brain of most enterprise networks, making it a prime target for attackers aiming for domain dominance. As pentesters, we understand that compromising AD often means gaining control over the entire environment. This guide dives deep into common Active Directory attack techniques, from initial enumeration and reconnaissance to credential theft, lateral movement, and ultimately, achieving persistent domain administrative access, all with practical examples and the tools we use in the field.

Understanding the Active Directory Landscape for Attackers

Before you even think about launching your first attack, you need to understand the fundamental components of Active Directory. It's not just a directory of users; it's a complex system of Domain Controllers (DCs), users, computers, groups, Group Policy Objects (GPOs), and trust relationships. Each of these components presents potential weaknesses we can exploit.

Domain Controllers are the beating heart, storing the critical NTDS.DIT database which holds all user hashes and other sensitive information. Users and computers form the bulk of the directory, often with misconfigured permissions or weak credentials. GPOs dictate security settings and software deployments, sometimes offering avenues for privilege escalation. Trusts allow different domains or forests to communicate, which can be abused for cross-domain lateral movement.

Key Takeaway: Active Directory centralizes critical IT infrastructure, making it an invaluable target for privilege escalation and persistent access. Its complexity often hides misconfigurations ripe for exploitation. A solid understanding of its structure is foundational for any successful AD attack.

Initial Reconnaissance & Enumeration: Unveiling Active Directory Weaknesses

The first step in any AD attack is thorough reconnaissance. You need to identify domain controllers, enumerate users and groups, and map out potential attack paths. This phase is about gathering as much information as possible without causing suspicion.

Network-Level Active Directory Reconnaissance

Your journey usually starts with network scanning to locate potential Domain Controllers and identify open ports. Nmap is your best friend here, helping you discover hosts running critical AD services like LDAP (389, 636), Kerberos (88), SMB (445), and DNS (53).

You can identify potential DCs by looking for systems with multiple AD-related ports open. Often, a simple OS detection scan can confirm it's a Windows Server acting as a DC.

nmap -p 53,88,135,139,389,445,464,593,636,3268,3269 -A -T4 <target_IP_range>

This command scans for common AD ports, attempts service/OS detection, and uses an aggressive timing template. From my experience, identifying these ports is the fastest way to confirm you're looking at a domain controller.

For more detailed network scanning insights, check out our Nmap Tutorial for Pentesters.

User & Group Enumeration Active Directory Techniques

Once you've found a DC, the next step is to enumerate users and groups. This helps you build a target list for credential attacks. Tools like the Impacket suite's smbclient.py, rpcclient, or even PowerShell (if you have a foothold) are invaluable.

On Linux, ldapsearch can sometimes enumerate users, especially if anonymous LDAP binds are enabled (though this is rare in secure environments).

ldapsearch -x -h <DC_IP> -b "dc=example,dc=local" "(objectClass=user)" sAMAccountName

On a compromised Windows machine, PowerShell cmdlets like Get-ADUser and Get-ADGroup are incredibly powerful for detailed enumeration:

Get-ADUser -Filter * -Properties * | Select-Object sAMAccountName, Description, LastLogonDate, ServicePrincipalName | Export-Csv -Path C:\temp\ad_users.csv -NoTypeInformation

This command exports extensive details about all AD users, including potential Kerberoasting targets (users with ServicePrincipalName values).

Leveraging BloodHound for Active Directory Pathfinding

BloodHound is an absolute game-changer for Active Directory attack techniques. It visualizes the relationships between users, groups, computers, and GPOs, allowing you to quickly identify attack paths to high-value targets like Domain Admins.

You collect data using ingestors like SharpHound (for Windows) or BloodHound.py (for Linux/Python). These tools dump information about users, groups, computer sessions, ACLs, and GPOs into JSON files. You then import these into the BloodHound GUI.

# Example using BloodHound.py from a Linux attacker machine
# Requires credentials for a domain user
bloodhound.py -c All -u <username> -p <password> -d <domain.local> -ns <DC_IP> --collectionmethod All

Once the data is imported, BloodHound's interface lets you run queries like "Find shortest paths to Domain Admins" or "Find users with RDP access to Domain Controllers." It isn't just a tool; it's a strategic weapon for understanding complex Active Directory attack techniques and prioritizing your efforts.

Common Active Directory Attack Techniques: Exploiting Core Services

With enumeration complete, it's time to move to active exploitation. Many common Active Directory attack techniques target the Kerberos authentication protocol or specific user/service misconfigurations.

Kerberoasting for Active Directory Service Account Credentials

Kerberoasting is a technique where you request a Kerberos service ticket (TGS) for a service principal name (SPN) registered to a user account. If that user account's password is weak, you can crack the hash offline. This is potent because any authenticated domain user can request these tickets.

Many services (like SQL Server, scheduled tasks, web applications) run under domain user accounts. If these accounts have weak passwords, they become prime Kerberoasting targets.

Using Impacket's GetUserSPNs.py, you can request service tickets from the DC:

# Requesting service tickets using GetUserSPNs.py
GetUserSPNs.py -dc-ip <DC_IP> <domain>/<username>:<password> -request

This command outputs hashes in a format suitable for cracking with tools like Hashcat:

hashcat -m 13100 <kerberoast_hashes.txt> <wordlist.txt>

Success here often gives you credentials for accounts that might have elevated privileges on specific servers or even the domain.

AS-REP Roasting: Targeting User Account Weaknesses

AS-REP Roasting targets user accounts that have the "Do not require Kerberos preauthentication" flag enabled. When this flag is set, a user can request an Authentication Service (AS) reply without providing a pre-authenticator, meaning you can request a TGT (Ticket Granting Ticket) encrypted with the user's NTLM hash without knowing their password.

Again, Impacket's GetNPUsers.py is excellent for this:

# Requesting AS-REP hashes
GetNPUsers.py -dc-ip <DC_IP> <domain>/ -request -no-pass

This will dump hashes for any vulnerable accounts. You then crack these hashes offline with Hashcat, similar to Kerberoasting, typically using mode 18200.

Pass-the-Hash (PtH) and Over-the-Hash (PtO) Active Directory Attacks

Pass-the-Hash (PtH) is a classic attack where an attacker authenticates to a remote system using a user's NTLM hash instead of their plaintext password. This works because Windows often doesn't need the plaintext password for authentication, just the hash.

If you've dumped hashes from a compromised machine (e.g., via LSASS), and find a local administrator hash for another machine, you can use PtH to move laterally.

Impacket's suite provides excellent tools for this, like wmiexec.py, psexec.py, and smbexec.py:

# Using wmiexec.py with a hash to get a shell
wmiexec.py -hashes <LM_HASH>:<NT_HASH> <domain>/<username>@<target_IP>

This allows you to execute commands remotely on the target system as the specified user, often leading to a shell if the user has administrative privileges.

For more detailed information on hash-based attacks, our Mimikatz Tutorial is a must-read.

Golden Ticket & Silver Ticket Attacks

These are powerful persistence techniques that allow you to forge Kerberos tickets.

Golden Ticket: Forges a Kerberos Ticket Granting Ticket (TGT). With the KRBTGT account's NTLM hash (the account used to encrypt all TGTs in a domain), you can create TGTs for any user in the domain, granting you unlimited access for the ticket's lifetime. This essentially gives you permanent Domain Admin access without needing the actual password. You need the domain name, domain SID, and the KRBTGT hash.
Silver Ticket: Forges a Kerberos Ticket Granting Service (TGS) ticket for a specific service on a specific server. This requires the NTLM hash of the service account or the computer account for the target service. A Silver Ticket grants access to a single service (e.g., CIFS on a file server) without needing Domain Admin privileges, but often provides local admin access to that specific resource.

Both attacks are performed using tools like Mimikatz or Rubeus. They are extremely stealthy and effective for maintaining persistence after initial compromise.

# Mimikatz command to create a Golden Ticket (run on a compromised machine)
# Requires KRBTGT hash
lsadump::lsa /inject
kerberos::golden /domain:<domain.local> /sid:<domain_SID> /krbtgt:<krbtgt_hash> /user:<any_user_name> /id:<user_rid> /ptt

This command creates a golden ticket and "Passes The Ticket" (PTT) into the current session, allowing you to access domain resources as the forged user.

Credential Theft & Lateral Movement within Active Directory

Once you gain an initial foothold, the next critical step is often to steal credentials and use them to move laterally across the network, escalating privileges until you control the domain.

LSASS Credential Dumping: A Prime Active Directory Attack Vector

The Local Security Authority Subsystem Service (LSASS) process on Windows holds crucial authentication information, including plaintext passwords, NTLM hashes, and Kerberos tickets, for currently logged-on users. Dumping LSASS memory is a primary method for credential theft.

Tools like Mimikatz are famous for this:

# Running Mimikatz to dump LSASS credentials
privilege::debug
sekurlsa::logonpasswords

This command, run with administrative privileges on a target machine, will display passwords and hashes for users who have logged onto that system, including potentially Domain Admins if they've logged onto the compromised host.

Other tools like Procdump (from Sysinternals) can dump the LSASS process to a file, which can then be analyzed offline.

Responder & LLMNR/NBT-NS Poisoning

Responder is a potent tool for capturing hashes via Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) poisoning. When a client fails to resolve a hostname via DNS, it often falls back to these protocols, broadcasting queries to the local network.

Responder listens for these broadcasts. When a client requests an unknown hostname, Responder impersonates the requested host, tricking the client into sending its NTLMv2 hash for authentication. This is common in flat networks where clients often misspell hostnames or try to access non-existent resources.

# Running Responder to capture hashes
responder -I <interface_name> -rdw

This command starts Responder on the specified interface, capturing NTLMv2 hashes from LLMNR, NBT-NS, and SMB requests. You can then crack these hashes offline to obtain plaintext credentials.

Group Policy Object (GPO) Exploitation

GPOs are powerful. They push configurations, scripts, and software to users and computers across the domain. If you have write access to a GPO that applies to high-privilege users or computers (like Domain Controllers), you can modify it to execute arbitrary code, create new administrative accounts, or dump hashes.

Common GPO exploitation scenarios include:

Modifying startup/shutdown scripts to execute malicious payloads.
Adding new users to the local Administrators group on target machines.
Changing security settings to weaken defenses.

I've personally seen GPO misconfigurations provide a direct path to domain admin many times. It's a goldmine for lateral movement and persistence, especially when an attacker gains 'Edit settings, delete, modify security' permissions on an important GPO.

Key Takeaway: Lateral movement in Active Directory isn't just about finding a single exploit; it's about chaining together compromised credentials, misconfigurations, and weak protocols to gain deeper access across the domain. Always think about how each piece of information can lead to the next.

Attack Technique	Primary Target	Required Permissions (Common)	Impact
Kerberoasting	Service Accounts (SPNs)	Any domain user	Offline cracking of service hashes for plaintext passwords.
AS-REP Roasting	User Accounts (no preauth)	Any domain user	Offline cracking of user hashes for plaintext passwords.
Pass-the-Hash (PtH)	User/Admin Hashes	Local admin hash (NTLM) on target system.	Impersonation of user without plaintext password, remote execution.
Golden Ticket	KRBTGT Account	KRBTGT hash (usually from Domain Admin compromise).	Unlimited TGT for any user/service, domain persistence.
DCSync	Domain Controller	Replication privileges (e.g., Domain Admin, Enterprise Admin).	Extraction of all domain password hashes (NTDS.DIT).
LSASS Dumping	Logged-on Users	Local Administrator on target machine.	Extraction of plaintext passwords, hashes, Kerberos tickets.

Advanced Active Directory Attack Paths & Persistence

Once you've moved past basic credential theft, you'll start looking at more sophisticated ways to maintain access and fully control the domain. These often involve abusing misconfigured permissions or trust relationships.

Domain Trust Exploitation

Organizations often have multiple domains or even forests, connected by trust relationships. These trusts define how users and resources from one domain can authenticate and access resources in another. If you compromise a domain, you might be able to use its trust relationships to pivot into other, potentially higher-value domains.

Tools like BloodHound can visualize these trust paths, and Rubeus (for Kerberos manipulation) or Impacket can often be used to move across them. For example, a transitive trust means if Domain A trusts Domain B, and Domain B trusts Domain C, then Domain A implicitly trusts Domain C. Abusing these relationships can lead to a full forest compromise.

ACL-Based Active Directory Attacks (Abusing Delegations)

Active Directory Access Control Lists (ACLs) define who can do what to which objects. Misconfigured ACLs are a common source of privilege escalation. For example, if a low-privileged user has 'GenericWrite' or 'AllExtendedRights' permissions on a high-privileged user object, they might be able to reset that user's password or modify their attributes to gain control.

BloodHound is exceptional at identifying these ACL-based attack paths. PowerShell tools like PowerView from the PowerSploit framework can also enumerate ACLs directly, allowing you to spot these dangerous delegations manually.

# Using PowerView to find objects with GenericWrite permissions
Get-NetAcl -Principal <low_priv_user> | ?{$_.ActiveDirectoryRights -like "*GenericWrite*"}

Finding such a misconfiguration can provide a direct path to higher privileges without needing to crack a single hash.

DCSync Attack: Replicating Domain Controller Secrets

The DCSync attack is a powerful technique where an attacker, with specific replication permissions, impersonates a Domain Controller to request password hashes directly from another DC. This attack mimics the legitimate replication process between DCs, making it difficult to detect without proper logging and monitoring.

To execute a DCSync attack, you typically need permissions like "Replicating Directory Changes" and "Replicating Directory Changes All" on the domain naming context. These permissions are usually held by Domain Admins, Enterprise Admins, or specific service accounts. Once you gain these permissions, you can use Mimikatz or Impacket's secretsdump.py to extract all password hashes from the NTDS.DIT database.

# Mimikatz command for DCSync
lsadump::dcsync /domain:<domain.local> /all /debug

This command instructs Mimikatz to perform a DCSync request, pulling all user hashes from the domain. This is often the final step in a full domain compromise, giving you all credentials for offline cracking or PtH attacks.

For more exploitation examples, our Metasploit Tutorial for Pentesters offers additional insights into leveraging tools for various attack vectors.

Defending Against Active Directory Attack Techniques: A Pentester's Perspective

As pentesters, we know what makes our job harder. Effective defense against Active Directory attack techniques requires a multi-layered approach:

Principle of Least Privilege: Limit user and service account permissions to only what's absolutely necessary. This reduces the impact of a compromised account.
Strong Password Policies & MFA: Enforce complex, unique passwords and multi-factor authentication for all privileged accounts. This significantly mitigates the effectiveness of hash-cracking and PtH attacks.
Regular Auditing: Continuously audit GPOs, ACLs, and user permissions for misconfigurations. Tools like BloodHound can help identify these proactively.
Endpoint Detection & Response (EDR) & SIEM: Implement robust monitoring. Look for suspicious activity like LSASS dumps, unusual Kerberos ticket requests (Kerberoasting/AS-REP Roasting attempts), and replication requests from non-DCs.
Patch Management: Keep all systems, especially Domain Controllers, fully patched to prevent exploitation of known vulnerabilities.
Tiered Administration Model: Implement a tiered access model to segregate highly privileged accounts and limit where they can log on. This isolates critical assets from less secure parts of the network.

From my experience, organizations that focus on these areas force attackers to work much harder, increasing the chances of detection.

Microsoft Active Directory Documentation is an excellent resource for understanding AD architecture and security best practices. Also, the BloodHound GitHub Repository provides detailed information on its usage and underlying attack primitives.

Frequently Asked Questions

What is Active Directory and why is it a common target for attackers?

Active Directory (AD) is a directory service developed by Microsoft for Windows domain networks. It manages users, computers, and other network resources, centralizing authentication and authorization. Attackers frequently target AD because compromising it often grants control over the entire enterprise network, allowing them to access sensitive data, deploy malware, and maintain persistence.

What are the most common tools used in Active Directory attacks?

Common tools for Active Directory attacks include BloodHound for reconnaissance and attack path mapping, Impacket for various network protocol manipulations and hash-based attacks (e.g., Pass-the-Hash), Mimikatz for credential dumping and Kerberos ticket forging, and Responder for LLMNR/NBT-NS poisoning. PowerShell-based frameworks like PowerSploit are also crucial for in-depth enumeration and exploitation.

How can organizations protect themselves from Active Directory attack techniques?

Organizations can protect against Active Directory attacks by enforcing the principle of least privilege, implementing strong password policies and multi-factor authentication, regularly auditing GPOs and ACLs for misconfigurations, deploying EDR and SIEM solutions for anomaly detection, and maintaining a robust patch management program. A tiered administration model significantly helps in isolating critical assets.

Is exploiting Active Directory legal for pentesters and bug bounty hunters?

Exploiting Active Directory is legal for pentesters and bug bounty hunters ONLY when performed with explicit, written permission from the asset owner, within a defined scope of work, and in compliance with all relevant laws and ethical guidelines. Unauthorized exploitation is illegal and can lead to severe penalties. Always ensure you have proper authorization before conducting any penetration testing activities.