Ethredix

Active Directory Penetration Testing

Comprehensive Active Directory security testing - from reconnaissance to domain dominance.

Enumeration

Mapping AD structure, users, groups, trust relationships and permissions.

Exploitation

Exploiting misconfigurations, weak passwords, delegations and known AD vulnerabilities.

Persistence

Testing persistence mechanisms - Golden/Silver tickets, ACL backdoors.

Common AD Attacks

Kerberoasting

Requesting TGS tickets for service accounts (SPNs) and cracking the encrypted ticket offline.

SPN enumeration, TGS-REP extraction, hashcat cracking

AS-REP Roasting

Exploiting accounts that do not require Kerberos pre-authentication to obtain crackable AS-REP hashes.

DONT_REQ_PREAUTH flag, offline hash cracking

Pass-the-Hash / Pass-the-Ticket

Using obtained NTLM hashes or Kerberos tickets for lateral movement.

NTLM relay, ticket injection, authentication bypass

Golden/Silver Ticket

Creating forged Kerberos tickets using the KRBTGT account hash (Golden) or a service account hash (Silver).

Persistence mechanism, domain-wide access

DCSync

Abusing directory replication permissions to extract password hashes for every domain account.

Replicating Directory Changes, KRBTGT hash extraction

ACL Abuse

Exploiting weak ACLs for privilege escalation - GenericAll, WriteDACL, ForceChangePassword.

BloodHound analysis, ACL modification, path to DA

GPO Abuse

Modifying Group Policy Objects to distribute malware or gain admin access.

GPO modification, scheduled tasks, startup scripts

Unconstrained/Constrained Delegation

Abusing Kerberos delegation to impersonate privileged users.

TGT extraction, service impersonation, S4U2Self/S4U2Proxy

Testing Tools

Enumeration

  • BloodHound
  • PowerView
  • ldapdomaindump
  • ADRecon

Exploitation

  • Impacket
  • Rubeus
  • Mimikatz
  • CrackMapExec

Post-Exploitation

  • Covenant/Cobalt Strike
  • SharpHound
  • PowerSploit
  • Empire

Testing Output

BloodHound Analysis

  • Attack path visualization
  • Shortest path to Domain Admin
  • ACL abuse opportunities
  • High-value targets

Technical Findings

  • Weak password policy
  • Privileged account exposure
  • Delegation misconfigurations
  • GPO vulnerabilities

Hardening Recommendations

  • Tiering model implementation
  • LAPS deployment
  • Protected Users group
  • Credential Guard

Monitoring Recommendations

  • Sysmon configuration
  • Event log forwarding
  • Anomaly detection rules

Process

01. Initial Access

Obtaining initial domain access - phishing, network access, weak credentials.

02. Domain Enumeration

Mapping AD structure using BloodHound, PowerView, ldapsearch.

03. Privilege Escalation

Kerberoasting, AS-REP roasting, ACL abuse, GPO exploitation.

04. Lateral Movement

Pass-the-hash, pass-the-ticket, psexec, WMI, PowerShell remoting.

05. Domain Dominance

DCSync, Golden Ticket, Domain Admin compromise, persistence mechanisms.

06. Reporting

BloodHound graphs, attack paths, remediation roadmap, hardening guidelines.