Active Directory Exploitation Lab
Complete domain compromise from initial foothold to persistence
Advanced Level Lab
Build This Lab with GOAD
Use GOAD for a ready-to-run, vulnerable AD environment.
Lab Overview
This advanced lab simulates a real-world Active Directory environment where you'll perform a complete domain compromise. Starting with limited access to a domain-joined machine, your objective is to escalate privileges, move laterally through the network, and achieve Domain Administrator access while maintaining persistence.
Learning Objectives
- Master Active Directory enumeration and reconnaissance techniques
- Exploit Kerberos-based vulnerabilities (Kerberoasting, ASREPRoasting)
- Perform lateral movement across domain-joined systems
- Escalate privileges to Domain Administrator level
- Establish persistent access mechanisms
- Understand real-world AD attack chains
Lab Environment
Network Topology
- Domain: RFS.LOCAL
- Domain Controller: DC01.RFS.LOCAL (Windows Server 2019)
- Member Server: SRV01.RFS.LOCAL (Windows Server 2016)
- Workstations: WS01.RFS.LOCAL, WS02.RFS.LOCAL (Windows 10)
- File Server: FS01.RFS.LOCAL (Windows Server 2019)
- Network Range: 192.168.100.0/24
Required Tools
Enumeration Tools
- PowerView: AD enumeration and exploitation
- BloodHound: Attack path analysis
- ADRecon: Comprehensive AD information gathering
- ldapdomaindump: LDAP enumeration
Exploitation Tools
- Rubeus: Kerberos ticket manipulation
- Impacket: Protocol implementations
- Mimikatz: Credential extraction
- PowerShell Empire: Post-exploitation
Persistence Tools
- SharPersist: Persistence techniques
- PowerSploit: PowerShell exploitation
- Invoke-Obfuscation: PowerShell obfuscation
- Custom Scripts: Tailored persistence mechanisms
Lab Phases
Phase 1: Initial Reconnaissance
Enumerate the Active Directory environment and identify attack vectors.
- Domain and forest enumeration
- User and group discovery
- Service Principal Name (SPN) identification
- Trust relationship analysis
Phase 2: Initial Compromise
Exploit identified vulnerabilities to gain additional access.
- Kerberoasting vulnerable service accounts
- ASREPRoasting pre-authentication disabled accounts
- Password spraying against identified users
- Credential extraction from compromised systems
Phase 3: Lateral Movement
Move through the network using compromised credentials.
- Pass-the-hash and over-pass-the-hash attacks
- PowerShell remoting exploitation
- WMI and DCOM lateral movement
- Token impersonation techniques
Phase 4: Privilege Escalation
Escalate to Domain Administrator level access.
- Delegation abuse (unconstrained/constrained)
- DCSync attack against domain controller
- Golden ticket creation and usage
- AdminSDHolder abuse
Phase 5: Persistence & Stealth
Establish multiple persistence mechanisms.
- Golden ticket persistence
- Silver ticket for specific services
- Skeleton key implementation
- Group Policy modification
Detailed Scenarios
Scenario 1: Service Account Exploitation
Objective: Identify and exploit Kerberoastable service accounts.
Tasks
- Enumerate all SPNs in the domain
- Identify vulnerable service accounts
- Request TGS tickets for services
- Extract and crack service account passwords
- Verify access with compromised accounts
Key Commands
```text
Get-DomainUser -SPN      # PowerView: list accounts that have an SPN set
Request-SPNTicket        # PowerView: request service tickets for those SPNs
Invoke-Kerberoast        # PowerView / Empire: request tickets and output crackable hashes
hashcat -m 13100         # hashcat mode 13100: Kerberos 5 TGS-REP etype 23 (RC4)
```
Scenario 2: Delegation Attack Chain
Objective: Exploit delegation vulnerabilities for privilege escalation.
Tasks
- Identify computers with unconstrained delegation
- Force authentication to delegated machine
- Extract TGT from LSASS memory
- Pass-the-ticket for privilege escalation
- Achieve Domain Admin access
Expected Findings
- Unconstrained delegation on SRV01
- Forced authentication via printer bug
- Domain Controller TGT extraction
- Full domain compromise
Scenario 3: Golden Ticket Persistence
Objective: Create and use golden tickets for persistent access.
Tasks
- Extract KRBTGT account hash
- Identify domain SID
- Generate golden ticket
- Test persistent access
- Demonstrate stealth capabilities
Persistence Benefits
- Long-term access (10 years default)
- Bypass most detection mechanisms
- Works even after password changes
- Administrative access to all systems
Attack Path Analysis
BloodHound Analysis Exercise
Use BloodHound to identify and visualize attack paths to Domain Admins.
Data Collection
- Run SharpHound collector
- Import data into BloodHound
- Run pre-built queries
- Identify shortest paths to DA
Key Queries
- Shortest Path to Domain Admins
- Find all Kerberoastable Users
- Find Computers with Unconstrained Delegation
- Find ASREPRoastable Users
Expected Results
Lab Completion Criteria
Successfully complete the following objectives to pass the lab:
- Domain Enumeration: Map the complete AD structure
- Service Account Compromise: Successfully crack Kerberoast hashes
- Lateral Movement: Access multiple domain systems
- Domain Admin Access: Achieve highest privileges
- Persistence: Establish multiple backdoors
- Documentation: Detailed attack chain report
Advanced Techniques
OPSEC Considerations
- Avoid noisy enumeration techniques
- Use legitimate admin tools when possible
- Implement proper timing between actions
- Clean up artifacts after testing
Detection Evasion
- PowerShell logging bypass
- AMSI evasion techniques
- ETW bypass methods
- Living off the land approach
Alternative Attack Paths
- Resource-based constrained delegation
- Shadow credentials attack
- ADCS certificate abuse
- Group Policy modification
Knowledge Validation
Post-Lab Assessment
Answer these questions to validate your understanding:
- What is the difference between Kerberoasting and ASREPRoasting?
- How does unconstrained delegation differ from constrained delegation?
- What are the prerequisites for a DCSync attack?
- How long is a golden ticket valid by default, and can this be changed?
- What is the difference between a golden ticket and a silver ticket?
- How can AdminSDHolder be abused for persistence?
- What are the key indicators of compromise for each attack type?
- How would you defend against the attacks demonstrated in this lab?
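To make the indicator-of-compromise question concrete for Scenario 1 (Kerberoasting) and Scenario 3 (golden tickets), here is an added detection example written for this page; it is not code from the original lab or from GOAD. It runs over constructed Windows Security event records (events 4768, TGT requested, and 4769, service ticket requested); the event tuples, account names and IP addresses are made up for the example, and a real deployment would read the same fields from a SIEM export.

```python
"""Offline detection of Kerberos abuse indicators in Windows Security events.

Added example for this lab, not part of the original page or of GOAD.
Event records are constructed so the script runs offline; field names follow
the Security log schema for events 4768 (TGT requested) and 4769 (service
ticket requested).
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17  # TicketEncryptionType for RC4-HMAC; AES tickets log 0x11 / 0x12

# Constructed events: (timestamp, event id, requesting account, service, enc type, source IP)
SAMPLE_EVENTS = [
    # Ordinary user: TGT at logon, then an AES service ticket for the file server.
    ("2024-01-15T08:00:01", 4768, "jdoe", "krbtgt", 0x12, "192.168.100.50"),
    ("2024-01-15T08:00:05", 4769, "jdoe", "FS01$", 0x12, "192.168.100.50"),
    # Kerberoasting pattern: one account pulls RC4 tickets for many SPN-bearing
    # user accounts within seconds.
    ("2024-01-15T09:12:00", 4768, "mwilson", "krbtgt", 0x12, "192.168.100.61"),
    ("2024-01-15T09:12:02", 4769, "mwilson", "svc_sql", 0x17, "192.168.100.61"),
    ("2024-01-15T09:12:02", 4769, "mwilson", "svc_web", 0x17, "192.168.100.61"),
    ("2024-01-15T09:12:03", 4769, "mwilson", "svc_backup", 0x17, "192.168.100.61"),
    ("2024-01-15T09:12:03", 4769, "mwilson", "svc_iis", 0x17, "192.168.100.61"),
    # Golden-ticket pattern: service tickets for a privileged account from a host
    # that never asked the KDC for a TGT (a forged TGT is never issued, so no 4768).
    ("2024-01-15T11:30:00", 4769, "Administrator", "DC01$", 0x12, "192.168.100.77"),
    ("2024-01-15T11:30:04", 4769, "Administrator", "FS01$", 0x12, "192.168.100.77"),
]


def parse(raw_events):
    """Turn the constructed tuples into dicts with real timestamps."""
    return [
        {"time": datetime.fromisoformat(t), "id": eid, "account": acct,
         "service": svc, "enc": enc, "ip": ip}
        for t, eid, acct, svc, enc, ip in raw_events
    ]


def detect_kerberoast(events, window=timedelta(minutes=5), threshold=3):
    """Return {account: [services]} for accounts requesting RC4 service tickets
    for at least `threshold` distinct user-account SPNs inside `window`.
    Computer accounts ($) and krbtgt are excluded: their long random passwords
    are not the target of offline cracking."""
    by_account = defaultdict(list)
    for ev in events:
        if (ev["id"] == 4769 and ev["enc"] == RC4_HMAC
                and not ev["service"].endswith("$")
                and ev["service"].lower() != "krbtgt"):
            by_account[ev["account"]].append(ev)

    hits = {}
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e["time"])
        for i, first in enumerate(evs):
            in_window = [e for e in evs[i:] if e["time"] - first["time"] <= window]
            services = {e["service"] for e in in_window}
            if len(services) >= threshold:
                hits[account] = sorted(services)
                break
    return hits


def detect_tgs_without_tgt(events, lookback=timedelta(hours=10)):
    """Return (account, source IP, service) for 4769 events with no 4768 from the
    same account and source IP in the preceding `lookback` (default = the 10-hour
    default TGT lifetime). Heuristic only: TGT renewals and tickets issued by a DC
    whose log is not collected produce the same pattern, so verify each hit
    (e.g. against 4624 logons) before treating it as a forged TGT."""
    tgt_times = defaultdict(list)
    for ev in events:
        if ev["id"] == 4768:
            tgt_times[(ev["account"].lower(), ev["ip"])].append(ev["time"])

    suspicious = []
    for ev in events:
        if ev["id"] != 4769:
            continue
        key = (ev["account"].lower(), ev["ip"])
        covered = any(timedelta(0) <= ev["time"] - t <= lookback for t in tgt_times[key])
        if not covered:
            suspicious.append((ev["account"], ev["ip"], ev["service"]))
    return suspicious


if __name__ == "__main__":
    events = parse(SAMPLE_EVENTS)
    for account, services in detect_kerberoast(events).items():
        print(f"[kerberoast?] {account} requested RC4 tickets for {', '.join(services)}")
    for account, ip, service in detect_tgs_without_tgt(events):
        print(f"[forged TGT?] {account}@{ip} -> {service} with no matching 4768")
```

The RC4 filter is what makes the first rule useful: once service accounts advertise AES (see the Kerberos hardening measure below), any 0x17 ticket request for a user-account SPN becomes a rare event worth reviewing on its own. The second rule is deliberately conservative about what it claims; the point of the lab's "bypass most detection mechanisms" statement is that a forged TGT looks valid to every service, so the absence of a legitimate 4768 is one of the few places it leaves a trace.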
Defense Recommendations
Security Hardening Measures
- Service Accounts: Use Managed Service Accounts (MSA)
- Kerberos: Enable AES encryption for Kerberos
- Privileged Groups: Minimize Domain Admin membership
- Delegation: Avoid unconstrained delegation
- Monitoring: Implement comprehensive AD logging
- Detection: Deploy behavioral analytics
- LAPS: Implement Local Administrator Password Solution
- Tiering: Implement administrative tier model
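Several of the hardening measures above (AES for Kerberos, no unconstrained delegation, small Domain Admins membership, service accounts that are not ordinary privileged users) can be checked mechanically from an account export. The following audit is an added example written for this page, not code from the lab or from GOAD. The account records are constructed dicts whose keys mirror the LDAP attributes an export (for instance from ldapdomaindump or Get-ADUser -Properties *) would contain; the account names and values are made up, and the flag constants are the documented userAccountControl and msDS-SupportedEncryptionTypes bits.

```python
"""Audit AD account records against the lab's hardening measures.

Added example for this lab, not the page's or GOAD's code. Records are
constructed dicts mirroring the LDAP attributes of an export; pass real
exported records to audit() to use it for a real domain.
"""

# userAccountControl flag bits (MS-ADTS / MS-SAMR)
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200
WORKSTATION_TRUST_ACCOUNT = 0x1000       # member server / workstation computer account
SERVER_TRUST_ACCOUNT = 0x2000            # domain controller computer account
DONT_EXPIRE_PASSWORD = 0x10000
TRUSTED_FOR_DELEGATION = 0x80000         # unconstrained delegation
DONT_REQ_PREAUTH = 0x400000              # Kerberos pre-authentication not required

# msDS-SupportedEncryptionTypes bits
ENC_RC4_HMAC = 0x4
ENC_AES = 0x8 | 0x10                     # AES128-CTS | AES256-CTS

# Constructed records for the lab domain RFS.LOCAL (values are made up).
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "DC01$", "userAccountControl": SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION,
     "servicePrincipalName": ["HOST/DC01.RFS.LOCAL"], "msDS-SupportedEncryptionTypes": 0x1C, "memberOf": []},
    {"sAMAccountName": "SRV01$", "userAccountControl": WORKSTATION_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION,
     "servicePrincipalName": ["HOST/SRV01.RFS.LOCAL"], "msDS-SupportedEncryptionTypes": 0x1C, "memberOf": []},
    {"sAMAccountName": "svc_sql", "userAccountControl": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD,
     "servicePrincipalName": ["MSSQLSvc/SRV01.RFS.LOCAL:1433"], "msDS-SupportedEncryptionTypes": 0,
     "memberOf": ["Domain Admins"]},
    {"sAMAccountName": "legacyapp", "userAccountControl": NORMAL_ACCOUNT | DONT_REQ_PREAUTH,
     "servicePrincipalName": [], "msDS-SupportedEncryptionTypes": 0x1C, "memberOf": []},
    {"sAMAccountName": "olduser", "userAccountControl": NORMAL_ACCOUNT | DONT_REQ_PREAUTH | ACCOUNTDISABLE,
     "servicePrincipalName": [], "msDS-SupportedEncryptionTypes": 0x1C, "memberOf": []},
    {"sAMAccountName": "jdoe", "userAccountControl": NORMAL_ACCOUNT,
     "servicePrincipalName": [], "msDS-SupportedEncryptionTypes": 0x1C, "memberOf": []},
    {"sAMAccountName": "Administrator", "userAccountControl": NORMAL_ACCOUNT,
     "servicePrincipalName": [], "msDS-SupportedEncryptionTypes": 0x1C, "memberOf": ["Domain Admins"]},
]


def is_computer(acct):
    return acct["sAMAccountName"].endswith("$")


def audit(accounts):
    """Return (account, finding, remediation) tuples, one per hardening gap."""
    findings = []
    for acct in accounts:
        name, uac = acct["sAMAccountName"], acct["userAccountControl"]
        spns = acct.get("servicePrincipalName") or []
        enc = acct.get("msDS-SupportedEncryptionTypes") or 0
        if uac & ACCOUNTDISABLE:
            continue  # a disabled account cannot authenticate, so it is not roastable
        if uac & DONT_REQ_PREAUTH:
            findings.append((name, "preauth-disabled",
                             "clear DONT_REQ_PREAUTH; the account is ASREPRoastable"))
        # Domain controllers legitimately carry TRUSTED_FOR_DELEGATION; anything else should not.
        if uac & TRUSTED_FOR_DELEGATION and not uac & SERVER_TRUST_ACCOUNT:
            findings.append((name, "unconstrained-delegation",
                             "remove delegation or move to resource-based constrained delegation"))
        if spns and not is_computer(acct):
            # 0 / unset advertises no AES for a user account; the KDC has historically
            # fallen back to RC4 for such accounts, which is what Kerberoasting cracks.
            if not enc & ENC_AES:
                findings.append((name, "rc4-only-service-account",
                                 "set msDS-SupportedEncryptionTypes to AES and rotate the password"))
            if "Domain Admins" in acct.get("memberOf", []):
                findings.append((name, "privileged-service-account",
                                 "remove from Domain Admins or replace with a Managed Service Account"))
    return findings


def domain_admin_count(accounts):
    """Size of Domain Admins as seen in the export (the tier-model metric to minimise)."""
    return sum("Domain Admins" in a.get("memberOf", []) for a in accounts)


if __name__ == "__main__":
    for name, finding, fix in audit(SAMPLE_ACCOUNTS):
        print(f"{name:14} {finding:28} {fix}")
    print(f"Domain Admins members: {domain_admin_count(SAMPLE_ACCOUNTS)}")
```

Two details matter when running this against a real export: the DC exemption keys off SERVER_TRUST_ACCOUNT rather than the host name, so a member server that was granted unconstrained delegation (as SRV01 in Scenario 2) is caught regardless of naming, and the disabled-account skip keeps stale objects out of the report without hiding the enabled ones that actually expose the domain.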
Lab Completion Checklist
Verify your progress: Ensure you've completed all components.
- Successfully enumerated the complete AD environment
- Exploited Kerberoasting vulnerabilities
- Performed lateral movement across multiple systems
- Escalated to Domain Administrator privileges
- Created and used golden tickets
- Established persistent backdoor access
- Analyzed attack paths with BloodHound
- Documented complete attack chain
Estimated Time: 8-12 hours for complete lab