AD Attack Paths (Active Directory / Internal Network, 2024)

Active Directory Attack Lab

Full enterprise AD simulation with end-to-end attack chains

Tags: BloodHound, Mimikatz, Impacket, Kerberos, ADCS

Overview

This project involved designing and deploying a realistic Active Directory lab environment using VMware, then conducting a simulated red team engagement against it. The lab was built to mirror a small enterprise environment, complete with a Windows Server 2019 Domain Controller, two domain-joined Windows 10 workstations, and a Kali Linux attack machine. The engagement followed a realistic attack chain: initial access via credential harvesting, internal enumeration, lateral movement, and ultimately domain compromise via multiple privilege escalation paths.

Methodology

01. Lab Setup

Deployed Windows Server 2019 as the DC with Active Directory Domain Services configured. Joined two Windows 10 VMs to the domain with intentionally misconfigured users, SPNs, and delegation settings to create realistic attack paths.

02. Enumeration

Used BloodHound with SharpHound collector to map all AD objects, group memberships, ACLs, and attack paths. PowerView provided supplementary enumeration of SPNs, domain trusts, and user attributes.

03. Kerberoasting

Identified service accounts with SPNs set using PowerView. Requested Kerberos TGS tickets for these accounts and extracted the encrypted ticket hashes. Cracked the tickets offline using hashcat with the rockyou wordlist.

04. AS-REP Roasting

Identified accounts with Kerberos pre-authentication disabled using Get-DomainUser. Requested AS-REP hashes without authentication and cracked them offline.

05. NTLM Relay

Used Responder to capture NTLMv2 hashes from broadcast protocols (LLMNR/NBT-NS). Relayed captured authentication to a second machine using ntlmrelayx to gain a shell without cracking the hash.

06. ADCS Escalation

Identified vulnerable certificate templates using Certify. Requested a certificate for a domain admin using the ESC1 technique (subject alternative name abuse), then used the certificate to authenticate as Domain Admin via PKINIT.

Findings

ADCS ESC1 - SAN Abuse (Critical)

A certificate template allowed requesters to specify a Subject Alternative Name, enabling impersonation of any domain user including Domain Admin.

Kerberoastable Service Accounts (Critical)

Three service accounts had SPNs set and weak passwords that were cracked within minutes using offline dictionary attacks.

AS-REP Roastable Accounts (High)

Two accounts had pre-authentication disabled, and their passwords were cracked offline.

LLMNR/NBT-NS Poisoning (High)

Broadcast protocols enabled on the network allowed hash capture and relay without user interaction.

Excessive ACL Permissions (Medium)

BloodHound identified a path where a standard user had GenericWrite over a privileged group, enabling group membership manipulation.

Tools Used

  • BloodHound + SharpHound
  • PowerView
  • Mimikatz
  • Impacket suite (ntlmrelayx, secretsdump)
  • Responder
  • Certify
  • Rubeus
  • Hashcat

Remediation

  • Disable LLMNR and NBT-NS via Group Policy
  • Enforce strong passwords and regular rotation for all service accounts
  • Enable Kerberos pre-authentication on all accounts
  • Audit and remediate ADCS certificate templates - disable SAN specification for non-admin templates
  • Review all ACLs using BloodHound and remove unnecessary GenericWrite/GenericAll permissions
  • Implement tiered administration to limit lateral movement paths
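As an added defender-side check, not part of the lab's own tooling, the following PowerShell audits a domain for the four misconfigurations the remediation list targets (pre-auth disabled, SPN-bearing user accounts, ESC1-style certificate templates, and LLMNR/NBT-NS still enabled). It assumes the RSAT ActiveDirectory module, read access to the domain and Configuration partitions, and local registry access on the host being checked; the function names are mine.

```powershell
# Added audit script; assumes RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

# Finding: AS-REP roastable accounts. userAccountControl bit 0x400000 = DONT_REQ_PREAUTH.
function Get-PreAuthDisabledUsers {
    Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=4194304)' |
        Select-Object SamAccountName, Enabled
}

# Finding: Kerberoastable service accounts. Any user with an SPN can have a TGS requested;
# krbtgt is excluded, and PasswordLastSet shows whether rotation is overdue.
function Get-SpnUsers {
    Get-ADUser -LDAPFilter '(&(servicePrincipalName=*)(!(sAMAccountName=krbtgt)))' `
               -Properties servicePrincipalName, PasswordLastSet |
        Select-Object SamAccountName, PasswordLastSet,
            @{ n = 'SPNs'; e = { $_.servicePrincipalName -join ';' } }
}

# Finding: ADCS ESC1. A template is a candidate when the requester may supply the subject
# (msPKI-Certificate-Name-Flag bit 0x1 = ENROLLEE_SUPPLIES_SUBJECT), manager approval is off
# (msPKI-Enrollment-Flag bit 0x2 = PEND_ALL_REQUESTS not set) and an EKU permits logon.
# Who holds enrollment rights on each flagged template still has to be reviewed separately.
function Get-Esc1CandidateTemplates {
    $logonEkus = '1.3.6.1.5.5.7.3.2', '1.3.6.1.5.2.3.4', '1.3.6.1.4.1.311.20.2.2', '2.5.29.37.0'
    $base = 'CN=Certificate Templates,CN=Public Key Services,CN=Services,' +
            (Get-ADRootDSE).configurationNamingContext
    Get-ADObject -SearchBase $base -LDAPFilter '(objectClass=pKICertificateTemplate)' `
                 -Properties msPKI-Certificate-Name-Flag, msPKI-Enrollment-Flag, pKIExtendedKeyUsage |
        Where-Object {
            ($_.'msPKI-Certificate-Name-Flag' -band 1) -and
            -not ($_.'msPKI-Enrollment-Flag' -band 2) -and
            (-not $_.pKIExtendedKeyUsage -or ($_.pKIExtendedKeyUsage | Where-Object { $logonEkus -contains $_ }))
        } | Select-Object Name, pKIExtendedKeyUsage
}

# Finding: LLMNR/NBT-NS poisoning. Checks the local host's policy-delivered settings:
# EnableMulticast = 0 disables LLMNR; NetbiosOptions = 2 disables NetBIOS over TCP/IP per interface.
function Test-BroadcastNameResolution {
    $llmnr = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' `
                              -Name EnableMulticast -ErrorAction SilentlyContinue
    $nbt = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces' |
        Get-ItemProperty -Name NetbiosOptions -ErrorAction SilentlyContinue
    [pscustomobject]@{
        LlmnrDisabled                = ($llmnr.EnableMulticast -eq 0)
        NbtNsDisabledOnAllInterfaces = -not ($nbt | Where-Object { $_.NetbiosOptions -ne 2 })
    }
}

Get-PreAuthDisabledUsers; Get-SpnUsers; Get-Esc1CandidateTemplates; Test-BroadcastNameResolution
```

Run it as a domain user on a domain-joined host; each function's output is empty (or both registry checks true) once the corresponding remediation item has taken effect.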
