AD Attack Examples and Tools

Attack Examples

Fantastic resources with many attacks explained with clear step-by-step instructions and screenshots.

  • Pentest Everything Highly recommended, because it has many parts structured according to MITRE ATT&CK.
  • Red Team Notes A collection of techniques that exploit and abuse Active Directory, Kerberos authentication, Domain Controllers and similar matters.
    • Unconstrained delegation
    • Constrained delegation
    • Resource-based constrained delegation (RBCD)
    • Kerberoasting
    • AS-Rep Roasting
    • Golden Tickets
    • Silver Tickets
    • and more
  • GOAD - Go Active Directory It would be nice to have the time and skills to set up their (free) lab, but it is too complex. Reading their numerous examples is very useful, though, in particular:
  • Hack The Box - Absolute Writeup (i.e., written summary) of how to get Administrator access on a virtual machine named Absolute (available on Hack The Box). Based on Kerberos abuse, it shows both KrbRelay being used to add a user to the Administrators group and KrbRelayUp being used to obtain the machine account hash and perform a DCSync attack.
  • Juggernaut Pentesting Academy Very clear blog with many resources on:

    • Hack The Box Writeups
    • Active Directory Hacking
    • Windows and Linux Privilege Escalation

Offensive tools

  • Mimikatz The father of modern Windows attacks. Many tutorials out there, including this one.

  • Rubeus

    • Roasting;
    • Ticket requests and renewals;
    • Ticket Forgery;
    • Ticket Management;
    • Ticket Extraction and Harvesting;
    • Brute force and spray;
    • Constrained delegation abuse;
    • S4U.
  • CrackMapExec (a.k.a. CME) is a post-exploitation tool that helps automate assessing the security of large Active Directory networks. Built with stealth in mind, CME follows the concept of "Living off the Land": abusing built-in Active Directory features/protocols to achieve its functionality, which allows it to evade most endpoint protection/IDS/IPS solutions. CME makes heavy use of the Impacket library for working with network protocols and performing a variety of post-exploitation techniques.

  • Empire: A Powerful Post-Exploitation Tool
  • Certipy Offensive tool for enumerating and abusing Active Directory Certificate Services (AD CS).