Complete Active Directory penetration testing methodology — from zero access to full domain compromise with permanent Golden Ticket persistence.
This research was conducted in an isolated lab environment for educational purposes only. Never use these techniques on systems you do not own or have explicit written permission to test.
| Phase | Technique | Tool | Result |
|---|---|---|---|
| Recon | BloodHound Enumeration | SharpHound + BloodHound CE | Full AD Map |
| Initial Access | AS-REP Roasting | Impacket-GetNPUsers | Hash Captured |
| Credential Access | Kerberoasting | Impacket-GetUserSPNs | Service Hashes |
| Domain Dominance | DCSync Attack | Impacket-secretsdump | ALL Hashes |
| Lateral Movement | Pass-the-Hash | Evil-WinRM | Admin Shell |
| Persistence | Golden Ticket | Impacket-ticketer | 10-Year Access |

| Machine | OS | IP | Role |
|---|---|---|---|
| DC01 | Windows Server 2022 | 192.168.114.10 | Domain Controller |
| WIN10-PC | Windows 10 Enterprise | 192.168.114.20 | Victim Workstation |
| Kali Linux | Kali 2024 | 192.168.114.132 | Attacker Machine |
- BloodHound CE — AD attack path visualization
- SharpHound v2.6.8 — AD data collector
- Impacket Suite — AS-REP Roasting, Kerberoasting, DCSync
- Evil-WinRM — Pass-the-Hash shell
- Hashcat v7.1.2 — Password hash cracking
- VMware Workstation 17 Pro — Virtualization

Mapped the entire AD domain of 307 objects. Identified Kerberoastable accounts, AS-REP roasting targets, Domain Admins, and active sessions.

Attacked peter.parker, which has Kerberos pre-authentication disabled. Captured its krb5asrep hash with zero credentials.

Used alice (a low-privilege user) to request service tickets for svc.sql and svc.http. Captured their krb5tgs hashes for offline cracking.

Dumped ALL domain NTLM hashes, including KRBTGT. The complete credential database was compromised.

Used the Administrator NTLM hash with Evil-WinRM. Obtained an interactive shell on DC01 as Domain Admin.

Forged a Kerberos TGT using the stolen KRBTGT hash. Established 10-year persistent access to the domain.

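The DCSync step above is the one a defender can catch most reliably, because replicating directory secrets leaves an Event ID 4662 on the domain controller that names the replication rights used. The following is an added detection example, not code from this lab repository: it runs over a constructed list of 4662 records (the account and host names reuse the lab tables, every event field value is made up here) and flags replication-rights use by any principal that is not a known domain controller computer account.

```python
"""Detect DCSync-style replication requests in Windows Security events.

Added example, not part of the original lab write-up. It works over a
constructed list of Event ID 4662 records shaped like the fields a log
forwarder extracts from the event; the account names come from the lab
tables, the event contents themselves are constructed.
"""
import re

# Control-access-right GUIDs that grant directory replication. These are
# the documented Active Directory rights GUIDs. A replication-based hash
# dump needs these rights, so their appearance in a 4662 event raised by
# anything other than a domain controller is the signal.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}

# Computer accounts of legitimate domain controllers.
# Assumption: DC01 from the lab table is the only DC.
KNOWN_DC_ACCOUNTS = {"DC01$"}

GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.IGNORECASE)

# Constructed 4662 records: normal DC-to-DC replication, the same rights
# exercised by an ordinary admin account, and an unrelated 4662 on a user
# object (bf967aba-... is the schema GUID of the "user" class).
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC01$", "SubjectDomainName": "LAB",
     "ObjectType": "domainDNS",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
                   "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "john.admin", "SubjectDomainName": "LAB",
     "ObjectType": "domainDNS",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
                   "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "alice", "SubjectDomainName": "LAB",
     "ObjectType": "user",
     "Properties": "{bf967aba-0de6-11d0-a285-00aa003049e2}"},
]


def replication_rights_used(properties: str) -> list[str]:
    """Names of the replication rights referenced in a 4662 Properties field."""
    return [REPLICATION_RIGHTS[g.lower()]
            for g in GUID_RE.findall(properties)
            if g.lower() in REPLICATION_RIGHTS]


def detect_dcsync(events, known_dcs=KNOWN_DC_ACCOUNTS):
    """Return one alert per 4662 event in which a non-DC principal used
    directory replication rights. DC-to-DC replication is skipped."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        rights = replication_rights_used(ev.get("Properties", ""))
        if not rights:
            continue
        subject = ev["SubjectUserName"]
        if subject in known_dcs:
            continue
        alerts.append({
            "subject": f"{ev['SubjectDomainName']}\\{subject}",
            "rights": rights,
            "object": ev.get("ObjectType"),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_dcsync(SAMPLE_EVENTS):
        print(alert)
```

Two caveats when deploying this check: 4662 is only written if the "Audit Directory Service Access" subcategory is enabled and the domain object carries a SACL for the replication rights, and the allow-list of DC accounts must be kept current, since any account that legitimately replicates (a directory synchronisation service, for example) will otherwise be flagged.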
| Severity | Finding | Account |
|---|---|---|
| 🔴 CRITICAL | AS-REP Roastable | peter.parker |
| 🔴 CRITICAL | Kerberoastable SPNs | svc.sql, svc.http |
| 🔴 CRITICAL | DCSync — Full Hash Dump | All accounts |
| 🔴 CRITICAL | Golden Ticket Persistence | KRBTGT |
| 🟠 HIGH | Weak Admin Password | john.admin |
| 🟠 HIGH | Weak User Passwords | alice, bob |
```text
AD-Attack-Lab/
├── AD_Red_Team_Report.docx ← Full research report
├── Screenshot_*.png ← Attack evidence
├── LICENSE
└── README.md
```
- Enable Kerberos pre-authentication on ALL accounts
- Use gMSAs for service accounts (auto-rotating passwords)
- Restrict DCSync permissions to DCs only
- Enable Windows Defender Credential Guard
- Change KRBTGT password TWICE after any compromise
- Run BloodHound as blue team tool regularly
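The first three items in the list above (and the KRBTGT reset) can be verified from directory attributes alone. The script below is an added example, not the repository's own code: it runs the audit over a constructed directory export (a list of records with the LDAP attributes sAMAccountName, objectClass, userAccountControl, servicePrincipalName and pwdLastSet). The account names come from the lab's findings table; the attribute values, the audit date and host names such as sql01.lab.local are assumptions.

```python
"""Audit checks for the AD hardening items listed above.

Added example, not the repository's own code. It reads a constructed
directory export; account names come from the lab's findings table,
the attribute values, the "current" date and the host names in the
SPNs are made up here.
"""
from datetime import datetime, timedelta, timezone

# userAccountControl bit flags (documented values).
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000
UF_DONT_REQUIRE_PREAUTH = 0x400000

NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)  # constructed audit date

# Constructed directory export.
SAMPLE_DIRECTORY = [
    {"sAMAccountName": "peter.parker", "objectClass": "user",
     "userAccountControl": UF_NORMAL_ACCOUNT | UF_DONT_REQUIRE_PREAUTH,
     "servicePrincipalName": [], "pwdLastSet": NOW - timedelta(days=30)},
    {"sAMAccountName": "alice", "objectClass": "user",
     "userAccountControl": UF_NORMAL_ACCOUNT,
     "servicePrincipalName": [], "pwdLastSet": NOW - timedelta(days=30)},
    {"sAMAccountName": "svc.sql", "objectClass": "user",
     "userAccountControl": UF_NORMAL_ACCOUNT,
     "servicePrincipalName": ["MSSQLSvc/sql01.lab.local:1433"],
     "pwdLastSet": NOW - timedelta(days=700)},
    {"sAMAccountName": "svc.http", "objectClass": "user",
     "userAccountControl": UF_NORMAL_ACCOUNT,
     "servicePrincipalName": ["HTTP/web01.lab.local"],
     "pwdLastSet": NOW - timedelta(days=10)},
    # A gMSA carrying an SPN: its key rotates automatically, so it is not
    # a Kerberoasting concern and the audit must not flag it.
    {"sAMAccountName": "gmsa-web$", "objectClass": "msDS-GroupManagedServiceAccount",
     "userAccountControl": UF_WORKSTATION_TRUST_ACCOUNT,
     "servicePrincipalName": ["HTTP/web02.lab.local"],
     "pwdLastSet": NOW - timedelta(days=5)},
    {"sAMAccountName": "krbtgt", "objectClass": "user",
     "userAccountControl": UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE,
     "servicePrincipalName": ["kadmin/changepw"],
     "pwdLastSet": NOW - timedelta(days=400)},
]


def preauth_disabled(records):
    """Accounts with DONT_REQUIRE_PREAUTH set: these are AS-REP roastable."""
    return sorted(r["sAMAccountName"] for r in records
                  if r["userAccountControl"] & UF_DONT_REQUIRE_PREAUTH)


def kerberoastable_user_accounts(records):
    """Enabled user-class accounts (not gMSAs, not krbtgt) that carry an SPN.
    Any domain user can request a service ticket for them, so their
    passwords must resist offline cracking or the account should be a gMSA."""
    out = []
    for r in records:
        if r["objectClass"] != "user" or r["sAMAccountName"].lower() == "krbtgt":
            continue
        if r["userAccountControl"] & UF_ACCOUNTDISABLE or not r["servicePrincipalName"]:
            continue
        out.append(r["sAMAccountName"])
    return sorted(out)


def stale_service_passwords(records, now=NOW, max_age_days=365):
    """Kerberoastable accounts whose password is older than max_age_days."""
    roastable = set(kerberoastable_user_accounts(records))
    return sorted(r["sAMAccountName"] for r in records
                  if r["sAMAccountName"] in roastable
                  and (now - r["pwdLastSet"]).days > max_age_days)


def krbtgt_password_age_days(records, now=NOW):
    """Days since the KRBTGT password was last set, or None if not present."""
    for r in records:
        if r["sAMAccountName"].lower() == "krbtgt":
            return (now - r["pwdLastSet"]).days
    return None


def audit(records, now=NOW):
    """Run every check and return the findings as one dict."""
    return {
        "preauth_disabled": preauth_disabled(records),
        "kerberoastable_users": kerberoastable_user_accounts(records),
        "stale_service_passwords": stale_service_passwords(records, now),
        "krbtgt_password_age_days": krbtgt_password_age_days(records, now),
    }


if __name__ == "__main__":
    for check, result in audit(SAMPLE_DIRECTORY).items():
        print(f"{check}: {result}")
```

Against the constructed export, the audit surfaces the same three account groups the findings table lists, which is the point of running it regularly: an AS-REP roastable user, two user-class service accounts with SPNs (one with a 700-day-old password), and a KRBTGT password that has not been rotated in over a year. When the KRBTGT reset is done, the two resets should be spaced by at least the maximum TGT lifetime (10 hours by default) so that tickets issued under the previous key expire rather than break.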
Abdullah, Cybersecurity Student | Red Team Researcher
- 🔗 LinkedIn: [Abdullah Mehmood]
- 📧 Email: [aabdullahmehmood85@gmail.com]