🖥Active Directory Lab: Enumeration and Exploitation 🔐

Robert Scocca
14 min read · May 28, 2021

Learn about Active Directory penetration testing enumeration and exploitation using tools like Impacket, Kerbrute, and CrackMapExec. This post focuses on initial external enumeration and exploitation, from the perspective of an attacker who has network access to the AD environment but no account credentials and little information about the internal network. You will learn:

  • Target enumeration with Nmap, CME, Nbtscan
  • Username enumeration with Nmap and Kerbrute
  • Exploit misconfigurations with Windapsearch and AS-REP Roasting
  • Poisoning AD protocols with Responder and mitm6
  • Password Spraying with Kerbrute and Spray.sh
  • Pass the Hash and Kerberoasting

As in a black box test, our goal is first to gather valuable information: the number of hosts, what services they run, the domain name, which users are in the domain, and what their passwords are. I’ll quickly go through the commands and results of each attack that will help you gain a foothold on an AD network.

In a future post I will write about how to enumerate and exploit AD once you have a foothold. Once you compromise an account, especially an admin account, a lot of damage can be done to AD. Any tool used in this post is either native to Kali Linux or has its GitHub repository linked where it’s discussed.

This guide builds off the network that is built in this post. If you’d like to replicate these attacks yourself, read that post first to learn how to build your own Active Directory lab.

I’m using an Active Directory network consisting of 2 Windows 10 workstations and 1 Domain Controller set up in VMware Workstation. Note the subnet of this network is .

Enumerate Targets

First, enumerate what hosts are on the network, their IP addresses, how many there are, and what services they are running.