🖥Active Directory Lab: Enumeration and Exploitation 🔐

Robert Scocca
May 28, 2021

Learn about Active Directory penetration testing, enumeration and exploitation, using tools like Impacket, Kerbrute, and CrackMapExec. This post focuses on initial enumeration and exploitation from the perspective of an attacker who has network access to the AD environment but no account credentials and little information about the internal network. You will learn:

  • Target enumeration with Nmap, CME, Nbtscan
  • Username enumeration with Nmap and Kerbrute
  • Exploit misconfigurations with Windapsearch and AS-REP Roasting
  • Poisoning AD protocols with Responder and mitm6
  • Password Spraying with Kerbrute and Spray.sh
  • Pass the Hash and Kerberoasting

Treating this as a black-box test, our goal is first to gather valuable information: how many hosts there are, what services they run, what the domain name is, which users exist in the domain, and what their passwords are. I'll quickly go through the commands and results of each attack that will help you gain a foothold on an AD network.

In a future post I will write about how to enumerate and exploit AD once you have a foothold. Once you compromise an account, especially an admin account, a lot of damage can be done to AD. Any tool used in this post is…
