Pentesting AD
Welcome to Active Directory Attacks — a hands-on, technical deep dive into the offensive security techniques that target the backbone of enterprise infrastructure.
If you are here, you already know that Active Directory is everywhere. It powers authentication, authorisation, and policy management for over 90% of Fortune 1000 companies. It is the crown jewel of the corporate network—and the single most valuable target for adversaries.
This course is not about theory. It is about execution. Over the coming modules, you will learn to think like an attacker who has already breached the perimeter and now finds themselves inside a Windows domain. From initial enumeration to domain dominance and persistence, you will master the techniques that separate novice pentesters from seasoned red team operators.
Why Active Directory?
Active Directory presents a unique security challenge: it was designed for usability and interoperability, not security. Its core protocols—NTLM, Kerberos, SMB, LDAP—were built in an era of trusted networks, where perimeter defenses were assumed to protect the interior.
That assumption has failed.
Today, a single compromised workstation can lead to full domain compromise within hours. Attackers exploit the very features that make AD efficient:
- Name resolution fallbacks that broadcast credentials to the network
- Hash-based authentication that treats the password hash as the password itself
- Trust relationships that grant unintended access
- Legacy protocols that remain enabled for backward compatibility
This course teaches you to identify and exploit these design flaws—not as an academic exercise, but as a practitioner preparing to defend real environments.
The Modern Attack Path
Before we dive into individual techniques, understand the kill chain that defines modern Active Directory attacks:
Enumeration → Initial Access → Discovery → Post Exploitation → Lateral Movement → Privilege Escalation → Persistence → Domain Compromise
Each technique you will learn maps directly to this chain:
| Phase | Techniques Covered |
|---|---|
| Enumeration | nmap, nmap scripts, Nessus, OpenVAS, ldapsearch, rpcclient, Kerbrute, enum4linux |
| Initial Access | Breached Credentials, Social Engineering, LLMNR Poisoning, SMB/NTLM Relay, IPv6 DNS Takeover/LDAP Relay, AS-REP Roasting, Attacking Exchange Server/OWA |
| Discovery | ADPulse, secretsdump, BloodHound, Powerview |
| Post Exploitation | Shell Access, File Transfers, System Enumeration, Data Mining Windows, Dump LSASS, Local Privilege Escalation |
| Lateral Movement | Pass-the-Hash, Impacket, PSRemoting, Lateral Movement over RDP |
| Privilege Escalation | Pass-the-Ticket, ACL Abuse, Kerberoasting, Unconstrained Delegation, AD CS Attacks |
| Persistence | Shadow Credentials, Golden Ticket, Sapphire Ticket |
| Domain Compromise | DCSync, NTDS.dit Extraction, Cross-Trust Attacks |
What You Will Learn
Module 1: Enumeration
Learn to scope an Active Directory environment. Discover hosts, running services, open ports and domain users, and build a clear picture of the network topology. You will also learn how to run vulnerability scanners across the network to look for unpatched systems that could yield initial access if exploited.
Module 2: Breached Credentials
Credentials can be used to authenticate to the network. Sometimes lists of users and passwords are sold on the dark web or found in data dumps from other large-scale breaches. Other times password spraying or brute forcing with a quality wordlist may be employed to gain initial access to the network. The users identified in the previous module come in useful during this process.
Oftentimes a pentest starts from an “assumed breach” position, meaning that a standard domain user account is given to the penetration tester for authenticating to the network. Other times this is not the case, and a combination of OSINT (searching data dumps for possible credentials), quality wordlists and industry-standard tools can be used to gain an initial foothold on the AD domain if authentication is possible. We will explore these various methods in module one.
Social engineering techniques like phishing or weaponised documents are also often used by adversaries to compromise the credentials of users who authenticate against the domain, or to compromise an employee's domain-joined workstation in a corporate network. This is not something we will cover in depth in this course, but we will talk about it briefly.
Module 3: LLMNR Poisoning
You will learn how legacy name resolution protocols (LLMNR and NBT-NS) become attack vectors. Using Responder, you will capture NTLMv2 hashes from unsuspecting users simply by waiting for a typo or misconfiguration. You will see firsthand how “passive” attacks yield high-value credentials without triggering alarms. The module also covers how to analyse captured hashes, determine which are crackable, and understand the limitations of this attack in modern networks.
Module 4: SMB/NTLM Relay
When hashes cannot be cracked, you will learn to relay them. Using ntlmrelayx.py, you will intercept authentication attempts and relay them to targets where the victim has privileges — gaining code execution, dumping SAM hashes, and escalating privileges without ever possessing the plaintext password. You will also learn how to configure SMB signing requirements and identify when relaying is possible versus when it is blocked.
Module 5: IPv6 DNS Takeover
In this module, you will learn how IPv6 DNS takeover attacks work and why they are effective in modern networks where IPv6 is often enabled by default. You’ll explore how attackers can introduce rogue router advertisements to position themselves as a DNS server, allowing them to intercept and redirect traffic from target systems.
You will also be introduced to LDAP relay techniques, where intercepted authentication attempts are forwarded to legitimate directory services. The module will demonstrate how these combined techniques can be used to manipulate Active Directory environments when protections like LDAP signing are not enforced, along with an overview of key mitigation strategies.
Module 6: AS-REP Roasting
Module 7: Domain Discovery
Generate a clear attack strategy using the BloodHound tool from a low privileged domain user account. You will learn how to collect data, import it into BloodHound, and navigate its interface to identify attack paths, high-value targets, and hidden relationships such as shortest paths to Domain Admin or users with privileged group memberships.
Module 8: Shell Access
Gain command line access to compromised hosts, execute commands and browse the file system. You will practice obtaining different types of shells, including reverse shells and bind shells, and learn how to stabilise semi-interactive shells into fully functional command prompts by creating custom shellcode.
Module 9: File Transfers
Transfer files between compromised hosts and the attack box. Learn to serve files over HTTP with Python 3, set up your own SMB server to allow file transfers over SMB, and use built-in Windows tools like certutil and bitsadmin to download payloads when outbound HTTP/HTTPS is allowed but other ports are blocked.
Module 10: Post Exploitation
Compromised a host? Now what? Learn post exploitation techniques that uncover the information needed to compromise more of the network: enumerating local users, domain users, groups, installed software, running processes, scheduled tasks, network connections, and sensitive files. You will also learn how to identify whether the compromised host is a workstation, server, or domain controller, and how that influences your next moves. Finally, dump LSASS memory on the local Windows machine to look for privileged account credentials and NTLM hashes.
Module 11: Lateral Movement
Throughout the course, you will develop proficiency with Impacket, the industry-standard Python library for Active Directory exploitation, and NetExec, the industry-standard network service exploitation tool. You will learn not just individual commands, but how to chain them together into automated, multi-stage attacks that mirror real adversary behaviour. This includes using pass-the-hash, pass-the-ticket, and living-off-the-land techniques to move between hosts without writing new tools to disk.
Module 12: Privilege Escalation
Compromising a standard user is only the beginning. You will learn to enumerate AD misconfigurations — overly permissive ACLs, unconstrained delegation, Kerberoastable accounts, and Certificate Services vulnerabilities — to escalate to Domain Admin privileges. Each technique is taught with practical examples, including how to request and crack service tickets, abuse ACL entries like GenericAll or WriteDacl, and exploit common PKI misconfigurations in Active Directory Certificate Services.
Module 13: Domain Persistence
Once you achieve Domain Admin, you will learn the ultimate persistence technique: the Golden Ticket. You will forge Kerberos tickets that grant you unlimited, undetectable access to any resource in the domain — even if every password is changed.
Module 14: Domain Compromise
In this module you will learn how to dump the contents of the Active Directory central database (NTDS.dit) to retrieve password hashes for all users in the domain. You will cover multiple methods, including volume shadow copy techniques, using ntdsutil, and remote dumping with Impacket’s secretsdump.py. The module also teaches you how to extract hashes without touching disk where possible, and how to crack or pass those hashes to compromise every machine and user in the environment.
Course Philosophy
This course is built on three principles:
1. Practice Over Theory
Each technique is accompanied by a hands-on lab in an isolated Active Directory environment. You will execute every attack yourself—not just watch demonstrations. By the end, you will have a personal lab environment to continue testing and refining your skills.
2. Understand Before Automating
We will use tools like Responder and Impacket—but we will also dissect what they do. You will learn the underlying protocols (NTLM, Kerberos, SMB) so you can adapt when automated tools fail or need customization.
3. Think Like an Adversary
This is not a “vulnerability scanning” course. You will learn to think in terms of attack paths: how a low-privileged user becomes a Domain Admin, and how to identify those same paths in your own organization’s environment.
Prerequisites & Tools
Technical Prerequisites
- Terraform
- Microsoft Azure
- Azure CLI
- Kali Linux (VM or Bare Metal)
- OpenVPN Client
What You Should Know
- Basic Windows system administration (users, groups, permissions)
- Familiarity with networking concepts (TCP/IP, DNS, SMB)
- Comfort with command-line interfaces (Linux terminal, PowerShell)
- Basic understanding of programming concepts (helpful but not required)
Tools You Will Master
- Responder — LLMNR/NBT-NS poisoning
- Impacket — psexec, wmiexec, smbexec, ntlmrelayx, secretsdump, ticketer
- NetExec — Multi-protocol lateral movement
- Powerview — Active Directory domain discovery
- BloodHound — Active Directory enumeration and attack path mapping
- lsassy — Local credential extraction
- Certipy — A tool for enumerating and abusing Active Directory Certificate Services (AD CS)
- Seatbelt — A C# project that performs a number of security-oriented host-survey “safety checks” relevant from both offensive and defensive security perspectives
Lab Environment
You will have access to:
- A fully configured Active Directory domain with Domain Controller and workstations
- Attack machine (Kali Linux) preloaded with all necessary tools
- Isolated virtual network for safe, legal practice
A Note on Ethics
This course teaches offensive techniques for one purpose: defense. Every attack demonstrated is a technique used by real adversaries. Understanding how these attacks work is the only way to effectively detect, prevent, and respond to them.
You are responsible for how you use this knowledge. Never apply these techniques against systems you do not own or have explicit written permission to test. The line between pentesting and malicious activity is authorisation—and crossing it has real consequences.
What You Will Achieve
By the end of this course, you will be able to:
- Enumerate Active Directory environments to identify attack paths
- Capture credentials using LLMNR poisoning and SMB relay attacks
- Gain access to the network through IPv6 DNS Spoofing and LDAP relay attacks
- Move laterally using Pass-the-Hash and Impacket tooling
- Escalate privileges from standard user to Domain Admin
- Establish persistence with Golden Ticket attacks
- Compromise an AD Domain by dumping the central user database
Whether you are an aspiring penetration tester, a system administrator looking to defend your environment, or a red team operator sharpening your skills, this course will give you the practical knowledge to own the domain—and then secure it.
Ready to Begin?
Turn on your lab. Open your terminal. The domain is waiting.
Let’s attack.
Curriculum
- 16 Sections
- 44 Lessons
- Lifetime access
- Introduction (2 lessons)
- Lab Access (1 lesson)
- Module 1: Enumeration (3 lessons)
- Module 2: Breached Credentials (4 lessons)
- Module 3: LLMNR Poisoning (2 lessons)
- Module 4: SMB/NTLM Relay (3 lessons)
- Module 5: IPv6 DNS Takeover (1 lesson)
- Module 6: AS-REP Roasting (1 lesson)
- Module 7: Domain Discovery (3 lessons)
- Module 8: Shell Access (4 lessons)
- Module 9: File Transfers (2 lessons)
- Module 10: Post Exploitation (6 lessons)
- Module 11: Lateral Movement (5 lessons)
- Module 12: Privilege Escalation (4 lessons)
- Module 13: Domain Compromise (2 lessons)
- Module 14: Domain Persistence (1 lesson)
