Active Directory Attacks

Lifetime · Intermediate · 25 lessons · 0 quizzes · 9 students

Pentesting AD

Welcome to Active Directory Attacks—a hands-on, technical deep dive into the offensive security techniques that target the backbone of enterprise infrastructure.

If you are here, you already know that Active Directory is everywhere. It powers authentication, authorization, and policy management for over 90% of Fortune 1000 companies. It is the crown jewel of the corporate network—and the single most valuable target for adversaries.

This course is not about theory. It is about execution. Over the coming modules, you will learn to think like an attacker who has already breached the perimeter and now finds themselves inside a Windows domain. From initial enumeration to domain dominance and persistence, you will master the techniques that separate novice pentesters from seasoned red team operators.


Why Active Directory?

Active Directory presents a unique security challenge: it was designed for usability and interoperability, not security. Its core protocols—NTLM, Kerberos, SMB, LDAP—were built in an era of trusted networks, where perimeter defenses were assumed to protect the interior.

That assumption has failed.

Today, a single compromised workstation can lead to full domain compromise within hours. Attackers exploit the very features that make AD efficient:

  • Name resolution fallbacks that broadcast credentials to the network

  • Hash-based authentication that treats the password hash as the password itself

  • Trust relationships that grant unintended access

  • Legacy protocols that remain enabled for backward compatibility

This course teaches you to identify and exploit these design flaws—not as an academic exercise, but as a practitioner preparing to defend real environments.


The Modern Attack Path

Before we dive into individual techniques, understand the kill chain that defines modern Active Directory attacks:

Initial Access → Discovery → Lateral Movement → Privilege Escalation → Persistence → Domain Dominance

Each technique you will learn maps directly to this chain:

Phase                        | Techniques Covered
-----------------------------+-----------------------------------------------------------------------
Initial Credential Capture   | LLMNR Poisoning, SMB/NTLM Relay
Lateral Movement             | Pass the Hash, Impacket Tools (psexec, wmiexec, smbexec)
Privilege Escalation         | ACL Abuse, Kerberoasting, Unconstrained Delegation, AD CS Attacks
Persistence                  | Golden Ticket, Sapphire Ticket
Domain Dominance             | DCSync, NTDS.dit Extraction, Cross-Trust Attacks

What You Will Learn

Module 1: Enumeration

Learn to scope an Active Directory environment. Discover hosts, running services, and open ports, and generate a clear attack strategy using the BloodHound tool.

Module 2: LLMNR Poisoning

You will learn how legacy name resolution protocols (LLMNR and NBT-NS) become attack vectors. Using Responder, you will capture NTLMv2 hashes from unsuspecting users simply by waiting for a typo or misconfiguration. You will see firsthand how “passive” attacks yield high-value credentials without triggering alarms.

Module 3: SMB/NTLM Relay

When hashes cannot be cracked, you will learn to relay them. Using ntlmrelayx.py, you will intercept authentication attempts and relay them to targets where the victim has privileges—gaining code execution, dumping SAM hashes, and escalating privileges without ever possessing the plaintext password.

Module 4: Pass the Hash

Armed with captured NTLM hashes, you will learn to authenticate to remote systems without ever cracking a password. You will use Impacket’s psexec.py, wmiexec.py, and smbexec.py to move laterally across the network, executing commands and establishing footholds on domain-joined systems.

Module 5: Privilege Escalation

Compromising a standard user is only the beginning. You will learn to enumerate AD misconfigurations—overly permissive ACLs, unconstrained delegation, Kerberoastable accounts, and Certificate Services vulnerabilities—to escalate to Domain Admin privileges.

Module 6: Lateral Movement

Throughout the course, you will develop proficiency with Impacket, the industry-standard Python library for Active Directory exploitation, and NetExec, the industry-standard network service exploitation tool. You will learn not just individual commands, but how to chain them together for automated, multi-stage attacks that mirror real adversary behavior.

Module 7: Domain Persistence

Once you achieve Domain Admin, you will learn the ultimate persistence technique: the Golden Ticket. Using Impacket’s ticketer.py and Mimikatz, you will forge Kerberos tickets that grant you unlimited, undetectable access to any resource in the domain—even if every password is changed.

Module 8: Domain Compromise

In this module you will learn how to dump the contents of the Active Directory central database (NTDS.dit) to retrieve password hashes for all users in the domain.


Course Philosophy

This course is built on three principles:

1. Practice Over Theory

Each technique is accompanied by a hands-on lab in an isolated Active Directory environment. You will execute every attack yourself—not just watch demonstrations. By the end, you will have a personal lab environment to continue testing and refining your skills.

2. Understand Before Automating

We will use tools like Responder, Impacket, and Mimikatz—but we will also dissect what they do. You will learn the underlying protocols (NTLM, Kerberos, SMB) so you can adapt when automated tools fail or need customization.

3. Think Like an Adversary

This is not a “vulnerability scanning” course. You will learn to think in terms of attack paths: how a low-privileged user becomes a Domain Admin, and how to identify those same paths in your own organization’s environment.


Prerequisites & Tools

What You Should Know

  • Basic Windows system administration (users, groups, permissions)

  • Familiarity with networking concepts (TCP/IP, DNS, SMB)

  • Comfort with command-line interfaces (Linux terminal, PowerShell)

  • Basic Python understanding (helpful but not required)

Tools You Will Master

  • Responder — LLMNR/NBT-NS poisoning

  • Impacket — psexec, wmiexec, smbexec, ntlmrelayx, secretsdump, ticketer

  • Mimikatz — credential extraction, golden tickets

  • BloodHound — Active Directory enumeration and attack path mapping

  • CrackMapExec / NetExec — Multi-protocol lateral movement

Lab Environment

You will have access to:

  • A fully configured Active Directory domain with Domain Controller and workstations

  • Attack machine (Kali Linux) preloaded with all necessary tools

  • Isolated virtual network for safe, legal practice


A Note on Ethics

This course teaches offensive techniques for one purpose: defense. Every attack demonstrated is a technique used by real adversaries. Understanding how these attacks work is the only way to effectively detect, prevent, and respond to them.

You are responsible for how you use this knowledge. Never apply these techniques against systems you do not own or have explicit written permission to test. The line between pentesting and malicious activity is authorization—and crossing it has real consequences.


What You Will Achieve

By the end of this course, you will be able to:

  • Enumerate Active Directory environments to identify attack paths

  • Capture credentials using LLMNR poisoning and SMB relay attacks

  • Move laterally using Pass the Hash and Impacket tooling

  • Escalate privileges from standard user to Domain Admin

  • Establish persistence with Golden Ticket attacks

  • Compromise an AD domain by dumping the central user database (NTDS.dit)

Whether you are an aspiring penetration tester, a system administrator looking to defend your environment, or a red team operator sharpening your skills, this course will give you the practical knowledge to own the domain—and then secure it.


Ready to Begin?

Turn on your lab. Open your terminal. The domain is waiting.

Let’s attack.

Jonathan Wallace

Jonathan Wallace is a Senior Offensive Cyber Security Engineer with decades of experience working with Information Technology across various fields. He is the senior penetration tester at Cyberforce Security and also puts a lot of effort, care and attention into developing training courses and contributing to the cyber security community.