{"id":28,"date":"2026-04-10T04:23:46","date_gmt":"2026-04-10T04:23:46","guid":{"rendered":"https:\/\/cyberforcesecurity.org\/courses\/?post_type=lp_course&#038;p=28"},"modified":"2026-05-26T02:19:40","modified_gmt":"2026-05-26T02:19:40","slug":"active-directory-attacks","status":"publish","type":"lp_course","link":"https:\/\/cyberforcesecurity.org\/courses\/course\/active-directory-attacks\/","title":{"rendered":"Active Directory Attacks"},"content":{"rendered":"<h1>Pentesting AD<\/h1>\n<p>Welcome to <strong>Active Directory Attacks<\/strong> \u2014a hands-on, technical deep dive into the offensive security techniques that target the backbone of enterprise infrastructure.<\/p>\n<p class=\"ds-markdown-paragraph\">If you are here, you already know that <strong>Active Directory<\/strong> is everywhere. It powers authentication, authorisation, and policy management for over <strong>90% of Fortune 1000 companies<\/strong>. It is the crown jewel of the corporate network\u2014and the single most valuable target for adversaries.<\/p>\n<p class=\"ds-markdown-paragraph\">This course is not about theory. It is about <strong>execution<\/strong>. Over the coming modules, you will learn to think like an attacker who has already breached the perimeter and now finds themselves inside a Windows domain. From initial enumeration to domain dominance and persistence, you will master the techniques that separate novice pentesters from seasoned red team operators.<\/p>\n<p><iframe loading=\"lazy\" title=\"I Live For This S*** | Mr. 
Robot\" width=\"500\" height=\"281\" src=\"https:\/\/www.youtube.com\/embed\/67gYEK4FtzA?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe><\/p>\n<hr \/>\n<h2>Why Active Directory?<\/h2>\n<p class=\"ds-markdown-paragraph\">Active Directory presents a unique security challenge: it was designed for <strong>usability and interoperability<\/strong>, not security. Its core protocols\u2014NTLM, Kerberos, SMB, LDAP\u2014were built in an era of trusted networks, where perimeter defenses were assumed to protect the interior.<\/p>\n<p class=\"ds-markdown-paragraph\">That assumption has failed.<\/p>\n<p class=\"ds-markdown-paragraph\">Today, a single compromised workstation can lead to <strong>full domain compromise<\/strong> within hours. Attackers exploit the very features that make AD efficient:<\/p>\n<ul>\n<li>\n<p class=\"ds-markdown-paragraph\"><strong>Name resolution fallbacks<\/strong> that broadcast credentials to the network<\/p>\n<\/li>\n<li>\n<p class=\"ds-markdown-paragraph\"><strong>Hash-based authentication<\/strong> that treats the password hash as the password itself<\/p>\n<\/li>\n<li>\n<p class=\"ds-markdown-paragraph\"><strong>Trust relationships<\/strong> that grant unintended access<\/p>\n<\/li>\n<li>\n<p class=\"ds-markdown-paragraph\"><strong>Legacy protocols<\/strong> that remain enabled for backward compatibility<\/p>\n<\/li>\n<\/ul>\n<p class=\"ds-markdown-paragraph\">This course teaches you to identify and exploit these design flaws\u2014not as an academic exercise, but as a practitioner preparing to defend real environments.<\/p>\n<hr \/>\n<h2>The Modern Attack Path<\/h2>\n<p class=\"ds-markdown-paragraph\">Before we dive into individual techniques, understand the <strong>kill chain<\/strong> that defines modern Active Directory attacks:<\/p>\n<div class=\"md-code-block 
md-code-block-light\">\n<pre>Enumeration \u2192 Initial Access \u2192 Discovery \u2192 Post Exploitation \u2192 Lateral Movement \u2192 Privilege Escalation \u2192 Persistence \u2192 Domain Compromise<\/pre>\n<\/div>\n<p class=\"ds-markdown-paragraph\">Each technique you will learn maps directly to this chain:<\/p>\n<div class=\"ds-scroll-area ds-scroll-area--show-on-focus-within _1210dd7 c03cafe9\">\n<table>\n<thead>\n<tr>\n<th>Phase<\/th>\n<th>Techniques Covered<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><strong>Enumeration<\/strong><\/td>\n<td>nmap, nmap scripts, Nessus, OpenVAS, ldapsearch, rpcclient, Kerbrute, enum4linux<\/td>\n<\/tr>\n<tr>\n<td><strong>Initial Access<\/strong><\/td>\n<td>Breached Credentials, Social Engineering, LLMNR Poisoning, SMB\/NTLM Relay, IPv6 DNS Takeover\/LDAP Relay, AS-REP Roasting, Attacking Exchange Server\/OWA<\/td>\n<\/tr>\n<tr>\n<td><strong>Discovery<\/strong><\/td>\n<td>ADPulse, secretsdump, BloodHound, Powerview<\/td>\n<\/tr>\n<tr>\n<td><strong>Post Exploitation<\/strong><\/td>\n<td>Shell Access, File Transfers, System Enumeration, Data Mining Windows, Dump LSASS, Local Privilege Escalation<\/td>\n<\/tr>\n<tr>\n<td><strong>Lateral Movement<\/strong><\/td>\n<td>Pass-the-Hash, Impacket, PSRemoting, Lateral Movement over RDP<\/td>\n<\/tr>\n<tr>\n<td><strong>Privilege Escalation<\/strong><\/td>\n<td>Pass-the-Ticket, ACL Abuse, Kerberoasting, Unconstrained Delegation, AD CS Attacks<\/td>\n<\/tr>\n<tr>\n<td><strong>Persistence<\/strong><\/td>\n<td>Shadow Credentials, Golden Ticket, Sapphire Ticket<\/td>\n<\/tr>\n<tr>\n<td><strong>Domain Compromise<\/strong><\/td>\n<td>DCSync, NTDS.dit Extraction, Cross-Trust Attacks<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<hr \/>\n<h2>What You Will Learn<\/h2>\n<h3>Module 1: Enumeration<\/h3>\n<p class=\"ds-markdown-paragraph\">Learn to scope an Active Directory environment. 
Discover hosts, running services, open ports, domain users and generate a clear image of the network topology &#8211; machines, users, running services. You will also learn how to implement vulnerability scanners across the network to check for the possibility of finding an unpatched system that could possibly yield initial access if exploited.<\/p>\n<h3>Module 2: Breached Credentials<\/h3>\n<p>Credentials can be used to authenticate to the network. Sometimes lists of users and passwords are sold on the dark web or found in data dumps from other large-scale hacks. Other times password spraying or brute forcing may be employed with a quality wordlist to gain initial access to the network. The users identified in the previous module come in useful during this process.<\/p>\n<p>Oftentimes, a pentest is started from an &#8220;assumed breach&#8221; position, meaning that a standard domain user account is delegated to the penetration tester to authenticate to the network. Other times this is not the case and a combination of OSINT to find possible credentials in data dumps and quality wordlists along with industry standard tools can be used to gain an initial foothold on the AD Domain if authentication is possible. We will explore these various methods in module one.<\/p>\n<p><strong>Social engineering techniques<\/strong> like <em>phishing<\/em> or <em>weaponised documents<\/em> are also often used by adversaries to compromise user\/employee credentials that authenticate against the domain, or compromise an employee domain workstation in a corporate network. This is not something we will cover in depth in this course but we will talk about it briefly.<\/p>\n<h3>Module 3: LLMNR Poisoning<\/h3>\n<p class=\"ds-markdown-paragraph\">You will learn how legacy name resolution protocols (LLMNR and NBT-NS) become attack vectors. Using Responder, you will capture NTLMv2 hashes from unsuspecting users simply by waiting for a typo or misconfiguration. 
You will see firsthand how &#8220;passive&#8221; attacks yield high-value credentials without triggering alarms. The module also covers how to analyse captured hashes, determine which are crackable, and understand the limitations of this attack in modern networks.<\/p>\n<h3>Module 4: SMB\/NTLM Relay<\/h3>\n<p class=\"ds-markdown-paragraph\">When hashes cannot be cracked, you will learn to relay them. Using ntlmrelayx.py, you will intercept authentication attempts and relay them to targets where the victim has privileges \u2014 gaining code execution, dumping SAM hashes, and escalating privileges without ever possessing the plaintext password. You will also learn how to configure SMB signing requirements and identify when relaying is possible versus when it is blocked.<\/p>\n<h3>Module 5: IPv6 DNS Takeover<\/h3>\n<p data-start=\"0\" data-end=\"331\">In this module, you will learn how IPv6 DNS takeover attacks work and why they are effective in modern networks where IPv6 is often enabled by default. You\u2019ll explore how attackers can introduce rogue router advertisements to position themselves as a DNS server, allowing them to intercept and redirect traffic from target systems.<\/p>\n<p data-start=\"333\" data-end=\"696\" data-is-last-node=\"\" data-is-only-node=\"\">You will also be introduced to LDAP relay techniques, where intercepted authentication attempts are forwarded to legitimate directory services. 
The module will demonstrate how these combined techniques can be used to manipulate Active Directory environments when protections like LDAP signing are not enforced, along with an overview of key mitigation strategies.<\/p>\n<h3 data-start=\"333\" data-end=\"696\">Module 6: AS-REP Roasting<\/h3>\n<div class=\"ds-message _63c77b1\">\n<div class=\"ds-markdown\">\n<p class=\"ds-markdown-paragraph\">AS-REP Roasting is an unauthenticated Kerberos attack that targets domain user accounts with the &#8220;Do not require Kerberos preauthentication&#8221; setting enabled. Unlike Kerberoasting (which requires an authenticated domain user), AS-REP roasting operates from a position of zero credentials\u2014an attacker simply requests a Kerberos Authentication Service Response (AS-REP) for any discovered user. If preauthentication is disabled, the domain controller returns an encrypted timestamp (the AS-REP hash) without validating the requestor&#8217;s identity. This hash can be cracked offline to recover the user&#8217;s plaintext password. The attack is stealthy because it generates no failed login events and works entirely over the Kerberos protocol.\u00a0AS-REP roasting can be used as a powerful initial foothold technique when misconfigured accounts exist in the environment.<\/p>\n<\/div>\n<\/div>\n<h3 data-start=\"333\" data-end=\"696\">Module 7: Domain Discovery<\/h3>\n<p data-start=\"333\" data-end=\"696\" data-is-last-node=\"\" data-is-only-node=\"\">Generate a clear attack strategy using the BloodHound tool from a low privileged domain user account. You will learn how to collect data, import it into BloodHound, and navigate its interface to identify attack paths, high-value targets, and hidden relationships such as shortest paths to Domain Admin or users with privileged group memberships.<\/p>\n<h3>Module 8: Shell Access<\/h3>\n<p class=\"ds-markdown-paragraph\">Gain command line access to compromised hosts, execute commands and browse the file system. 
You will practice obtaining different types of shells, including reverse shells and bind shells, and learn how to stabilise semi-interactive shells into fully functional command prompts by creating custom shellcode.<\/p>\n<h3>Module 9: File Transfers<\/h3>\n<p class=\"ds-markdown-paragraph\">Transfer files between compromised hosts and the attack box. Learn Python3 for file transfers over HTTP and learn how to set up your own SMB server to allow file transfers over SMB and use built-in Windows tools like certutil and bitsadmin to download payloads when outbound HTTP\/HTTPS is allowed but other ports are blocked.<\/p>\n<h3>Module 10: Post Exploitation<\/h3>\n<p class=\"ds-markdown-paragraph\">Compromised a host? Now what? Learn post exploitation techniques that will help you uncover information that will help you compromise more of the network. This includes enumerating local users, domain users, groups, installed software, running processes, scheduled tasks, network connections, and sensitive files. You will also learn how to identify whether the compromised host is a workstation, server, or domain controller, and how that influences your next moves. Dump LSASS memory from the local Windows machine to try and find privileged user account credentials\/NTLM hashes.<\/p>\n<h3>Module 11: Lateral Movement<\/h3>\n<p class=\"ds-markdown-paragraph\">Throughout the course, you will develop proficiency with Impacket, the industry-standard Python library for Active Directory exploitation, and NetExec, the industry-standard network service exploitation tool. You will learn not just individual commands, but how to chain them together for automated, multi-stage attacks that mirror real adversary behavior. 
This includes using pass-the-hash, pass-the-ticket, and living-off-the-land techniques to move between hosts without writing new tools to disk.<\/p>\n<h3>Module 12: Privilege Escalation<\/h3>\n<p class=\"ds-markdown-paragraph\">Compromising a standard user is only the beginning. You will learn to enumerate AD misconfigurations \u2014 overly permissive ACLs, unconstrained delegation, Kerberoastable accounts, and Certificate Services vulnerabilities \u2014 to escalate to Domain Admin privileges. Each technique is taught with practical examples, including how to request and crack service tickets, abuse ACL entries like GenericAll or WriteDacl, and exploit common PKI misconfigurations in Active Directory Certificate Services.<\/p>\n<h3>Module 13: Domain Persistence<\/h3>\n<p class=\"ds-markdown-paragraph\">Once you achieve Domain Admin, you will learn the ultimate persistence technique: the Golden Ticket. You will forge Kerberos tickets that grant you unlimited, undetectable access to any resource in the domain \u2014 even if every password is changed.<\/p>\n<h3>Module 14: Domain Compromise<\/h3>\n<p class=\"ds-markdown-paragraph\">In this module you will learn how to dump the contents of the Active Directory central database (NTDS.dit) to retrieve password hashes for all users in the domain. You will cover multiple methods, including volume shadow copy techniques, using ntdsutil, and remote dumping with Impacket&#8217;s secretsdump.py. The module also teaches you how to extract hashes without touching disk where possible, and how to crack or pass those hashes to compromise every machine and user in the environment.<\/p>\n<hr \/>\n<h2>Course Philosophy<\/h2>\n<p class=\"ds-markdown-paragraph\">This course is built on three principles:<\/p>\n<h3>1. Practice Over Theory<\/h3>\n<p class=\"ds-markdown-paragraph\">Each technique is accompanied by a <strong>hands-on lab<\/strong> in an isolated Active Directory environment. 
You will execute every attack yourself\u2014not just watch demonstrations. By the end, you will have a personal lab environment to continue testing and refining your skills.<\/p>\n<h3>2. Understand Before Automating<\/h3>\n<p class=\"ds-markdown-paragraph\">We will use tools like Responder and Impacket\u2014but we will also dissect what they do. You will learn the underlying protocols (NTLM, Kerberos, SMB) so you can adapt when automated tools fail or need customization.<\/p>\n<h3>3. Think Like an Adversary<\/h3>\n<p class=\"ds-markdown-paragraph\">This is not a &#8220;vulnerability scanning&#8221; course. You will learn to think in terms of <strong>attack paths<\/strong>: how a low-privileged user becomes a Domain Admin, and how to identify those same paths in your own organization&#8217;s environment.<\/p>\n<hr \/>\n<h2>Prerequisites &amp; Tools<\/h2>\n<h3>Technical Prerequisites<\/h3>\n<ul>\n<li>Terraform<\/li>\n<li>Microsoft Azure<\/li>\n<li>Azure CLI<\/li>\n<li>Kali Linux (VM or Bare Metal)<\/li>\n<li>OpenVPN Client<\/li>\n<\/ul>\n<h3>What You Should Know<\/h3>\n<ul>\n<li>\n<p class=\"ds-markdown-paragraph\">Basic Windows system administration (users, groups, permissions)<\/p>\n<\/li>\n<li>\n<p class=\"ds-markdown-paragraph\">Familiarity with networking concepts (TCP\/IP, DNS, SMB)<\/p>\n<\/li>\n<li>\n<p class=\"ds-markdown-paragraph\">Comfort with command-line interfaces (Linux terminal, PowerShell)<\/p>\n<\/li>\n<li>\n<p class=\"ds-markdown-paragraph\">Basic understanding of programming concepts (helpful but not required)<\/p>\n<\/li>\n<\/ul>\n<h3>Tools You Will Master<\/h3>\n<ul>\n<li>\n<p class=\"ds-markdown-paragraph\"><strong>Responder<\/strong> \u2014 LLMNR\/NBT-NS poisoning<\/p>\n<\/li>\n<li>\n<p class=\"ds-markdown-paragraph\"><strong>Impacket<\/strong> \u2014 psexec, wmiexec, smbexec, ntlmrelayx, secretsdump, ticketer<\/p>\n<\/li>\n<li><strong>NetExec<\/strong> \u2014 Multi-protocol lateral movement<\/li>\n<li><strong>Powerview<\/strong> \u2014 
Active Directory domain discovery<\/li>\n<li><strong>BloodHound<\/strong> \u2014 Active Directory enumeration and attack path mapping<\/li>\n<li>\n<p class=\"ds-markdown-paragraph\"><strong>lsassy<\/strong> \u2014 Local credential extraction<\/p>\n<\/li>\n<li><strong>Certipy<\/strong> \u2014 A tool for enumerating and abusing Active Directory Certificate Services (AD CS)<\/li>\n<li>\n<p class=\"ds-markdown-paragraph\"><strong>Seatbelt<\/strong> \u2014 A C# project that performs a number of security-oriented host-survey &#8220;safety checks&#8221; relevant from both offensive and defensive security perspectives<\/p>\n<\/li>\n<\/ul>\n<h3>Lab Environment<\/h3>\n<p class=\"ds-markdown-paragraph\">You will have access to:<\/p>\n<ul>\n<li>\n<p class=\"ds-markdown-paragraph\">A fully configured Active Directory domain with Domain Controller and workstations<\/p>\n<\/li>\n<li>\n<p class=\"ds-markdown-paragraph\">Attack machine (Kali Linux) preloaded with all necessary tools<\/p>\n<\/li>\n<li>\n<p class=\"ds-markdown-paragraph\">Isolated virtual network for safe, legal practice<\/p>\n<\/li>\n<\/ul>\n<hr \/>\n<h2>A Note on Ethics<\/h2>\n<p class=\"ds-markdown-paragraph\">This course teaches offensive techniques for one purpose: <strong>defense<\/strong>. Every attack demonstrated is a technique used by real adversaries. Understanding how these attacks work is the only way to effectively detect, prevent, and respond to them.<\/p>\n<p class=\"ds-markdown-paragraph\"><strong>You are responsible for how you use this knowledge.<\/strong> Never apply these techniques against systems you do not own or have explicit written permission to test. 
The line between pentesting and malicious activity is authorisation\u2014and crossing it has real consequences.<\/p>\n<hr \/>\n<h2>What You Will Achieve<\/h2>\n<p class=\"ds-markdown-paragraph\">By the end of this course, you will be able to:<\/p>\n<ul>\n<li>\n<p class=\"ds-markdown-paragraph\"><strong>Enumerate<\/strong> Active Directory environments to identify attack paths<\/p>\n<\/li>\n<li>\n<p class=\"ds-markdown-paragraph\"><strong>Capture<\/strong> credentials using LLMNR poisoning and SMB relay attacks<\/p>\n<\/li>\n<li>\n<p class=\"ds-markdown-paragraph\"><strong>Gain access to the network<\/strong> through IPv6 DNS Spoofing and LDAP relay attacks<\/p>\n<\/li>\n<li>\n<p class=\"ds-markdown-paragraph\"><strong>Move laterally<\/strong> using Pass-the-Hash and Impacket tooling<\/p>\n<\/li>\n<li>\n<p class=\"ds-markdown-paragraph\"><strong>Escalate privileges<\/strong> from standard user to Domain Admin<\/p>\n<\/li>\n<li>\n<p class=\"ds-markdown-paragraph\"><strong>Establish persistence<\/strong> with Golden Ticket attacks<\/p>\n<\/li>\n<li>\n<p class=\"ds-markdown-paragraph\"><strong>Compromise<\/strong> an AD Domain by dumping the central user database<\/p>\n<\/li>\n<\/ul>\n<p class=\"ds-markdown-paragraph\">Whether you are an aspiring penetration tester, a system administrator looking to defend your environment, or a red team operator sharpening your skills, this course will give you the practical knowledge to <strong>own the domain<\/strong>\u2014and then secure it.<\/p>\n<hr \/>\n<h2>Ready to Begin?<\/h2>\n<p class=\"ds-markdown-paragraph\">Turn on your lab. Open your terminal. 
The domain is waiting.<\/p>\n<p class=\"ds-markdown-paragraph\">Let&#8217;s attack.<\/p>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Pentesting AD Welcome to Active Directory Attacks \u2014a hands-on, technical deep dive into the offensive security techniques that target the&hellip;<\/p>\n","protected":false},"author":1,"featured_media":997,"comment_status":"closed","ping_status":"closed","template":"","course_category":[2],"course_tag":[],"class_list":["post-28","lp_course","type-lp_course","status-publish","has-post-thumbnail","hentry","course_category-training","course"],"_links":{"self":[{"href":"https:\/\/cyberforcesecurity.org\/courses\/wp-json\/wp\/v2\/lp_course\/28","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cyberforcesecurity.org\/courses\/wp-json\/wp\/v2\/lp_course"}],"about":[{"href":"https:\/\/cyberforcesecurity.org\/courses\/wp-json\/wp\/v2\/types\/lp_course"}],"author":[{"embeddable":true,"href":"https:\/\/cyberforcesecurity.org\/courses\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cyberforcesecurity.org\/courses\/wp-json\/wp\/v2\/comments?post=28"}],"version-history":[{"count":83,"href":"https:\/\/cyberforcesecurity.org\/courses\/wp-json\/wp\/v2\/lp_course\/28\/revisions"}],"predecessor-version":[{"id":1399,"href":"https:\/\/cyberforcesecurity.org\/courses\/wp-json\/wp\/v2\/lp_course\/28\/revisions\/1399"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cyberforcesecurity.org\/courses\/wp-json\/wp\/v2\/media\/997"}],"wp:attachment":[{"href":"https:\/\/cyberforcesecurity.org\/courses\/wp-json\/wp\/v2\/media?parent=28"}],"wp:term":[{"taxonomy":"course_category","embeddable":true,"href":"https:\/\/cyberforcesecurity.org\/courses\/wp-json\/wp\/v2\/course_category?post=28"},{"taxonomy":"course_tag","embeddable":true,"href":"https:\/\/cyberforcesecurity.org\/courses\/wp-json\/wp\/v2\/course_tag?post=28"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templat
ed":true}]}}