{"id":28,"date":"2026-04-10T04:23:46","date_gmt":"2026-04-10T04:23:46","guid":{"rendered":"https:\/\/cyberforcesecurity.org\/courses\/?post_type=lp_course&#038;p=28"},"modified":"2026-04-12T03:37:54","modified_gmt":"2026-04-12T03:37:54","slug":"active-directory-attacks","status":"publish","type":"lp_course","link":"https:\/\/cyberforcesecurity.org\/courses\/course\/active-directory-attacks\/","title":{"rendered":"Active Directory Attacks"},"content":{"rendered":"<h1>Pentesting AD<\/h1>\n<p>Welcome to <strong>Active Directory Attacks<\/strong> \u2014 a hands-on, technical deep dive into the offensive security techniques that target the backbone of enterprise infrastructure.<\/p>\n<p class=\"ds-markdown-paragraph\">If you are here, you already know that <strong>Active Directory<\/strong> is everywhere. It powers authentication, authorization, and policy management for over <strong>90% of Fortune 1000 companies<\/strong>. It is the crown jewel of the corporate network\u2014and the single most valuable target for adversaries.<\/p>\n<p class=\"ds-markdown-paragraph\">This course is not about theory. It is about <strong>execution<\/strong>. Over the coming modules, you will learn to think like an attacker who has already breached the perimeter and now finds themselves inside a Windows domain. From initial enumeration to domain dominance and persistence, you will master the techniques that separate novice pentesters from seasoned red team operators.<\/p>\n<p><iframe loading=\"lazy\" title=\"I Live For This S*** | Mr. 
Robot\" width=\"500\" height=\"281\" src=\"https:\/\/www.youtube.com\/embed\/67gYEK4FtzA?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe><\/p>\n<hr \/>\n<h2>Why Active Directory?<\/h2>\n<p class=\"ds-markdown-paragraph\">Active Directory presents a unique security challenge: it was designed for <strong>usability and interoperability<\/strong>, not security. Its core protocols\u2014NTLM, Kerberos, SMB, LDAP\u2014were built in an era of trusted networks, where perimeter defenses were assumed to protect the interior.<\/p>\n<p class=\"ds-markdown-paragraph\">That assumption has failed.<\/p>\n<p class=\"ds-markdown-paragraph\">Today, a single compromised workstation can lead to <strong>full domain compromise<\/strong> within hours. Attackers exploit the very features that make AD efficient:<\/p>\n<ul>\n<li>\n<p class=\"ds-markdown-paragraph\"><strong>Name resolution fallbacks<\/strong> that broadcast credentials to the network<\/p>\n<\/li>\n<li>\n<p class=\"ds-markdown-paragraph\"><strong>Hash-based authentication<\/strong> that treats the password hash as the password itself<\/p>\n<\/li>\n<li>\n<p class=\"ds-markdown-paragraph\"><strong>Trust relationships<\/strong> that grant unintended access<\/p>\n<\/li>\n<li>\n<p class=\"ds-markdown-paragraph\"><strong>Legacy protocols<\/strong> that remain enabled for backward compatibility<\/p>\n<\/li>\n<\/ul>\n<p class=\"ds-markdown-paragraph\">This course teaches you to identify and exploit these design flaws\u2014not as an academic exercise, but as a practitioner preparing to defend real environments.<\/p>\n<hr \/>\n<h2>The Modern Attack Path<\/h2>\n<p class=\"ds-markdown-paragraph\">Before we dive into individual techniques, understand the <strong>kill chain<\/strong> that defines modern Active Directory attacks:<\/p>\n<div class=\"md-code-block 
md-code-block-light\">\n<pre>Initial Access \u2192 Discovery \u2192 Lateral Movement \u2192 Privilege Escalation \u2192 Persistence \u2192 Domain Dominance<\/pre>\n<\/div>\n<p class=\"ds-markdown-paragraph\">Each technique you will learn maps directly to this chain:<\/p>\n<div class=\"ds-scroll-area ds-scroll-area--show-on-focus-within _1210dd7 c03cafe9\">\n<div class=\"ds-scroll-area__gutters\">\n<div class=\"ds-scroll-area__horizontal-gutter\"><\/div>\n<div class=\"ds-scroll-area__vertical-gutter\"><\/div>\n<\/div>\n<table>\n<thead>\n<tr>\n<th>Phase<\/th>\n<th>Techniques Covered<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><strong>Initial Credential Capture<\/strong><\/td>\n<td>LLMNR Poisoning, SMB\/NTLM Relay<\/td>\n<\/tr>\n<tr>\n<td><strong>Lateral Movement<\/strong><\/td>\n<td>Pass the Hash, Impacket Tools (psexec, wmiexec, smbexec)<\/td>\n<\/tr>\n<tr>\n<td><strong>Privilege Escalation<\/strong><\/td>\n<td>ACL Abuse, Kerberoasting, Unconstrained Delegation, AD CS Attacks<\/td>\n<\/tr>\n<tr>\n<td><strong>Persistence<\/strong><\/td>\n<td>Golden Ticket, Sapphire Ticket<\/td>\n<\/tr>\n<tr>\n<td><strong>Domain Dominance<\/strong><\/td>\n<td>DCSync, NTDS.dit Extraction, Cross-Trust Attacks<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<hr \/>\n<h2>What You Will Learn<\/h2>\n<h3>Module 1: Enumeration<\/h3>\n<p>Learn to scope an Active Directory environment. Discover hosts, running services, open ports and generate a clear attack strategy using the BloodHound tool.<\/p>\n<h3>Module 2: LLMNR Poisoning<\/h3>\n<p class=\"ds-markdown-paragraph\">You will learn how legacy name resolution protocols (LLMNR and NBT-NS) become attack vectors. Using <strong>Responder<\/strong>, you will capture NTLMv2 hashes from unsuspecting users simply by waiting for a typo or misconfiguration. 
You will see firsthand how &#8220;passive&#8221; attacks yield high-value credentials without triggering alarms.<\/p>\n<h3>Module 3: SMB\/NTLM Relay<\/h3>\n<p class=\"ds-markdown-paragraph\">When hashes cannot be cracked, you will learn to <strong>relay<\/strong> them. Using <strong>ntlmrelayx.py<\/strong>, you will intercept authentication attempts and relay them to targets where the victim has privileges\u2014gaining code execution, dumping SAM hashes, and escalating privileges without ever possessing the plaintext password.<\/p>\n<h3>Module 4: Pass the Hash<\/h3>\n<p class=\"ds-markdown-paragraph\">Armed with captured NTLM hashes, you will learn to authenticate to remote systems without ever cracking a password. You will use <strong>Impacket&#8217;s psexec.py, wmiexec.py, and smbexec.py<\/strong> to move laterally across the network, executing commands and establishing footholds on domain-joined systems.<\/p>\n<h3>Module 5: Privilege Escalation<\/h3>\n<p class=\"ds-markdown-paragraph\">Compromising a standard user is only the beginning. You will learn to enumerate AD misconfigurations\u2014overly permissive ACLs, unconstrained delegation, Kerberoastable accounts, and Certificate Services vulnerabilities\u2014to escalate to <strong>Domain Admin<\/strong> privileges.<\/p>\n<h3>Module 6: Lateral Movement<\/h3>\n<p class=\"ds-markdown-paragraph\">Throughout the course, you will develop proficiency with <strong>Impacket<\/strong>, the industry-standard Python library for Active Directory exploitation, and <strong>NetExec<\/strong>, the industry-standard network service exploitation tool. You will learn not just individual commands, but how to chain them together for automated, multi-stage attacks that mirror real adversary behavior.<\/p>\n<h3>Module 7: Domain Persistence<\/h3>\n<p class=\"ds-markdown-paragraph\">Once you achieve Domain Admin, you will learn the ultimate persistence technique: the <strong>Golden Ticket<\/strong>. 
Using Impacket&#8217;s <strong>ticketer.py<\/strong> and Mimikatz, you will forge Kerberos tickets that grant you unlimited, undetectable access to any resource in the domain\u2014even if every password is changed.<\/p>\n<h3>Module 8: Domain Compromise<\/h3>\n<p>In this module you will learn how to dump the contents of the Active Directory central database (NTDS.dit) to retrieve password hashes for all users in the domain.<\/p>\n<hr \/>\n<h2>Course Philosophy<\/h2>\n<p class=\"ds-markdown-paragraph\">This course is built on three principles:<\/p>\n<h3>1. Practice Over Theory<\/h3>\n<p class=\"ds-markdown-paragraph\">Each technique is accompanied by a <strong>hands-on lab<\/strong> in an isolated Active Directory environment. You will execute every attack yourself\u2014not just watch demonstrations. By the end, you will have a personal lab environment to continue testing and refining your skills.<\/p>\n<h3>2. Understand Before Automating<\/h3>\n<p class=\"ds-markdown-paragraph\">We will use tools like Responder, Impacket, and Mimikatz\u2014but we will also dissect what they do. You will learn the underlying protocols (NTLM, Kerberos, SMB) so you can adapt when automated tools fail or need customization.<\/p>\n<h3>3. Think Like an Adversary<\/h3>\n<p class=\"ds-markdown-paragraph\">This is not a &#8220;vulnerability scanning&#8221; course. 
You will learn to think in terms of <strong>attack paths<\/strong>: how a low-privileged user becomes a Domain Admin, and how to identify those same paths in your own organization&#8217;s environment.<\/p>\n<hr \/>\n<h2>Prerequisites &amp; Tools<\/h2>\n<h3>What You Should Know<\/h3>\n<ul>\n<li>\n<p class=\"ds-markdown-paragraph\">Basic Windows system administration (users, groups, permissions)<\/p>\n<\/li>\n<li>\n<p class=\"ds-markdown-paragraph\">Familiarity with networking concepts (TCP\/IP, DNS, SMB)<\/p>\n<\/li>\n<li>\n<p class=\"ds-markdown-paragraph\">Comfort with command-line interfaces (Linux terminal, PowerShell)<\/p>\n<\/li>\n<li>\n<p class=\"ds-markdown-paragraph\">Basic Python understanding (helpful but not required)<\/p>\n<\/li>\n<\/ul>\n<h3>Tools You Will Master<\/h3>\n<ul>\n<li>\n<p class=\"ds-markdown-paragraph\"><strong>Responder<\/strong> \u2014 LLMNR\/NBT-NS poisoning<\/p>\n<\/li>\n<li>\n<p class=\"ds-markdown-paragraph\"><strong>Impacket<\/strong> \u2014 psexec, wmiexec, smbexec, ntlmrelayx, secretsdump, ticketer<\/p>\n<\/li>\n<li>\n<p class=\"ds-markdown-paragraph\"><strong>Mimikatz<\/strong> \u2014 credential extraction, golden tickets<\/p>\n<\/li>\n<li>\n<p class=\"ds-markdown-paragraph\"><strong>BloodHound<\/strong> \u2014 Active Directory enumeration and attack path mapping<\/p>\n<\/li>\n<li>\n<p class=\"ds-markdown-paragraph\"><strong>CrackMapExec \/ NetExec<\/strong> \u2014 Multi-protocol lateral movement<\/p>\n<\/li>\n<\/ul>\n<h3>Lab Environment<\/h3>\n<p class=\"ds-markdown-paragraph\">You will have access to:<\/p>\n<ul>\n<li>\n<p class=\"ds-markdown-paragraph\">A fully configured Active Directory domain with Domain Controller and workstations<\/p>\n<\/li>\n<li>\n<p class=\"ds-markdown-paragraph\">Attack machine (Kali Linux) preloaded with all necessary tools<\/p>\n<\/li>\n<li>\n<p class=\"ds-markdown-paragraph\">Isolated virtual network for safe, legal practice<\/p>\n<\/li>\n<\/ul>\n<hr \/>\n<h2>A Note on Ethics<\/h2>\n<p 
class=\"ds-markdown-paragraph\">This course teaches offensive techniques for one purpose: <strong>defense<\/strong>. Every attack demonstrated is a technique used by real adversaries. Understanding how these attacks work is the only way to effectively detect, prevent, and respond to them.<\/p>\n<p class=\"ds-markdown-paragraph\"><strong>You are responsible for how you use this knowledge.<\/strong> Never apply these techniques against systems you do not own or have explicit written permission to test. The line between pentesting and malicious activity is authorization\u2014and crossing it has real consequences.<\/p>\n<hr \/>\n<h2>What You Will Achieve<\/h2>\n<p class=\"ds-markdown-paragraph\">By the end of this course, you will be able to:<\/p>\n<ul>\n<li>\n<p class=\"ds-markdown-paragraph\"><strong>Enumerate<\/strong> Active Directory environments to identify attack paths<\/p>\n<\/li>\n<li>\n<p class=\"ds-markdown-paragraph\"><strong>Capture<\/strong> credentials using LLMNR poisoning and SMB relay attacks<\/p>\n<\/li>\n<li>\n<p class=\"ds-markdown-paragraph\"><strong>Move laterally<\/strong> using Pass the Hash and Impacket tooling<\/p>\n<\/li>\n<li>\n<p class=\"ds-markdown-paragraph\"><strong>Escalate privileges<\/strong> from standard user to Domain Admin<\/p>\n<\/li>\n<li>\n<p class=\"ds-markdown-paragraph\"><strong>Establish persistence<\/strong> with Golden Ticket attacks<\/p>\n<\/li>\n<li>\n<p class=\"ds-markdown-paragraph\"><strong>Compromise<\/strong> an AD Domain by dumping the central user database<\/p>\n<\/li>\n<\/ul>\n<p class=\"ds-markdown-paragraph\">Whether you are an aspiring penetration tester, a system administrator looking to defend your environment, or a red team operator sharpening your skills, this course will give you the practical knowledge to <strong>own the domain<\/strong>\u2014and then secure it.<\/p>\n<hr \/>\n<h2>Ready to Begin?<\/h2>\n<p class=\"ds-markdown-paragraph\">Turn on your lab. Open your terminal. 
The domain is waiting.<\/p>\n<p class=\"ds-markdown-paragraph\">Let&#8217;s attack.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Pentesting AD Welcome to Active Directory Attacks \u2014a hands-on, technical deep dive into the offensive security techniques that target the&hellip;<\/p>\n","protected":false},"author":1,"featured_media":997,"comment_status":"closed","ping_status":"closed","template":"","course_category":[2],"course_tag":[],"class_list":["post-28","lp_course","type-lp_course","status-publish","has-post-thumbnail","hentry","course_category-training","course"],"_links":{"self":[{"href":"https:\/\/cyberforcesecurity.org\/courses\/wp-json\/wp\/v2\/lp_course\/28","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cyberforcesecurity.org\/courses\/wp-json\/wp\/v2\/lp_course"}],"about":[{"href":"https:\/\/cyberforcesecurity.org\/courses\/wp-json\/wp\/v2\/types\/lp_course"}],"author":[{"embeddable":true,"href":"https:\/\/cyberforcesecurity.org\/courses\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cyberforcesecurity.org\/courses\/wp-json\/wp\/v2\/comments?post=28"}],"version-history":[{"count":24,"href":"https:\/\/cyberforcesecurity.org\/courses\/wp-json\/wp\/v2\/lp_course\/28\/revisions"}],"predecessor-version":[{"id":970,"href":"https:\/\/cyberforcesecurity.org\/courses\/wp-json\/wp\/v2\/lp_course\/28\/revisions\/970"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cyberforcesecurity.org\/courses\/wp-json\/wp\/v2\/media\/997"}],"wp:attachment":[{"href":"https:\/\/cyberforcesecurity.org\/courses\/wp-json\/wp\/v2\/media?parent=28"}],"wp:term":[{"taxonomy":"course_category","embeddable":true,"href":"https:\/\/cyberforcesecurity.org\/courses\/wp-json\/wp\/v2\/course_category?post=28"},{"taxonomy":"course_tag","embeddable":true,"href":"https:\/\/cyberforcesecurity.org\/courses\/wp-json\/wp\/v2\/course_tag?post=28"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}