Physical attacks
Mobile Apps Pentesting

Active Directory

Basic overview

Active Directory allows network administrators to create and manage domains, users, and objects within a network. For example, an admin can create a group of users and give them specific access privileges to certain directories on the server. As a network grows, Active Directory provides a way to organize a large number of users into logical groups and subgroups, while providing access control at each level.

The Active Directory structure includes three main tiers: 1) domains, 2) trees, and 3) forests. Several objects (users or devices) that all use the same database may be grouped in to a single domain. Multiple domains can be combined into a single group called a tree. Multiple trees may be grouped into a collection called a forest. Each one of these levels can be assigned specific access rights and communication privileges.

Main concepts of an Active Directory:

  1. Directory – Contains all the information about the objects of the Active directory

  2. Object – An object references almost anything inside the directory (a user, group, shared folder...)

  3. Domain – The objects of the directory are contained inside the domain. Inside a "forest" more than one domain can exist and each of them will have their own objects collection.

  4. Tree – Group of domains with the same root. Example: dom.local,, www.dom.local

  5. Forest – The forest is the highest level of the organization hierarchy and is composed by a group of trees. The trees are connected by trust relationships.

Active Directory provides several different services, which fall under the umbrella of "Active Directory Domain Services," or AD DS. These services include:

  1. Domain Services – stores centralized data and manages communication between users and domains; includes login authentication and search functionality

  2. Certificate Services – creates, distributes, and manages secure certificates

  3. Lightweight Directory Services – supports directory-enabled applications using the open (LDAP) protocol

  4. Directory Federation Services – provides single-sign-on (SSO) to authenticate a user in multiple web applications in a single session

  5. Rights Management – protects copyrighted information by preventing unauthorized use and distribution of digital content

  6. DNS Service – Used to resolve domain names.

AD DS is included with Windows Server (including Windows Server 10) and is designed to manage client systems. While systems running the regular version of Windows do not have the administrative features of AD DS, they do support Active Directory. This means any Windows computer can connect to a Windows workgroup, provided the user has the correct login credentials.


Active Directory Recon

You can find some commands that you can use to perform a basic recon here. Also, you could use PowerView


This will help you to find possible ways to become a domain admin by exploiting some "flaws" on the permissions of the objects inside the Active Directory.

BloodHound example tutorial:

runas /netonly /user:domain\user "powershell.exe -exec bypass"

Attacking Active Directory

For this purpose, you will find very interesting the post about pentesting Kerberos.

Password Spraying

Once you have found one or several computers inside the Domain, or some AD, and you have find several valid usernames.You can find them brute forcing them, or if you have a valid domain user you can extract all the usernames of the domain -all -dc-ip With this usernames you can try the most common passwords to see if you find any valid credentials inside some of the hosts you attack. You can get the password policy using a valid user with crackmapexec or enum4linux: crackmapexec <IP> -u 'user' -p 'password' --pass-pol

enum4linx -u 'username' -p 'password' -P <IP>

Then you can use the smb_login module of metasploit to test the passwords

You could also use the PS1 script: DomainPasswordSpray.ps1

Several lists of common usernames could also be useful:

So have to be very careful with password spraying because you could lockout accounts. To brute force taking this into mind, you can use spray:

apt-get install spray
spray -smb <targetIP> <usernameList> <passwordList> <AttemptsPerLockoutPeriod> <LockoutPeriodInMinutes> <Domain>

Active Directory Credentials - NTDS.dit

The Ntds.dit file is a database that stores Active Directory data, including information about user objects, groups, and group membership. It includes the password hashes for all users in the domain.

The important NTDS.dit file will be located in: %SystemRoom%/NTDS/ntds.dit This file is a database Extensible Storage Engine (ESE) and is "officially" composed by 3 tables:

  • Data Table: Contains the informatino about the objects (users, groups...)

  • Link Table: Informatino about the relations (member of...)

  • SD Table: Contains the security descriptors of each object

More information about this:

Windows uses Ntdsa.dll to interact with that file and its used by lsass.exe. Then, part of the NTDS.dit file could be located inside the lsass memory (you can find the lastet accessed data probably because of the performance impruve by using a cache).

Decrypting the hashes inside NTDS.dit

The hash is cyphered 3 times:

  1. Decrypt Password Encryption Key (PEK) using the BOOTKEY and RC4.

  2. Decrypt tha hash using PEK and RC4.

  3. Decrypt the hash using DES.

PEK have the same value in every domain controller, but it is cyphered inside the NTDS.dit file using the BOOTKEY of the SYSTEM file of the domain controller (is different between domain controllers). This is why to get the credentials from the NTDS.dit file you need the files NTDS.dit and SYSTEM (C:\Windows\System32\config\SYSTEM).

You can find ways to obtains the NTDS.dit file here.

Extracting hashes from NTDS.dit

Once you have obtained the files NTDS.dit and SYSTEM you can use tools like to extract the hashes: -ntds ntds.dit -system SYSTEM LOCAL -outputfile credentials.txt

You can also extract them automatically using a valid domain admin user: -just-dc-ntlm <DOMAIN>/<USER>@<DOMAIN_CONTROLLER>

Finally, you can also use the metasploit module: post/windows/gather/credentials/domain_hashdump or mimikatz lsadump::lsa /inject


You need to be a domain admin


It allows the attacker to pretend to be a Domain Controller and ask other DC’s for user password data.

How the DCSync Attack Works

The following is a summarization of how the attack works:

  1. An attacker compromises an account with the rights to perform domain replication (e.g. Domain Admins, Enterprise Admins, Administrators, and Domain Controllers groups by default)

  2. Once the proper privileges are obtained, the attacker leverages the Mimikatz DCSync command to retrieve account password hashes from Active Directory

  3. Once obtained, the attacker can create forged Kerberos tickets to access any resource connected to Active Directory

mimikatz# lsadump::dcsync /domain:dom.local /usr:krbtgt

In order to launch this attack you can also use Invoke-DCSync: Invoke-DCSync -PWDumpFormat Or other tools:

Important Notes about DCSync:

  • The DCSync attack simulates the behavior of a Domain Controller and asks other Domain Controllers to replicate information using the Directory Replication Service Remote Protocol (MS-DRSR). Because MS-DRSR is a valid and necessary function of Active Directory, it cannot be turned off or disabled.

  • While Domain Replication capabilities are controlled by the Replicating Changes permissions set on the domain (specifically Replicating Changes All and Replicating Directory Changes) and are limited to the Domain Admins, Enterprise Admins, Administrators, and Domain Controllers groups by default, it is possible for any account or group to be granted these rights.

  • If any account passwords are stored with reversible encryption, an option is available in Mimikatz to return the password in clear text

DCShadow attack

You need to be a domain admin


DCShadow enables an attacker (using Mimikatz) to create a fake Active Directory Domain Controller (DC) that can replicate malicious changes to legitimate DCs.

How the DCShadow Attack Works

The following is a summarization of how the attack works:

  1. An attacker obtains Domain Admin rights and wants to make changes that will not be detected to create persistence.

  2. Using DCShadow (a feature of Mimikatz) the attacker will register the computer it is run from (such as a workstation) as a Domain Controller in Active Directory by making changes to the AD’s Configuration schema and the workstation’s SPN values. Now AD thinks this workstation is a Domain Controller and it is trusted to replicate changes.

  3. A change is crafted by the attacker. The workstation makes this change available to a legitimate Domain Controller through replication.

  4. Replication is triggered by DCShadow and the change is replicated and then committed by a legitimate Domain Controller

More information and how to exploit this can be found here:

Important Notes about DCShadow:

  • Because the changes are committed through replication, these changes are not logged to the event log how other changes would be. That is normally done on the Domain Controller where the changes originated, but in this case there is no actual DC where the changes originated from.

    • This makes it difficult to detect

  • The DCShadow attack uses native features of Active Directory, so it is not a vulnerability and cannot be patched.

    • This makes it difficult to prevent

Skeleton Key


There are several methods for compromising Active Directory accounts that attackers can use to elevate privileges and create persistence once they have established themselves in your domain. The Skeleton Key is a particularly scary piece of malware targeted at Active Directory domains to make it alarmingly easy to hijack any account. This malware injects itself into LSASS and creates a master password that will work for any account in the domain. Existing passwords will also continue to work, so it is very difficult to know this attack has taken place unless you know what to look for.

Not surprisingly, this is one of the many attacks that is packaged and very easy to perform using Mimikatz. Let’s take a look at how it works.

Requirements for the Skeleton Key Attack

In order to perpetrate this attack, the attacker must have Domain Admin rights. This attack must be performed on each and every domain controller for complete compromise, but even targeting a single domain controller can be effective. Rebooting a domain controller will remove this malware and it will have to be redeployed by the attacker.

Performing the Skeleton Key Attack

Performing the attack is very straightforward to do. It only requires the following command to be run on each domain controller: misc::skeleton. After that, you can authenticate as any user with the default password of Mimikatz.

Injecting a skeleton key using the misc::skeleton into a domain controller with Mimikatz

Here is an authentication for a Domain Admin member using the skeleton key as a password to get administrative access to a domain controller:

Using the skeleton key as a password with the misc::skeleton command to get administrative access to a domain controller with the default password of Mimikatz

Note: If you do get a message saying, “System error 86 has occurred. The specified network password is not correct”, just try using the domain\account format for the username and it should work.

Using the domain\account format for the username if you get a message saying System error 86 has occurred The specified network password is not correct

If lsass was already patched with skeleton, then this error will appear:

More Tools