Chapter 17 Exercises: Active Directory Attacks

⚖️ Legal Note: All exercises must be performed in your Student Home Lab AD environment. Never test AD attacks against production environments without explicit written authorization.


Exercise 1: Build an AD Lab Environment

Difficulty: Beginner | Time: 90 minutes

Set up a vulnerable Active Directory lab for practicing the techniques in this chapter.

  1. Install Windows Server 2019/2022 as a Domain Controller (DC01).
  2. Promote it to a domain controller for a test domain (e.g., lab.local).
  3. Install AD Certificate Services on DC01.
  4. Join a Windows 10/11 workstation (WS01) to the domain.
  5. Create the following accounts:
     - 5 standard domain users
     - 1 service account (svc_sql) with an SPN and a weak password
     - 1 account with "Do not require Kerberos preauthentication" enabled
     - 1 account in Domain Admins
  6. Run BadBlood or manually create vulnerable configurations.

Deliverable: Functioning AD lab with documented vulnerable configurations.


Exercise 2: BloodHound Data Collection and Analysis

Difficulty: Beginner | Time: 30 minutes

  1. Install BloodHound and neo4j on your attack machine.
  2. Run SharpHound on WS01 to collect AD data.
  3. Import the data into BloodHound.
  4. Run the following pre-built queries:
     - "Find Shortest Paths to Domain Admins"
     - "Find Kerberoastable Accounts"
     - "Find AS-REP Roastable Users"
     - "Find Computers with Unconstrained Delegation"
  5. Write custom Cypher queries to find:
     - Users with DCSync rights
     - Accounts with password never expires
     - Computers where Domain Users are local admin

Deliverable: Screenshots of BloodHound attack paths and custom query results.


Exercise 3: Kerberoasting Attack

Difficulty: Intermediate | Time: 25 minutes

  1. Using PowerView, enumerate all domain accounts with SPNs.
  2. Request a TGS ticket for the svc_sql service account using Rubeus (kerberoast /user:svc_sql).
  3. Output the hash in hashcat format (/format:hashcat) and note the encryption type: a $krb5tgs$23$ (RC4) hash cracks with hashcat mode 13100, while $krb5tgs$17$ / $krb5tgs$18$ (AES) hashes need modes 19600 / 19700 and crack orders of magnitude more slowly.
  4. Crack the hash using hashcat with a wordlist.
  5. Verify the cracked password by authenticating as the service account.
  6. Repeat the exercise using Impacket's GetUserSPNs.py from Linux.

Deliverable: Documentation of the complete Kerberoasting workflow with evidence.


Exercise 4: AS-REP Roasting

Difficulty: Intermediate | Time: 20 minutes

  1. Identify accounts with "Do not require Kerberos preauthentication" using PowerView.
  2. Request AS-REP tickets using Rubeus.
  3. Crack the tickets using hashcat (-m 18200 for the $krb5asrep$23$ RC4 format).
  4. Compare the cracking difficulty between AS-REP and Kerberoasting hashes.
  5. Fix the vulnerability by clearing the "Do not require Kerberos preauthentication" flag (UF_DONT_REQUIRE_PREAUTH, 0x400000, in userAccountControl) so the account requires preauthentication again, then repeat step 2 and confirm the request fails.
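A small parser that tells the two roast formats apart and picks the hashcat mode from the encryption type, added here for Exercises 3 and 4; it is not code from the original page, nor from Rubeus, Impacket or hashcat. The sample hashes are constructed from placeholder bytes (the checksum and ciphertext fields are not real Kerberos data), and the output file name in hashcat_command is a hypothetical one.

```python
"""Classify Kerberoast / AS-REP roast hashes and map them to hashcat modes."""
import re

# hashcat mode per (roast kind, Kerberos encryption type)
HASHCAT_MODES = {
    ("tgs", 23): 13100,    # Kerberos 5 TGS-REP etype 23 (RC4-HMAC)
    ("tgs", 17): 19600,    # Kerberos 5 TGS-REP etype 17 (AES128-CTS-HMAC-SHA1-96)
    ("tgs", 18): 19700,    # Kerberos 5 TGS-REP etype 18 (AES256-CTS-HMAC-SHA1-96)
    ("asrep", 23): 18200,  # Kerberos 5 AS-REP etype 23
    ("asrep", 17): 32100,  # Kerberos 5 AS-REP etype 17/18 (hashcat 6.2.6 and later)
    ("asrep", 18): 32100,
}

# Why the etype decides cracking cost (Exercise 4 step 4): an RC4 guess costs one MD4 of the
# candidate password because the NT hash is the key; an AES guess costs PBKDF2-HMAC-SHA1 with
# 4096 iterations plus AES key derivation.
KEY_DERIVATION = {
    23: "MD4(UTF-16LE(password))",
    17: "PBKDF2-HMAC-SHA1 x4096 + AES DK",
    18: "PBKDF2-HMAC-SHA1 x4096 + AES DK",
}

_ASREP_RE = re.compile(r"^(?:(\d+)\$)?([^@$]+)@([^:$]+):([0-9a-fA-F]+)\$([0-9a-fA-F]+)$")


def classify_roast_hash(h: str) -> dict:
    """Parse one hashcat-format roast hash as emitted by Rubeus or Impacket.
    Principal names containing '$' (machine accounts) are not handled."""
    spn = None
    if h.startswith("$krb5tgs$"):
        kind = "tgs"
        etype_s, rest = h[len("$krb5tgs$"):].split("$", 1)
        etype = int(etype_s)
        if rest.startswith("*"):
            # etype 23 layout: *user$realm$spn*$checksum$edata
            inner, rest = rest[1:].split("*$", 1)
            user, realm, spn = inner.split("$", 2)
        else:
            # etype 17/18 layout: user$realm$[*spn*$]checksum$edata
            user, realm, rest = rest.split("$", 2)
            if rest.startswith("*"):
                spn, rest = rest[1:].split("*$", 1)
        checksum, edata = rest.split("$", 1)
    elif h.startswith("$krb5asrep$"):
        kind = "asrep"
        body = h[len("$krb5asrep$"):]
        m = _ASREP_RE.match(body)
        if m:
            # etype 23 layout: [23$]user@REALM:checksum$edata (Rubeus' john format omits "23$")
            etype = int(m.group(1)) if m.group(1) else 23
            user, realm, checksum, edata = m.group(2), m.group(3), m.group(4), m.group(5)
        else:
            # AES layout: etype$user$REALM$checksum$edata
            etype_s, user, realm, checksum, edata = body.split("$")
            etype = int(etype_s)
    else:
        raise ValueError("not a $krb5tgs$ or $krb5asrep$ hash")
    # RC4 carries a 16-byte HMAC-MD5 checksum, the AES etypes a 12-byte HMAC-SHA1-96 checksum
    expected = 32 if etype == 23 else 24
    if len(checksum) != expected:
        raise ValueError(f"etype {etype} checksum should be {expected} hex chars, got {len(checksum)}")
    mode = HASHCAT_MODES.get((kind, etype))
    if mode is None:
        raise ValueError(f"unsupported etype {etype} for {kind}")
    return {"kind": kind, "etype": etype, "user": user, "realm": realm, "spn": spn,
            "checksum": checksum, "edata_len": len(edata) // 2, "mode": mode,
            "key_derivation": KEY_DERIVATION[etype]}


def hashcat_command(h: str, wordlist: str = "rockyou.txt") -> str:
    """hashcat invocation for the hash's mode (the hash file name is hypothetical)."""
    info = classify_roast_hash(h)
    return f"hashcat -m {info['mode']} -a 0 {info['kind']}_{info['etype']}.txt {wordlist}"


# ---- constructed samples: placeholder hex, not real tickets ----
_CK23, _CK18, _EDATA = "aa" * 16, "bb" * 12, "cc" * 48
SAMPLE_TGS23 = f"$krb5tgs$23$*svc_sql$LAB.LOCAL$MSSQLSvc/sql01.lab.local:1433*${_CK23}${_EDATA}"
SAMPLE_TGS18 = f"$krb5tgs$18$svc_sql$LAB.LOCAL$*MSSQLSvc/sql01.lab.local:1433*${_CK18}${_EDATA}"
SAMPLE_ASREP23 = f"$krb5asrep$23$j.doe@LAB.LOCAL:{_CK23}${_EDATA}"
SAMPLE_ASREP18 = f"$krb5asrep$18$j.doe$LAB.LOCAL${_CK18}${_EDATA}"

if __name__ == "__main__":
    for s in (SAMPLE_TGS23, SAMPLE_TGS18, SAMPLE_ASREP23, SAMPLE_ASREP18):
        i = classify_roast_hash(s)
        print(f"{i['kind']:5} etype={i['etype']:2} mode={i['mode']} user={i['user']} key={i['key_derivation']}")
```

Running the file prints one line per sample; the checksum-length check is what catches a hash that was copied with a truncated line, the most common reason hashcat reports "token length exception".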

Deliverable: AS-REP Roasting walkthrough with cracking metrics.


Exercise 5: Pass-the-Hash and Overpass-the-Hash

Difficulty: Intermediate | Time: 30 minutes

  1. Use Mimikatz to extract NTLM hashes from a compromised workstation.
  2. Perform Pass-the-Hash using Impacket's psexec.py to access another system.
  3. Perform Overpass-the-Hash using Rubeus to convert the NTLM hash to a TGT.
  4. Use the TGT to access resources via Kerberos.
  5. Compare the network traffic generated by each technique (use Wireshark): Pass-the-Hash shows NTLMSSP negotiation inside SMB to the target and no Kerberos traffic, while Overpass-the-Hash shows an AS-REQ/AS-REP exchange with the DC followed by TGS-REQ/TGS-REP; note that the TGT was requested with RC4 (etype 23), which stands out in a domain where AES is the norm and appears in event 4768 as TicketEncryptionType 0x17.

Deliverable: Comparison of PtH vs. OPtH with network traffic analysis.


Exercise 6: Delegation Attack Lab

Difficulty: Advanced | Time: 45 minutes

  1. Configure a computer account (e.g., APP01) with unconstrained delegation ("Trust this computer for delegation to any service").
  2. Use SpoolSample to coerce DC01 to authenticate to the delegation host (the Print Spooler service must be running on DC01).
  3. Capture the DC01$ TGT using Rubeus monitor; it arrives inside the service ticket DC01$ presents to the delegation host.
  4. Configure a service account with constrained delegation to a specific SPN (msDS-AllowedToDelegateTo) and protocol transition enabled ("Use any authentication protocol"), otherwise the S4U2Self ticket is not forwardable and S4U2Proxy fails.
  5. Use Rubeus s4u to impersonate a Domain Admin to the allowed service; the impersonated account must not be in Protected Users or marked "Account is sensitive and cannot be delegated".
  6. Configure RBCD: create a machine account (requires ms-DS-MachineAccountQuota > 0, default 10) and, with write access to the target computer object, set its msDS-AllowedToActOnBehalfOfOtherIdentity attribute to a security descriptor that grants the new machine account full control.
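Step 6 writes a binary security descriptor, and both the attack and the later clean-up depend on getting that structure right. The block below builds and parses that blob with nothing but the standard library; it is an added example for Exercise 6 (and for the delegation audit in the blue-team exercise), not code from the original page, Rubeus or Impacket. The machine-account SID and the DN in the comments are constructed values, and the ldap3 calls in the comments are shown but not executed.

```python
"""Build and parse the security descriptor in msDS-AllowedToActOnBehalfOfOtherIdentity."""
import struct

ACCESS_ALLOWED_ACE_TYPE = 0x00
ACL_REVISION_DS = 0x04            # ACL revision used for AD object security descriptors
SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
FULL_CONTROL = 0x000F01FF         # SDDL "CCDCLCSWRPWPDTLOCRSDRCWDWO" (983551, the mask Impacket's rbcd.py uses)
BUILTIN_ADMINISTRATORS = "S-1-5-32-544"


def sid_to_bytes(sid: str) -> bytes:
    """'S-1-5-21-...' -> binary SID: revision, sub-authority count, 48-bit authority (BE), sub-authorities (LE)."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError(f"malformed SID {sid!r}")
    rev, authority, subs = int(parts[1]), int(parts[2]), [int(p) for p in parts[3:]]
    return (struct.pack("<BB", rev, len(subs)) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(buf: bytes, off: int = 0) -> tuple:
    """Binary SID at offset -> (string form, byte length)."""
    rev, count = struct.unpack_from("<BB", buf, off)
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from(f"<{count}I", buf, off + 8)
    return "S-%d-%d-%s" % (rev, authority, "-".join(str(s) for s in subs)), 8 + 4 * count


def build_rbcd_sd(allowed_sids: list) -> bytes:
    """Self-relative SECURITY_DESCRIPTOR: owner/group BUILTIN\\Administrators, no SACL, and one
    ACCESS_ALLOWED_ACE with full control per SID. This is the blob written to the target
    computer object to allow those principals to act on its behalf."""
    aces = b"".join(
        struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, 0, 8 + len(sb), FULL_CONTROL) + sb
        for sb in map(sid_to_bytes, allowed_sids)
    )
    dacl = struct.pack("<BBHHH", ACL_REVISION_DS, 0, 8 + len(aces), len(allowed_sids), 0) + aces
    owner = group = sid_to_bytes(BUILTIN_ADMINISTRATORS)
    off_owner = 20                                   # size of the fixed header
    off_group = off_owner + len(owner)
    off_dacl = off_group + len(group)
    header = struct.pack("<BBHIIII", 1, 0, SE_DACL_PRESENT | SE_SELF_RELATIVE,
                         off_owner, off_group, 0, off_dacl)   # OffsetSacl = 0: no SACL
    return header + owner + group + dacl


def parse_rbcd_sd(sd: bytes) -> list:
    """[(sid, access_mask)] for every ACCESS_ALLOWED ACE: who may act on behalf of this computer."""
    _, _, control, _, _, _, off_dacl = struct.unpack_from("<BBHIIII", sd, 0)
    if not (control & SE_DACL_PRESENT) or off_dacl == 0:
        return []
    _, _, _, ace_count, _ = struct.unpack_from("<BBHHH", sd, off_dacl)
    allowed, pos = [], off_dacl + 8
    for _ in range(ace_count):
        ace_type, _, ace_size, mask = struct.unpack_from("<BBHI", sd, pos)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            allowed.append((bytes_to_sid(sd, pos + 8)[0], mask))
        pos += ace_size
    return allowed


# constructed SID of the attacker-created machine account from step 6
FAKE_MACHINE_SID = "S-1-5-21-1004336348-1177238915-682003330-1601"

if __name__ == "__main__":
    blob = build_rbcd_sd([FAKE_MACHINE_SID])
    print(len(blob), "bytes:", blob.hex())
    print("allowed to act on behalf:", parse_rbcd_sd(blob))
    # Writing it with ldap3 (hypothetical DN; needs WriteProperty on the computer object):
    #   conn.modify("CN=WS01,CN=Computers,DC=lab,DC=local",
    #               {"msDS-AllowedToActOnBehalfOfOtherIdentity": [(MODIFY_REPLACE, [blob])]})
    # Clean-up / remediation: the same attribute with [(MODIFY_DELETE, [])].
```

For the audit side, read the attribute from every computer object and run parse_rbcd_sd on it: any SID that is not an expected front-end service account is a finding.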

Deliverable: Complete delegation attack documentation covering all three types.


Exercise 7: DCSync Attack

Difficulty: Intermediate | Time: 20 minutes

  1. From a compromised Domain Admin session, use Mimikatz to perform DCSync.
  2. Extract the krbtgt hash and the Administrator hash.
  3. Repeat using Impacket's secretsdump.py from Linux.
  4. Verify the extracted hashes by performing Pass-the-Hash.
  5. Identify which non-default accounts have DCSync rights (DS-Replication-Get-Changes together with DS-Replication-Get-Changes-All on the domain object) using BloodHound.

Deliverable: DCSync evidence and non-default DCSync rights audit.


Exercise 8: Golden Ticket Creation and Usage

Difficulty: Advanced | Time: 30 minutes

  1. Using the krbtgt hash from Exercise 7 (plus the domain SID), create a Golden Ticket with Mimikatz.
  2. Inject the ticket and verify domain-wide access.
  3. Create a Golden Ticket for a non-existent user and test whether it is accepted. On a DC patched for CVE-2021-42287 (KB5008380, enforcement phase since October 2022) the KDC validates the PAC_REQUESTOR SID against the account and rejects the ticket; record which behaviour your lab DC shows.
  4. Create a Golden Ticket using Impacket's ticketer.py.
  5. Test access to file shares, remote execution, and other services.
  6. Reset the krbtgt password twice, allowing replication to complete between the two resets, and verify the Golden Ticket is invalidated. One reset is not enough: the KDC still accepts tickets encrypted with the previous krbtgt key.

Deliverable: Golden Ticket creation and validation documentation.


Exercise 9: Silver Ticket Creation

Difficulty: Advanced | Time: 25 minutes

  1. Extract a computer account's NTLM hash (or AES key) from a compromised system.
  2. Create a Silver Ticket for the CIFS service using Mimikatz.
  3. Access the target's file shares using the forged ticket.
  4. Create Silver Tickets for different service types (HOST, HTTP, LDAP).
  5. Compare Silver Ticket detection visibility with Golden Ticket: a Silver Ticket is forged for a single service and is never presented to the DC, so no 4768/4769 events are generated there; the only trace is on the target host (e.g. a 4624 logon with no matching TGS request on the DC).

Deliverable: Silver Ticket comparison with service-type analysis.


Exercise 10: AD CS ESC1 Exploitation

Difficulty: Advanced | Time: 40 minutes

  1. Install AD Certificate Services on your DC with default templates (skip if already done in Exercise 1).
  2. Create a vulnerable certificate template (ESC1): enable ENROLLEE_SUPPLIES_SUBJECT, add the Client Authentication EKU, allow Domain Users to enroll, and leave manager approval disabled with the number of required authorized signatures at 0.
  3. Use Certify/Certipy to identify the vulnerable template.
  4. Request a certificate with the Administrator's UPN as the SAN.
  5. Use the certificate to authenticate as Administrator (PKINIT). If the DC enforces strong certificate mapping (KB5014754 Full Enforcement), a certificate without the SID security extension is rejected; note which mode your DC is in.
  6. Fix the template by disabling ENROLLEE_SUPPLIES_SUBJECT (or by requiring manager approval, or by removing low-privileged enrollment rights) and verify that the request from step 4 now fails.
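What Certify/Certipy evaluate in step 3 is a handful of template attributes; the block below makes that check explicit and applies the step 6 fix to a copy. It is an added example for Exercise 10 and not code from the original page, Certify or Certipy. Templates are modelled as plain dicts keyed by the AD attribute names; the enroll_sids field is a simplification of the real check, which parses nTSecurityDescriptor for the Certificate-Enrollment extended right. The SIDs and the two templates are constructed (the second is modelled after the default User template).

```python
"""ESC1 check over certificate-template attributes, plus the remediation."""
import copy

# msPKI-Certificate-Name-Flag
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
# msPKI-Enrollment-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002          # "CA certificate manager approval"

# EKUs (pKIExtendedKeyUsage) that let a certificate authenticate a client
CLIENT_AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "2.5.29.37.0",             # Any Purpose
}


def is_low_privileged(sid: str) -> bool:
    """Everyone, Authenticated Users, Domain Users (RID 513) or Domain Computers (RID 515)."""
    return sid in ("S-1-1-0", "S-1-5-11") or sid.endswith(("-513", "-515"))


def esc1_blockers(template: dict) -> list:
    """Conditions that are NOT met; an empty list means the template is ESC1-vulnerable."""
    blockers = []
    if not template["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        blockers.append("enrollee does not supply subject (SAN comes from AD)")
    ekus = template.get("pKIExtendedKeyUsage") or []
    if ekus and not CLIENT_AUTH_EKUS.intersection(ekus):   # no EKU at all = usable for any purpose
        blockers.append("no client-authentication EKU")
    if template["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS:
        blockers.append("manager approval required")
    if template.get("msPKI-RA-Signature", 0) > 0:
        blockers.append("authorized signature(s) required")
    if not any(is_low_privileged(s) for s in template["enroll_sids"]):
        blockers.append("no low-privileged principal has Enroll rights")
    return blockers


def is_esc1(template: dict) -> bool:
    return not esc1_blockers(template)


def remediate_esc1(template: dict) -> dict:
    """Step 6: clear ENROLLEE_SUPPLIES_SUBJECT (alternatives: set CT_FLAG_PEND_ALL_REQUESTS or
    drop the low-privileged Enroll ACE). Returns a modified copy."""
    fixed = copy.deepcopy(template)
    fixed["msPKI-Certificate-Name-Flag"] &= ~CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
    return fixed


# ---- constructed templates ----
DOMAIN_SID = "S-1-5-21-1004336348-1177238915-682003330"
VULN_TEMPLATE = {
    "name": "LabUserSupplied",
    "msPKI-Certificate-Name-Flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
    "msPKI-Enrollment-Flag": 0,
    "msPKI-RA-Signature": 0,
    "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
    "enroll_sids": [f"{DOMAIN_SID}-513"],            # Domain Users
}
USER_TEMPLATE = {   # modelled after the default "User" template: SAN is built from AD, so not ESC1
    "name": "User",
    "msPKI-Certificate-Name-Flag": 0xA6000000,       # SUBJECT_ALT_REQUIRE_UPN and friends; bit 0 clear
    "msPKI-Enrollment-Flag": 0x29,
    "msPKI-RA-Signature": 0,
    "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4", "1.3.6.1.4.1.311.10.3.4"],
    "enroll_sids": [f"{DOMAIN_SID}-513"],
}

if __name__ == "__main__":
    for t in (VULN_TEMPLATE, USER_TEMPLATE, remediate_esc1(VULN_TEMPLATE)):
        print(f"{t['name']:16} ESC1={is_esc1(t)!s:5} blockers={esc1_blockers(t)}")
```

Note that the check treats a template with no EKU at all as client-auth capable; the "User" template is safe only because the subject is built from AD, not because of its EKU list.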

Deliverable: Complete AD CS ESC1 exploitation walkthrough.


Exercise 11: PowerView Enumeration Mastery

Difficulty: Intermediate | Time: 30 minutes

Using PowerView, perform the following enumeration tasks:

  1. List all domain users with their descriptions (searching for passwords in descriptions).
  2. Find all Kerberoastable accounts and their group memberships.
  3. Identify all computers with unconstrained or constrained delegation.
  4. Enumerate all domain trusts and their directions.
  5. Find all GPOs and identify which ones grant local admin rights.
  6. Check for ACLs that grant GenericAll, GenericWrite, or WriteDacl to non-admin users.

Deliverable: PowerView command reference with sample output.


Exercise 12: NTLM Relay Attack

Difficulty: Advanced | Time: 45 minutes

  1. Set up Responder to capture NTLM authentication on your lab network.
  2. Use ntlmrelayx to relay captured authentication to a target server that does not require SMB signing.
  3. Demonstrate the impact: relay authentication to gain code execution (ntlmrelayx's SMB target dumps the local SAM by default, or runs a command with -c).
  4. Combine with PetitPotam to coerce DC authentication for relay, typically against the AD CS web enrollment endpoint (ESC8) to obtain a certificate for DC01$.
  5. Implement the mitigations and verify the relay fails: require SMB signing on the targets, and enable Extended Protection for Authentication (with HTTPS only) on the AD CS web enrollment site; LDAP signing and channel binding close the equivalent LDAP relay path.

Deliverable: NTLM relay attack documentation with mitigation verification.


Exercise 13: AD Persistence Mechanisms

Difficulty: Advanced | Time: 30 minutes

Implement and detect the following AD persistence mechanisms:

  1. Create a Golden Ticket and verify persistence across password resets.
  2. Modify the AdminSDHolder ACL and wait for SDProp to propagate (it runs every 60 minutes by default; you can trigger it immediately by writing runProtectAdminGroupsTask=1 to the rootDSE).
  3. Add a backdoor entry to the domain's ACL granting DCSync rights.
  4. Create a Silver Ticket and compare its persistence with Golden Ticket.
  5. For each mechanism, document the detection method and cleanup procedure.

Deliverable: Persistence mechanism comparison with detection and cleanup procedures.


Exercise 14: Complete AD Attack Chain

Difficulty: Advanced | Time: 90 minutes

Starting from a standard domain user on WS01, achieve domain dominance:

  1. Enumerate the domain using BloodHound and PowerView.
  2. Identify at least two attack paths to Domain Admin.
  3. Execute the fastest attack path.
  4. Achieve DCSync and extract all domain hashes.
  5. Create a Golden Ticket for persistence.
  6. Write a professional penetration test report documenting the entire chain.

Deliverable: Complete penetration test report with executive summary and technical findings.


Exercise 15: AD Security Assessment Script

Difficulty: Intermediate | Time: 45 minutes

Write a Python script (using ldap3) that connects to AD and identifies:

  1. Accounts with SPNs (Kerberoastable)
  2. Accounts without preauthentication (AS-REP Roastable)
  3. Computers with unconstrained delegation
  4. Accounts with the "Password Never Expires" flag
  5. Machine Account Quota (ms-DS-MachineAccountQuota on the domain object; the default of 10 lets any authenticated user create computer accounts)
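The heart of such a script is a set of LDAP filters using the bitwise-AND matching rule against userAccountControl, plus one base-scope read of the domain object. The block below is an added example for Exercise 15; it is not the referenced code/example-01-ad-enumerator.py and not code from the original page. The filters are what the script sends; classify() and audit() apply the same predicates to result dicts, so the constructed sample entries (not from a real domain) can be checked offline. Only run_against_domain() needs ldap3 and a reachable DC, and its host, credentials and base DN are hypothetical.

```python
"""Core of an ldap3-based AD misconfiguration enumerator, testable without a DC."""
# userAccountControl bits (ADS_USER_FLAG_ENUM)
UF_ACCOUNTDISABLE = 0x0002
UF_DONT_EXPIRE_PASSWD = 0x10000
UF_TRUSTED_FOR_DELEGATION = 0x80000        # unconstrained delegation
UF_DONT_REQUIRE_PREAUTH = 0x400000
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"
DOMAIN_CONTROLLERS_RID = 516                # DCs legitimately carry TRUSTED_FOR_DELEGATION


def _uac(bit: int) -> str:
    return f"(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={bit})"


# Server-side filters: disabled accounts and krbtgt are excluded, DCs are excluded from the delegation check
FILTERS = {
    "kerberoastable": f"(&(objectCategory=person)(servicePrincipalName=*)(!(sAMAccountName=krbtgt))(!{_uac(UF_ACCOUNTDISABLE)}))",
    "asrep_roastable": f"(&(objectCategory=person){_uac(UF_DONT_REQUIRE_PREAUTH)}(!{_uac(UF_ACCOUNTDISABLE)}))",
    "unconstrained_delegation": f"(&(objectCategory=computer){_uac(UF_TRUSTED_FOR_DELEGATION)}(!(primaryGroupID={DOMAIN_CONTROLLERS_RID})))",
    "password_never_expires": f"(&(objectCategory=person){_uac(UF_DONT_EXPIRE_PASSWD)}(!{_uac(UF_ACCOUNTDISABLE)}))",
}
ATTRIBUTES = ["sAMAccountName", "userAccountControl", "servicePrincipalName", "objectCategory", "primaryGroupID"]


def classify(entry: dict) -> set:
    """The FILTERS predicates evaluated client-side on one result's attributes."""
    uac = int(entry.get("userAccountControl", 0))
    cat = entry.get("objectCategory", "").split(",")[0].lower()   # "CN=Person,CN=Schema,..." -> "cn=person"
    findings = set()
    if cat == "cn=person" and not uac & UF_ACCOUNTDISABLE:
        if entry.get("servicePrincipalName") and entry["sAMAccountName"].lower() != "krbtgt":
            findings.add("kerberoastable")
        if uac & UF_DONT_REQUIRE_PREAUTH:
            findings.add("asrep_roastable")
        if uac & UF_DONT_EXPIRE_PASSWD:
            findings.add("password_never_expires")
    if (cat == "cn=computer" and uac & UF_TRUSTED_FOR_DELEGATION
            and int(entry.get("primaryGroupID", 0)) != DOMAIN_CONTROLLERS_RID):
        findings.add("unconstrained_delegation")
    return findings


def audit(entries) -> dict:
    report = {name: [] for name in FILTERS}
    for e in entries:
        for f in classify(e):
            report[f].append(e["sAMAccountName"])
    return report


def machine_account_quota_finding(value) -> str:
    """ms-DS-MachineAccountQuota on the domain object; the default 10 is what makes the RBCD machine account possible."""
    q = int(value)
    return "ok: quota 0" if q == 0 else f"finding: any authenticated user may join {q} computer(s)"


def run_against_domain(host: str, user: str, password: str, base_dn: str):
    """Live version (hypothetical parameters, e.g. 'dc01.lab.local', 'LAB\\j.doe'). Needs: pip install ldap3."""
    from ldap3 import Server, Connection, ALL, NTLM, BASE
    conn = Connection(Server(host, get_info=ALL), user=user, password=password,
                      authentication=NTLM, auto_bind=True)
    seen = {}                                   # de-duplicate objects returned by several filters
    for flt in FILTERS.values():
        conn.search(base_dn, flt, attributes=ATTRIBUTES)
        for r in conn.response:
            if r.get("type") == "searchResEntry":
                seen[r["dn"]] = r["attributes"]
    conn.search(base_dn, "(objectClass=domain)", search_scope=BASE, attributes=["ms-DS-MachineAccountQuota"])
    quota = conn.response[0]["attributes"]["ms-DS-MachineAccountQuota"]
    return audit(seen.values()), machine_account_quota_finding(quota)


# ---- constructed sample directory, shaped like the Exercise 1 lab ----
SCHEMA = "CN=Schema,CN=Configuration,DC=lab,DC=local"
SAMPLE_ENTRIES = [
    {"sAMAccountName": "svc_sql", "userAccountControl": 0x10200, "servicePrincipalName": ["MSSQLSvc/sql01.lab.local:1433"], "objectCategory": f"CN=Person,{SCHEMA}", "primaryGroupID": 513},
    {"sAMAccountName": "j.doe", "userAccountControl": 0x400200, "servicePrincipalName": [], "objectCategory": f"CN=Person,{SCHEMA}", "primaryGroupID": 513},
    {"sAMAccountName": "krbtgt", "userAccountControl": 0x202, "servicePrincipalName": ["kadmin/changepw"], "objectCategory": f"CN=Person,{SCHEMA}", "primaryGroupID": 513},
    {"sAMAccountName": "DC01$", "userAccountControl": 0x82000, "servicePrincipalName": ["HOST/dc01.lab.local"], "objectCategory": f"CN=Computer,{SCHEMA}", "primaryGroupID": 516},
    {"sAMAccountName": "APP01$", "userAccountControl": 0x81000, "servicePrincipalName": ["HOST/app01.lab.local"], "objectCategory": f"CN=Computer,{SCHEMA}", "primaryGroupID": 515},
]

if __name__ == "__main__":
    for name, hits in audit(SAMPLE_ENTRIES).items():
        print(f"{name:25} {hits}")
    print(machine_account_quota_finding(10))
```

The krbtgt and DC01$ entries are in the sample on purpose: without the exclusions in the filters they would show up as "Kerberoastable" and "unconstrained delegation" respectively, and a report that lists them is the usual sign of a filter copied without thought.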

Reference: See code/example-01-ad-enumerator.py for a starting framework.

Deliverable: Working Python script with sample output.


🔵 Blue Team Exercise: AD Hardening Assessment

Difficulty: Advanced | Time: 60 minutes

  1. Run PingCastle or Purple Knight against your lab domain.
  2. Review the security score and all findings.
  3. Implement fixes for the top 10 findings.
  4. Re-run the assessment and verify improved scores.
  5. Deploy Microsoft Defender for Identity and trigger detection alerts.
  6. Configure tiered administration and verify enforcement.
  7. Set ms-DS-MachineAccountQuota to 0 and confirm that a standard user can no longer create a computer account (the RBCD step of Exercise 6 should now fail without another path to a machine account).
  8. Audit and fix all delegation configurations.

Deliverable: AD security assessment report with before/after scores.