Active Directory Penetration Testing
Posted in: Active Directory

Active Directory Penetration Testing: Methodology

Today I am writing about Active Directory penetration testing methodology; this is part of my study for the eCPPTv2 by eLearnSecurity. Active Directory is Microsoft's directory service for managing corporate domains.

[Image: Active Directory architecture]
Active Directory Port Numbers

Port        Service
53/tcp      DNS
139/tcp     NetBIOS Session Service (SSN)
636/tcp     LDAP over SSL (LDAPS)

Tools Arsenal


  • Scan Network
  • Scan Host
  • Detect Public Shares
  • Detect Users
  • Extract Hashes
  • Crack Passwords
  • Escalate Privileges
  • Escalate to Domain Admin

Scanning an Active Directory

Finding Hosts Running Windows clients or Active Directory Servers

What information do I need to collect?

Windows client machines, Windows server machines and their respective IPs, how authentication is managed, publicly available shares, DNS domain records, usernames, and passwords.

Ping Scan

nmap -sn <target-range>

Classic Scan

nmap -Pn -sC -sV -oG nmap.output <target>

Full Scan

nmap -Pn -sC -sV -p- -oG nmap.output <target>

UDP Scan

nmap -sU -sC -sV -oG nmap.output <target>

How to Find Domain Control IP?

nslookup -type=SRV _ldap._tcp.dc._msdcs.domain.test
nmcli dev show tun0

Enumerating Active Directory

Is Port 53 Open?

dig @$NAMESERVER -x $TARGET

DNS Zone Transfer

dig axfr domain.test @nameserver

How to Find Usernames?

Null Sessions




How to find Passwords?

Password Hashes?

Crack Active Directory Hashes

Hash                        Hashcat command
LM                          hashcat -m 3000 -a 3 hash.txt
NTLM                        hashcat -m 1000 -a 3 hash.txt
NetNTLMv1                   hashcat -m 5500 -a 3 hash.txt
NetNTLMv2                   hashcat -m 5600 -a 0 hash.txt rockyou.txt
Kerberos 5 TGS-REP (RC4)    hashcat -m 13100 -a 0 hash.txt rockyou.txt
Kerberos 5 TGS-REP AES128   hashcat -m 19600 -a 0 hash.txt rockyou.txt
Kerberos 5 TGS-REP AES256   hashcat -m 19700 -a 0 hash.txt rockyou.txt
Kerberos 5 AS-REP           hashcat -m 18200 -a 0 hash.txt rockyou.txt
MsCache 2 (DCC2)            hashcat -m 2100 -a 0 hash.txt rockyou.txt
Hashcat modes for cracking Windows / Active Directory hashes
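As an added example (my own code, not from the original post), a small Python triage helper that recognises the hash formats in the table from their textual form and returns the matching hashcat mode. It also surfaces two things the table hides: a bare 32-hex string is ambiguous between LM and NTLM (the pwdump `user:rid:LM:NT:::` form is needed to tell them apart, and an all-zero-equivalent LM field shows LM storage is disabled), and the TGS-REP mode depends on the encryption type encoded in the ticket. All sample values are constructed filler, not real credential material.

```python
import re

# Added triage helper: classify one line of recovered hash material into the
# formats of the hashcat table above and return the matching -m mode. Useful
# both for picking the right mode and for an IR analyst inventorying a dump.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM field stored when LM hashing is disabled
HEX = r"[0-9a-fA-F]"
PATTERNS = [
    # pwdump line: user:rid:LM:NT:::  (NT half is -m 1000, LM half is -m 3000)
    ("pwdump LM:NT", re.compile(rf"^[^:]+:\d+:(?P<lm>{HEX}{{32}}):(?P<nt>{HEX}{{32}}):::$")),
    # user::domain:lmresp(48):ntresp(48):challenge(16)
    ("NetNTLMv1", re.compile(rf"^[^:]+::[^:]*:{HEX}{{48}}:{HEX}{{48}}:{HEX}{{16}}$")),
    # user::domain:serverchallenge(16):ntproofstr(32):blob
    ("NetNTLMv2", re.compile(rf"^[^:]+::[^:]*:{HEX}{{16}}:{HEX}{{32}}:{HEX}+$")),
    ("Kerberos 5 TGS-REP", re.compile(r"^\$krb5tgs\$(?P<etype>17|18|23)\$")),
    ("Kerberos 5 AS-REP", re.compile(r"^\$krb5asrep\$23\$[^@]+@[^:]+:")),
    ("MsCache 2 (DCC2)", re.compile(rf"^\$DCC2\$\d+#[^#]+#{HEX}{{32}}$")),
    ("LM or NTLM (bare 32 hex)", re.compile(rf"^{HEX}{{32}}$")),
]
MODES = {"pwdump LM:NT": 1000, "NetNTLMv1": 5500, "NetNTLMv2": 5600,
         "Kerberos 5 AS-REP": 18200, "MsCache 2 (DCC2)": 2100}
TGS_MODES = {"23": 13100, "17": 19600, "18": 19700}  # etype selects the mode

def classify(line):
    """Return (label, hashcat_mode, note); mode is None when the format is ambiguous."""
    line = line.strip()
    for label, pat in PATTERNS:
        m = pat.match(line)
        if not m:
            continue
        if label == "Kerberos 5 TGS-REP":
            etype = m.group("etype")
            return label, TGS_MODES[etype], f"etype {etype}"
        if label == "pwdump LM:NT":
            if m.group("lm").lower() == EMPTY_LM:
                return label, MODES[label], "LM not stored"
            return label, MODES[label], "LM hash present: weak, also crackable with -m 3000"
        if label.startswith("LM or NTLM"):
            return label, None, "LM and NTLM are both 32 hex; use the pwdump form to disambiguate"
        return label, MODES[label], ""
    return None, None, "unrecognised format"

def triage(lines):
    """Count recognised formats across a dump: a quick inventory of what a file holds."""
    counts = {}
    for ln in lines:
        label = classify(ln)[0] or "unknown"
        counts[label] = counts.get(label, 0) + 1
    return counts
```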

Active Directory Attacks

  • Zerologon
  • PetitPotam
  • Poisoning
  • Replay Attacks
  • MitM

LLMNR/NBT-NS Poisoning

Vulnerabilities Scanning

Discover SMB Vulnerabilities using Nmap

nmap -Pn --script "smb-vuln*" -p139,445 <target>

ZeroLogon AD Attack


