Active Directory Penetration Testing
Active Directory Penetration Testing

Active Directory Penetration Testing: Methodology

Today I am writing about Active Directory penetration Testing methodology, this is part of my study for CRTP by Pentester Academy.

Active Directory is a service to manage corporate domains it can handle all types of Microsoft services and objects applying for permissions while handling all accounting centralized.

My goal in this article is to describe how AD works and identify what should be enumerated on each AD service inside a single Domain Controller.

active directory architecture

Microsoft Permissions can be checked here:

Active Directory Port Numbers

53/TCPDNS Server
139/tcpNetBIOS SSN
636/tcpLDAP SSL

Basic AD Functions

Tools Arsenal


  • Scan Network
  • Scan Host
  • Detect Public Shares
  • Detect Users
  • Extract Hashes
  • Crack Passwords
  • Escalate Privileges
  • Escalate to Domain Admin

Scanning an Active Directory

Finding Hosts Running Windows clients or Active Directory Servers

What information do I need to collect?

Windows client machines, windows server machines, and respective IPs, how the authentication is managed, public available shares, DNS domain records, usernames, and passwords.

Ping Scan

The ping scan functionality in Nmap is a way to determine which hosts on a network are active and reachable.

nmap -sn -Pn

Classic Scan

nmap -sP -sC -sV -oG nmap.output -Pn

Full Scan

nmap -PN -sC -sV -p- -oG nmap.output -Pn

UDP Scan

nmap -sU -sC -sV -oG nmap.output

How to Find Domain Control IP?

Ask the network

nslookup -type=SRV _ldap.tcp_.dc._msdcs.domain.test

Verify in your machine:

nmcli dev show tun0

Enumerating Active Directory

Is Port 53 Open?

dig @$DOMAIN -x  $TARGET 

DNS Zone Transfer

dig axfr donain.test @nameserver

How to Find Usernames?

Null Sessions




How to find Passwords?

Password Hashes?

Crack Active Directory Hashes

HashHashcat Command
LMhashcat -m 3000 -a 3 hash.txt
NTLMhashcat -m 1000 -a 3 hash.txt
NetNTLMv1hashcat -m 5500 -a 3 hash.txt
NetNTLMv2hashcat -m 5600 -a 3 hash.txt rockyou.txt
Kerberos 5 TGShashcat -m 13100 -a 3 hash.txt rockyou.txt
Kerberos 5 TGS AES128hashcat -m 19600 -a 0 spn.txt hash.txt rockyou.txt
Kerberos 5 TGS AES256hashcat -m 19700 -a 0 spn.txt hash.txt rockyou.txt
Kerberos ADREPhashcat -m 18200 -a 0 spn.txt hash.txt rockyou.txt
MsCache 2hashcat -m 2100-a 0 mscache-hash.txt hash.txt rockyou.txt
Hash to crack Windows Hashes

Active Directory Penetration Testing

LLMNR/NBT-NS Poisoning

Vulnerabilities Scanning

Discover SMB Vulnerabilities using Nmap

nmap -PN --script smb-vuln* -p139,445

ZeroLogon AD Attack