Home | Projects | Discord | Videos | Courses | Author | Contact
Welcome to the Active Directory Attacks Documentation for Red Teams!
This documentation serves as a comprehensive resource for understanding various attack techniques and vulnerabilities associated with Active Directory environments. Whether you are a security professional, system administrator, or simply interested in learning about cybersecurity, this documentation will provide valuable insights into the risks and countermeasures related to Active Directory attacks.
My aim is to help you understand the inner workings of these attacks, enabling you to identify vulnerabilities within your own Active Directory environment and implement effective security measures to protect against them. Additionally, we provide real-world examples and practical guidance to enhance your understanding of the attack vectors and their implications.
We encourage you to explore the various sections of this documentation, where you will find detailed explanations, step-by-step guides, and recommended best practices to secure your Active Directory infrastructure. Stay one step ahead of potential threats and bolster your organization's security posture with the knowledge gained from this documentation.
Remember, a well-informed defender is better equipped to safeguard their Active Directory environment against malicious actors. Let's dive in and strengthen our defenses against Active Directory attacks!
Happy learning and stay secure!
| Header 1 | Header 2 | Header 3 |
|---|---|---|
| Service and Port Numbers | Cell 2 | Cell 3 |
| Local Groups | Cell 5 | Cell 6 |
| Domain Groups | Cell 8 | Cell 9 |
| Domain Groups | Cell 8 | Cell 9 |
| Domain Groups | Cell 8 | Cell 9 |
| Domain Groups | Cell 8 | Cell 9 |
| Scenario | Description | LAB design |
|---|---|---|
| Windows Client | Cell 2 | Cell 3 |
| Windows Client with AD | Cell 5 | Cell 6 |
| Windows Server Standalone | Cell 8 | Cell 9 |
| Windows Server with AD | Cell 8 | Cell 9 |
| Active Direcory Environment | Cell 8 | Cell 9 |
| Active Direcory Multi Forest Environment | Cell 8 | Cell 9 |
Active Directory (AD) External Reconnaissance is a methodology used to gather information and assess the security posture of an organization's Active Directory infrastructure from an external perspective.
- Initial Compromise
- Host Reconnaissance
- Domain Enumeration
- Local Privilege Escalation
- Administrator Enumeration
- Lateral Movement
- Domain Admin privs
- Cross Trust Attacks
- Domain Persistence
- Exfiltrate
| Protocol | Port | Description |
|---|---|---|
| NetBIOS | Cell 2 | Cell 3 |
| DNS | 53 | Cell 6 |
| MsSQL | Cell 8 | Cell 9 |
| LDAP | Cell 8 | Cell 9 |
| Kerberos | Cell 8 | Cell 9 |
| Samba | 445 | Cell 9 |
| IIS | 80 / 443 | Cell 9 |
| Exchange | Cell 8 | Cell 9 |
| WinRM | Cell 8 | Cell 9 |
| SCCM | Cell 8 | Cell 9 |
| Tool | Description | Documentation |
|---|---|---|
| Nmap | 25 | Nmap |
| CrackMapExec | 30 | CrackMapExec |
| Rubeus | 40 | Rubeus |
| Certify | Text | Certify |
| Mimikatz | Text | Mimikatz |
| BloodHound | Text | BloodHound |
| DeathStar | Text | DeathStar |
| Metasploit | Text | Metasploit |
| Empire | Text | Empire |
| Covenant | Text | Covenant |
| Cobal Strike | Text | Cobal Strike |
| Tool | Text | Docs |
| Tool | Text | Docs |
| Tool | Text | Docs |
- Attack Privilege Requirements
- Kerbrute Enumeration — No domain access required
- Pass the Ticket — Access as a user to the domain required
- Kerberoasting — Access as any user required
- AS-REP Roasting — Access as any user required
- Golden Ticket — Full domain compromise (Domain Admin) required
- Silver Ticket — Service hash required
- Skeleton Key — Full domain compromise (Domain Admin) required
| Attack Technique | Description |
|---|---|
| Pass-the-Hash | An attack where an attacker steals the hash of a user's password and uses it to authenticate and impersonate the user. |
| Golden Ticket | A technique that allows an attacker to forge Kerberos tickets, granting them unauthorized access with domain-level privileges. |
| Kerberoasting | Exploits the weak encryption of Kerberos ticket-granting tickets (TGTs) to extract the password hashes of Active Directory service accounts. |
| BloodHound | A tool used to identify and exploit Active Directory trust relationships, exposing potential attack paths and lateral movement opportunities. |
| DCShadow | An attack that manipulates domain controllers to create a rogue domain controller, allowing attackers to stealthily inject changes into the Active Directory infrastructure. |
| Skeleton Key | A technique that allows an attacker to bypass authentication by injecting a backdoor password into Active Directory, granting them unauthorized access. |
| Silver Ticket | Similar to a Golden Ticket, but instead of compromising the Key Distribution Center (KDC), it targets specific service principals, granting unauthorized access to specific services. |
- Active Directory Penetration Testing
- Infrastructure Penetration Testing
- Networks Penetration Testing
- Web Applications Penetration Testing
- Wireless Security
- Ethical Hacking
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent