Active Directory Penetration Testing Checklist

Likhil Chekuri, September 22, 2025, 7 min read

Table of Contents

  • What is Active Directory penetration testing?
  • How do you enumerate an Active Directory domain?
  • Which attacks harvest Active Directory credentials?
  • How do you escalate privilege through ADCS?
  • What does domain dominance and persistence look like?
  • Frequently asked questions
  • Sources and references


TL;DR
  • ✓Active Directory penetration testing follows a repeatable arc: enumerate, gain credentials, move laterally, escalate, then establish domain dominance.
  • ✓Kerberoasting and AS-REP roasting harvest crackable hashes from service accounts with SPNs and from accounts with pre-authentication disabled, using only a normal user's access (or, for AS-REP roasting, just a username) and leaving nothing on the domain controller but routine ticket-request events.
  • ✓BloodHound and SharpHound expose attack paths through group nesting, ACLs, and delegation that a manual review would miss.
  • ✓ADCS misconfigurations (ESC1 through ESC8) have become one of the fastest routes from a low-privilege user to domain admin.
  • ✓Domain dominance techniques like DCSync, golden tickets, and the krbtgt hash let an attacker forge access indefinitely, which is why detection and rotation matter.

Active Directory is the heart of nearly every enterprise network, and that makes it the prize in almost every internal engagement. An Active Directory penetration test maps how an attacker turns one foothold into total domain control, then hands you the exact misconfigurations to fix. The work is methodical: each phase produces the credentials or context the next phase needs.

This checklist organizes the whole engagement by attack phase, with the specific tools (BloodHound, Rubeus, impacket, mimikatz, Certipy) and techniques at each step. Use it as a tester's worksheet or a defender's threat model. It pairs directly with our internal network penetration testing guide, which covers getting that first foothold.

What is Active Directory penetration testing?

Active Directory penetration testing is the authorized assessment of an AD environment to find paths an attacker would use to escalate from a normal user to domain admin or to compromise the domain controllers outright. It focuses on identity: tickets, hashes, group memberships, ACLs, and the trust relationships that hold a forest together.

Because AD is built on Kerberos and NTLM, most attacks abuse legitimate protocol behavior rather than software bugs. There's often no CVE to patch. Instead you're hunting for accounts with weak passwords and SPNs, excessive delegation, dangerous ACLs, and certificate templates that let any user request a privileged cert. Defenders should read our companion on securing against Active Directory attacks.

How do you enumerate an Active Directory domain?

Enumeration is the foundation, and BloodHound is the single highest-value tool. Run SharpHound (SharpHound.exe -c All) or the Python collector (bloodhound-python) to pull every user, group, computer, session, ACL, and trust, then query BloodHound for paths from your account to Tier 0 (Domain Admins, the domain controllers, and anything that can reach them).

Alongside the graph, enumerate the basics with NetExec: nxc ldap <dc> -u user -p pass --users --groups --pass-pol pulls users, groups, and the password policy (read the lockout threshold and observation window before you spray, so you don't lock accounts), and Certipy inventories the certificate authority and its templates (certipy find -u user@domain -p pass -dc-ip <ip>). Note every account with a Service Principal Name; those are your Kerberoasting targets in the next phase.
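As an added worked example (not code from this post or from Strobes tooling), the snippet below turns the lockout policy you just enumerated into a spray schedule. It decodes the raw lockoutThreshold, lockoutObservationWindow and lockoutDuration attributes of the domain object as an LDAP query returns them (NetExec's --pass-pol prints the same values decoded), then paces one-password-per-round spraying so no user accumulates enough bad attempts to lock. The policy values and candidate passwords are constructed; the safety margin and the buffer are arbitrary defaults, not a standard.

```python
"""Spray scheduler derived from the AD lockout policy (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

TICKS_PER_SECOND = 10_000_000  # AD stores intervals as 100-nanosecond ticks


@dataclass(frozen=True)
class LockoutPolicy:
    threshold: int   # lockoutThreshold; 0 means accounts never lock out
    window_s: int    # lockoutObservationWindow, in seconds
    duration_s: int  # lockoutDuration, in seconds


def policy_from_ldap(attrs: dict) -> LockoutPolicy:
    """Decode the raw attributes of the domain object (e.g. DC=corp,DC=local).

    lockoutObservationWindow and lockoutDuration are stored as *negative*
    100-nanosecond tick counts, so "-18000000000" means 30 minutes.
    """
    def ticks_to_seconds(value: str) -> int:
        return abs(int(value)) // TICKS_PER_SECOND

    return LockoutPolicy(
        threshold=int(attrs["lockoutThreshold"]),
        window_s=ticks_to_seconds(attrs["lockoutObservationWindow"]),
        duration_s=ticks_to_seconds(attrs["lockoutDuration"]),
    )


def safe_rounds_per_window(policy: LockoutPolicy, margin: int = 2) -> Optional[int]:
    """Passwords that may be tried per user inside one observation window.

    badPwdCount also counts the user's own typos, so `margin` keeps a gap
    below the threshold. None means the domain has no lockout at all.
    """
    if policy.threshold == 0:
        return None
    return max(policy.threshold - margin, 1)


def spray_plan(policy: LockoutPolicy, passwords: List[str],
               margin: int = 2, buffer_s: int = 60) -> List[Tuple[str, int]]:
    """Return [(password, seconds_to_wait_before_this_round), ...].

    One round = one password against every user. After `safe` rounds the
    plan waits a full observation window plus a buffer so that each user's
    badPwdCount has reset before the next batch begins.
    """
    safe = safe_rounds_per_window(policy, margin)
    plan = []
    for i, password in enumerate(passwords):
        wait = policy.window_s + buffer_s if safe and i and i % safe == 0 else 0
        plan.append((password, wait))
    return plan


# Constructed sample: a common "5 bad passwords in 30 minutes" policy
DOMAIN_POLICY_ATTRS = {
    "lockoutThreshold": "5",
    "lockoutObservationWindow": "-18000000000",
    "lockoutDuration": "-18000000000",
}
# Constructed candidate list; one password per round
CANDIDATES = ["Summer2025!", "Welcome1", "Password1", "Corp2025!", "Autumn2025!"]

if __name__ == "__main__":
    policy = policy_from_ldap(DOMAIN_POLICY_ATTRS)
    print(policy, "safe rounds per window:", safe_rounds_per_window(policy))
    for password, wait in spray_plan(policy, CANDIDATES):
        print(f"wait {wait:>5}s, then spray {password!r}")
```

Two caveats before trusting the plan: fine-grained password policies (msDS-PasswordSettings objects under the Password Settings Container) override these domain-wide values for the groups they apply to, so enumerate those as well; and bad-password attempts are forwarded to the PDC emulator, which keeps the authoritative badPwdCount, so spreading the spray across several DCs does not reset the count.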

Active Directory penetration testing checklist by phase
Enumeration
  • ✓Collect the graph with SharpHound (-c All) and analyze in BloodHound
  • ✓Enumerate users, groups, and password policy via NetExec LDAP
  • ✓List SPNs and AS-REP-roastable accounts
  • ✓Run Certipy find to inventory certificate templates and the CA
Credential access
  • ✓Kerberoast SPN accounts with Rubeus or GetUserSPNs.py; crack with hashcat mode 13100 (RC4 tickets; 19600/19700 when the ticket was issued with AES128/AES256)
  • ✓AS-REP roast pre-auth-disabled accounts with Rubeus or GetNPUsers.py (hashcat mode 18200)
  • ✓Password spray one weak password across all users to avoid lockouts
  • ✓Dump LSASS with mimikatz on any compromised host
Lateral movement
  • ✓Pass-the-hash with NetExec across the subnet
  • ✓Remote exec via impacket psexec.py, wmiexec.py, smbexec.py
  • ✓Hunt for cached creds and admin sessions flagged in BloodHound
  • ✓Relay NTLM auth to unsigned SMB hosts with ntlmrelayx.py
Privilege escalation
  • ✓Exploit ADCS ESC1-ESC8 with Certipy
  • ✓Abuse ACLs: GenericWrite, WriteDACL, GenericAll
  • ✓Abuse unconstrained and constrained delegation
  • ✓Chain BloodHound's shortest path to Domain Admins
Persistence / Domain dominance
  • ✓DCSync the krbtgt and all hashes via secretsdump.py
  • ✓Forge golden and silver tickets
  • ✓Plant AdminSDHolder or DSRM backdoors
  • ✓Document for cleanup: rotate krbtgt twice, revoke forged certs

Which attacks harvest Active Directory credentials?

Two Kerberos attacks dominate the credential-access phase because they are quiet and effective. Kerberoasting requests service tickets for accounts with SPNs and cracks them offline, since part of the ticket is encrypted with a key derived from the service account's password. AS-REP roasting targets accounts that have Kerberos pre-authentication disabled: the KDC returns an AS-REP whose encrypted part is derived from that user's password, so you need only the username, not a valid credential.

With Rubeus: Rubeus.exe kerberoast and Rubeus.exe asreproast; with impacket: GetUserSPNs.py -request and GetNPUsers.py. Feed the output to hashcat (mode 13100 for RC4 Kerberoast hashes, 19600/19700 when the ticket was issued with AES128/AES256, and 18200 for AS-REP). Asking for RC4 tickets when the account supports AES is itself a detection signal, so note which encryption type you requested. Password spraying with NetExec is the other staple: one weak password against every user, then wait out the lockout observation window before the next. mimikatz and LSASS dumps round out the phase once you have local admin on a host.
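From the defender's side of the same phase, here is an added example (constructed events; not code from this post or from Strobes) of the detection logic a SOC would run over event 4769 to catch Kerberoasting: one account requesting service tickets for several distinct service accounts within a few minutes, with RC4 recorded as a downgrade indicator rather than required, so AES-only roasting is still caught. The field names are the real 4769 names flattened into key=value lines for the example; the account names, addresses, window and threshold are assumptions.

```python
"""Detect Kerberoasting-style bursts in Security event 4769 (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

RC4_HMAC = 0x17                 # etype 23, the ticket type hashcat mode 13100 cracks
WINDOW = timedelta(minutes=5)   # assumption: tune per environment
DISTINCT_SERVICE_THRESHOLD = 3  # assumption: tune per environment

# Constructed sample. Real 4769 events carry these field names in XML; here
# they are flattened to one "key=value" line each. jdoe requests tickets for
# three user service accounts in two seconds with RC4; asmith is normal AES
# traffic. All names and addresses are invented.
SAMPLE_EVENTS = """\
Time=2025-09-22T10:00:01 EventID=4769 TargetUserName=jdoe@CORP.LOCAL ServiceName=svc_sql TicketEncryptionType=0x17 Status=0x0 IpAddress=10.0.5.23
Time=2025-09-22T10:00:02 EventID=4769 TargetUserName=jdoe@CORP.LOCAL ServiceName=svc_http TicketEncryptionType=0x17 Status=0x0 IpAddress=10.0.5.23
Time=2025-09-22T10:00:02 EventID=4769 TargetUserName=jdoe@CORP.LOCAL ServiceName=WS01$ TicketEncryptionType=0x17 Status=0x0 IpAddress=10.0.5.23
Time=2025-09-22T10:00:03 EventID=4769 TargetUserName=jdoe@CORP.LOCAL ServiceName=svc_exch TicketEncryptionType=0x17 Status=0x0 IpAddress=10.0.5.23
Time=2025-09-22T10:01:00 EventID=4769 TargetUserName=asmith@CORP.LOCAL ServiceName=FS01$ TicketEncryptionType=0x12 Status=0x0 IpAddress=10.0.7.9
Time=2025-09-22T10:02:00 EventID=4769 TargetUserName=asmith@CORP.LOCAL ServiceName=svc_sql TicketEncryptionType=0x12 Status=0x0 IpAddress=10.0.7.9
Time=2025-09-22T10:02:30 EventID=4768 TargetUserName=asmith@CORP.LOCAL ServiceName=krbtgt TicketEncryptionType=0x12 Status=0x0 IpAddress=10.0.7.9
"""


def parse_event(line: str) -> Dict[str, str]:
    """Parse one flattened key=value event line (the constructed format above)."""
    return dict(part.split("=", 1) for part in line.split())


def is_roastable_request(ev: Dict[str, str]) -> bool:
    """A successful TGS request for a *user* service account.

    krbtgt is the TGT itself, and machine accounts (NAME$) have long random
    passwords, so roasting tools skip both; the detection does the same.
    """
    if ev.get("EventID") != "4769" or ev.get("Status") != "0x0":
        return False
    service = ev["ServiceName"]
    return service.lower() != "krbtgt" and not service.endswith("$")


def detect_kerberoasting(lines: List[str]) -> List[dict]:
    """Flag requesters with >= DISTINCT_SERVICE_THRESHOLD distinct service
    accounts inside WINDOW. RC4 is reported as a downgrade indicator."""
    per_user = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        if is_roastable_request(ev):
            per_user[ev["TargetUserName"]].append(
                (datetime.fromisoformat(ev["Time"]), ev["ServiceName"],
                 int(ev["TicketEncryptionType"], 16), ev["IpAddress"]))

    alerts = []
    for user, reqs in per_user.items():
        reqs.sort()
        for i, (start, _, _, ip) in enumerate(reqs):
            burst = [r for r in reqs[i:] if r[0] - start <= WINDOW]
            services = sorted({svc for _, svc, _, _ in burst})
            if len(services) >= DISTINCT_SERVICE_THRESHOLD:
                alerts.append({
                    "user": user,
                    "source_ip": ip,
                    "services": services,
                    "rc4_downgrade": any(etype == RC4_HMAC for _, _, etype, _ in burst),
                    "window_start": start.isoformat(),
                })
                break  # one alert per requester per run
    return alerts


if __name__ == "__main__":
    for alert in detect_kerberoasting(SAMPLE_EVENTS.splitlines()):
        print(alert)
```

The sharpest version of this rule needs no threshold at all: register an SPN on a decoy account nobody legitimately uses, and treat any 4769 whose ServiceName is that account as an alert.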

How do you escalate privilege through ADCS?

Active Directory Certificate Services has become one of the fastest privilege-escalation routes, cataloged as ESC1 through ESC8 by SpecterOps. The classic, ESC1, is a certificate template that lets a low-privilege user enroll and supply an arbitrary Subject Alternative Name, so you request a cert as the domain administrator and authenticate as them.

Certipy automates the whole chain: certipy find -u user@domain -p pass -dc-ip <ip> -vulnerable flags the abusable templates, certipy req -u user@domain -p pass -target <ca-host> -ca <ca> -template <tpl> -upn administrator@domain mints the cert, and certipy auth -pfx administrator.pfx -dc-ip <ip> uses it through PKINIT to obtain a TGT and the account's NT hash. ESC8 relays NTLM authentication to the CA's HTTP enrollment endpoint, while ESC6 abuses the EDITF_ATTRIBUTESUBJECTALTNAME2 flag on the CA itself, which lets a requester add a SAN on any template. Beyond ADCS, escalate through ACL abuse (GenericWrite, WriteDACL, GenericAll) and unconstrained or constrained delegation, all of which BloodHound surfaces directly.
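To make the ESC1 preconditions concrete, the following is an added example (not Certipy's code, nor the post's) that evaluates them offline against certificate-template attributes in the form an LDAP query of the Certificate Templates container returns them, and applies the template-level fix. The template names and attribute values are constructed; the LOW_PRIV set and the enabled flag stand in for the CA's publication list and enrollment ACL, which a real check would resolve from the CA object.

```python
"""Offline ESC1 check over certificate-template attributes (added example)."""
from typing import Dict, List

# msPKI-Certificate-Name-Flag bit: the requester supplies the subject / SAN
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
# msPKI-Enrollment-Flag bit: "CA certificate manager approval" is required
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002

# EKUs that let the issued certificate authenticate through PKINIT; an empty
# EKU list means "all purposes" and counts as well
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "2.5.29.37.0",             # Any Purpose
}
# Principals whose Enroll right makes a template "low privilege" (constructed set)
LOW_PRIV = {"Domain Users", "Domain Computers", "Authenticated Users", "Everyone"}


def esc1_conditions(t: Dict) -> Dict[str, bool]:
    """Each ESC1 precondition as a named boolean; all of them must hold."""
    ekus = t["pKIExtendedKeyUsage"]
    return {
        "published_on_ca": t["enabled"],
        "low_priv_can_enroll": bool(set(t["enroll"]) & LOW_PRIV),
        "no_manager_approval": not (t["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS),
        "no_authorized_signatures": t["msPKI-RA-Signature"] == 0,
        "enrollee_supplies_subject": bool(
            t["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT),
        "auth_eku": not ekus or bool(set(ekus) & AUTH_EKUS),
    }


def is_esc1(t: Dict) -> bool:
    return all(esc1_conditions(t).values())


def find_esc1(templates: List[Dict]) -> List[str]:
    return [t["name"] for t in templates if is_esc1(t)]


def harden_template(t: Dict) -> Dict:
    """The two template-level fixes: stop the enrollee choosing the subject,
    and gate anything that still needs a custom subject behind manager
    approval. Tightening the Enroll ACL is the third option."""
    fixed = dict(t)
    fixed["msPKI-Certificate-Name-Flag"] &= ~CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
    fixed["msPKI-Enrollment-Flag"] |= CT_FLAG_PEND_ALL_REQUESTS
    return fixed


# Constructed templates; the attribute values are illustrative, not real dumps
TEMPLATES = [
    {   # the classic ESC1 shape: "Supply in the request" plus Client Authentication
        "name": "CorpVPNUser", "enabled": True, "enroll": ["Domain Users"],
        "msPKI-Certificate-Name-Flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
        "msPKI-Enrollment-Flag": 0, "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
    },
    {   # subject is built from the AD object, so the requester cannot pick a SAN
        "name": "User", "enabled": True, "enroll": ["Domain Users"],
        "msPKI-Certificate-Name-Flag": 0,
        "msPKI-Enrollment-Flag": 0, "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.4.1.311.10.3.4"],
    },
    {   # requester picks the subject, but Server Authentication only: no logon
        "name": "WebServer", "enabled": True, "enroll": ["Domain Users"],
        "msPKI-Certificate-Name-Flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
        "msPKI-Enrollment-Flag": 0, "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.1"],
    },
]

if __name__ == "__main__":
    print("ESC1 templates:", find_esc1(TEMPLATES))
    for name, ok in esc1_conditions(TEMPLATES[2]).items():
        print(f"  WebServer {name}: {ok}")
```

The WebServer entry is the case that trips people up in both directions: it supplies its own subject, which looks alarming, but without an authentication EKU the certificate cannot log anyone on; adding Client Authentication to that template later is exactly how a benign template becomes CorpVPNUser.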

Strobes insight
ADCS template misconfigurations now rival Kerberoasting as the quickest path to domain admin. Run certipy find -vulnerable on every AD engagement; ESC1 alone has handed over more domains than any single 0-day.

What does domain dominance and persistence look like?

Domain dominance is the endgame: full control of the domain plus the ability to regain it at will. DCSync (mimikatz lsadump::dcsync /user:krbtgt or impacket's secretsdump.py) abuses replication rights to pull every password hash from a domain controller, including the krbtgt hash. With krbtgt, you forge a golden ticket and impersonate anyone, indefinitely.

Silver tickets forge service-specific access, and a DSRM or AdminSDHolder backdoor gives quiet long-term persistence. This is exactly why incident response after an AD breach insists on resetting krbtgt twice (with replication time between the two resets, so existing tickets are invalidated without breaking the domain) and on rotating every other Tier 0 secret: privileged accounts, trust passwords, and the DSRM password. Because these paths reappear as the directory changes, continuous validation matters; agentic pentesting re-walks these chains as group memberships and templates drift instead of waiting a year.
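As an added example on the detection side (constructed events; not code from the post or from Strobes), the rule below implements the "DCSync from a non-DC" check: event 4662 with the control-access bit set and a replication extended right in Properties, from a principal that is neither a domain controller account nor an expected directory-sync account. The extended-right GUIDs are the real identifiers; the flattened event layout, account names, DC list and allowlist are assumptions.

```python
"""Flag DCSync in Security event 4662: replication rights exercised by a
principal that is not a domain controller (added example)."""
from typing import Dict, List, Set

# Extended rights a DCSync (DRSGetNCChanges) call exercises on the domain object
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"  # returns secrets
DS_REPLICATION_GET_CHANGES_IN_FILTERED_SET = "89e95b76-444d-4c62-991a-0facbeda640c"
REPLICATION_RIGHTS = {
    DS_REPLICATION_GET_CHANGES,
    DS_REPLICATION_GET_CHANGES_ALL,
    DS_REPLICATION_GET_CHANGES_IN_FILTERED_SET,
}
CONTROL_ACCESS = 0x100  # ADS_RIGHT_DS_CONTROL_ACCESS bit in AccessMask

# Constructed sample in "key=value" form; a real 4662 carries the same fields,
# with Properties as a multi-line list of {GUID}s. Names are invented. The last
# line is an ordinary attribute read, not replication.
SAMPLE_EVENTS = """\
Time=2025-09-22T11:00:00 EventID=4662 SubjectUserName=DC02$ SubjectDomainName=CORP AccessMask=0x100 Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2},{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}
Time=2025-09-22T11:00:05 EventID=4662 SubjectUserName=MSOL_4f2a9c1e SubjectDomainName=CORP AccessMask=0x100 Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2},{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}
Time=2025-09-22T11:03:12 EventID=4662 SubjectUserName=jdoe SubjectDomainName=CORP AccessMask=0x100 Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2},{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}
Time=2025-09-22T11:04:00 EventID=4662 SubjectUserName=jdoe SubjectDomainName=CORP AccessMask=0x20 Properties={bf967aba-0de6-11d0-a285-00aa003049e2}
"""

DC_ACCOUNTS = {"DC01$", "DC02$"}   # assumption; resolve Domain Controllers membership in production
ALLOWLIST = {"MSOL_4f2a9c1e"}      # assumption: the Entra Connect password-hash-sync account


def parse_event(line: str) -> Dict[str, str]:
    """Parse one flattened key=value event line (the constructed format above)."""
    return dict(part.split("=", 1) for part in line.split())


def detect_dcsync(lines: List[str], dc_accounts: Set[str], allowlist: Set[str]) -> List[dict]:
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev.get("EventID") != "4662" or not int(ev["AccessMask"], 16) & CONTROL_ACCESS:
            continue
        rights = {g.strip("{}") for g in ev["Properties"].split(",")} & REPLICATION_RIGHTS
        if not rights:
            continue
        subject = ev["SubjectUserName"]
        if subject in dc_accounts or subject in allowlist:
            continue
        alerts.append({
            "time": ev["Time"],
            "subject": f'{ev["SubjectDomainName"]}\\{subject}',
            "gets_secrets": DS_REPLICATION_GET_CHANGES_ALL in rights,
            "rights": sorted(rights),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_dcsync(SAMPLE_EVENTS.splitlines(), DC_ACCOUNTS, ALLOWLIST):
        print(alert)
```

Two practical notes. The allowlist is a liability as much as a convenience: a compromised sync account DCSyncs without tripping this rule, so pair it with a check that the account only ever logs on from its own server. And 4662 carries no source address; join its SubjectLogonId to the matching 4624 to find the host the request came from.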

Frequently asked questions

What is Kerberoasting?
Kerberoasting requests Kerberos service tickets for accounts that have a Service Principal Name, then cracks them offline. Part of the ticket is encrypted with a key derived from the service account's password, so a weak password yields the plaintext. It needs only a valid domain user, and on the domain controller it looks like any other service-ticket request (event 4769), so it is easy to miss without targeted detection.
What is the difference between Kerberoasting and AS-REP roasting?
Kerberoasting targets service accounts with SPNs and requires a valid domain account to request the tickets. AS-REP roasting targets accounts with Kerberos pre-authentication disabled and needs no credentials at all, just the account name. Both produce hashes you crack offline with hashcat.
What are ADCS ESC1 to ESC8 attacks?
They are a set of Active Directory Certificate Services misconfigurations cataloged by SpecterOps that let attackers obtain privileged certificates. ESC1, for example, lets a low-privilege user enroll a certificate with an arbitrary subject name and authenticate as a domain admin. Certipy detects and exploits most of them.
What is DCSync?
DCSync abuses Active Directory replication rights to ask a domain controller for password hashes as if it were another DC. With the right permissions an attacker pulls the krbtgt hash and every account's hash without running code on the DC. Tools include mimikatz and impacket's secretsdump.py.
What is a golden ticket attack?
A golden ticket is a forged Kerberos ticket-granting ticket created using the krbtgt account's hash. Because the krbtgt key encrypts and signs every TGT in the domain, an attacker who has it can mint tickets for any user indefinitely. The only real remediation is resetting the krbtgt password twice, with time for replication between the two resets.
How do you defend Active Directory against these attacks?
Use strong, long passwords on service accounts, enable AES and pre-authentication, remove dangerous ACLs and delegation, lock down certificate templates, and deploy LAPS. Monitor for DCSync replication from non-DCs and rotate krbtgt regularly. Continuous attack-path testing keeps these controls honest.

Sources and references

  • MITRE ATT&CK: Credential Access
  • SpecterOps: Certified Pre-Owned (ADCS)
  • BloodHound Documentation
Likhil Chekuri
Application Security Engineer, Strobes
Likhil Chekuri is an AppSec engineer at Strobes who has run hundreds of web, mobile, and cloud penetration tests for regulated industries.
Tags: Active Directory, Network Pentesting, Offensive Security
