Understanding Active Directory

For example, imagine you need to change the password on a user’s account and there are over 100 devices in the network – this can be very challenging. Within Microsoft Windows Server, you will find many roles and features that can be installed and configured to help IT professionals provide services and resources to everyone on a network. One such service within Microsoft Windows Server is Active Directory. This is a directory service that helps IT professionals centrally manage the users, groups, devices, and policies within the organization. ...

November 24, 2025 · 5 min · 1003 words · 0x-s0M3n4th

Understanding Kerberos

Kerberos is a network authentication protocol that runs on Windows Server, which enables clients to authenticate on the network and access services within the Windows domain. Kerberos provides single sign-on (SSO), which allows a user to authenticate once on a network and access resources without having to re-enter their user credentials each time they need to access a new resource, such as a mapped network drive. Kerberos supports delegated authentication, which allows a service running on a client’s computer to act on behalf of the authenticated domain user when it connects to other services on the network. Kerberos supports interoperability, which allows a Windows-based operating system to work in other networks that also use Kerberos as their authentication mechanism. When using Kerberos on a network, it supports mutual authentication, which allows two devices to validate the identity of each other. ...

November 24, 2025 · 5 min · 954 words · 0x-s0M3n4th

Attacking Active Directory

We will perform both lateral and vertical movement. Vertical movement allows a penetration tester to escalate their privileges within a network, whereas lateral movement focuses on using the same user privileges across multiple systems on the network. Lateral movement with crackmapexec: power on Kali, THEPUNISHER and Windows Server 2022. We will perform a pass-the-password attack using the password of the user fcastle across the entire domain. Make sure you have installed crackmapexec on your Kali machine. Use the following command: crackmapexec smb 10.11.12.0/24 -u fcastle -d MARVEL.local -p Password1. crackmapexec performs SMB enumeration on the targeted network using these credentials; it then uses the Pwn3d! marker to show which machines were accessed with that username and password. 2. Retrieving the SAM database from the Windows devices across the domain using the following command: ...

November 24, 2025 · 4 min · 769 words · 0x-s0M3n4th

Enumerating Active Directory

Power on your four machines: THEPUNISHER, THESPIDERMAN, WIN_2K22 and KALI LINUX. Then make sure your THEPUNISHER machine can identify the local domain; in my case it is MARVEL.local. Creating an antivirus GPO on Windows Server 2022 (I made this inside Windows Server 2019 previously). Use the following command inside any Windows Server: PS C:\Users\Administrator> New-GPO -Name "DisableAVGPO" | New-GPLink -Target "DC=MARVEL,DC=local" 4. Next, use the following commands to link the DisableAVGPO policy to the MARVEL.local domain: ...

November 24, 2025 · 5 min · 906 words · 0x-s0M3n4th

BloodHound

BloodHound is an Active Directory data visualization application that helps penetration testers efficiently identify the attack path to gain control over a Windows Active Directory domain and forest. In addition, it helps with identifying the misconfigurations and relationships that could be exploited by threat actors. Furthermore, BloodHound uses graph theory to reveal hidden relationships within an Active Directory environment, making it easier for penetration testers to visualize privilege escalation paths. In practice, the Active Directory data must first be collected from the organization using a collector such as BloodHound-Python, SharpHound, or AzureHound. Once the data has been collected, it is processed by BloodHound, which presents the attack path to domain takeover within an organization. ...

November 24, 2025 · 3 min · 508 words · 0x-s0M3n4th

Domain Dominance and Persistence

In this section we will learn about three techniques: 1. Golden Ticket, 2. Silver Ticket and 3. Skeleton Key. Golden Ticket: A golden ticket is a special token that is created by penetration testers using the Security Identifier (SID) of the domain, the domain name, and the NTLMv1 hash of the Kerberos TGT. The golden ticket allows a penetration tester to gain access to any device within the domain by performing PTT (Pass The Ticket). This is possible because the golden ticket is encrypted using the hash of the Kerberos TGT account, which is the built-in krbtgt account in Active Directory. However, the golden ticket is not digitally signed with the krbtgt account hash; it is only encrypted with it. This golden ticket allows anyone to impersonate any user, with the privileges associated with the impersonated user, on systems within the domain. To make this type of attack even more awesome, imagine that changing the password for the krbtgt account has zero effect on mitigating this attack on Active Directory. ...

November 24, 2025 · 4 min · 844 words · 0x-s0M3n4th

Leveraging Network-Based Trust in AD

While this section focuses on exploiting the trust of the Active Directory roles and services within a Windows environment, there are several types of attacks, such as pass-the-hash, that exploit the security vulnerabilities found within the protocols of the Transmission Control Protocol/Internet Protocol (TCP/IP) suite. When we talk about TCP/IP, we are often referring to network-related technologies and devices. However, the protocols within TCP/IP are also found in the operating system and in the applications running on a host device. ...

November 24, 2025 · 9 min · 1895 words · 0x-s0M3n4th