Security · Topic 27 of 23 · Part V — Specialized assessment targets

Active Directory and identity assessment

Active Directory remains the most exploited internal surface in enterprise environments — the path from low-privileged user to Domain Admin is short, well-documented, and an accurate gauge of whether hardening has held.

Syllabus: § Assessment of Infrastructure → Identity, directory services, and federation
Topic 27 · Identity assessment

The directory is the crown jewel — know every path to it

By the end of this topic you can:
  • Scope an Active Directory / identity assessment, distinguishing it from a generic internal pentest.
  • Enumerate an AD environment systematically and read the result.
  • Execute the standard Kerberos attack workflows — Kerberoasting, AS-REP roasting, delegation abuse, S4U, RBCD.
  • Identify and exploit ADCS misconfigurations (ESC1–ESC16).
  • Map an attack path with BloodHound and translate the graph into an actionable finding.
  • Extend the assessment to Entra ID and federated identity (Okta, Ping, ADFS).

Why AD is the dominant internal target

The reasons are structural, not historical.

  • AD is the authentication backbone for almost every internal service — file shares, RDP, SQL Server, Exchange, SharePoint, ticketing, on-prem apps. One privileged account unlocks most of the environment.
  • AD is old. NTLM and Kerberos carry decisions from the 1990s; backward compatibility keeps weak modes available.
  • AD is centrally rich and hard to harden. Twenty years of configuration drift — specific delegations, ACLs, nested group memberships — are the things attackers exploit.
  • AD is everywhere. Even cloud-first companies usually have an on-prem AD or Entra Domain Services tenant for legacy compatibility.
Tester value Fluency in AD assessment delivers the majority of the value on most internal engagements.

Scoping an AD / identity assessment

Scope questionWhy it matters
Which forest, domains, OUs?Multi-forest is common; inter-forest trusts are attack paths
Hybrid identity in scope?Entra ID, Entra Connect sync, PTA, or federation changes the surface
Starting position?External black-box vs. assumed-breach low-privilege vs. domain-joined workstation
Data plane access in scope?Reading shares / querying Exchange vs. path-finding only
Persistence in scope?Golden Ticket, Skeleton Key — extreme tests; must be scoped explicitly
Recovery & rollback agreementIf the tester cracks a service-account password — rotate or leave for client?

Reconnaissance from an unauthenticated position

Passive / low-noise

  • DNS enumeration — AD-integrated DNS leaks DC hostnames via SRV records (_kerberos._tcp.dc._msdcs.<domain>)
  • LDAP anonymous bind — disabled on most modern domains, but some still leak partial directory data
  • SMB null sessions — legacy DCs sometimes allow guest enumeration

Active / credential-producing

  • AS-REP roasting — accounts without Kerberos pre-auth return a crackable AS-REP with no credentials required
  • NTLM relay — LLMNR / NBT-NS / mDNS poisoning via Responder; relay captured auth to a target
  • mitm6 + Responder — IPv6 abuse against Windows clients to capture NTLM authentication
Key insight The unauthenticated phase often produces credentials directly. From there, the richer post-credential phase begins.

Enumeration with a domain account

  • Inventory the domainldapdomaindump, adidnsdump, enum4linux-ng, netexec, PowerView, ADRecon, SharpHound
  • Privileged groups — Domain Admins, Enterprise Admins, Schema Admins, Account Operators, Server Operators, Backup Operators, DNS Admins, Print Operators, plus delegated groups
  • Service accounts with SPNs — every SPN-attached account is kerberoastable
  • Accounts without Kerberos pre-auth — AS-REP roastable
  • ACLs on AD objects — who can write to whom; this is BloodHound's core dataset
  • Computer-account permissions — who can modify msDS-AllowedToActOnBehalfOfOtherIdentity (RBCD)
  • GPO enumeration — delegated permissions; SYSVOL for legacy cpassword values
Output Feed everything into BloodHound for attack-path analysis.

Kerberos attack workflows — roasting

Kerberoasting T1558.003

Any authenticated user can request a TGS for a kerberoastable account. The TGS-REP is encrypted with the service account's password-derived key — crackable offline.

  • hashcat mode 13100
  • Service accounts frequently have weak, stale passwords
  • One of the most reliable paths to a privileged account

Tool: GetUserSPNs.py (Impacket), Rubeus

AS-REP roasting T1558.004

Accounts with "Do not require Kerberos pre-authentication" return an AS-REP encrypted with their password key — without any prior credential.

  • hashcat mode 18200
  • Often set on legacy service accounts or by misconfiguration
  • Works from an unauthenticated network position

Tool: GetNPUsers.py (Impacket), Rubeus

Mitigation gMSA (Group Managed Service Accounts) auto-rotate service-account passwords, defeating kerberoasting. Their adoption status is a maturity indicator.

Kerberos attack workflows — delegation and ticket forging

Delegation abuse

  • Unconstrained T1558.001 — compromised host stores TGTs of every user who authenticates; coerce a DC via PrinterBug / PetitPotam to get a DC TGT → Domain Admin
  • Classic constrained (msDS-AllowedToDelegateTo) — S4U2self + S4U2proxy to impersonate any user to specified services
  • RBCD (msDS-AllowedToActOnBehalfOfOtherIdentity) — if attacker can write this attribute on a computer account, arbitrary impersonation follows

Ticket forging

  • Silver Ticket — forge a TGS from the service account NTLM hash; bypasses the KDC; targets a specific service
  • Golden Ticket — forge a TGT from the krbtgt NTLM hash; arbitrary access until krbtgt is rotated twice
  • Diamond / Sapphire — modified TGTs that mimic KDC-issued tickets; harder to detect

Tools: ticketer.py, Rubeus, BloodHound

ADCS — Active Directory Certificate Services

SpecterOps "Certified Pre-Owned" (2021) exposed a class of template and CA misconfigurations that drive some of the shortest paths to Domain Admin in hardened environments.

ESCRoot misconfigurationImpact
ESC1Template: Enrollee-supplies-subject + Client Auth EKU + low-privilege enrolmentEnrol as any principal (e.g. Domain Admin) and authenticate
ESC4Vulnerable template ACLs — low-privilege user can modify the templateConvert any template to ESC1
ESC6CA flag EDITF_ATTRIBUTESUBJECTALTNAME2 — enrollee can supply arbitrary SANSame effect as ESC1 on any template
ESC8NTLM relay to CA web enrolment endpointCertificate for the relayed account without credentials
ESC2 / ESC3Any-purpose or enrollment-agent template misuseEnrol as any user via agent chain

ESC9 through ESC16 continue extending the catalogue. Tools: Certipy (Python), Certify (.NET).

NTLM relay and coercion

The relay chain

1Capture inbound NTLM auth — LLMNR / NBT-NS / mDNS poisoning (Responder), mitm6, SMB relay, HTTP NTLM
2Relay to a target that lacks SMB signing, LDAP signing, or channel binding (EPA)
3Write to LDAP / AD, authenticate to ADCS web enrolment (ESC8), or execute on SMB

Coercion techniques

  • PrinterBug (Spooler), PetitPotam (EFSRPC), DFSCoerce, ShadowCoerce, AuthCoerce — force a DC to authenticate to the attacker
  • Compound chain: PetitPotam coerces DC → relay to ADCS → get a DC certificate → full domain compromise in minutes
Controls to check SMB signing on all endpoints (not just DCs); LDAP signing; EPA on LDAPS and HTTPS; LLMNR / NBT-NS / mDNS disabled via GPO; NTLM auditing enabled.

BloodHound: the attack-path graph

What changed

Before BloodHoundWith BloodHound
DiscoveryManual; tester folkloreComprehensive; graph queries
PathsOnly well-known patternsPaths not seen manually surfaced
Defender useNone — output not sharableSame data drives remediation backlog

A modern AD finding

Structure "BloodHound shows this attack path; the specific weakness on the path is this ACL on this object; the remediation is this."

BloodHound CE / Enterprise extends to Entra ID via AzureHound — cloud identity joins the same graph.

The graph makes both the attack and the remediation explicit — the same output serves the offensive deliverable and the defensive backlog.

Hybrid identity and Entra ID

The hybrid landscape

  • Entra Connect server is high-value — holds credentials capable of writing to both directories; compromise equals compromise of both
  • Password-hash sync — on-prem NT hash re-hashed to cloud; prem compromise = cloud compromise
  • Pass-through authentication (PTA) — agent on-prem validates cloud auth against AD; agent compromise = auth compromise
  • Federation (ADFS, Okta, Ping) — IdP compromise allows forging arbitrary tokens (Golden SAML)

Entra ID-specific attacks

  • Token theft — pass-the-cookie / pass-the-token; OAuth refresh tokens; primary refresh tokens (PRTs)
  • Illicit consent grant — attacker OAuth app requesting broad scopes
  • Conditional Access bypass — legacy auth protocols (IMAP, SMTP, POP3) exempt from MFA
  • Service principal abuse — over-privileged app registrations; persisted credentials
  • MFA fatigue / push-bombing

Tools: ROADtools, AzureHound, AADInternals, TokenTactics

Federation and IdPs

Attack surface

  • Admin access to the IdP — equivalent to forging any user; protected by separate MFA, dedicated accounts, IP allowlisting
  • SAML / OIDC configuration — assertion-signing key exposure, attribute mapping errors
  • Cross-tenant trust — partner federation, B2B / B2C arrangements; broad trust is broad risk
  • Provisioning (SCIM) — automatic account creation and group sync; over-grants are common
Golden SAML Compromise of the ADFS signing key (or equivalent IdP private key) allows forging valid SAML assertions for any user to any relying party. Recovery requires re-rolling all federation trust anchors.
Scoping note The SaaS IdP itself is typically out of scope under the provider's policy — test the configuration and integration, not the IdP platform.

Methodology summary

1Scope — forest / domain / tenant; starting position; hybrid inclusions; data plane; persistence
2Unauthenticated recon — LLMNR / mitm6 / Responder; AS-REP roasting; SMB null sessions
3Authenticated enumeration — SharpHound / BloodHound.py; ldapdomaindump; netexec
4Path analysis — BloodHound queries; identify shortest paths to Domain Admin
5Kerberos work — kerberoasting, AS-REP, delegation, S4U / RBCD chains
6ADCS — Certipy enumeration; ESC abuse chains
7NTLM relay & coercion — where signing is absent
8Hybrid / Entra ID — Entra Connect, token theft, conditional access, federation
9Report — paths, the specific weakness on each path, prioritised remediation

Check — SMB signing and NTLM relay scope

Scenario

A client has SMB signing required on Domain Controllers but not on member servers. What does this enable, and what does it fail to prevent?

Reveal answer

NTLM relay from captured client authentication to any member server without signing — write access to file-server shares as the relayed user, or code execution if the account has sufficient privilege. The DC's SMB signing protects DC-targeted relay only; the broader environment remains exposed. All SMB endpoints — not just DCs — must enforce signing for full coverage.

What you take home

  • AD is the authentication backbone for almost every internal service — its compromise is typically total environment compromise.
  • Scoping must resolve forest, starting position, hybrid identity, data plane, and rollback expectations before work begins.
  • Kerberoasting and AS-REP roasting are reliable first-paths; gMSA adoption is the structural fix.
  • Delegation abuse (unconstrained, constrained, RBCD) and ADCS misconfigurations (ESC1–ESC16) are the two other highest-yield attack classes.
  • NTLM relay is still effective in most environments; SMB signing on member servers — not just DCs — is the critical control.
  • BloodHound turns attack paths from tester folklore into data the defender can act on; deliver the graph with every AD engagement.
  • Hybrid identity means Entra Connect server, PTA agents, and federation signing keys are all Tier 0 assets, even when not managed as such.

Next: Topic 28 — Cloud infrastructure testing. The identity-graph discipline from this topic carries forward into IAM and cloud-specific attack paths.

END · TOPIC 27

Map the path. Name the weakness. Deliver the fix.

Before next session: run a BloodHound query against the lab environment and identify one attack path — document the specific weakness on the path and a one-line remediation.