What makes Active Directory penetration testing different from standard network pentesting?

Active Directory penetration testing focuses specifically on the identity and access management layer that controls authentication and authorization for an entire organization. Standard network pentests may find exposed services or misconfigurations, but AD pentesting digs into attack paths like Kerberoasting, Pass-the-Hash, and delegation abuse that can lead directly to Domain Admin privileges. A full AD compromise means controlling every system and account in the domain.

What are the most common attack techniques used in Active Directory pentesting?

Common AD attack techniques include Kerberoasting (cracking service account passwords from Kerberos tickets), AS-REP roasting (attacking accounts without pre-authentication), BloodHound graph analysis to map privilege escalation paths, Pass-the-Hash and Pass-the-Ticket attacks, and abusing misconfigured delegation settings. Testers also look for ACL misconfigurations that allow low-privileged users to modify high-privilege objects.

How often should organizations perform Active Directory security assessments?

Organizations should assess their Active Directory security at least annually, and after any major infrastructure changes such as domain migrations, acquisitions, or significant configuration updates. Because AD environments tend to accumulate misconfigurations over time as roles and systems are added, regular assessments are critical. Many compliance frameworks including NIS2 and ISO 27001 also recommend periodic penetration testing of identity infrastructure.

What should a business expect to receive from an Active Directory penetration test report?

A professional AD pentest report should document all identified attack paths to Domain Admin or other sensitive accounts, the specific techniques used to demonstrate each vulnerability, and a risk-rated list of findings with concrete remediation recommendations. It should also include evidence of how far the tester escalated privileges during the engagement, helping the organization understand its actual exposure in a real attack scenario.

Active Directory penetration testing: techniques and...

Active Directory (AD) is the foundation of IT infrastructure in most organizations. It manages identities, authorization, and resource access. For attackers, it’s the primary target – AD compromise means full control over the environment.

AD penetration testing differs from standard infrastructure pentests. This article explains their specifics and key areas to verify.

Why AD is the Primary Target

Centralized Privileges

In a typical AD environment:

Domain Admins have full control over all systems
One compromised admin = access to the entire organization
Kerberos enables lateral movement between systems
GPO allows mass malware distribution

Configuration Legacy

Many AD environments have decades of history:

Old accounts with excessive privileges
Outdated GPOs with security gaps
Legacy systems requiring weak protocols
“Temporary” configurations from 2010

Complexity

AD is a complex ecosystem:

Hundreds of settings affecting security
Component interactions create non-obvious paths
Difficult to maintain visibility of entire configuration
Changes in one place affect others

📚 Read the complete guide: IAM / Zero Trust: Zarządzanie tożsamością i dostępem - od podstaw do Zero Trust

Types of AD Tests

1. Unauthenticated Assessment

Starting point: Network access but no credentials

Goal: Check if an attacker “from the street” can gain access

Typical techniques:

LLMNR/NBT-NS poisoning
Responder attacks
Null session enumeration
SMB signing verification
Zerologon and similar CVEs

2. Authenticated Assessment (Standard User)

Starting point: Regular domain user credentials

Goal: Explore privilege escalation paths

Typical techniques:

BloodHound enumeration
Kerberoasting
AS-REP Roasting
ACL abuse
Delegation attacks

3. Authenticated Assessment (Privileged)

Starting point: Credentials with some privilege level

Goal: Examine privilege separation and paths to DA

Typical techniques:

DCSync
AdminSDHolder abuse
GPO modification
Certificate attacks (ADCS)
Trust abuse

4. Assumed Breach

Starting point: Simulated workstation compromise

Goal: Test response and detection capabilities

Typical techniques:

Credential dumping
Lateral movement
Persistence mechanisms
C2 communication

Key Areas to Test

1. Kerberos Configuration

What to test:

Kerberoastable accounts (SPN on user accounts)
AS-REP Roastable accounts (no preauth)
Unconstrained delegation
Constrained delegation misconfigurations
Resource-based constrained delegation

Typical findings:

Service accounts with weak passwords and SPN
Technical accounts without preauth
Servers with unconstrained delegation

2. Password Policies

What to test:

Fine-grained password policies
Length and complexity
Account lockout settings
Password history
Reversible encryption

Typical findings:

Default policy too weak
No FGPP for privileged accounts
Password spray vulnerability

3. Privileged Access

What to test:

Membership in privileged groups
Nested groups
AdminCount and AdminSDHolder
Tiering model (if implemented)
PAW/SAW implementation

Typical findings:

Too many Domain Admins
Service accounts in Domain Admins
No tiering – admin logs into workstation

4. ACL/ACE Misconfigurations

What to test:

Dangerous permissions (WriteDACL, GenericAll, etc.)
Ownership of privileged objects
ACL on users and groups
Schema modification rights

Typical findings:

Help desk with password reset rights on DA
Nested group giving non-obvious privileges
GenericAll on OU with privileged accounts

5. Group Policy Security

What to test:

GPO modification rights
GPO link permissions
Credentials in GPO preferences
LAPS configuration
Security baselines

Typical findings:

Credentials in XML files (cpassword)
Missing LAPS or incomplete deployment
GPO modifiable by non-admins

6. Certificate Services (ADCS)

What to test:

Certificate templates vulnerabilities
Enrollment rights
ESC1-ESC8 attack vectors
CA backup permissions
NTLM relay to CA

Typical findings:

Templates with EKU allowing client auth + enrollment
ESC1/ESC4 vulnerabilities
Web enrollment without Extended Protection

7. Trusts

What to test:

Inter-forest trusts
SID history
Selective authentication
Trust transitivity

Typical findings:

Two-way trust with external forest
No SID filtering
Selective auth not implemented

AD Testing Tools

Enumeration

BloodHound – graph visualization of attack paths
SharpHound – collector for BloodHound
ADExplorer – AD browser
ldapdomaindump – AD information export

Exploitation

Rubeus – Kerberos attacks
Mimikatz – credential dumping
Certify – ADCS enumeration and attacks
PowerView – enumeration and exploitation

Lateral Movement

CrackMapExec – swiss army knife
Impacket – Python tools (psexec, wmiexec, etc.)
Evil-WinRM – WinRM shell
SharpRDP – RDP lateral movement

Typical Attack Paths

Path 1: Kerberoasting → Crack → Lateral Movement

Enumerate SPN on user accounts
Request TGS for kerberoastable account
Offline password cracking
Lateral movement to systems where account is admin
Repeat to escalate

Path 2: ACL Abuse → Delegation → DCSync

BloodHound finds path through ACL
Abuse WriteDACL on account with delegation
Configure resource-based constrained delegation
Impersonate privileged user
DCSync and full compromise

Path 3: ADCS → Certificate → Persistence

Enumerate certificate templates (Certify)
Identify vulnerable template (ESC1)
Request certificate for privileged user
Authentication with certificate
Persistence – certificates valid for years

Path 4: GPO → Code Execution → DA

Identify GPO modifiable by compromised account
Modify GPO – scheduled task/startup script
Wait for GPO application
Code execution on systems in OU
Credential harvest → DA

AD Test Deliverables

Technical Report

Detailed description of each attack path
Screenshots and proof-of-concept
Mapping to MITRE ATT&CK
Remediation prioritization

BloodHound Database

Database export for own analysis
Ability to track remediation progress
Baseline for comparison with future tests

Remediation Roadmap

Short-term: quick wins (password changes, ACL fixes)
Medium-term: architecture changes (tiering, LAPS)
Long-term: strategic improvements (PAM, MFA everywhere)

Attack Path Diagrams

Visualization of paths to DA
Understandable for management
Identification of “choke points” to secure

Most Common Configuration Mistakes

Service accounts in Domain Admins – classic
No tiering – DA logs into workstation
Legacy protocols – NTLMv1, SMB1, LLMNR enabled
Over-provisioned accounts – “just in case”
Stale accounts – unused but active accounts
GPO credentials – cpassword still present
Weak service account passwords – Kerberoastable
Unconstrained delegation – on non-DC servers
Vulnerable ADCS templates – default configurations
No LAPS – local admin password same everywhere

Summary

Active Directory penetration testing is a specialized discipline requiring:

Deep knowledge of AD internals
Specialized tools (BloodHound, Rubeus, etc.)
Understanding of complex attack paths
Ability to translate findings into recommendations

AD compromise = organization compromise. Regular testing is essential for environments where AD remains the identity management center.

Want to examine your Active Directory security? Contact us – we’ll conduct comprehensive tests and help secure critical infrastructure.

Learn key terms related to this article in our cybersecurity glossary:

IT Infrastructure Penetration Testing — IT infrastructure penetration testing is a controlled and ethical process of…
Wi-Fi Network Penetration Testing — Wi-Fi network penetration testing is the process of assessing the security of…
Penetration Testing — Penetration testing, also known as pentesting, is a controlled process of…
Cybersecurity — Cybersecurity is a collection of techniques, processes, and practices used to…
Encryption — Encryption is the process of converting data from a human-readable format to…

Learn More

Explore related articles in our knowledge base:

Explore Our Services

Need cybersecurity support? Check out:

Penetration Testing - identify vulnerabilities in your infrastructure
Red Team - advanced attack simulations

Explore Our Products

Solutions mentioned in this article that can help protect your organization:

RidgeBot — Ridge Security

Why AD is the Primary Target

Centralized Privileges

Configuration Legacy

Complexity

Types of AD Tests

1. Unauthenticated Assessment

2. Authenticated Assessment (Standard User)

3. Authenticated Assessment (Privileged)

4. Assumed Breach

Key Areas to Test

1. Kerberos Configuration

2. Password Policies

3. Privileged Access

4. ACL/ACE Misconfigurations

5. Group Policy Security

6. Certificate Services (ADCS)

7. Trusts

AD Testing Tools

Enumeration

Exploitation

Lateral Movement

Typical Attack Paths

Path 1: Kerberoasting → Crack → Lateral Movement

Path 2: ACL Abuse → Delegation → DCSync

Path 3: ADCS → Certificate → Persistence

Path 4: GPO → Code Execution → DA

AD Test Deliverables

Technical Report

BloodHound Database

Remediation Roadmap

Attack Path Diagrams

Most Common Configuration Mistakes

Summary

Want to examine your Active Directory security? Contact us – we’ll conduct comprehensive tests and help secure critical infrastructure.

Related Terms

Learn More

Explore Our Services

Explore Our Products

Tags:

Share:

Talk to an expert

Grzegorz Gnych

Want to Reduce IT Risk and Costs?