
🏴 Active Directory Pentest Lab

A simulated enterprise Active Directory environment built from scratch to practice privilege escalation, lateral movement, Kerberoasting, and AD enumeration with real pentesting tools.

Tags: Active Directory, Privilege Escalation, BloodHound, Mimikatz, Impacket

📋 Project Overview

This project involves building a fully functional Active Directory lab environment from scratch using virtualization. The goal is to simulate a real enterprise network with domain controllers, workstations, and users — then attack it using real pentesting tools and methodologies.

The lab replicates common misconfigurations found in real corporate environments, including weak passwords, over-privileged service accounts, unconstrained delegation, and user accounts with Kerberos pre-authentication disabled (AS-REP roastable).

🖥️ Lab Environment

  • 🖥️ Windows Server 2019 — Domain Controller (DC01.corp.local)
  • 💻 Windows 10 — Workstation (WS01 / WS02)
  • 🐧 Kali Linux — Attacker machine
  • 🔧 VMware / VirtualBox — Hypervisor
  • 🌐 Internal NAT network — 192.168.1.0/24

⚔️ Attack Methodology

  1. Reconnaissance: Initial network discovery with Nmap, identifying live hosts, open ports, and running services. SMB enumeration to identify domain structure.
  2. Enumeration: BloodHound + SharpHound for AD enumeration — collecting users, groups, GPOs, trust relationships, and attack paths visualized as graphs.
  3. Initial Access: AS-REP Roasting against accounts that do not require Kerberos pre-authentication, collecting the AS-REP responses (encrypted with the account's password-derived key) for offline cracking with Hashcat.
  4. Kerberoasting: Requesting TGS service tickets for accounts that have SPNs registered, then cracking the weak service-account passwords offline.
  5. Lateral Movement: Pass-the-Hash (PtH) and Pass-the-Ticket (PtT) attacks using Impacket's psexec.py and wmiexec.py to move between machines.
  6. Privilege Escalation: Abusing ACLs (WriteDACL, GenericAll), exploiting misconfigured GPOs, and exploiting Unconstrained Delegation to achieve Domain Admin.
  7. Domain Compromise: DCSync attack using Mimikatz to dump all domain hashes. Golden Ticket creation for persistence.
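The AS-REP roasting, Kerberoasting and DCSync stages above each leave a distinctive Windows Security event on the domain controller (4768, 4769 and 4662). The detection logic below is an added example written for this page, not part of the lab; it runs over constructed event records whose field names are an assumption about what a SIEM would extract, while the replication-right GUIDs and the RC4 encryption type 0x17 are real documented values.

```python
from collections import defaultdict

# Control-access-right GUIDs that appear in Event 4662 when replication is exercised (real values).
DS_REPL_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
RC4_HMAC = "0x17"  # etype 23; modern clients negotiate AES, Kerberoast tooling asks for RC4

# Constructed sample events (not real logs) with the fields assumed to be extracted
# from Security Event IDs 4768 (AS-REQ), 4769 (TGS-REQ) and 4662 (object access).
SAMPLE_EVENTS = [
    {"id": 4768, "account": "svc_backup", "preauth": "0", "status": "0x0", "ip": "192.168.1.50"},
    {"id": 4768, "account": "jsmith", "preauth": "2", "status": "0x0", "ip": "192.168.1.20"},
    {"id": 4769, "account": "jsmith", "service": "svc_sql", "etype": "0x17", "ip": "192.168.1.50"},
    {"id": 4769, "account": "jsmith", "service": "svc_web", "etype": "0x17", "ip": "192.168.1.50"},
    {"id": 4769, "account": "jsmith", "service": "svc_mssql2", "etype": "0x17", "ip": "192.168.1.50"},
    {"id": 4769, "account": "jsmith", "service": "WS02$", "etype": "0x12", "ip": "192.168.1.20"},
    {"id": 4769, "account": "jsmith", "service": "krbtgt", "etype": "0x17", "ip": "192.168.1.50"},
    {"id": 4662, "account": "jsmith", "properties": DS_REPL_GET_CHANGES_ALL, "ip": "192.168.1.50"},
    {"id": 4662, "account": "DC01$", "properties": DS_REPL_GET_CHANGES, "ip": "192.168.1.1"},
]


def detect(events, roast_threshold=3):
    """Return (rule, subject) alerts for the three Kerberos attack stages."""
    alerts = []
    rc4_services = defaultdict(set)  # client IP -> distinct SPN accounts requested with RC4
    for e in events:
        if e["id"] == 4768 and e["preauth"] == "0" and e["status"] == "0x0":
            # A TGT issued with pre-auth type 0: anyone could have requested it
            # and cracked the AS-REP offline, so the account is AS-REP roastable.
            alerts.append(("asrep_roast", e["account"]))
        elif e["id"] == 4769 and e["etype"] == RC4_HMAC:
            svc = e["service"]
            # Computer accounts and krbtgt are not Kerberoast candidates.
            if not svc.endswith("$") and svc.lower() != "krbtgt":
                rc4_services[e["ip"]].add(svc)
        elif e["id"] == 4662 and not e["account"].endswith("$"):
            # Replication rights exercised by anything other than a DC computer account.
            props = e["properties"].lower()
            if DS_REPL_GET_CHANGES in props or DS_REPL_GET_CHANGES_ALL in props:
                alerts.append(("dcsync", e["account"]))
    for ip, services in rc4_services.items():
        # Many RC4 service-ticket requests from one client is the Kerberoast burst pattern.
        if len(services) >= roast_threshold:
            alerts.append(("kerberoast", ip))
    return alerts
```

In a real deployment the Kerberoast rule should count within a time window and the 4768 rule should be paired with an audit of which accounts have pre-authentication disabled.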

📸 Screenshots

🔍 [ BLOODHOUND_ATTACK_PATH.png ]
💻 [ MIMIKATZ_DUMP.png ]
🏴 [ DOMAIN_ADMIN_OWNED.png ]

💾 Key Commands

# AS-REP Roasting — Get hashes for offline cracking
python3 GetNPUsers.py corp.local/ -usersfile users.txt -format hashcat -outputfile asrep.txt

# Kerberoasting — Request TGS tickets (-request is needed; without it the script only lists SPNs)
python3 GetUserSPNs.py corp.local/user:password -request -outputfile kerberoast.txt

# BloodHound Collection
./SharpHound.exe -c All --zipfilename bloodhound_data.zip

# DCSync — Dump all hashes (requires DA or equivalent directory replication rights)
mimikatz # lsadump::dcsync /domain:corp.local /all /csv

# Pass-the-Hash lateral movement
python3 psexec.py -hashes :NTLM_HASH corp.local/Administrator@192.168.1.10

// Tools Used
  • BloodHound / SharpHound
  • Mimikatz
  • Impacket Suite
  • CrackMapExec
  • Hashcat
  • Nmap
  • Rubeus

// Skills Demonstrated
  • AD Enumeration
  • Kerberoasting
  • AS-REP Roasting
  • Pass-the-Hash
  • DCSync Attack
  • Privilege Escalation
  • Lateral Movement
  • Persistence Techniques

// Environment
  • Windows Server 2019
  • Windows 10 Clients
  • Kali Linux Attacker
  • VMware / VirtualBox
  • Internal AD Domain