
Active Directory Attack Paths: How Pentesters Go From Domain User to Domain Admin

Lorikeet Security Team April 8, 2026 12 min read

TL;DR: In the majority of internal penetration tests, the path from standard domain user to Domain Admin takes hours, not days. The attack chain is well-documented — LLMNR/NBT-NS poisoning for initial credential capture, BloodHound for attack path mapping, Kerberoasting for service account compromise, and DCSync for full domain credential extraction. These techniques succeed because most organizations still run legacy broadcast protocols, use weak service account passwords, and grant excessive privileges across their Active Directory environment.

Why Active Directory Remains the #1 Internal Target

Active Directory is the central nervous system of enterprise IT. It manages authentication, authorization, group policy, DNS, and certificate services for virtually every Windows environment. Compromise AD and you control every system joined to the domain — workstations, servers, file shares, email, VPN, and cloud resources federated through Azure AD Connect or ADFS.

The fundamental challenge is that AD was designed in the late 1990s for usability and interoperability in trusted networks. Many of the protocols it relies on — NTLM, LDAP, Kerberos delegation, broadcast name resolution — were built before the assume-breach mindset existed. Twenty-five years of backwards compatibility means that even modern AD deployments carry legacy attack surface that pentesters exploit reliably in every engagement.

At Lorikeet Security, Active Directory compromise is the single most consistent finding in our internal network penetration tests. The techniques change incrementally — new tooling, new evasion — but the underlying weaknesses remain the same because organizations cannot easily disable legacy functionality without breaking production workflows.


Phase 1: Initial Credential Capture

LLMNR and NBT-NS Poisoning

Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) are broadcast protocols that Windows systems use as fallback when DNS resolution fails. When a user mistypes a hostname or a DNS record does not exist, the system broadcasts a query to the local network asking "Does anyone know where \\FILESERVRE is?"

An attacker on the same network segment responds to these broadcasts, claiming to be the requested host. The victim machine then sends its NTLMv2 authentication hash to the attacker. These captured hashes can be cracked offline using hashcat or relayed directly to other services via NTLM relay attacks. In a typical corporate network with hundreds of users, poisoning captures dozens of hashes within the first hour of testing.

Password Spraying

Password spraying tests a small number of commonly used passwords against every account in the domain — the inverse of brute-forcing, which tries many passwords against one account. With a list of valid usernames enumerated from LDAP (often available to any authenticated user), the attacker tries passwords like Company2026!, Welcome1, or SeasonYear! patterns. Spraying at one attempt per account per lockout interval avoids triggering account lockout policies while maintaining a high success rate against organizations without password complexity enforcement beyond basic Active Directory requirements.

NTLM Relay

Rather than cracking captured NTLM hashes, relay attacks forward the authentication directly to another target — typically a server that does not require SMB signing. The attacker intercepts an authentication attempt, relays it to a different server, and authenticates as the victim user. If the relayed user has local administrator rights on the target server, the attacker gains full control. NTLM relay to LDAP is particularly dangerous: it can be used to set resource-based constrained delegation, granting the attacker persistent access to specific services.


Phase 2: Enumeration and Attack Path Mapping

Once the pentester has a single set of domain credentials — even a low-privilege user — enumeration begins. Every authenticated domain user can query Active Directory for an extraordinary amount of information: all users, groups, computers, group memberships, service principal names, trust relationships, and ACL permissions.

BloodHound is the tool that changed AD pentesting. It ingests data collected by SharpHound (its data collector), maps every relationship in the domain — group memberships, local admin rights, session data, ACL abuse paths, delegation configurations — and calculates the shortest path from any compromised user to Domain Admin. What previously required hours of manual enumeration now takes minutes.

Common BloodHound findings include users with unintended local admin rights on servers, nested group memberships that grant Domain Admin through three or four levels of indirection, and service accounts with DCSync permissions that were granted years ago and never reviewed.


Phase 3: Privilege Escalation

Kerberoasting

Any authenticated domain user can request a Kerberos service ticket for any service registered with a Service Principal Name (SPN). The ticket is encrypted with the service account's password hash. The attacker requests tickets for all SPNs in the domain, extracts them, and cracks them offline. Service accounts with weak passwords — and many are set once during initial deployment and never rotated — crack in seconds.

The critical issue is that service accounts frequently hold elevated privileges: SQL Server service accounts with sysadmin rights, Exchange service accounts, backup service accounts with Domain Admin membership. A single cracked service account password often provides a direct path to domain compromise.

AS-REP Roasting

Accounts configured with "Do not require Kerberos preauthentication" allow any user to request an AS-REP response encrypted with the target account's hash — without providing any authentication. Like Kerberoasting, these hashes are cracked offline. While fewer accounts have this flag set, those that do are often legacy service accounts or test accounts with weak passwords.

Unconstrained Delegation Abuse

Servers configured for unconstrained Kerberos delegation cache the TGTs of any user who authenticates to them. If an attacker compromises a server with unconstrained delegation and can coerce a Domain Admin to authenticate to it — through the printer bug (SpoolSample), PetitPotam, or other coercion techniques — they capture the Domain Admin's TGT and use it to authenticate as that user anywhere in the domain.
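As an added example (not Lorikeet's tooling and not code from the original post), the following audit flags the three Phase 3 exposures in an offline directory export: Kerberoastable accounts whose privilege or stale password makes them a likely Domain Admin path, accounts with preauthentication disabled, and non-DC hosts with unconstrained delegation. SAMPLE_OBJECTS is constructed data; the attribute names and userAccountControl bits are the real Active Directory ones, while the account names, the 365-day rotation threshold and the fixed clock are assumptions.

```python
# Added example (not Lorikeet's tooling): audit directory objects for the three
# Phase 3 exposures. SAMPLE_OBJECTS is CONSTRUCTED data shaped like an LDAP
# export; attribute names are the real AD ones, the account names are made up.
from datetime import datetime, timedelta, timezone

# userAccountControl flag bits (Microsoft-documented values)
DONT_REQ_PREAUTH = 0x400000        # AS-REP roastable
TRUSTED_FOR_DELEGATION = 0x80000   # unconstrained delegation
SERVER_TRUST_ACCOUNT = 0x2000      # domain controller: delegation is expected there
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
MAX_SPN_PASSWORD_AGE = timedelta(days=365)   # assumed rotation policy

NOW = datetime(2026, 4, 8, tzinfo=timezone.utc)   # fixed clock for reproducibility
SAMPLE_OBJECTS = [  # constructed
    {"sAMAccountName": "svc_sql", "objectClass": "user", "memberOf": ["Domain Admins"],
     "servicePrincipalName": ["MSSQLSvc/sql01.corp.example:1433"],
     "userAccountControl": 0x10200, "pwdLastSet": NOW - timedelta(days=1900)},
    {"sAMAccountName": "svc_backup", "objectClass": "user", "memberOf": [],
     "servicePrincipalName": ["backup/bk01.corp.example"],   # rotated recently
     "userAccountControl": 0x10200, "pwdLastSet": NOW - timedelta(days=20)},
    {"sAMAccountName": "legacy_app", "objectClass": "user", "memberOf": [],
     "servicePrincipalName": [], "pwdLastSet": NOW - timedelta(days=2000),
     "userAccountControl": 0x10200 | DONT_REQ_PREAUTH},
    {"sAMAccountName": "APP01$", "objectClass": "computer", "memberOf": [],
     "servicePrincipalName": ["HOST/app01.corp.example"],
     "userAccountControl": 0x1000 | TRUSTED_FOR_DELEGATION,
     "pwdLastSet": NOW - timedelta(days=10)},
    {"sAMAccountName": "DC01$", "objectClass": "computer", "memberOf": [],
     "servicePrincipalName": ["HOST/dc01.corp.example"],
     "userAccountControl": SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION,
     "pwdLastSet": NOW - timedelta(days=10)},
]

def audit(objects, now=NOW):
    """Return (account, finding) pairs; a low-risk SPN account yields nothing."""
    findings = []
    for o in objects:
        name, uac = o["sAMAccountName"], o["userAccountControl"]
        if o["objectClass"] == "user" and o["servicePrincipalName"]:
            # Every user with an SPN is Kerberoastable; privilege or a stale
            # password is what turns a cracked hash into a domain compromise path.
            privileged = bool(PRIVILEGED_GROUPS & set(o["memberOf"]))
            stale = now - o["pwdLastSet"] > MAX_SPN_PASSWORD_AGE
            if privileged or stale:
                findings.append((name, f"kerberoastable privileged={privileged} stale={stale}"))
        if uac & DONT_REQ_PREAUTH:
            findings.append((name, "as-rep roastable (preauth disabled)"))
        if uac & TRUSTED_FOR_DELEGATION and not uac & SERVER_TRUST_ACCOUNT:
            findings.append((name, "unconstrained delegation on non-DC"))
    return findings
```

Domain controllers carry the unconstrained delegation bit by default, so the check excludes SERVER_TRUST_ACCOUNT objects rather than reporting every DC.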


Phase 4: Lateral Movement

Pass-the-Hash: With an NTLM hash (from credential dumping on a compromised host), the attacker authenticates to other systems without knowing the plaintext password. NTLM authentication accepts the hash directly. Any system where the compromised user has local admin rights is accessible.

Overpass-the-Hash: The attacker uses a captured NTLM hash to request a Kerberos TGT, then uses standard Kerberos authentication. This is stealthier than pass-the-hash because it generates Kerberos authentication events rather than NTLM events, blending with normal traffic.

Token Impersonation: On a compromised host, the attacker can impersonate the security tokens of other logged-in users. If a Domain Admin has an active session on a compromised workstation — common when IT staff use privileged accounts for daily work — the attacker steals their token and operates with Domain Admin privileges immediately.


Phase 5: Domain Compromise and Persistence

DCSync

DCSync uses the Directory Replication Service protocol to impersonate a domain controller and request the password hash of any account — including the krbtgt account. Any account with Replicating Directory Changes and Replicating Directory Changes All permissions (held by Domain Admins, Enterprise Admins, and the domain controller computer accounts by default) can execute DCSync. No malware on the DC is required — the attack runs from any domain-joined workstation.

Golden Ticket

With the krbtgt account's hash obtained via DCSync, the attacker forges a Kerberos TGT — the Golden Ticket. This TGT can impersonate any user with any group membership, including non-existent users. The forged ticket is valid until the krbtgt password is changed twice (to flush both the current and previous key). Many organizations have never rotated their krbtgt password, meaning a Golden Ticket provides indefinite persistence.

Silver Ticket and Skeleton Key

Silver Tickets forge service tickets for specific services using the service account's hash — useful for targeted, stealthy persistence against individual servers. The Skeleton Key attack patches the LSASS process on a domain controller to accept a master password for any account alongside the legitimate password, providing a backdoor that persists until the DC is rebooted.
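DCSync leaves a trace: each replication request is logged on the domain controller as Security event 4662 with the replication control-access rights in its Properties field. The following detection, added here as an example and not taken from the original post, raises an alert when those rights are exercised by any principal other than the expected replicators. The events are constructed samples using the standard 4662 field names; the DC computer accounts and the Azure AD Connect sync account in the allow-list are assumptions to be replaced with your own inventory.

```python
# Added example (not from the original post): flag DCSync activity in Windows
# Security event 4662 records. SAMPLE_EVENTS is CONSTRUCTED data shaped like
# parsed 4662 events; only the standard event field names are used.
import re

# Control-access-right GUIDs for the two replication permissions named above.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}
# Assumed inventory: DC computer accounts plus the Azure AD Connect sync
# account are the only principals that should ever replicate the directory.
DC_ACCOUNTS = {"DC01$", "DC02$"}                           # constructed names
EXPECTED_REPLICATORS = DC_ACCOUNTS | {"MSOL_a1b2c3d4e5f6"}  # constructed name

GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)

SAMPLE_EVENTS = [  # constructed
    # Normal: DC02 replicating from DC01
    {"EventID": 4662, "SubjectUserName": "DC02$", "AccessMask": "0x100",
     "Properties": "%%7688\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    # Suspicious: a user account asking for "Replicating Directory Changes All"
    {"EventID": 4662, "SubjectUserName": "jsmith", "AccessMask": "0x100",
     "Properties": "%%7688\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # Benign 4662 from the same user touching an unrelated attribute
    {"EventID": 4662, "SubjectUserName": "jsmith", "AccessMask": "0x10",
     "Properties": "%%7688\n\t{bf967a68-0de6-11d0-a285-00aa003049e2}"},
    # Unrelated event type, ignored
    {"EventID": 4624, "SubjectUserName": "jsmith"},
]

def dcsync_alerts(events):
    """Return (account, [rights]) for replication rights used by unexpected principals."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        guids = [g.lower() for g in GUID_RE.findall(ev.get("Properties", ""))]
        rights = sorted({REPLICATION_RIGHTS[g] for g in guids if g in REPLICATION_RIGHTS})
        if not rights or ev["SubjectUserName"] in EXPECTED_REPLICATORS:
            continue
        alerts.append((ev["SubjectUserName"], rights))
    return alerts
```

Logging 4662 requires the "Audit Directory Service Access" subcategory to be enabled on the DCs and a SACL on the domain object; without both, the event never fires and this check sees nothing.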


Common Misconfigurations We Find

| AD Attack Technique | Difficulty | Frequency Found | Impact |
|---|---|---|---|
| LLMNR/NBT-NS Poisoning | Low | Very High (~90%) | Initial credential capture |
| Kerberoasting | Low | High (~75%) | Service account compromise, often DA |
| Password Spraying | Low | High (~70%) | Multiple account compromise |
| NTLM Relay | Medium | High (~65%) | Lateral movement, privilege escalation |
| Unconstrained Delegation | Medium | Medium (~40%) | Domain Admin via TGT capture |
| DCSync | Low (with DA) | High (post-escalation) | Full domain credential extraction |
| AS-REP Roasting | Low | Medium (~35%) | Account compromise via offline cracking |
| GPO Abuse | Medium | Medium (~30%) | Code execution across OUs |

Beyond individual techniques, the systemic issues we identify include: excessive Domain Admin membership (organizations with 20+ DA accounts when 3-5 would suffice), service accounts with Domain Admin privileges that were never scoped down, LAPS not deployed (meaning every workstation shares the same local admin password), privileged accounts used for daily workstation login creating token theft opportunities, and stale accounts that have not logged in for years but retain elevated permissions.


Defending Your Active Directory

Disable LLMNR and NBT-NS via Group Policy. This single change eliminates the most common initial access vector in internal pentests. Test thoroughly in your environment first — some legacy applications may depend on these protocols.

Enforce strong service account passwords — 25+ character random passwords for all accounts with SPNs. Better yet, migrate to Group Managed Service Accounts (gMSA), which rotate passwords automatically and are immune to Kerberoasting.

Require SMB signing on all servers and domain controllers to prevent NTLM relay attacks. Enable Extended Protection for Authentication (EPA) on web services that use Windows authentication.

Deploy LAPS (Local Administrator Password Solution) to ensure unique, rotated local admin passwords on every workstation. This breaks lateral movement via pass-the-hash with local admin accounts.

Implement tiered administration: Tier 0 (domain controllers and AD infrastructure), Tier 1 (servers), Tier 2 (workstations). Privileged accounts should never authenticate to lower tiers. Use Privileged Access Workstations (PAWs) for Tier 0 administration.

Monitor with BloodHound defensively. Run SharpHound regularly to identify new attack paths before an attacker does. Track changes in DA membership, ACL modifications, and new delegation configurations.
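Three of the settings above (LLMNR, NBT-NS, SMB signing) land in well-known registry locations, so their state can be verified fleet-wide from exported registry files. The following checker is an added example, not Lorikeet's tooling or code from the original post: it parses a .reg export and reports each host-level setting that is still at its insecure state. SAMPLE_REG is a constructed fragment with made-up interface GUIDs; the key paths and value names are the documented policy locations.

```python
# Added example (not from the original post): verify three hardening settings
# from the list above against a .reg export. SAMPLE_REG is a CONSTRUCTED
# fragment; interface GUIDs are made up, key paths and value names are real.
import re

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient]
"EnableMulticast"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
"RequireSecuritySignature"=dword:00000000
"EnableSecuritySignature"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_{11111111-2222-3333-4444-555555555555}]
"NetbiosOptions"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_{66666666-7777-8888-9999-000000000000}]
"NetbiosOptions"=dword:00000000
"""

DNS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient"
SMB_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"
NBT_PREFIX = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_"

def parse_reg(text):
    """Map key path -> {value name: int} for the dword values in a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and (m := re.match(r'"([^"]+)"=dword:([0-9a-fA-F]{8})', line)):
            keys[current][m.group(1)] = int(m.group(2), 16)
    return keys

def check_hardening(reg):
    """Return the settings still in their insecure state (absent = Windows default)."""
    findings = []
    if reg.get(DNS_KEY, {}).get("EnableMulticast", 1) != 0:   # default: LLMNR on
        findings.append("LLMNR enabled")
    if reg.get(SMB_KEY, {}).get("RequireSecuritySignature", 0) != 1:  # default on member servers: off
        findings.append("SMB signing not required (server)")
    for key, vals in reg.items():   # NetbiosOptions 2 = disable NetBIOS over TCP/IP
        if key.startswith(NBT_PREFIX) and vals.get("NetbiosOptions", 0) != 2:
            findings.append(f"NetBIOS over TCP/IP enabled on {key[len(NBT_PREFIX):]}")
    return findings
```

The NBT-NS setting is per network interface, which is why the check walks every Tcpip_ subkey instead of reading one value; a GPO that sets only the DNSClient key leaves NBT-NS untouched.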

Test Your Active Directory Defenses

Lorikeet Security's internal network penetration tests include comprehensive Active Directory attack path testing — from initial credential capture through domain compromise. Find out how far an attacker gets before your defenses stop them.

Lorikeet Security Team

Penetration Testing & Cybersecurity Consulting

We've completed 170+ security engagements across web apps, APIs, cloud infrastructure, and AI-generated codebases. Everything we publish here comes from patterns we see in real client work.
