Active Directory penetration testing is an authorised security assessment that simulates a real-world attack to identify and exploit vulnerabilities within the AD environment (a centralised system for managing user access and resources). AD pentesting includes ethical hacking methods to detect vulnerabilities in AD configurations, permissions and authentication mechanisms. The active directory penetration testing methodology is a structured approach that includes reconnaissance and enumeration, vulnerability identification and exploitation, privilege escalation, persistence and reporting. Traditional AD pentesting can be resource-intensive and often takes days or weeks for comprehensive assessments, thus costing more (£125 to £350 per hour). But automated and AI-driven tools take less time for testing and are cost-effective, ranging from £500 to £1,000 per test. Pentesters use common Active Directory pentesting tools like BloodHound, Metasploit, Nmap and automated and AI-based frameworks (PentestGPT, Pentera) to find common vulnerabilities like misconfigurations, credential weaknesses, privilege escalation paths and persistence mechanisms.
What is Active Directory penetration testing?
Active Directory (AD) penetration testing is a security assessment that simulates a real-world attack on an organisation’s Active Directory environment (AD configurations, user permissions, authentication protocols and network services) to identify vulnerabilities such as misconfigurations, privilege escalation paths, operational weaknesses and credential exposures.
Active directory penetration testing is also known as active directory security assessment, AD pentesting, and active directory security audit. Active Directory is used for managing users, computers, and security policies, which makes it a prime target for malicious attackers. AD security testing assesses the effectiveness of security measures and policies within the AD environment, helping organisations identify vulnerabilities and reduce the risk of breaches.
According to O. Akinyokun et al. in their research ‘Penetration Testing Platforms for Active Directory Network Environment’, published on January 1, 2024, Active Directory pentesting focuses on understanding the attacks used against Active Directory environments and the corresponding defence mechanisms, helping organisations understand their security risks and plan effective remediation steps.
How does Active Directory penetration testing work?
Active Directory penetration testing follows a structured process that includes scoping & rules of engagement, reconnaissance and enumeration, vulnerability identification, exploitation & escalation, persistence, reporting and remediation guidance. Penetration testers first set the scope, which covers domain controllers, users and groups, security policies, network shares and externally exposed interfaces.
Testers then enumerate the environment and search for vulnerabilities and misconfigurations using automated tools and manual techniques to identify exploitable services and attack paths. Identified flaws are then exploited to gain unauthorised access or escalate privileges. The engagement concludes with a report that includes all findings, exploited attack paths, detection points and prioritised remediation guidance.
The goal of Active Directory pentesting is to discover vulnerabilities and assess security measures by mimicking real attackers’ techniques to gain unauthorised access or escalate privileges within the network, according to ‘Penetration Testing and Exploitation of Active Directory Configuration Vulnerabilities’, published by Zlatan Morić et al. on September 17, 2024.
What are the features of Active Directory penetration testing?
Listed below are the 6 main features of Active Directory penetration testing.
- Realistic Attack Simulation: Active Directory penetration testing involves simulating an unauthenticated attack to identify how an attacker could compromise an organisation and whether the attack detection or response controls are effective. Pen testers perform chained attacks to gain initial access, followed by credential gathering, lateral movement, privilege escalation and domain compromise. They use real attackers’ TTPs (Tactics, Techniques and Procedures), including Kerberos abuse, pass-the-hash/ticket, golden/silver tickets, ACL abuse, etc.
- Exploitation Techniques: Active directory pentesting includes safely demonstrating how identified vulnerabilities can be exploited to gain access, move laterally, escalate privileges or compromise the domain. Pen testers use common exploitation techniques, including kerberoasting, AS-REP roasting, pass-the-hash (PtH), DCSync, ACL abuse, lateral movement via WinRM/SMB/RDP, etc. Exploitation techniques for AD testing provide a Proof of Concept (POC) of identified AD vulnerabilities that can be exploited in real-world attacks and demonstrate how specific techniques chain together (with tools, commands and non-destructive POCs).
- Lateral movement analysis: AD pentesting shows how an attacker can move from one system to another within the network after an initial compromise. Pen testers simulate an attack using methods like network shares, compromised credentials or RDP access to identify weak segmentation or over-permissive trusts. This analysis helps visualise how a single breach could spread across multiple domains or systems. Lateral movement analysis also tests detection and response capabilities against such internal movements.
- Credential security assessment: AD pentesting examines how securely credentials are protected and managed in the AD environment. Pen testers check for password reuse, weak passwords, cached credentials and unprotected hashes. Pen testers perform this assessment by testing attacks like Pass-the-Ticket, Pass-the-Hash and Kerberoasting to find insecure practices. The assessment ensures that sensitive credentials (especially privileged ones) are transmitted and stored securely.
- Trust relationship enumeration: AD pentesting identifies and analyses inter-domain and inter-forest trusts that connect different parts of an organisation’s AD infrastructure. Pen testers map trust directions and assess their security properties, like SID filtering and selective authentication. An improperly configured trust relationship can allow attackers to traverse from a less secure domain to a more privileged one. The goal of trust relationship enumeration is to ensure trust boundaries are properly restricted and monitored.
- Persistence mechanism detection: AD pentesting detects and demonstrates persistence techniques that attackers use to maintain long-term access to the network after a compromise. Pen testers identify methods like silver tickets, golden tickets, rogue domain accounts or backdoors that give ongoing control. Testers also assess whether security teams can detect and remove such persistence.
What is Active Directory penetration testing methodology?
Listed below are the 12 steps of the Active Directory penetration testing methodology.
1. Define the Active Directory Pentesting scope and obtain authorisation
Defining the Active Directory pentesting scope and obtaining authorisation involves documenting which systems, domains, network segments and AD components will be tested. Pen testers define which user accounts, servers and services are in and out of scope after holding meetings with IT and the legal team to agree on the exact systems, domains, IP ranges, accounts and time windows, as well as the types of attacks and tools permitted. Penetration testers create a written rules-of-engagement (RoE) document that includes permitted testing methods, blackout periods, emergency contacts and detection/monitoring arrangements. Ethical hackers obtain a signed authorisation from legal counsel, complete legal and risk checks (including NDAs and insurance as needed) and refine technical details like jump hosts, privileged account provisioning and safe test windows with operations.
2. Perform OSINT and domain intelligence gathering
Open-source intelligence (OSINT) and the domain intelligence gathering process involve pen testers collecting publicly available and accessible details about the organisation using web archives, social networks, and public databases. OSINT is performed in active directory pentesting to enumerate authentication methods, find technical contacts, and discover exposed assets or misconfigurations that malicious attackers can exploit. For example, tools use public APIs of Azure AD to get information about the privileged users and authentication methods, which can disclose attack vectors like pass-the-hash or Golden-SAML attacks.
Domain intelligence gathering is the process of collecting and analysing information such as domain names, subdomains, DNS records, IP address ranges, and associated technologies about an organisation’s domain infrastructure. Pen testers can use this information to map the network, identify related assets, and check potential entry points for attackers.
3. Discover domain controllers and trust boundaries
Discovering domain controllers and trust boundaries in Active Directory pentesting finds the identity servers and the authentication/administrative boundaries in an Active Directory environment. Domain controllers manage authentication, authorisation and directory services within an AD environment. In AD pentesting, discovering domain controllers includes enumeration of network services and roles (such as the Primary Domain Controller (PDC) Emulator, Schema Master, and others), network reconnaissance and privilege escalation targeting.
Trust boundaries involve the relationships and access permissions between different AD domains or forests. Pen testers discover trust boundaries to assess how an attacker might move laterally or escalate privileges by mapping trust relationships and conducting attack path analysis. The goal of discovering domain controllers and trust boundaries is to prioritise defender focus, identify high-value targets, assess lateral escalation and realistic attack paths without exploitation, improve detection and response, and support remediation.
4. Enumerate AD objects, GPOs, services and ACLs
Enumerating Active Directory (AD) objects, Group Policy Objects (GPOs), services and Access Control Lists (ACLs) reads and records the contents and security descriptors of the AD environment. It includes users and groups, service and managed service accounts, GPOs and their linked settings/scripts, scheduled tasks/services, service principal names (SPNs), and the ACLs applied to AD objects and containers.
A penetration tester with read privileges exports AD object inventories (users, groups, service accounts, privileged groups, and computers), enumerates GPOs and linked OUs (including startup/logon scripts, scheduled tasks, and software deployments), and collects service data (service account names, SPNs, and services with elevated or interactive rights). They also inspect ACLs for delegated rights (e.g., Reset password, WriteDacl, WriteOwner, Full Control), correlate and model attack paths from these findings, and record detection points such as DC LDAP queries and privileged-change events.
Common tools and techniques include LDAP/AD PowerShell modules, ADSI/LDAP queries, standard Windows APIs, BloodHound-style graph collectors (configured for read-only usage), Get-GPO, Get-ADUser/Group/Computer, and safe enumeration scripts.
5. Analyse misconfigurations and known vulnerabilities
Analysis of misconfigurations and known vulnerabilities in Active Directory reviews and assesses the environment’s configuration and software state to identify weaknesses that an attacker could exploit. This includes insecure AD settings (delegation, ACLs, GPOs), improperly protected service accounts, weak or legacy authentication protocols, unpatched software on identity hosts, insecure network exposure of identity services, and other gaps that increase the likelihood or impact of compromise. Misconfiguration analysis has three parts: identifying risky settings (such as group memberships, privilege assignments and feature activations); experimental validation, in which pen testers simulate attacks to gain unauthorised access to sensitive information or escalate privileges within Azure AD or on-premises AD; and risk assessment, in which testers evaluate the impact of each misconfiguration using standards like CCSS.
Analysis of known vulnerabilities involves vulnerability enumeration and attack-path mapping to show how misconfigurations and vulnerabilities can be chained for privilege escalation and lateral movement.
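As an added illustration of steps 4 and 5 (example code written for this page, not part of the original article and not the code of any tool it names), the following Python script audits an export of AD objects for the risky settings discussed above: user accounts with SPNs, accounts without Kerberos pre-authentication, unconstrained delegation, and delegated rights such as GenericAll or WriteDacl on privileged groups. The userAccountControl bit values are the documented Microsoft flags; the sample objects, the attribute names of the export and the severity rules are this example’s own assumptions, and the objects are constructed rather than taken from any real domain.

```python
"""Audit a constructed export of AD objects for common risky settings.

Added example (not from the original article). It assumes an export in which
each object carries the handful of LDAP-derived attributes used below; the
sample records are constructed and the severity rules are assumptions.
"""
from datetime import datetime, timedelta, timezone

# userAccountControl bit flags (documented Microsoft values)
ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020
DONT_EXPIRE_PASSWORD = 0x10000
TRUSTED_FOR_DELEGATION = 0x80000       # unconstrained delegation
DONT_REQ_PREAUTH = 0x400000            # Kerberos pre-authentication disabled

# Rights on a privileged object that let the holder take it over (assumed label set)
DANGEROUS_RIGHTS = {"GenericAll", "WriteDacl", "WriteOwner", "ResetPassword", "AddMember"}
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed "now" so results are reproducible
STALE_PASSWORD = timedelta(days=365)

# Constructed sample objects; each dict mirrors a few LDAP attributes of one object.
SAMPLE_OBJECTS = [
    {"sam": "svc_sql", "class": "user", "uac": 0x10200, "spn": ["MSSQLSvc/db01.corp.example:1433"],
     "pwdLastSet": datetime(2021, 3, 4, tzinfo=timezone.utc), "memberOf": ["Domain Admins"], "aces": []},
    {"sam": "jdoe", "class": "user", "uac": 0x400200, "spn": [],
     "pwdLastSet": datetime(2024, 5, 1, tzinfo=timezone.utc), "memberOf": [], "aces": []},
    {"sam": "APP01$", "class": "computer", "uac": 0x81000, "spn": ["HOST/app01.corp.example"],
     "pwdLastSet": datetime(2024, 5, 20, tzinfo=timezone.utc), "memberOf": [], "aces": []},
    {"sam": "Domain Admins", "class": "group", "uac": 0, "spn": [], "pwdLastSet": None, "memberOf": [],
     "aces": [{"trustee": "helpdesk", "right": "GenericAll"},
              {"trustee": "Domain Admins", "right": "GenericAll"}]},
    {"sam": "asmith", "class": "user", "uac": 0x200, "spn": [],
     "pwdLastSet": datetime(2024, 4, 1, tzinfo=timezone.utc), "memberOf": [], "aces": []},
]


def audit_object(obj, now=NOW):
    """Return a list of (severity, finding) tuples for one AD object."""
    findings = []
    uac = obj["uac"]
    disabled = bool(uac & ACCOUNTDISABLE)

    if obj["class"] == "user" and not disabled:
        if obj["spn"]:
            # Any domain user can request a service ticket for this SPN and try to crack it
            # offline; privileged membership or a stale password raises the impact.
            sev = "high" if set(obj["memberOf"]) & PRIVILEGED_GROUPS else "medium"
            if obj["pwdLastSet"] and now - obj["pwdLastSet"] > STALE_PASSWORD:
                sev = "high"
            findings.append((sev, "user account with SPN (Kerberoast exposure)"))
        if uac & DONT_REQ_PREAUTH:
            findings.append(("high", "Kerberos pre-authentication disabled (AS-REP roast exposure)"))
        if uac & PASSWD_NOTREQD:
            findings.append(("high", "password not required"))
        if uac & DONT_EXPIRE_PASSWORD and obj["memberOf"]:
            findings.append(("low", "non-expiring password on group member"))

    if uac & TRUSTED_FOR_DELEGATION and not disabled:
        findings.append(("high", "unconstrained delegation enabled"))

    if obj["sam"] in PRIVILEGED_GROUPS:
        for ace in obj["aces"]:
            if ace["right"] in DANGEROUS_RIGHTS and ace["trustee"] not in PRIVILEGED_GROUPS:
                findings.append(("critical", f"{ace['trustee']} holds {ace['right']} on {obj['sam']}"))
    return findings


def audit(objects, now=NOW):
    """Audit every object; returns {sAMAccountName: [(severity, finding), ...]} for objects with findings."""
    report = {}
    for obj in objects:
        hits = audit_object(obj, now)
        if hits:
            report[obj["sam"]] = hits
    return report


if __name__ == "__main__":
    for name, hits in audit(SAMPLE_OBJECTS).items():
        for sev, text in hits:
            print(f"[{sev:8}] {name}: {text}")
```

Each finding maps directly to a remediation the later steps of the methodology call for: moving SPN accounts to gMSAs or long random passwords, re-enabling pre-authentication, replacing unconstrained with constrained delegation, and removing delegated rights from privileged groups.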
6. Compromise domain user accounts (initial access)
Compromising domain user accounts involves gaining unauthorised access to standard user accounts and obtaining valid credentials to establish a legitimate foothold in the target Active Directory environment. An authorised penetration tester then uses this authenticated presence inside the network to enumerate further. Methods for compromising domain user accounts include credential theft and cracking, NTLM relaying and pass-the-hash, enumeration and exploitation, phishing and social engineering, and credential dumping.
In credential theft and cracking, pen testers use techniques like Kerberoasting to request service tickets for accounts with Service Principal Names (SPNs) and then attempt to recover the plaintext password by cracking the ticket offline. Pen testers exploit weaknesses in authentication protocols by relaying NTLM authentication and use stolen password hashes to authenticate as domain users without possessing the actual password. In the enumeration and exploitation method, testers enumerate domain accounts to identify valid usernames and potential targets using tools and techniques like SMB enumeration or Kerberos-based user enumeration. Testers use phishing or social engineering attacks on users to gain credentials and/or prompt multi-factor authentication bypass scenarios. In the credential dumping technique, testers obtain credentials for domain users by extracting password hashes from memory or AD database files (e.g., NTDS.dit).
7. Escalate privileges to the domain/enterprise admin
Privilege escalation to domain admins or enterprise admins in Active Directory pentesting is the process by which a penetration tester moves from a low-privilege position to full administrative control over the Active Directory domain. Pen testers gain complete control over users, systems and security policies within the AD domain, enabling them to create or modify accounts, edit AD objects, manage authentication and own the identity layer of the organisation. Privilege escalation to domain or enterprise admins includes common techniques such as attack-path analysis & modelling, exploiting misconfigurations, credential escalation verification, service and SPN analysis, and ACL abuse modelling and proof-of-risk.
Attack path analysis & modelling involves converting enumerated ACLs, group memberships, GPO links, SPNs, delegation settings and service account roles into a prioritised list of potential escalation chains. Exploiting misconfigurations comprises demonstrating misconfigurations by reading ACL entries and showing how particular rights (such as ResetPassword, GenericAll) on an object can increase privileges. In credential escalation verification, pen testers confirm escalation possibility using temporary, tightly scoped actions and then immediately destroying any artefacts. Service and SPN analysis involves identifying service accounts or SPNs that allow offline attacks (like Kerberos attacks). ACL abuse modelling and proof-of-risk is about collecting AD ACLs and object inventories and converting them into a graph that shows specific permissions (such as ResetPassword, GenericAll, and AddMember) and using that graph to look for a low-privilege principal linked to a privileged target (Domain/Enterprise Admin).
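The attack-path modelling described in step 7 (turning ACLs and group memberships into a graph and searching it for a low-privilege principal linked to a privileged target) can be shown with a short breadth-first search. The block below is an added example written for this page, not the article’s or BloodHound’s code: the edge list is constructed, and the relationship labels (MemberOf, ResetPassword, WriteDacl, GenericAll, AddMember) are illustrative names for the rights the article mentions rather than any tool’s exact schema.

```python
"""Model AD escalation paths as a directed graph and find the shortest chain from
a low-privilege principal to a privileged target.

Added example (not from the original article or any tool it names). The edge
list is constructed; the set of rights treated as escalation edges is an
assumption of this example.
"""
from collections import deque

# Relationships that let the source take control of the target (assumed label set).
ESCALATION_EDGES = {"MemberOf", "GenericAll", "WriteDacl", "WriteOwner", "ResetPassword", "AddMember"}

# (source principal, relationship, target object). Constructed sample data.
EDGES = [
    ("jdoe", "MemberOf", "Helpdesk"),
    ("Helpdesk", "ResetPassword", "svc_deploy"),
    ("svc_deploy", "WriteDacl", "Tier0 Admins"),
    ("Tier0 Admins", "MemberOf", "Domain Admins"),
    ("asmith", "MemberOf", "Finance"),
    ("Finance", "ReadProperty", "svc_deploy"),   # read-only right: not an escalation edge
    ("bwong", "GenericAll", "jdoe"),
]


def build_graph(edges):
    """Adjacency list keeping only relationships that confer control."""
    graph = {}
    for src, rel, dst in edges:
        if rel in ESCALATION_EDGES:
            graph.setdefault(src, []).append((rel, dst))
    return graph


def shortest_path(graph, start, targets):
    """Breadth-first search; returns the hop list [(src, rel, dst), ...] or None."""
    queue = deque([start])
    parent = {start: None}
    while queue:
        node = queue.popleft()
        if node in targets:
            path = []
            while parent[node] is not None:
                prev, rel = parent[node]
                path.append((prev, rel, node))
                node = prev
            return list(reversed(path))
        for rel, nxt in graph.get(node, []):
            if nxt not in parent:
                parent[nxt] = (node, rel)
                queue.append(nxt)
    return None


def rank_principals(edges, targets, candidates):
    """Return {principal: path} for candidates that reach a target, shortest path first."""
    graph = build_graph(edges)
    reachable = {}
    for principal in candidates:
        path = shortest_path(graph, principal, targets)
        if path:
            reachable[principal] = path
    return dict(sorted(reachable.items(), key=lambda kv: len(kv[1])))


if __name__ == "__main__":
    paths = rank_principals(EDGES, {"Domain Admins"}, ["jdoe", "asmith", "bwong"])
    for principal, path in paths.items():
        # Every hop is a candidate remediation point: removing any one edge breaks the chain.
        chain = " -> ".join(f"{src} [{rel}]" for src, rel, _ in path) + " -> " + path[-1][2]
        print(f"{principal}: {len(path)} hops: {chain}")
```

The output ranks principals by hop count, which is how a tester prioritises which path to validate first and which single edge (here, the help desk’s ResetPassword right on svc_deploy) a defender should remove to break the chain.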
8. Traverse trusts to move across domains and forests
Traversing trusts in Active Directory penetration testing exploits the trust relationships between domains or forests to determine whether a compromise in one security boundary can be used to access resources or escalate privileges in another. A trust relationship is established between AD domains and forests (such as parent-child, external or forest trusts) to enable centralised management and resource sharing. Attackers or penetration testers use this trust relationship to move from a compromised account in one domain to accounts, administrative privileges or resources in another domain or forest.
Penetration testers first collect trust metadata using read-only commands, APIs and passive discovery to enumerate trust objects and hybrid endpoints. They next inventory principals, group memberships and privileged accounts on both sides of each trust and inspect trust properties. Testers verify how credentials or delegated rights could be abused across trusts by modelling authentication flows and attack paths. Testers validate reachability by making safe, credentialed, read-only queries from one domain to resources in the trusted domain (where permission has been granted). Testers coordinate with ops/SOC, document detection points and provide prioritised recommendations. Testing trust traversal is important for understanding the full attack surface of an Active Directory environment because trust relationships often create overlooked or hidden paths for attackers.
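To make the “inspect trust properties” part of step 8 concrete, the following added example (written for this page, not taken from the article) decodes the trustAttributes and trustDirection values of trustedDomain objects and flags the properties the article names: missing SID filtering and missing selective authentication. The bit values are those documented in Microsoft’s MS-ADTS specification; the trust records are constructed, and the risk rules (which combinations count as high, medium or low) are this example’s assumptions.

```python
"""Decode trustedDomain objects and flag trusts whose properties weaken the boundary.

Added example (not from the original article). trustAttributes/trustDirection
values follow MS-ADTS; the sample trusts are constructed and the risk rules
are assumptions of this example.
"""
# trustAttributes bit flags (MS-ADTS)
NON_TRANSITIVE = 0x1
UPLEVEL_ONLY = 0x2
QUARANTINED_DOMAIN = 0x4      # SID filtering enforced on an external trust
FOREST_TRANSITIVE = 0x8
CROSS_ORGANIZATION = 0x10     # selective authentication
WITHIN_FOREST = 0x20
TREAT_AS_EXTERNAL = 0x40      # forest trust that accepts SID history from the partner
USES_RC4_ENCRYPTION = 0x80

# trustDirection values as stored on THIS domain's trustedDomain object
DIRECTION = {0: "disabled", 1: "inbound", 2: "outbound", 3: "bidirectional"}

# Constructed sample trust objects.
SAMPLE_TRUSTS = [
    {"partner": "child.corp.example", "direction": 3, "attributes": WITHIN_FOREST},
    {"partner": "partner-forest.example", "direction": 3,
     "attributes": FOREST_TRANSITIVE | CROSS_ORGANIZATION},
    {"partner": "legacy.example", "direction": 2, "attributes": 0},      # external, not quarantined
    {"partner": "acquired-forest.example", "direction": 3,
     "attributes": FOREST_TRANSITIVE | TREAT_AS_EXTERNAL | USES_RC4_ENCRYPTION},
    {"partner": "vendor.example", "direction": 1, "attributes": QUARANTINED_DOMAIN},
]


def classify(attrs):
    """Intra-forest, forest or external trust, from the attribute bits."""
    if attrs & WITHIN_FOREST:
        return "intra-forest"
    if attrs & FOREST_TRANSITIVE:
        return "forest"
    return "external"


def assess_trust(trust):
    """Return (kind, [(severity, finding), ...]) for one trust."""
    attrs = trust["attributes"]
    kind = classify(attrs)
    findings = []
    if kind == "intra-forest":
        findings.append(("info", "intra-forest trust: one security boundary, SID filtering not applicable"))
        return kind, findings
    # Outbound (2) or bidirectional (3): principals from the partner are accepted here,
    # so the partner's filtering and authentication settings matter on this side.
    if trust["direction"] not in (2, 3):
        return kind, findings
    if kind == "external" and not attrs & QUARANTINED_DOMAIN:
        findings.append(("high", "SID filtering (quarantine) not enforced"))
    if kind == "forest" and attrs & TREAT_AS_EXTERNAL:
        findings.append(("high", "SID history accepted across the forest boundary"))
    if not attrs & CROSS_ORGANIZATION:
        findings.append(("medium", "domain-wide authentication (selective authentication not enabled)"))
    if attrs & USES_RC4_ENCRYPTION:
        findings.append(("low", "RC4 permitted on trust"))
    return kind, findings


def assess_all(trusts):
    """Assess every trust; returns {partner: (kind, findings)}."""
    return {t["partner"]: assess_trust(t) for t in trusts}


if __name__ == "__main__":
    for partner, (kind, findings) in assess_all(SAMPLE_TRUSTS).items():
        direction = DIRECTION[next(t for t in SAMPLE_TRUSTS if t["partner"] == partner)["direction"]]
        print(f"{partner} ({kind}, {direction}):")
        for sev, text in findings or [("ok", "no issues flagged")]:
            print(f"  [{sev}] {text}")
```

The inbound-only vendor trust produces no findings on this side because its principals are not accepted here; the same object viewed from the vendor domain would need the same checks in the other direction.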
9. Compromise domain controllers and AD infrastructure
Compromising domain controllers and AD infrastructure in Active Directory penetration testing demonstrates how an attacker could gain the highest level of control over the AD environment: unauthorised control over the identity fabric of an organisation, especially the servers and services that validate authentication and store directory data.
Common targets and weaknesses of compromising domain controllers and AD infrastructure include exposed or unpatched DCs, over-privileged service accounts and badly protected SPNs, misconfigured delegation and unconstrained delegation, writable or dangerous ACLs on privileged objects, poorly segmented management networks allowing large admin access, improperly protected sync or federation servers and weak endpoint protections that enable credential theft.
The penetration tester first inventories AD roles and infrastructure, and enumerates privileges, ACLs, GPOs, and service accounts to model potential attack paths. They obtain an initial foothold using authorised methods. Testers then attempt credential escalation or validation of escalation paths and validate high-impact risks to DCs while avoiding destructive actions. Penetration testers prefer read-only evidence at all times and only perform high-impact actions with backups, pre-approvals and forensic controls.
10. Establish persistence (tickets, backdoors, accounts)
Establishing persistence in active directory penetration testing involves forging Kerberos tickets, manipulating accounts and permissions or implanting backdoors that allow attackers to maintain long-term access to the environment. Persistence involves the inventory and analysis of all primitives that enable a return path.
Penetration testers first map available persistence primitives using read-only enumeration and modelling. They test which primitives could be used to persist and, if permitted, perform controlled proof-of-risk activities that do not leave behind access. They prioritise showing impact and detection signs instead of enabling persistent access. The goal of establishing persistence is to show which primitives allow long-term re-entry and to recommend fixes, which include removing unnecessary delegation, implementing gMSA/PAM, restricting service account scopes, limiting GPO permissions, rotating credentials, applying LAPS for local admin accounts and disabling unnecessary autoenrollment templates. Penetration testers provide detection guidance (which event IDs, EDR indicators and log sources show persistence attempts) and one-line remediations that break each persistence vector.
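Steps 6 and 10 both end in detection guidance: which event IDs show credential-theft attempts such as Kerberoasting and DCSync, and which show persistence such as a freshly created account being placed in a privileged group. The following added example (written for this page, not from the article) runs three such detections over constructed Windows Security log events. The event IDs (4720, 4728/4732/4756, 4662, 4769) and the directory-replication property GUIDs are the documented Windows values; the events themselves are constructed, and the time window and threshold are this example’s assumptions.

```python
"""Run credential-abuse and persistence detections over constructed Security log events.

Added example (not from the original article). Event IDs and the replication
control-access GUIDs are documented Windows values; the events are constructed
and the window/threshold values are assumptions of this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
GROUP_ADD_EVENTS = {4728, 4732, 4756}        # member added to global/local/universal security group
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}
RC4_HMAC = 0x17                              # TicketEncryptionType in event 4769
KERBEROAST_SPN_THRESHOLD = 3                 # distinct RC4 service tickets per client in the window
WINDOW = timedelta(minutes=10)


def ts(s):
    return datetime.fromisoformat(s)


# Constructed sample events; each dict carries only the fields the rules need.
SAMPLE_EVENTS = [
    {"id": 4720, "time": ts("2024-06-01T09:00:00"), "subject": "helpdesk1", "target": "svc_maint"},
    {"id": 4728, "time": ts("2024-06-01T09:02:00"), "subject": "helpdesk1", "target": "svc_maint", "group": "Domain Admins"},
    {"id": 4662, "time": ts("2024-06-01T09:10:00"), "subject": "jdoe", "properties": ["1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"]},
    {"id": 4662, "time": ts("2024-06-01T09:11:00"), "subject": "DC02$", "properties": ["1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"]},
    {"id": 4769, "time": ts("2024-06-01T10:00:00"), "subject": "jdoe", "client": "10.0.0.55", "service": "svc_sql", "etype": 0x17},
    {"id": 4769, "time": ts("2024-06-01T10:00:01"), "subject": "jdoe", "client": "10.0.0.55", "service": "svc_web", "etype": 0x17},
    {"id": 4769, "time": ts("2024-06-01T10:00:02"), "subject": "jdoe", "client": "10.0.0.55", "service": "svc_backup", "etype": 0x17},
    {"id": 4769, "time": ts("2024-06-01T10:00:03"), "subject": "jdoe", "client": "10.0.0.55", "service": "krbtgt", "etype": 0x12},
    {"id": 4769, "time": ts("2024-06-01T11:30:00"), "subject": "asmith", "client": "10.0.0.77", "service": "svc_sql", "etype": 0x17},
    {"id": 4728, "time": ts("2024-06-01T12:00:00"), "subject": "admin.jane", "target": "bwong", "group": "Domain Admins"},
]


def detect_new_privileged_account(events, window=WINDOW):
    """Account created (4720) and added to a privileged group shortly afterwards."""
    created = {e["target"]: e["time"] for e in events if e["id"] == 4720}
    alerts = []
    for e in events:
        if e["id"] in GROUP_ADD_EVENTS and e.get("group") in PRIVILEGED_GROUPS:
            t0 = created.get(e["target"])
            if t0 is not None and timedelta(0) <= e["time"] - t0 <= window:
                alerts.append(f"{e['target']} created by {e['subject']} and added to {e['group']} within {window}")
    return alerts


def detect_replication_by_non_dc(events):
    """Replication control-access rights exercised (4662) by something other than a DC account."""
    alerts = []
    for e in events:
        if e["id"] == 4662 and set(e.get("properties", [])) & REPLICATION_GUIDS and not e["subject"].endswith("$"):
            alerts.append(f"directory replication rights used by non-DC principal {e['subject']}")
    return alerts


def detect_kerberoast_pattern(events, threshold=KERBEROAST_SPN_THRESHOLD, window=WINDOW):
    """RC4 service-ticket requests (4769) for several distinct non-computer SPN accounts from one client."""
    per_client = defaultdict(list)
    for e in events:
        if e["id"] == 4769 and e["etype"] == RC4_HMAC and e["service"] != "krbtgt" and not e["service"].endswith("$"):
            per_client[e["client"]].append((e["time"], e["service"]))
    alerts = []
    for client, reqs in per_client.items():
        reqs.sort()
        for t, _ in reqs:
            names = {s for t2, s in reqs if t <= t2 <= t + window}
            if len(names) >= threshold:
                alerts.append(f"{client} requested RC4 tickets for {len(names)} service accounts within {window}")
                break
    return alerts


def run_detections(events):
    """Return every rule's alerts keyed by rule name."""
    return {
        "new_privileged_account": detect_new_privileged_account(events),
        "replication_by_non_dc": detect_replication_by_non_dc(events),
        "kerberoast_pattern": detect_kerberoast_pattern(events),
    }


if __name__ == "__main__":
    for rule, alerts in run_detections(SAMPLE_EVENTS).items():
        for alert in alerts:
            print(f"{rule}: {alert}")
```

In the sample, the DC02$ replication event is correctly ignored (domain controllers replicate legitimately) and the single RC4 request from 10.0.0.77 stays below the threshold, which is the kind of tuning a tester records as a detection point in the report.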
11. Extract NTDS.dit and other sensitive AD data
Extracting NTDS.dit and other sensitive AD data in Active Directory penetration testing involves copying the AD database, escalating privileges and extracting credentials that give testers broad access to user accounts, which leads to further compromise of the network.
A penetration tester first identifies where AD database files and backups reside and checks whether actors with sufficient privileges can read those locations. The pentester evaluates the backup/restore process, permissions granted to backup operators, service accounts, and domain administrators, and determines whether shadow copies or export processes can be accessed. A responsible penetration test will model the risk first, as the data is extremely sensitive (demonstrating the chain of privileges and where access could occur) and perform extraction with high-level approval. Once authorised, the extraction involves working on isolated encrypted files, limiting access to the extracted artefacts, and destroying copies after analysis.
12. Cleanup artefacts and deliver a remediation report
Cleaning up artefacts and delivering a remediation report in AD pentesting involves ensuring that no residual risk remains from testing and providing a remediation report with prioritised steps for addressing discovered vulnerabilities and strengthening AD security.
Penetration testers follow the RoE and a cleanup checklist to remove test accounts, files, groups, services, registry keys, scheduled tasks and temporary GPOs. They revoke temporary credentials and remove any SSH keys, certificates or service principals created for the tests. Cleanup also involves removing uploaded files, reverting modified GPOs or configuration changes, and restoring any overwritten files from verified backups if required. Testers run verification queries and confirm that systems match their baselines. Sensitive artefacts collected during the test are transferred over an encrypted, access-controlled channel, retained only as long as the RoE allows and destroyed per policy. Penetration testers prepare a pentesting report that includes an executive summary, technical findings, prioritisation, a detection & monitoring playbook, and a validation checklist & retest plan.
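The “verification queries” of step 12 amount to comparing a snapshot taken before the engagement with one taken after cleanup and listing anything the test left behind. The block below is an added example written for this page, not code from the article: both snapshots are constructed dictionaries (in practice they would come from read-only directory and host queries), and the artefact names with a pt_ prefix are invented test leftovers.

```python
"""Compare a pre-engagement baseline snapshot with a post-cleanup snapshot and
list residual test artefacts.

Added example (not from the original article). Snapshots are constructed; a
real one would be built from read-only directory and host queries.
"""
BASELINE = {
    "users": {"jdoe", "asmith", "svc_sql"},
    "groups": {"Domain Admins": {"admin.jane"}, "Helpdesk": {"jdoe"}},
    "scheduled_tasks": {"DC01": {"\\Microsoft\\Windows\\Defrag\\ScheduledDefrag"}},
    "services": {"DC01": {"NTDS", "DNS", "KDC"}},
    "gpos": {"Default Domain Policy": "v12"},
}

# Post-cleanup snapshot: one test account and one task were left behind, a GPO version moved on.
AFTER = {
    "users": {"jdoe", "asmith", "svc_sql", "pt_temp02"},
    "groups": {"Domain Admins": {"admin.jane"}, "Helpdesk": {"jdoe", "pt_temp02"}},
    "scheduled_tasks": {"DC01": {"\\Microsoft\\Windows\\Defrag\\ScheduledDefrag", "\\pt-beacon"}},
    "services": {"DC01": {"NTDS", "DNS", "KDC"}},
    "gpos": {"Default Domain Policy": "v13"},
}


def diff_sets(before, after):
    """Members present only after (added) or only before (removed)."""
    return {"added": sorted(after - before), "removed": sorted(before - after)}


def diff_keyed(before, after):
    """Diff dicts of sets keyed by host or group name; only keys with changes are returned."""
    out = {}
    for key in sorted(set(before) | set(after)):
        d = diff_sets(before.get(key, set()), after.get(key, set()))
        if d["added"] or d["removed"]:
            out[key] = d
    return out


def residual_artefacts(baseline, after):
    """Return every category whose post-cleanup state differs from the baseline."""
    report = {}
    users = diff_sets(baseline["users"], after["users"])
    if users["added"] or users["removed"]:
        report["users"] = users
    for kind in ("groups", "scheduled_tasks", "services"):
        d = diff_keyed(baseline[kind], after[kind])
        if d:
            report[kind] = d
    # GPO version numbers change on any edit, so a mismatch means "inspect", not necessarily "leftover".
    changed = {name: (baseline["gpos"].get(name), after["gpos"].get(name))
               for name in set(baseline["gpos"]) | set(after["gpos"])
               if baseline["gpos"].get(name) != after["gpos"].get(name)}
    if changed:
        report["gpos"] = changed
    return report


def cleanup_verified(baseline, after):
    """True only when nothing differs from the baseline."""
    return not residual_artefacts(baseline, after)


if __name__ == "__main__":
    for category, detail in residual_artefacts(BASELINE, AFTER).items():
        print(f"{category}: {detail}")
    print("clean" if cleanup_verified(BASELINE, AFTER) else "residual artefacts remain")
```

A non-empty report is the cleanup checklist’s open items; the GPO entry needs a human decision, since an operations change during the test window also bumps the version.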
How much does it cost to perform Active Directory penetration testing?
The cost of performing Active Directory penetration testing ranges from £500 to £1,000 for automated test runs, whereas a human penetration tester charges £125 to £350 per hour. The factors affecting the cost of Active Directory penetration testing include scope & complexity, depth of testing and permitted techniques, team composition, seniority & duration, reporting, remediation & retesting, compliance & vendor reputation, logistics & risk management.
The scope & complexity factor affecting the cost of penetration testing is primarily determined by what you include. A small, read-only audit of one domain with a GPO/ACL and inventory review costs less, whereas a credentialed test simulating lateral movement, privilege escalation and limited exploitation costs more. An enterprise red team engagement performing DC/NTDS validation, cross-forest trust traversal, persistence simulation or social engineering costs the most. The more domains/forests, DCs and hybrid (Azure AD Connect/AD FS) components there are, the more the work increases, and thus the price.
The cost increases with deeper testing, including active, high-impact tests (NTDS access, credential dumping, Kerberos forging, destructive verification, or social engineering), as these tests raise insurance, coordination, and professional requirements. Read-only or advisory engagements involve discovery and modelling, so they cost less. However, full exploitation requires experienced penetration testers, additional safeguards, and often longer engagements, which makes them more expensive.
Senior consultants and specialised red-teamers charge higher day-rates per engagement (£1,000–£1,500 per day), and the cost is multiplied by a longer team-based engagement (two or more testers for multiple weeks). Vendors also charge differently for insured, cybersecurity specialists with deep AD experience.
A basic report of findings costs less than an engagement that includes prioritised remediation plans, SOC playbooks, executive summaries and remediation validation. Follow-up retests and remediation verification add to the project cost.
How much time does it take to perform Active Directory penetration testing?
Performing Active Directory penetration testing typically takes from 3 days to 6 weeks, depending on the size, complexity and scope of the environment. A small, focused AD audit, including read-only inventory and misconfiguration review, takes 1 to 3 days. A full internal Active Directory penetration test (escalation modelling, credential enumeration, limited exploit verification) takes from 3 to 10 days. An enterprise, deep AD assessment or red team engagement (DC/NTDS validation, multi-domain, trust traversal, remediation validation and persistence simulation) takes from 2 to 6 weeks. Ongoing or continuous validation (Breach and Attack Simulation, a pentest-as-a-service cadence) runs on a schedule of weeks to months, or as quarterly retests, depending on the subscription.
A single-domain, small network with fewer domain controllers and no hybrid/cloud integrations can be assessed much faster (1-3 days for a focused audit) because discovery and modelling involve a smaller scope. A multi-forest enterprise with many domains, complex AD sites/subnets, hundreds of DCs, hybrid components (Azure AD Connect, AD FS, federation) and many trust relationships needs more mapping time to collect inventories, enumerate ACLs and model attack paths across trust boundaries, which can easily take several weeks.
Greater depth of testing and a wider set of permitted techniques take longer. Read-only or advisory engagements (enumeration and modelling only) are faster than credentialed exercises that validate attack paths, which in turn are faster than exploit validation involving NTDS checks, controlled credential extraction or social engineering. Active, high-impact methods require extra coordination (SOC notification, backup/restore readiness) and more post-action cleanup and evidence handling, all of which increase the testing time.
AI-driven and automated tools can accelerate penetration testing. For example, intelligent frameworks using reinforcement learning can provide effective attack strategies up to 50% faster than traditional methods, especially in medium-sized networks. Manual testing requiring human interaction or custom exploitation takes more time for testing than automated methods.
What tools are used to perform Active Directory penetration testing?
Active Directory penetration testing tools are specialised frameworks that identify, assess and exploit security vulnerabilities within Microsoft Active Directory environments. Penetration testers use AD pentesting tools at various stages, such as reconnaissance, enumeration, exploitation, privilege escalation and persistence. The 10 common AD penetration testing tools are listed below.
Mimikatz – Mimikatz is a credential extraction AD penetration testing tool widely used to obtain authentication secrets from Windows systems; it helps pen testers extract plaintext passwords, Kerberos tickets, password hashes and other sensitive credentials from memory, especially from the LSASS (Local Security Authority Subsystem Service) process. Mimikatz is used to perform credential dumping, pass-the-hash and pass-the-ticket attacks, privilege escalation, persistence and lateral movement in AD pentesting. Mimikatz enables testers to extract credentials for privileged accounts (e.g., domain admins) and escalate privileges within the AD environment. Mimikatz is an open-source, sensitive tool (requiring extreme care and authorisation) used to find misused credentials, insecure memory protection, exposed credential material and a lack of LSA/credential protections. Mimikatz is primarily used as a manual tool in Active Directory penetration testing, but it can also be integrated into automated workflows.
BloodHound – BloodHound is a graph-based AD penetration testing tool that targets the AD graph, including users, groups, ACLs, computers, trusts and GPOs, to map and analyse relationships, permissions and attack paths within the AD environment. BloodHound collects AD data (such as user/group memberships, ACLs and session information) and stores it in a graph database, enabling complex queries and visualisations of relationships and attack paths. Key functions of BloodHound include attack path mapping, privilege escalation analysis and defensive assessment. In attack path mapping, BloodHound shows how users and groups are connected, exposing potential paths that can be used to escalate privileges and reach high-value targets like domain admins. Privilege escalation analysis involves BloodHound identifying misconfigurations and indirect routes that could allow privilege escalation or lateral movement. BloodHound is an open-source and primarily automated tool for Active Directory penetration testing, but it also needs manual analysis and interpretation.
Impacket – Impacket is a collection of Python scripts and libraries for SMB/LDAP/SMBexec/PSExec/NTLM interactions, used in AD penetration testing to create, manipulate and exploit network authentication protocols within Windows and Active Directory (AD) environments. Impacket is used to test vulnerabilities such as NTLM relay attacks, Kerberos pre-authentication weaknesses and lateral movement techniques. Impacket is also used to exploit protocols, perform credential attacks, execute remote commands, and enumerate and extract data. Impacket supports low-level protocol exploitation, including NTLM, SMB, Kerberos and LDAP. Impacket extracts sensitive data from AD, such as Kerberos tickets or password hashes, by enumerating users, shares and domain information. Impacket is primarily a manual tool that requires user interaction, but it also enables automation through scripting and integration. Impacket is an open-source tool used mainly for custom tooling and exploitation frameworks, providing protocol-level testing and PoC development.
CrackMapExec – CrackMapExec (CME) is a post-exploitation AD penetration testing tool which acts as a “Swiss Army Knife” for Active Directory and allows security professionals or penetration testers to perform credential validation, command execution, enumeration and lateral movement across Windows environments. In credential validation, CrackMapExec identifies valid username/password or hash combinations by testing large sets of credentials across many hosts. CME supports post-exploitation activities and allows remote command execution on multiple systems. Enumeration by CME involves the collection of information about users, sessions, shares and domain configurations. This tool also uses techniques like pass-the-hash and pass-the-ticket for lateral movement within an AD environment. CrackMapExec is an open-source and primarily automated tool that automates many repetitive and complex operations in AD penetration testing, such as credential spraying, command execution and enumeration across multiple hosts, but it still requires manual input for configuration, interpreting results and making strategic decisions during an engagement.
PowerView – PowerView is a PowerShell toolkit used in AD penetration testing for Active Directory enumeration and reconnaissance. The function of this tool is to enumerate users, groups, computers, trusts, Access Control Lists and delegation settings. It also queries Group Policy and domain configurations to help in mapping attack paths and detecting misconfigurations. PowerView targets Active Directory objects and permissions (Access Control Lists, Service Principal Names, Kerberos-related metadata) and misconfigurations like exposed service accounts, weak ACLs, excessive group membership and unconstrained delegation that attackers can use for privilege escalation. PowerView is a script-driven, interactive, manual tool that can be automated using scripts. It is an open-source tool used by red teams and cyber analysts for deep AD reconnaissance.
Rubeus – Rubeus is an AD penetration testing tool written in C# for interacting with and abusing the Kerberos protocol; it is used to request, renew, extract and forge Kerberos tickets in Windows environments. The function of this tool is to perform overpass-the-hash, ticket extraction (TGT/TGS), Kerberoasting request automation and ticket forging (Golden Ticket/Pass-the-Ticket) to test Kerberos-related defences. Rubeus targets Kerberos authentication workflows and service principal names (SPNs) to identify weak service account configurations, poor key management that enables ticket abuse, and delegation issues. It is a manual tool used via the command line, but it also supports scripting and automation. It is an open-source tool available on GitHub and is widely used by red teams for testing Kerberos security measures.
Responder – Responder is an AD penetration testing tool used in AD engagements to listen and respond to LLMNR, NetBIOS-NS and mDNS name resolution requests. This tool is commonly used to harvest NTLM hashes and credentials of a machine or account in an Active Directory. The function of Responder is to spoof name resolution responses and to serve as a fake SMB/HTTP/LDAP endpoint that forces authentication. Responder targets Windows hosts that use link-local name resolution and misconfigured network isolation. It helps red teamers find vulnerabilities like unpatched clients that authenticate to unverified services, use of legacy name resolution, and misconfigured network segmentation that allows credential capture. It is an interactive and automated tool which runs as a daemon on the tester’s machine (Kali Linux or any other Linux distribution). It is an open-source, easy-to-use tool for network-level credential harvesting and for validating network hardening controls.
Hashcat – Hashcat is a high-performance, GPU-accelerated password-recovery tool used in AD pentests to crack password hashes obtained from credential dumps or from captures made by Responder or other tools. The function of this tool is to crack hashes like NTLM and Kerberos hashes using dictionary, rule-based, combinator and other brute-force attacks. Hashcat targets the stored or collected hashes to assess password strength. It identifies issues like poor hashing practices, weak or common password usage, and weak password policies, which can lead to account compromise. It is an automated hash-cracking tool which benefits from a powerful GPU. It is an extremely fast, highly configurable and open-source tool for offline hash cracking.
John the Ripper – John the Ripper is also a password cracking tool used to recover plaintext passwords from password hashes (NTLM, Kerberos) during an AD engagement. The features of John the Ripper, as an AD penetration testing tool, include wordlist attacks, incremental/Markov modes and format support via plugins. John the Ripper targets hashes dumped from AD credential stores or captured from the network to test the effectiveness of the password policy. It helps to identify reused, weak or easily guessed passwords, which can be used for further movement or privilege escalation in the network. This is an open-source tool which supports both manual and automated workflows. It also comes in a commercial Pro edition with more features. It is a user-friendly, easy-to-use tool for command-line users handling small-to-medium cracking tasks.
Metasploit – Metasploit is an exploitation and post-exploitation framework used in AD pentests to validate identified vulnerabilities and exploit them. It offers modules for different functions like scanning, exploitation, privilege escalation, pivoting and payload delivery. Metasploit targets misconfigurations and vulnerable services in an AD environment and demonstrates how a basic misconfiguration can lead to domain compromise. It identifies exploitable software vulnerabilities, weak service configurations and missing mitigations. It is mainly an automated and semi-automated framework (requiring the user’s guidance) and offers both open-source and commercial editions. It is one of the best tools for exploit validation and chained attacks.
What are the common vulnerabilities found in Active Directory penetration testing?
Common vulnerabilities in Active Directory are protocol weaknesses, recurring configuration flaws or operational gaps that enable attackers to gain credentials, escalate privileges, move laterally or persist in the Active Directory environment.
The 12 common Active Directory vulnerabilities are listed below.
- Over-permissive ACLs (ResetPassword/GenericAll) – Delegated permissions on sensitive objects enable non-admin principals to reset passwords or gain access without direct credentials.
- Excessive administrative privileges – Too many users (or service accounts) in privileged groups make it easier for an attacker to find a high-value account.
- Misconfigured delegation – Delegation settings can enable credential forwarding or impersonation across services, which increases the reach of attackers.
- Weak or legacy protocols enabled (NTLMv1, SMBv1, LDAP without signing) – Old protocols allow downgrade attacks, credential capture or replay.
- Poor password hygiene and long-lived service accounts – Weak, reused or non-rotated passwords for service accounts enable offline cracking and lateral movement.
- Kerberos weaknesses (AS-REP-roastable accounts, weak crypto) – Weak encryption or accounts without Kerberos pre-authentication allow AS-REP roasting, Kerberoasting and ticket theft/cracking.
- GPOs with writable settings or scripts containing secrets – Writable GPOs or scripts can be used to reveal credentials or deploy persistence.
- Exposed or unsegmented domain controllers – DCs reachable from user segments or the internet can lead to full domain compromise.
- Unprotected backups/accessible NTDS or snapshot stores – Snapshots containing NTDS.dit or access to backups allow credential extraction.
- Misconfigured trusts and SIDHistory – SIDHistory allowances or misconfigured trust settings enable compromise across domains/forests.
- Improper monitoring and logging – Malicious activities (like credential theft and ACL changes) go undetected when auditing is missing or poorly tuned.
- Improper handling of privileged workstation use – Admins using unmanaged or internet-facing hosts increase exposure to credential theft.
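Added example, not from the article or Cyphere’s own tooling: a detection check for the Kerberos weaknesses and the monitoring gap listed above, run over constructed Security-log events. It flags accounts that request many RC4 (0x17) service tickets for user-account SPNs in a short window (the Kerberoasting pattern visible in event 4769) and accounts issued a TGT with pre-authentication disabled (PreAuthType 0 in event 4768, the AS-REP roasting precondition); the simplified field names, sample data and thresholds are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real log data). Keys are simplified from the
# Windows Security log: 4769 = service ticket requested, 4768 = TGT requested,
# etype = TicketEncryptionType (0x17 is RC4-HMAC), preauth = PreAuthType.
SAMPLE_EVENTS = [
    {"id": 4769, "time": "2025-01-10T09:00:01", "account": "jdoe", "service": "svc_sql", "etype": "0x17"},
    {"id": 4769, "time": "2025-01-10T09:00:02", "account": "jdoe", "service": "svc_web", "etype": "0x17"},
    {"id": 4769, "time": "2025-01-10T09:00:03", "account": "jdoe", "service": "svc_backup", "etype": "0x17"},
    {"id": 4769, "time": "2025-01-10T09:00:04", "account": "jdoe", "service": "WS01$", "etype": "0x17"},
    {"id": 4769, "time": "2025-01-10T09:30:00", "account": "asmith", "service": "svc_sql", "etype": "0x12"},
    {"id": 4768, "time": "2025-01-10T09:31:00", "account": "svc_legacy", "service": "krbtgt", "etype": "0x17", "preauth": "0"},
    {"id": 4768, "time": "2025-01-10T09:32:00", "account": "asmith", "service": "krbtgt", "etype": "0x12", "preauth": "2"},
]

RC4_HMAC = "0x17"

def is_roastable_tgs(ev):
    """A 4769 requesting an RC4 service ticket for a user-account SPN.
    Computer accounts (trailing '$') and krbtgt are excluded because they
    hold long random passwords and are not Kerberoasting targets."""
    svc = ev["service"]
    return (ev["id"] == 4769 and ev["etype"] == RC4_HMAC
            and not svc.endswith("$") and svc.lower() != "krbtgt")

def detect_kerberoasting(events, min_services=3, window=timedelta(minutes=5)):
    """Map account -> sorted services for every account that requested RC4
    tickets for at least `min_services` distinct user SPNs within `window`."""
    per_account = defaultdict(list)
    for ev in events:
        if is_roastable_tgs(ev):
            per_account[ev["account"]].append(
                (datetime.fromisoformat(ev["time"]), ev["service"]))
    hits = {}
    for account, reqs in per_account.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):
            services = {svc for t, svc in reqs[i:] if t - start <= window}
            if len(services) >= min_services:
                hits[account] = sorted(services)
                break
    return hits

def detect_asrep_roastable(events):
    """Accounts that obtained a TGT with PreAuthType 0: Kerberos
    pre-authentication is disabled, the precondition for AS-REP roasting."""
    return sorted({ev["account"] for ev in events
                   if ev["id"] == 4768 and ev.get("preauth") == "0"})
```

On real data the same logic runs over 4768/4769 events exported from domain controllers; the RC4 filter loses value only once AES-only service accounts are enforced, at which point any 0x17 request is itself worth an alert.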
The vulnerabilities found during Active Directory penetration testing are resolved by the organisation’s IT or security operations team. They work in coordination with system administrators and identity management teams. They implement remediation steps such as patching systems, restricting permissions, implementing MFA and applying a secure configuration baseline based on the penetration tester’s remediation report of Active Directory pentesting.
How does Cyphere help organisations address Active Directory vulnerabilities?
Cyphere helps organisations address Active Directory vulnerabilities through their technical knowledge of Active Directory, simulating real-world Active Directory attacks (LLMNR poisoning, kerberoasting, pass-the-hash attack) and providing remediation support. Cyphere’s AD penetration testing methodology uses real-world techniques and tools (Impacket toolkit, mimikatz, BloodHound) to identify misconfiguration, less secure permissions, privilege escalation and credential exposures, which are often overlooked in traditional Active Directory security assessments. Cyphere provides organisations with a clear picture of the active directory security posture and demonstrates how an attacker can move laterally and compromise domain controllers by examining the AD environment from both an attacker’s and defender’s perspective.
Cyphere’s experts manually validate all the findings, map them with the attack paths and assign them a severity based on the potential business impact, rather than offering an automated scan report. Cyphere’s USP in AD penetration testing is to combine offensive security with defensive strategy to help organisations build a secure Active Directory infrastructure.
How can Cyphere’s AD pentesting secure Active Directory?
Cyphere’s Active Directory penetration testing helps organisations to secure their Active Directory environment by identifying the hidden weaknesses and then providing the roadmap for improving those weak areas. AD Penetration Testing reveals weak configurations, excessive privileges, unsecured credentials and exploitable trust relations which can be exploited in real-world scenarios. Cyphere not only provides a list of vulnerabilities but also explains how those vulnerabilities help attackers compromise the domain controller and how organisations can effectively remediate them.
Organisations can improve their resilience against attacks like golden ticket attacks, silver ticket attacks, token impersonation and kerberoasting by identifying and addressing the security flaws detected by Cyphere’s team. Cyphere’s approach reduces the overall attack surface, resulting in a controlled and secure authentication and authorisation process for an organisation.
Why is Active Directory security important?
Active Directory (AD) security is the backbone of identity and access management in most organisations, controlling authentication, authorisation and access to critical systems, data and resources. According to Carolyn Crandall et al., in their research ‘How to stop attackers from owning your Active Directory’ published on June 1, 2022, more than 90% of organisations use Active Directory (AD) as their identity management system.
AD is a primary target for cybercriminals as it manages user identities, permissions, and access to nearly all networked resources. Attacks on Active Directory can result in full domain takeovers, data theft, ransomware deployment, business disruption and AD-specific attacks that are often missed by traditional security tools. Organisations can also face legal and financial penalties due to the compromised Active Directory, which leads to a violation of data protection regulations (e.g., GDPR, HIPAA).
Gia-Huy Nguyen et al state in their research, ‘Automated Framework for Active Directory Security and Compliance through Continuous Monitoring and Attack Path Validation,’ published on January 29, 2025, that compromising Active Directory can lead to major security breaches and regulatory issues and require continuous monitoring and attack path validation to improve the security posture of the organisation.
What are the best practices for securing Active Directory?
Best practices for securing Active Directory involve preventing privilege escalation, ransomware, data breaches and protecting organisational assets. AD is a prime target for attackers as it contains sensitive information about users, computers, permissions, and network resources. Thus, it is important to secure Active Directory by implementing layered security controls, minimising privileges, and continuous monitoring. Below are the six best practices for securing Active Directory.
- Implement the principle of least privilege by restricting admin group memberships and using secure administrative workstations for privileged tasks.
- Secure domain controllers and service accounts with minimal privileges, strong credentials, and isolation from user networks.
- Keep systems updated, patch vulnerabilities promptly, and disable legacy protocols like NTLMv1 and SMBv1.
- Monitor continuously through logging and SIEM alerts to detect suspicious activity early.
- Maintain regular backups, incident response plans and system-state recovery to ensure resilience.
- Use Multi-Factor Authentication (MFA) for privileged accounts, segregate administrative and user accounts, and document delegations and group memberships to prevent hidden privileges or misconfigurations.
How do you follow a checklist to secure Active Directory?
A comprehensive Active Directory penetration testing checklist is a systematic approach that penetration testers follow during an Active Directory assessment to ensure consistent coverage from scoping and reconnaissance through exploitation simulation, remediation guidance, clean-up and reporting. The Active Directory penetration testing checklist contains pre-engagement preparation (define scope, objectives and rules of engagement, and gather information about the AD environment); reconnaissance (identify AD domain controllers and DNS servers, and enumerate user accounts, groups and policies); active scanning (identify live hosts and services, and scan for vulnerabilities, misconfigurations and weaknesses); enumeration and exploitation (enumerate users and groups, and exploit vulnerabilities and misconfigurations); post-exploitation (persistence, privilege escalation and lateral movement); reporting (document findings, and provide recommendations and remediations); clean-up and closure (remove the tools used during testing and restore systems to their original state if needed); verification (verify that the recommended remediations have been implemented); documentation and review; and compliance and legal (ensure compliance with relevant regulations and laws).
The Active Directory penetration testing checklist is listed below.
- Pre-engagement preparation
- Reconnaissance
- Active scanning
- Enumeration and exploitation
- Post exploitation
- Clean-up and closure
- Verification
- Documentation and review
- Compliance and legal