Steps to PenTesting Active Directory w/ PTES Methodology

Active Directory (AD) is the backbone of authentication and authorization in Windows environments. Its complexity, legacy dependencies, and central role make it a prime target for attackers.

To properly evaluate an organization’s resilience, penetration testers can apply the Penetration Testing Execution Standard (PTES) methodology. PTES provides a structured, repeatable process for offensive security testing.

Below is a breakdown of each PTES phase with Active Directory-specific tactics and tools.

1. Pre-Engagement Interactions

Before any testing begins:

  • Define scope (e.g., AD forest, trusts, domain controllers, member servers).

  • Set rules of engagement (password spraying thresholds, exploitation depth).

  • Confirm goals (compliance, red team realism, vulnerability discovery).

⚙️ Tools / Activities:

  • Scoping checklist

  • NDA, ROE, legal documentation

  • Scoping scripts (collect CIDR ranges, domains, OU structures from client)

2. Intelligence Gathering (Reconnaissance)

Goal: Collect as much information as possible about the AD environment without direct interaction.

Steps:

  • Identify domain controllers, DNS records, and public-facing services.

  • Gather leaked credentials from paste sites, GitHub, or OSINT.

⚙️ Tools:

  • nslookup / dig → Identify AD-related DNS records.

  • Shodan / Censys → External footprinting.

  • HaveIBeenPwned / LeakCheck → Credential leaks.

3. Threat Modeling

Map potential attack paths based on the intelligence gathered.

Steps:

  • Define likely initial access vectors (phishing, VPN, weak exposed services).

  • Identify high-value AD targets (Domain Admins, KRBTGT account, GPOs).

  • Build an attack graph for escalation paths.

⚙️ Tools:

  • Threat modeling diagrams (AttackIQ, Threat Dragon, or even BloodHound in theory).

4. Vulnerability Analysis

Actively enumerate AD systems, accounts, and trust relationships to find exploitable weaknesses.

Steps:

  • Enumerate domain info, users, groups, and policies.

  • Identify Kerberoastable accounts, delegation issues, and unpatched systems.

⚙️ Tools:

  • NetExec (previously CrackMapExec):

    • netexec smb <target> -u guest -p '' --shares → SMB shares

    • netexec ldap <DC> -u user -p pass --users → User enumeration

  • BloodHound / SharpHound → Attack path discovery

  • ldapsearch / enum4linux-ng → LDAP/Samba enumeration

  • PowerView → In-domain enumeration

5. Exploitation

Leverage identified vulnerabilities to gain access to AD.

Steps:

  • Attempt password spraying or weak credential attacks.

  • Capture and relay NTLM hashes.

  • Exploit service misconfigurations or patchable vulnerabilities.

⚙️ Tools:

  • NetExec:

    • netexec smb <targets> -u users.txt -p passwords.txt → Password spraying

    • netexec smb <target> -u user -p pass -x "whoami" → Remote command execution (NetExec uses -x for a cmd command and -X for a PowerShell command)

  • Responder → NTLM hash capture

  • Metasploit Framework → Windows service exploits

  • Evilginx2 → Phishing with MFA bypass
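The defender's side of the password-spraying step above, as an added example that is not part of the original post: a small Python detector that parses constructed Windows Security 4625 (logon failure) records and flags a source address that fails against many distinct accounts inside a short window, the pattern a rules-of-engagement spraying threshold is meant to stay under. The flattened key=value log format, the 10-minute window and the 5-account threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed Windows Security events, one key=value line each (assumption: real EVTX/XML exports need their own parser).
SAMPLE_LOG = """\
2024-05-01T09:00:01 EventID=4625 TargetUserName=alice IpAddress=10.0.0.50
2024-05-01T09:00:03 EventID=4625 TargetUserName=bob IpAddress=10.0.0.50
2024-05-01T09:00:05 EventID=4625 TargetUserName=Carol IpAddress=10.0.0.50
2024-05-01T09:00:07 EventID=4625 TargetUserName=dave IpAddress=10.0.0.50
2024-05-01T09:00:09 EventID=4625 TargetUserName=eve IpAddress=10.0.0.50
2024-05-01T09:00:11 EventID=4625 TargetUserName=frank IpAddress=10.0.0.50
2024-05-01T09:00:13 EventID=4624 TargetUserName=frank IpAddress=10.0.0.50
2024-05-01T09:05:00 EventID=4625 TargetUserName=bob IpAddress=10.0.0.77
2024-05-01T09:05:10 EventID=4625 TargetUserName=bob IpAddress=10.0.0.77
2024-05-01T09:05:20 EventID=4625 TargetUserName=bob IpAddress=10.0.0.77
2024-05-01T08:00:00 EventID=4625 TargetUserName=alice IpAddress=192.168.1.5
2024-05-01T09:30:00 EventID=4625 TargetUserName=gina IpAddress=192.168.1.5
2024-05-01T10:00:00 EventID=4625 TargetUserName=hank IpAddress=192.168.1.5
"""
LINE_RE = re.compile(r"^(\S+) EventID=4625 TargetUserName=(\S+) IpAddress=(\S+)$")

def parse_failures(text):
    """(timestamp, user, source_ip) for each 4625 line; other event IDs are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append((datetime.fromisoformat(m.group(1)), m.group(2).lower(), m.group(3)))
    return rows

def detect_spray(text, window_minutes=10, min_users=5):
    """source_ip -> sorted distinct accounts for sources failing against >= min_users
    accounts within any window_minutes span; one account failing repeatedly is not a spray."""
    by_src = defaultdict(list)
    for ts, user, src in parse_failures(text):
        by_src[src].append((ts, user))
    hits = {}
    for src, rows in by_src.items():
        rows.sort()
        start, best = 0, set()
        for end in range(len(rows)):
            while (rows[end][0] - rows[start][0]).total_seconds() > window_minutes * 60:
                start += 1  # slide the window start forward until it spans <= window_minutes
            users = {u for _, u in rows[start:end + 1]}
            if len(users) > len(best):
                best = users
        if len(best) >= min_users:
            hits[src] = sorted(best)
    return hits
```

The single-account source (10.0.0.77) is deliberately not flagged: that is a brute-force or stale-credential pattern and belongs to a different rule.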

6. Post-Exploitation (Privilege Escalation & Lateral Movement)

Expand from an initial foothold to domain dominance.

Privilege Escalation Steps:

  • Perform Kerberoasting and AS-REP roasting.

  • Dump credentials or tickets from memory.

  • Abuse weak ACLs and delegation.

Lateral Movement Steps:

  • Reuse hashes/tickets for remote logins.

  • Move to high-value servers (file servers, DCs).

⚙️ Tools:

  • Impacket (GetUserSPNs, secretsdump, wmiexec, psexec)

  • Rubeus → Ticket extraction and forging

  • Mimikatz → Credential dumping, Golden Tickets

  • NetExec:

    • netexec smb <target> -u user -H <hash> --lsa → Dump LSA secrets from the host (pass-the-hash authentication)

    • netexec smb <target> -u user -p pass --ntds → Dump AD database

7. Reporting (The Most Critical Phase)

Document findings and remediation steps.

Deliverables:

  • Executive summary (impact, risk rating, business context).

  • Technical report (steps, tools, evidence, commands used).

  • Remediation roadmap (prioritized fixes for AD security).

⚙️ Reporting Tips:

  • Include BloodHound path screenshots for visual impact.

  • Provide NetExec command output snippets for reproducibility.

  • Map findings to MITRE ATT&CK (Enterprise / Windows / Credential Access / Lateral Movement).

Key Takeaways

  • AD penetration testing is most effective when structured under a recognized methodology like PTES.

  • NetExec, BloodHound, Impacket, and Mimikatz form the core toolkit for AD exploitation and post-exploitation.

  • Success isn’t just about achieving complete compromise; it’s about delivering a clear remediation plan that strengthens AD against real-world adversaries.
