tgrahamcodes/active-directory-attack-lab
Active Directory Attack Lab

Overview

This repository documents a simulated Active Directory penetration testing lab built to demonstrate common techniques used to compromise enterprise Windows environments.

The project focuses on credential attacks, Active Directory enumeration, privilege escalation, and lateral movement techniques.

 

Lab Environment

| System | Operating System | Role | IP Address |
|---|---|---|---|
| Domain Controller | Windows Server 2022 | Active Directory / DNS | 192.168.91.129 |
| Workstation | Windows 11 Pro | Domain User Host | 192.168.91.130 |
| Attacker | Parrot Security OS | Penetration Testing Machine | 192.168.91.128 |

Domain: corp.local
Network: 192.168.91.0/24

 

Attack Techniques Demonstrated

| Attack | Description of the Attack |
|---|---|
| LLMNR Poisoning | Capturing NTLM authentication hashes |
| Kerberoasting | Extracting Kerberos service tickets for offline cracking |
| BloodHound Privilege Escalation | Identifying attack paths in Active Directory |
| Pass-the-Hash | Authenticating with captured NTLM hashes |

Additional Attacks:

| Attack | Description |
|---|---|
| AS-REP Roasting | Obtaining AS-REP responses for accounts that do not require Kerberos pre-authentication, for offline cracking |
| SMB Share Enumeration | Discovering accessible network shares |
| DCSync | Extracting domain credential hashes by requesting directory replication |
| Golden Ticket | Forging Kerberos tickets using the krbtgt hash |

 

Attack Walkthrough

| Attack | Writeup |
|---|---|
| LLMNR Poisoning | View |
| Kerberoasting | View |
| AS-REP Roasting | View |
| BloodHound | View |
| Pass-the-Hash | View |
| DCSync | View |
| Golden Ticket | View |
| SMB Share Enumeration | View |

 

Example Attack Evidence

Captured NTLM Hash (LLMNR Poisoning)

Kerberoasting Hash

BloodHound Attack Path

Tools Used

| Tool | Purpose |
|---|---|
| Responder | LLMNR/NBT-NS poisoning and credential capture |
| Hashcat | Offline password cracking |
| CrackMapExec | Active Directory enumeration |
| BloodHound | Privilege escalation analysis |
| Impacket | Kerberos attacks and pass-the-hash |

Detection Opportunities

Possible detection indicators include:

  • abnormal Kerberos ticket requests
  • repeated authentication failures
  • unusual LLMNR broadcast activity
  • suspicious SMB authentication attempts
  • privilege escalation events
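
The following detection logic is an added example, not part of this repository; it shows how the indicators above map onto Windows Security events for the Kerberoasting, AS-REP Roasting, DCSync and repeated-failure cases. The sample events are constructed (simplified field names, made-up values for the lab's corp.local domain); the event IDs (4768, 4769, 4625, 4662), the RC4 encryption type 0x17 and the two replication-right GUIDs are real Windows values. The thresholds and window are assumed tuning knobs.

```python
"""Detection checks for Kerberos, NTLM and replication indicators, run over
constructed sample Security-log events (not real log data)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Extended-rights GUIDs exercised by DCSync (real, well-known values).
REPL_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"      # DS-Replication-Get-Changes
REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"  # DS-Replication-Get-Changes-All
RC4_HMAC = "0x17"  # ticket encryption type preferred by offline crackers

# Constructed sample events; field names are simplified from the real event XML.
EVENTS = [
    # One account pulls RC4 service tickets for several SPNs within seconds.
    {"id": 4769, "time": "2024-01-10T09:00:01", "account": "jdoe", "service": "MSSQLSvc/sql01.corp.local", "etype": "0x17", "src_ip": "192.168.91.128"},
    {"id": 4769, "time": "2024-01-10T09:00:02", "account": "jdoe", "service": "HTTP/web01.corp.local", "etype": "0x17", "src_ip": "192.168.91.128"},
    {"id": 4769, "time": "2024-01-10T09:00:03", "account": "jdoe", "service": "CIFS/files01.corp.local", "etype": "0x17", "src_ip": "192.168.91.128"},
    # Normal AES (0x12) ticket request for a single service.
    {"id": 4769, "time": "2024-01-10T09:05:00", "account": "asmith", "service": "CIFS/files01.corp.local", "etype": "0x12", "src_ip": "192.168.91.130"},
    # Successful TGT request with Pre-Authentication Type 0 (pre-auth not required).
    {"id": 4768, "time": "2024-01-10T09:10:00", "account": "svc-backup", "preauth_type": "0", "etype": "0x17", "result": "0x0", "src_ip": "192.168.91.128"},
    {"id": 4768, "time": "2024-01-10T09:10:05", "account": "asmith", "preauth_type": "2", "etype": "0x12", "result": "0x0", "src_ip": "192.168.91.130"},
    # Six logon failures from one source in a few seconds.
    *[{"id": 4625, "time": f"2024-01-10T09:20:{i:02d}", "account": f"user{i}", "src_ip": "192.168.91.128"} for i in range(6)],
    # Replication rights used by a normal user versus by the DC's own account.
    {"id": 4662, "time": "2024-01-10T09:30:00", "account": "jdoe", "properties": [REPL_GET_CHANGES, REPL_GET_CHANGES_ALL], "src_ip": "192.168.91.128"},
    {"id": 4662, "time": "2024-01-10T09:31:00", "account": "DC01$", "properties": [REPL_GET_CHANGES_ALL], "src_ip": "192.168.91.129"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def kerberoast_candidates(events, threshold=3, window=timedelta(minutes=5)):
    """Accounts requesting >= threshold RC4 service tickets (4769, 0x17) inside `window`."""
    requests = defaultdict(list)
    for e in events:
        if (e["id"] == 4769 and e.get("etype") == RC4_HMAC
                and not e["service"].lower().startswith("krbtgt")):
            requests[e["account"]].append((_ts(e), e["service"]))
    flagged = {}
    for account, reqs in requests.items():
        reqs.sort()
        for start in range(len(reqs)):
            in_window = [svc for ts, svc in reqs[start:] if ts - reqs[start][0] <= window]
            if len(in_window) >= threshold:
                flagged[account] = sorted(set(in_window))
                break
    return flagged


def asrep_roast_candidates(events):
    """Successful 4768 with Pre-Authentication Type 0: the account has
    'Do not require Kerberos preauthentication' set. Failed 4768s (e.g. the
    normal KDC_ERR_PREAUTH_REQUIRED round trip, 0x19) are excluded."""
    return sorted({e["account"] for e in events
                   if e["id"] == 4768 and e.get("preauth_type") == "0" and e.get("result") == "0x0"})


def repeated_failures(events, threshold=5):
    """Source addresses with at least `threshold` logon failures (4625)."""
    counts = defaultdict(int)
    for e in events:
        if e["id"] == 4625:
            counts[e["src_ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def dcsync_candidates(events, dc_accounts):
    """Non-DC accounts exercising DS-Replication-Get-Changes-All (4662)."""
    return sorted({e["account"] for e in events
                   if e["id"] == 4662 and REPL_GET_CHANGES_ALL in e.get("properties", ())
                   and e["account"] not in dc_accounts})


def run_all(events, dc_accounts=frozenset({"DC01$"})):
    return {
        "kerberoasting": kerberoast_candidates(events),
        "asrep_roasting": asrep_roast_candidates(events),
        "repeated_failures": repeated_failures(events),
        "dcsync": dcsync_candidates(events, dc_accounts),
    }


if __name__ == "__main__":
    for name, hits in run_all(EVENTS).items():
        print(f"{name}: {hits}")
```

The Kerberoasting check keys on RC4 because AES-only service accounts produce tickets that are far more expensive to crack; in an estate that still has RC4 legitimately, the count-within-window part of the rule is what separates a bulk SPN request from normal ticket traffic. The DCSync check deliberately whitelists only domain controller computer accounts (and, in practice, any Entra Connect sync account), since those are the only principals that should replicate. LLMNR poisoning is not visible in Security events and is better caught on the network (unsolicited LLMNR/NBT-NS responses) or by the hardening audit below.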

Mitigation Strategies

Common defensive measures include:

  • disabling LLMNR and NBT-NS
  • enforcing SMB signing
  • strong password policies
  • multi-factor authentication
  • least privilege access control
  • Active Directory security auditing
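
As an added example (not part of this repository), the audit below checks an exported Windows registry file (`.reg` text) for the first two mitigations in the list: LLMNR disabled, NBT-NS disabled per interface, and SMB signing required on both the server and client side. The registry paths and value names are the real ones these settings live under; the two sample exports, including the interface GUID, are constructed, and treating a missing value as the weak default is an assumption that matches Windows' out-of-the-box behaviour on member machines.

```python
"""Audit a .reg export against LLMNR / NBT-NS / SMB-signing hardening."""
import re

# Real registry locations for the settings checked.
DNSCLIENT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient"
LANMAN_SERVER = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"
LANMAN_WKS = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters"
NETBT_IFACE_PREFIX = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_"

CHECKS = [
    # (key, value name, hardened value, description of the weak state)
    (DNSCLIENT, "EnableMulticast", 0, "LLMNR enabled"),
    (LANMAN_SERVER, "RequireSecuritySignature", 1, "SMB server signing not required"),
    (LANMAN_WKS, "RequireSecuritySignature", 1, "SMB client signing not required"),
]

# Constructed sample exports (the interface GUID is a placeholder).
WEAK_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient]
"EnableMulticast"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
"RequireSecuritySignature"=dword:00000000
"EnableSecuritySignature"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_{11111111-2222-3333-4444-555555555555}]
"NetbiosOptions"=dword:00000000
"""

HARDENED_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient]
"EnableMulticast"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
"RequireSecuritySignature"=dword:00000001
"EnableSecuritySignature"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters]
"RequireSecuritySignature"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_{11111111-2222-3333-4444-555555555555}]
"NetbiosOptions"=dword:00000002
"""


def parse_reg(text):
    """Parse .reg text into {key: {value_name: int}}; only dword values are kept."""
    tree, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            tree.setdefault(key, {})
        elif key and (m := re.match(r'"([^"]+)"=dword:([0-9a-fA-F]{8})$', line)):
            tree[key][m.group(1)] = int(m.group(2), 16)
    return tree


def audit(text):
    """Return (value name, observed, expected, weak-state description) for each
    setting that is missing or not at its hardened value."""
    tree = parse_reg(text)
    findings = []
    for key, name, want, weak in CHECKS:
        got = tree.get(key, {}).get(name)  # None = value absent = Windows default
        if got != want:
            findings.append((name, got, want, weak))
    # NBT-NS is configured per interface: every Tcpip_{GUID} subkey needs NetbiosOptions=2.
    ifaces = [k for k in tree if k.startswith(NETBT_IFACE_PREFIX)]
    if not ifaces:
        findings.append(("NetbiosOptions", None, 2, "no NetBT interface keys in export"))
    for k in ifaces:
        got = tree[k].get("NetbiosOptions")
        if got != 2:
            findings.append((f"NetbiosOptions@{k.rsplit(chr(92), 1)[-1]}", got, 2, "NBT-NS enabled"))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_REG), ("hardened", HARDENED_REG)):
        print(label, audit(text))
```

On a real host the input comes from `reg export` of the four keys above (a script that pulls only dword values is enough, since all four settings are REG_DWORD). Settings pushed by Group Policy land in the same keys, so the audit also confirms that a GPO has actually applied; a clean result still leaves the remaining items in the list (password policy, MFA, least privilege, auditing) to be checked elsewhere.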

Disclaimer

This lab was conducted in an isolated virtual environment for educational and defensive security research purposes only.
