# Active Directory Pentest Roadmap
Use this roadmap as the main entry point for Active Directory pentesting notes on this site. The order is designed for authorized labs and assessments: enumerate first, validate access carefully, map attack paths, then move into focused exploitation and reporting.
## Read in This Order
| Step | Topic | Why It Matters |
|---|---|---|
| 1 | Active Directory Enumeration Checklist | Build the domain map before running noisy actions. |
| 2 | NetExec Commands Cheatsheet | Validate SMB, LDAP, WinRM, password spraying, and access checks. |
| 3 | Kerberos Attack Techniques for OSCP | Understand Kerberoasting, AS-REP roasting, tickets, and trust boundaries. |
| 4 | GetNPUsers.py — Deep Dive | Target AS-REP roastable users safely and document the exposure. |
| 5 | GetUserSPNs.py — Deep Dive | Enumerate SPN accounts and collect Kerberoast material. |
| 6 | BloodHound Attack Path Cheatsheet | Turn raw AD data into attack paths and remediation priorities. |
| 7 | AD CS Attack Notes — ESC1-ESC16 Summary | Learn the certificate services attack surface. |
| 8 | Certipy AD CS Attack Guide | Run practical AD CS checks such as ESC1, ESC8, and Shadow Credentials. |
| 9 | ntlmrelayx.py — Deep Dive | Connect SMB signing, relay targets, LDAP relay, RBCD, and AD CS ESC8. |
| 10 | RBCD Attack Guide | Understand delegation abuse and how to report it clearly. |
| 11 | secretsdump.py Guide | Validate DCSync, NTDS.dit, SAM, LSA Secrets, and post-compromise evidence. |
| 12 | Mimikatz Commands Cheatsheet | Interpret LSASS, Kerberos tickets, Pass-the-Hash, and DCSync outputs. |
| 13 | Lateral Movement — OSCP Summary | Move from credential validation to controlled lateral movement. |
| 14 | Windows Privilege Escalation — Full Analysis | Tie host privilege escalation back into domain compromise paths. |
## Fast Paths
| Goal | Start Here | Then Read |
|---|---|---|
| I have one domain user and need a plan | AD Enumeration Checklist | NetExec, BloodHound |
| I found SMB signing disabled | ntlmrelayx.py | AD CS, Certipy |
| I found SPN or preauth issues | Kerberos Attacks | GetUserSPNs.py, GetNPUsers.py |
| I have local admin or replication rights | secretsdump.py | Mimikatz, Lateral Movement |
| I need report-ready remediation | BloodHound | AD CS, Windows PrivEsc |
## Practical Workflow
- Confirm scope, domain names, domain controllers, and allowed test windows.
- Enumerate DNS, SMB, LDAP, Kerberos, WinRM, MSSQL, and AD CS exposure.
- Check password and lockout policy before any spray or authentication testing.
- Validate credentials with strict failure limits and record where access works.
- Collect BloodHound data and prioritize paths by business impact.
- Test one attack path at a time, starting with the lowest-impact proof.
- Convert each finding into a remediation item: policy, ACL, delegation, certificate template, credential hygiene, or monitoring.
## Related Writeups
These boxes are useful companion reads because they contain AD-style enumeration or credential workflows: