Active Directory Hacking Lab

In this article, I’m going to create a simulated, Active Directory Hacking Lab, and then assess some methods to uncover Active Directory “secrets”

In fact, Active Directory – AD – is a key component to manage Entreprise wide networks. It is frequently reaching a high degree of complexity in Companies, who have thousands of workstations, servers, and devices to manage. This complexity brings Security risks

Because it is a high profile target, Active Directory is therefore often attacked. Several tools have been developed to achieve this goal

As it is not OK to attack a real Active Directory, I will therefore create a simplified Hacking Lab, and then check different methods to explore the AD

Active Directory basics

There are many good resources available out there, to discover the basics of AD. I suggest this one :, and also this one :

So, I will not go into details. In a nutshell, bear in mind the four main components of an AD

Domain, Forest, Tree, ObjectsAn Active Directory Domain is a collection of objects within a Microsoft Active Directory network

An Object can be a single user or a group or it can be a hardware component, such as a computer or printer

The Active Directory framework that holds the objects can be viewed as a number of levels

The forest, tree, and domain are the logical divisions in an Active Directory network
Directory ServicesActive Directory is a database that organizes your company’s users and computers

It provides a Data Store for storage of directory data and a Directory Service with an LDAP Directory Service Interface

The Active Directory database is stored in C:\Windows\NTDS\NTDS.DIT
Access Rights ManagementsWhen a user logs into a computer that is part of a Windows domain, Active Directory checks the submitted password against a Hash signature, and determines whether the user is a system administrator or a normal user

A Domain Controller is a server on the network that centrally manages access for users, PCs and servers on the network, via the Active Directory configuration

Kerberos is used to manage credentials securely (authentication) while LDAP is used for holding authoritative information about the accounts, such as what they’re allowed to access (authorization), the user’s full name and UID
Group Policy ObjectMicrosoft’s Group Policy Object (GPO) is a collection of Group Policy settings that defines what a system will look like and how it will behave for a defined group of users

SYSVOL is a folder that exists on all domain controllers. It is the repository for all of the active directory files. It stores all the important elements of the Active Directory group policy

A File Replication Service (FRS) allows the replication of the SYSVOL folder among domain controllers

Implementation of the Active Directory Hacking Lab

Architecture & Installation

I’m going to implement the following architecture, using Virtual Machines (I use Oracle VirtualBox as Hypervisor)

The attacker will be using Kali Linux. The “network” to attack is made of an Active Directory Domain Controller, implemented on Windows Server 2016 Essentials, and a Workstation implemented on Windows 10 Enterprise

To proceed with the installation of each VM, I downloaded the ISO files of each OS – Microsoft provides evaluation versions – and initialized each VM. Here is a YouTube video to help you proceed with the installation if needed (example : Windows 10)

You will need to adjust the RAM memory allocated to each VM, and make sure this does not overshoot the RAM of your PC. Make sure to keep enough memory margin, to avoid saturating your PC, and face heavy performance losses or even crashes

After installation, I grouped the VMs in the Group “Active Directory Hacking Lab”

Here are the three VMs, all fired up, after installation :

Here below some parameters I defined during the installation, which are of interest for the next steps

Windows Server 2016Admin#01
Windows Server 2016Administrator
Windows 10Bob
Usersee above

Our Domain is configured as follows. During the installation of Windows Server, I also promoted this machine as Domain Controller

Configuration of the Network

Now, let’s make sure that each VM can talk to each other, and can also access Internet. For this, close down the VMs and go in the parameters of each individual VM. Then open the Network tab. You shall select, for each VM, the “Bridged Adapter”

This will make sure that each VM is accessible in the local network and identified with a unique IP adress. VirtualBox will allocate the IP adresses of each VMs, for you

For further detailed overview of each network options and the way each VM will communicate to each other, here is a good summary

Source :

After doing this, you can restart each VMs, and discover the IP allocations, and ping each VM with the others, to check that your VMs network is working

In Kali Linux, open the Terminal, and type “ip addr show“, then use the ping command

In the Windows VMs, open Powershell, and type “ipconfig“, then use the ping command

Here is a summary of the IP adresses allocated by VirtualBox in my Lab

Virtual MachineIP allocation
Kali Linux192.168.1.45
Windows 10 Enterprise192.168.1.44
Windows Server 2016 Essentials192.168.1.46
IP location of each VM in the local network

Kali Linux (ping the Windows Server VM in this screen)

Windows 10 Enterprise (ping the Windows Server VM in this screen)

Windows Server 2016 (ping back the Kali Linux VM in this screen)

Shared Folders

To share files easily between each VM and your Host PC, you shall install shared folders in each VM. The necessary steps are different between Windows VMs and Linux VMs

For Windows, follow these steps :

For Linux, on the menu bar, go to Devices >Insert Guest Additions CD Image (as done on the Windows VMs). Then, open your file explorer. You will see that a virtual CD drive has been mounted with the following content

Open the Terminal, and follow these steps to run the installer

You should get the following messages

Then, restart the VM, open the Terminal and check that the installation is successfull, as follows

Implementation of Active Directory

Now, let’s proceed with the installation of a basic Active Directory structure. Let’s open the VM Windows Server 2016 and launch the Server Manager

Follow this sequence : Add roles and features -> Next (take care of the warnings and proceed with the necessary configurations before moving on) -> Role-based or feature-based installation -> Select a server from the server pool (choose the available server creared during the installation of Windows Server 2016) -> Active Directory Domain Services -> Next

Now, let’s create objects inside our Active Directory. For this, right click on the Domain, click New, and choose the object you want to create

I created a basic corporate organization and user names, as follows

OrganizationUserPasswordJob title
HACKERONE-SOCBob SinclairTest1234Analyst
HACKERONE-SOCMike DelphinoTest5678Manager
HACKERONE-CERTAnnie DelordKlom987Analyst
HACKERONE-CERTNicolette PhraserKlom654Manager
HACKERONE-AUDITLuc Canama468OklmLead Auditor
HACKERONE-AUDITPaulina Harter248GreyManager

Then, we link our Windows 10 Workstation in our Domain : Windows Settings -> System -> About -> Join a domain -> Type in the domain name and User name/Password

Discovering the Active Directory

Now let’s explore some key components of Active Directory, using mimikatz. First of all, you need to know the process lsass


This process is the Local Security Authority Subsystem Service. It is an essential part of any Windows device. It has a key role during authentification, whatever its nature. As soon as a user logs in, authentification informations are sent to the process lsass. Inside this process, authentification management services, so called SSP – Security Service Provider, are here to manage every different type of authentifications

It is possible to dump the content of lsass, just right clicking on the process lsass in the Task Manager

Here is a good blog post documenting the different possible ways to dump the content of lsass :

Windows hashes

The passwords stored in Windows are Hashed. Here is a very good explanation about password hashes in Windows

Source : DarthSidious

Windows Authentification

Here is a summary of Windows authentification mechanisms between AD level and local level, and what could be extracted

Active Directory authentification

Credentials of the accounts in the Domain ( hashes LM:NTLM)
Group Policy Preferences
Local Administration passwords

Silver and Golden Tickets to be cracked

Local authentification

Credentials of the local accounts / hashes LM:NTLM

Sessions of the latest connected users / hashes to be cracked
Secrets LSA
Credentials linked to services
Reversible passwords until Windows Server 2012

Credential Manager
Credentials in the web browsers or other targets in the network
Access Token
Delegation tokens from an interactive connexion on the machine
Credentials WiFi, VPN,…from the master keys
Miscellaneous Services
Passwords saved (FileZilla, WinSCP,…) or reversibles (VNC)

Here is also a good flowchart about identification mechanisms inside Windows

Source :


Now, let’s run mimikatz. The installation is easy but Windows Defender is going to treat this as a virus. In fact, this hacking tool is very efficient, but so famous now, that its signature is blocked by all main antivirus programs. I deactivated Defender for this exercise. For the installation, just download the zip from here :

The lsass dump has to be in the same directory as mimikatz

You shall run the mimikatz.exe as administrator. We can get password hashes, Kerberos tickets, and more, using the below commands

sekurlsa :: logonPasswords

Lists all available login credentials. This usually shows recently logged on user and computer credentials

sekurlsa :: tickets / export

Lists all available Kerberos tickets for all recently authenticated users, including services running under the context of a user account and the local computer’s AD

sekurlsa uses memory reading and can access tickets of others sessions (users)

lsadump :: lsa /patch

Ask LSA server to retrieve SAM/AD. Use to dump all Active Directory domain credentials from a Domain Controller or lsass.dmp dump file

Often these accounts are members of Domain Admins (or equivalent) or a Domain Admin was recently logged on to the computer an attacker dump credentials from. Using these credentials, an attacker can gain access to a Domain Controller and get all domain credentials, including the KRBTGT account NTLM hash which is used to create Kerberos Tickets


From all this, we can now crack the hashes and read the passwords in clear. There is a good built in Kali Linux facility for this : hashcat ->

Here is an example with the Active Directory user declared above “Bob Sinclair” -> we find – very quickly, less than 1 second ! – the password “Test1234”


mimikatz is being detected by Windows Defender and almost all popular anti-virus. Lsassy has been implemented with stealth in mind. It has the following characteristics :

  • dump lsass remotely, using default Windows tools such as WMI
  • analyze lsass dumps remotely, without downloading the whole dump

Here is a basic way to extract secrets by using lsassy, demonstrating its capability

In the example below, we can recover the LM:NTLM hash. This is not spectacular but shows the potential of lsassy


This tool allows to map the Active Directory in a graphical manner, which is very usefull as soon as your AD gets complex. This facility also allows to track the compromized machines in the network and therefore plot the progress of an attacker

At first, let’s install bloodhound on my Kali Linux machine, and launch the neo4j console

The launch of neo4j triggers the events below and launches the event listener on the localhost:7474

Once the listener is active, you need to open a web page and configure neo4j to listen on the localhost

Once this is done, you need to dump the Active Directory objects from the Windows Machine, in this case Windows Server 2016, using a module called SharpHound.exe

Then, it is easy to dump the objects and transfer them back to Kali Linux, for analysis in bloodhound. Then, we can generate a bunch of different graphs and analysis

Find Shortest Paths to Domain Admins

Shortest Paths from Domain Users to High Value Targets

Additionallly, we can gather many details about our Domain Controller

This is definitely a tool to master to reckon an Active Directory


It is a tool used to recover some informations from the Active Directory and more actions such as persistence, based upon Windows Powershell. Attackers are using PowerSploit, including some commands in their exploitation scripts

For the purpose of this article, I have just installed PowerSploit inside the Windows Server machine, to discover the main functions. For installation, check this good video

Here below, we can see all the modules are installed inside System32

Now, let’s make sure the PowerSploit module is imported inside the PowerShell ISE

Now, we can start some basic reconnaissance of the Domain HACKERONE.local

PowerSploit allows you to search for “interesting” files, using some keywords or other search criteria. For example, I use the keyword “Admin”

We can identify the logged users

We can also get a bunch of interesting informations about the users of our Domain

Overall, PowerSploit is rather good to extract some key informations about our Domain

Ping Castle

This tool allows to get an overview of the safety situation of your Active Directory. Installation is made directly on the Windows Server 2016. There is an .EXE file that launches some scripts. We have to choose between several options

The data collection is started and done fairly quickly

We get a PDF report with some KPI and rankings, providing an overall rating

We also get a much detailed report about configuration issues and potential remediations

We also get some further details about our administrator accounts


This Python framework is very modular, and allows to automate a number of tasks to collect dumps on several machines. Installation is pretty straightforward

Here below all the available modules. We can see some tooling to inject shellcode, mimikatz in Python, lsassy as seen above, some scripts similar to PowerSploit to dump the AD, integration with bloodhound,…


We have learned to setup a basic Active Directory Hacking Lab and local network, with communications made possible between Kali Linux, Windows Server 2016, Windows 10 machines. We have configured a basic Active Directory infrastructure, and explored its objects with several hacking tools, either based upon C, C#, Java, Python, PowerShell

We have seen that Active Directory configuration is a complex topic and that the AD is really the backbone of any Windows based network. This complexity brings some significant risks. It is quite astonishing to see all the informations that can be recovered with the available hacking tools. However, I want to say that my Lab lacks some realism and I just scratched the surface of the network exploration, as most of the tools I used were detected by Windows Defender and I could not go through all the manipulations I had planned for initially

In any case, it is a very good way to understand Windows network infrastructure !