Key Takeaways
- Active Directory compromise is almost always a misconfiguration chain, not a zero-day. Kerberoasting, AS-REP roasting, ACL abuse, and unconstrained delegation are the recurring themes.
- BloodHound + SharpHound are the single highest-ROI tools in AD pentest. They convert thousands of permissions into a single visual graph of attack paths to Domain Admin.
- Kerberoasting against service accounts with weak passwords is the #1 finding in Indian enterprise AD pentests. Service accounts with SPNs and 8-character passwords are everywhere.
- Pass-the-Hash and Pass-the-Ticket abuse NTLM and Kerberos primitives to move laterally without ever cracking a plaintext password.
- Hardening is achievable. Tiered admin model, LAPS, gMSA, removing legacy NTLM, and disabling SMBv1 cut 80 percent of the AD attack paths we exploit.
Why Active Directory Pentest Matters
Almost every Indian enterprise above 200 employees runs Active Directory. Most ransomware operators that hit Indian targets in 2024 and 2025 (Akira, LockBit affiliates, BlackByte, Royal, BlackSuit, Medusa) achieved full domain compromise within hours of initial access. The path from a phished user laptop to Domain Admin is rarely a software exploit. It is a sequence of legitimate AD primitives being used against the directory the way it was designed to be used.
An AD pentest reproduces that exact attack chain. We sit at the privilege level of an average domain user (assumed-compromise model) and demonstrate which paths to Domain Admin exist, how many steps each takes, and what specifically to fix. Done right, an AD pentest is the single highest-value engagement for any Windows shop in India.
Methodology: Assumed Compromise, Graph-Driven
Our methodology assumes the attacker already has standard domain-user credentials. This is realistic. Indian phishing campaigns achieve initial access in roughly 5 to 15 percent of targeted users, depending on training and email hygiene. Starting with zero credentials is interesting but not the dominant real-world scenario.
From assumed compromise, the engagement runs in four phases: enumeration, attack-path identification, privilege escalation, and persistence. At each phase we use a combination of BloodHound graph queries, PowerView and ActiveDirectory module commands, Impacket toolkit for protocol-level abuse, Rubeus and Mimikatz for Kerberos and credential operations, and Certify or Certipy for AD Certificate Services abuse.
Enumeration: BloodHound, SharpHound, PowerView
Step one is silent enumeration. SharpHound (.NET) or BloodHound.py (Python, often safer to run from Linux) collects users, groups, computers, group memberships, sessions, ACLs, GPOs, OU structure and trusts via authenticated LDAP and SMB. The output is a JSON bundle ingested into BloodHound CE or Legacy for graph analysis.
BloodHound transforms tens of thousands of permission edges into a single navigable graph. Built-in queries answer the question every AD attacker asks first: shortest path from owned user to Domain Admin. Custom Cypher queries answer the questions defenders should be asking: how many users can reach Domain Admin in three or fewer hops, which Tier 0 assets sit on the same OU as Tier 1 service accounts, which GPOs are writeable by non-Tier-0 principals, and which Kerberos delegation configurations create unconstrained or constrained risk.
PowerView (legacy PowerShell, still useful) and the AD PowerShell module provide quick targeted enumeration where running SharpHound is too noisy or blocked by EDR. Get-DomainUser, Get-DomainGroup, Get-DomainGPO, Get-DomainTrust and Find-DomainShare are the core verbs.
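The defender questions above (which SPN accounts are Tier 0, which passwords are stale, who has pre-authentication disabled, which non-DC hosts hold unconstrained delegation) can also be answered offline from the collector output and fed straight into a hardening backlog. The script below is an added example, not BloodHound's or Codesecure's code; the records are constructed and the lowercase `Properties` keys (`hasspn`, `dontreqpreauth`, `admincount`, `pwdlastset` as Unix seconds, `unconstraineddelegation`, `enabled`) are assumed to match the SharpHound JSON schema.

```python
"""Bucket a SharpHound-style export into hardening priorities.
Added example, not BloodHound's own code. Records are constructed and use the
collector's lowercase Properties keys as assumed here (hasspn, dontreqpreauth,
admincount, pwdlastset as Unix seconds, unconstraineddelegation, enabled)."""
DAY = 86400
STALE_DAYS = 365  # SPN account passwords older than this head the gMSA migration list

def user(name, spn=False, admin=False, nopreauth=False, pwdset=0, enabled=True):
    """Constructed stand-in for one entry of users.json 'data'."""
    return {"Properties": {"name": name, "hasspn": spn, "admincount": admin,
                           "dontreqpreauth": nopreauth, "pwdlastset": pwdset, "enabled": enabled}}

def computer(name, unconstrained=False, enabled=True):
    """Constructed stand-in for one entry of computers.json 'data'."""
    return {"Properties": {"name": name, "unconstraineddelegation": unconstrained, "enabled": enabled}}

NOW = 1_720_000_000  # fixed reference time so the triage is reproducible
USERS = [  # constructed sample accounts
    user("SVC_SQL@CORP.LOCAL", spn=True, admin=True, pwdset=NOW - 900 * DAY),
    user("SVC_IIS@CORP.LOCAL", spn=True, pwdset=NOW - 30 * DAY),
    user("SVC_BACKUP@CORP.LOCAL", spn=True, pwdset=NOW - 400 * DAY),
    user("LEGACYAPP@CORP.LOCAL", nopreauth=True, pwdset=NOW - 100 * DAY),
    user("OLD_SVC@CORP.LOCAL", spn=True, nopreauth=True, enabled=False),
]
COMPUTERS = [computer("DC01.CORP.LOCAL", unconstrained=True),
             computer("PRINT01.CORP.LOCAL", unconstrained=True),
             computer("WS042.CORP.LOCAL")]
DOMAIN_CONTROLLERS = {"DC01.CORP.LOCAL"}  # DCs legitimately hold unconstrained delegation

def triage(users, computers, dcs, now=NOW):
    """Return remediation buckets, most urgent first, from parsed collector records."""
    out = {"spn_tier0": [], "spn_stale_password": [], "asrep_roastable": [], "unconstrained_non_dc": []}
    for p in (u["Properties"] for u in users):
        if not p["enabled"]:
            continue  # disabled accounts are clean-up, not an attack path
        if p["hasspn"] and p["admincount"]:
            out["spn_tier0"].append(p["name"])           # Kerberoast leads to Domain Admin directly
        elif p["hasspn"] and now - p["pwdlastset"] > STALE_DAYS * DAY:
            out["spn_stale_password"].append(p["name"])  # likely crackable; gMSA candidate
        if p["dontreqpreauth"]:
            out["asrep_roastable"].append(p["name"])
    for p in (c["Properties"] for c in computers):
        if p["enabled"] and p["unconstraineddelegation"] and p["name"] not in dcs:
            out["unconstrained_non_dc"].append(p["name"])  # the misconfigured print-server case
    return out

if __name__ == "__main__":
    for bucket, names in triage(USERS, COMPUTERS, DOMAIN_CONTROLLERS).items():
        print(f"{bucket:22} {names}")
```

On a real export, load `users.json` and `computers.json` with `json.load` and pass their `data` arrays in place of the constructed lists.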
Kerberos Attacks: Kerberoasting, AS-REP Roasting, Delegation
Kerberos was designed for a friendlier era. Several of its primitives now translate cleanly into attack techniques.
Kerberoasting requests TGS tickets for service accounts that have SPNs registered. The portion of the TGS-REP encrypted with the service account's key (its NTLM hash when RC4 is in use) is extracted and cracked offline with Hashcat in mode 13100. Indian enterprise AD has service accounts with weak passwords (Welcome@123, Service@2024, vendor names) almost universally; Kerberoasting succeeds against at least one high-value account in roughly 80 percent of engagements.
AS-REP Roasting targets users with Do Not Require Pre-Authentication set. The AS-REP is encrypted with the user's NTLM hash and crackable offline (Hashcat mode 18200). Less prevalent than Kerberoasting but trivially exploited where present.
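A defender-side check for the two roasting techniques above, as an added example that is not part of the original page: it scores simplified 4769 and 4768 Security events (constructed records using the Windows event field names `TargetUserName`, `ServiceName`, `TicketEncryptionType`, `PreAuthType`, `IpAddress`) for bursts of RC4 service tickets from one requester and for AS-REPs issued without pre-authentication. The threshold value is an assumption to tune per estate.

```python
"""Flag Kerberoasting and AS-REP roasting in Windows Security events 4769/4768.
Added example (not the page's tooling): events are simplified dicts using the
field names from the Windows event XML; real input would come from a SIEM."""
from collections import defaultdict

RC4_HMAC = "0x17"    # etype 23 (RC4-HMAC): the format Hashcat modes 13100 / 18200 crack
ROAST_THRESHOLD = 3  # distinct RC4 service tickets from one requester before alerting (assumed)

def ev(eid, user, svc, etype, ip, preauth=None):
    """Build a minimal event record (constructed test-data helper)."""
    return {"EventID": eid, "TargetUserName": user, "ServiceName": svc,
            "TicketEncryptionType": etype, "IpAddress": ip, "PreAuthType": preauth}

SAMPLE_EVENTS = [  # constructed: one host roasting three SPN accounts, one AS-REP without pre-auth
    ev(4769, "alice@CORP.LOCAL", "svc_sql", "0x17", "10.0.5.23"),
    ev(4769, "alice@CORP.LOCAL", "svc_backup", "0x17", "10.0.5.23"),
    ev(4769, "alice@CORP.LOCAL", "svc_iis", "0x17", "10.0.5.23"),
    ev(4769, "bob@CORP.LOCAL", "FS01$", "0x12", "10.0.7.9"),  # AES ticket to a machine account: benign
    ev(4768, "legacyapp", "krbtgt", "0x17", "10.0.5.23", preauth="0"),
]

def is_roastable_tgs(e):
    """RC4 service ticket for a user (not machine) account: the Kerberoasting signal."""
    svc = e["ServiceName"]
    return (e["EventID"] == 4769 and e["TicketEncryptionType"] == RC4_HMAC
            and not svc.endswith("$") and svc.lower() != "krbtgt")

def is_asrep_roast(e):
    """4768 with PreAuthType 0: the AS-REP was issued without pre-authentication."""
    return (e["EventID"] == 4768 and e["PreAuthType"] == "0"
            and e["TicketEncryptionType"] == RC4_HMAC)

def detect(events):
    """Return alerts as (technique, requester, source_ip, services) tuples."""
    tgs_by_src, alerts = defaultdict(set), []
    for e in events:
        if is_roastable_tgs(e):
            tgs_by_src[(e["TargetUserName"], e["IpAddress"])].add(e["ServiceName"])
        elif is_asrep_roast(e):
            alerts.append(("asrep-roast", e["TargetUserName"], e["IpAddress"], ("krbtgt",)))
    for (user, ip), services in sorted(tgs_by_src.items()):
        if len(services) >= ROAST_THRESHOLD:
            alerts.append(("kerberoast", user, ip, tuple(sorted(services))))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Enforcing AES-only service tickets on SPN accounts turns the RC4 condition into a hard audit failure rather than a heuristic, which is why the hardening list later on the page pairs gMSA migration with removing legacy NTLM and RC4.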
Unconstrained Delegation lets a compromised server collect TGTs of every user who authenticates to it, including the Domain Admin who logs into a misconfigured print server. Constrained Delegation with protocol transition (S4U2Self, S4U2Proxy) lets an attacker with control of a service account impersonate any user to any service the account is trusted for. Both are surfaced cleanly by BloodHound's TRUSTED_TO_AUTH_FOR_DELEGATION and ALLOWED_TO_DELEGATE edges.
Credential Attacks: Pass-the-Hash, Pass-the-Ticket, OverPass
Pass-the-Hash uses the NTLM hash of a user directly to authenticate to remote SMB, WMI, WinRM and RPC services without ever knowing the plaintext password. Mimikatz, Impacket's psexec.py, wmiexec.py and crackmapexec are the standard tools.
Pass-the-Ticket re-injects a captured Kerberos TGT into the attacker's logon session. OverPass-the-Hash uses an NTLM hash to request a new TGT from the KDC, bridging NTLM and Kerberos worlds.
Local admin credential reuse is the dominant accelerator. If the same local Administrator password is on every workstation, a single dumped SAM hash lets the attacker move freely across the estate. Microsoft LAPS (Local Administrator Password Solution) removes this attack path by randomising the local Administrator password per host. Deploying LAPS is a one-week project with outsize impact.
AD Certificate Services Abuse (ESC1 through ESC11)
The 2021 SpecterOps research on AD Certificate Services (Certified Pre-Owned) opened a major new attack surface. Misconfigured Certificate Templates allow domain users to request certificates that authenticate as arbitrary other users, including Domain Admins. The technique families are tracked as ESC1 through ESC11 plus ESC13 (CertifyKit) and ongoing additions.
Certify (Cobalt Strike adjacent) and Certipy (Python, cross-platform) automate enumeration. ESC1 (templates that allow SAN specification by a low-privilege requester) and ESC8 (NTLM relay to AD CS web enrolment) are the most common high-impact findings in Indian enterprise environments running AD CS without auditing certificate templates. A clean ESC1 finding typically delivers Domain Admin in under 10 minutes.
Lateral Movement and Persistence
Once Domain Admin or near-Tier-0 credentials are obtained, lateral movement happens over SMB, WMI, WinRM, RDP and PowerShell Remoting. Persistence techniques include Golden Ticket (forged TGT signed with the krbtgt hash), Silver Ticket (forged TGS for a single service), Skeleton Key (in-memory backdoor on the DC), DCSync (replicate krbtgt or any user hash via legitimate replication API), and ACL backdoors (granting DCSync rights or Replicating Directory Changes rights to a controlled object).
Each technique is included in our engagement output not for shock value but to demonstrate the failure mode. The single most important defensive lesson is that recovery from full domain compromise is a krbtgt rotation (twice, 10 hours apart) plus a tier-rebuild, not just a password reset. We document this in every AD report.
Hardening Recommendations That Actually Move the Needle
Our reports always close with prioritised hardening:
- deploy LAPS across all workstations and servers;
- migrate service accounts to gMSA with 30-day rotation;
- enforce a tiered admin model (Tier 0 / 1 / 2 with separate accounts and PAWs);
- disable NTLM where Kerberos suffices;
- disable SMBv1 estate-wide;
- audit and tighten AD CS templates against ESC1 through ESC11;
- enable LDAP signing and channel binding;
- deploy Microsoft Defender for Identity or equivalent for honeytoken accounts and lateral-movement detection.
Re-test within 90 days validates that the controls are in place. We re-run BloodHound against the same forest and produce a before-and-after attack-graph delta. Customers use this delta in board reports.
Frequently Asked Questions
Is an AD pentest safe for our production domain?
Yes. The vast majority of our AD pentest activity is read-only enumeration. The few write actions (Kerberoasting requests, certificate template testing, controlled lateral movement) are scoped, scheduled, and run with a dedicated bridge call. We do not run live in-domain ransomware-style payloads or DC takeover routines without a written tabletop scenario and customer sign-off.
How long does an AD pentest take?
A single-forest, single-domain engagement typically runs 2 to 3 weeks. Larger multi-forest, multi-tenant environments with hybrid Entra ID (Azure AD) coverage run 3 to 5 weeks. The depth of the report scales with the size of the forest.
Do you also test Entra ID / Azure AD and hybrid?
Yes. Modern Indian enterprises are almost all hybrid. We extend the AD methodology with Entra ID enumeration (AzureHound, ROADrecon), Conditional Access bypass testing, OAuth consent grant abuse, hybrid join attack chains, and Pass-the-PRT scenarios on Entra-joined endpoints.
What is the difference between an AD pentest and an AD security audit?
An AD audit is a control-based review against ISO 27001, CIS or Microsoft baseline configurations. An AD pentest is adversarial: it produces a real attack path from low-privilege user to Domain Admin. Most clients run an audit annually and a pentest annually, with the pentest tightening the controls the audit defined.
Will an AD pentest set off our EDR?
Often, intentionally. Visible detection events are a useful product of the test. Where the customer wants stealth (purple team or red team objective), we use OPSEC-tuned tooling (.NET in-memory, no Mimikatz on disk, JEA bypass through legitimate API patterns) and document detection misses. Both modes have their place.
What does AD pentest cost in India?
A single-forest engagement runs INR 4 to 9 lakh depending on size, hybrid coverage, and depth. Multi-forest enterprise engagements at large banks or conglomerates run higher. Codesecure publishes fixed-price proposals after a 30-minute scoping call.
Find Your Path to Domain Admin Before Attackers Do
Codesecure runs AD pentests for Indian banks, fintechs, hospitals, SaaS firms and manufacturing groups. ISO/IEC 27001:2022 certified delivery, named OSCP consultants, before-and-after attack-graph delta, free retest within 90 days.