Niklas

Posted on • Originally published at niklas-heringer.com

AD pentesting part 2: C2, pivoting & password spraying

Before you can enumerate or spray anything in an AD environment, your tooling needs to work. This is the setup layer most tutorials skip.

C2 frameworks replace raw shells
A raw reverse shell dies the moment your terminal closes. A C2 implant like Sliver has reconnect logic built in, encrypts all traffic, and queues tasks asynchronously. You leave instructions, you read results.

Use beacons, not sessions
Sessions maintain a persistent connection, exactly what EDR looks for. Beacons sleep between check-ins and add random jitter to their intervals. No consistent pattern, no persistent socket, far less visible.
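The jitter point above is also the defender's detection problem: a sleep interval with random jitter still produces a narrow spread of gaps between check-ins, just not a constant one. The script below is an added example, not code from the post or from Sliver; it scores outbound connection records per source/destination pair by the coefficient of variation of their inter-arrival times and flags pairs that are both frequent and regular. The log in build_sample_log is constructed, and the min_connections and max_cv thresholds are assumptions to tune against your own baseline.

```python
"""Score outbound connection records for beacon-like periodicity.

Added example, not from the original post. Assumes a flat connection log
(timestamp, source IP, destination host) such as a proxy or NetFlow export;
the records built below are constructed, not real traffic.
"""
import random
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Hand-picked irregular gaps (seconds) standing in for a person browsing.
_BROWSING_GAPS = [4, 210, 9, 380, 6, 45, 720, 3, 28, 150, 2, 600, 15,
                  90, 5, 330, 8, 40, 260, 7, 1100, 12, 60, 25, 480]


def build_sample_log():
    """Constructed sample: one host checks in every ~60 s with 20% jitter,
    another connects at irregular, human-looking intervals."""
    rng = random.Random(7)  # fixed seed so the sample is reproducible
    start = datetime(2024, 1, 1, 9, 0, 0)
    rows = []
    t = start
    for _ in range(40):
        # 60 s sleep, jitter uniformly in +/-20% (assumed beacon settings)
        t += timedelta(seconds=60 * rng.uniform(0.8, 1.2))
        rows.append((t, "10.0.0.5", "cdn.example.net"))
    t = start
    for gap in _BROWSING_GAPS:
        t += timedelta(seconds=gap)
        rows.append((t, "10.0.0.9", "news.example.org"))
    rows.sort()
    return rows


def interarrival_seconds(timestamps):
    """Gaps in seconds between consecutive connections."""
    ts = sorted(timestamps)
    return [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]


def beacon_score(intervals):
    """Coefficient of variation (std/mean) of the gaps.

    Near 0 means clockwork; around 1 is what random, bursty activity gives.
    Returns None when there is too little data to judge."""
    if len(intervals) < 10:
        return None
    m = mean(intervals)
    if m == 0:
        return None
    return pstdev(intervals) / m


def find_beacons(rows, min_connections=20, max_cv=0.3):
    """Map each (src, dst) pair whose gaps are regular enough to its score."""
    by_pair = defaultdict(list)
    for ts, src, dst in rows:
        by_pair[(src, dst)].append(ts)
    hits = {}
    for pair, times in by_pair.items():
        if len(times) < min_connections:
            continue
        cv = beacon_score(interarrival_seconds(times))
        if cv is not None and cv <= max_cv:
            hits[pair] = round(cv, 3)
    return hits


if __name__ == "__main__":
    for pair, cv in find_beacons(build_sample_log()).items():
        print(f"beacon-like: {pair[0]} -> {pair[1]} (cv={cv})")
```

With 20% jitter the sampled beacon still scores a coefficient of variation of roughly 0.1 to 0.2, far below the irregular host. Raising max_cv catches noisier beacons at the cost of false positives from legitimate polling clients (update checkers, mail sync), which are periodic too, so pair this score with destination reputation and the volume of data moved rather than using it alone.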

proxychains only intercepts TCP
proxychains works by hooking libc's socket calls through LD_PRELOAD, so it only sees TCP. UDP traffic bypasses the proxy entirely: force Kerberos and DNS over TCP using tool-specific flags. ICMP also bypasses it, so use nmap -sT for host discovery instead of ping. Statically linked binaries bypass it too, because there is no dynamic libc to hook; use tun2socks for those, since it routes at the OS level.

Enumerate usernames before spraying passwords
Kerbrute validates usernames by reading Kerberos AS-REQ responses. No authentication attempt means no lockout risk. Build your valid user list first, then choose one candidate password and spray slowly.

Password spraying targets many accounts, not one
One password across hundreds of users keeps you under the per-account lockout threshold. Know the domain's lockout policy before you start. A locked account is loud. A slow spray is silent.
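From the domain controller's side, the two steps above leave two different traces in the Kerberos audit log: AS-REQs for names that do not exist produce event 4768 with result code 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN), while one password tried against many real accounts produces event 4771 with failure code 0x18 (KDC_ERR_PREAUTH_FAILED) about once per account. The script below is an added example, not from the post or from any of the tools it names; it assumes the events are already parsed into dicts with the fields shown (event id, client address, target account, result code), uses constructed records, and flags a source address that touches many distinct accounts with either code inside a time window. The thresholds and window sizes are assumptions to tune to your domain.

```python
"""Flag Kerberos user enumeration and password spraying in DC audit events.

Added example, not from the original post. Assumes domain-controller events
4768/4771 already parsed into dicts; all records below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Result codes as Windows reports them in events 4768 and 4771.
KDC_ERR_C_PRINCIPAL_UNKNOWN = "0x6"   # account does not exist (enumeration trace)
KDC_ERR_PREAUTH_FAILED = "0x18"       # account exists, wrong password (spray trace)

_BASE = datetime(2024, 1, 1, 10, 0, 0)


def _ev(offset_s, event_id, client, account, code):
    """Build one constructed audit record."""
    return {"time": _BASE + timedelta(seconds=offset_s), "event_id": event_id,
            "client": client, "account": account, "code": code}


def build_sample_events():
    """Constructed sample: one enumerating host, one spraying host, one
    ordinary workstation whose user mistypes their own password."""
    ev = []
    # 10.0.0.5 tries 12 guessed names in under a minute; none exist.
    for i in range(12):
        ev.append(_ev(5 * i, 4768, "10.0.0.5", f"guess{i:02d}", KDC_ERR_C_PRINCIPAL_UNKNOWN))
    # 10.0.0.7 tries one password against 15 real accounts, once each, over 14 min.
    for i in range(15):
        ev.append(_ev(600 + 60 * i, 4771, "10.0.0.7", f"user{i:02d}", KDC_ERR_PREAUTH_FAILED))
    # 10.0.0.20: same user, three wrong passwords, plus one typo of their own name.
    for i in range(3):
        ev.append(_ev(100 + 20 * i, 4771, "10.0.0.20", "jdoe", KDC_ERR_PREAUTH_FAILED))
    ev.append(_ev(90, 4768, "10.0.0.20", "jdo", KDC_ERR_C_PRINCIPAL_UNKNOWN))
    return ev


def _distinct_in_window(events, window, threshold):
    """True if any span of length `window` holds >= threshold distinct accounts."""
    events = sorted(events, key=lambda e: e["time"])
    counts = defaultdict(int)
    left = 0
    for right in range(len(events)):
        counts[events[right]["account"]] += 1
        while events[right]["time"] - events[left]["time"] > window:
            acct = events[left]["account"]
            counts[acct] -= 1
            if counts[acct] == 0:
                del counts[acct]
            left += 1
        if len(counts) >= threshold:
            return True
    return False


def _sources_over_threshold(events, event_id, code, window, threshold):
    by_src = defaultdict(list)
    for e in events:
        if e["event_id"] == event_id and e["code"] == code:
            by_src[e["client"]].append(e)
    return sorted(src for src, evs in by_src.items()
                  if _distinct_in_window(evs, window, threshold))


def detect_enumeration(events, threshold=10, window=timedelta(minutes=5)):
    """Sources asking for TGTs for many nonexistent names in a short window."""
    return _sources_over_threshold(events, 4768, KDC_ERR_C_PRINCIPAL_UNKNOWN,
                                   window, threshold)


def detect_spray(events, threshold=10, window=timedelta(minutes=30)):
    """Sources failing pre-auth for many distinct real accounts in one window.
    A single account failing repeatedly (a forgotten password) is not a spray."""
    return _sources_over_threshold(events, 4771, KDC_ERR_PREAUTH_FAILED,
                                   window, threshold)


if __name__ == "__main__":
    sample = build_sample_events()
    print("enumeration from:", detect_enumeration(sample))
    print("spraying from:   ", detect_spray(sample))
```

Because a slow spray stays under the per-account lockout threshold, the per-account counters that lockout policy relies on never fire; the signal is the breadth across accounts from one source, which is why the detector keys on distinct account names per client address rather than on failures per account. Widening the window catches slower sprays at the cost of more noise from shared jump hosts and VPN concentrators, which legitimately front many users.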

Full post: https://niklas-heringer.com/penetration-testing/active-directory-pentesting-part-02/


All attacks performed against private lab environments with explicit permission. Lab used: Game of Active Directory
