Active Directory (AD) remains one of the most targeted environments in enterprise networks. This section covers offensive AD techniques from initial enumeration to full domain compromise, organized by attacker platform.
The same attack often looks very different depending on whether you are operating from a Linux/Kali machine (remote, unauthenticated or with stolen credentials) or from a Windows foothold (on-domain, local admin, or higher privileges). Understanding both perspectives is essential for red teamers and defenders alike.
| Section | Description |
|---|---|
| From Kali / Linux | Remote enumeration and exploitation using Impacket, BloodHound, NetExec, Certipy and other Linux-native tools |
| From Windows | On-host attacks using PowerView, Rubeus, Mimikatz, SharpHound, and living-off-the-land techniques |
Disclaimer: For educational purposes only. Unauthorized access to computer systems is illegal.
## Further Reading
These notes are personal field references. For broader coverage, authoritative community resources:
| Resource | Description |
|---|---|
| WADComs | Interactive cheat sheet: filter by OS, service, attack type, and what you have |
| HackTricks: AD Methodology | Comprehensive AD attack methodology reference |
| HackTricks: Pentesting AD | LDAP and AD enumeration techniques |
| AD Mindmap (SVG) | Full Active Directory attack mindmap; open in browser or Excalidraw |
Attacking Active Directory from Linux means operating remotely, typically with no domain-joined machine. The toolset revolves around Impacket, NetExec (nxc), BloodHound-python, Certipy, Kerbrute, and Responder.
The main constraint is that you cannot run Windows-native tools directly, but nearly every critical attack has a Python/Linux equivalent.
| Topic | File |
|---|---|
| Enumeration & Discovery | enumeration |
| Kerberos Attacks | kerberos-attacks |
| Credential Attacks & Relay | credential-attacks |
| Delegation Attacks | delegation-attacks |
| Lateral Movement | lateral-movement |
| Domain & Forest Trusts | domain-trusts |
| Persistence | persistence |
...
Attacking Active Directory from Windows means you already have a foothold: a domain-joined machine, a shell, or stolen credentials. The toolset includes PowerView, Rubeus, Mimikatz, SharpHound, Certify, Seatbelt, and PowerShell AD cmdlets.
Windows-based attacks are often faster and stealthier: you operate from within the domain, with native access to Kerberos, and can leverage LOLBAS (Living Off the Land Binaries and Scripts) to reduce tool footprint.
| Topic | File |
|---|---|
| Enumeration & Discovery | enumeration |
| Kerberos Attacks | kerberos-attacks |
| Credential Attacks | credential-attacks |
| Delegation Attacks | delegation-attacks |
| Lateral Movement | lateral-movement |
| Domain & Forest Trusts | domain-trusts |
| Persistence | persistence |
...