Active Directory & Entra ID Pentesting
BloodHound, NetExec, Impacket, Rubeus — owning AD and Azure AD.
Active Directory (and its cloud sibling Entra ID / Azure AD) is the crown jewel of most enterprise environments. The AD attack-graph toolkit went through major changes 2023–26: BloodHound got a CE GUI rewrite, CrackMapExec was sunset and forked into NetExec. For exploitation frameworks see Exploitation Frameworks. For cloud-side AD see Cloud Pentesting. On the defense side: Server Hardening, SIEM (Wazuh), Detection (Sigma / YARA / ATT&CK).
Attack graph — the must-have
- ★ ★ BloodHound CE (SpecterOps) — graphs AD / Entra ID privilege paths; "shortest path from any user to Domain Admin." 2024 CE rewrite gave it a modern web UI, Neo4j-or-Postgres backend, and unified ingestor. CE is free; BloodHound Enterprise paid adds continuous monitoring and remediation tracking.
- SharpHound — the .NET collector; runs from a domain-joined host.
- AzureHound — collector for Entra ID / Azure AD / Azure RBAC.
- bloodhound.py / RustHound-CE — cross-platform / faster collectors.
- Legacy "BloodHound 4.x" still floats around; CE is the path forward.
AD enumeration / abuse swiss-army
- ★ ★ NetExec (nxc) — community fork / successor of CrackMapExec; SMB / WinRM / LDAP / MSSQL / RDP / SSH / FTP enumeration and command execution. Default "I have a credential, what can I do?" tool 2024–26. Free.
- CrackMapExec (CME) — original; archived; use NetExec instead.
- ★ ★ Impacket (Fortra/SecureAuth) — Python AD swiss-army:
secretsdump,psexec,wmiexec,smbexec,getNPUsers,GetUserSPNs,ntlmrelayx,mssqlclient. Underpins half of AD pentesting workflows. Free. - Kerbrute — username enumeration + password spraying via Kerberos pre-auth.
- adidnsdump / adexplorer — AD-integrated DNS dumping / live AD browser.
- PowerView / PowerSploit (legacy PowerShell recon) — superseded by SharpView, SharpHound, and Rubeus.
Kerberos abuse
- ★ Rubeus (HarmJ0y) — .NET Kerberos toolkit: AS-REP roasting, Kerberoasting, S4U2Self / Constrained Delegation, ticket import/export. Still the reference. Free.
- Impacket: GetUserSPNs / GetNPUsers — Python equivalents.
- Mimikatz (gentilkiwi) — credential extraction / pass-the-ticket / DCSync / DCShadow / Skeleton Key. Heavily detected; useful for understanding.
- certipy (Olive Linder) — AD CS abuse (ESC1–ESC11+); 2023–26's hottest AD escalation path.
- Certify / ForgeCert — .NET equivalents.
- Ticketer.py / Silver Ticket Script — forged tickets.
NTLM / coercion
- PetitPotam, PrinterBug, ShadowCoerce, DFSCoerce, MS-EFSR — coercion primitives.
- ntlmrelayx (Impacket) — relay coerced NTLM auth to LDAP / ADCS / SMB.
- Coercer — automates coercion technique discovery.
- Responder (Laurent Gaffié) — LLMNR / NBT-NS / mDNS poisoner; collect NetNTLM hashes.
- inveigh — Responder for Windows / PowerShell.
AD audit (defensive / pre-engagement)
- ★ PingCastle — free AD security audit; gives a maturity score; reports prioritised by risk. Run quarterly.
- Purple Knight (Semperis) — free AD posture scan.
- ADRecon — read-only AD enumeration → Excel / HTML report.
- ADExplorer (Sysinternals) — point-in-time AD snapshots; you can diff with
AdExplorerSnapshot.py. - Forest Druid — Tier 0 attack-path discovery.
Entra ID / Azure AD specific
- ★ AzureHound — BloodHound collector for Entra ID + Azure RBAC.
- ROADtools / roadrecon — Entra ID enumeration.
- MicroBurst (NetSPI) — Azure red-team toolkit.
- AADInternals — PowerShell AAD (Entra ID) abuse.
- BARK (BloodHound Attack Research Kit) — Az / Entra abuse primitives.
- Stormspotter (sunset → ROADtools) — Microsoft's old red-team tool.
- TokenSmith / TokenTactics — token impersonation.
Password spraying / cred attacks
- kerbrute / NetExec --spray — Kerberos / SMB / LDAP / WinRM spraying.
- trevorspray — modern Python sprayer.
- MSOLSpray / MSOLSprayer — O365 password sprayers.
- DomainPasswordSpray (PowerShell) — classic.
- See also Password Cracking for offline crack of dumped hashes.
Local lab targets
- GOAD (Game of Active Directory) — Vulnerable AD lab; brilliant practice ground. Free.
- Vulnerable-AD (Safebuffer) — quick PowerShell AD lab setup.
- DetectionLab — defensive lab with logging.
- HackTheBox / TryHackMe AD paths — see Security Training Platforms.
Pick this if…
- Default AD attack-path mapper: BloodHound CE.
- Default "I have a credential" enumerator: NetExec.
- Need anything Kerberos / NTLM in Python: Impacket.
- Kerberos abuse on Windows endpoint: Rubeus.
- AD CS / certificate-based escalation: certipy.
- Quarterly defensive AD audit: PingCastle.
- Entra ID / Azure AD red team: AzureHound + ROADtools + MicroBurst.
- Lab to practice: GOAD.