Active Directory and Internal Network Penetration Testing: Attack Paths from Kerberoasting to Domain Admin, and Defense
The heart of internal penetration testing is Active Directory. How does an attacker move from a single low-privilege user to Domain Admin? We explain LLMNR poisoning, Kerberoasting, AS-REP Roasting, Pass-the-Hash, DCSync and Golden Ticket with their MITRE ATT&CK IDs, BloodHound attack-path analysis and Microsoft's defensive layers, with sources, step by step.
Quick answer: Internal penetration testing assumes the attacker already has a foothold in the network (for example a single employee machine compromised by phishing) and measures whether they can reach the highest privilege, Domain Admin in Active Directory. The typical chain is: network sniffing and LLMNR/NBT-NS poisoning for the first credential capture, attack-path mapping with BloodHound, cracking service-account passwords with Kerberoasting and AS-REP Roasting, Active Directory Certificate Services (ADCS) misconfigurations, abuse of unconstrained and constrained delegation, ACL and GPO abuse, lateral movement with Pass-the-Hash, and finally full domain takeover with DCSync or a Golden Ticket. According to Mandiant, the large majority of incident-response cases involve Active Directory in some way. Defense is built with a tiered admin model, Protected Users, LAPS, NTLM restriction, ADCS hardening and continuous attack-path auditing.
However good a company's perimeter security is (firewall, WAF, email filter), once attackers are inside, the real game is played on Active Directory. It is the central identity infrastructure governing who can access what in almost every enterprise network, which makes it the center of gravity for both defense and attack. Mandiant's annual M-Trends reports note that the overwhelming majority of investigated incidents involve Active Directory at some stage (initial access, persistence or privilege escalation). Internal penetration testing stages exactly this reality: our team does what a real attacker would do, in an authorized and controlled way, takes over the domain, proves by which path it did so and reports how to close that path.
This article covers internal testing that runs with an assumed breach scenario rather than external pentest. For the general process and pricing see the penetration testing process and when it is needed, for scope types see the black box, white box, grey box guide, and for how the services differ see red team vs pentest vs purple team.
What internal pentest is, and how it differs from external
External penetration testing targets the internet-facing surface (web sites, VPN, email, open ports). Internal pentest assumes the attacker has already crossed the perimeter and starts from a device placed inside the network or a given low-privilege user. The reason is realism: most modern breaches start with phishing, a stolen password or a supplier; the real damage comes from the attacker moving laterally and escalating privilege inside. The internal test answers "once someone is in, how far can they go, and will we notice."
There are two starting models. First, a fully credential-less start: the team plugs into the network and obtains the first credential itself through sniffing and poisoning, with no account given. Second, assumed breach: a standard employee account is given and "how far does an attacker who compromises this account get" is measured. The second model has become the standard because it focuses time and budget on the privilege-escalation stage where the attack creates real value. A modern attacker, rather than spending days breaking the perimeter, assumes a user fell to phishing and moves straight to lateral movement; the internal test reflects this reality.
What makes Active Directory this critical is the nature of its structure. Within a single forest, thousands of users, computers, groups and services are interconnected by a complex web of permissions and trusts. In this web administrators usually prioritize functionality over security: NTLM is left on for legacy compatibility, service accounts are over-permissioned, certificate templates are loosely configured. For the attacker each is a foothold; for the defender each is a path to close.
The attack path: from one user to Domain Admin
1. First foothold and network sniffing
An internal test usually starts with a device plugged into the network or a given user. The first goal is to understand what is on the network and obtain the first credential. In Windows networks, when a name cannot be resolved by DNS, a computer asks the network "who knows this name" via broadcast-based protocols such as LLMNR, NBT-NS and mDNS. The attacker answers these queries falsely, pulls the victim's authentication traffic to itself and captures the NTLM credential (challenge/response). MITRE ATT&CK defines this as T1557.001 (LLMNR/NBT-NS Poisoning and SMB Relay). In practice the network is sniffed with Responder; captured NetNTLMv2 hashes are either cracked offline or relayed directly to systems with SMB signing disabled. A relay to a server with SMB signing off can mean running commands on that server without ever cracking the password. This is where the first foothold lands in many internal tests.
2. Attack-path mapping with BloodHound
Once a valid user is held, the next question is "what is the shortest path from here to Domain Admin." BloodHound, developed by SpecterOps, models the relationships in Active Directory and Entra ID (who is a member of which group, who has a session on which machine, who has delegated rights to whom, who has write access over which object) as a graph and visualizes attack paths from a low-privilege foothold to high-value targets. For the attacker, BloodHound surfaces in seconds an escalation chain that would take days to find by hand; for the defender it is the map for closing those paths in advance. SpecterOps offers a free Community Edition and the commercial BloodHound Enterprise; the latter lets defenders continuously monitor attack paths.
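The graph search the paragraph describes, reduced to its core, as an added example (this is illustrative code, not BloodHound's own implementation or the page's). It runs a breadth-first search over a constructed edge list using the same edge kinds BloodHound collects (MemberOf, AdminTo, HasSession, GenericAll); all principal, group and host names are assumptions. The second function is the defensive reading of the same graph: it counts how many foothold accounts' shortest paths cross each edge, so the edge to fix first is the one whose removal cuts the most paths.

```python
from collections import deque

# Constructed sample graph (assumed names, not a real domain). Each edge is
# (source, relationship, target), in the direction BloodHound records them:
# a computer "HasSession" a user means that user's credential is exposed on it.
SAMPLE_EDGES = [
    ("alice@corp.local", "MemberOf", "HELPDESK@corp.local"),
    ("HELPDESK@corp.local", "AdminTo", "WS01.corp.local"),
    ("WS01.corp.local", "HasSession", "svc_backup@corp.local"),
    ("carol@corp.local", "AdminTo", "WS02.corp.local"),
    ("WS02.corp.local", "HasSession", "svc_backup@corp.local"),
    ("svc_backup@corp.local", "GenericAll", "SERVER ADMINS@corp.local"),
    ("SERVER ADMINS@corp.local", "MemberOf", "DOMAIN ADMINS@corp.local"),
    ("bob@corp.local", "MemberOf", "FINANCE@corp.local"),
]


def build_graph(edges):
    """Adjacency list: node -> [(relationship, neighbour), ...]."""
    graph = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((rel, dst))
    return graph


def shortest_path(edges, start, goal):
    """Breadth-first search from start to goal over typed edges.
    Returns the path as a list of (node, relationship, node) hops,
    or None when no path exists."""
    graph = build_graph(edges)
    parent = {start: None}          # node -> (previous node, relationship)
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            break
        for rel, nxt in graph.get(node, []):
            if nxt not in parent:
                parent[nxt] = (node, rel)
                queue.append(nxt)
    if goal not in parent:
        return None
    hops, cur = [], goal
    while parent[cur] is not None:
        prev, rel = parent[cur]
        hops.append((prev, rel, cur))
        cur = prev
    hops.reverse()
    return hops


def format_path(hops):
    """Render hops as 'a --Rel--> b --Rel--> c' for a report."""
    if not hops:
        return ""
    out = hops[0][0]
    for _, rel, dst in hops:
        out += f" --{rel}--> {dst}"
    return out


def remediation_priority(edges, starts, goal):
    """Defender's view: for each foothold in starts, find its shortest path to
    goal and count the edges traversed. Sorted descending, so the first entry
    is the single edge whose removal breaks the most paths."""
    counts = {}
    for s in starts:
        for hop in shortest_path(edges, s, goal) or []:
            counts[hop] = counts.get(hop, 0) + 1
    return sorted(counts.items(), key=lambda kv: -kv[1])


if __name__ == "__main__":
    goal = "DOMAIN ADMINS@corp.local"
    for user in ("alice@corp.local", "carol@corp.local", "bob@corp.local"):
        print(user, "->", format_path(shortest_path(SAMPLE_EDGES, user, goal)) or "no path")
    for edge, n in remediation_priority(SAMPLE_EDGES,
                                        ["alice@corp.local", "carol@corp.local"], goal):
        print(n, edge)
```

On this sample, alice and carol reach Domain Admins through different workstations but converge on the session of svc_backup and its GenericAll right over SERVER ADMINS; removing that one ACE (or taking svc_backup out of the sessions on workstations) cuts both paths at once, which is the kind of choke point continuous path auditing is meant to surface.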
3. Kerberoasting
In Active Directory, services (SQL Server, web applications, backup agents) often run under a service account, and these accounts are assigned an SPN (Service Principal Name). In the technique MITRE ATT&CK defines as T1558.003 (Kerberoasting), the attacker requests Kerberos service tickets (TGS) for SPN accounts and cracks them offline to recover the service account's cleartext password. Because service accounts are frequently high-privilege (even Domain Admin members) and weakly passworded for years, Kerberoasting is one of the most productive escalation paths in internal tests. It is also hard to detect since any authenticated user can request the ticket and the cracking is offline. Defense is to give service accounts random passwords of 25 characters or more (or group-managed service accounts, gMSA).
4. AS-REP Roasting
Some accounts have Kerberos pre-authentication disabled. MITRE ATT&CK T1558.004 (AS-REP Roasting) describes this weakness: the attacker requests encrypted AS-REP material for accounts with pre-auth disabled and cracks it offline. Unlike Kerberoasting, it does not require knowing the target's password; only the account's existence and disabled pre-auth are enough. Accounts with pre-auth disabled for legacy applications are an overlooked risk in many organizations.
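Detection logic for the two Kerberos techniques above (Kerberoasting in section 3 and AS-REP Roasting in section 4), as an added example that is not part of the original article. It runs over a constructed sample of domain controller Security events: 4769 (service ticket requested) carries the ticket encryption type and the requested service, and 4768 (TGT requested) carries the pre-authentication type. The Kerberoasting rule flags a requester that pulls RC4 (0x17) service tickets for several distinct SPN accounts inside one short window, which is the pattern the paragraph explains an attacker must produce; the AS-REP rule flags any 4768 with PreAuthType 0, since that account is crackable whoever asked. Thresholds, account and host names are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (assumed names). Field names follow the 4769/4768 event
# data: TicketEncryptionType -> enc, PreAuthType -> preauth,
# ServiceName -> service, TargetUserName -> user, IpAddress -> ip.
SAMPLE_EVENTS = [
    # normal AES service ticket for a file server
    {"id": 4769, "time": "2024-05-01T09:00:01", "user": "alice@CORP.LOCAL",
     "service": "FS01$", "enc": "0x12", "ip": "10.0.1.20"},
    # one requester pulls RC4 tickets for four SPN accounts in five seconds
    {"id": 4769, "time": "2024-05-01T09:05:00", "user": "mallory@CORP.LOCAL",
     "service": "svc_sql", "enc": "0x17", "ip": "10.0.1.77"},
    {"id": 4769, "time": "2024-05-01T09:05:02", "user": "mallory@CORP.LOCAL",
     "service": "svc_backup", "enc": "0x17", "ip": "10.0.1.77"},
    {"id": 4769, "time": "2024-05-01T09:05:03", "user": "mallory@CORP.LOCAL",
     "service": "svc_web", "enc": "0x17", "ip": "10.0.1.77"},
    {"id": 4769, "time": "2024-05-01T09:05:05", "user": "mallory@CORP.LOCAL",
     "service": "svc_iis", "enc": "0x17", "ip": "10.0.1.77"},
    # a legacy application that uses RC4 for one service all day: not a burst
    {"id": 4769, "time": "2024-05-01T10:00:00", "user": "bob@CORP.LOCAL",
     "service": "svc_legacy", "enc": "0x17", "ip": "10.0.1.30"},
    {"id": 4769, "time": "2024-05-01T10:00:30", "user": "bob@CORP.LOCAL",
     "service": "svc_legacy", "enc": "0x17", "ip": "10.0.1.30"},
    # 4768 with PreAuthType 0 ("Logon without Pre-Authentication") for a user
    {"id": 4768, "time": "2024-05-01T09:06:00", "user": "svc_oldapp",
     "preauth": "0", "enc": "0x17", "ip": "10.0.1.77"},
    # 4768 for a normal user with pre-authentication in use
    {"id": 4768, "time": "2024-05-01T09:06:10", "user": "alice",
     "preauth": "2", "enc": "0x12", "ip": "10.0.1.20"},
]

RC4_HMAC = "0x17"   # TicketEncryptionType value for RC4; AES is 0x11/0x12


def detect_kerberoasting(events, min_services=3, window=timedelta(minutes=5)):
    """Return {requester: sorted distinct services} for every requester that
    obtained RC4 service tickets for at least min_services distinct SPN
    accounts within one sliding window. Machine accounts (name$) and krbtgt
    are skipped as services: they are not the Kerberoast target."""
    per_user = defaultdict(list)
    for ev in events:
        if ev["id"] != 4769 or ev["enc"] != RC4_HMAC:
            continue
        if ev["service"].endswith("$") or ev["service"].lower() == "krbtgt":
            continue
        per_user[ev["user"]].append((datetime.fromisoformat(ev["time"]), ev["service"]))
    findings = {}
    for user, reqs in per_user.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):
            services = {s for t, s in reqs[i:] if t - t0 <= window}
            if len(services) >= min_services:
                findings[user] = sorted(services)
                break
    return findings


def detect_asrep_requests(events):
    """Accounts (non-machine) for which a TGT was issued without
    pre-authentication. Each one needs pre-auth re-enabled, regardless of
    whether this particular request was hostile."""
    return sorted({ev["user"] for ev in events
                   if ev["id"] == 4768 and ev.get("preauth") == "0"
                   and not ev["user"].endswith("$")})


if __name__ == "__main__":
    print("Kerberoasting candidates:", detect_kerberoasting(SAMPLE_EVENTS))
    print("Accounts without pre-auth:", detect_asrep_requests(SAMPLE_EVENTS))
```

The RC4 filter is what keeps this rule's noise low: once service accounts are AES-only (or gMSA), a client asking for RC4 tickets is itself the anomaly. The legacy account bob in the sample shows the remaining caveat, a single service polled all day with RC4 is noise, not a roast, so the distinct-service count matters more than the raw event count.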
5. ADCS: Active Directory Certificate Services attacks
The most productive new attack surface of recent years is Active Directory Certificate Services (ADCS). Misconfigured certificate templates can let a low-privilege user request a certificate on behalf of a high-privilege user (for example Domain Admin) and authenticate as that user with the certificate. These vulnerability families are numbered ESC1 to ESC8; for example a template letting the client specify the subject name (ESC1) or the web enrollment endpoint being open to NTLM relay (ESC8). ADCS attacks are an indispensable check item in internal tests because they can lead directly to domain takeover without any password cracking. Defense is to tighten the enrollment permissions and flags of certificate templates and protect web enrollment endpoints.
6. Delegation, ACL and GPO abuse
Active Directory's flexibility offers many abusable delegation mechanisms. If a server configured with unconstrained delegation is compromised, the Kerberos ticket of every user who authenticates to it can be stolen; by coercing a domain controller into authenticating to that server, the same weakness can be used to capture the domain controller's own ticket. Constrained delegation and resource-based constrained delegation (RBCD), when misconfigured, let the attacker impersonate another user. Beyond these, overly broad access control lists (ACLs) on objects can let an attacker reset a user's password, add themselves to a group or modify a GPO (Group Policy Object) to run code across a wide set of machines. This is exactly why BloodHound visualizes these chains.
7. Lateral movement with Pass-the-Hash
In NTLM authentication the hash of the password is used, not the password itself. In MITRE ATT&CK T1550.002 (Pass the Hash), the attacker uses an NTLM hash stolen from one machine to authenticate on other machines without ever cracking the password, moving laterally. If the local administrator password is the same on every machine, a single hash opens the whole network, which is why local admin passwords must be machine-specific and rotated. Lateral movement is the stage where the attacker hops from machine to machine toward high-value targets and usually offers the most opportunity for detection.
8. DCSync and Golden Ticket: full domain takeover
The end of the chain is full control of the domain. In MITRE ATT&CK T1003.006 (DCSync), the attacker abuses replication rights to impersonate a domain controller and pull password hashes, including historical ones, from Active Directory. The most critical target is the KRBTGT account hash: if it is captured, with MITRE ATT&CK T1558.001 (Golden Ticket) the attacker can forge valid Kerberos tickets for any account in the domain, that is, impersonate any identity and persist. At this point the domain is fully compromised, and cleanup usually requires resetting the KRBTGT password twice at short intervals; a single reset is not enough because tickets issued under the previous key keep working for a while.
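Detection logic for the two stages just described (Pass-the-Hash lateral movement in section 7 and DCSync in section 8), as an added example that is not part of the original article. It runs over constructed Security events: 4624 logons on member servers, and 4662 directory-object access on a domain controller. The lateral-movement rule looks for what a shared local administrator password produces, NTLM network logons as the RID-500 account from one source to many hosts in a short window; the DCSync rule looks for the replication extended rights (real, documented GUIDs) being exercised by anything that is not a domain controller account. Host names, account names and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Extended-rights GUIDs a replication partner exercises. A 4662 carrying one
# of these from a principal that is not a domain controller is the DCSync signal.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Constructed sample events (assumed host, account and address values).
SAMPLE_EVENTS = [
    # 4624 type 3 / NTLM as the built-in Administrator (RID 500): one source, four hosts
    {"id": 4624, "time": "2024-05-01T11:00:00", "host": "WS02", "logon_type": 3, "auth": "NTLM",
     "user": "Administrator", "sid": "S-1-5-21-1111-2222-3333-500", "src_ip": "10.0.1.77"},
    {"id": 4624, "time": "2024-05-01T11:00:07", "host": "WS03", "logon_type": 3, "auth": "NTLM",
     "user": "Administrator", "sid": "S-1-5-21-4444-5555-6666-500", "src_ip": "10.0.1.77"},
    {"id": 4624, "time": "2024-05-01T11:00:15", "host": "WS04", "logon_type": 3, "auth": "NTLM",
     "user": "Administrator", "sid": "S-1-5-21-7777-8888-9999-500", "src_ip": "10.0.1.77"},
    {"id": 4624, "time": "2024-05-01T11:02:40", "host": "FS01", "logon_type": 3, "auth": "NTLM",
     "user": "Administrator", "sid": "S-1-5-21-1212-3434-5656-500", "src_ip": "10.0.1.77"},
    # a domain user's Kerberos logon to a share: not in scope for this rule
    {"id": 4624, "time": "2024-05-01T11:01:00", "host": "FS01", "logon_type": 3, "auth": "Kerberos",
     "user": "alice", "sid": "S-1-5-21-1111-2222-3333-1105", "src_ip": "10.0.1.20"},
    # one admin session to one server from a jump host: below threshold
    {"id": 4624, "time": "2024-05-01T11:30:00", "host": "FS02", "logon_type": 3, "auth": "NTLM",
     "user": "Administrator", "sid": "S-1-5-21-9999-8888-7777-500", "src_ip": "10.0.9.2"},
    # 4662 from a domain controller's own account: expected replication
    {"id": 4662, "time": "2024-05-01T11:40:00", "subject": "DC02$",
     "properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # 4662 from a user account asking for the same rights
    {"id": 4662, "time": "2024-05-01T11:41:00", "subject": "mallory",
     "properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
]


def detect_local_admin_spray(events, min_hosts=3, window=timedelta(minutes=30)):
    """Return {source_ip: sorted hosts} where one source produced NTLM
    network logons (type 3) as a RID-500 local administrator on at least
    min_hosts distinct hosts inside one sliding window. This is the footprint
    of a reused local admin secret being replayed across machines; with LAPS
    in place the same hash cannot succeed on a second host."""
    per_src = defaultdict(list)
    for ev in events:
        if ev["id"] != 4624 or ev["logon_type"] != 3 or ev["auth"] != "NTLM":
            continue
        if not ev["sid"].endswith("-500"):
            continue
        per_src[ev["src_ip"]].append((datetime.fromisoformat(ev["time"]), ev["host"]))
    findings = {}
    for src, logons in per_src.items():
        logons.sort()
        for i, (t0, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                findings[src] = sorted(hosts)
                break
    return findings


def detect_dcsync(events, dc_accounts):
    """Return [(subject, [right names])] for 4662 events that exercise a
    replication right from any principal outside the known DC accounts."""
    known = {d.upper() for d in dc_accounts}
    findings = []
    for ev in events:
        if ev["id"] != 4662 or ev["subject"].upper() in known:
            continue
        props = ev["properties"].lower()
        rights = [name for guid, name in REPLICATION_RIGHTS.items() if guid in props]
        if rights:
            findings.append((ev["subject"], rights))
    return findings


if __name__ == "__main__":
    print("local admin spray:", detect_local_admin_spray(SAMPLE_EVENTS))
    print("DCSync:", detect_dcsync(SAMPLE_EVENTS, ["DC01$", "DC02$"]))
```

Two caveats a practitioner will hit: 4662 is only written when "Audit Directory Service Access" is enabled and the domain naming context carries a SACL for these rights, so the DCSync rule has nothing to read until that auditing is configured; and the allow-list of DC accounts must be maintained, because a new domain controller or an Entra Connect account with legitimate replication rights will otherwise fire the rule.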
Attack technique, MITRE ATT&CK and defense summary
| Stage | Technique | MITRE ATT&CK | Primary defense |
|---|---|---|---|
| First credential | LLMNR/NBT-NS poisoning | T1557.001 | Disable LLMNR/NBT-NS, SMB signing |
| Escalation | Kerberoasting | T1558.003 | Long random service passwords, gMSA |
| Escalation | AS-REP Roasting | T1558.004 | Enforce pre-authentication |
| Lateral movement | Pass-the-Hash | T1550.002 | LAPS, Protected Users, NTLM restriction |
| Full takeover | DCSync | T1003.006 | Audit replication rights |
| Persistence | Golden Ticket | T1558.001 | KRBTGT protection, Tier 0 isolation |
How findings are reported
The value of an internal pentest is not in listing techniques but in presenting each finding as a proven attack path. At DSET we report every chain with raw evidence (captured hash, BloodHound path graph, forged ticket, requested rogue certificate) and step-by-step reproduction; we do not present false positives. We explained why this matters in verified vulnerabilities and false-positive-free testing. The report is two-layered: it gives the executive the business risk and impact in plain language, and the technical team the full remediation steps and prioritization for each finding. Closure is confirmed with a retest after remediation.
Defense: closing the attack paths
- Tiered admin model. Microsoft's enterprise access model separates privileged accounts into tiers (Tier 0 domain controllers and identity infrastructure, Tier 1 servers, Tier 2 clients), prevents credentials in one tier from compromising another and applies Zero Trust (explicit validation, least privilege, assume breach). Never logging Tier 0 accounts onto a client largely closes the path to a Golden Ticket.
- Protected Users group. Accounts in this group use only Kerberos AES and cannot use NTLM, credential delegation or cached plaintext credentials, limiting credential theft such as Pass-the-Hash.
- Windows LAPS. Generates machine-specific local admin passwords and rotates them; Microsoft explicitly describes it as protection against pass-the-hash and lateral movement.
- Disable LLMNR/NBT-NS and enforce SMB signing. Turning off broadcast name resolution and requiring SMB signing largely stops poisoning and relay attacks.
- NTLM restriction and strong service-account passwords. Restricting NTLM where possible and giving service accounts long, random passwords or group-managed service accounts reduces Kerberoasting and relay yield.
- ADCS hardening. Review the enrollment permissions and flags of certificate templates, disable templates that let the client specify the subject name and protect web enrollment endpoints against NTLM relay.
- Continuous path auditing. Running BloodHound on the defensive side regularly closes newly formed attack paths before the attacker; this should be a continuous discipline, not a static audit.
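An audit that checks a directory export and a few host settings against the defensive list above, as an added example (illustrative code, not a DSET or Microsoft tool). It works on a constructed export with the attributes a practitioner would pull by LDAP or Get-ADUser/Get-ADComputer: userAccountControl (the documented bit values for pre-authentication not required and unconstrained delegation), servicePrincipalName, pwdLastSet, object class and group membership. The password-age threshold stands in for the "long random password" rule, since password length is not visible in the directory; that substitution, the threshold, and all names are assumptions. The registry value names for LLMNR and SMB signing are the real ones.

```python
from datetime import datetime

# userAccountControl bits (documented values)
ACCOUNTDISABLE = 0x0002
TRUSTED_FOR_DELEGATION = 0x80000    # unconstrained delegation
DONT_REQ_PREAUTH = 0x400000         # Kerberos pre-authentication not required

# Constructed directory export (assumed names); uac values combine the bits
# above with NORMAL_ACCOUNT (0x200), DONT_EXPIRE_PASSWORD (0x10000),
# WORKSTATION_TRUST_ACCOUNT (0x1000) or SERVER_TRUST_ACCOUNT (0x2000).
SAMPLE_OBJECTS = [
    {"name": "svc_sql", "class": "user", "uac": 0x10200, "spn": ["MSSQLSvc/sql01:1433"],
     "pwd_last_set": "2019-03-01", "groups": ["Domain Admins"]},
    {"name": "svc_backup", "class": "user", "uac": 0x10200, "spn": ["backup/bk01"],
     "pwd_last_set": "2024-04-10", "groups": []},
    {"name": "gmsa_web$", "class": "msDS-GroupManagedServiceAccount", "uac": 0x1000,
     "spn": ["HTTP/web01"], "pwd_last_set": "2024-04-25", "groups": []},
    {"name": "svc_oldapp", "class": "user", "uac": 0x410200, "spn": [],
     "pwd_last_set": "2022-01-01", "groups": []},
    {"name": "APP01$", "class": "computer", "uac": 0x81000, "spn": ["HOST/app01"],
     "pwd_last_set": "2024-04-20", "groups": []},
    {"name": "DC01$", "class": "computer", "uac": 0x82000, "spn": ["HOST/dc01"],
     "pwd_last_set": "2024-04-20", "groups": []},
    {"name": "admin.jane", "class": "user", "uac": 0x200, "spn": [],
     "pwd_last_set": "2024-04-01", "groups": ["Domain Admins", "Protected Users"]},
    {"name": "admin.bob", "class": "user", "uac": 0x200, "spn": [],
     "pwd_last_set": "2024-03-01", "groups": ["Domain Admins"]},
]

# Constructed per-host policy values as a registry/GPO export would give them:
# DNSClient\EnableMulticast = 0 disables LLMNR;
# LanmanServer\Parameters\RequireSecuritySignature = 1 requires SMB signing.
SAMPLE_HOSTS = {
    "WS01": {"EnableMulticast": 0, "RequireSecuritySignature": 1},
    "WS02": {"EnableMulticast": 1, "RequireSecuritySignature": 0},
}


def audit_directory(objects, dc_accounts, tier0_groups=("Domain Admins",),
                    max_spn_pwd_age_days=365, today=None):
    """Return [(object name, issue)] for the hygiene failures the article's
    defense list targets. today is injectable so the audit is reproducible."""
    today = today or datetime(2024, 5, 1)
    tier0 = set(tier0_groups)
    findings = []
    for o in objects:
        name, cls, uac, groups = o["name"], o["class"], o["uac"], set(o["groups"])
        if uac & DONT_REQ_PREAUTH and not uac & ACCOUNTDISABLE:
            findings.append((name, "pre-auth disabled: AS-REP roastable, enforce pre-authentication"))
        if uac & TRUSTED_FOR_DELEGATION and name not in dc_accounts:
            findings.append((name, "unconstrained delegation on a non-DC: exposes every authenticating user's TGT"))
        if cls == "user" and o["spn"]:   # a user with an SPN is a Kerberoast target; gMSA is a different class
            age = (today - datetime.fromisoformat(o["pwd_last_set"])).days
            if age > max_spn_pwd_age_days:
                findings.append((name, f"SPN account password {age} days old: rotate to a long random value or migrate to gMSA"))
            if groups & tier0:
                findings.append((name, "SPN account is Tier 0: a Kerberoast here yields Domain Admin"))
        if cls == "user" and groups & tier0 and "Protected Users" not in groups:
            findings.append((name, "Tier 0 account outside Protected Users: NTLM and delegation still allowed"))
    return findings


def audit_hosts(hosts):
    """Return [(host, issue)] for hosts that still answer LLMNR or accept unsigned SMB."""
    findings = []
    for host, s in hosts.items():
        if s.get("EnableMulticast", 1) != 0:
            findings.append((host, "LLMNR enabled (DNSClient\\EnableMulticast != 0): poisoning target"))
        if s.get("RequireSecuritySignature", 0) != 1:
            findings.append((host, "SMB signing not required (LanmanServer\\RequireSecuritySignature != 1): relay target"))
    return findings


if __name__ == "__main__":
    for name, issue in audit_directory(SAMPLE_OBJECTS, ["DC01$"]) + audit_hosts(SAMPLE_HOSTS):
        print(f"{name}: {issue}")
```

On the sample, svc_sql collects three findings at once (stale password, SPN on a Tier 0 account, not in Protected Users), which is the combination behind the article's observation that Kerberoasting is among the most productive escalation paths. A real run should also add unconstrained delegation and Protected Users checks for the ADCS and Tier 0 computer accounts the export contains, using the same bit tests.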
How we work at DSET
We run internal tests in an authorized way with scope defined in writing; for the legal framework see the penetration testing contract and legal authorization. Our domestic autonomous engine KAOS accelerates findings, but every critical finding is verified by a human expert. For our methodology see the PTES seven-stage standard and the pentest standards comparison. To also test the web and API layer see our web application penetration testing and API security penetration testing.
Frequently Asked Questions
Does an internal pentest replace an external one? No, they measure different surfaces. The external test measures the perimeter, the internal test measures lateral movement and escalation risk after the perimeter is crossed. A mature program includes both.
Will the test break the network? With proper scope and Rules of Engagement, risk is managed; destructive techniques (such as wide-scale service disruption or KRBTGT reset) are not run without written approval and a maintenance window.
Will you really take over Domain Admin? That is the goal and it is reachable in most first tests; the real value is proving by which path it was reached and how to close that path.
How often should it be done? At least once a year and after a significant change in Active Directory (a new trust, a new certificate authority, a major migration). Tools such as BloodHound Enterprise can be used for continuous monitoring.
Can the attack be detected? Yes; Kerberoasting ticket requests, DCSync replication requests and anomalous certificate requests can be detected with proper logging and monitoring. The internal test also indirectly probes this detection capability.
Sources
- MITRE ATT&CK, Kerberoasting (T1558.003): https://attack.mitre.org/techniques/T1558/003/
- MITRE ATT&CK, AS-REP Roasting (T1558.004): https://attack.mitre.org/techniques/T1558/004/
- MITRE ATT&CK, Pass the Hash (T1550.002): https://attack.mitre.org/techniques/T1550/002/
- MITRE ATT&CK, DCSync (T1003.006): https://attack.mitre.org/techniques/T1003/006/
- MITRE ATT&CK, Golden Ticket (T1558.001): https://attack.mitre.org/techniques/T1558/001/
- MITRE ATT&CK, LLMNR/NBT-NS Poisoning and SMB Relay (T1557.001): https://attack.mitre.org/techniques/T1557/001/
- SpecterOps, BloodHound: https://specterops.io/bloodhound-overview/
- Microsoft, enterprise access model (tiered admin): https://learn.microsoft.com/en-us/security/privileged-access-workstations/privileged-access-access-model
- Microsoft, Protected Users security group: https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/protected-users-security-group
- Microsoft, Windows LAPS: https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-overview
- Mandiant, M-Trends 2026: https://cloud.google.com/blog/topics/threat-intelligence/m-trends-2026
To prove whether an attacker can reach Domain Admin in your internal network, contact DSET.