
Winning the Game of Active Directory

DEF CON Conference · 27,929 views · 43:04 · over 1 year ago

This talk demonstrates various offensive techniques for compromising Active Directory environments, including anonymous enumeration, Kerberoasting, and NTLM relay attacks. It covers the exploitation of misconfigurations such as insecure GPO permissions, unconstrained delegation, and vulnerable AD Certificate Services (ADCS) templates. The presentation provides practical mitigation strategies for each attack vector, emphasizing the importance of hardening AD security posture.

Beyond Domain Admin: Exploiting Active Directory Misconfigurations

TLDR: This post breaks down common, high-impact Active Directory misconfigurations that lead to full domain compromise. We cover how to identify and exploit anonymous enumeration, Kerberoasting, and unconstrained delegation, and how to use tools like Impacket and Certipy to pivot from low-privileged access to domain dominance. If you are performing internal network assessments, these techniques are essential for demonstrating real-world risk to your clients.

Active Directory remains the backbone of most enterprise environments, and despite years of security hardening, it is still frequently misconfigured. During a recent engagement, I saw a team spend weeks trying to find a complex zero-day, while the domain was wide open to basic, well-documented attacks. If you are a pentester, you know that the path to domain admin is rarely about finding a single exploit; it is about chaining together small, often overlooked configuration errors.

The Power of Anonymous Enumeration

Many administrators assume that requiring authentication for network access is enough to stop an attacker. However, if the Pre-Windows 2000 Compatible Access group contains the Anonymous Logon or Everyone group, you have a massive information disclosure vulnerability.

Using CrackMapExec, you can query the domain controller without any credentials. This allows you to pull a list of all domain users, which is the first step in any targeted attack. Once you have the user list, you can begin password spraying or identifying accounts that are susceptible to Kerberoasting.

crackmapexec smb <DC_IP> -u '' -p '' --users

The fix here is simple but often ignored: remove the Everyone and Anonymous Logon groups from the Pre-Windows 2000 Compatible Access group. If you are on an engagement, this is the first thing you should check. It provides the map you need to navigate the rest of the domain.

Kerberoasting and Service Principal Names

Kerberoasting is a classic technique that remains highly effective because it targets the way Windows handles service authentication. When a user requests a service ticket for a service with a Service Principal Name (SPN), the domain controller returns a ticket encrypted with a key derived from the service account's password (the account's NT hash when RC4 is used), so anyone holding the ticket can attempt to recover that password offline.

If you have a valid user account, you can request these tickets for any service account in the domain. Once you have the ticket, you can take it offline and crack it using Hashcat.

impacket-GetUserSPNs -request -dc-ip <DC_IP> <DOMAIN>/<USER>:<PASSWORD>

The vulnerability here is weak service account passwords. If an account has a weak password, you will crack it in minutes. To defend against this, enforce long, complex, and random passwords for all service accounts. If you are a researcher, look for service accounts that are members of high-privileged groups, as these are your primary targets for escalation.
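On the defensive side, the request pattern described above is visible in Windows Security event 4769 (a TGS request). The following detection logic is an added example, not part of the original post: it flags an account that pulls several RC4-encrypted (etype 0x17) service tickets for distinct SPNs inside a short window, ignoring krbtgt and machine accounts. The event records are constructed for the example, and the field layout assumes a pre-parsed (time, account, service, encryption type, status) tuple per event.

```python
"""Flag Kerberoasting-style bursts in Windows Security event 4769 records.

Heuristic: one account requesting RC4-encrypted (0x17) service tickets for
many distinct SPNs inside a short window. Normal clients negotiate AES (0x11/0x12);
a burst of RC4 requests from a single user is the classic roasting signature.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of 4769 events: (time, requesting account, service name, ticket etype, status)
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:01", "jdoe@CORP.LOCAL", "sqlsvc", "0x17", "0x0"),
    ("2024-05-01T09:00:02", "jdoe@CORP.LOCAL", "httpsvc", "0x17", "0x0"),
    ("2024-05-01T09:00:02", "jdoe@CORP.LOCAL", "backupsvc", "0x17", "0x0"),
    ("2024-05-01T09:00:03", "jdoe@CORP.LOCAL", "exchsvc", "0x17", "0x0"),
    ("2024-05-01T09:00:03", "jdoe@CORP.LOCAL", "krbtgt", "0x17", "0x0"),   # TGT renewal noise, ignored
    ("2024-05-01T09:00:05", "asmith@CORP.LOCAL", "sqlsvc", "0x12", "0x0"),  # AES ticket, normal use
    ("2024-05-01T09:00:06", "WS01$@CORP.LOCAL", "httpsvc", "0x17", "0x0"),  # machine account, ignored
    ("2024-05-01T09:30:00", "asmith@CORP.LOCAL", "httpsvc", "0x17", "0x0"),  # single RC4 request, below threshold
]

RC4_HMAC = "0x17"
WINDOW = timedelta(minutes=5)


def kerberoast_suspects(events, threshold=3, window=WINDOW):
    """Return {account: sorted SPN list} for accounts that obtained at least
    `threshold` distinct RC4 service tickets within `window`."""
    per_account = defaultdict(list)
    for ts, account, service, etype, status in events:
        if status != "0x0" or etype != RC4_HMAC:
            continue  # failed request, or an AES ticket that is not practical to crack
        if service.lower() == "krbtgt" or account.split("@")[0].endswith("$"):
            continue  # TGT traffic and computer accounts are not what a roaster targets
        per_account[account].append((datetime.fromisoformat(ts), service))

    suspects = {}
    for account, reqs in per_account.items():
        reqs.sort()  # chronological, so each start index defines a sliding window
        for i, (start, _) in enumerate(reqs):
            spns = {svc for t, svc in reqs[i:] if t - start <= window}
            if len(spns) >= threshold:
                suspects[account] = sorted(spns)
                break
    return suspects


if __name__ == "__main__":
    for account, spns in kerberoast_suspects(SAMPLE_EVENTS).items():
        print(f"ALERT {account}: {len(spns)} RC4 service tickets within 5 min -> {spns}")
```

Tuning the threshold per environment matters: a handful of legacy applications still request RC4 tickets, so baseline normal RC4 volume before alerting on it.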

Unconstrained Delegation and Impersonation

Unconstrained delegation is a dangerous configuration where a server can impersonate any user who authenticates to it. If a domain admin authenticates to a server configured for unconstrained delegation, that server caches the admin's Ticket Granting Ticket (TGT).

If you compromise that server, you can dump the memory using Mimikatz and extract the admin's TGT. With that ticket, you can impersonate the domain admin and move laterally throughout the entire network.

# Using Mimikatz to export tickets
sekurlsa::tickets /export

To mitigate this, move away from unconstrained delegation entirely. Use constrained delegation or resource-based constrained delegation instead. These configurations limit the services that a server can impersonate, significantly reducing the blast radius of a server compromise.
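To find which of the three delegation models each account actually uses, the attributes to read are userAccountControl and the two msDS delegation attributes. The audit below is an added example, not code from the talk or the post: the directory entries are constructed, and in a real run they would come from an LDAP search (for instance with ldap3) returning the same attribute names.

```python
"""Classify delegation configuration of AD accounts from their LDAP attributes.

- userAccountControl & TRUSTED_FOR_DELEGATION        -> unconstrained delegation
- msDS-AllowedToDelegateTo populated                 -> constrained delegation
  (+ TRUSTED_TO_AUTH_FOR_DELEGATION = protocol transition, "any authentication protocol")
- msDS-AllowedToActOnBehalfOfOtherIdentity populated -> resource-based constrained delegation
Domain controllers carry TRUSTED_FOR_DELEGATION by default; they are reported separately.
"""
TRUSTED_FOR_DELEGATION = 0x80000
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000
SERVER_TRUST_ACCOUNT = 0x2000          # set on domain controller computer accounts
WORKSTATION_TRUST_ACCOUNT = 0x1000     # set on member server / workstation accounts

# Constructed directory entries (subset of attributes a search would return)
SAMPLE_ENTRIES = [
    {"sAMAccountName": "DC01$", "userAccountControl": SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": [], "msDS-AllowedToActOnBehalfOfOtherIdentity": None},
    {"sAMAccountName": "FILESRV01$", "userAccountControl": WORKSTATION_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": [], "msDS-AllowedToActOnBehalfOfOtherIdentity": None},
    {"sAMAccountName": "WEB01$", "userAccountControl": WORKSTATION_TRUST_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": ["cifs/filesrv01.corp.local"], "msDS-AllowedToActOnBehalfOfOtherIdentity": None},
    {"sAMAccountName": "APP02$", "userAccountControl": WORKSTATION_TRUST_ACCOUNT,
     "msDS-AllowedToDelegateTo": [], "msDS-AllowedToActOnBehalfOfOtherIdentity": b"<constructed security descriptor>"},
    {"sAMAccountName": "WS05$", "userAccountControl": WORKSTATION_TRUST_ACCOUNT,
     "msDS-AllowedToDelegateTo": [], "msDS-AllowedToActOnBehalfOfOtherIdentity": None},
]


def delegation_kind(entry):
    """Return one of: domain-controller, unconstrained, constrained,
    constrained (protocol transition), resource-based constrained, none."""
    uac = entry["userAccountControl"]
    if uac & TRUSTED_FOR_DELEGATION:
        return "domain-controller" if uac & SERVER_TRUST_ACCOUNT else "unconstrained"
    if entry.get("msDS-AllowedToDelegateTo"):
        if uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
            return "constrained (protocol transition)"
        return "constrained"
    if entry.get("msDS-AllowedToActOnBehalfOfOtherIdentity"):
        return "resource-based constrained"
    return "none"


def find_unconstrained(entries):
    """Names of non-DC accounts with unconstrained delegation: the ones to remediate first."""
    return [e["sAMAccountName"] for e in entries if delegation_kind(e) == "unconstrained"]


if __name__ == "__main__":
    for e in SAMPLE_ENTRIES:
        print(f"{e['sAMAccountName']:12} {delegation_kind(e)}")
    print("remediate:", find_unconstrained(SAMPLE_ENTRIES))
```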

AD Certificate Services (ADCS) Misconfigurations

ADCS is often the "hidden" path to domain admin. If a certificate template grants Enrollment Rights to low-privileged users and has the ENROLLEE_SUPPLIES_SUBJECT flag set (in msPKI-Certificate-Name-Flag), an enrollee can request a certificate for any user in the domain, including the domain administrator.

Using Certipy, you can identify these vulnerable templates and request a certificate for a high-privileged account.

certipy find -u <USER>@<DOMAIN> -p <PASSWORD> -dc-ip <DC_IP>
certipy req -u <USER>@<DOMAIN> -p <PASSWORD> -target <CA_SERVER> -template <TEMPLATE_NAME> -upn administrator@<DOMAIN>

Once you have the certificate, you can use it to authenticate as the administrator and dump the domain secrets. This is a critical access-control failure (OWASP A01:2021 Broken Access Control). If you are auditing an environment, always check the ADCS configuration. It is frequently the most overlooked attack vector in modern Windows environments.
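The template check below is an added example, not code from the post or from Certipy. It encodes the conditions that together make a template exploitable in the way described above (the pattern usually labelled ESC1): low-privileged enrollment rights, ENROLLEE_SUPPLIES_SUBJECT, an EKU that permits logon, no manager approval, and no authorized signatures required. The template records are constructed; the bit values and OIDs are the documented msPKI values.

```python
"""Audit certificate templates for the ESC1 pattern.

All conditions must hold for a template to be flagged; dropping any one of them
(for example requiring manager approval) closes the path.
"""
ENROLLEE_SUPPLIES_SUBJECT = 0x1   # bit in msPKI-Certificate-Name-Flag
PEND_ALL_REQUESTS = 0x2           # bit in msPKI-Enrollment-Flag: CA manager approval required
LOGON_EKUS = {
    "1.3.6.1.5.5.7.3.2",        # Client Authentication
    "1.3.6.1.5.2.3.4",          # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",   # Smart Card Logon
    "2.5.29.37.0",              # Any Purpose
}
LOW_PRIV_PRINCIPALS = {"Domain Users", "Authenticated Users", "Domain Computers", "Everyone"}

# Constructed templates: name_flag = msPKI-Certificate-Name-Flag, enrollment_flag = msPKI-Enrollment-Flag,
# ra_signatures = msPKI-RA-Signature, ekus = pKIExtendedKeyUsage, enroll_rights = principals with Enroll
SAMPLE_TEMPLATES = [
    {"name": "User", "name_flag": 0x0, "enrollment_flag": 0x0, "ra_signatures": 0,
     "ekus": ["1.3.6.1.5.5.7.3.2"], "enroll_rights": ["Domain Users"]},
    {"name": "VPNAccess", "name_flag": 0x1, "enrollment_flag": 0x0, "ra_signatures": 0,
     "ekus": ["1.3.6.1.5.5.7.3.2"], "enroll_rights": ["Domain Users"]},
    {"name": "WebServerCustom", "name_flag": 0x1, "enrollment_flag": 0x0, "ra_signatures": 0,
     "ekus": ["1.3.6.1.5.5.7.3.1"], "enroll_rights": ["Authenticated Users"]},   # Server Authentication only
    {"name": "SupplySubjectApproved", "name_flag": 0x1, "enrollment_flag": 0x2, "ra_signatures": 0,
     "ekus": ["1.3.6.1.5.5.7.3.2"], "enroll_rights": ["Domain Users"]},           # manager approval required
    {"name": "AdminOnly", "name_flag": 0x1, "enrollment_flag": 0x0, "ra_signatures": 0,
     "ekus": ["1.3.6.1.5.5.7.3.2"], "enroll_rights": ["Domain Admins"]},
]


def esc1_checks(tpl):
    """Evaluate each ESC1 condition separately so a report can say which one is open."""
    ekus = set(tpl["ekus"])
    return {
        "low_priv_enroll": bool(LOW_PRIV_PRINCIPALS & set(tpl["enroll_rights"])),
        "enrollee_supplies_subject": bool(tpl["name_flag"] & ENROLLEE_SUPPLIES_SUBJECT),
        "logon_eku": not ekus or bool(LOGON_EKUS & ekus),   # an empty EKU list means any purpose
        "no_manager_approval": not (tpl["enrollment_flag"] & PEND_ALL_REQUESTS),
        "no_authorized_signatures": tpl["ra_signatures"] == 0,
    }


def is_esc1_vulnerable(tpl):
    return all(esc1_checks(tpl).values())


def find_esc1(templates):
    return [t["name"] for t in templates if is_esc1_vulnerable(t)]


if __name__ == "__main__":
    print("ESC1 templates:", find_esc1(SAMPLE_TEMPLATES))
```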

Final Thoughts for the Field

Active Directory security is not about implementing a single "silver bullet" solution. It is about consistent, rigorous hygiene. As a pentester, your goal is to show the business that these small, seemingly minor misconfigurations can be chained together to achieve total control.

When you are on an engagement, do not just look for the "big" vulnerabilities. Look for the gaps in the GPOs, the service accounts with passwords that haven't been changed in years, and the ADCS templates that allow for unauthorized enrollment. These are the paths that lead to the domain controller, and they are the paths that you need to master to be effective in your work. Keep testing, keep documenting, and keep pushing the boundaries of what you can achieve in these environments.

Talk type: talk · Difficulty: intermediate · Category: red team · Tags: Has Demo, Has Code, Tool Released


DEF CON 32 · 2024