
Active Directory Pentest

Kerberoasting, delegation abuse and privilege escalation in AD

€175/hour. CCV certified.

Active Directory is the heart of virtually every enterprise environment. That is why it is often a favourite target for attackers. We test your AD environment for misconfigurations, weak passwords, delegation abuse, Kerberoasting and attack paths towards Domain Admin.

What is an Active Directory pentest?

An Active Directory (AD) pentest is a specialised attack on the core of your Windows environment. AD manages identities, rights and policy rules of virtually all users and systems in an enterprise network. Whoever has Domain Admin has everything. That is why AD is the primary target in targeted attacks and ransomware.

Our pentesters know the techniques that APT groups and ransomware operators use: Kerberoasting, AS-REP Roasting, unconstrained and constrained delegation abuse, DCSync, NTDS.dit extraction, ACL abuse, Golden Ticket and Silver Ticket attacks, PetitPotam and PrintNightmare relay attacks. We not only test whether these attacks are technically possible, but also document the full path from user to Domain Admin, so that the client can remediate it.

Why should you get an Active Directory pentest?

In many ransomware incidents, AD is the primary target. An AD pentest maps the following, among other things:

  • Attack paths towards Domain Admin - concrete, exploitable paths that we actually follow.
  • Weak passwords - via password spraying and Kerberoasting we identify accounts with vulnerable passwords.
  • Misconfigurations - delegation, ACLs, SPNs, nested group memberships, outdated protocols.
  • Detection gaps - many organisations do not detect AD attacks. We tell you whether your SOC saw us.

Our approach

AD security is one of our specialities. We follow a methodical approach and share findings directly:

  1. AD Enumeration - users, groups, computers, OUs, GPOs, trust relationships and SPNs mapped with BloodHound, SharpHound and PowerView.
  2. Credential attacks - Kerberoasting, AS-REP Roasting, password spraying and NTLM relay attacks. Cracking passwords with Hashcat.
  3. Privilege escalation - delegation abuse (unconstrained, constrained, RBCD), ACL abuse (WriteDACL, GenericAll, GenericWrite), GPO abuse, group nesting.
  4. Lateral movement - pass-the-hash, overpass-the-hash, pass-the-ticket, remote execution via WMI, PSRemoting and SMB.
  5. Domain compromise - DCSync, NTDS.dit extraction, Golden/Silver Ticket. If the path exists, we follow it.
  6. Reporting - fully documented attack path with concrete hardening recommendations. BloodHound visualisations of the attack paths. Retest available on request.

Do we find something critical? Then you hear about it the same day. Not in a report, but via a call or message in our shared channel.

What does an Active Directory pentest cost?

Our hourly rate is €175 per hour. Indications:

  • Single domain, 100-500 users: approximately €7,000 - €12,000
  • Multi-domain/forest, complex trust relationships: approximately €12,000 - €25,000
  • Combined with an infrastructure pentest: the two investigations share enumeration work, so the total cost is lower

After a scoping call with the pentester you receive a fixed quote.

Methodology

  1. Reconnaissance - Enumeration of users, groups, GPOs and trust relationships.
  2. Credential Attacks - Kerberoasting, AS-REP roasting and password spraying.
  3. Privilege Escalation - Abuse of delegation, ACL misconfigurations and group nesting.
  4. Lateral Movement - Pass-the-hash, overpass-the-hash and ticket-based attacks.
  5. Reporting - Full attack path with concrete hardening recommendations.

Frequently asked questions

What is Kerberoasting and why is it dangerous?

Kerberoasting is an attack in which any regular domain user requests TGS tickets for service accounts (accounts with an SPN) and then cracks those tickets offline with Hashcat to recover the service account password. Many service accounts have weak passwords and high privileges. We find this in almost every AD pentest.
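A detection-side illustration of the answer above, added here and not part of the original page: a small detector over constructed Windows Security event 4769 (Kerberos service ticket request) records that flags one account requesting RC4-encrypted (0x17) tickets for many distinct SPNs within a short window, which is the usual Kerberoasting footprint. The one-line record format and the sample values are assumptions for the example; real 4769 events are EVTX/XML and would be parsed first.

```python
# Added example (not the page's or any tool's code): Kerberoasting detector
# over constructed event 4769 records. Signature: one requester pulls TGS
# tickets for many distinct SPNs using RC4 (0x17) in a short window.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real logs). Fields, in order:
# timestamp, requesting account, service name (SPN owner), ticket
# encryption type, client address. 0x12 = AES256, 0x17 = RC4-HMAC.
SAMPLE_4769 = [
    "2024-05-01T09:00:01 alice svc_sql 0x12 10.0.0.5",
    "2024-05-01T09:00:02 alice svc_web 0x12 10.0.0.5",
    "2024-05-01T09:10:00 bob svc_sql 0x17 10.0.0.9",
    "2024-05-01T09:10:01 bob svc_web 0x17 10.0.0.9",
    "2024-05-01T09:10:02 bob svc_backup 0x17 10.0.0.9",
    "2024-05-01T09:10:03 bob svc_sccm 0x17 10.0.0.9",
    "2024-05-01T09:10:04 bob svc_exch 0x17 10.0.0.9",
    "2024-05-01T09:10:05 bob svc_adfs 0x17 10.0.0.9",
]

RC4_HMAC = "0x17"  # ticket encryption type value in event 4769

def parse_4769(line):
    """Parse one simplified 4769 record (assumed format) into a dict."""
    ts, account, spn, etype, ip = line.split()
    return {"time": datetime.fromisoformat(ts), "account": account,
            "spn": spn, "etype": etype.lower(), "ip": ip}

def find_kerberoast_suspects(lines, window=timedelta(minutes=5), threshold=5):
    """Return {account: sorted SPNs} for accounts that requested RC4 TGS
    tickets for at least `threshold` distinct SPNs inside any sliding window."""
    per_account = defaultdict(list)
    for ev in map(parse_4769, lines):
        if ev["etype"] == RC4_HMAC:          # AES requests are left alone
            per_account[ev["account"]].append(ev)
    suspects = {}
    for account, events in per_account.items():
        events.sort(key=lambda e: e["time"])
        best, start = set(), 0
        for end, ev in enumerate(events):
            while ev["time"] - events[start]["time"] > window:
                start += 1                    # slide the window forward
            spns = {e["spn"] for e in events[start:end + 1]}
            if len(spns) > len(best):
                best = spns
        if len(best) >= threshold:
            suspects[account] = sorted(best)
    return suspects

if __name__ == "__main__":
    for account, spns in find_kerberoast_suspects(SAMPLE_4769).items():
        print(f"{account}: RC4 TGS requests for {len(spns)} SPNs -> {', '.join(spns)}")
```

Tune the threshold to the environment: applications that legitimately still use RC4 should be whitelisted, and moving service accounts to AES-only makes any remaining 0x17 request stand out on its own.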

Can you also include Azure AD / Entra ID in the test?

Yes. Most organisations have a hybrid environment. We test the synchronisation via Azure AD Connect, conditional access policies and the attack paths between on-premises and cloud. See also our Azure / Entra ID Pentest.

What if you reach Domain Admin? Isn't that dangerous?

We work in a controlled manner. The goal is to demonstrate that the path exists, not to cause damage. We consult with you before any risky step and document every action we take. Once we reach Domain Admin we stop escalating and report the path. And you hear about it directly, not only in the final report.

How does an AD pentest differ from a regular internal pentest?

An internal pentest tests the broad network: segmentation, services, patches. An AD pentest is specifically focused on Active Directory: Kerberos attacks, delegation abuse, ACL analysis and domain compromise. The ideal approach combines both.

Ready to test your security?

Get in touch with our team for a no-obligation conversation about your security challenges.