Active Directory Pentest

Kerberoasting, delegation abuse and privilege escalation in AD

€175/hour - CCV certified

Active Directory is the heart of virtually every enterprise environment - and a favourite target for attackers. We test your AD environment for misconfigurations, weak passwords, delegation abuse, Kerberoasting and attack paths toward Domain Admin.

What is an Active Directory pentest?

An Active Directory (AD) pentest is a specialised attack on the core of your Windows environment. AD manages identities, permissions and policies of virtually all users and systems in an enterprise network. Whoever has Domain Admin has everything. That is why AD is the primary target in targeted attacks and ransomware.

Our AD pentesters know the techniques that APT groups and ransomware operators use: Kerberoasting, AS-REP Roasting, unconstrained and constrained delegation abuse, DCSync, NTDS.dit extraction, ACL abuse, Golden Ticket and Silver Ticket attacks, PetitPotam and PrintNightmare relay attacks. We do not only test whether these attacks are technically possible, but document the full path from user to Domain Admin.

Why is Active Directory so vulnerable?

AD has existed since Windows 2000 and was designed for compatibility, not security. The default configuration is insecure. Virtually every AD environment we test contains a path toward Domain Admin:

  • NTLM authentication that enables relay attacks
  • Service accounts with weak passwords (Kerberoasting)
  • Historically grown ACL permissions that nobody oversees anymore
  • Trust relationships with legacy domains
  • GPOs with open permissions

Why should you get an Active Directory pentest?

In more than 80% of ransomware incidents, AD is the primary target. An AD pentest reveals:

  • Attack paths toward Domain Admin - concrete, exploitable paths that we actually follow.
  • Weak passwords - via password spraying and Kerberoasting we identify accounts with vulnerable passwords. We crack those passwords - that is the proof.
  • Misconfigurations - delegation, ACLs, SPNs, nested group memberships, outdated protocols.
  • Detection gaps - many organisations do not detect AD attacks. We tell you whether your SOC saw us coming.

Our approach

AD security is one of our specialities. We follow a methodical approach and share findings immediately:

  • AD Enumeration - mapping users, groups, computers, OUs, GPOs, trust relationships and SPNs with BloodHound, SharpHound and PowerView.
  • Credential attacks - Kerberoasting, AS-REP Roasting, password spraying and NTLM relay attacks. Cracking passwords with Hashcat.
  • Privilege escalation - delegation abuse (unconstrained, constrained, RBCD), ACL abuse (WriteDACL, GenericAll, GenericWrite), GPO abuse, group nesting.
  • Lateral movement - pass-the-hash, overpass-the-hash, pass-the-ticket, remote execution via WMI, PSRemoting and SMB.
  • Domain compromise - DCSync, NTDS.dit extraction, Golden/Silver Ticket. If the path exists, we follow it.
  • Reporting - fully documented attack path with concrete hardening recommendations. BloodHound visualisations of attack paths. Retest available on request.

Find something critical? You hear about it the same day. Not in a report, but via a call or message in our shared channel.

What does an Active Directory pentest cost?

Our hourly rate is €175 per hour. Indications:

  • Single domain, 100-500 users: approximately €7,000 - €12,000
  • Multi-domain/forest, complex trust relationships: approximately €12,000 - €25,000
  • Combined with infrastructure pentest: additional discount possible

After a scoping call - with the pentester, not a sales rep - you receive a fixed quote.

Methodology

1. Reconnaissance - enumeration of users, groups, GPOs and trust relationships.

2. Credential Attacks - Kerberoasting, AS-REP roasting and password spraying.

3. Privilege Escalation - abuse of delegation, ACL misconfigurations and group nesting.

4. Lateral Movement - pass-the-hash, overpass-the-hash and ticket-based attacks.

5. Reporting - full attack path with concrete hardening recommendations.

Frequently asked questions

What is Kerberoasting and why is it dangerous?

Kerberoasting is an attack where any regular domain user requests service tickets (TGS) for accounts that have an SPN registered and cracks the encrypted part of those tickets offline with Hashcat. Many service accounts have weak passwords and high privileges, and the domain controller hands out the tickets without any sign that something is wrong. We find this in almost every AD pentest.
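Added example, not part of this service page: detection logic a SOC can run over Windows Security event 4769 (service ticket requested) records to spot the burst of ticket requests that Kerberoasting produces. The event records, the five-minute window and the four-service threshold are constructed assumptions for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"  # ticket encryption type attackers prefer because RC4 cracks far faster than AES

# Constructed 4769 records: (timestamp, requesting account, service name, encryption type, status)
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:01", "j.doe", "svc_sql", "0x17", "0x0"),
    ("2024-05-01T09:00:02", "j.doe", "svc_web", "0x17", "0x0"),
    ("2024-05-01T09:00:02", "j.doe", "svc_backup", "0x17", "0x0"),
    ("2024-05-01T09:00:03", "j.doe", "svc_sccm", "0x17", "0x0"),
    ("2024-05-01T09:00:04", "j.doe", "svc_sql", "0x17", "0x0"),        # repeat, not a new service
    ("2024-05-01T09:05:00", "a.smith", "FILESRV01$", "0x12", "0x0"),   # ordinary file share access
    ("2024-05-01T09:06:00", "a.smith", "svc_web", "0x12", "0x0"),
    ("2024-05-01T09:07:00", "b.jones", "krbtgt", "0x12", "0x0"),       # TGT-related, not of interest here
    ("2024-05-01T09:08:00", "j.doe", "svc_sql", "0x17", "0x1b"),       # failed request, status != 0x0
]


def is_candidate(service, status):
    """Only successful requests for non-machine, non-krbtgt accounts are roastable targets."""
    return status == "0x0" and not service.endswith("$") and service != "krbtgt"


def detect_kerberoasting(events, window=timedelta(minutes=5), min_services=4):
    """Return {user: {"services": [...], "rc4": bool}} for every account that requested
    tickets for at least `min_services` distinct services inside a single `window`."""
    per_user = defaultdict(list)
    for ts, user, service, etype, status in events:
        if is_candidate(service.lower(), status):
            per_user[user.lower()].append((datetime.fromisoformat(ts), service.lower(), etype.lower()))
    alerts = {}
    for user, reqs in per_user.items():
        reqs.sort()  # chronological, so each request can open a sliding window
        for i, (start, _, _) in enumerate(reqs):
            in_window = [r for r in reqs[i:] if r[0] - start <= window]
            services = {s for _, s, _ in in_window}
            if len(services) >= min_services:
                alerts[user] = {
                    "services": sorted(services),
                    "rc4": any(e == RC4_HMAC for _, _, e in in_window),
                }
                break
    return alerts


if __name__ == "__main__":
    for user, hit in detect_kerberoasting(SAMPLE_EVENTS).items():
        print(f"{user}: {len(hit['services'])} services in window, RC4={hit['rc4']}")
```

The RC4 flag is a strong signal but not a requirement: an attacker can request AES tickets, so the distinct-service count stays the primary trigger. Enforcing AES-only and long random passwords (or gMSAs) on SPN-bearing accounts is what removes the easy win.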

Can you also include Azure AD / Entra ID in the test?

Yes. Most organisations have a hybrid environment. We test the synchronisation via Azure AD Connect, conditional access policies and the attack paths between on-premises and cloud. See also our Azure / Entra ID Assessment.

What if you reach Domain Admin - isn't that dangerous?

We work in a controlled manner. The goal is to demonstrate the path exists, not to cause damage. We consult at risk moments and document every step. Upon reaching Domain Admin we stop escalating and report the path. And you hear about it immediately - not just in the final report.

How does an AD pentest differ from a regular internal pentest?

An internal pentest tests the broad network: segmentation, services, patches. An AD pentest specifically targets Active Directory: Kerberos attacks, delegation abuse, ACL analysis and domain compromise. The ideal approach combines both, and that comes with a discount.

Ready to test your security?

Get in touch with our team for a no-obligation conversation about your security challenges.