ad-attack-chain

Modular Active Directory attack chain for authorized penetration testing engagements. Automates the handoff between reconnaissance, credential attacks, and post-exploitation so you spend time on analysis — not copy-pasting tool output between terminals.

Legal notice: For use only on systems you own or have explicit written authorization to test. Unauthorized use is illegal. The author assumes no liability for misuse.


What it covers

Module            Technique                                      Tools wrapped
recon.py          LDAP enumeration, BloodHound ingest            ldap3, bloodhound-python
kerberoast.py     SPN enumeration → TGS request → crack          impacket, hashcat
shadow_creds.py   msDS-KeyCredentialLink abuse → NT hash         pywhisker, PKINITtools
adcs_abuse.py     ESC1 / ESC8 template abuse → cert auth         certipy
post_exploit.py   Pass-the-Hash / Pass-the-Ticket → dump         impacket secretsdump
output.py         Loot aggregation, JSON + Markdown report

Each module is independently runnable and passes a shared loot dict to the next stage, so recon findings (e.g. users with GenericWrite) automatically feed shadow credential targeting.


Motivation

Built while working through HackTheBox Hard/Insane Windows AD machines (Logging, Eighteen, Garfield) and preparing for OSCP / HTB CPTS. Existing tooling requires significant manual chaining — this automates the inter-tool handoff while keeping full visibility into every command executed.

Key pain points this solves from real engagements:

  • Kerberos clock skew: a faketime context manager wraps all Kerberos operations automatically
  • Tool output parsing: the pywhisker → gettgtpkinit → getnthash pipeline is fully automated
  • Target selection: shadow credential targets are pulled from BloodHound GenericWrite edges, not hardcoded
  • Loot organization: all output lands in a structured loot/ directory with a final Markdown report

Requirements

Python 3.10+
impacket >= 0.12.0
ldap3 >= 2.9.1
certipy-ad >= 4.8.2
bloodhound >= 1.6.1
pyyaml >= 6.0.2
rich >= 13.7.1

External tools expected on PATH or at configured paths:

Install Python dependencies:

pip install -r requirements.txt

Setup

git clone https://github.com/J0stif/ad-attack-chain.git
cd ad-attack-chain
pip install -r requirements.txt
cp config.example.yaml config.yaml
nano config.yaml   # fill in your target, creds, and paths

Configuration

config.yaml is gitignored — only config.example.yaml ships with the repo. Fill in your engagement details:

target:
  domain: lab.local
  dc_ip: 10.10.10.5
  dc_hostname: DC01

auth:
  username: jdoe
  password: null        # plaintext, or leave null and use hash/ccache
  hash: null            # NTLM hash for PTH entry point
  ccache: null          # path to .ccache for ticket-based entry

options:
  faketime_offset: null # e.g. "+7h" if DC clock is ahead — measure with nmap
  output_dir: ./loot
  wordlist: /usr/share/wordlists/rockyou.txt
  threads: 4

modules:
  run: [recon, kerberoast, shadow_creds, adcs]
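
A consistency check for the filled-in config.yaml before chain.py runs, added here as an example and not part of the project: it enforces exactly one auth entry point (password, hash or ccache), the NT-hash form impacket accepts, a relative faketime offset and known module names. The layout and key names follow the example config above; pyyaml is only touched by load_config.

```python
"""Validate a config.yaml for the chain before any module runs.

Added example, not code from the ad-attack-chain project. It assumes the
target / auth / options / modules layout shown above and the NT-hash form
impacket accepts (NT or LM:NT).
"""
import re

KNOWN_MODULES = {"recon", "kerberoast", "shadow_creds", "adcs", "post_exploit"}
# libfaketime-style relative offset such as "+7h", "-90m" or "+25200" (assumed format)
OFFSET_RE = re.compile(r"^[+-]\d+[smhdy]?$")
NT_HASH_RE = re.compile(r"^(?:[0-9a-fA-F]{32}:)?[0-9a-fA-F]{32}$")

# Constructed sample, same shape as config.example.yaml above (not a real engagement)
SAMPLE_CONFIG = {
    "target": {"domain": "lab.local", "dc_ip": "10.10.10.5", "dc_hostname": "DC01"},
    "auth": {"username": "jdoe", "password": "Winter2024!", "hash": None, "ccache": None},
    "options": {"faketime_offset": "+7h", "output_dir": "./loot", "threads": 4},
    "modules": {"run": ["recon", "kerberoast", "shadow_creds", "adcs"]},
}

def load_config(path: str) -> dict:
    """Parse config.yaml with pyyaml (listed in the README's requirements)."""
    import yaml  # imported here so validate_config() itself has no third-party dependency
    with open(path, encoding="utf-8") as fh:
        return yaml.safe_load(fh) or {}

def validate_config(cfg: dict) -> list[str]:
    """Return every problem found; an empty list means the config is usable."""
    problems: list[str] = []
    for section, keys in (("target", ("domain", "dc_ip", "dc_hostname")),
                          ("auth", ("username",))):
        block = cfg.get(section) or {}
        problems += [f"{section}.{key} is required" for key in keys if not block.get(key)]
    auth = cfg.get("auth") or {}
    # Exactly one entry point: plaintext password, NT hash for PTH, or a .ccache file
    supplied = [k for k in ("password", "hash", "ccache") if auth.get(k)]
    if len(supplied) != 1:
        problems.append(f"auth needs exactly one of password/hash/ccache, got {supplied}")
    if auth.get("hash") and not NT_HASH_RE.match(str(auth["hash"])):
        problems.append("auth.hash must be a 32-hex-character NT hash (or LM:NT)")
    opts = cfg.get("options") or {}
    offset = opts.get("faketime_offset")
    if offset is not None and not OFFSET_RE.match(str(offset)):
        problems.append(f"options.faketime_offset {offset!r} is not a relative offset like +7h")
    threads = opts.get("threads", 1)
    if not isinstance(threads, int) or isinstance(threads, bool) or threads < 1:
        problems.append("options.threads must be a positive integer")
    unknown = sorted(set((cfg.get("modules") or {}).get("run") or []) - KNOWN_MODULES)
    if unknown:
        problems.append(f"modules.run lists unknown modules: {unknown}")
    return problems
```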

Usage

Full chain:

python3 chain.py -c config.yaml

Select specific modules:

python3 chain.py -m recon shadow_creds
python3 chain.py -m adcs

Dry run — print all commands without executing:

python3 chain.py --dry-run

Dry run output example:

[DRY RUN] bloodhound-python -u jdoe -p *** -d lab.local -dc DC01 -c All
[DRY RUN] GetUserSPNs.py lab.local/jdoe -dc-ip 10.10.10.5 -request -outputfile loot/kerberoast/hashes.txt
[DRY RUN] pywhisker --target svc_backup --domain lab.local --action add --filename loot/shadow_creds/svc_backup
[DRY RUN] certipy find -u jdoe@lab.local -dc-ip 10.10.10.5 -vulnerable -stdout

Attack flow

Entry (creds / hash / ticket)
        │
        ▼
   recon.py  ──── LDAP enum, BloodHound ingest, user/group/ACL mapping
        │
   ┌────┼────┐
   ▼    ▼    ▼
kerb  shadow  adcs   ──── parallel modules, each writes to loot/
   └────┼────┘
        ▼
   output.py  ──── JSON + Markdown report, next-step suggestions
        │
        ▼
 post_exploit.py  ──── PTH / PTT, secretsdump, pivot prep

Output

All loot lands in loot/ (gitignored):

loot/
├── recon/
│   ├── bloodhound/          # raw BloodHound JSON zips
│   └── ldap_dump.json       # users, groups, SPNs, ACLs
├── kerberoast/
│   └── hashes.txt           # TGS hashes for hashcat
├── shadow_creds/
│   ├── target.pfx           # certificate + key
│   └── target.ccache        # TGT
├── adcs/
│   └── admin.pfx            # cert obtained via ESC abuse
└── report.md                # full engagement summary

report.md is generated by output.py and includes every credential recovered, the attack path taken, and suggested next steps.


Clock skew handling

Many AD environments (especially HTB machines) have DCs with clocks significantly ahead of the attacker machine. Kerberos fails with KRB_AP_ERR_SKEW if the delta exceeds 5 minutes.

This tool wraps all Kerberos operations in a libfaketime context manager:

options:
  faketime_offset: "+7h"   # measure with: nmap -sV --script=clock-skew <DC_IP>

No manual faketime prefixing required — the offset is applied automatically to every subprocess call that touches Kerberos.
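
How a measured skew maps to the faketime_offset value and to the environment a wrapped subprocess receives, written here as an added illustration rather than the project's own context manager. It assumes libfaketime's relative FAKETIME syntax (plain seconds, or a number with an m/h/d suffix) and uses a placeholder for the LD_PRELOAD library path.

```python
"""Clock-skew bookkeeping for Kerberos-touching subprocesses.

Added example, not code from the ad-attack-chain project. Assumes the
libfaketime FAKETIME variable; FAKETIME_LIB is a placeholder path that
differs between distributions.
"""
from __future__ import annotations
import os
from datetime import datetime, timedelta, timezone

KERBEROS_MAX_SKEW = timedelta(minutes=5)        # default KDC tolerance; beyond it: KRB_AP_ERR_SKEW
FAKETIME_LIB = "/path/to/libfaketime.so.1"      # placeholder: set to your libfaketime location

def measure_skew(dc_time: datetime, local_time: datetime) -> timedelta:
    """Positive result means the DC clock is ahead of the attacker machine."""
    return dc_time - local_time

def needs_faketime(skew: timedelta) -> bool:
    """True when the delta would make the KDC reject requests with KRB_AP_ERR_SKEW."""
    return abs(skew) > KERBEROS_MAX_SKEW

def faketime_offset(skew: timedelta) -> str:
    """Render the skew the way the config expects, e.g. "+7h".

    Whole hours become "+Nh", whole minutes "+Nm", anything else plain seconds
    (all forms libfaketime accepts as a relative offset; assumed syntax).
    """
    secs = int(round(skew.total_seconds()))
    sign = "+" if secs >= 0 else "-"
    secs = abs(secs)
    if secs % 3600 == 0:
        return f"{sign}{secs // 3600}h"
    if secs % 60 == 0:
        return f"{sign}{secs // 60}m"
    return f"{sign}{secs}"

def faketime_env(skew: timedelta, base: dict | None = None) -> dict:
    """Environment for a Kerberos-touching subprocess: untouched while the skew
    is within tolerance, otherwise FAKETIME and LD_PRELOAD set for libfaketime."""
    env = dict(os.environ if base is None else base)
    if needs_faketime(skew):
        env["FAKETIME"] = faketime_offset(skew)
        env["LD_PRELOAD"] = FAKETIME_LIB
    return env

if __name__ == "__main__":
    # Constructed timestamps: DC reports 19:00 UTC while the local clock reads 12:00 UTC
    dc = datetime(2024, 1, 1, 19, 0, tzinfo=timezone.utc)
    local = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    print(faketime_env(measure_skew(dc, local), base={}))
```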


Tested on

  • HTB: Logging (Hard Windows AD)
  • HTB: Eighteen (Hard Windows AD)
  • HTB: Garfield (Hard Windows AD)
  • Local GOAD lab (Game of Active Directory)

Disclaimer

This tool is intended for:

  • Authorized penetration testing engagements
  • Personal lab environments (HTB, GOAD, custom AD labs)
  • OSCP / CPTS / CWES certification preparation

It is not intended for use against systems without explicit written authorization.


Author

J0stif — penetration tester, bug bounty hunter
PNPT · PWPA · CEH · OSCP (in progress) · HTB CPTS (in progress) · HTB CWES (in progress)

HTB Profile · Writeups & Notes · X social
