Knowing what Kerberoasting is and being able to execute it fluently under engagement pressure are two different things. The gap between them is closed by one thing: lab repetition.
Active Directory is the attack surface that defines senior offensive security work. It is the backbone of 90% of enterprise networks worldwide. Compromise it and you own the organisation's entire identity infrastructure. That is why AD techniques dominate OSCP and CRTO exams, appear in almost every red team engagement, and are the area where most junior penetration testers are weakest when they walk into their first interview.
This guide is not about what the attacks are. It is about how to practise them in a structured, progressive way that builds the automatic execution that real engagements require.
Why Do Most Practitioners Underinvest in AD Lab Practice?
Because AD lab setup is genuinely hard. A realistic Active Directory environment requires at minimum a domain controller, one or more victim machines, and network configuration that allows the attacks to run as they would in a real environment. On local hardware, that means Windows Server licences, significant RAM, and hours of configuration before you can start practising.
TryHackMe solves this completely. The Jr Penetration Tester path includes a dedicated nine-room Active Directory module with a fully configured, multi-host AD lab environment in the browser. No Windows Server licence. No VM configuration. No network setup. Open a room and you are inside a live domain with real attack tooling pre-installed. The module covers the full foundational attack chain: AD basics and authentication, enumeration, breaching, credential harvesting, and lateral movement between hosts.
For practitioners who want a persistent local environment after building foundations on TryHackMe, the section on local lab setup is at the end of this guide. Start with TryHackMe.
How Should You Structure Your AD Lab Practice?
The difference between knowing AD attack techniques and being proficient with them under real engagement pressure comes down entirely to lab time. The most effective structure is four progressive stages, each with a clear competency target before moving on.
Stage 1: Enumeration Only
Before you run any attacks, practise enumeration until it is automatic. The goal of this stage is to be able to fully map an AD environment using BloodHound and native tooling without thinking about the commands.
BloodHound uses graph theory to visualise relationships within AD: users, computers, groups, permissions, and the attack paths between them. Run SharpHound to collect the data, import it, and work through the pre-built queries: Shortest Paths to Domain Admins, Kerberoastable Users, AS-REP Roastable Users, Dangerous Rights for Domain Users. The "Shortest Paths to Domain Admins" query alone has ended countless engagements in under an hour for experienced operators.
Do this on every new lab environment before doing anything else. Make enumeration the habit, not an afterthought.
Competency target: Given a domain user and a live AD environment, identify all Kerberoastable accounts, AS-REP Roastable accounts, and at least one attack path to domain admin within fifteen minutes without referring to notes.
Stage 2: Credential Attacks
With a BloodHound map of the environment, practise credential harvesting against the targets it identifies.
Kerberoasting: Request TGS tickets for all accounts with SPNs. Crack offline with Hashcat. Prioritise accounts where BloodHound shows a path to higher privilege.
```powershell
# Request all available TGS tickets
.\Rubeus.exe kerberoast /outfile:hashes.txt
```

```bash
# Crack with Hashcat
hashcat -m 13100 hashes.txt rockyou.txt
```
AS-REP Roasting: Identify accounts with preauthentication disabled. Extract and crack their AS-REP responses.
```bash
python3 GetNPUsers.py target.local/ -usersfile users.txt -format hashcat -outputfile asrep.txt
```
Competency target: Given a BloodHound output identifying Kerberoastable and AS-REP Roastable accounts, extract and crack at least one hash to a plaintext credential within thirty minutes.
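Both Stage 2 techniques leave a recognisable trace on the domain controller, and knowing that trace is part of understanding the attack. The following is an added example, not code from this guide or from TryHackMe: it flags the Kerberoasting pattern (event 4769, RC4 ticket encryption 0x17, several user SPNs requested by one principal) and the AS-REP Roasting pattern (event 4768 with pre-authentication type 0 and RC4) over constructed, simplified key=value event lines; the field names mirror the Windows Security log but the sample data is invented.

```python
"""Flag Kerberoasting / AS-REP Roasting patterns in Windows Security events.

Operates on simplified 'key=value;key=value' lines constructed for this
example, not on real log exports. 4769 = TGS request, 4768 = AS (TGT) request.
"""
from collections import defaultdict

# Constructed sample: one requester (jsmith from 10.10.10.20) pulls RC4 TGS tickets
# for three SPN-backed service accounts, then an AS-REP for a no-preauth user.
SAMPLE_EVENTS = [
    "EventID=4769;TargetUserName=jsmith@CORP.LOCAL;ServiceName=svc_sql;TicketEncryptionType=0x17;IpAddress=10.10.10.20",
    "EventID=4769;TargetUserName=jsmith@CORP.LOCAL;ServiceName=svc_web;TicketEncryptionType=0x17;IpAddress=10.10.10.20",
    "EventID=4769;TargetUserName=jsmith@CORP.LOCAL;ServiceName=svc_backup;TicketEncryptionType=0x17;IpAddress=10.10.10.20",
    "EventID=4769;TargetUserName=jsmith@CORP.LOCAL;ServiceName=WS01$;TicketEncryptionType=0x12;IpAddress=10.10.10.20",
    "EventID=4769;TargetUserName=amy@CORP.LOCAL;ServiceName=svc_sql;TicketEncryptionType=0x12;IpAddress=10.10.10.31",
    "EventID=4768;TargetUserName=legacy_user;PreAuthType=0;TicketEncryptionType=0x17;IpAddress=10.10.10.20",
    "EventID=4768;TargetUserName=amy;PreAuthType=2;TicketEncryptionType=0x12;IpAddress=10.10.10.31",
]

RC4 = "0x17"            # RC4-HMAC: what Rubeus/GetUserSPNs ask for so the hash cracks fast
SERVICE_THRESHOLD = 3   # distinct RC4 TGS targets from one principal before alerting


def parse(line):
    """Split one 'k=v;k=v' line into a dict."""
    return dict(kv.split("=", 1) for kv in line.split(";"))


def detect(lines, threshold=SERVICE_THRESHOLD):
    """Return alert tuples: ('asrep_roast', ip, user) or ('kerberoast', ip, user, [services])."""
    rc4_targets = defaultdict(set)
    alerts = []
    for ev in map(parse, lines):
        eid = ev.get("EventID")
        if eid == "4769":
            svc = ev["ServiceName"]
            # Machine accounts ($) and krbtgt are noise; RC4 tickets for user SPNs are the signal
            if ev["TicketEncryptionType"] == RC4 and not svc.endswith("$") and svc.lower() != "krbtgt":
                rc4_targets[(ev["IpAddress"], ev["TargetUserName"])].add(svc)
        elif eid == "4768" and ev.get("PreAuthType") == "0" and ev["TicketEncryptionType"] == RC4:
            # AS-REP returned without pre-authentication: the account is roastable
            alerts.append(("asrep_roast", ev["IpAddress"], ev["TargetUserName"]))
    for (ip, user), svcs in rc4_targets.items():
        if len(svcs) >= threshold:
            alerts.append(("kerberoast", ip, user, sorted(svcs)))
    return alerts
```

In a real lab, the corresponding mitigation to practise alongside the attack is moving service accounts to AES-only Kerberos and group Managed Service Accounts, which removes the RC4 ticket that makes offline cracking practical.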
Stage 3: Lateral Movement
With credentials or hashes in hand, practise moving from your current foothold to other machines in the network.
Pass-the-Hash: Use NTLM hashes to authenticate without knowing the plaintext password.
```bash
python3 psexec.py -hashes :8846f7eaee8fb117ad06bdd830b7586c administrator@10.10.10.5
```
Spray-and-check with NetExec: Identify which hosts your current credentials work on.
```bash
nxc smb 10.10.10.0/24 -u administrator -H 8846f7eaee8fb117ad06bdd830b7586c
```
Competency target: Given a cracked hash from Stage 2, identify at least two hosts where it provides access and establish a session on both.
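Spray-and-check is loud from the defender's side: every host that accepts the hash writes a 4624 network logon (type 3) over NTLM, all from the same source IP and account within seconds of each other. The following is an added example, not code from this guide or from TryHackMe, that surfaces that fan-out over constructed 4624 records (the dict fields are a simplification of the real event, and the hosts, IPs and timestamps are invented).

```python
"""Spot spray-and-check / pass-the-hash fan-out in 4624 logon events.

Each record stands for one 4624 as logged by the host that accepted the logon.
The pattern: one source IP authenticating as one account over NTLM to many
distinct hosts inside a short sliding window. Sample data is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def ev(ts, host, ip, user, pkg, ltype=3):
    """Build one simplified 4624 record (LogonType 3 = network logon)."""
    return {"ts": datetime.fromisoformat(ts), "host": host, "ip": ip,
            "user": user, "pkg": pkg, "type": ltype}


# Constructed: administrator fans out over NTLM to four hosts in 40 seconds,
# plus a benign Kerberos logon and a lone NTLM logon hours later.
SAMPLE_LOGONS = [
    ev("2024-05-01T09:00:00", "WS01", "10.10.10.20", "administrator", "NTLM"),
    ev("2024-05-01T09:00:12", "WS02", "10.10.10.20", "administrator", "NTLM"),
    ev("2024-05-01T09:00:25", "FS01", "10.10.10.20", "administrator", "NTLM"),
    ev("2024-05-01T09:00:40", "SQL01", "10.10.10.20", "administrator", "NTLM"),
    ev("2024-05-01T09:01:00", "WS03", "10.10.10.31", "amy", "Kerberos"),
    ev("2024-05-01T11:30:00", "WS05", "10.10.10.20", "administrator", "NTLM"),
]


def fan_out_alerts(events, min_hosts=3, window=timedelta(seconds=60)):
    """Return (ip, user, sorted hosts) for each source/account pair whose NTLM
    network logons reach at least min_hosts distinct hosts inside one window."""
    by_actor = defaultdict(list)
    for e in events:
        if e["type"] == 3 and e["pkg"] == "NTLM":   # Kerberos logons are not the PtH signal
            by_actor[(e["ip"], e["user"])].append(e)
    alerts = []
    for (ip, user), evs in by_actor.items():
        evs.sort(key=lambda e: e["ts"])
        best = set()
        for i, start in enumerate(evs):             # slide the window over each start point
            hosts = {e["host"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(hosts) > len(best):
                best = hosts
        if len(best) >= min_hosts:
            alerts.append((ip, user, sorted(best)))
    return alerts
```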
Stage 4: Full Kill Chain (No Hints)
Run the entire attack chain from domain user to domain admin without guidance. Enumerate the environment, identify attack paths, harvest credentials, move laterally, escalate privileges, execute DCSync.
This is the stage most practitioners skip too early. CRTP candidates who succeed report 3 to 4 weeks of focused lab time in which they documented every attack path like a battle plan and repeated the chain until mind-mapping and repetition made the concepts automatic. That repetition is what produces fluent execution under exam and engagement pressure.
Competency target: Enumerate a live AD environment, identify a viable attack chain, and reach domain admin without hints, in under two hours.
The Progressive Practice Reference Table
| Stage | Techniques to drill | Primary tools | Competency target | TryHackMe |
|---|---|---|---|---|
| 1. Enumeration | BloodHound graph analysis, user/group/SPN enumeration, attack path identification | BloodHound, SharpHound, PowerView | Full environment map in 15 minutes, attack path to DA identified | Jr Penetration Tester path |
| 2. Credential attacks | Kerberoasting, AS-REP Roasting, offline hash cracking | Rubeus, Impacket, Hashcat | Extract and crack at least one hash to plaintext in 30 minutes | Jr Penetration Tester path |
| 3. Lateral movement | Pass-the-Hash, Pass-the-Ticket, SMB/WMI lateral movement, spray-and-check | Impacket, NetExec, Mimikatz | Establish sessions on multiple hosts from a single credential | Jr Penetration Tester path |
| 4. Full kill chain | End-to-end: enumeration, credential access, lateral movement, DCSync, domain compromise | Full toolset, no hints | Domain admin in under 2 hours from domain user, unguided | Red Teaming path |
Do You Need a Local Lab?
Not to start. TryHackMe's browser-based AD module covers Stages 1 through 3 thoroughly. The capstone challenges in the Jr Penetration Tester path provide Stage 4 practice in an unguided format.
A local lab becomes valuable when you want persistent, custom environments you control completely: additional machines, specific misconfigurations, or the ability to practise with C2 frameworks at Stage 4 and above. Game of Active Directory (GOAD) is the community standard for local multi-domain lab setup and deploys a realistic multi-machine environment using Vagrant and VirtualBox. It is a meaningful time investment. Do it after you have completed Stages 1 through 3 in TryHackMe's guided environment.
FAQ
What is a red team vs blue team exercise? A red team exercise is a simulated attack conducted against an organisation's real systems with explicit permission, designed to test whether defences hold against a realistic adversary. The blue team is the organisation's defenders who monitor for and respond to those attacks. In a combined exercise, both teams operate in parallel - the red team attacks while the blue team tries to detect and contain the activity. The findings from both sides inform security improvements that neither could produce independently.
How do I start learning red teaming from scratch? Build penetration testing foundations first. Red teaming is an advanced discipline that sits on top of solid offensive fundamentals across web application exploitation, network penetration, and Active Directory attacks. TryHackMe's Jr Penetration Tester path builds those foundations systematically across 89 rooms and 17 modules. Complete it, sit PT1, and then move into the Red Teaming path for tradecraft: C2 frameworks, OPSEC, evasion, and advanced AD techniques.
How do I learn exploit development for beginners? Exploit development starts with understanding how memory works: stack structure, buffer overflows, instruction pointer control, and shellcode execution. The prerequisite skills are C programming and a basic understanding of x86 assembly. TryHackMe's Jr Penetration Tester path covers buffer overflow fundamentals that establish the mental model before moving into more advanced exploitation. From there, the Seeley series of resources and practice on intentionally vulnerable binaries builds the deeper skills.
What are the best Windows security courses for Active Directory attacks? TryHackMe's Jr Penetration Tester path is the most structured browser-based option, covering the full AD attack chain across a dedicated nine-room module rebuilt for 2026. For mid-level practitioners targeting certification, CRTO from Zero-Point Security is the most practically oriented credential for enterprise AD tradecraft and C2 operation. CRTP from Altered Security covers AD attack paths in depth and is a strong stepping stone between junior-level foundations and CRTO. All three work in sequence.
Nick O'Grady