Pentest Active Directory: Kerberoasting, ACL Abuse, AD CS
Pentest profundo em AD on-prem e híbrido. Kerberoasting, AS-REP roast, ACL abuse, AD CS (ESC1-15), DCSync, golden/silver ticket.
Why now
The real pain
AD é a espinha dorsal de 90% das empresas brasileiras. Mal configurado, vira Domain Admin em horas para qualquer pentester sério. ACL com WriteDACL pra Domain Users, ESC1 ativo, DC com SMB signing desligado — é o playbook de toda gang de ransomware.
Applicable frameworks
/attack-surface
Pentest Active Directory
Every engagement is designed for your environment. The points below are part of our standard playbook for this sector — final scope is adapted to your stack and contract.
Kerberoasting e AS-REP Roast
Identificação de SPNs, account com DontReqPreauth, crack offline com hashcat.
ACL abuse e BloodHound
WriteDACL, GenericAll, GenericWrite, AddSelf, ForceChangePassword — caminhos pra Domain Admin.
AD CS (ADCS ESC1-15)
Certificate template misconfig, request abuse, NTLM relay para HTTP endpoint, escalation via certificate.
DCSync, golden/silver/diamond ticket
Replicação maliciosa, persistência via krbtgt hash, golden ticket forjado, diamond ticket pós-defesa.
Pass-the-Hash, Pass-the-Ticket, OverPass
Lateral movement clássico, with-the-key Kerberos, NTLM relay coercion (PetitPotam, PrinterBug).
Hybrid identity e Entra Connect
Pass-through, password hash sync, abuse de Entra Connect server (alvo nº1).
/methodology
Genuinely manual pentest
Automated scanners find what's documented. Real attackers find what isn't. 90% of the work is manual — performed by specialists holding OSCP, CISSP, CRTO and GPEN.
01 · Reconnaissance
Target mapping, OSINT, footprint, sector-specific threat modeling.
02 · Discovery
Deep enumeration, complementary scanning, manual exposure identification.
03 · Exploitation
Manual validation with controlled PoC, finding chaining, escalation.
04 · Report
Executive + technical, step-by-step replication, mapped to applicable regulation.
/why-trust
Who has trusted our work
AD de instituições financeiras, indústria e ente público com 5k-50k usuários.
Technical assessment recognized in highly regulated, mission-critical environments — the pentest that finds what nobody had found before.
Douglas Lopes
Founder · CEO · intrus.io
/faq
FAQ — Pentest Active Directory
Vocês entregam Domain Admin no relatório?
Sim. Quando possível e autorizado, demonstramos o caminho completo até DA com cada etapa documentada (TTPs MITRE) e mitigação específica.
Faixa de preço?
AD single-domain pequeno: R$ 18-35k. Multi-domain/forest: R$ 40-90k. Enterprise híbrido com Entra Connect: R$ 60-150k.
/contact
Cotar pentest Active Directory
Schedule a confidential meeting. Within 48h we'll send a proposal with scope, timeline and pricing.