Here are a couple of methods that I would recommend:
1. Get local administrator on a single machine
I advise that you try and get local admin on a single machine before you go after domain admin.
A lot of lazy system admins will use the same password for the local admin user and the domain admin user.
This can involve either cracking the NTLM hash using available tools, or scanning the network with any known credentials to find out if those credentials have local admin on any other machines. You can also use key loggers, though this is considerably more detectable.
2. Access Token duplication.
Once you have admin, you can use a tool such as Incognito, which will scan all running processes for delegation tokens. You can then use these tokens to attempt to create a domain admin user.
3. Check for Windows services running as a domain administrator
Again, lazy sys admins will run certain Windows services with the domain administrator account.
These accounts will have passwords stored locally. There are several tools available to dump these: LSADump, LSASecretsDump, pwdump, etc.
Using your new local admin access, you can scan the network for other machines you have local admin to as well, and find any that might be running services such as these.
4. Pass the hash attack
This is where you can intercept the authentication hash of a domain logon. From there, you can authenticate to Active Directory using the hash only, without having to know the plain text password.
http://www.windowsecurity.com/articles-tutorials/misc_network_security/Dissecting-Pass-Hash-Attack.html
5. Pass the ticket (Kerberos gold/silver ticket attack)
This is where you use the Kerberos ticket granting ticket of a user that recently logged in to the domain.
https://www.vidder.com/resources/attacks/pass-the-ticket.html
http://cert.europa.eu/static/WhitePapers/CERT-EU-SWP_14_07_PassTheGolden_Ticket_v1_1.pdf
6. Network share executables
Some sysadmins have a network file server.
Sometimes they have tools such as PuTTY saved on there for ease of access.
If any of those tools (such as PuTTY) are open source and the directory is writable, you can recompile your own malicious version of the program and replace it. This program can steal credentials, or run a backdoor with the user's privileges.
These are a few effective methods for gaining control of a domain network.
There's plenty of information online for each. Just look them up.
-- xor