Active Directory Methodology

No credentials

Enumeration

nxc smb <target_ip>
enum4linux -a <target_ip>
nmap -n -sV --script "ldap* and not brute" -p 389 <dc_ip>
ldapsearch -x -H ldap://<dc_ip> -s base

Zone transfer

dig axfr <domain> @<dc_ip>

Shares

nxc smb <dc_ip> -u '' -p '' --shares
nxc smb <dc_ip> -u 'guest' -p '' --shares

Enumerate users

nxc smb <dc_ip> --users
nxc smb <dc_ip> --rid-brute 10000
kerbrute userenum -d <domain> <user_wordlist>

Timeroast

Valid user (no password)

Password spray

ASREP Roast

Blind kerberoast

Valid credentials

List all users

Enumerate SMB shares

BloodHound

Enumerate LDAP

Enumerate ADCS

Kerberoast