Post Exploitation: Enumeration

Using Faketime for Ad-Hoc Kerberos Authentication

Installing Faketime sudo apt install faketime faketime -h This will run the specified 'program' ...

Kerberos Authentication from Kali

NetExec nxc smb DC01.domain.tld -d 'domain.tld' -u 'username' -p 'P@$$word123!' -k Use a user...

LdapDomainDump

When to Use    You'll know when you've found a domain controller, because it will have ...

Remote Bloodhound

Nmap LDAP Enumeration Acquire DC DNS Name sudo nmap -Pn -T4 -p 389,636 --script ldap-rootdse <d...

BloodHound

Install and Initial Setup Kali Linux When changing the neo4j user password at initial setup, I ...

LdapSearch

When to Use You'll know when you've found a domain controller, because it will have several port...

Dumping DNS Records with adidnsdump

Active Directory Integrated DNS Dump (adidnsdump) GitHub Repository Installation pipx install ...

Enum4Linux

Details Enum4linux is a tool for enumerating information from Windows and Samba systems. It at...

NetExec

When to Use Useful post-compromise if you've dumped hashes from SAM or LSASS or obtained clearte...

GetADUsers.py

When to Use Helpful in post-compromise enumeration. If you've compromised a domain-joined host, ...

GetUserSPNs.py

When to Use Useful in post-compromise enumeration. If you acquire domain user passwords or hashe...

PowerShell AD Module on Any Domain Host as Any User

Borrow a DLL Normally, one must install RSAT (Remote Server Administration Tools) on a host to m...

PowerView

Overview A set of PowerShell functions that can be used to enumerate ActiveDirectory. Part of th...

Manual Enumeration

Linux LdapSearch ldapsearch -x -H ldap://DC01.ad.lab -D 'john.doe@ad.lab' -W -b 'DC=ad,DC=lab' ...

Extracting Secrets from PCAPs

PCAP Analysis Kerberos AS-REQ Pre-Auth Hashes Note the existence of KRB5 protocol traffic on tcp...