Post Exploitation: Enumeration

PowerShell AD Module on Any Domain Host as Any User

Borrow a DLL Normally, one must install RSAT (Remote Server Administration Tools) on a host to m...

Dumping DNS Records with adidnsdump

Active Directory Integrated DNS Dump (adidnsdump) GitHub Repository Installation python3 -m pi...

CrackMapExec

When to Use Useful post-compromise if you've dumped hashes from SAM or LSASS or obtained clearte...

PowerView

Overview A set of PowerShell functions that can be used to enumerate Active Directory. Part of th...

BloodHound

1. Installation sudo apt install -y neo4j bloodhound 2. Setup sudo neo4j console & Navi...

Remote Bloodhound

GitHub Repo Prerequisites impacket ldap3 dnspython Installation python3 -m pip insta...

LdapDomainDump

When to Use You'll know when you've found a domain controller, because it will have ...

LdapSearch

When to Use You'll know when you've found a domain controller, because it will have several por...

Enum4Linux

Details Enum4linux is a tool for enumerating information from Windows and Samba systems. It at...

GetADUsers.py

When to Use Helpful in post-compromise enumeration. If you've compromised a domain-joined host, ...

GetUserSPNs.py

When to Use Useful in post-compromise enumeration. If you acquire user passwords or hashes for a...

Manual Enumeration

net.exe Drawbacks net does not show nested groups net only shows up to 10 groups even if a u...

Extracting Kerberos AS-REQ Pre-Auth Hashes from PCAPs

PCAP Analysis Note the existence of KRB5 protocol traffic on tcp/88, which is further identifi...