Post Exploitation: Enumeration
PowerShell AD Module on Any Domain Host as Any User
Borrow a DLL: Normally, one must install RSAT (Remote Server Administration Tools) on a host to m...
Dumping DNS Records with adidnsdump
Active Directory Integrated DNS Dump (adidnsdump) GitHub Repository. Installation: python3 -m pi...
CrackMapExec
When to Use: Useful post-compromise if you've dumped hashes from SAM or LSASS or obtained clearte...
PowerView
Overview: A set of PowerShell functions that can be used to enumerate Active Directory. Part of th...
BloodHound
1. Installation: sudo apt install -y neo4j bloodhound 2. Setup: sudo neo4j console & Navi...
Remote BloodHound
GitHub Repo. Prerequisites: impacket, ldap3, dnspython. Installation: python3 -m pip insta...
LdapDomainDump
When to Use: You'll know when you've found a domain controller, because it will have ...
LdapSearch
When to Use: You'll know when you've found a domain controller, because it will have several por...
Enum4Linux
Details: Enum4linux is a tool for enumerating information from Windows and Samba systems. It at...
GetADUsers.py
When to Use: Helpful in post-compromise enumeration. If you've compromised a domain-joined host, ...
GetUserSPNs.py
When to Use: Useful in post-compromise enumeration. If you acquire user passwords or hashes for a...
Manual Enumeration
net.exe. Drawbacks: net does not show nested groups; net only shows up to 10 groups even if a u...
Extracting Kerberos AS-REQ Pre-Auth Hashes from PCAPs
PCAP Analysis: Note the existence of KRB5 protocol traffic on tcp/88, which is further identifi...