You are here: you hold a username/password, NT hash, ticket, or key — but no usable interactive shell yet.

A credential is a key ring, not a single key. Test it against everything before assuming it’s “just” a low-priv user.


▶️ Next moves (in order)

  1. Validate everywhere. Spray the one credential across services and hosts — SMB, LDAP, WinRM, MSSQL, RDP, SSH. (Pwn3d!) on WinRM/SMB means admin. → NetExec_SMB_Recon · NetExec_LDAP_Kerberos
  2. Test it as a hash, not just a password. Pass-the-Hash over SMB/WinRM where you only have the NT hash. → Pass_the_Hash
  3. Check for reuse. Same password across other users/hosts is extremely common. → AD_Password_Spraying_AD
  4. Map the identity in BloodHound and mark it owned. What does this principal control? Check shortest paths and outbound object control. → NetExec_BloodHound · AD_Tools_Reference
  5. Turn creds into a shell. WinRM → evil-winrm; SMB admin → psexec/wmiexec; RDP; SSH. → Windows_Remote_Management_RDP_WinRM_WMI · Attacking_RDP
  6. Kerberos with a valid account. Kerberoast SPN accounts; AS-REP roast pre-auth-disabled users. → AD_Kerberoasting · AD_Misc_Misconfigs
  7. Loot what the creds unlock. Readable shares, SYSVOL, GPP, network locations. → Credential_Hunting_Network_Shares
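Seen from the blue-team side, steps 1 to 3 above leave a distinctive footprint: one account authenticating to many hosts and services within seconds, or one source address cycling through many accounts. The detector below is an added example, not part of this page or of any tool it references; it assumes a hypothetical normalized event format (timestamp, account, source IP, target host, service, outcome) and runs over constructed sample records rather than real logs.

```python
"""Flag single-credential fan-out and many-account spraying from
normalized authentication events (added example, constructed data).

Assumed (hypothetical) record layout, one event per line:
    <ISO timestamp> <account> <src_ip> <dst_host> <service> <outcome>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events; not taken from any real environment.
SAMPLE_EVENTS = [
    "2024-05-01T10:00:01 j.doe 10.0.0.5 DC01 smb success",
    "2024-05-01T10:00:03 j.doe 10.0.0.5 DC01 ldap success",
    "2024-05-01T10:00:05 j.doe 10.0.0.5 FS01 smb success",
    "2024-05-01T10:00:07 j.doe 10.0.0.5 WEB01 winrm failure",
    "2024-05-01T10:00:09 j.doe 10.0.0.5 SQL01 mssql success",
    "2024-05-01T10:00:11 j.doe 10.0.0.5 APP01 rdp failure",
    "2024-05-01T10:05:00 svc_backup 10.0.0.9 FS01 smb success",
    "2024-05-01T11:00:00 a.smith 10.0.0.7 DC01 ldap success",
    "2024-05-01T11:00:01 b.jones 10.0.0.7 DC01 ldap failure",
    "2024-05-01T11:00:02 c.brown 10.0.0.7 DC01 ldap failure",
    "2024-05-01T11:00:03 d.white 10.0.0.7 DC01 ldap failure",
    "2024-05-01T11:00:04 e.green 10.0.0.7 DC01 ldap failure",
    "2024-05-01T11:00:05 f.black 10.0.0.7 DC01 ldap failure",
]


def parse_events(lines):
    """Turn raw lines into dicts; malformed lines are skipped."""
    events = []
    for line in lines:
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, account, src_ip, dst_host, service, outcome = parts
        events.append({
            "ts": datetime.fromisoformat(ts),
            "account": account,
            "src_ip": src_ip,
            "dst_host": dst_host,
            "service": service,
            "outcome": outcome,
        })
    return events


def windowed_distinct(events, group_field, value_fn, window, threshold):
    """For each value of group_field, slide a time window over that group's
    events and count distinct value_fn(event) results inside the window.
    Returns {group: peak_distinct_count} for groups reaching the threshold."""
    groups = defaultdict(list)
    for ev in events:
        groups[ev[group_field]].append(ev)

    flagged = {}
    for group, evs in groups.items():
        evs.sort(key=lambda e: e["ts"])
        in_window = defaultdict(int)  # value -> occurrences inside window
        start, peak = 0, 0
        for end, ev in enumerate(evs):
            in_window[value_fn(ev)] += 1
            # Drop events that fell out of the window behind this one.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                old = value_fn(evs[start])
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            flagged[group] = peak
    return flagged


def detect_credential_fanout(events, window=timedelta(minutes=5), threshold=4):
    """One account touching many (host, service) pairs in a short window:
    the signature of a single credential being validated everywhere."""
    return windowed_distinct(
        events, "account", lambda e: (e["dst_host"], e["service"]), window, threshold)


def detect_password_spray(events, window=timedelta(minutes=5), threshold=5):
    """One source trying many distinct accounts in a short window. Successes
    are counted too, since a spray that finds a match still produces one.
    In production, exclude known multi-user sources (proxies, jump hosts)."""
    return windowed_distinct(
        events, "src_ip", lambda e: e["account"], window, threshold)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("credential fan-out:", detect_credential_fanout(evs))
    print("password spray:", detect_password_spray(evs))
```

Both detectors share the sliding-window helper, so the same code answers "which identity is being tested across the estate?" and "which source is walking the user list?". Tune the window and thresholds to the environment; the defaults here are chosen only to make the constructed sample fire.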

⚠️ Common stalls

  • Only tested SMB; never checked WinRM/LDAP/MSSQL.
  • Had an NT hash but never tried it (PtH) — only typed it as a password.
  • Misread (Guest) as authenticated.
  • Didn’t load BloodHound, so a one-hop path to control went unseen.
  • Never sprayed the password for reuse across the domain.
  • Stopped at AD/SMB — never tried the credential on web/git/DB services, or as an SSH key passphrase.
  • Discarded a service-shaped cred (e.g. SQLGuest) when SMB/LDAP failed — it’s a local account; test it with --local-auth against its own service (a low-priv MSSQL login still enables domain RID enumeration).
  • Treated an infrastructure key (RNDC/TSIG, API token) like a login and gave up when it didn’t auth anywhere — it drives its own service. A DNS update key lets you rewrite zone records (nsupdate) and hijack mail/token delivery. → Attack_Patterns · Attacking_DNS

⏱️ Stop condition

The credential is validated across every service and host, tested as both a password and a hash, sprayed for reuse, and marked owned in BloodHound. If it still yields no shell and no control edge, it’s a low-value identity — bank it in the ledger and move on. Don’t keep re-testing the same cred on the same service hoping for a different answer. Go get a different identity (No_Foothold), or if it’s domain-valid, work the graph from it (Stuck_In_AD).

🔀 Route on