
πŸ› οΈ My AD Lab Pentesting Learning Journey – Tools Guide & Checklist

Welcome to my personal blog documenting my journey into Active Directory (AD) penetration testing in a lab environment. This post serves as both a learning resource and a checklist to help me track my progress and understanding of essential tools used in AD attacks.

πŸ” Disclaimer: This content is for educational purposes only. Use only in authorized environments like your own lab or with proper permissions.


πŸ” Tool Overview & Usage Guide

Below are the tools I'm learning, along with their purpose and usage.


1. GetADUsers.py

Purpose: Enumerate users from Active Directory using LDAP queries.
Use Case: Discover the user accounts that exist in the domain.
How to Use:

```bash
python GetADUsers.py domain.com/user:password -dc-ip 192.168.1.10 -all
```

Notes: Requires LDAP access to a domain controller. Like the other Impacket scripts, it takes credentials as domain/user:password and the DC address via -dc-ip; -all also lists disabled accounts and users without an e-mail address. Useful for initial reconnaissance.


2. GetNPUsers.py

Purpose: Enumerate users that have Kerberos pre-authentication disabled (the "Do not require Kerberos preauthentication" / DONT_REQ_PREAUTH account flag).
Use Case: Find users whose AS-REP can be obtained without a password and cracked offline (AS-REP roasting).
How to Use:

```bash
python GetNPUsers.py domain.com/user -dc-ip 192.168.1.10 -no-pass -request
```

Notes: No password is needed if pre-authentication is disabled for the account; with -no-pass and a single user name the script simply requests that user's AS-REP from the DC.


3. Get-GPPPassword.py

Purpose: Extract passwords stored in Group Policy Preferences (GPP).
Use Case: Find credentials in the GPP .xml files on the SYSVOL share (the cpassword attribute, e.g., a local account configured through a Group Policy Preference).
How to Use:

```bash
python Get-GPPPassword.py domain.com/user:password@192.168.1.10
```

Notes: GPP password storage is outdated (MS14-025 removed the option from the Group Policy editor in 2014), but XML files written before that patch keep their cpassword values, so it is still found in legacy environments.
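Added example, not code from the original post or from the Impacket project: the defender-side check for the same artifact. It parses the Preferences XML a domain admin finds under SYSVOL and reports every element that still carries a cpassword attribute, without decrypting anything, so the leftover files can be cleaned up. The file paths, the policy GUID placeholder and the XML bodies are constructed samples, and the cpassword values are placeholders, not real ciphertext.

```python
"""Audit Group Policy Preference XML for leftover cpassword attributes.

Added example, not part of the original post or of Impacket. File paths,
the policy GUID and the XML bodies below are constructed; cpassword values
are placeholders, not real ciphertext.
"""
import xml.etree.ElementTree as ET

# Preference files that can carry a cpassword attribute (all under ...\Preferences\).
GPP_FILES = ("Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Printers.xml", "Drives.xml")


def find_cpasswords(xml_text, path):
    """Return one dict per element whose cpassword attribute is non-empty."""
    hits = []
    for elem in ET.fromstring(xml_text).iter():
        cpw = elem.attrib.get("cpassword")
        if not cpw:          # attribute absent or empty: nothing stored
            continue
        # The account is named by a different attribute depending on the file type.
        account = (elem.attrib.get("userName") or elem.attrib.get("accountName")
                   or elem.attrib.get("runAs") or "<unknown>")
        hits.append({"file": path, "element": elem.tag,
                     "account": account, "cpassword_len": len(cpw)})
    return hits


def audit(files):
    """files: iterable of (path, xml_text). Returns (findings, parse_errors).
    Only the known GPP file names are examined; malformed XML is reported, not skipped."""
    findings, errors = [], []
    for path, text in files:
        if path.rsplit("/", 1)[-1] not in GPP_FILES:
            continue
        try:
            findings.extend(find_cpasswords(text, path))
        except ET.ParseError as exc:
            errors.append((path, str(exc)))
    return findings, errors


# Constructed sample tree (GUID is a placeholder, not a real policy).
POLICY = "SYSVOL/lab.local/Policies/{POLICY-GUID-PLACEHOLDER}/Machine/Preferences"

GROUPS_XML = """<Groups>
  <User name="LocalAdmin" changed="2013-11-02 09:15:00">
    <Properties action="C" userName="LocalAdmin" cpassword="PLACEHOLDER-NOT-REAL-CIPHERTEXT"
                changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0"/>
  </User>
  <User name="Guest" changed="2013-11-02 09:15:00">
    <Properties action="U" userName="Guest" cpassword="" acctDisabled="1"/>
  </User>
</Groups>"""

SERVICES_XML = """<NTServices>
  <NTService name="Spooler">
    <Properties startupType="AUTOMATIC" serviceName="Spooler"
                accountName="LAB\\svc_print" cpassword="PLACEHOLDER-2"/>
  </NTService>
</NTServices>"""

DRIVES_XML = """<Drives>
  <Drive name="H:">
    <Properties action="U" path="\\\\fs01\\home" userName="" cpassword=""/>
  </Drive>
</Drives>"""

SAMPLE_FILES = [
    (POLICY + "/Groups/Groups.xml", GROUPS_XML),
    (POLICY + "/Services/Services.xml", SERVICES_XML),
    (POLICY + "/Drives/Drives.xml", DRIVES_XML),
    (POLICY + "/Registry/Registry.xml", "<RegistrySettings/>"),      # never carries cpassword
    (POLICY + "/Printers/Printers.xml", "<Printers><SharedPrinter>"),  # truncated file: parse error
]

if __name__ == "__main__":
    found, bad = audit(SAMPLE_FILES)
    for hit in found:
        print(f"{hit['file']}: <{hit['element']}> account={hit['account']} "
              f"cpassword length={hit['cpassword_len']}")
    for path, err in bad:
        print(f"could not parse {path}: {err}")
```

Point `SAMPLE_FILES` at a real walk of the SYSVOL Preferences directories and every hit is a file that should be re-created without the stored password and the affected account rotated; an empty cpassword attribute (the Guest and Drives entries above) is harmless and is deliberately not reported.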


4. GetUserSPNs.py

Purpose: Enumerate user accounts that have Service Principal Names (SPNs) set.
Use Case: Identify accounts that can be targeted for Kerberoasting.
How to Use:

```bash
python GetUserSPNs.py domain.com/user -k -no-pass -dc-ip 192.168.1.10 -request
```

Notes: Requires valid credentials (here a Kerberos ticket cache, used via -k -no-pass and located through the KRB5CCNAME variable). Without -request the script only lists the SPN accounts; with -request the output is the encrypted TGS tickets for offline cracking.
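Added example covering both the AS-REP roasting (GetNPUsers.py) and the Kerberoasting (GetUserSPNs.py) entries above; it is not code from the original post or from Impacket. It is the detection logic a defender runs over the domain controller's Security log: a TGT issued without pre-authentication (event 4768, PreAuthType 0) and RC4-encrypted service tickets for user SPNs (event 4769, encryption type 0x17), with a per-client count to separate a batch request from a single legacy application. The event field names are the real EventData names; the sample events, IP addresses and the `threshold` default are constructed assumptions.

```python
"""Flag Kerberos events that look like AS-REP roasting or Kerberoasting.

Added example, not part of the original post. Events are dicts whose keys
mirror the EventData fields of Windows Security events 4768 (TGT request)
and 4769 (service ticket request). All sample events are constructed.
"""
from collections import Counter
from dataclasses import dataclass

# Kerberos encryption type as Windows logs it (hex string). etype 23 = RC4-HMAC,
# the weak type the roasting tools request so the ticket can be cracked offline.
RC4_HMAC = "0x17"


@dataclass
class Finding:
    event_id: int
    client_ip: str
    account: str
    reason: str


def is_asrep_roast(ev):
    """4768 with PreAuthType 0: the KDC issued an AS-REP without pre-authentication,
    which only succeeds for accounts that have DONT_REQ_PREAUTH set."""
    return (ev["EventID"] == 4768
            and ev.get("Status") == "0x0"
            and ev.get("PreAuthType") == "0")


def is_kerberoast(ev):
    """4769 for a user-account SPN with an RC4-encrypted ticket. Machine accounts
    (name ends in $) and krbtgt are excluded because those requests are routine."""
    if ev["EventID"] != 4769 or ev.get("Status") != "0x0":
        return False
    svc = ev.get("ServiceName", "")
    if svc.endswith("$") or svc.lower() == "krbtgt":
        return False
    return ev.get("TicketEncryptionType") == RC4_HMAC


def analyze(events):
    """Return one Finding per suspicious event, in log order."""
    findings = []
    for ev in events:
        if is_asrep_roast(ev):
            findings.append(Finding(4768, ev["IpAddress"], ev["TargetUserName"],
                                    "AS-REP issued without pre-authentication"))
        elif is_kerberoast(ev):
            findings.append(Finding(4769, ev["IpAddress"], ev["TargetUserName"],
                                    "RC4 service ticket for SPN account " + ev["ServiceName"]))
    return findings


def noisy_clients(findings, threshold=2):
    """Clients with at least `threshold` RC4 service-ticket findings. A single RC4
    TGS can be a legacy application; a batch from one host is the bulk-request
    pattern. The threshold is an assumption, tune it to the environment."""
    counts = Counter(f.client_ip for f in findings if f.event_id == 4769)
    return {ip: n for ip, n in counts.items() if n >= threshold}


# Constructed sample events (EventData fields of 4768/4769).
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "svc_backup", "IpAddress": "::ffff:10.0.0.5",
     "Status": "0x0", "PreAuthType": "0", "TicketEncryptionType": "0x17"},
    {"EventID": 4768, "TargetUserName": "alice", "IpAddress": "::ffff:10.0.0.21",
     "Status": "0x0", "PreAuthType": "2", "TicketEncryptionType": "0x12"},
    {"EventID": 4769, "TargetUserName": "alice@LAB.LOCAL", "ServiceName": "svc_sql",
     "IpAddress": "::ffff:10.0.0.5", "Status": "0x0", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "TargetUserName": "alice@LAB.LOCAL", "ServiceName": "DC01$",
     "IpAddress": "::ffff:10.0.0.21", "Status": "0x0", "TicketEncryptionType": "0x12"},
    {"EventID": 4769, "TargetUserName": "alice@LAB.LOCAL", "ServiceName": "krbtgt",
     "IpAddress": "::ffff:10.0.0.5", "Status": "0x0", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "TargetUserName": "alice@LAB.LOCAL", "ServiceName": "svc_web",
     "IpAddress": "::ffff:10.0.0.5", "Status": "0x0", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "TargetUserName": "bob@LAB.LOCAL", "ServiceName": "svc_ldap",
     "IpAddress": "::ffff:10.0.0.33", "Status": "0x0", "TicketEncryptionType": "0x12"},
]

if __name__ == "__main__":
    found = analyze(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.event_id} {f.client_ip:<18} {f.account:<18} {f.reason}")
    print("bulk RC4 TGS requesters:", noisy_clients(found))
```

The two checks are the mitigation guide in reverse: a 4768 finding means an account still has pre-authentication disabled, and a 4769 finding means an SPN account still accepts RC4, which is what setting AES-only encryption types (and long random service-account passwords) removes.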


5. nxc (NetExec)

Purpose: Modern, fast, multi-protocol network scanner and post-exploitation tool (the maintained fork of CrackMapExec).
Use Case: Execute commands, check for vulnerabilities, and perform lateral movement.
How to Use:

```bash
nxc smb 192.168.1.10 -u 'user' -p 'password' -x 'whoami'
```

Notes: Supports SMB, WinRM, SSH, RDP, and more. Great for automation.


6. smbmap.py

Purpose: Enumerate SMB shares and access the files on them.
Use Case: Find accessible shares and download sensitive files.
How to Use:

```bash
python smbmap.py -u 'user' -p 'password' -H 192.168.1.10 -r 'C$'
```

Notes: Useful for finding C$, ADMIN$, and other shares; -r recursively lists the named share.


7. evil-winrm

Purpose: Connect to Windows machines via WinRM (Windows Remote Management) and get an interactive shell.
Use Case: Execute commands on remote Windows systems.
How to Use:

```bash
evil-winrm -i 192.168.1.10 -u 'user' -p 'password'
```

Notes: Requires WinRM enabled on the target (TCP 5985, or 5986 for HTTPS) and an account allowed to use it (by default local Administrators and members of Remote Management Users).


8. psexec.py

Purpose: Execute commands with a PsExec-style technique (SMB-based: a service binary is copied to the target and started as a service).
Use Case: Remote command execution without installing agents.
How to Use:

```bash
python psexec.py domain/user:password@192.168.1.10
```

Notes: Requires SMB access and credentials with local administrator rights on the target. It is noisy: the temporary service it creates is logged on the target (System event 7045).


9. lookupsid.py

Purpose: Enumerate SIDs (Security Identifiers) of users and groups by cycling through RIDs over MS-LSAT.
Use Case: Map users to their domain roles and privileges.
How to Use:

```bash
python lookupsid.py domain.com/user:password@192.168.1.10
```

Notes: Helps identify privileged users and groups (well-known RIDs such as 500 for the built-in Administrator and 512 for Domain Admins).


10. kerbrute

Purpose: Brute-force Kerberos authentication and enumerate users.
Use Case: User enumeration and password spraying.
How to Use:

```bash
kerbrute userenum --dc 192.168.1.10 --domain domain.com users.txt
```

Notes: Fast and efficient for user enumeration because it uses Kerberos pre-authentication responses instead of LDAP. The user list is a positional argument. Each probe of a non-existent user leaves a failed 4768 event (result code 0x6) on the DC, so it is visible in the logs.


11. secretsdump.py

Purpose: Dump NTLM and LM hashes and DPAPI/LSA secrets from the SAM and LSA secret store, or from a domain controller's NTDS.dit.
Use Case: Extract credentials from domain controllers or compromised machines.
How to Use:

```bash
python secretsdump.py domain/user:password@192.168.1.10
```

Notes: Requires valid credentials with administrative rights on the target. Against a DC it pulls the domain hashes through DRSUAPI replication (the same mechanism as DCSync), so replication requests from a non-DC host are the thing to watch for. Outputs hashes for cracking.


12. crackmapexec

Purpose: Multi-protocol scanner and exploit tool (the original project that NetExec was forked from).
Use Case: Scan for vulnerabilities, execute commands, and perform lateral movement.
How to Use:

```bash
crackmapexec smb 192.168.1.10 -u 'user' -p 'password' -d 'domain.com'
```

Notes: Supports SMB, WinRM, SSH, RDP, and more. Great for automation.


13. smbpasswd

Purpose: Change or reset a user's SMB password (Samba's smbpasswd tool; -r points it at a remote SMB server instead of the local Samba database).
Use Case: Password change on an SMB server.
How to Use:

```bash
smbpasswd -r 192.168.1.10 -U 'username'
```

Notes: Requires valid credentials; the tool prompts interactively for the old and the new password (there is no command-line option for the new password). Used in post-exploitation.
