Environment Variables / Setup

export IP=

NetExec Null Session Testing

# Test anonymous access across all protocols systematically
netexec smb $IP -u '' -p '' --shares
netexec smb $IP -u 'guest' -p '' --shares
netexec ldap $IP -u '' -p '' --users --groups
netexec winrm $IP -u '' -p ''
netexec rdp $IP -u '' -p ''
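On the target side, the null-session probes above (netexec with empty or guest credentials, and the rpcclient -U "" line under RPCClient below) leave a recognisable trace: Event ID 4624 with logon type 3 and the account name "ANONYMOUS LOGON", and, when "Audit File Share" is enabled, Event ID 5140 naming the share the anonymous session reached. The following Python script is an added example, not part of the original notes or of NetExec itself; it parses a simplified key=value log export (the records are constructed for the example, and parse_event() is an assumed format you would adapt to your SIEM's field names) and ranks each source address by what the anonymous session actually got to.

```python
"""
Flag SMB null-session activity in Windows Security log exports.

Added example, not part of the original notes: anonymous (null) sessions
appear as Event ID 4624 / logon type 3 with account "ANONYMOUS LOGON"
and, with "Audit File Share" enabled, as Event ID 5140 naming the share.
The key=value export format and the records below are constructed here.
"""
import re
from collections import defaultdict

# Constructed sample records, one event per line (not real log data).
SAMPLE_LOG = r"""
EventID=4624 LogonType=3 AccountName=ANONYMOUS LOGON SourceAddress=10.0.0.50 Computer=DC01
EventID=5140 AccountName=ANONYMOUS LOGON SourceAddress=10.0.0.50 ShareName=\\*\IPC$ Computer=DC01
EventID=5140 AccountName=ANONYMOUS LOGON SourceAddress=10.0.0.50 ShareName=\\*\Public Computer=DC01
EventID=4624 LogonType=3 AccountName=alice SourceAddress=10.0.0.21 Computer=DC01
EventID=5140 AccountName=alice SourceAddress=10.0.0.21 ShareName=\\*\Finance Computer=DC01
EventID=4624 LogonType=3 AccountName=ANONYMOUS LOGON SourceAddress=10.0.0.77 Computer=FS01
"""

# Values may contain spaces ("ANONYMOUS LOGON"), so each value runs up to
# the next " Key=" token or the end of the line.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")
ANONYMOUS = "ANONYMOUS LOGON"


def parse_event(line):
    """Turn one key=value line into a dict; returns None for blank lines."""
    line = line.strip()
    if not line:
        return None
    return {key: value for key, value in FIELD_RE.findall(line)}


def find_null_sessions(log_text):
    """Group anonymous logons and anonymous share accesses by source address."""
    sessions = defaultdict(lambda: {"computers": set(), "logons": 0, "shares": set()})
    for line in log_text.splitlines():
        ev = parse_event(line)
        if not ev or ev.get("AccountName") != ANONYMOUS:
            continue
        src = ev.get("SourceAddress", "?")
        sessions[src]["computers"].add(ev.get("Computer", "?"))
        if ev.get("EventID") == "4624" and ev.get("LogonType") == "3":
            sessions[src]["logons"] += 1
        elif ev.get("EventID") == "5140":
            sessions[src]["shares"].add(ev.get("ShareName", "?"))
    return dict(sessions)


def assess(sessions):
    """Rank each source. A null session that reached a share other than IPC$
    means anonymous share access is actually permitted (the condition the
    --shares probes test for); IPC$ alone still allows RPC enumeration."""
    findings = []
    for src, info in sorted(sessions.items()):
        data_shares = {s for s in info["shares"] if not s.upper().endswith("IPC$")}
        if data_shares:
            severity = "HIGH"
        elif info["shares"]:
            severity = "MEDIUM"
        else:
            severity = "LOW"
        findings.append({"source": src, "severity": severity,
                         "computers": sorted(info["computers"]),
                         "logons": info["logons"],
                         "shares": sorted(data_shares)})
    return findings


if __name__ == "__main__":
    for finding in assess(find_null_sessions(SAMPLE_LOG)):
        print(finding)
```

A HIGH finding is the server-side view of a successful `--shares` listing over a null session; the usual fix is the Group Policy settings "Network access: Do not allow anonymous enumeration of SAM accounts and shares" and "Network access: Restrict anonymous access to Named Pipes and Shares", after which the same probes should yield only failed logons.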

Sharphound Ingest into Bloodhound

sudo apt-get install sharphound
Copy to target and execute to get zip file
Set up bloodhound instance on attacking machine:

PowerView.ps1

https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/refs/heads/master/Recon/PowerView.ps1

PowerUp.ps1

https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/refs/heads/master/PowerUp/PowerUp.ps1

Manual Service Enumeration

LDAP

ldapsearch -x -H ldap://$IP -b "dc=<domain>,dc=<tld>"

Enumerate DNS

gobuster dns -d domain.com -t 25 -w /usr/share/wordlists/Seclist/Discovery/DNS/subdomain-top2000.txt
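A wordlist scan like the gobuster command above produces a burst of queries for names that do not exist, so the resolver or authoritative server answers NXDOMAIN for most of them; counting NXDOMAIN answers per client in a short window, and how many distinct names were tried, separates a scan from a user mistyping one hostname. The following Python detector is an added example, not part of the original notes or of gobuster; the query log format and the records are constructed for the example (parse_line() is an assumed layout to adapt to your DNS server's actual log format), and the zone is approximated as the last two labels of the queried name.

```python
"""
Spot subdomain brute-forcing in DNS query logs by NXDOMAIN rate.

Added example, not part of the original notes. Log format and records are
constructed: "<ISO timestamp> <client> <qname> <qtype> <rcode>".
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample query log: one scanning client and one ordinary typo.
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.50 www.domain.com A NOERROR
2024-05-01T10:00:01 10.0.0.50 mail.domain.com A NOERROR
2024-05-01T10:00:01 10.0.0.50 dev.domain.com A NXDOMAIN
2024-05-01T10:00:01 10.0.0.50 test.domain.com A NXDOMAIN
2024-05-01T10:00:02 10.0.0.50 staging.domain.com A NXDOMAIN
2024-05-01T10:00:02 10.0.0.50 vpn.domain.com A NXDOMAIN
2024-05-01T10:00:02 10.0.0.50 admin.domain.com A NXDOMAIN
2024-05-01T10:00:03 10.0.0.50 intranet.domain.com A NOERROR
2024-05-01T10:00:15 10.0.0.21 wwww.domain.com A NXDOMAIN
2024-05-01T10:00:20 10.0.0.21 www.domain.com A NOERROR
"""


def parse_line(line):
    """Parse one record of the constructed format; returns None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, client, qname, qtype, rcode = parts
    return {"ts": datetime.fromisoformat(ts), "client": client,
            "qname": qname.lower().rstrip("."), "qtype": qtype, "rcode": rcode}


def zone_of(qname):
    """Approximate the zone as the last two labels (simplification for the example)."""
    return ".".join(qname.split(".")[-2:])


def detect_bruteforce(log_text, window=timedelta(seconds=60), threshold=5):
    """Alert when one client collects >= threshold distinct NXDOMAIN names
    under one zone within any sliding window of the given length."""
    nxdomain = defaultdict(list)  # (client, zone) -> [(timestamp, qname)]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["rcode"] == "NXDOMAIN":
            nxdomain[(rec["client"], zone_of(rec["qname"]))].append((rec["ts"], rec["qname"]))

    alerts = []
    for (client, zone), events in nxdomain.items():
        events.sort()
        best_names = set()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it fits within `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            names = {q for _, q in events[start:end + 1]}
            if len(names) > len(best_names):
                best_names = names
        if len(best_names) >= threshold:
            alerts.append({"client": client, "zone": zone,
                           "distinct_nxdomain": len(best_names),
                           "sample": sorted(best_names)[:5]})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

The threshold and window are deliberately low for the ten-line sample; on a real resolver, tune them against a baseline of normal NXDOMAIN volume per client, and treat the distinct-name count rather than the raw query count as the signal, since retries of one mistyped name inflate the latter.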

Check SMB Shares

RPCClient

rpcclient -U "" $IP

DNS