Initial access in Active Directory means reaching the first useful authentication primitive.
That primitive may be:
- a valid username
- readable SMB data
- a crackable AS-REP hash
- a cracked NetNTLMv2 hash
- a valid domain password
- a valid machine account credential
We do not jump straight into BloodHound, Kerberoasting, ACL abuse, delegation, ADCS, DCSync, or lateral movement here. Those require an authenticated foothold or belong to later attack paths.
Initial access answers one question:
How do we move from network access to the first valid domain identity?
Lab Variables
Use these values in the OOTW lab:
Domain: ootw.local
NetBIOS: OOTW
DC: 10.10.10.200
Kali: 10.10.10.100
Win10: 10.10.10.201
Set the working variables:
export DC=10.10.10.200
export DOMAIN=ootw.local
export NETBIOS=OOTW
Point Kali DNS at the DC or use explicit DC arguments in every command.
echo "nameserver 10.10.10.200" | sudo tee /etc/resolv.conf
Operator Flow
Work in this order:
1. Discover live hosts.
2. Identify the domain controller.
3. Check SMB null and Guest access.
4. Enumerate usernames.
5. Check password policy.
6. Try ASREP roasting.
7. Spray carefully if policy allows it.
8. Listen for LLMNR/NBT-NS/MDNS traffic.
9. Validate the first credential.
Do not run every technique blindly. Each step should produce a decision.
Evidence To Keep
Keep clean output files as the run progresses:
hosts.txt
dc.txt
users.txt
shares.txt
password-policy.txt
asrep.hashes
netntlmv2.hashes
valid-creds.txt
Do not mix raw guesses, discovered usernames, and confirmed credentials in one file.
Success Criteria
Initial access is complete when one of these is true:
- we authenticate to SMB, LDAP, WinRM, RDP, or MSSQL with a domain account
- we crack an ASREP hash and validate the password
- we crack a captured NetNTLMv2 hash and validate the password
- we authenticate with a machine account that can be used in a later path
After that, move to authenticated enumeration and credential access.