Enumeration & Discovery — From Kali

Quick Reference

Technique                        Tool                          Requires Creds
AD port scan                     nmap                          No
DNS SRV enumeration              dig / nslookup                No
LDAP anonymous bind              ldapsearch                    No
Full LDAP dump                   ldapdomaindump                No / Yes
SMB / user enumeration           enum4linux-ng                 No / Yes
AD enumeration Swiss Army knife  NetExec (nxc)                 No / Yes
Attack path mapping              bloodhound-python             Yes
Kerberos user enumeration        Kerbrute                      No
User / SID enumeration           lookupsid.py, GetADUsers.py   No / Yes
RPC enumeration                  rpcclient                     No / Yes
LDAP attribute queries           windapsearch                  Yes
Share content discovery          nxc spider_plus               Yes
adminCount / SPN / UAC flags     ldapsearch                    Yes

Environment Setup

Before attacking an AD environment from Kali, configure your local resolver and Kerberos client so that tools resolve domain names and locate the KDC correctly. ...
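The resolver and Kerberos client setup the post refers to, as an added example that is not part of the original post. The script writes the three fragments a Kali box needs (a hosts entry, a resolv.conf pointing at the DC, and a krb5.conf with the realm and an explicit KDC) into a local directory instead of /etc, so it can be run and inspected anywhere before copying the files over as root. The domain corp.example.local, the DC name dc01 and the address 10.10.10.5 are constructed placeholders.

```shell
#!/bin/sh
# Added example: generate the client-side resolver and Kerberos config
# needed before running Kerberos-aware AD tooling from Kali. Nothing under
# /etc is touched; review the files in OUT_DIR and install them yourself.

# Usage: write_ad_client_config OUT_DIR DOMAIN DC_HOSTNAME DC_IP
# Prints the Kerberos realm it derived so callers can check it.
write_ad_client_config() {
    out="$1"; domain="$2"; dc_host="$3"; dc_ip="$4"
    # Kerberos realm names are the DNS domain name in upper case.
    realm=$(printf '%s' "$domain" | tr '[:lower:]' '[:upper:]')
    dc_fqdn="$dc_host.$domain"
    mkdir -p "$out"

    # 1. Static name resolution. Tools that take -dc-ip still need the DC
    #    FQDN to resolve (Kerberos tickets are issued to the hostname), and
    #    mapping the bare domain name to the DC lets //domain/ style targets work.
    printf '%s %s %s %s\n' "$dc_ip" "$dc_fqdn" "$dc_host" "$domain" > "$out/hosts"

    # 2. Use the DC as resolver so SRV records (_ldap._tcp.dc._msdcs.<domain>)
    #    and the names of other domain members resolve.
    printf 'search %s\nnameserver %s\n' "$domain" "$dc_ip" > "$out/resolv.conf"

    # 3. Kerberos client config: default realm, explicit KDC as a fallback
    #    for when SRV lookup fails, and rdns off so reverse lookups cannot
    #    rewrite the service principal you asked for.
    cat > "$out/krb5.conf" <<EOF
[libdefaults]
    default_realm = $realm
    dns_lookup_kdc = true
    dns_lookup_realm = false
    rdns = false

[realms]
    $realm = {
        kdc = $dc_fqdn
        admin_server = $dc_fqdn
    }

[domain_realm]
    .$domain = $realm
    $domain = $realm
EOF
    printf '%s\n' "$realm"
}

# Checks to run once the files are installed. They need the lab network,
# so this only prints the commands rather than running them.
print_checks() {
    domain="$1"; dc_ip="$2"
    cat <<EOF
dig @$dc_ip +short SRV _ldap._tcp.dc._msdcs.$domain
dig @$dc_ip +short SRV _kerberos._tcp.$domain
nc -zv $dc_ip 88 389 445
EOF
}

# Demo run with the constructed placeholder values; writes only to ./ad-client-config.
OUT_DIR="./ad-client-config"
REALM=$(write_ad_client_config "$OUT_DIR" corp.example.local dc01 10.10.10.5)
echo "Wrote hosts, resolv.conf and krb5.conf for realm $REALM to $OUT_DIR"
print_checks corp.example.local 10.10.10.5
```

After installing the files, `kinit user@REALM` followed by `klist` is the quickest confirmation that the KDC is reachable and the realm mapping is right; if `kinit` complains that it cannot find the KDC for the realm, the hosts entry or the `[realms]` block is what to revisit.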

11 min · MrAzoth

Enumeration & Discovery — From Windows

Quick Reference

Technique                               Tool                           Privilege Needed
Domain / forest info                    Native AD cmdlets, PowerView   Domain user
User / group / computer enumeration     Get-ADUser, Get-DomainUser     Domain user
SPN discovery (Kerberoast candidates)   Get-ADUser, PowerView          Domain user
AdminSDHolder / privileged objects      Get-ADObject                   Domain user
ACL enumeration                         PowerView                      Domain user
Local admin discovery                   Find-LocalAdminAccess          Domain user
Share discovery                         Find-DomainShare, Snaffler     Domain user
Full graph collection                   SharpHound                     Domain user
Host recon                              Seatbelt                       Local user (some checks need admin)
Session enumeration                     SharpHound, NetSessionEnum     Local admin (remote hosts)
GPO enumeration                         PowerView                      Domain user
Trust mapping                           Get-DomainTrust, nltest        Domain user

Native AD Cmdlets

No third-party tooling required; these rely on the ActiveDirectory PowerShell module, which is present on domain-joined systems with RSAT installed or can be imported from a DC. ...

11 min · MrAzoth