
Conquering Active Directory for OSCP+: Essential Techniques and Strategies — Part 1

Jose Campo
3 min read · Oct 22, 2024

This is the first of a series of short articles written to assist with the Active Directory (AD) portion of the new OSCP+ exam format. The steps and suggestions here are just the tip of the iceberg. Please expand beyond these articles and utilize the PEN-200 material for a more comprehensive review. Most importantly, practice in a secure lab environment. “Hands-on” is the only way to truly learn all of this.

We begin in an assumed breach scenario: we are already connected to a network that can reach the AD domain, so there is no initial foothold to establish. We still need two things before we can go further: the network assets (the hosts, and in particular the domain controllers) and valid AD users. Users are only reachable through the hosts that serve the domain, so step #1 is identifying network assets, and once those are known, step #2 is finding suitable users. Let's look at how to obtain both.

Network Assets

nmap is the go-to tool for scanning networks and identifying connected devices. A second tool worth knowing for the host-discovery step is fping: it sends ICMP echo requests to every address in a range in parallel, so a /24 sweep finishes in seconds, and with -a it prints only the hosts that answered. Keep in mind that fping is a ping sweep, not a port scanner: a host whose firewall drops ICMP will not appear in its output, so confirm the list with an nmap scan that skips host discovery (-Pn) before you trust it. fping is packaged for Kali but may not be pre-installed; if it is missing, install it with:

sudo apt install fping
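The following script is an added example, not code from the original article: it wraps the fping sweep described above, normalizes the output into a clean host list, and then runs nmap with -Pn over the same range against the ports a domain controller typically listens on, so that a host which drops ICMP still shows up if it serves Kerberos or LDAP. The subnet 10.10.10.0/24, the output file names and the port list are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example, not from the original article. Host discovery for the
# assumed-breach scenario: fping sweep first, then an nmap scan of the
# ports a domain controller exposes. Range and file names are placeholders.

# extract_hosts: read fping output on stdin and emit one IP per line,
# sorted numerically by octet and de-duplicated. Handles plain "-a" output
# (bare IPs) and "-a -e" output ("10.10.10.3 (0.41 ms)"); fping's
# "ICMP Host Unreachable ..." messages do not start with an address at
# column one and are dropped.
extract_hosts() {
    grep -Eo '^([0-9]{1,3}\.){3}[0-9]{1,3}' \
        | sort -t. -k1,1n -k2,2n -k3,3n -k4,4n -u
}

# sweep: ICMP echo every address in a CIDR range. -a prints only alive
# hosts, -g expands the range; unreachable/timeout noise goes to stderr.
sweep() {
    fping -a -g "$1" 2>/dev/null | extract_hosts
}

# dc_ports: services a domain controller typically listens on (an assumed
# typical set, not taken from the article): DNS, Kerberos, RPC endpoint
# mapper, NetBIOS, LDAP, SMB, kpasswd, LDAPS, Global Catalog.
dc_ports="53,88,135,139,389,445,464,636,3268,3269"

# Only run the live tools when a range is given on the command line, e.g.:
#   sh ad_discovery.sh 10.10.10.0/24
if [ "$#" -ge 1 ]; then
    range="$1"
    hosts_file="alive_hosts.txt"
    command -v fping >/dev/null 2>&1 || {
        echo "fping not installed: sudo apt install fping" >&2
        exit 1
    }
    sweep "$range" > "$hosts_file"
    printf 'Alive hosts (%s):\n' "$(wc -l < "$hosts_file" | tr -d ' ')"
    cat "$hosts_file"
    # Scan the whole range with -Pn rather than only the fping list, so a
    # host that drops ICMP is still probed. Anything answering on 88 and
    # 389/3268 is a domain controller candidate; --open keeps the output
    # to hosts with at least one of these ports open.
    nmap -Pn -p "$dc_ports" --open "$range" -oA dc_candidates
fi
```

Run it as sh ad_discovery.sh 10.10.10.0/24; alive_hosts.txt feeds later enumeration steps, and dc_candidates.nmap/.gnmap/.xml record which hosts answered on the domain-controller ports.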


Responses (1)

Love it. I have been pentesting since 2017 and I always love to see how different folks approach AD testing. I also took the OSCP right before AD was added. So I'm curious to see how the techniques you mention for the OSCP and my real world workflow…