Conquering Active Directory for OSCP+: Essential Techniques and Strategies — Part 1
This is the first of a series of short articles written to assist with the Active Directory (AD) portion of the new OSCP+ exam format. The steps and suggestions here are just the tip of the iceberg. Please expand beyond these articles and utilize the PEN-200 material for a more comprehensive review. Most importantly, practice in a secure lab environment. “Hands-on” is the only way to truly learn all of this.
We begin in an assumed breach scenario: we are already connected to the same network as the AD environment. There is no need to establish an initial foothold, but we still need to identify two things before proceeding: network assets and AD users. User information lives on the hosts (domain controllers and domain-joined machines), so there are no users to enumerate until we know where those hosts are. Step #1 is therefore identifying network assets, and step #2 is finding valid users on them. Let's look at how to obtain both.
Network Assets
nmap is the go-to tool for scanning networks and identifying connected devices. A second, less commonly used tool for host discovery is fping. It sends ICMP echo requests to many hosts in parallel, so a quick "who is alive on this subnet" sweep finishes in a fraction of the time a full nmap scan takes. Keep its limitation in mind, though: a host whose firewall drops ICMP echo requests looks dead to fping, so it complements nmap rather than replaces it. fping should come pre-installed with Kali, but if not, you can install it using the following command:
sudo apt install fping