
Conquering Active Directory for OSCP+: Essential Techniques and Strategies — Part 2

Jose Campo
3 min read · Nov 4, 2024


This is the second of a series of short articles written to assist with the Active Directory (AD) portion of the new OSCP+ exam format. The steps and suggestions here are just the tip of the iceberg. Please expand beyond these articles and utilize the PEN-200 material for a more comprehensive review. Practice in a secure lab environment. “Hands-on” is the only way to truly learn all of this.

In the first article of this series, we discussed how to enumerate Active Directory (AD) users — a crucial first step for obtaining valid credentials. Now let’s look at how we can obtain some valid credentials.

In a recent blog post I compared nxc and DomainPasswordSpray, the latter being a Windows-based tool. Today, we will take a deeper look at the following tools:

  • Kerbrute
  • cewl

Kerbrute: A Stealthy Method for Credential Discovery

In the first article of this series, we covered how to use Kerbrute. Below is an example of its typical output, sourced from an HTB Academy module.
