Getting Started
This page walks through launching Ghostline and running a first enumeration end to end.
cd Ghostline
./ghostline.sh
You are shown a centered splash banner for a moment, then the Main Menu. Ghostline is fully keyboard driven: type the number of the entry you want and press Enter.
[1] Configuration Menu
[2] Passive Enumeration
[3] Active Enumeration
[4] Special Actions
[0] Exit
0 always goes back one level (and exits from the main menu). An invalid entry simply reprints the menu.
The current target, domain and user are displayed in the header of every menu, so you always know what you are pointed at.
Ghostline is a set of nested menus. There is no command line to memorize:
Main → Configuration → set Target / Domain / Credentials / Output
Main → Passive → pick a recon module
Main → Active → pick an authenticated module
Main → Special → workflow / vuln scan / secretsdump / view results
Every enumeration module is self-checking. Before it runs it verifies that:
- the values it needs (target, domain, credentials) are set, prompting you inline if not;
- the underlying tool is installed, warning you with an install hint if not.
This means you can jump straight into a module. If you forgot to set the target, it will ask for it on the spot.
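The same preflight pattern in POSIX sh, for use in your own wrapper scripts. This is an added example, not Ghostline's code: the function names (require_value, require_tool, run_module) and the TARGET variable are assumptions.

```sh
#!/bin/sh
# Added example: preflight checks in the style described above.
# All names here are hypothetical, not taken from ghostline.sh.

# require_value VAR "Prompt": ensure the variable named VAR is non-empty,
# asking for it inline when it is not. Returns 1 if it is still empty.
require_value() {
    _name=$1
    _prompt=$2
    # Accept only plain identifiers so the eval below cannot run injected text.
    case $_name in
        ''|[0-9]*|*[!A-Za-z0-9_]*) echo "[!] bad variable name" >&2; return 2 ;;
    esac
    eval "_current=\${$_name}"
    if [ -z "$_current" ]; then
        printf '%s: ' "$_prompt" >&2
        IFS= read -r _current || true
        [ -n "$_current" ] || { echo "[!] $_name is required" >&2; return 1; }
        eval "$_name=\$_current"
    fi
    return 0
}

# require_tool BIN "install hint": warn up front when the underlying tool
# is missing from PATH, instead of failing halfway through a run.
require_tool() {
    if ! command -v "$1" >/dev/null 2>&1; then
        echo "[!] $1 not found. Install hint: $2" >&2
        return 1
    fi
    return 0
}

# run_module BIN "install hint": gate a module on both checks before launch.
# The echo stands in for the real tool invocation.
run_module() {
    require_value TARGET "Target IP or hostname" || return 1
    require_tool "$1" "$2" || return 1
    echo "[+] would run $1 against $TARGET"
}
```
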
1. Set the target
Main → [1] Configuration → [1] Set Target → 192.168.56.10 → [0] Back
2. (Optional) set the domain for LDAP/DNS modules
Main → [1] Configuration → [2] Set Domain → corp.local → [0] Back
3. Run passive recon
Main → [2] Passive Enumeration → [1] Nmap Scan
→ [2] enum4linux-ng
→ [3] RPC null session
[0] Back to main
4. Review what you collected
Main → [4] Special Actions → [4] View Results
All output is saved under a directory like ad_enum_20231220_143022/ in your current working directory. See Output & Results.
1. Configure target + domain + credentials
Main → [1] Configuration → [1] Set Target → 192.168.56.10
→ [2] Set Domain → corp.local
→ [3] Set Credentials → user: john.doe / pass: ******
[0] Back
2. Collect BloodHound data
Main → [3] Active Enumeration → [1] BloodHound Collection
3. Enumerate shares and users with CrackMapExec
Main → [3] Active Enumeration → [2] CrackMapExec
Passwords are read silently (no echo) and held in memory for the session only. They are not written to a config file. Be aware that authenticated tools receive the password as a command-line argument, which is visible in the host's process list while the tool runs; see Legal & Safe Use.
A practical AD enumeration flow maps cleanly onto the menus:
- Passive first — Nmap to find which AD ports are open, then enum4linux-ng / rpcclient / anonymous LDAP to grab anything exposed without credentials.
- Get a foothold — once you have any valid credential, set it in Configuration.
- Active enumeration — BloodHound for attack paths, CrackMapExec for shares/users, GetNPUsers for AS-REP roasting.
- Special actions — run the automated workflow for a quick sweep, or secretsdump once you have privileged access.
Continue with Configuration.
Ghostline — Active Directory enumeration toolkit by Melvin PETIT · MIT License