This is a cheatsheet of tools and commands that I use to pentest Active Directory. It includes Windows, Impacket and PowerView commands, how to use Bloodhound and popular exploits such as Zerologon and NO-PAC.
See local accounts
net user
See all of the accounts in the domain
net user /domain
Check if an account is a Domain Admin
net user <account-name> domain
See groups in the AD domain
net group /domain
Sync the clock with the DC (Domain Controller).
ntpdate <dc-ip>
. .\PowerView.ps1
Information About The Domain
Get-NetDomain
Get-NetDomain-Controller
Get-Domain-Policy
See password rules
(Get-DomainPolicy).”system access”
Information about users Look for passwords/personal information in the description
Get-NetUser
Get-NetUser | select cn
Get-NetUser | select description
Get-NetUser | select samaccountname
Get-UserProperty -Properties pwdlastset
Get-UserProperty -Properties logoncount
Information About Computers
Get-NetComputer
Get-NetComputer -FullData
Get-NetGroup
Get-NetGroup -GroupName <group-name>
Get-NetGroup -GroupName “Domain Admins”
Get-NetGroupMember -GroupName “Domain Admins”
See SMB Shares
Invoke-ShareFinder
A few quick commands that I always use if I have no information about the machine
crackmapexec smb <ip>
crackmapexec smb <ip> -u ” -p ”
crackmapexec smb <ip> -u ‘guest’ -p ”
For more information click here.
garak checks if an LLM can be made to fail in a way we don't…
Vermilion is a simple and lightweight CLI tool designed for rapid collection, and optional exfiltration…
ADCFFS is a PowerShell script that can be used to exploit the AD CS container…
Tartufo will, by default, scan the entire history of a git repository for any text…
Loco is strongly inspired by Rails. If you know Rails and Rust, you'll feel at…
A data hoarder’s dream come true: bundle any web page into a single HTML file.…