This is a cheatsheet of tools and commands that I use to pentest Active Directory. It includes Windows, Impacket and PowerView commands, how to use Bloodhound and popular exploits such as Zerologon and NO-PAC.
See local accounts
net user
See all of the accounts in the domain
net user /domain
Check if an account is a Domain Admin
net user <account-name> domain
See groups in the AD domain
net group /domain
Sync the clock with the DC (Domain Controller).
ntpdate <dc-ip>
. .\PowerView.ps1
Information About The Domain
Get-NetDomain
Get-NetDomain-Controller
Get-Domain-Policy
See password rules
(Get-DomainPolicy).”system access”
Information about users Look for passwords/personal information in the description
Get-NetUser
Get-NetUser | select cn
Get-NetUser | select description
Get-NetUser | select samaccountname
Get-UserProperty -Properties pwdlastset
Get-UserProperty -Properties logoncount
Information About Computers
Get-NetComputer
Get-NetComputer -FullData
Get-NetGroup
Get-NetGroup -GroupName <group-name>
Get-NetGroup -GroupName “Domain Admins”
Get-NetGroupMember -GroupName “Domain Admins”
See SMB Shares
Invoke-ShareFinder
A few quick commands that I always use if I have no information about the machine
crackmapexec smb <ip>
crackmapexec smb <ip> -u ” -p ”
crackmapexec smb <ip> -u ‘guest’ -p ”
For more information click here.
Introduction Bash scripting is a powerful way to automate Linux tasks, but writing a script…
Introduction A self-signed SSL certificate is a certificate that is created and signed by the…
Introduction Debugging is an important part of Bash scripting. When a script does not work…
Introduction Cron jobs are used in Linux to run commands or Bash scripts automatically at…
Introduction Pipes are an important feature in Linux and Bash scripting. A pipe allows you…
Introduction The grep, awk, and sed commands are powerful text-processing tools in Linux. They are…