CheatSheet Active Directory

Initial Enumeration

Query the target's DNS server

Resolves a host name in the target domain and verifies the target's DNS configuration.

nslookup ns1.inlanefreight.com

Capture packets on the network interface

Useful for monitoring traffic such as Kerberos, SMB, or LLMNR/NBT-NS broadcasts on the chosen interface.

sudo tcpdump -i ens224

Start Responder in passive analysis mode

Responder listens for LLMNR, NBT-NS, and mDNS name requests, which it would otherwise poison to capture hashes; with -A (analyze mode) it only logs the requests and does not respond to them.

sudo responder -I ens224 -A

Ping sweep the specified network range

Quickly identifies live hosts in a subnet by sending ICMP echo requests (-a show only alive hosts, -s print a summary, -g generate targets from the range, -q quiet).

fping -asgq 172.16.5.0/23

Perform aggressive Nmap scan with OS and version detection

Uses default scripts and fingerprinting to enumerate services and OS details (-A enables OS detection, version detection, script scanning and traceroute; -iL reads targets from a file; -oN writes normal-format output).

sudo nmap -v -A -iL hosts.txt -oN /home/User/Documents/host-enum

Basic Windows Network Commands

net accounts                                      # Show local password and logon policy
net accounts /domain                              # Show domain-level password and lockout policy
net group /domain                                 # List all domain groups
net group "Domain Admins" /domain                 # List members of the Domain Admins group
net group "Domain Computers" /domain              # List all computers joined to the domain
net group "Domain Controllers" /domain            # List all Domain Controllers
net group "<domain_group_name>" /domain           # List members of a specific domain group (quote names containing spaces)
net groups /domain                                # List all domain groups (alias of net group)
net localgroup                                    # List all local groups on the system
net localgroup Administrators /domain             # List members of the Administrators group on the domain controller
net localgroup Administrators                     # List members of the local Administrators group
net localgroup Administrators <username> /add     # Add a user to the local Administrators group
net share                                         # View shared folders on the local machine
net user <ACCOUNT_NAME> /domain                   # Get information about a domain user
net user /domain                                  # List all users in the domain
net user %username%                               # View information about the currently logged-in user
net use x: \\computer\share                       # Map a shared folder as a network drive
net view                                          # List visible computers in the network
net view /all /domain[:domainname]                # View all shared resources and computers in a specific domain
net view \\computer /ALL                          # List all shared folders on a specific computer
net view /domain                                  # List all visible domains/workgroups

Password Spraying and Password Policies

Enumerate password policy using CrackMapExec

Displays the domain password policy, such as the lockout threshold and minimum password length.

crackmapexec smb 172.16.5.5 -u avazquez -p Password123 --pass-pol

Connect to SMB using null session

Opens an anonymous (null) SMB session with no username and no password; misconfigured domain controllers expose domain information over it.

rpcclient -U "" -N 172.16.5.5

Enumerate password policy inside rpcclient

Run at the rpcclient prompt once connected; returns general domain information (domain name, user and group counts), and getdompwinfo at the same prompt prints the password policy itself.

querydominfo

Enumerate password policy using enum4linux

Older but still useful tool that collects AD-related information over SMB; -P retrieves the password policy.

enum4linux -P 172.16.5.5

Use enum4linux-ng and export results

Modern rewrite of enum4linux; -oA writes the results as both JSON and YAML files with the given base name.

enum4linux-ng -P 172.16.5.5 -oA ilfreight

Enumerate password policy via LDAP

Anonymous (-x) LDAP search of the whole domain subtree; grep stops at the first pwdHistoryLength match (-m 1) and prints the ten lines before it (-B 10), where the rest of the domain's password policy attributes appear.

ldapsearch -h 172.16.5.5 -x -b "DC=INLANEFREIGHT,DC=LOCAL" -s sub "*" | grep -m 1 -B 10 pwdHistoryLength

Check password policy on a Windows host

Local command that reveals the domain-linked policy when run from a domain-joined machine.

net accounts
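As an added example that is not part of the original cheat sheet, the following Python parses a saved `net accounts` / `net accounts /domain` capture and flags settings that leave the domain weak against password spraying; the sample output and the baseline thresholds are constructed for the example, not values the cheat sheet cites.

```python
"""Audit a `net accounts /domain` capture for weak password and lockout settings."""

# Constructed sample in the layout `net accounts` prints; not captured from any real host.
SAMPLE_OUTPUT = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          1
Maximum password age (days):                          42
Minimum password length:                              7
Length of password history maintained:                24
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        PRIMARY
The command completed successfully.
"""

# Baseline used by this example (an assumption, not a value the cheat sheet cites).
MIN_PASSWORD_LENGTH = 14
MAX_LOCKOUT_THRESHOLD = 10


def parse_net_accounts(text):
    """Return {setting: value}; numeric values become int, others stay strings."""
    policy = {}
    for line in text.splitlines():
        if ":" not in line:
            continue  # skips blank lines and the trailing status line
        key, _, value = line.rpartition(":")  # rpartition because a key may contain '?'
        value = value.strip()
        policy[key.strip()] = int(value) if value.isdigit() else value
    return policy


def find_weak_settings(policy):
    """Return findings for settings below the baseline; an empty list means nothing flagged."""
    findings = []
    length = policy.get("Minimum password length", 0)
    if length < MIN_PASSWORD_LENGTH:
        findings.append(f"minimum password length {length} is below {MIN_PASSWORD_LENGTH}")
    threshold = policy.get("Lockout threshold", "Never")
    if threshold == "Never":
        findings.append("lockout threshold is Never: failed logons are never limited")
    elif isinstance(threshold, int) and threshold > MAX_LOCKOUT_THRESHOLD:
        findings.append(f"lockout threshold {threshold} is above {MAX_LOCKOUT_THRESHOLD}")
    return findings


if __name__ == "__main__":
    for finding in find_weak_settings(parse_net_accounts(SAMPLE_OUTPUT)):
        print("WEAK:", finding)
```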

Import PowerView in PowerShell

Loads the PowerView module for domain enumeration.

Import-Module .\PowerView.ps1

Get domain password policy using PowerView

Displays the Default Domain Policy, including its password and lockout settings.

Get-DomainPolicy

User Enumeration

Enumerate users using enum4linux

Lists domain users over an SMB null session; -U enumerates users and grep keeps only the user lines.

enum4linux -U 172.16.5.5 | grep "user:"

Connect to RPC service using null session

Establishes an anonymous (null) RPC connection for enumerating domain information.

rpcclient -U "" -N 172.16.5.5

Enumerate domain users inside rpcclient

Once connected, this command lists all domain users.

enumdomusers

Discover users using CrackMapExec

Lists the users of the target domain over SMB.

crackmapexec smb 172.16.5.5 --users

Enumerate users via LDAP

Anonymous LDAP search for every object of class user, with grep keeping only the sAMAccountName lines; the (&(...)) wrapper around a single term is equivalent to (objectclass=user).

ldapsearch -h 172.16.5.5 -x -b "DC=INLANEFREIGHT,DC=LOCAL" -s sub "(&(objectclass=user))" | grep sAMAccountName:

Discover users using windapsearch.py

Simple Python script for LDAP enumeration of user accounts; -u "" binds anonymously and -U enumerates all users.

./windapsearch.py --dc-ip 172.16.5.5 -u "" -U

Security Control Enumeration

Check Windows Defender status

Shows whether Defender is active on the system, including real-time protection state and signature age.

Get-MpComputerStatus

Check effective AppLocker policies

Lists the currently enforced AppLocker rules on the system.

Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections

Check current PowerShell language mode

Shows the PowerShell session's language mode (e.g., FullLanguage versus ConstrainedLanguage, which restricts what scripts can call).

$ExecutionContext.SessionState.LanguageMode

Find delegated LAPS groups

LAPSToolkit function that checks which AD groups have been delegated read rights to LAPS-managed passwords.

Find-LAPSDelegatedGroups

Check extended rights on LAPS-enabled computers

LAPSToolkit function that finds users or groups holding the extended right to read LAPS passwords.

Find-AdmPwdExtendedRights

Find LAPS-enabled computers

LAPSToolkit function that lists all AD computer objects managed by LAPS.

Get-LAPSComputers

Check Windows Defender status using CMD

Command-line method to check whether the Windows Defender service (WinDefend) is running.

sc query windefend