Active Directory findings

This is my reference sheet for tools and stuff I may need to look up when doing an AD pentest. If you find this interesting, feel free to browse. If you don’t, well… hi.

If you find something missing, please let me know!

Active Directory Reconnaissance

Without creds

  • Nmap (with ALL the flags)
  • Firefox (for checking out all those websites that may pop up)
  • whatweb (to check out what the website is running on)
  • nikto (a full-blown vuln-scan against websites)
  • responder (pick up some hashes while I’m here)
  • smbclient

With creds

  • WinPEAS (who knows, might lead somewhere)
  • crackmapexec (see where the same login applies)


  • PHP webshells (if there’s a box that can interpret it, noice)
  • msfvenom


  • PowerShell Empire (I really only worked with this one so far)
  • Starkiller to go with Empire
  • SilentTrinity (maybe? I dunno, I keep hearing about it)