# Active Directory

- [Reconnaissance](https://aas-s3curity.gitbook.io/cheatsheet/internalpentest/active-directory/reconnaissance.md)
- [Find Domain Name](https://aas-s3curity.gitbook.io/cheatsheet/internalpentest/active-directory/reconnaissance/find-domain-name.md)
- [Find Domain Controllers](https://aas-s3curity.gitbook.io/cheatsheet/internalpentest/active-directory/reconnaissance/find-domain-controllers.md)
- [Enumerating Machines](https://aas-s3curity.gitbook.io/cheatsheet/internalpentest/active-directory/reconnaissance/enumerating-machines.md): During an internal penetration test, it is important to enumerate live machines in order to map the perimeter properly.
- [Enumerating Services](https://aas-s3curity.gitbook.io/cheatsheet/internalpentest/active-directory/reconnaissance/enumerating-services.md): We cannot enumerate every port on every machine during an internal assessment (because of the allotted time). We have to choose specific ports (SMB, web ports, administrative ports, etc.).
- [DNS Enumeration](https://aas-s3curity.gitbook.io/cheatsheet/internalpentest/active-directory/reconnaissance/dns-enumeration.md): DNS enumeration is an important step in mapping the perimeter.
- [Exploitation](https://aas-s3curity.gitbook.io/cheatsheet/internalpentest/active-directory/exploitation.md)
- [Exploit Without Account](https://aas-s3curity.gitbook.io/cheatsheet/internalpentest/active-directory/exploitation/exploit-without-account.md)
- [SMB Relay](https://aas-s3curity.gitbook.io/cheatsheet/internalpentest/active-directory/exploitation/exploit-without-account/smb-relay.md): This page deals with gaining code execution by relaying NTLMv1/2 hashes in a very effective manner.
- [Exploit With Account](https://aas-s3curity.gitbook.io/cheatsheet/internalpentest/active-directory/exploitation/exploit-with-account.md)
- [Kerberoast Attack](https://aas-s3curity.gitbook.io/cheatsheet/internalpentest/active-directory/exploitation/exploit-with-account/kerberoast-attack.md): This page deals with compromising Active Directory with the Kerberoast attack.
- [Post-Exploitation](https://aas-s3curity.gitbook.io/cheatsheet/internalpentest/active-directory/post-exploitation.md)
- [Extracting Credentials](https://aas-s3curity.gitbook.io/cheatsheet/internalpentest/active-directory/post-exploitation/extracting-credentials.md)
- [Retrieve Windows passwords](https://aas-s3curity.gitbook.io/cheatsheet/internalpentest/active-directory/post-exploitation/extracting-credentials/windows-clear-text-credentials.md): This page deals with retrieving Windows clear-text credentials from memory and WDigest.
- [Retrieve Windows hashes](https://aas-s3curity.gitbook.io/cheatsheet/internalpentest/active-directory/post-exploitation/extracting-credentials/retrieve-windows-hashes.md): This page deals with retrieving Windows hashes (NTLM, NTLMv1/v2, MSCASHv1/v2).
- [Maintaining Access](https://aas-s3curity.gitbook.io/cheatsheet/internalpentest/active-directory/post-exploitation/maintening-access.md)
- [Adding Local Administrator](https://aas-s3curity.gitbook.io/cheatsheet/internalpentest/active-directory/post-exploitation/maintening-access/adding-local-administrator.md): Adding a local administrator on a machine is a very effective way to maintain access to a machine.
- [Lateral Movement](https://aas-s3curity.gitbook.io/cheatsheet/internalpentest/active-directory/post-exploitation/lateral-movement.md)
- [SMB protocol](https://aas-s3curity.gitbook.io/cheatsheet/internalpentest/active-directory/post-exploitation/lateral-movement/smb-protocol.md): This page deals with lateral movement using the SMB protocol.

