# 3 - AD Enumeration
### Topics
> 1. [Host & User Identification](/crtp-notes/readme/network-security-1/2.1.md)
> 2. [Common Services Enumeration](/crtp-notes/readme/network-security-1/3.2-common-services-enum.md)
> 3. [Domain Enumeration](/crtp-notes/readme/network-security-1/3.3-domain-enumeration.md)
[AD Enumeration Lab](https://dev-angelist.gitbook.io/writeups-and-walkthroughs/homemade-labs/active-directory/ad-enumeration)
{% hint style="danger" %}
#### ❗ Disclaimer
**Never use tools and techniques on real IP addresses, hosts or networks without proper authorization!**❗
{% endhint %}
### AD **Enumeration**
Active Directory (AD) is the backbone of many enterprise IT infrastructures, managing user authentication, authorization, and resource access. During penetration testing or red team engagements, **enumerating Active Directory** is a critical step for gathering intelligence about the environment. This process involves systematically identifying valuable information that can be used to map out the network, discover potential attack paths, and exploit misconfigurations or vulnerabilities.
**Why Enumerate Active Directory?** Active Directory is complex and interconnected, making it a prime target for attackers. Enumeration helps uncover:
* Domain structure and trust relationships.
* User accounts, groups, and their permissions.
* Domain Controllers (DCs) and critical services like DNS, LDAP, SMB, and Kerberos.
* Misconfigurations, such as weak passwords, open shares, and insecure policies.
**Key Enumeration Goals:**
1. **Map the Environment:** Identify key assets, including Domain Controllers and critical servers.
2. **Identify Users:** Discover domain accounts and their roles.
3. **Assess Permissions:** Look for overprivileged users, groups, or objects.
4. **Locate Weaknesses:** Misconfigurations, legacy systems, or unpatched vulnerabilities.
5. **Set the Stage for Attacks:** Gather the information needed for credential attacks, privilege escalation, or lateral movement.
**Common Enumeration Tools and Techniques:** Enumeration can be performed using a variety of tools and techniques, including:
* **Nmap** for network scanning and service discovery.
* **SMB and LDAP enumeration** tools to query shared resources and directory structures.
* **BloodHound** for mapping AD relationships and privilege escalation paths.
* **Kerberos-based tools** like Kerbrute to discover valid accounts through pre-authentication failures.
* **PowerShell scripts** for gathering system and domain information.
**Reconnaissance Without Credentials:** Even without valid domain credentials, attackers can leverage null sessions, misconfigured services, and network discovery tools to gain valuable information. These findings often serve as a foothold to further access.
## Labs
Refers to [Learning Object 1](/crtp-notes/readme/lab/1-lo-1.md) and [Learning Object 3](/crtp-notes/readme/lab/3-lo-3.md) labs
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://dev-angelist.gitbook.io/crtp-notes/readme/network-security-1.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.