Certified Red Team Professional (CRTP) - Notes
HomeGitHubPortfolioTwitter/XMediumCont@ct
  • 📝Certified Red Team Professional (CRTP) - Notes
    • ℹ️0 - Course Summary
    • 1️⃣1 - Active Directory (AD)
      • 1.1 - Introduction to Active Directory (AD)
      • 1.2 - Physical Components of AD
      • 1.3 - Logical Components of AD
    • 2️⃣2 - PowerShell
      • 2.1 - Introduction to PowerShell
      • 2.2 - Security and Detection
    • 3️⃣3 - AD Enumeration
      • 3.1 - Host & User Identification
      • 3.2 - Common Services Enum
        • 3.2.1 - LDAP & DNS Enum
        • 3.2.2 - SMB Enum & Common Attacks
      • 3.3 - Domain Enumeration
        • 3.3.1 - PowerView
          • 3.3.1.1 - Domain Enumeration (Video Lab)
        • 3.3.2 - BloodHound
    • 4️⃣4 - Trust and Privileges Mapping
      • 4.1 - Access Control (ACL/ACE)
      • 4.2 - Group Policy
      • 4.3 - Trusts
    • 5️⃣5 - Local Privilege Escalation
      • 5.1 - Privilege Escalation
        • 5.1.1 - Feature Abuse
        • 5.1.2 - Relaying
        • 5.1.3 - GPO Abuse
        • 5.1.4 - Unquoted Service Path
      • 5.2 - Tools
    • 7️⃣6 - Lateral Movement
      • 6.1 - PowerShell Remoting & Tradecraft
      • 6.2 - Credentials Extraction & Mimikatz
    • 9️⃣7 - Kerberos Attack and Privelege Escalation
      • 7.1 - Kerberos Intro
      • 7.2 - User Enum in Kerberos
      • 7.3 - AS-REP Roasting
      • 7.4 - Kerberoasting
      • 7.5 - Kerberos Delegation
        • Uncostrained Delegation
        • Constrained Delegation
      • 7.6 - Accross Trusts
        • Page
        • External Trust
        • Forest
        • Domain Trust
    • 8️⃣8 - Persistence
      • 8.1 - Golden Ticket
      • 8.2 - Silver Ticket
      • 8.3 - Diamond Ticket
      • 8.4 - Skeleton Key
      • 8.5 - DSRM
      • 8.6 - Custom SSP
      • 8.7 - Persistence via ACLs
        • 8.7.1 - AdminSDHolder
        • 8.7.2 - DCSync Attack
        • 8.7.3 - Security Descriptors
    • 9️⃣9 - Detection and Defense
    • Lab
      • 0 - Lab Instructions
      • 1 - LO 1️
      • 2 - LO2️
      • 3 - LO 3️
      • 4 - LO 4️
      • 5 - LO 5️
      • 6 - LO 6️
      • 7 - LO 7️
      • 8 - LO8️
      • 9 - LO9️
      • 10 - LO1️0️
      • 11 - LO1️1️
      • 12 - LO1️2️
      • 13 - LO1️3️
      • 14 - LO1️4️
      • 15 - LO1️5️
      • 16 - LO1️6️
      • 17 - LO1️7️
      • 18 - LO1️8️
      • 19 - LO1️9️
      • 20 - LO2️0️
      • 21 - LO2️1️
      • 22 - LO 2️2️
      • 23 - LO2️3️
    • 📄Report
      • How to write a PT Report
  • 🛣️RoadMap / Exam Preparation
  • 📔CRTP Cheat Sheet
Powered by GitBook
On this page
  • Topics
  • AD Enumeration
  • Labs
  1. Certified Red Team Professional (CRTP) - Notes

3 - AD Enumeration

Previous2.2 - Security and DetectionNext3.1 - Host & User Identification

Last updated 1 month ago

Topics

❗ Disclaimer

Never use tools and techniques on real IP addresses, hosts or networks without proper authorization!❗

AD Enumeration

Active Directory (AD) is the backbone of many enterprise IT infrastructures, managing user authentication, authorization, and resource access. During penetration testing or red team engagements, enumerating Active Directory is a critical step for gathering intelligence about the environment. This process involves systematically identifying valuable information that can be used to map out the network, discover potential attack paths, and exploit misconfigurations or vulnerabilities.

Why Enumerate Active Directory? Active Directory is complex and interconnected, making it a prime target for attackers. Enumeration helps uncover:

  • Domain structure and trust relationships.

  • User accounts, groups, and their permissions.

  • Domain Controllers (DCs) and critical services like DNS, LDAP, SMB, and Kerberos.

  • Misconfigurations, such as weak passwords, open shares, and insecure policies.

Key Enumeration Goals:

  1. Map the Environment: Identify key assets, including Domain Controllers and critical servers.

  2. Identify Users: Discover domain accounts and their roles.

  3. Assess Permissions: Look for overprivileged users, groups, or objects.

  4. Locate Weaknesses: Misconfigurations, legacy systems, or unpatched vulnerabilities.

  5. Set the Stage for Attacks: Gather the information needed for credential attacks, privilege escalation, or lateral movement.

Common Enumeration Tools and Techniques: Enumeration can be performed using a variety of tools and techniques, including:

  • Nmap for network scanning and service discovery.

  • SMB and LDAP enumeration tools to query shared resources and directory structures.

  • BloodHound for mapping AD relationships and privilege escalation paths.

  • Kerberos-based tools like Kerbrute to discover valid accounts through pre-authentication failures.

  • PowerShell scripts for gathering system and domain information.

Reconnaissance Without Credentials: Even without valid domain credentials, attackers can leverage null sessions, misconfigured services, and network discovery tools to gain valuable information. These findings often serve as a foothold to further access.

Labs

Refers to and labs

📝
3️⃣
Host & User Identification
Common Services Enumeration
Domain Enumeration
AD Enumeration Lab
Learning Object 1
Learning Object 3