AD Enumeration
Active Directory (AD) is the backbone of many enterprise IT infrastructures, managing user authentication, authorization, and resource access. During penetration testing or red team engagements, enumerating Active Directory is a critical step for gathering intelligence about the environment. This process involves systematically identifying valuable information that can be used to map out the network, discover potential attack paths, and exploit misconfigurations or vulnerabilities.
Why Enumerate Active Directory?
Active Directory is complex and interconnected, making it a prime target for attackers. Enumeration helps uncover:
Domain structure and trust relationships.
User accounts, groups, and their permissions.
Domain Controllers (DCs) and critical services like DNS, LDAP, SMB, and Kerberos.
Misconfigurations, such as weak passwords, open shares, and insecure policies.
Key Enumeration Goals:
Map the Environment: Identify key assets, including Domain Controllers and critical servers.
Identify Users: Discover domain accounts and their roles.
Assess Permissions: Look for overprivileged users, groups, or objects.
Locate Weaknesses: Misconfigurations, legacy systems, or unpatched vulnerabilities.
Set the Stage for Attacks: Gather the information needed for credential attacks, privilege escalation, or lateral movement.
Common Enumeration Tools and Techniques:
Enumeration can be performed using a variety of tools and techniques, including:
Nmap for network scanning and service discovery.
SMB and LDAP enumeration tools to query shared resources and directory structures.
BloodHound for mapping AD relationships and privilege escalation paths.
Kerberos-based tools like Kerbrute to discover valid accounts through pre-authentication failures.
PowerShell scripts for gathering system and domain information.
Reconnaissance Without Credentials: Even without valid domain credentials, attackers can leverage null sessions, misconfigured services, and network discovery tools to gain valuable information. These findings often serve as a foothold to further access.
Host Identification
Fping
The fping tool allows quick identification of active hosts within a network range. For instance:
fping -asgq 192.168.1.0/24
Parameters Explained:
-a: Display only active hosts.
-s: Print statistics at the end of the scan.
-g: Generate the list of destinations from a CIDR network range.
-q: Suppress per-host output.
Once the scan is complete, you can create a list of active hosts for further enumeration.
Nmap
nmap can also be used to perform a Ping Scan for host discovery:
sudo nmap -sn 192.168.1.0/24
Parameters Explained:
-sn: Skip port scanning and focus on host discovery by sending ICMP echo requests.
This scan provides a list of active hosts within the network. After identifying live hosts, we can move to detailed enumeration to identify services, critical hosts (e.g., domain controllers, web servers), and potential vulnerabilities.
Nmap Advanced Scans
Enumerate Active Hosts from a List
sudo nmap -v -A -iL hosts.txt -oN hostEnum
-v: Increase verbosity.
-A: Perform OS detection, version detection, script scanning, and traceroute.
-iL: Input file containing the list of target hosts.
-oN: Save results in normal (human-readable) output format.
Comprehensive Port Scan
nmap -p- -sS --open --min-rate 5000 -vvv -Pn -n 192.168.1.10 -oG scanPorts
-p-: Scan all 65,535 ports.
-sS: Perform a TCP SYN scan.
--open: Display only open ports.
--min-rate 5000: Ensure a minimum scan rate of 5000 packets per second.
-Pn: Skip the host discovery (ping) check.
-n: Skip DNS resolution.
-oG: Save results in greppable format for easy parsing.
Targeted Service Scan
nmap -sCV -p <PORTS> 192.168.1.10 -oN targeted
-sCV: Perform service and version detection, and run the default scripts.
-p: Specify the ports to scan.
User Identification
Obtaining Valid Domain Users
Using Kerbrute
Kerbrute is a stealthy tool for enumerating domain accounts by exploiting Kerberos pre-authentication failures, which often avoid logging or alerts:
kerbrute userenum -d DC.LOCAL --dc 192.168.1.1 usernames.txt -o valid_ad_users.txt
Extract valid usernames from results:
cat valid_ad_users.txt | awk -F "VALID USERNAME:\t" '{print $2}' | tr -d ' ' | sed '/^$/d' | awk -F '@' '{print $1}' | tee users.txt
Checking for Passwords Matching Usernames
Some users may have their username as their password. The original command used bruteuser with two files, which is not a valid invocation; kerbrute's passwordspray mode with --user-as-pass performs this check:
kerbrute passwordspray -d DC.LOCAL --dc 192.168.1.1 --user-as-pass usernames.txt
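From the defender's side, an added example that is not part of the original page: when "Audit Kerberos Authentication Service" is enabled, a domain controller records every TGT request as Event ID 4768, and a request for an account that does not exist fails with result code 0x6, so a burst of 0x6 failures for many distinct names from one source is the footprint of username enumeration. The JSON-lines events below are constructed, and the field names, window and threshold are assumptions to adapt to your collector.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Security-log Event ID 4768 records exported as JSON lines
# by a log collector (field names assumed); not real data. Status 0x6 means
# KDC_ERR_C_PRINCIPAL_UNKNOWN: the requested account does not exist.
SAMPLE_EVENTS = """\
{"TimeCreated":"2025-02-21T18:19:50Z","EventID":4768,"TargetUserName":"jdoe","IpAddress":"::ffff:192.168.57.20","Status":"0x0"}
{"TimeCreated":"2025-02-21T18:20:01Z","EventID":4768,"TargetUserName":"aaron","IpAddress":"::ffff:192.168.57.5","Status":"0x6"}
{"TimeCreated":"2025-02-21T18:20:01Z","EventID":4768,"TargetUserName":"abby","IpAddress":"::ffff:192.168.57.5","Status":"0x6"}
{"TimeCreated":"2025-02-21T18:20:02Z","EventID":4768,"TargetUserName":"adam","IpAddress":"::ffff:192.168.57.5","Status":"0x6"}
{"TimeCreated":"2025-02-21T18:20:03Z","EventID":4768,"TargetUserName":"alex","IpAddress":"::ffff:192.168.57.5","Status":"0x6"}
{"TimeCreated":"2025-02-21T18:20:03Z","EventID":4768,"TargetUserName":"amy","IpAddress":"::ffff:192.168.57.5","Status":"0x6"}
{"TimeCreated":"2025-02-21T18:25:00Z","EventID":4768,"TargetUserName":"jdo","IpAddress":"::ffff:192.168.57.20","Status":"0x6"}
"""

def detect_username_enumeration(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {source_ip: count} for sources that requested TGTs for at least
    `threshold` distinct non-existent accounts (Status 0x6) within `window`.
    A single typo (one 0x6 from a workstation) stays below the threshold."""
    per_source = defaultdict(list)  # ip -> [(time, username)]
    for line in lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("EventID") != 4768 or ev.get("Status") != "0x6":
            continue
        ts = datetime.strptime(ev["TimeCreated"], "%Y-%m-%dT%H:%M:%SZ")
        per_source[ev["IpAddress"]].append((ts, ev["TargetUserName"].lower()))
    alerts = {}
    for ip, events in per_source.items():
        events.sort()
        # Sliding window over the time-ordered events: count distinct unknown
        # names whose timestamps fall within `window` of each other.
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            names = {name for _, name in events[start:end + 1]}
            if len(names) >= threshold:
                alerts[ip] = max(alerts.get(ip, 0), len(names))
    return alerts

if __name__ == "__main__":
    for ip, count in detect_username_enumeration(SAMPLE_EVENTS).items():
        print(f"possible username enumeration from {ip}: {count} unknown accounts")
```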
SMB Enumeration
Netexec
Enumerate Domain Machines for SMB Signing
nxc smb 192.168.1.0/24
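An added example (not from the original page) that turns the host lines nxc prints for a subnet into a hardening list: hosts that do not require SMB signing and hosts that still accept SMBv1. The output sample is constructed, and the line layout is assumed to match nxc's current "(signing:...) (SMBv1:...)" formatting.

```python
import re

# Constructed sample of "nxc smb 192.168.1.0/24" output; not real scan data.
# Each host line ends with the flags nxc prints for SMB signing and SMBv1 support.
SAMPLE_NXC = """\
SMB         192.168.1.1     445    DC01             [*] Windows Server 2019 Build 17763 x64 (name:DC01) (domain:DC.LOCAL) (signing:True) (SMBv1:False)
SMB         192.168.1.20    445    FS01             [*] Windows Server 2016 Build 14393 x64 (name:FS01) (domain:DC.LOCAL) (signing:False) (SMBv1:True)
SMB         192.168.1.31    445    WS-ALICE         [*] Windows 10 Build 19041 x64 (name:WS-ALICE) (domain:DC.LOCAL) (signing:False) (SMBv1:False)
"""

# Layout assumed: protocol, ip, port, hostname, "[*]", OS banner, then the flag groups.
HOST_LINE = re.compile(
    r"^SMB\s+(?P<ip>\S+)\s+(?P<port>\d+)\s+(?P<host>\S+)\s+\[\*\]\s+(?P<os>.*?)\s+"
    r"\(name:(?P<name>[^)]+)\)\s+\(domain:(?P<domain>[^)]+)\)\s+"
    r"\(signing:(?P<signing>True|False)\)\s+\(SMBv1:(?P<smbv1>True|False)\)"
)

def parse_nxc_smb(text):
    """Return one dict per host line with signing/SMBv1 parsed to booleans."""
    hosts = []
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if not m:
            continue  # banners, errors and share listings are not host lines
        d = m.groupdict()
        d["signing"] = d["signing"] == "True"
        d["smbv1"] = d["smbv1"] == "True"
        hosts.append(d)
    return hosts

def hardening_findings(text):
    """Map each host that needs attention to its findings: signing not required
    (the setting "Microsoft network server: Digitally sign communications (always)"
    should be enabled) and/or the deprecated SMBv1 dialect still enabled."""
    findings = {}
    for h in parse_nxc_smb(text):
        issues = []
        if not h["signing"]:
            issues.append("SMB signing not required")
        if h["smbv1"]:
            issues.append("SMBv1 enabled")
        if issues:
            findings[h["ip"]] = issues
    return findings

if __name__ == "__main__":
    for ip, issues in hardening_findings(SAMPLE_NXC).items():
        print(ip, "->", "; ".join(issues))
```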
Validate Credentials
nxc smb 192.168.1.1 -u 'jdoe' -p 'Password123'
Find Valid Machines for Connection
nxc smb 192.168.1.0/24 -u 'jdoe' -p 'Password123'
Enumerate Shared Resources
nxc smb 192.168.1.1 -u 'jdoe' -p 'Password123' --shares
Enumerate Users and Groups
nxc smb 192.168.1.1 -u 'jdoe' -p 'Password123' --users
nxc smb 192.168.1.1 -u 'jdoe' -p 'Password123' --groups
Dump LSA and NTDS
If you have domain admin privileges:
nxc smb 192.168.1.1 -u 'jdoe' -p 'Password123' --lsa
nxc smb 192.168.1.1 -u 'jdoe' -p 'Password123' --ntds
LDAP Enumeration
LdapSearch
Perform anonymous or credentialed enumeration of the LDAP directory:
ldapsearch -H ldap://192.168.1.1 -x -s base namingcontexts
ldapsearch -H ldap://192.168.1.1 -D 'jdoe@DC.LOCAL' -w 'Password123' -x -b "DC=DC,DC=LOCAL"
LdapDomainDump
Dump LDAP data in JSON and HTML formats for easier analysis:
ldapdomaindump -u 'DC.LOCAL\jdoe' -p 'Password123' 192.168.1.1
BloodHound
Option 1: Using bloodhound.py
python3 bloodhound.py -u 'jdoe' -p 'Password123' -d DC.LOCAL -ns 192.168.1.1 --zip -c All
Option 2: Using SharpHound.ps1
Download SharpHound.ps1, upload it to the target and run:
Import-Module .\SharpHound.ps1
Invoke-BloodHound -CollectionMethod All
Option 3: Using SharpHound.exe
Run directly:
.\SharpHound.exe -c all
Download the resulting .zip file and upload it to BloodHound for analysis.
PowerView
PowerView is a versatile PowerShell tool specifically designed for Active Directory reconnaissance. Part of the PowerSploit framework, it allows penetration testers and red teamers to perform in-depth enumeration of AD environments. PowerView provides a comprehensive suite of cmdlets to gather information about users, groups, computers, permissions, trust relationships, and more.
PowerView Usage
Get Domain Information
Get-NetDomain
Retrieves information about the current domain.
Enumerate Domain Controllers
Get-NetDomainController
Lists all Domain Controllers in the current domain.
List Domain Users
Get-NetUser
Displays all users in the domain, along with detailed attributes.
Find High-Value Targets
Get-NetUser -AdminCount 1
Lists all users flagged as administrators.
Enumerate Domain Groups
Get-NetGroup
Retrieves all domain groups.
Get-NetGroupMember -GroupName "Domain Admins"
Lists members of the "Domain Admins" group.
Locate Domain Computers
Get-NetComputer
Lists all computers in the domain.
Analyze Trust Relationships
Get-NetDomainTrust
Displays trust relationships between domains.
Check ACLs on AD Objects
Get-ObjectAcl -SamAccountName "Administrator" -ResolveGUIDs
Shows ACLs for a specific user account, resolving GUIDs to human-readable names.
Find Shares on Domain Computers
Invoke-ShareFinder
Locates shared folders across domain computers.
Identify Delegation Configurations
Get-NetUser -SPN
Finds user accounts with Service Principal Names (SPNs), often used in Kerberos-based attacks.
SMB Clients
Using smbclient:
smbclient -L 192.168.1.1 -U 'jdoe%Password123'
Using impacket-smbclient:
impacket-smbclient DC.LOCAL/jdoe:Password123@192.168.1.1
DNS Enumeration
Query DNS with nslookup to retrieve useful information about the target, for example the SRV records through which the domain advertises its services:
nslookup -type=SRV DC.LOCAL
Lab
To practice, I created a local lab thanks to the following guide, then ran the enumeration against a Domain Controller (an unrealistic scenario, because a DC is rarely exposed directly to the network).
In addition to what the guide describes, I've added DNS and web server (IIS) services.
The target is a DC running Windows Server 2019, while the attacking machine is a Kali Linux box (both machines are on a custom NAT network called NAT_AD, 192.168.57.0/24).
Host Identification
sudo nmap -sn 192.168.57.0/24 #Host Discovery

Optionally, save it into the /etc/hosts file (the redirection must run with root privileges, so tee is used instead of "sudo echo ... >>", which fails because the shell, not sudo, performs the redirection):
echo "192.168.57.9 corp-dc" | sudo tee -a /etc/hosts
Open Ports Discovery
nmap -p0- -sCV -Pn corp-dc -oN open_ports
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: IIS Windows Server
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_ Potentially risky methods: TRACE
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-02-21 18:19:55Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: dev-angelist.lab0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: dev-angelist.lab0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5357/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Service Unavailable
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49669/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49670/tcp open msrpc Microsoft Windows RPC
49672/tcp open msrpc Microsoft Windows RPC
49673/tcp open msrpc Microsoft Windows RPC
49676/tcp open msrpc Microsoft Windows RPC
49682/tcp open msrpc Microsoft Windows RPC
49687/tcp open msrpc Microsoft Windows RPC
MAC Address: 08:00:27:C0:12:91 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_nbstat: NetBIOS name: CORP-DC, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:c0:12:91 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
|_clock-skew: -1s
| smb2-time:
| date: 2025-02-21T18:20:44
|_ start_date: N/A
I will focus on the potentially active and vulnerable services. In this case, for example, I have not configured DNS, so I will skip it.
80 - HTTP
We can use the whatweb command to retrieve information about the web server, send a GET request with curl, or visit the page in a browser.
whatweb http://corp-dc
curl -v http://corp-dc

88 - Kerberos
The Kerberos protocol is a core topic in AD, but here I'm only covering the enumeration phase.
135 - Microsoft Remote Procedure Call (msrpc)
This protocol allows an application to communicate with other machines on the network.
We can use rpcclient to log in and enumerate domain users:
rpcclient -U devan corp-dc #access via rpcclient (devan::P@ssword123!)
enumdomusers #enumerate domain users
139 - NetBios
A protocol that facilitates communication for file and printer sharing on networks; it is the predecessor of SMB.
nbtscan 192.168.57.9

In this case we obtain the NetBIOS name and, possibly, server, user and MAC address information.
389 - LDAP
The Lightweight Directory Access Protocol (LDAP) makes it possible for applications to query user information rapidly. We can perform enumeration using various tools:
LdapSearch
Perform anonymous or credentialed enumeration of the LDAP directory:
ldapsearch -H ldap://192.168.1.1 -x -s base namingcontexts
ldapsearch -x -H ldap://CORP-DC -D "devan@dev-angelist.lab" -w "P@ssword123!" -b "DC=dev-angelist,DC=lab" "(objectClass=user)"
#Other additional useful queries (PowerShell, run from a domain-joined host):
$Filter = "(objectClass=user)"                 # LDAP filter: every user object
$RootOU = "DC=dev-angelist,DC=lab"              # search base: the domain root
$Searcher = New-Object System.DirectoryServices.DirectorySearcher
$Searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$($RootOU)")
$Searcher.Filter = $Filter
$Searcher.SearchScope = "Subtree"               # recurse into every child OU
$Searcher.FindAll()                             # returns one result per matching object


LdapWhoami
Confirm which identity the bind is authenticated as with ldapwhoami (-x selects a simple bind, which the -D/-w credentials require):
ldapwhoami -x -H ldap://CORP-DC -D "CN=devan,CN=Users,DC=dev-angelist,DC=lab" -w "P@ssword123!"

LdapDomainDump
Dump LDAP data in JSON and HTML formats for easier analysis:
ldapdomaindump -u 'dev-angelist\devan' -p 'P@ssword123!' 192.168.57.9
445 - SMB
The SMB protocol is a network file sharing protocol that allows applications on a computer to read and write files and to request services from server programs across the network. It is one of the most critical attack vectors when it is not protected well.
SMBv1 is deprecated and has several known vulnerabilities (EternalBlue, exploited by WannaCry, and others).
It can run over multiple ports: 445, 137-139 (NetBIOS), and over UDP.
To test it, I've created a shared folder called "SharedFiles" containing a text file. The directory is shared with 'devan' with read/write rights (Properties -> Share -> Add User: 'devan').

Location: \\CORP-DC\SharedFiles
Then we can access it from Devan's workstation using that location.

We can enumerate SMB shares and access the system using these tools:
smbmap -H corp-dc
smbclient //corp-dc/SharedFiles -U "dev-angelist.lab/devan%P@ssword123!"
