AD Enumeration Fundamentals

Intermediate · 35 min · Writeup

Basic techniques to enumerate AD environments

Learning Objectives

  • Enumerate users and groups
  • Find domain controllers
  • Identify service accounts
  • Map the domain structure

Before you attack Active Directory, you need to understand it. AD enumeration is the process of discovering users, groups, computers, policies, and relationships that make up the domain. The more you know, the better your attack paths.

The attacker's advantage is built into AD: by design, any authenticated user can read most of the directory (users, groups, computers, OUs, GPO links, trusts). You do not need admin rights to enumerate, just any valid domain account.

Enumeration is Key

In enterprise environments, expect enumeration to consume the bulk of your time (the old rule of thumb is around 80%). Finding the right attack path through misconfiguration and excessive privilege matters more than having fancy exploits.

Basic Domain Enumeration

Windows Built-in Tools

```powershell
# Current domain
$env:USERDOMAIN
$env:USERDNSDOMAIN
[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

# Domain controllers
nltest /dclist:corp.local
nslookup -type=SRV _ldap._tcp.dc._msdcs.corp.local

# Domain info
net user /domain
net group /domain
net group "Domain Admins" /domain

# Current user info
whoami /all
whoami /priv
whoami /groups
```

PowerShell AD Module

```powershell
# Import AD module (needs RSAT on a workstation, or run on a DC)
Import-Module ActiveDirectory

# Domain info
Get-ADDomain
Get-ADForest

# Users
Get-ADUser -Filter * -Properties *
Get-ADUser -Filter 'ServicePrincipalName -like "*"' -Properties ServicePrincipalName

# Groups
Get-ADGroup -Filter * | Select-Object Name
Get-ADGroupMember -Identity "Domain Admins" -Recursive

# Computers
Get-ADComputer -Filter * -Properties *
Get-ADComputer -Filter 'OperatingSystem -like "*Server*"'

# Trust relationships
Get-ADTrust -Filter *
```

LDAP Enumeration

LDAP is the directory protocol AD exposes (TCP 389, LDAPS on 636). Everything the AD module does is an LDAP query underneath, so you can query the DC directly from Linux with ldapsearch, or from Windows through .NET's DirectorySearcher when the AD module is not installed.

```bash
# ldapsearch - enumerate domain
# -x is a simple bind: the password travels in the clear, so prefer ldaps://dc.corp.local
# or add -ZZ (StartTLS) where the DC enforces LDAP signing
ldapsearch -x -H ldap://dc.corp.local -D "user@corp.local" -w 'password' -b "DC=corp,DC=local"

# Get users (note: computer objects also carry objectClass=user;
# use "(&(objectCategory=person)(objectClass=user))" for people only)
ldapsearch -x -H ldap://dc.corp.local -D "user@corp.local" -w 'pass' \
    -b "DC=corp,DC=local" "(objectClass=user)" sAMAccountName userPrincipalName

# Get computers
ldapsearch -x -H ldap://dc.corp.local -D "user@corp.local" -w 'pass' \
    -b "DC=corp,DC=local" "(objectClass=computer)" dNSHostName operatingSystem

# Get groups
ldapsearch -x -H ldap://dc.corp.local -D "user@corp.local" -w 'pass' \
    -b "DC=corp,DC=local" "(objectClass=group)" cn member

# Find SPNs (Kerberoasting targets)
ldapsearch -x -H ldap://dc.corp.local -D "user@corp.local" -w 'pass' \
    -b "DC=corp,DC=local" "(servicePrincipalName=*)" sAMAccountName servicePrincipalName
```

```powershell
# PowerShell without AD module
$domainObj = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$pdc = $domainObj.PdcRoleOwner.Name
$ldapPath = "LDAP://$pdc"
$dirEntry = New-Object System.DirectoryServices.DirectoryEntry($ldapPath)

# Create searcher
$dirSearcher = New-Object System.DirectoryServices.DirectorySearcher($dirEntry)
$dirSearcher.Filter = "(objectClass=user)"
$dirSearcher.PageSize = 1000   # enable paging, otherwise the DC silently stops at 1000 results
$dirSearcher.FindAll() | ForEach-Object { $_.Properties.samaccountname }
```

Key Objects to Enumerate

Users

```powershell
# High-value user attributes; ask for these rather than -Properties * (faster, less noise on the DC)
$props = @(
    'Description',          # Often contains passwords!
    'ServicePrincipalName', # Kerberoastable
    'PasswordLastSet',
    'LastLogonDate',        # replicated (from lastLogonTimestamp); LastLogon is only accurate on the DC you query
    'AdminCount',           # 1 = protected by AdminSDHolder
    'MemberOf'
)
Get-ADUser -Filter * -Properties $props | Select-Object (@('SamAccountName') + $props)
```

Groups

```powershell
# Find privileged group members
# (groups absent from this domain, e.g. Enterprise Admins outside the forest root, are skipped)
$groups = @("Domain Admins", "Enterprise Admins", "Administrators", "Account Operators")
foreach ($group in $groups) {
    Write-Host "=== $group ===" -ForegroundColor Yellow
    Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue | Select-Object Name
}
```

Computers

```powershell
# Find interesting computers (OS version tells you where the old, unpatched boxes are)
Get-ADComputer -Filter * -Properties OperatingSystem,OperatingSystemVersion,IPv4Address,LastLogonDate |
    Select-Object Name, OperatingSystem, OperatingSystemVersion, IPv4Address, LastLogonDate |
    Sort-Object OperatingSystem
```

GPOs

```powershell
# Group Policy Objects (needs the GroupPolicy RSAT module)
Import-Module GroupPolicy
Get-GPO -All | Select-Object DisplayName, Id, GpoStatus

# Find GPOs whose settings mention passwords or scripts: dump each GPO as XML and search it
Get-GPO -All | ForEach-Object {
    $gpoId   = $_.Id
    $gpoName = $_.DisplayName
    $report  = Get-GPOReport -Guid $gpoId -ReportType Xml
    if ($report -match 'Password|Script') {
        "$gpoName ($gpoId)"
    }
}
```

Descriptions Are Gold

User and computer descriptions often contain passwords, hints, or sensitive information. Always check them, and check the info attribute (the "Notes" field in ADUC) and group descriptions while you are at it. Any domain user can read all of these.

Linux Enumeration Tools

```bash
# CrackMapExec - Swiss army knife (its maintained fork NetExec, nxc, takes the same arguments)
crackmapexec smb dc.corp.local -u user -p password --users
crackmapexec smb dc.corp.local -u user -p password --groups
crackmapexec smb dc.corp.local -u user -p password --shares
crackmapexec ldap dc.corp.local -u user -p password -M get-desc-users

# Impacket GetADUsers
GetADUsers.py -all -dc-ip dc.corp.local corp.local/user:password

# Enum4linux-ng
enum4linux-ng -A -u user -p password dc.corp.local

# windapsearch
windapsearch -d corp.local --dc-ip 192.168.1.10 -u user@corp.local -p password --users
windapsearch -d corp.local --dc-ip 192.168.1.10 -u user@corp.local -p password --da

# rpcclient (MS-RPC over SMB, port 445)
rpcclient -U "user%password" dc.corp.local
rpcclient $> enumdomusers
rpcclient $> enumdomgroups
rpcclient $> querydispinfo
```

Finding Attack Targets

```powershell
# Kerberoastable accounts (skip krbtgt and disabled accounts when picking targets)
Get-ADUser -Filter {ServicePrincipalName -like "*"} -Properties ServicePrincipalName

# AS-REP Roastable accounts (Kerberos pre-authentication disabled)
Get-ADUser -Filter {DoesNotRequirePreAuth -eq $True}

# Accounts with password hints in the description
Get-ADUser -Filter * -Properties Description | Where-Object { $_.Description -match "pass" }

# Accounts with unconstrained delegation
# (constrained delegation is a different attribute, msDS-AllowedToDelegateTo)
Get-ADUser -Filter {TrustedForDelegation -eq $True}
Get-ADComputer -Filter {TrustedForDelegation -eq $True}   # domain controllers appear here by design

# Recently changed passwords (likely active accounts)
$date = (Get-Date).AddDays(-30)
Get-ADUser -Filter {PasswordLastSet -gt $date} -Properties PasswordLastSet
```
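The LDAP section above only filters on objectClass, and the target-finding queries in this section rely on the AD module. The following is an added example (not from the original page) that joins the two: the same attack targets expressed as raw LDAP filters, using the userAccountControl bitwise-AND matching rule, run through DirectorySearcher so they work on any domain-joined Windows host without RSAT. It assumes a domain-joined host and any valid domain account. The function name Invoke-LdapSearch and the target names in the hashtable are this example's own choices; the bit values and the matching-rule OID come from the MS-ADTS specification.

```powershell
# Added example: attack-target queries as raw LDAP filters, without the AD module.
# Assumes a domain-joined host; the domain is whatever GetCurrentDomain() returns.

function Invoke-LdapSearch {
    # One paged LDAP query against the current domain, returning only the
    # attributes asked for (smaller result sets, less for the DC to log).
    param(
        [Parameter(Mandatory)][string]$Filter,
        [string[]]$Attributes = @('sAMAccountName'),
        [int]$PageSize = 500
    )
    $domain   = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $root     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$($domain.Name)")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $Filter)
    $searcher.PageSize = $PageSize   # without paging the DC stops at MaxPageSize (1000 by default)
    $searcher.PropertiesToLoad.Clear()
    $Attributes | ForEach-Object { [void]$searcher.PropertiesToLoad.Add($_) }

    foreach ($result in $searcher.FindAll()) {
        $row = [ordered]@{}
        foreach ($attr in $Attributes) {
            # Multi-valued attributes (e.g. servicePrincipalName) are flattened for display;
            # a missing attribute comes back as an empty collection, so this yields ''.
            $row[$attr] = @($result.Properties[$attr.ToLower()]) -join '; '
        }
        [pscustomobject]$row
    }
}

# userAccountControl bits (MS-ADTS); 1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND
$BitAnd = '1.2.840.113556.1.4.803'
$UAC_ACCOUNTDISABLE         = 2
$UAC_TRUSTED_FOR_DELEGATION = 0x80000    # unconstrained delegation
$UAC_DONT_REQ_PREAUTH       = 0x400000   # AS-REP roastable

# Enabled person accounts only. objectCategory=person is indexed, and objectClass=user
# on its own also matches computer objects.
$EnabledUser = "(&(objectCategory=person)(objectClass=user)(!(userAccountControl:${BitAnd}:=${UAC_ACCOUNTDISABLE})))"

$Targets = [ordered]@{
    # Kerberoastable: enabled users with an SPN. krbtgt is skipped because its
    # password is machine-generated and not realistically crackable.
    Kerberoastable     = "(&${EnabledUser}(servicePrincipalName=*)(!(sAMAccountName=krbtgt)))"
    # AS-REP roastable: pre-authentication disabled, so anyone can request an AS-REP to crack offline
    AsRepRoastable     = "(&${EnabledUser}(userAccountControl:${BitAnd}:=${UAC_DONT_REQ_PREAUTH}))"
    # Unconstrained delegation on user accounts (rare, and a direct path to impersonation)
    UnconstrainedUsers = "(&${EnabledUser}(userAccountControl:${BitAnd}:=${UAC_TRUSTED_FOR_DELEGATION}))"
    # Unconstrained delegation on computers, minus domain controllers (primaryGroupID 516), which have it by design
    UnconstrainedHosts = "(&(objectClass=computer)(userAccountControl:${BitAnd}:=${UAC_TRUSTED_FOR_DELEGATION})(!(primaryGroupID=516)))"
    # Constrained delegation: the services the account may delegate to are listed in the attribute itself
    ConstrainedDeleg   = "(msDS-AllowedToDelegateTo=*)"
}

$attrs = 'sAMAccountName','servicePrincipalName','msDS-AllowedToDelegateTo','description'
foreach ($name in $Targets.Keys) {
    Write-Host "=== $name ===" -ForegroundColor Yellow
    Invoke-LdapSearch -Filter $Targets[$name] -Attributes $attrs | Format-Table -AutoSize -Wrap
}
```

The filter strings are plain LDAP, so they drop straight into the ldapsearch commands earlier on the page, for example `"(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))"` for AS-REP roastable users. Requesting only the attributes you need, as the function does, is also the cheapest way to keep each query small.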

Stealth Considerations

Extensive LDAP queries, especially broad pulls of every attribute on every object, can trigger alerts on DCs with LDAP query logging or a monitoring product in place. In red team ops, spread queries over time, request only the attributes you need, and avoid obvious patterns. BloodHound's collectors gather everything in one efficient batch, which is convenient but also produces a recognisable burst of LDAP and SMB traffic from a single host.

Enumeration Methodology

AD Enumeration Process

  1. Domain info: identify domain name, DCs, forest structure
  2. Users: enumerate all users, find admins and service accounts
  3. Groups: map privileged groups and memberships
  4. Computers: find DCs, servers, workstations
  5. Targets: identify Kerberoastable, AS-REP roastable accounts
  6. Trusts: map trust relationships
  7. ACLs: use BloodHound for attack path analysis
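As an added example (not from the original page), here is the seven-step process above carried out in one pass with the ActiveDirectory module, each step written to its own CSV so the results can be diffed between engagements or handed to a reporting tool. It assumes RSAT on a domain-joined host and an ordinary domain account. The function name, the list of privileged groups, the regex used to spot credential hints, the one-year threshold for stale admin passwords and the output folder name are choices made for this example; step 7 only looks at the domain head, which is the first object to check by hand before BloodHound does the same across every object.

```powershell
# Added example: the methodology as a script. Assumes the AD module (RSAT) is installed.
Import-Module ActiveDirectory

function Invoke-ADEnumeration {
    param([string]$OutDir = ".\ad-enum-$(Get-Date -Format 'yyyyMMdd-HHmmss')")  # output folder is arbitrary
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $domain = Get-ADDomain
    $forest = Get-ADForest

    # 1. Domain info: names, SID, DCs, forest membership
    [pscustomobject]@{
        Domain     = $domain.DNSRoot
        NetBIOS    = $domain.NetBIOSName
        DomainSID  = $domain.DomainSID.Value
        Forest     = $forest.Name
        ForestRoot = $forest.RootDomain
        PDC        = $domain.PDCEmulator
        DCs        = $domain.ReplicaDirectoryServers -join '; '
    } | Export-Csv "$OutDir\01-domain.csv" -NoTypeInformation

    # 2. Users: only the attributes worth reading, not -Properties *
    $userProps = 'Description','ServicePrincipalName','PasswordLastSet','LastLogonDate',
                 'AdminCount','PasswordNeverExpires','DoesNotRequirePreAuth','TrustedForDelegation'
    $users = Get-ADUser -Filter * -Properties $userProps
    $users | Select-Object SamAccountName, Enabled, Description, PasswordLastSet, LastLogonDate, AdminCount,
                 PasswordNeverExpires, DoesNotRequirePreAuth, TrustedForDelegation,
                 @{n='SPNs'; e={ $_.ServicePrincipalName -join '; ' }} |
        Export-Csv "$OutDir\02-users.csv" -NoTypeInformation

    # 3. Privileged groups, expanded recursively (groups absent from this domain are skipped)
    $privGroups = 'Domain Admins','Enterprise Admins','Administrators','Account Operators',
                  'Backup Operators','Schema Admins','Server Operators'   # list chosen for this example
    $privGroups | ForEach-Object {
        $group = $_
        Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
            Select-Object @{n='Group'; e={ $group }}, SamAccountName, objectClass, distinguishedName
    } | Export-Csv "$OutDir\03-privileged-groups.csv" -NoTypeInformation

    # 4. Computers, classified as DC / server / workstation
    Get-ADComputer -Filter * -Properties OperatingSystem,OperatingSystemVersion,IPv4Address,LastLogonDate |
        Select-Object Name, DNSHostName, Enabled, OperatingSystem, OperatingSystemVersion, IPv4Address, LastLogonDate,
            @{n='Role'; e={
                if ($domain.ReplicaDirectoryServers -contains $_.DNSHostName) { 'DC' }
                elseif ($_.OperatingSystem -match 'Server') { 'Server' } else { 'Workstation' } }} |
        Sort-Object Role, Name | Export-Csv "$OutDir\04-computers.csv" -NoTypeInformation

    # 5. Targets: roastable and delegating accounts, plus the soft spots (hints, stale admin passwords)
    $hint = 'pass|pwd|cred|secret|login|temp'   # regex chosen for this example
    $live = $users | Where-Object Enabled
    $targets = @(
        $live | Where-Object { $_.ServicePrincipalName -and $_.SamAccountName -ne 'krbtgt' } |
            Select-Object @{n='Why'; e={ 'Kerberoastable' }}, SamAccountName, @{n='Detail'; e={ $_.ServicePrincipalName -join '; ' }}
        $live | Where-Object DoesNotRequirePreAuth |
            Select-Object @{n='Why'; e={ 'AS-REP roastable' }}, SamAccountName, @{n='Detail'; e={ 'pre-authentication disabled' }}
        $live | Where-Object TrustedForDelegation |
            Select-Object @{n='Why'; e={ 'Unconstrained delegation' }}, SamAccountName, @{n='Detail'; e={ 'TrustedForDelegation' }}
        $users | Where-Object { $_.Description -match $hint } |
            Select-Object @{n='Why'; e={ 'Credential hint in description' }}, SamAccountName, @{n='Detail'; e={ $_.Description }}
        $live | Where-Object { $_.AdminCount -eq 1 -and $_.PasswordLastSet -and $_.PasswordLastSet -lt (Get-Date).AddYears(-1) } |
            Select-Object @{n='Why'; e={ 'Protected account, password older than a year' }}, SamAccountName, @{n='Detail'; e={ $_.PasswordLastSet }}
    )
    $targets | Export-Csv "$OutDir\05-targets.csv" -NoTypeInformation

    # 6. Trusts: direction and transitivity decide which way an attack can cross
    Get-ADTrust -Filter * |
        Select-Object Name, Direction, TrustType, ForestTransitive, IntraForest, SIDFilteringForestAware |
        Export-Csv "$OutDir\06-trusts.csv" -NoTypeInformation

    # 7. ACLs on the domain head: non-admin principals holding takeover rights. ExtendedRight
    #    needs its ObjectType GUID checked (the two DS-Replication-Get-Changes rights mean DCSync).
    (Get-Acl -Path "AD:\$($domain.DistinguishedName)").Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       $_.ActiveDirectoryRights -match 'GenericAll|WriteDacl|WriteOwner|ExtendedRight' -and
                       $_.IdentityReference -notmatch 'SYSTEM|Domain Admins|Enterprise Admins|\\Administrators$|Domain Controllers' } |
        Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, IsInherited |
        Export-Csv "$OutDir\07-domain-acl.csv" -NoTypeInformation

    Get-ChildItem $OutDir | Select-Object Name, Length
}

Invoke-ADEnumeration
```

Everything here is reads that any domain user is allowed to perform; the only writes are to the local output folder. The AD: PSDrive used in step 7 is created automatically when the ActiveDirectory module loads.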

Knowledge Check


What privileges do you need to enumerate AD?

Challenges

Complete Domain Enumeration


With domain credentials, enumerate: all domain admins, Kerberoastable accounts, accounts with passwords in descriptions, and trust relationships.


Key Takeaways

  • Any domain user can enumerate most AD information
  • LDAP (389, LDAPS on 636) and MS-RPC over SMB (445) are the primary enumeration protocols
  • Key targets: Domain Admins, SPNs, delegation, descriptions with passwords
  • PowerView and CrackMapExec are essential tools
  • User descriptions often contain passwords or hints
  • BloodHound automates attack path discovery