
AD Enumeration: You Can't Hit What You Can't See

Every single Active Directory pentest kicks off the same way: with enumeration. You have to map the terrain before you can launch an attack. Before you escalate privileges, you find the hidden paths. Before you own the domain, you discover its secrets.

This isn't your standard recon; we're not just pinging IPs or scanning ports. AD enumeration goes way deeper. It's about connecting the dots: who has access to what, which group gives you the keys to the kingdom, and what's the path of least resistance from a compromised user to full-blown Domain Admin. That's what we're here to find out.

AD Enumeration Diagram


The Enumeration Mindset

Think of Active Directory as a giant graph. It's a web of connections where users are nodes, groups are hubs, and permissions are the edges linking everything together. Your job is to build that graph in your head, find the weak links, and exploit them.

It's a systematic process. Start broad (what domain am I in?), then get specific (who are the users?), analyze the hell out of it (what can they do?), and then you strike.

The Lay of the Land: Initial Recon

Before you have any credentials, your view is limited, but not blind. You can still gather critical intel from the network itself.

# Find the domain name and domain controllers using PowerShell
(Get-ADDomain).Name
(Get-ADForest).Domains
Get-ADDomainController -Discover -Service PrimaryDC

From a Linux box, DNS is your best friend. AD relies on SRV records to function, and they're a goldmine.

# Find the domain controllers using DNS
nslookup -type=srv _ldap._tcp.dc._msdcs.yourdomain.local

This initial recon tells you the name of the domain and the IPs of the domain controllers, which are your primary targets.

Enumerating with Credentials: The Real Work Begins

Once you have a foothold, even with a low-privilege domain user account, the entire directory opens up to you. The native PowerShell ActiveDirectory module is your best friend here because it's installed on most systems and its traffic looks legitimate.

Users: Finding Your Targets

Users are the lifeblood of AD. Your goal is to find interesting accounts: service accounts, privileged users, and accounts with weak configurations.

# Get a list of all enabled users; this is your starting point
Get-ADUser -Filter {Enabled -eq $true} -Properties Description, LastLogonDate | Select-Object SamAccountName, Description, LastLogonDate

# Hunt for privileged accounts
Get-ADUser -Filter {AdminCount -eq 1}

# Find accounts with passwords that never expire, a huge red flag
Get-ADUser -Filter {PasswordNeverExpires -eq $true}

# Find dormant accounts that haven't been used in 90+ days
$cutoff = (Get-Date).AddDays(-90)
Get-ADUser -Filter {Enabled -eq $true -and LastLogonDate -lt $cutoff} -Properties LastLogonDate

Groups: Mapping the Power Structure

Groups are how permissions are managed. Understanding the group structure is how you find paths to privilege escalation.

# Find all security groups
Get-ADGroup -Filter {GroupCategory -eq 'Security'}

# Enumerate members of the holy grail groups
Get-ADGroupMember -Identity "Domain Admins" -Recursive
Get-ADGroupMember -Identity "Enterprise Admins" -Recursive

The -Recursive switch is critical here. It unrolls nested groups so you can see who really has privileges, not just the direct members.

Computers: Identifying the Battleground

Computers are the endpoints where the action happens. You need to know what they are, what they're running, and whether they have any juicy misconfigurations.

# Get all domain computers, focusing on servers
Get-ADComputer -Filter {OperatingSystem -like "*Server*"} -Properties OperatingSystem, DNSHostName

# Find domain controllers, your primary targets
Get-ADDomainController -Filter *

# Hunt for computers with Unconstrained Delegation, a massive security hole
Get-ADComputer -Filter {TrustedForDelegation -eq $true}

Trusts: Finding Bridges Between Kingdoms

In a multi-domain environment, trusts are the bridges that connect them. They can be a pathway for lateral movement if they're not configured securely.

# Enumerate all domain trusts
Get-ADTrust -Filter *

Look for external or forest trusts, and check whether they have SID filtering disabled, which can open them up to attack.

Advanced Reconnaissance Techniques

Once you have the basics down, it's time to dig for the real vulnerabilities.

Service Principal Names (SPNs): The Kerberoasting Goldmine

SPNs are tied to service accounts. Any domain user can request a Kerberos ticket for a service, and that ticket is encrypted with the service account's password hash. This is the foundation of Kerberoasting.

# Find all user accounts with SPNs (potential Kerberoasting targets)
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName

You take these accounts, request tickets for them, and then crack the hashes offline. A weak password on a service account can be a quick win.

Group Policies (GPOs): The Rules of the Game

GPOs define the security configuration for users and computers. They can be a source of credentials or reveal weak settings.

# List all GPOs in the domain
Get-GPO -All

# Look for GPOs that might contain passwords (a classic vulnerability)
Get-ChildItem \\yourdomain.local\SYSVOL -Recurse -Include *.xml | Select-String "cpassword"

Every object in AD has an ACL that defines who can do what to it. Misconfigured ACLs are a direct path to privilege escalation.

# This is complex with native tools, which is why we use PowerView or BloodHound,
# but here's a basic example of checking who can modify the Domain Admins group
# (the AD: drive is created when the ActiveDirectory module is loaded)
(Get-Acl "AD:\CN=Domain Admins,CN=Users,DC=yourdomain,DC=local").Access

You're looking for permissions like GenericAll, WriteDacl, or WriteOwner granted to non-admin users.
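The raw Access list above is long and mostly boilerplate. The script below is an added example, not code from the original post: it filters the ACEs on a given object down to the three rights named above, drops entries held by the principals you would expect to see on a Tier-0 object, and reports what remains. The function name Find-DangerousAce, the $ExpectedPrincipals allow-list and the yourdomain.local DN are assumptions made for the example; the ActiveDirectory module must be loaded so the AD: drive exists.

```powershell
Import-Module ActiveDirectory

# Principals that legitimately hold full control over Tier-0 objects. This allow-list is an
# assumption for the example and should be extended to match the environment being audited.
$ExpectedPrincipals = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    "$env:USERDOMAIN\Domain Admins",
    "$env:USERDOMAIN\Enterprise Admins"
)

function Find-DangerousAce {
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [string[]]$Expected = $ExpectedPrincipals
    )

    # The AD: PSDrive is provided by the ActiveDirectory module
    $acl = Get-Acl -Path ("AD:\" + $DistinguishedName)

    # GenericAll hands over the object outright; WriteDacl and WriteOwner let the holder grant it to themselves later
    $dangerous = @('GenericAll', 'WriteDacl', 'WriteOwner')

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }

        # ActiveDirectoryRights is a flags enum; ToString() renders it as "Right1, Right2, ..."
        $rights = $ace.ActiveDirectoryRights.ToString() -split ',\s*'
        $hit = @($rights | Where-Object { $dangerous -contains $_ })
        if ($hit.Count -eq 0) { continue }

        $who = $ace.IdentityReference.Value
        if ($Expected -contains $who) { continue }

        [pscustomobject]@{
            Object    = $DistinguishedName
            Principal = $who
            Rights    = ($hit -join ',')
            Inherited = $ace.IsInherited
        }
    }
}

# Domain Admins in the post's placeholder domain; adjust the DN to the real one
Find-DangerousAce -DistinguishedName 'CN=Domain Admins,CN=Users,DC=yourdomain,DC=local' |
    Format-Table -AutoSize
```

Two caveats when reading the output. Domain Admins is a protected group, so its ACL is periodically overwritten from CN=AdminSDHolder,CN=System,DC=yourdomain,DC=local by the SDProp process; run the same function against that DN too, because an ACE planted there propagates to every protected account. Second, the three-right filter misses narrower grants such as WriteProperty on the member attribute, which is enough to add a member; catching those means also inspecting the ACE's ObjectType GUID.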

The Modern Toolkit

Native tools are great, but specialized tools are better.

PowerView: The PowerShell Swiss Army Knife

PowerView is part of the PowerSploit framework and it makes complex enumeration tasks dead simple. It's the tool every AD pentester has in their arsenal.

# PowerView makes finding interesting things trivial
# Find where the current user has local admin rights
Find-LocalAdminAccess -Verbose

# Find readable shares on the network
Find-DomainShare -CheckShareAccess

# A more powerful way to find Kerberoastable users
Get-NetUser -SPN

# Find interesting ACLs that could lead to privesc
Find-InterestingDomainAcl

BloodHound: Visualizing the Attack Paths

BloodHound is a game-changer. It takes all the data you've enumerated and puts it into a graph database, letting you visualize attack paths you'd never find manually.

You use the SharpHound collector to gather the data, then import it into the BloodHound GUI.

# Run the SharpHound collector from PowerShell
Invoke-BloodHound -CollectionMethod All -Domain yourdomain.local -ZipFileName loot.zip

Once the data is in BloodHound, you can run queries to find the shortest path from a compromised user to Domain Admin, identify Kerberoastable accounts, or map out dangerous delegation rights. It turns a mountain of data into a clear, actionable attack plan.

Defense: How to Spot the Enemy Scout

Enumeration is noisy if you know what to look for.

  • Monitor Event Logs: A sudden spike in Event ID 4769 (Kerberos service ticket requested) can indicate Kerberoasting. A high volume of LDAP queries from a single host is also a major red flag.
  • Enable PowerShell Logging: Script Block Logging and Module Logging will catch tools like PowerView in the act.
  • Network Monitoring: Look for unusual SMB traffic or a large number of DNS queries for SRV records.
  • Honeypots: Create decoy user accounts or GPOs with tempting names like "Password_Policy" and set up alerts to see who tries to access them.
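The first bullet is easy to state and harder to operationalise, so here is an added example (not from the original post) that turns it into a check. Get-KerberosTgsEvent reads Event ID 4769 from the Security log and projects the fields that matter; Find-TgsRequestSpike buckets those events by requesting address and a fixed time window and reports any source that asked for tickets to many distinct service accounts in one window, which is the burst Kerberoasting produces. Both function names, the window and threshold values, and the sample events at the bottom are constructed for this example; 0x17 as the RC4-HMAC encryption type code is a real value.

```powershell
function Get-KerberosTgsEvent {
    param([int]$Hours = 1)

    # Read 4769 from the local Security log (needs event-log read rights; run on each DC
    # or point this at a SIEM export) and project the XML fields the detector uses.
    $filter = @{ LogName = 'Security'; Id = 4769; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Account = $data['TargetUserName']        # who asked for the ticket
            Service = $data['ServiceName']           # service account the ticket is for
            Source  = $data['IpAddress']             # where the request came from
            EncType = $data['TicketEncryptionType']  # 0x17 = RC4-HMAC, the type offline crackers prefer
        }
    }
}

function Find-TgsRequestSpike {
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [int]$WindowMinutes = 5,
        [int]$Threshold = 10    # distinct service accounts per source per window; tune to the environment
    )

    # Bucket events by source address and fixed time window so a burst lands in one group
    $buckets = $Events | Group-Object {
        $slot = [math]::Floor($_.Time.Ticks / [timespan]::TicksPerMinute / $WindowMinutes)
        '{0}|{1}' -f $_.Source, $slot
    }

    foreach ($bucket in $buckets) {
        $services = @($bucket.Group | Select-Object -ExpandProperty Service -Unique)
        if ($services.Count -lt $Threshold) { continue }

        [pscustomobject]@{
            Source           = $bucket.Group[0].Source
            WindowStart      = ($bucket.Group | Sort-Object Time)[0].Time
            DistinctServices = $services.Count
            Rc4Requests      = @($bucket.Group | Where-Object { $_.EncType -eq '0x17' }).Count
            Accounts         = (($bucket.Group | ForEach-Object { $_.Account } | Sort-Object -Unique) -join ',')
        }
    }
}

# Constructed sample data: one host requesting RC4 tickets for 12 different service accounts
# inside a minute (the Kerberoasting pattern), plus one ordinary AES request from elsewhere.
$base   = Get-Date '2024-01-01 09:00:00'
$sample = @(1..12 | ForEach-Object {
    [pscustomobject]@{ Time = $base.AddSeconds($_); Account = 'jdoe'; Service = "svc_$_"; Source = '10.0.0.55'; EncType = '0x17' }
}) + @(
    [pscustomobject]@{ Time = $base.AddMinutes(2); Account = 'asmith'; Service = 'svc_files'; Source = '10.0.0.20'; EncType = '0x12' }
)

Find-TgsRequestSpike -Events $sample | Format-Table -AutoSize
# Against the live log on a domain controller: Find-TgsRequestSpike -Events (Get-KerberosTgsEvent -Hours 24)
```

On the constructed sample this reports a single row for 10.0.0.55 with 12 distinct services and 12 RC4 requests; the lone request from 10.0.0.20 stays below the threshold. The Rc4Requests column is the second signal worth alerting on by itself: in a domain whose service accounts support AES, a run of 0x17 tickets from one source stands out even when the volume is modest.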

Good enumeration is the foundation of every successful AD compromise. Know how to do it, and you'll know how to spot it.