Active Directory Enumeration
Overview
Active Directory (AD) enumeration maps the domain structure after gaining initial access — users, groups, computers, trusts, GPOs, ACLs, and delegation. Any domain-authenticated user can query most AD objects by default. Enumeration from Linux uses Impacket, NetExec, ldapsearch, and enum4linux-ng. From Windows, use built-in commands, the AD PowerShell module, or PowerView. BloodHound automates relationship mapping and attack path discovery.
ATT&CK Mapping
- Tactic: TA0007 - Discovery
- Technique: T1087.002 - Account Discovery: Domain Account
- Technique: T1069.002 - Permission Groups Discovery: Domain Groups
- Technique: T1018 - Remote System Discovery
- Technique: T1482 - Domain Trust Discovery
Prerequisites
- Valid domain credentials (user:password, NTLM hash, or Kerberos ticket)
- Network access to a domain controller: LDAP TCP 389/636 (Global Catalog 3268/3269), SMB TCP 445, Kerberos TCP/UDP 88, DNS TCP/UDP 53; session and logon enumeration additionally needs SMB 445 to the member hosts being queried
- DNS that resolves the domain (point the resolver at a DC, or hand the DC to tools that accept a nameserver option)
Techniques
Domain Information
From Linux:
# NetExec
# https://github.com/Pennyw0rth/NetExec
# Get domain SID and basic info
nxc ldap <DC_IP> -u <user> -p <password> --get-sid
# Password policy
nxc smb <DC_IP> -u <user> -p <password> --pass-pol
# enum4linux-ng
# https://github.com/cddmp/enum4linux-ng
# Full automated enumeration
enum4linux-ng -A -u <user> -p <password> <DC_IP>
# Specific checks
enum4linux-ng -U -u <user> -p <password> <DC_IP> # Users
enum4linux-ng -G -u <user> -p <password> <DC_IP> # Groups
enum4linux-ng -S -u <user> -p <password> <DC_IP> # Shares
enum4linux-ng -P -u <user> -p <password> <DC_IP> # Password policy
# ldapsearch
# -x is a simple bind: the password crosses the wire in cleartext over ldap://, so outside a lab use
# ldaps://<DC_IP> or authenticate with Kerberos (kinit <user>, then replace -x -D -w with -Y GSSAPI)
# Basic domain query
ldapsearch -x -H ldap://<DC_IP> -D '<domain>\<user>' -w '<password>' -b 'DC=corp,DC=local' '(objectClass=domain)'
# Functional levels and naming contexts live in the rootDSE, which is readable without credentials by default
ldapsearch -x -H ldap://<DC_IP> -b '' -s base '(objectClass=*)' defaultNamingContext dnsHostName domainFunctionality forestFunctionality domainControllerFunctionality
# Domain functional level as stored on the domain object itself
ldapsearch -x -H ldap://<DC_IP> -D '<domain>\<user>' -w '<password>' -b 'DC=corp,DC=local' -s base '(objectClass=*)' msDS-Behavior-Version
From Windows:
:: Domain info
echo %USERDOMAIN%
echo %USERDNSDOMAIN%
echo %LOGONSERVER%
nltest /dsgetdc:%USERDOMAIN%
nltest /domain_trusts
# AD PowerShell module (requires RSAT or DC)
Get-ADDomain
Get-ADForest
(Get-ADDomain).DomainSID
Get-ADDefaultDomainPasswordPolicy
User Enumeration
From Linux:
# Impacket GetADUsers
# https://github.com/fortra/impacket
impacket-GetADUsers '<domain>/<user>:<password>' -dc-ip <DC_IP> -all
# Specific user
impacket-GetADUsers '<domain>/<user>:<password>' -dc-ip <DC_IP> -user admin
# NetExec
# https://github.com/Pennyw0rth/NetExec
# Enumerate domain users
nxc smb <DC_IP> -u <user> -p <password> --users
# RID brute-force (works without credentials if null sessions are allowed)
nxc smb <DC_IP> -u '' -p '' --rid-brute
# Impacket lookupsid
# https://github.com/fortra/impacket
impacket-lookupsid '<domain>/<user>:<password>@<DC_IP>'
# With higher RID range
impacket-lookupsid '<domain>/<user>:<password>@<DC_IP>' 20000
# ldapsearch — all user accounts
# (objectClass=user) on its own also matches computer accounts; objectCategory=person limits results to
# people (equivalently: (sAMAccountType=805306368)). AD returns at most 1000 entries per search unless
# paging is requested, hence -E pr=1000/noprompt
ldapsearch -x -H ldap://<DC_IP> -D '<domain>\<user>' -w '<password>' -E pr=1000/noprompt \
-b 'DC=corp,DC=local' '(&(objectCategory=person)(objectClass=user))' sAMAccountName memberOf
# Users with adminCount=1 (current or former members of protected groups)
ldapsearch -x -H ldap://<DC_IP> -D '<domain>\<user>' -w '<password>' \
-b 'DC=corp,DC=local' '(&(objectCategory=person)(objectClass=user)(adminCount=1))' sAMAccountName
# Service accounts (user accounts with SPNs, i.e. Kerberoastable). Without objectCategory=person every
# computer account matches too, because each has HOST/ SPNs; krbtgt is excluded since it is disabled
# and keyed with a random secret
ldapsearch -x -H ldap://<DC_IP> -D '<domain>\<user>' -w '<password>' \
-b 'DC=corp,DC=local' '(&(objectCategory=person)(objectClass=user)(servicePrincipalName=*)(!(sAMAccountName=krbtgt)))' sAMAccountName servicePrincipalName
# Users with "Do not require Kerberos preauthentication" (AS-REP roastable).
# 1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND; 4194304 = 0x400000 = DONT_REQ_PREAUTH
ldapsearch -x -H ldap://<DC_IP> -D '<domain>\<user>' -w '<password>' \
-b 'DC=corp,DC=local' '(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))' sAMAccountName
From Windows:
:: Built-in commands
net user /domain
net user <username> /domain
# AD PowerShell module
Get-ADUser -Filter * -Properties MemberOf, ServicePrincipalName | Select-Object Name, SamAccountName, Enabled
Get-ADUser -Filter {AdminCount -eq 1} -Properties AdminCount | Select-Object Name, SamAccountName
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName | Select-Object Name, ServicePrincipalName
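Worked example (added here; not Impacket or NetExec code): how a binary objectSid decodes to the S-1-5-21-... form that --get-sid prints, and why a RID brute-force (--rid-brute, lookupsid) is nothing more than the domain SID plus a counter. The LDIF record is constructed to look like ldapsearch output, the SID in it is invented, and the code is pure standard library so it runs offline.

```python
"""Decode objectSid values and derive the RID list that lookupsid / --rid-brute walk.

Added example, not Impacket or NetExec code. SAMPLE_LDIF is constructed to look
like ldapsearch output; the SID in it does not belong to a real domain.
"""
import base64
import struct

# RIDs that exist in every domain; resolve these first when a null session allows it.
WELL_KNOWN_RIDS = {
    500: "Administrator", 501: "Guest", 502: "krbtgt",
    512: "Domain Admins", 513: "Domain Users", 516: "Domain Controllers",
    519: "Enterprise Admins",
}


def sid_str_to_bytes(sid: str) -> bytes:
    """Encode 'S-1-5-21-...' into the binary layout AD stores in objectSid:
    revision (1 byte), sub-authority count (1 byte), 48-bit big-endian
    identifier authority, then count little-endian uint32 sub-authorities."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    header = bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
    return header + struct.pack("<%dI" % len(subs), *subs)


def sid_bytes_to_str(raw: bytes) -> str:
    """Inverse of sid_str_to_bytes, with a length check so a truncated value
    is rejected instead of silently mis-decoded."""
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("malformed SID (%d bytes)" % len(raw))
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from("<%dI" % raw[1], raw, 8)
    return "S-%d-%d%s" % (raw[0], authority, "".join("-%d" % s for s in subs))


def sids_from_ldif(ldif: str) -> list:
    """Extract objectSid values from ldapsearch output. ldapsearch prints
    binary attributes base64-encoded after a double colon ('objectSid:: ...')."""
    sids = []
    for line in ldif.splitlines():
        if line.startswith("objectSid:: "):
            raw = base64.b64decode(line.split(":: ", 1)[1].strip())
            sids.append(sid_bytes_to_str(raw))
    return sids


def split_rid(sid: str):
    """Split an account SID into (domain SID, RID): the last sub-authority is the RID."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def rid_brute_targets(domain_sid: str, start: int = 500, stop: int = 1100) -> list:
    """The SIDs a RID brute-force asks the DC to resolve via LsarLookupSids.
    Nothing is guessed about names: the domain SID is fixed and the RID is a
    counter, so unused RIDs simply come back unresolved."""
    return ["%s-%d" % (domain_sid, rid) for rid in range(start, stop + 1)]


# Constructed sample record (not from a real DC).
SAMPLE_LDIF = """dn: CN=Administrator,CN=Users,DC=corp,DC=local
sAMAccountName: Administrator
objectSid:: AQUAAAAAAAUVAAAA3PTcO4M9K0aCi6Yo9AEAAA==
"""

if __name__ == "__main__":
    for sid in sids_from_ldif(SAMPLE_LDIF):
        domain_sid, rid = split_rid(sid)
        print(sid, "->", domain_sid, "RID", rid, WELL_KNOWN_RIDS.get(rid, "?"))
        for target in rid_brute_targets(domain_sid, 500, 503):
            print("  lookup", target)
```

Every S-1-5-21 SID base64-encodes to a value starting with AQUAAAAAAAUVAAAA, which is a handy way to spot objectSid lines in raw LDIF dumps.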
Group Enumeration
From Linux:
# NetExec
# https://github.com/Pennyw0rth/NetExec
nxc smb <DC_IP> -u <user> -p <password> --groups
# Members of a specific group
nxc smb <DC_IP> -u <user> -p <password> --groups "Domain Admins"
# ldapsearch — Domain Admins members (member lists direct members only; nested groups need a
# recursive walk, see Get-ADGroupMember -Recursive below)
ldapsearch -x -H ldap://<DC_IP> -D '<domain>\<user>' -w '<password>' \
-b 'DC=corp,DC=local' '(&(objectClass=group)(cn=Domain Admins))' member
# All groups (paged, since AD caps an unpaged search at 1000 entries)
ldapsearch -x -H ldap://<DC_IP> -D '<domain>\<user>' -w '<password>' -E pr=1000/noprompt \
-b 'DC=corp,DC=local' '(objectClass=group)' cn member
From Windows:
:: Built-in commands
net group /domain
net group "Domain Admins" /domain
net group "Enterprise Admins" /domain
net group "Domain Controllers" /domain
# AD PowerShell module
Get-ADGroup -Filter * | Select-Object Name, GroupScope
Get-ADGroupMember -Identity "Domain Admins" -Recursive | Select-Object Name, objectClass
Computer Enumeration
From Linux:
# NetExec
# https://github.com/Pennyw0rth/NetExec
nxc smb <DC_IP> -u <user> -p <password> --computers
# ldapsearch — all computers
ldapsearch -x -H ldap://<DC_IP> -D '<domain>\<user>' -w '<password>' \
-b 'DC=corp,DC=local' '(objectClass=computer)' cn operatingSystem operatingSystemVersion
# Domain controllers
ldapsearch -x -H ldap://<DC_IP> -D '<domain>\<user>' -w '<password>' \
-b 'DC=corp,DC=local' '(&(objectClass=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))' cn
From Windows:
# AD PowerShell module
Get-ADComputer -Filter * -Properties OperatingSystem | Select-Object Name, OperatingSystem, Enabled
Get-ADDomainController -Filter *
Share Enumeration
# NetExec
# https://github.com/Pennyw0rth/NetExec
# Enumerate shares and check read/write access. Run this against every reachable host, not just the DC;
# <targets> can be an IP, hostname, CIDR range, or a file with one host per line
nxc smb <targets> -u <user> -p <password> --shares
Trust Enumeration
From Linux:
# ldapsearch — domain trusts
# trustDirection: 1 inbound, 2 outbound, 3 bidirectional. trustAttributes bits: 0x4 QUARANTINED_DOMAIN
# (SID filtering on), 0x8 FOREST_TRANSITIVE, 0x20 WITHIN_FOREST, 0x40 TREAT_AS_EXTERNAL
ldapsearch -x -H ldap://<DC_IP> -D '<domain>\<user>' -w '<password>' \
-b 'CN=System,DC=corp,DC=local' '(objectClass=trustedDomain)' cn flatName trustDirection trustType trustAttributes
From Windows:
:: Built-in
nltest /domain_trusts /all_trusts
# AD PowerShell module
Get-ADTrust -Filter *
Delegation Enumeration
# NetExec
# https://github.com/Pennyw0rth/NetExec
# Find delegation relationships
nxc ldap <DC_IP> -u <user> -p <password> --find-delegation
nxc ldap <DC_IP> -u <user> -p <password> --trusted-for-delegation
# ldapsearch — unconstrained delegation (524288 = 0x80000 = TRUSTED_FOR_DELEGATION)
# DCs carry this flag by design, so exclude them (8192 = SERVER_TRUST_ACCOUNT) to see only the
# member servers that matter
ldapsearch -x -H ldap://<DC_IP> -D '<domain>\<user>' -w '<password>' \
-b 'DC=corp,DC=local' '(&(objectClass=computer)(userAccountControl:1.2.840.113556.1.4.803:=524288)(!(userAccountControl:1.2.840.113556.1.4.803:=8192)))' cn
# Constrained delegation (computers and service accounts alike; userAccountControl bit 0x1000000
# TRUSTED_TO_AUTH_FOR_DELEGATION marks protocol transition)
ldapsearch -x -H ldap://<DC_IP> -D '<domain>\<user>' -w '<password>' \
-b 'DC=corp,DC=local' '(msDS-AllowedToDelegateTo=*)' cn sAMAccountName msDS-AllowedToDelegateTo userAccountControl
# Resource-based constrained delegation is configured on the target object instead
# (msDS-AllowedToActOnBehalfOfOtherIdentity, a security descriptor); --find-delegation above reports it
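Worked example (added here; not code from Impacket, NetExec or the AD module) covering the bitwise filters used in User Enumeration and Delegation Enumeration above: what the 1.2.840.113556.1.4.803 matching rule actually tests, and exactly which objects each filter selects or wrongly includes. The directory objects are constructed for a fake corp.local domain; the account names and attribute values are invented.

```python
"""Decode userAccountControl and evaluate the bitwise LDAP filters from the
User Enumeration and Delegation Enumeration sections against sample objects.

Added example, not code from Impacket, NetExec or the AD module. SAMPLE_OBJECTS
is constructed to resemble ldapsearch results for a fake corp.local domain.
"""

# userAccountControl bits the filters on this page rely on, plus the usual suspects.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",               # 8192: domain controller
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",            # 524288: unconstrained delegation
    0x400000: "DONT_REQ_PREAUTH",                 # 4194304: AS-REP roastable
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",  # constrained delegation with protocol transition
}


def decode_uac(value: int) -> list:
    """Names of the flags set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def bit_and(value: int, mask: int) -> bool:
    """What (attr:1.2.840.113556.1.4.803:=mask) tests: every bit of mask is set."""
    return value & mask == mask


def is_person(obj: dict) -> bool:
    """(&(objectCategory=person)(objectClass=user)). Computer objects are also
    objectClass=user, so objectClass alone does not separate people from machines."""
    return obj["objectCategory"] == "person" and "user" in obj["objectClass"]


def names(objs, pred) -> list:
    return sorted(o["sAMAccountName"] for o in objs if pred(o))


def spn_objects_naive(objs) -> list:
    """(&(objectClass=user)(servicePrincipalName=*)) without objectCategory:
    returns every computer account too, since each has HOST/ SPNs."""
    return names(objs, lambda o: "user" in o["objectClass"] and o["servicePrincipalName"])


def kerberoastable(objs) -> list:
    """Enabled user accounts with an SPN; krbtgt is excluded because it is
    disabled and keyed with a random secret, not a crackable password."""
    return names(objs, lambda o: is_person(o) and o["servicePrincipalName"]
                 and not bit_and(o["userAccountControl"], 0x0002)
                 and o["sAMAccountName"].lower() != "krbtgt")


def asrep_roastable(objs) -> list:
    """Enabled user accounts with DONT_REQ_PREAUTH (4194304)."""
    return names(objs, lambda o: is_person(o)
                 and bit_and(o["userAccountControl"], 0x400000)
                 and not bit_and(o["userAccountControl"], 0x0002))


def domain_controllers(objs) -> list:
    """SERVER_TRUST_ACCOUNT (8192) marks a DC's computer account."""
    return names(objs, lambda o: bit_and(o["userAccountControl"], 0x2000))


def unconstrained_delegation(objs) -> list:
    """TRUSTED_FOR_DELEGATION (524288) minus DCs, which carry it by design."""
    return names(objs, lambda o: bit_and(o["userAccountControl"], 0x80000)
                 and not bit_and(o["userAccountControl"], 0x2000))


def _obj(name, category, classes, uac, spns=()):
    # objectCategory is really a schema DN (CN=Person,CN=Schema,...); the short
    # form used here is what the filter (objectCategory=person) resolves to.
    return {"sAMAccountName": name, "objectCategory": category, "objectClass": classes,
            "userAccountControl": uac, "servicePrincipalName": list(spns)}


PERSON = ["top", "person", "organizationalPerson", "user"]
COMPUTER = PERSON + ["computer"]

# Constructed sample directory; the names and values are invented.
SAMPLE_OBJECTS = [
    _obj("DC01$", "computer", COMPUTER, 0x82000, ["HOST/dc01.corp.local", "ldap/dc01.corp.local"]),
    _obj("WEB01$", "computer", COMPUTER, 0x81000, ["HOST/web01.corp.local"]),
    _obj("svc_sql", "person", PERSON, 0x10200, ["MSSQLSvc/sql01.corp.local:1433"]),
    _obj("jdoe", "person", PERSON, 0x400200),
    _obj("old_admin", "person", PERSON, 0x202),
    _obj("krbtgt", "person", PERSON, 0x202, ["kadmin/changepw"]),
]

if __name__ == "__main__":
    for o in SAMPLE_OBJECTS:
        print("%-10s %8d %s" % (o["sAMAccountName"], o["userAccountControl"],
                                ", ".join(decode_uac(o["userAccountControl"]))))
    print("naive SPN filter        :", spn_objects_naive(SAMPLE_OBJECTS))
    print("Kerberoastable users    :", kerberoastable(SAMPLE_OBJECTS))
    print("AS-REP roastable users  :", asrep_roastable(SAMPLE_OBJECTS))
    print("domain controllers      :", domain_controllers(SAMPLE_OBJECTS))
    print("unconstrained delegation:", unconstrained_delegation(SAMPLE_OBJECTS))
```

The naive SPN filter returns both computer accounts and krbtgt alongside the one real service account; the same objects a DC would hand back for the unqualified ldapsearch filter, which is why the objectCategory and DC exclusions in the commands above matter.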
Session and Logon Enumeration
# NetExec
# https://github.com/Pennyw0rth/NetExec
# Logged-on users (NetWkstaUserEnum; on current Windows this needs local admin on <target>)
nxc smb <target> -u <user> -p <password> --loggedon-users
# Active SMB sessions (NetSessionEnum; restricted to administrators by default since Windows 10 1709)
nxc smb <target> -u <user> -p <password> --sessions
BloodHound Collection
BloodHound visualizes AD relationships and automatically identifies attack paths to Domain Admin.
From Linux:
# bloodhound-python
# https://github.com/dirkjanm/BloodHound.py
# -ns sends name resolution to the DC when the attacking host's resolver is not domain-aware;
# --zip bundles the JSON output into one archive for import
bloodhound-python -u <user> -p <password> -d <domain> -dc <DC_FQDN> -ns <DC_IP> -c all --zip
# With NTLM hash (the LM half can be left empty)
bloodhound-python -u <user> --hashes ':<NThash>' -d <domain> -dc <DC_FQDN> -ns <DC_IP> -c all --zip
# Specific collection methods
bloodhound-python -u <user> -p <password> -d <domain> -dc <DC_FQDN> -ns <DC_IP> -c Group,LocalAdmin,Session
# NetExec BloodHound collection
# https://github.com/Pennyw0rth/NetExec
nxc ldap <DC_IP> -u <user> -p <password> --bloodhound -c all
Collection methods: Group, LocalAdmin, Session, Trusts, Default, DCOnly, DCOM, RDP, PSRemote, LoggedOn, Container, ObjectProps, ACL, All.
From Windows:
# SharpHound
# https://github.com/BloodHoundAD/SharpHound
.\SharpHound.exe -c all
# LDAP-only collection from the DC: no connections to member hosts, so quieter, but no session or local admin data
.\SharpHound.exe -c DCOnly
# Loop collection (monitor sessions over time)
.\SharpHound.exe -c Session --loop --loopduration 02:00:00
Import the resulting ZIP file into the BloodHound GUI. Key pre-built queries: "Shortest Path to Domain Admin", "Find Kerberoastable Users", "Find AS-REP Roastable Users".
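Worked example (added here; not BloodHound or SharpHound code, and not their JSON format): the graph search behind "Shortest Path to Domain Admin". The nodes, edges and the corp.local domain are constructed for the demo; edge kinds reuse BloodHound's names and directions (HasSession points from the computer to the user whose session, and so credentials, live on it).

```python
"""Shortest attack path over a small AD relationship graph: the search behind
BloodHound's 'Shortest Path to Domain Admin'.

Added example, not BloodHound/SharpHound code and not their JSON format. The
graph below is constructed for a fake corp.local domain.
"""
from collections import deque

DOMAIN_ADMINS = "DOMAIN ADMINS@CORP.LOCAL"

# (source, edge kind, target). Constructed sample data.
EDGES = [
    ("JDOE@CORP.LOCAL", "MemberOf", "DOMAIN USERS@CORP.LOCAL"),
    ("JDOE@CORP.LOCAL", "MemberOf", "HELPDESK@CORP.LOCAL"),
    ("HELPDESK@CORP.LOCAL", "MemberOf", "IT STAFF@CORP.LOCAL"),
    ("IT STAFF@CORP.LOCAL", "MemberOf", "HELPDESK@CORP.LOCAL"),   # nested-group cycle
    ("HELPDESK@CORP.LOCAL", "AdminTo", "WS01.CORP.LOCAL"),
    ("HELPDESK@CORP.LOCAL", "CanRDP", "WS02.CORP.LOCAL"),          # dead end
    ("WS01.CORP.LOCAL", "HasSession", "SVC_BACKUP@CORP.LOCAL"),    # creds to harvest on WS01
    ("SVC_BACKUP@CORP.LOCAL", "MemberOf", "SERVER ADMINS@CORP.LOCAL"),
    ("SERVER ADMINS@CORP.LOCAL", "GenericAll", DOMAIN_ADMINS),     # can add members
    ("SERVER ADMINS@CORP.LOCAL", "AdminTo", "SRV01.CORP.LOCAL"),
    ("SRV01.CORP.LOCAL", "HasSession", "ADMIN.BOB@CORP.LOCAL"),
    ("ADMIN.BOB@CORP.LOCAL", "MemberOf", DOMAIN_ADMINS),
    ("LONELY@CORP.LOCAL", "MemberOf", "DOMAIN USERS@CORP.LOCAL"),
]


def build_adjacency(edges):
    adj = {}
    for src, kind, dst in edges:
        adj.setdefault(src, []).append((kind, dst))
    return adj


def shortest_path(edges, start, target):
    """Breadth-first search; returns the hops [(src, kind, dst), ...] of one
    shortest path, [] if start is the target, None if unreachable. The parent
    map doubles as the visited set, so nested-group cycles are harmless."""
    adj = build_adjacency(edges)
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            break
        for kind, nxt in adj.get(node, []):
            if nxt not in parent:
                parent[nxt] = (node, kind)
                queue.append(nxt)
    if target not in parent:
        return None
    hops, node = [], target
    while parent[node] is not None:
        prev, kind = parent[node]
        hops.append((prev, kind, node))
        node = prev
    return hops[::-1]


def rank_starting_points(edges, target):
    """Hop count from every source node to target (None if no path): the cheap
    version of 'which owned principal gets us there fastest'."""
    ranking = {}
    for src in sorted({src for src, _, _ in edges}):
        path = shortest_path(edges, src, target)
        ranking[src] = None if path is None else len(path)
    return ranking


def format_path(hops):
    if not hops:
        return "(start is the target)"
    out = hops[0][0]
    for _, kind, dst in hops:
        out += " -[%s]-> %s" % (kind, dst)
    return out


if __name__ == "__main__":
    for start in ("JDOE@CORP.LOCAL", "LONELY@CORP.LOCAL"):
        hops = shortest_path(EDGES, start, DOMAIN_ADMINS)
        print(start, ":", "no path" if hops is None else format_path(hops))
    ranking = rank_starting_points(EDGES, DOMAIN_ADMINS)
    for node, n in sorted(ranking.items(), key=lambda kv: (kv[1] is None, kv[1] or 0)):
        print("%-28s %s" % (node, n))
```

BFS finds the five-hop route through WS01 and SVC_BACKUP rather than the seven-hop route through SRV01 and ADMIN.BOB; BloodHound does the same over a much larger graph, with edge kinds that each map to a concrete abuse (credential dumping for HasSession, group membership change for GenericAll).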