Active Directory Enumeration
Before you exploit anything in Active Directory, you need to understand what you’re working with. Enumeration is the most critical phase of attacking AD — because if you skip it or do it poorly, you’ll miss the attack paths that matter.
This post covers how to map out users, groups, computers, trusts, and permissions using the most effective tools available to pentesters.
Why Enumeration Matters
In AD, the key to compromise isn’t always a zero-day — it’s misconfiguration and excessive trust. Enumeration reveals:
- Who the users are
- What groups they belong to
- Where admins log in
- What accounts are roastable
- Which systems are vulnerable to lateral movement or privilege escalation
You’re building the blueprint for everything that follows.
Tools We’ll Use
- PowerView
- BloodHound / SharpHound
- Kerbrute
- rpcclient
- smbclient
- ldapsearch
- CrackMapExec (light use here)
1. PowerView (PowerShell)
PowerView is a PowerShell toolset for querying Active Directory objects.
Import the module:
Import-Module .\PowerView.ps1
Enumerate all users:
Get-DomainUser
# Lists all domain users
Find users with SPNs (for Kerberoasting):
Get-DomainUser -SPN
# Lists accounts with registered service SPNs
List groups:
Get-DomainGroup
# Lists all domain groups
Find members of Domain Admins:
Get-DomainGroupMember -Identity "Domain Admins"
# Shows who has the highest privilege
See where admins are logged in:
Find-DomainUserLocation -UserName Administrator
# Attempts to find where the user is logged in
2. BloodHound (SharpHound)
BloodHound maps relationships and permissions in AD that are hard to spot manually.
Run SharpHound collection on the target machine:
.\SharpHound.exe -c All --zipfilename data.zip
# Collects all AD data
Upload the resulting zip to the BloodHound interface (on Kali):
# Drag-and-drop into the BloodHound GUI
Use built-in queries like:
- Shortest Paths to Domain Admins
- Users with Kerberoastable SPNs
- Accounts with GenericAll on high-priv targets
BloodHound shows you where your current access can go.
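To make the "Shortest Paths to Domain Admins" query concrete, here is an added example (not BloodHound's or SharpHound's own code) of the same idea: a breadth-first search over a tiny constructed graph whose edges use the relationship names SharpHound collects (MemberOf, GenericAll, AdminTo, HasSession). The node names, edges and the `remediation_edges` helper are all assumptions for illustration; the point for a defender is that every path is a chain of concrete relationships, and the ACL or admin-rights edges in it are the ones you can actually remove.

```python
from collections import defaultdict, deque

# Constructed sample graph, not real collector output. Each edge is
# (source, relationship, target) in the direction BloodHound uses:
# user -MemberOf-> group, principal -GenericAll-> object,
# principal -AdminTo-> computer, computer -HasSession-> user.
EDGES = [
    ("alice@corp.local", "MemberOf", "HELPDESK@corp.local"),
    ("HELPDESK@corp.local", "GenericAll", "svc_backup@corp.local"),
    ("svc_backup@corp.local", "AdminTo", "FS01.corp.local"),
    ("FS01.corp.local", "HasSession", "dadmin@corp.local"),
    ("dadmin@corp.local", "MemberOf", "DOMAIN ADMINS@corp.local"),
    ("bob@corp.local", "MemberOf", "HELPDESK@corp.local"),
    ("carol@corp.local", "AdminTo", "WS07.corp.local"),
]


def build_graph(edges):
    """Adjacency list: node -> [(relationship, neighbour), ...]."""
    adj = defaultdict(list)
    for src, rel, dst in edges:
        adj[src].append((rel, dst))
    return adj


def shortest_path(edges, start, goal):
    """BFS from start to goal. Returns the path as a list of
    (src, relationship, dst) edges, or None if goal is unreachable."""
    adj = build_graph(edges)
    parent = {start: None}          # node -> (previous node, relationship)
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            break
        for rel, nxt in adj.get(node, []):
            if nxt not in parent:   # first visit is the shortest in BFS
                parent[nxt] = (node, rel)
                queue.append(nxt)
    if goal not in parent:
        return None
    path, node = [], goal
    while parent[node] is not None:
        prev, rel = parent[node]
        path.append((prev, rel, node))
        node = prev
    return list(reversed(path))


def remediation_edges(path):
    """Edges a defender can remove to break the path: ACL rights, local
    admin rights and sessions. Group membership alone is usually intended."""
    return [e for e in path if e[1] != "MemberOf"]


def format_path(path):
    return "\n".join(f"{src} -[{rel}]-> {dst}" for src, rel, dst in path)


if __name__ == "__main__":
    p = shortest_path(EDGES, "alice@corp.local", "DOMAIN ADMINS@corp.local")
    print(format_path(p))
    print("edges to fix:", remediation_edges(p))
```

Running it prints the five-hop path from alice to Domain Admins and lists the GenericAll, AdminTo and HasSession edges as the places to break it; carol has no path at all.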
3. Kerbrute
Kerbrute is great for enumerating valid usernames and performing password sprays against the KDC.
User enumeration:
kerbrute userenum -d corp.local users.txt --dc 192.168.56.101
# Identifies valid users based on Kerberos error responses
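Because Kerbrute works by reading the KDC's error responses, both of its modes leave a distinctive trail on the domain controller: user enumeration produces a burst of 4768 events with result 0x6 (client principal unknown) from one client, and a password spray produces a burst of 4771 events with failure code 0x18 (pre-authentication failed) across many distinct accounts. The following added example (written for this post, not part of Kerbrute or any SIEM product) implements that detection over constructed log lines. The line format is a simplified one-line-per-event layout invented here; real Security-log events carry the same data in fields such as TargetUserName, IpAddress and Status, and the thresholds are assumptions to tune.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events, not real DC logs. The layout is simplified;
# Status 0x6 on 4768 = client principal unknown, Status 0x18 on 4771 =
# pre-authentication failed (wrong password).
SAMPLE_LOG = """\
2024-05-01T10:00:01 EventID=4768 Account=jsmith Client=192.168.56.50 Status=0x0
2024-05-01T10:00:02 EventID=4768 Account=aaron Client=192.168.56.77 Status=0x6
2024-05-01T10:00:02 EventID=4768 Account=abby Client=192.168.56.77 Status=0x6
2024-05-01T10:00:02 EventID=4768 Account=adam Client=192.168.56.77 Status=0x6
2024-05-01T10:00:03 EventID=4768 Account=admin Client=192.168.56.77 Status=0x6
2024-05-01T10:00:03 EventID=4768 Account=alice Client=192.168.56.77 Status=0x0
2024-05-01T10:00:03 EventID=4768 Account=amy Client=192.168.56.77 Status=0x6
2024-05-01T10:05:10 EventID=4771 Account=alice Client=192.168.56.77 Status=0x18
2024-05-01T10:05:10 EventID=4771 Account=bob Client=192.168.56.77 Status=0x18
2024-05-01T10:05:11 EventID=4771 Account=carol Client=192.168.56.77 Status=0x18
2024-05-01T10:05:11 EventID=4771 Account=dave Client=192.168.56.77 Status=0x18
2024-05-01T10:07:00 EventID=4771 Account=erin Client=192.168.56.20 Status=0x18
2024-05-01T10:30:00 EventID=4771 Account=erin Client=192.168.56.20 Status=0x18
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) Account=(?P<acct>\S+) "
    r"Client=(?P<ip>\S+) Status=(?P<status>0x[0-9a-fA-F]+)$"
)

# (event id, status) pairs and what a burst of them means
SIGNATURES = {
    "userenum": (4768, 0x6),   # many unknown principals from one client
    "spray": (4771, 0x18),     # many pre-auth failures across accounts
}


def parse_events(text):
    """Parse the constructed log format into sorted event dicts;
    malformed lines are skipped instead of aborting the batch."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "eid": int(m["eid"]),
            "acct": m["acct"].lower(),
            "ip": m["ip"],
            "status": int(m["status"], 16),
        })
    return sorted(events, key=lambda e: e["ts"])


def detect(events, window=timedelta(seconds=60), threshold=4):
    """Return {(client_ip, label): distinct_accounts} for every client whose
    distinct failing accounts reach `threshold` inside a sliding `window`.
    Counting distinct accounts (not raw failures) keeps one user's typos
    from firing the rule."""
    alerts = {}
    recent = defaultdict(deque)  # (ip, label) -> deque of (ts, account)
    for e in events:
        for label, (eid, status) in SIGNATURES.items():
            if e["eid"] != eid or e["status"] != status:
                continue
            key = (e["ip"], label)
            q = recent[key]
            q.append((e["ts"], e["acct"]))
            while q and e["ts"] - q[0][0] > window:
                q.popleft()             # drop events outside the window
            distinct = len({acct for _, acct in q})
            if distinct >= threshold:
                alerts[key] = max(alerts.get(key, 0), distinct)
    return alerts


if __name__ == "__main__":
    for (ip, label), n in detect(parse_events(SAMPLE_LOG)).items():
        print(f"{ip}: {label} ({n} distinct accounts in window)")
```

On the sample data only 192.168.56.77 fires, once for enumeration and once for spraying; the two failures from 192.168.56.20 are the same account 23 minutes apart and stay below both the distinct-account threshold and the window.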
4. rpcclient
Useful for basic info gathering when SMB ports (139/445) are open.
rpcclient -U "" 192.168.56.101
# Anonymous bind
Then:
enumdomusers
queryuser <RID>
enumdomgroups
This is an old-school but reliable method.
5. smbclient
Enumerate shared folders over SMB:
smbclient -L //192.168.56.101 -N
# Lists available shares anonymously
If you have creds:
smbclient //192.168.56.101/share -U username
# Connects to a specific share
Look for:
- Backup shares
- IT or SYSVOL folders
- Scripts or config files
6. ldapsearch
Search Active Directory over LDAP directly:
ldapsearch -x -h 192.168.56.101 -b "dc=corp,dc=local"
# Anonymous bind; a default AD configuration returns little or nothing here beyond the rootDSE, so expect to need credentials
With creds:
ldapsearch -x -D "corp\\user" -w 'Password123' -H ldap://192.168.56.101 -b "dc=corp,dc=local"
Great for parsing raw AD data if you need low-level access.
7. Bonus: CrackMapExec (Quick Sweeps)
crackmapexec smb 192.168.56.0/24 -u user -p 'Password123'
# Quickly finds where credentials are valid
You can also check for admin access; `--local-auth` tries the credentials as a local account on each host rather than a domain account, and hosts where the account is an administrator are marked as such in the output:
crackmapexec smb 192.168.56.0/24 -u user -p 'Password123' --local-auth
What to Look For
- Users with SPNs → For Kerberoasting
- Users with DoesNotRequirePreAuth → For AS-REP Roasting
- Where users are logged in → For lateral movement
- Group memberships → For privilege escalation
- Misconfigured ACLs → For BloodHound attacks
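The raw LDIF that ldapsearch (section 6) returns is the natural input for turning this checklist into a repeatable audit. The added example below, written for this post and not part of ldapsearch or any tool named here, parses LDIF as ldapsearch emits it (comment lines, folded continuation lines that start with a space, `::` base64 values, repeated multi-valued attributes, and the trailing `search:`/`result:` block) and then applies the first two items of the checklist: accounts with an SPN and accounts with the DoesNotRequirePreAuth flag, which is bit 0x400000 of `userAccountControl`. It also flags Domain Admins membership and passwords set never to expire. The directory entries, account names and the `audit_entries` finding labels are constructed for illustration.

```python
import base64

# Constructed ldapsearch-style output, not a real directory dump.
SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <dc=corp,dc=local> with scope subtree
# filter: (objectClass=user)
#

# svc_sql, Users, corp.local
dn: CN=svc_sql,CN=Users,DC=corp,DC=local
sAMAccountName: svc_sql
userAccountControl: 66048
servicePrincipalName: MSSQLSvc/sql01.corp.local:1433
servicePrincipalName: MSSQLSvc/sql01.corp.local
memberOf: CN=Domain Admins,CN=Users,DC=corp,DC=local

# legacy_app, Users, corp.local
dn: CN=legacy_app,CN=Users,DC=corp,DC=local
sAMAccountName: legacy_app
userAccountControl: 4260352
description:: QmFja3VwIHNlcnZpY2U=

# jsmith, Users, corp.local
dn: CN=jsmith,CN=Users,DC=corp,DC=local
sAMAccountName: jsmith
userAccountControl: 512
memberOf: CN=Helpdesk,OU=Groups,DC=corp,DC=local
description: Member of the service desk, second-line supp
 ort for finance

# old_admin, Users, corp.local
dn: CN=old_admin,CN=Users,DC=corp,DC=local
sAMAccountName: old_admin
userAccountControl: 4194818
servicePrincipalName: HTTP/old.corp.local

# search result
search: 2
result: 0 Success

# numResponses: 5
# numEntries: 4
"""

# userAccountControl bits (values from the AD schema)
UAC_ACCOUNTDISABLE = 0x2
UAC_DONT_EXPIRE_PASSWORD = 0x10000
UAC_DONT_REQ_PREAUTH = 0x400000


def parse_ldif(text):
    """Return one {attribute: [values]} dict per entry that has a dn.
    Folded lines are joined first, '#' comments dropped, '::' values
    base64-decoded, and repeated attributes collected as lists."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:   # continuation of previous line
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    entries, current = [], None
    for line in logical:
        if not line.strip():                  # blank line ends an entry
            if current:
                entries.append(current)
            current = None
            continue
        if line.startswith("#"):
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):              # 'attr:: base64'
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        if current is None:
            current = {}
        current.setdefault(name, []).append(value)
    if current:
        entries.append(current)
    return [e for e in entries if "dn" in e]  # drops the search/result trailer


def audit_entries(entries, high_priv=("CN=Domain Admins,",)):
    """Apply the 'What to Look For' checks; returns (account, finding) pairs."""
    findings = []
    for e in entries:
        if "sAMAccountName" not in e:
            continue
        name = e["sAMAccountName"][0]
        uac = int(e.get("userAccountControl", ["0"])[0])
        if uac & UAC_ACCOUNTDISABLE:
            continue                           # disabled: not usable or roastable
        if e.get("servicePrincipalName"):
            findings.append((name, "kerberoastable"))
        if uac & UAC_DONT_REQ_PREAUTH:
            findings.append((name, "asrep_roastable"))
        if uac & UAC_DONT_EXPIRE_PASSWORD:
            findings.append((name, "password_never_expires"))
        if any(g.startswith(hp) for g in e.get("memberOf", []) for hp in high_priv):
            findings.append((name, "high_priv_member"))
    return findings


if __name__ == "__main__":
    for account, finding in audit_entries(parse_ldif(SAMPLE_LDIF)):
        print(f"{account}: {finding}")
```

On the sample, svc_sql is flagged three times (SPN, non-expiring password, Domain Admins member) and legacy_app twice (pre-auth not required, non-expiring password); jsmith is clean and old_admin is ignored because its account is disabled. Pipe real `ldapsearch -x ... -H ldap://<dc> -b "dc=corp,dc=local"` output into `parse_ldif` to run the same checks against a lab domain.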
Summary
Active Directory enumeration is about discovery, not exploitation. You’re gathering information to make smart decisions later. Don’t rush it.
| Target | Tool Example |
|---|---|
| Users, groups | PowerView, BloodHound, Kerbrute |
| SPNs, roastables | PowerView, Rubeus, GetUserSPNs.py |
| Trusts, sessions | BloodHound |
| Shares and logins | smbclient, rpcclient |
| LDAP structure | ldapsearch |
