Active Directory Enumeration

Not Authenticated

Compare outputs from different commands! Some commands might miss some users…

Domain name & SID

Usernames & Groups

Most reliable: rpcclient and enum4linux. Less reliable: ldapsearch filtered on objectClass=user (sometimes misses service accounts).

rpcclient -N -U "" $IP
enumdomusers
enumdomgroups
lookupname john.smith # Gives the user SID
rpcclient -W '' -c querydispinfo -U''%'' $IP
enum4linux -U $IP
enum4linux -U $IP | grep user: | cut -d "[" -f2 | cut -d "]" -f1 > users.txt
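As an added example (not part of the original cheat sheet), a small Python script that parses the output formats printed by the commands above (rpcclient enumdomusers / enum4linux -U, rpcclient querydispinfo, and ldapsearch) and reports which tool missed which account, the cross-check recommended at the top of this section. The sample outputs are constructed, not captured from a real domain.

```python
import re

# Constructed sample outputs in the formats the three commands print.
RPCCLIENT_ENUMDOMUSERS = """\
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[john.smith] rid:[0x3e8]
user:[svc_backup] rid:[0x3e9]
"""
RPCCLIENT_QUERYDISPINFO = (
    "index: 0x1 RID: 0x1f4 acb: 0x00000210 Account: Administrator\tName: (null)\tDesc: Built-in account\n"
    "index: 0x2 RID: 0x3e8 acb: 0x00000210 Account: john.smith\tName: John Smith\tDesc: (null)\n"
    "index: 0x3 RID: 0x3e9 acb: 0x00000210 Account: svc_backup\tName: (null)\tDesc: Backup service\n"
)
LDAPSEARCH_USERS = """\
dn: CN=John Smith,CN=Users,DC=example,DC=com
sAMAccountName: john.smith
dn: CN=Guest,CN=Users,DC=example,DC=com
sAMAccountName: Guest
"""

USER_RID_RE = re.compile(r"user:\[(?P<name>[^\]]+)\]\s+rid:\[(?P<rid>0x[0-9a-fA-F]+)\]")
DISPINFO_RE = re.compile(r"RID:\s*(?P<rid>0x[0-9a-fA-F]+).*?Account:\s*(?P<name>[^\t\n]+)")
SAM_RE = re.compile(r"^sAMAccountName:\s*(?P<name>\S+)$", re.MULTILINE)

def parse_enumdomusers(text):
    """rpcclient enumdomusers / enum4linux -U lines -> {name: rid}."""
    return {m["name"]: int(m["rid"], 16) for m in USER_RID_RE.finditer(text)}

def parse_querydispinfo(text):
    """rpcclient querydispinfo lines -> {name: rid} (tab-separated fields)."""
    return {m["name"].strip(): int(m["rid"], 16) for m in DISPINFO_RE.finditer(text)}

def parse_ldapsearch(text):
    """ldapsearch LDIF output -> {sAMAccountName: None} (no RID in this view)."""
    return {m["name"]: None for m in SAM_RE.finditer(text)}

def reconcile(sources):
    """sources: {tool: {user: rid}} -> (sorted union, {tool: users it missed}).
    Names are compared case-insensitively, as AD account names are."""
    seen = {tool: {u.lower() for u in users} for tool, users in sources.items()}
    all_users = set().union(*seen.values())
    missed = {tool: sorted(all_users - names) for tool, names in seen.items()}
    return sorted(all_users), missed

def main():
    sources = {"enumdomusers": parse_enumdomusers(RPCCLIENT_ENUMDOMUSERS),
               "querydispinfo": parse_querydispinfo(RPCCLIENT_QUERYDISPINFO),
               "ldapsearch": parse_ldapsearch(LDAPSEARCH_USERS)}
    users, missed = reconcile(sources)
    print(f"{len(users)} distinct accounts: {', '.join(users)}")
    for tool, gaps in missed.items():
        print(f"{tool}: missed {gaps or 'nothing'}")

if __name__ == "__main__":
    main()
```

Feed real tool output in through the three parsers; an account that shows up only in one source is the one to double-check, not to discard.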

Authenticated

BEST OPTION: Use BloodHound, Impacket, PowerView & ldapsearch.

enum4linux -a -u $USER -p $PASS $IP

Using PowerShell

❗ Only works on Windows, the ActiveDirectory module is not available in Kali.

Domain controllers

powershell -c "Get-ADDomainController -Filter *|select hostname, site"

Organizational Units (OU)

powershell -c "Get-ADOrganizationalUnit -Filter 'ObjectGUID -eq \"REPLACEME\"' -Properties *"

Users

powershell -c "Get-ADUser -Filter 'ObjectGUID -eq \"REPLACEME\"' -Properties *"

Objects

powershell -c "Get-ADObject -Filter {name -eq 'REPLACEME'} -SearchBase 'DC=yourdomain,DC=com' -Properties *"

Group Policy Object (GPO)

Documentation for Get-GPO, Get-GPPermission (Microsoft)

powershell -c "Get-GPO -Name \"REPLACEME\""
powershell -c "Get-GPPermission -Name \"REPLACEME\" -All"

GPO Settings:

# Get the GPO report in XML format
$GPOReport = Get-GPOReport -Name "GPO Name" -ReportType xml

# Convert the XML report to a readable format
$GPOSettings = [xml]$GPOReport

# Display the GPO settings
$GPOSettings.GPO.Computer.ExtensionData.Extension | Select-Object DisplayName, Setting

GPO Report:

powershell -c "Get-GPOReport -Name \"REPLACEME\" -ReportType xml"
powershell -c "Get-GPOReport -Name \"REPLACEME\" -ReportType html"

ACL

Checks what permissions GroupB has on GroupA.

powershell -c "([ADSI]\"LDAP://CN=GroupA,DC=example,DC=com\").ObjectSecurity.Access | Where-Object { $_.IdentityReference.Value -eq 'EXAMPLE\GroupB' }"

Manually using “net” commands

net user
net user /domain
net user "<username>" /domain
net group /domain
net group "<group name>" /domain

Domain’s account policy

net accounts

Enumerate SPNs

A service principal name (SPN) is a unique identifier of a service instance. SPNs are used by Kerberos authentication to associate a service instance with a service logon account. This allows a client application to request that the service authenticate an account even if the client does not have the account name.

Obtain IP/port of applications running on servers in the domain. Use Get-SPN.ps1.

Using setspn – already installed natively on Windows

All SPNs: DO NOT USE IN REAL AD PROD ENVIRONMENT

setspn -T <domain> -Q */*

SPNs for specific account

setspn -L account
setspn -L domain\account

SPNs of a specific server

setspn -l servername

LDAP Ping Enumeration

💡 Use LDAP Nom Nom to anonymously bruteforce Active Directory usernames from Domain Controllers by abusing LDAP Ping requests (cLDAP).

MITRE ATT&CK: T1087.002 – Account Discovery: Domain Account

Certipy-AD

See Certipy for Active Directory Certificate Services (ADCS) enumeration that can be imported into BloodHound.