Domain Enumeration
Overview
Domain enumeration is a critical phase in Active Directory penetration testing that involves gathering information about the domain structure, users, groups, computers, and relationships. This information is essential for identifying attack paths and privilege escalation opportunities.
Essential Domain Enumeration Tools
1. ldapdomaindump
A tool for dumping domain information via LDAP and creating HTML reports for analysis.
Installation
# Install via pip
pip3 install ldapdomaindump
# Or install from source
git clone https://github.com/dirkjanm/ldapdomaindump.git
cd ldapdomaindump
python3 setup.py install
Basic Usage
# Basic domain dump with credentials
ldapdomaindump -u 'DOMAIN\username' -p 'password' dc_ip
# Using an NTLM hash: ldapdomaindump accepts an LM:NTLM hash in place of the password
ldapdomaindump -u 'DOMAIN\username' -p 'lm_hash:ntlm_hash' dc_ip
# Specify output directory
ldapdomaindump -u 'DOMAIN\username' -p 'password' -o /tmp/ldap_dump dc_ip
# Use a UPN-style username with a simple bind instead of NTLM (-at selects the authentication type)
ldapdomaindump -u 'username@domain.local' -p 'password' -at SIMPLE dc_ip
Advanced Options
Output Analysis
2. BloodHound
A tool for analyzing Active Directory trust relationships and finding attack paths.
Installation
Data Collection with SharpHound
Data Collection with BloodHound.py
BloodHound Analysis
3. PlumHound
A tool that extends BloodHound by creating additional reports and analysis.
Installation
Usage with BloodHound Data
Custom Report Generation
4. PingCastle
A Windows-based tool for Active Directory security assessment and health check.
Installation and Usage
Comprehensive Domain Enumeration Workflow
Phase 1: Initial LDAP Enumeration
Phase 2: BloodHound Data Collection
Phase 3: BloodHound Analysis
Phase 4: Extended Analysis with PlumHound
Advanced Enumeration Techniques
LDAP Queries with ldapsearch
PowerShell AD Enumeration (if on Windows)
Impacket Tools for Domain Enumeration
Key Information to Extract
User Accounts
Domain administrators
Service accounts (SPNs)
Privileged users
Inactive accounts
Accounts with passwords that don't expire
ASREPRoastable users (no pre-auth)
Groups
Administrative groups
Nested group memberships
Custom security groups
Distribution groups with security implications
Computers
Domain controllers
Servers with specific roles
Workstations with local admin rights
Computers with unconstrained delegation
Inactive computer accounts
Permissions and Rights
Users with DCSync rights
Accounts with delegation permissions
Users with admin rights on multiple systems
Service accounts with excessive privileges
Attack Path Identification
Common Attack Paths
Kerberoasting → Service account compromise → Lateral movement
ASREPRoasting → User account compromise → Privilege escalation
Unconstrained Delegation → Computer compromise → Domain admin
Local Admin Rights → Credential harvesting → Domain escalation
Group Policy Abuse → System compromise → Domain control
BloodHound Queries for Attack Paths
Defensive Considerations
Detection Indicators
Multiple LDAP queries from single source
Unusual BloodHound/SharpHound activity
Large data transfers from domain controllers
Non-standard LDAP bind attempts
Kerberos ticket requests for service accounts
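As an added example (not code from the original page or from any of the tools above), the following Python script turns the first indicator into detection logic: it parses constructed LDAP search log lines and flags any client that requests several of the object classes a full domain dump pulls (users, groups, computers, trusts, domain policy) within a short window. The log format, addresses, user names and thresholds are assumptions for this illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not any real product's format): one LDAP search per line.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z client=10.0.0.5 user=CORP\\alice op=search filter=(objectClass=user)
2024-05-01T10:00:02Z client=10.0.0.5 user=CORP\\alice op=search filter=(objectClass=group)
2024-05-01T10:00:03Z client=10.0.0.5 user=CORP\\alice op=search filter=(objectClass=computer)
2024-05-01T10:00:04Z client=10.0.0.5 user=CORP\\alice op=search filter=(objectClass=trustedDomain)
2024-05-01T10:00:05Z client=10.0.0.5 user=CORP\\alice op=search filter=(objectClass=domainPolicy)
2024-05-01T10:00:06Z client=10.0.0.9 user=CORP\\bob op=search filter=(&(objectClass=user)(sAMAccountName=bob))
2024-05-01T10:30:00Z client=10.0.0.9 user=CORP\\bob op=search filter=(objectClass=computer)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) user=(?P<user>\S+) op=search filter=(?P<filter>.+)$")
CLASS_RE = re.compile(r"objectClass=(\w+)", re.IGNORECASE)

# Object classes that a whole-domain dump (ldapdomaindump, BloodHound.py) requests in quick succession.
DUMP_CLASSES = {"user", "group", "computer", "trusteddomain", "domainpolicy", "grouppolicycontainer"}


def parse_line(line):
    """Parse one constructed log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["classes"] = {c.lower() for c in CLASS_RE.findall(rec["filter"])}
    return rec


def find_dump_activity(log_text, window=timedelta(minutes=5), min_classes=3):
    """Return {client: sorted dump-related classes} for every client that searched for
    at least min_classes distinct dump-related object classes within one sliding window."""
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_client[rec["client"]].append(rec)
    hits = {}
    for client, recs in by_client.items():
        recs.sort(key=lambda r: r["ts"])
        for i, start in enumerate(recs):        # slide the window over this client's searches
            seen = set()
            for r in recs[i:]:
                if r["ts"] - start["ts"] > window:
                    break
                seen |= r["classes"] & DUMP_CLASSES
            if len(seen) >= min_classes:
                hits[client] = sorted(seen)
                break
    return hits
```

Running `find_dump_activity(SAMPLE_LOG)` flags only 10.0.0.5; the single lookup and the much later computer search from 10.0.0.9 stay below the threshold.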
Mitigation Strategies
Monitor LDAP query patterns
Implement least privilege principles
Regular audit of privileged groups
Disable unused accounts
Implement proper delegation controls
Monitor for BloodHound indicators
Reporting and Documentation
Key Findings to Document
Domain structure and topology
Privileged user accounts identified
Attack paths discovered
Misconfigurations found
Recommendations for hardening
Evidence Collection
Tools Comparison
Tool            Purpose                Output            Best suited for
ldapdomaindump  LDAP enumeration       HTML reports      Initial reconnaissance
BloodHound      Attack path analysis   Graph database    Visual attack paths
PlumHound       Extended reporting     HTML/CSV reports  Detailed analysis
PingCastle      Security assessment    HTML reports      Compliance checking
Note: Always ensure proper authorization before conducting domain enumeration. These techniques should only be used in authorized penetration testing scenarios or controlled lab environments.