search

Domain Enumeration

hashtag
Overview

Domain enumeration is a critical phase in Active Directory penetration testing that involves gathering information about the domain structure, users, groups, computers, and relationships. This information is essential for identifying attack paths and privilege escalation opportunities.

hashtag
Essential Domain Enumeration Tools

hashtag
1. ldapdomaindump

A tool for dumping domain information via LDAP and creating HTML reports for analysis.

hashtag
Installation

# Install via pip
pip3 install ldapdomaindump

# Or install from source
git clone https://github.com/dirkjanm/ldapdomaindump.git
cd ldapdomaindump
python3 setup.py install

hashtag
Basic Usage

# Basic domain dump with credentials
ldapdomaindump -u 'DOMAIN\username' -p 'password' dc_ip

# Using NTLM hash
ldapdomaindump -u 'DOMAIN\username' --hashes :ntlm_hash dc_ip

# Specify output directory
ldapdomaindump -u 'DOMAIN\username' -p 'password' -o /tmp/ldap_dump dc_ip

# Use different authentication methods
ldapdomaindump -u 'username@domain.local' -p 'password' dc_ip

hashtag
Advanced Options

hashtag
Output Analysis

hashtag
2. BloodHound

A tool for analyzing Active Directory trust relationships and finding attack paths.

hashtag
Installation

hashtag
Data Collection with SharpHound

hashtag
Data Collection with BloodHound.py

hashtag
BloodHound Analysis

hashtag
3. PlumHound

A tool that extends BloodHound by creating additional reports and analysis.

hashtag
Installation

hashtag
Usage with BloodHound Data

hashtag
Custom Report Generation

hashtag
4. PingCastle

A Windows-based tool for Active Directory security assessment and health check.

hashtag
Installation and Usage

hashtag
Comprehensive Domain Enumeration Workflow

hashtag
Phase 1: Initial LDAP Enumeration

hashtag
Phase 2: BloodHound Data Collection

hashtag
Phase 3: BloodHound Analysis

hashtag
Phase 4: Extended Analysis with PlumHound

hashtag
Advanced Enumeration Techniques

hashtag
LDAP Queries with ldapsearch

hashtag
PowerShell AD Enumeration (if on Windows)

hashtag
Impacket Tools for Domain Enumeration

hashtag
Key Information to Extract

hashtag
User Accounts

  • Domain administrators

  • Service accounts (SPNs)

  • Privileged users

  • Inactive accounts

  • Accounts with passwords that don't expire

  • ASREPRoastable users (no pre-auth)

hashtag
Groups

  • Administrative groups

  • Nested group memberships

  • Custom security groups

  • Distribution groups with security implications

hashtag
Computers

  • Domain controllers

  • Servers with specific roles

  • Workstations with local admin rights

  • Computers with unconstrained delegation

  • Inactive computer accounts

hashtag
Permissions and Rights

  • Users with DCSync rights

  • Accounts with delegation permissions

  • Users with admin rights on multiple systems

  • Service accounts with excessive privileges

hashtag
Attack Path Identification

hashtag
Common Attack Paths

  1. Kerberoasting β†’ Service account compromise β†’ Lateral movement

  2. ASREPRoasting β†’ User account compromise β†’ Privilege escalation

  3. Unconstrained Delegation β†’ Computer compromise β†’ Domain admin

  4. Local Admin Rights β†’ Credential harvesting β†’ Domain escalation

  5. Group Policy Abuse β†’ System compromise β†’ Domain control

hashtag
BloodHound Queries for Attack Paths

hashtag
Defensive Considerations

hashtag
Detection Indicators

  • Multiple LDAP queries from single source

  • Unusual BloodHound/SharpHound activity

  • Large data transfers from domain controllers

  • Non-standard LDAP bind attempts

  • Kerberos ticket requests for service accounts

hashtag
Mitigation Strategies

  • Monitor LDAP query patterns

  • Implement least privilege principles

  • Regular audit of privileged groups

  • Disable unused accounts

  • Implement proper delegation controls

  • Monitor for BloodHound indicators

hashtag
Reporting and Documentation

hashtag
Key Findings to Document

  • Domain structure and topology

  • Privileged user accounts identified

  • Attack paths discovered

  • Misconfigurations found

  • Recommendations for hardening

hashtag
Evidence Collection

hashtag
Tools Comparison

Tool
Purpose
Output Format
Best For

ldapdomaindump

LDAP enumeration

HTML reports

Initial reconnaissance

BloodHound

Attack path analysis

Graph database

Visual attack paths

PlumHound

Extended reporting

HTML/CSV reports

Detailed analysis

PingCastle

Security assessment

HTML reports

Compliance checking

Note: Always ensure proper authorization before conducting domain enumeration. These techniques should only be used in authorized penetration testing scenarios or controlled lab environments.

PreviousPass Attacks (PTH/PTT)NextGolden Ticket Attacks

Last updated