Domain Enumeration

Overview

Domain enumeration is a critical phase in Active Directory penetration testing that involves gathering information about the domain structure, users, groups, computers, and relationships. This information is essential for identifying attack paths and privilege escalation opportunities.

Essential Domain Enumeration Tools

1. ldapdomaindump

A tool for dumping domain information via LDAP and creating HTML reports for analysis.

Installation

# Install via pip
pip3 install ldapdomaindump

# Or install from source
git clone https://github.com/dirkjanm/ldapdomaindump.git
cd ldapdomaindump
python3 setup.py install

Basic Usage

# Basic domain dump with credentials
ldapdomaindump -u 'DOMAIN\username' -p 'password' dc_ip

# Using NTLM hash
ldapdomaindump -u 'DOMAIN\username' --hashes :ntlm_hash dc_ip

# Specify output directory
ldapdomaindump -u 'DOMAIN\username' -p 'password' -o /tmp/ldap_dump dc_ip

# Use different authentication methods
ldapdomaindump -u 'username@domain.local' -p 'password' dc_ip

Advanced Options

# Resolve all SIDs to names
ldapdomaindump -u 'DOMAIN\username' -p 'password' --resolve dc_ip

# Specify custom LDAP port
ldapdomaindump -u 'DOMAIN\username' -p 'password' --port 636 dc_ip

# Use LDAPS (SSL)
ldapdomaindump -u 'DOMAIN\username' -p 'password' --ssl dc_ip

# Verbose output
ldapdomaindump -u 'DOMAIN\username' -p 'password' -v dc_ip

Output Analysis

# Generated HTML files:
# - domain_computers.html - Computer accounts
# - domain_users.html - User accounts  
# - domain_groups.html - Group memberships
# - domain_policy.html - Domain policies
# - domain_trusts.html - Trust relationships

# Open in browser for analysis
firefox domain_users.html

2. BloodHound

A tool for analyzing Active Directory trust relationships and finding attack paths.

Installation

# Install BloodHound (GUI)
# Download from: https://github.com/BloodHoundAD/BloodHound/releases

# Install Neo4j database
sudo apt install neo4j

# Or use Docker
docker run -d -p 7474:7474 -p 7687:7687 -e NEO4J_AUTH=neo4j/bloodhound neo4j:4.4-community

Data Collection with SharpHound

# Download SharpHound
wget https://github.com/BloodHoundAD/SharpHound/releases/latest/download/SharpHound-v1.1.0.zip

# Run SharpHound on target (Windows)
.\SharpHound.exe -c All -d domain.local

# Specify domain controller
.\SharpHound.exe -c All -d domain.local --domaincontroller dc01.domain.local

# Use specific credentials
.\SharpHound.exe -c All -d domain.local --ldapusername user --ldappassword pass

# Stealth collection (slower but quieter)
.\SharpHound.exe -c All --stealth

Data Collection with BloodHound.py

# Install BloodHound.py
pip3 install bloodhound

# Collect data remotely
bloodhound-python -d domain.local -u username -p password -gc dc01.domain.local -c all

# Using NTLM hash
bloodhound-python -d domain.local -u username --hashes :ntlm_hash -gc dc01.domain.local -c all

# Specify name server
bloodhound-python -d domain.local -u username -p password -gc dc01.domain.local -c all --dns-tcp -ns 192.168.1.10

BloodHound Analysis

# Common queries in BloodHound:
# 1. Find all Domain Admins
# 2. Find Shortest Paths to Domain Admins
# 3. Find Principals with DCSync Rights
# 4. Find Computers with Unconstrained Delegation
# 5. Find ASREPRoastable Users
# 6. Find Kerberoastable Users
# 7. Find Computers where Domain Users are Local Admin
# 8. Find Shortest Paths from Kerberoastable Users

3. PlumHound

A tool that extends BloodHound by creating additional reports and analysis.

Installation

# Install PlumHound
git clone https://github.com/PlumHound/PlumHound.git
cd PlumHound
pip3 install -r requirements.txt

Usage with BloodHound Data

# Generate all default reports
python3 PlumHound.py --server bolt://localhost:7687 -u neo4j -p bloodhound

# Generate specific report types
python3 PlumHound.py --server bolt://localhost:7687 -u neo4j -p bloodhound --TaskList tasks/default.tasks

# Custom output directory
python3 PlumHound.py --server bolt://localhost:7687 -u neo4j -p bloodhound -o /tmp/plumhound_reports

# Generate specific queries
python3 PlumHound.py --server bolt://localhost:7687 -u neo4j -p bloodhound --QuerySingle "MATCH (u:User {enabled:true}) RETURN u.name"

Custom Report Generation

# Create custom task file
cat > custom.tasks << EOF
["Domain Admins","MATCH (u:User)-[:MemberOf*1..]->(g:Group {name:'DOMAIN ADMINS@DOMAIN.LOCAL'}) RETURN u.name as Username","List of Domain Administrators"]
["High Value Targets","MATCH (u:User {highvalue:true}) RETURN u.name as Username","High Value User Accounts"]
["Unconstrained Delegation","MATCH (c:Computer {unconstraineddelegation:true}) RETURN c.name as Computer","Computers with Unconstrained Delegation"]
EOF

# Run custom tasks
python3 PlumHound.py --server bolt://localhost:7687 -u neo4j -p bloodhound --TaskList custom.tasks

4. PingCastle

A Windows-based tool for Active Directory security assessment and health check.

Installation and Usage

# Download PingCastle from: https://www.pingcastle.com/download/
# Run on Windows domain-joined machine or with credentials

# Basic health check
PingCastle.exe --healthcheck --server dc01.domain.local

# Generate report for specific domain
PingCastle.exe --healthcheck --server dc01.domain.local --domain domain.local

# Advanced scan with all modules
PingCastle.exe --healthcheck --level Full --server dc01.domain.local

# Export results
PingCastle.exe --healthcheck --server dc01.domain.local --xmls

Comprehensive Domain Enumeration Workflow

Phase 1: Initial LDAP Enumeration

# Step 1: Basic LDAP dump
ldapdomaindump -u 'DOMAIN\username' -p 'password' -o ldap_output dc_ip

# Step 2: Analyze HTML reports
firefox ldap_output/domain_users.html
firefox ldap_output/domain_groups.html
firefox ldap_output/domain_computers.html

# Step 3: Extract key information
grep -i "admin" ldap_output/domain_users.html
grep -i "service" ldap_output/domain_users.html

Phase 2: BloodHound Data Collection

# Option A: Remote collection with BloodHound.py
bloodhound-python -d domain.local -u username -p password -gc dc01.domain.local -c all -ns dc_ip

# Option B: On-target collection (if you have access)
# Upload and run SharpHound.exe
.\SharpHound.exe -c All --zipfilename domain_bloodhound.zip

Phase 3: BloodHound Analysis

# Start Neo4j database
sudo neo4j start

# Import data into BloodHound
# Drag and drop .zip files into BloodHound interface

# Run pre-built queries:
# 1. Find all Domain Admins
# 2. Shortest Paths to Domain Admins  
# 3. Find Computers with Unconstrained Delegation
# 4. Find ASREPRoastable Users (no pre-auth)
# 5. Find Kerberoastable Users (SPN set)

Phase 4: Extended Analysis with PlumHound

# Generate comprehensive reports
python3 PlumHound.py --server bolt://localhost:7687 -u neo4j -p bloodhound -o plumhound_reports

# Review generated reports
ls plumhound_reports/
# - Domain_Admins.html
# - Kerberoastable_Users.html  
# - ASREPRoastable_Users.html
# - Computers_Local_Admin_Rights.html

Advanced Enumeration Techniques

LDAP Queries with ldapsearch

# Enumerate all users
ldapsearch -x -H ldap://dc_ip -D "username@domain.local" -w password -b "DC=domain,DC=local" "(objectClass=user)" sAMAccountName

# Find service accounts
ldapsearch -x -H ldap://dc_ip -D "username@domain.local" -w password -b "DC=domain,DC=local" "(&(objectClass=user)(servicePrincipalName=*))" sAMAccountName servicePrincipalName

# Find computers  
ldapsearch -x -H ldap://dc_ip -D "username@domain.local" -w password -b "DC=domain,DC=local" "(objectClass=computer)" sAMAccountName

# Find groups
ldapsearch -x -H ldap://dc_ip -D "username@domain.local" -w password -b "DC=domain,DC=local" "(objectClass=group)" sAMAccountName member

PowerShell AD Enumeration (if on Windows)

# Import Active Directory module
Import-Module ActiveDirectory

# Get all domain users
Get-ADUser -Filter * -Properties *

# Find service accounts
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName

# Get domain admins
Get-ADGroupMember "Domain Admins"

# Find computers
Get-ADComputer -Filter * -Properties *

# Get domain trusts
Get-ADTrust -Filter *

Impacket Tools for Domain Enumeration

# GetADUsers.py - Enumerate domain users
GetADUsers.py domain.local/username:password -dc-ip dc_ip -all

# GetUserSPNs.py - Find Kerberoastable users
GetUserSPNs.py domain.local/username:password -dc-ip dc_ip

# GetNPUsers.py - Find ASREPRoastable users  
GetNPUsers.py domain.local/username:password -dc-ip dc_ip

# secretsdump.py - Extract secrets (if admin)
secretsdump.py domain.local/username:password@dc_ip

Key Information to Extract

User Accounts

  • Domain administrators

  • Service accounts (SPNs)

  • Privileged users

  • Inactive accounts

  • Accounts with passwords that don't expire

  • ASREPRoastable users (no pre-auth)

Groups

  • Administrative groups

  • Nested group memberships

  • Custom security groups

  • Distribution groups with security implications

Computers

  • Domain controllers

  • Servers with specific roles

  • Workstations with local admin rights

  • Computers with unconstrained delegation

  • Inactive computer accounts

Permissions and Rights

  • Users with DCSync rights

  • Accounts with delegation permissions

  • Users with admin rights on multiple systems

  • Service accounts with excessive privileges

Attack Path Identification

Common Attack Paths

  1. Kerberoasting โ†’ Service account compromise โ†’ Lateral movement

  2. ASREPRoasting โ†’ User account compromise โ†’ Privilege escalation

  3. Unconstrained Delegation โ†’ Computer compromise โ†’ Domain admin

  4. Local Admin Rights โ†’ Credential harvesting โ†’ Domain escalation

  5. Group Policy Abuse โ†’ System compromise โ†’ Domain control

BloodHound Queries for Attack Paths

// Find shortest path to Domain Admins
MATCH (u:User {name:"USERNAME@DOMAIN.LOCAL"}), (g:Group {name:"DOMAIN ADMINS@DOMAIN.LOCAL"}), p=shortestPath((u)-[*1..]->(g)) RETURN p

// Find computers where domain users have local admin
MATCH (g:Group {name:"DOMAIN USERS@DOMAIN.LOCAL"})-[:AdminTo]->(c:Computer) RETURN c.name

// Find users with DCSync rights
MATCH (u:User)-[:GetChanges|GetChangesAll*1..]->(d:Domain) RETURN u.name

// Find Kerberoastable users with admin rights
MATCH (u:User {hasspn:true})-[:AdminTo]->(c:Computer) RETURN u.name, c.name

Defensive Considerations

Detection Indicators

  • Multiple LDAP queries from single source

  • Unusual BloodHound/SharpHound activity

  • Large data transfers from domain controllers

  • Non-standard LDAP bind attempts

  • Kerberos ticket requests for service accounts

Mitigation Strategies

  • Monitor LDAP query patterns

  • Implement least privilege principles

  • Regular audit of privileged groups

  • Disable unused accounts

  • Implement proper delegation controls

  • Monitor for BloodHound indicators

Reporting and Documentation

Key Findings to Document

  • Domain structure and topology

  • Privileged user accounts identified

  • Attack paths discovered

  • Misconfigurations found

  • Recommendations for hardening

Evidence Collection

# Save all enumeration outputs
mkdir domain_enum_$(date +%Y%m%d)
cp -r ldap_output domain_enum_$(date +%Y%m%d)/
cp *.zip domain_enum_$(date +%Y%m%d)/  # BloodHound data
cp -r plumhound_reports domain_enum_$(date +%Y%m%d)/

# Create summary report
echo "Domain Enumeration Summary - $(date)" > domain_enum_$(date +%Y%m%d)/summary.txt
echo "Users found: $(wc -l < users.txt)" >> domain_enum_$(date +%Y%m%d)/summary.txt
echo "Computers found: $(wc -l < computers.txt)" >> domain_enum_$(date +%Y%m%d)/summary.txt

Tools Comparison

Tool
Purpose
Output Format
Best For

ldapdomaindump

LDAP enumeration

HTML reports

Initial reconnaissance

BloodHound

Attack path analysis

Graph database

Visual attack paths

PlumHound

Extended reporting

HTML/CSV reports

Detailed analysis

PingCastle

Security assessment

HTML reports

Compliance checking

Note: Always ensure proper authorization before conducting domain enumeration. These techniques should only be used in authorized penetration testing scenarios or controlled lab environments.

PreviousPass Attacks (PTH/PTT)NextGolden Ticket Attacks

Last updated