What can an attacker see in your Active Directory without logging in?

Enumeration is the phase in which the auditor gathers detailed and specific information about the environment, such as users, groups, shared resources, network services, and other configurations. The goal is to identify entry points and weaknesses that may be exploited in later stages of the audit.

Now that we know what enumeration is, recall that Active Directory (AD) is Microsoft's hierarchical directory service, which centralizes the management of users, computers, printers and security policies within a domain. The Domain Controllers (DCs) hold the directory database (NTDS.dit) and handle authentication and authorization for the domain.

In this article we cover two scenarios: credential-less (external) enumeration, in which only the technologies and services exposed by the machines that make up the domain can be observed, and credentialed enumeration, performed with a domain account, in which the structure and characteristics of Active Directory itself can be examined.

Credential-less enumeration shows what an attacker with no prior access can already learn about Active Directory. It is key to identifying insecure configurations and information that is exposed without any need to authenticate.

The first thing we do is scan the network for key ports with a tool such as Nmap. The most interesting ports are those of the Active Directory services: DNS (53), Kerberos (88), the RPC endpoint mapper (135), LDAP (389) and LDAPS (636), SMB (445), Kerberos kpasswd (464), the Global Catalog (3268 and 3269), and RDP (3389). Detecting these services helps us identify active Domain Controllers: only a DC serves Kerberos and the Global Catalog, so a host that answers on 88, 389 and 3268 together is almost certainly one. Gathering information about other services is still worthwhile, because even if they are not AD services they may be vulnerable and serve as an entry point for attackers.
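As an added example (not part of the original article), the following Python script reproduces the check an Nmap scan of the ports above performs: a TCP connect probe of each port, followed by a classification of the host from the set that answers. The target address is a placeholder supplied on the command line; the port list and the DC signature (Kerberos plus LDAP plus Global Catalog) are the ones described above.

```python
import socket
from concurrent.futures import ThreadPoolExecutor

# Ports the article singles out and the service that normally answers on each.
AD_PORTS = {
    53: "DNS", 88: "Kerberos", 135: "RPC endpoint mapper", 389: "LDAP",
    445: "SMB", 464: "Kerberos kpasswd", 636: "LDAPS",
    3268: "Global Catalog", 3269: "Global Catalog (TLS)", 3389: "RDP",
}

# Only Domain Controllers run a KDC and a Global Catalog, so a host that
# answers on all three of these is treated as a DC.
DC_SIGNATURE = {88, 389, 3268}


def tcp_open(host, port, timeout=1.0):
    """True if a full TCP handshake completes (the same test as nmap -sT)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def scan_host(host, ports=tuple(AD_PORTS), timeout=1.0, workers=20):
    """Connect-scan the given ports concurrently and return the set that answered."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: (p, tcp_open(host, p, timeout)), ports))
    return {port for port, is_open in results if is_open}


def classify(open_ports):
    """Label a host from the AD-related ports it exposes."""
    open_ports = set(open_ports)
    if DC_SIGNATURE <= open_ports:
        return "domain controller"
    if open_ports & {88, 389, 636, 3268, 3269}:
        return "directory/KDC service without the full DC signature"
    if open_ports & {135, 445, 3389}:
        return "windows host (no directory services)"
    return "no AD-related ports open"


def report(host, open_ports):
    """Human-readable summary, one line per open port."""
    lines = ["%s: %s" % (host, classify(open_ports))]
    for port in sorted(open_ports):
        lines.append("  %5d/tcp  %s" % (port, AD_PORTS.get(port, "?")))
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"   # hypothetical target
    print(report(target, scan_host(target)))
```

A connect scan completes the handshake, so it shows up in the target's logs exactly like a client connection; Nmap's SYN scan is quieter but needs raw-socket privileges.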

Once the ports have been located, we interact with the services found. A logical starting point is SMB and RPC, since they are sometimes configured to answer anonymous (null-session) requests.

With smbclient we can list shares that allow anonymous access, and with rpcclient we can query domain information over a null session, using commands that list users and the password policy without credentials. Bear in mind that current Domain Controllers block anonymous SAM enumeration by default, so when these commands succeed it usually means a legacy or deliberately relaxed configuration, which is itself a finding.

To speed up this collection we can rely on automated tools. enum4linux-ng, for example, performs a fairly complete sweep of the domain over SMB and RPC. CrackMapExec, and its maintained successor NetExec, are especially useful for obtaining shares, users and password-policy settings from SMB services. smbmap likewise shows which shares are reachable without authenticating and what the anonymous user may do on each, which can reveal a great deal about the layout of the shared file system.

Another very effective technique is RID cycling, which enumerates domain accounts from their Relative Identifiers (RIDs): the domain SID is obtained first, the tool appends sequential RIDs to it (500, 501 and 502 for Administrator, Guest and krbtgt, 512 and 513 for Domain Admins and Domain Users, then 1000 upwards for accounts created after installation) and asks the DC to translate each SID back to a name over the LSA RPC interface. NetExec and CrackMapExec perform it with the --rid-brute option, and it works whenever the DC still allows anonymous SID-to-name translation.
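The following Python code, added here as an illustration and not taken from the article or from any of the tools named, shows the mechanics behind RID cycling: the binary SID format that LDAP returns in objectSid, how candidate SIDs are derived from the domain SID, and how the answers of rpcclient's lookupsids command are parsed. The sample output is constructed in rpcclient's format, and the domain SID in it is invented.

```python
import re
import struct

# RIDs that exist in every domain with the same value (well-known accounts and groups).
WELL_KNOWN_RIDS = {
    500: "Administrator", 501: "Guest", 502: "krbtgt",
    512: "Domain Admins", 513: "Domain Users", 515: "Domain Computers",
    516: "Domain Controllers", 518: "Schema Admins", 519: "Enterprise Admins",
    520: "Group Policy Creator Owners", 525: "Protected Users",
}

# SID_NAME_USE values returned by LSA LookupSids; rpcclient prints them in parentheses.
SID_TYPES = {1: "user", 2: "group", 3: "domain", 4: "alias", 5: "well-known group",
             6: "deleted", 7: "invalid", 8: "unknown", 9: "computer"}


def sid_from_bytes(raw):
    """Decode a binary SID (the form LDAP returns in objectSid) to S-1-5-21-... text."""
    revision, sub_count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")                         # 48-bit identifier authority
    subs = struct.unpack("<%dI" % sub_count, raw[8:8 + 4 * sub_count])   # sub-authorities, little-endian
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def sid_to_bytes(sid):
    """Inverse of sid_from_bytes, for binary filters or comparisons against LDAP data."""
    parts = sid.split("-")
    revision, authority, subs = int(parts[1]), int(parts[2]), [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def domain_sid(account_sid):
    """Strip the RID: any domain account's SID reveals the domain SID it belongs to."""
    return account_sid.rsplit("-", 1)[0]


def rid_candidates(dom_sid, start=500, stop=1100):
    """The SIDs a RID-cycling tool asks the DC to translate back into names."""
    return ["%s-%d" % (dom_sid, rid) for rid in range(start, stop + 1)]


# rpcclient 'lookupsids' prints one line per SID:  <SID> <DOMAIN\name> (<type>)
LOOKUP_LINE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+-(\d+))\s+(.+?)\s+\((\d+)\)$")


def parse_lookupsids(output):
    """Return the resolved accounts from lookupsids output, dropping unassigned RIDs."""
    found = []
    for line in output.splitlines():
        m = LOOKUP_LINE.match(line.strip())
        if not m:
            continue
        sid, rid, name, kind = m.group(1), int(m.group(2)), m.group(3), int(m.group(4))
        if kind == 8:          # "*unknown*": no object has this RID
            continue
        found.append({"rid": rid, "sid": sid, "name": name,
                      "type": SID_TYPES.get(kind, str(kind)),
                      "well_known": WELL_KNOWN_RIDS.get(rid)})
    return found


# Constructed sample output in rpcclient's format (not captured from a real domain).
SAMPLE_LOOKUPSIDS = """\
S-1-5-21-1004336348-1177238915-682003330-500 CORP\\Administrator (1)
S-1-5-21-1004336348-1177238915-682003330-501 CORP\\Guest (1)
S-1-5-21-1004336348-1177238915-682003330-503 *unknown*\\*unknown* (8)
S-1-5-21-1004336348-1177238915-682003330-512 CORP\\Domain Admins (2)
S-1-5-21-1004336348-1177238915-682003330-1105 CORP\\svc_backup (1)
S-1-5-21-1004336348-1177238915-682003330-1106 *unknown*\\*unknown* (8)
"""

if __name__ == "__main__":
    for account in parse_lookupsids(SAMPLE_LOOKUPSIDS):
        print(account)
```

Because RIDs are assigned sequentially, gaps in the resolved range also tell the auditor roughly how many objects have been created and deleted over the domain's life.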

When we find open LDAP ports, a tool such as ldapsearch can query the rootDSE, the entry that every LDAP server exposes without authentication. Its namingContexts attribute lists the directory partitions (domain, configuration, schema and DNS), which gives an overview of the domain structure, and other attributes such as dnsHostName and defaultNamingContext identify the DC and the domain's distinguished name. Reading anything beyond the rootDSE anonymously is disabled by default in Active Directory and only works if an administrator has explicitly enabled it.
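To make the rootDSE query concrete, here is an added Python example (not from the article; it uses only the standard library) that does what `ldapsearch -x -H ldap://<dc> -s base -b "" namingContexts` does: it BER-encodes an anonymous BindRequest and a base-scope SearchRequest, sends them to port 389 and decodes the SearchResultEntry. The DC address is a hypothetical command-line argument.

```python
import socket

# --- minimal BER encoder, enough for LDAP's anonymous bind and a base search ---
def ber_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + ber_len(len(body)) + body

def integer(v, tag=0x02):                      # tag 0x0A for ENUMERATED
    return tlv(tag, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big"))

def octet(s, tag=0x04):
    return tlv(tag, s.encode() if isinstance(s, str) else s)

def seq(*parts, tag=0x30):
    return tlv(tag, b"".join(parts))

def anonymous_bind(msg_id=1):
    """BindRequest [APPLICATION 0]: version 3, empty DN, empty simple password."""
    return seq(integer(msg_id), seq(integer(3), octet(""), octet("", tag=0x80), tag=0x60))

ROOTDSE_ATTRS = ("namingContexts", "defaultNamingContext", "dnsHostName",
                 "ldapServiceName", "supportedSASLMechanisms")

def rootdse_search(msg_id=2, attrs=ROOTDSE_ATTRS):
    """SearchRequest [APPLICATION 3] for the rootDSE: base "", scope baseObject, (objectClass=*)."""
    body = (octet("") + integer(0, tag=0x0A) + integer(0, tag=0x0A)   # scope, derefAliases
            + integer(0) + integer(0) + tlv(0x01, b"\x00")            # sizeLimit, timeLimit, typesOnly
            + octet("objectClass", tag=0x87)                           # present filter [7]
            + seq(*[octet(a) for a in attrs]))
    return seq(integer(msg_id), tlv(0x63, body))

# --- minimal BER decoder ---
def read_tlv(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out

def decode_message(msg):
    """LDAPMessage -> (messageID, protocolOp tag, protocolOp body)."""
    _, outer, _ = read_tlv(msg)
    (_, mid), (op_tag, op_body) = children(outer)[:2]
    return int.from_bytes(mid, "big"), op_tag, op_body

def parse_entry(op_body):
    """SearchResultEntry (tag 0x64) -> (dn, {attribute: [values]})."""
    parts = children(op_body)
    attrs = {}
    for _, pair in children(parts[1][1]):
        (_, name), (_, vals) = children(pair)
        attrs[name.decode()] = [v.decode(errors="replace") for _, v in children(vals)]
    return parts[0][1].decode(), attrs

def recv_message(sock):
    """Read exactly one BER-framed LDAPMessage from the socket."""
    head = sock.recv(2)
    if head[1] & 0x80:
        head += sock.recv(head[1] & 0x7F)
        length = int.from_bytes(head[2:], "big")
    else:
        length = head[1]
    body = b""
    while len(body) < length:
        chunk = sock.recv(length - len(body))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        body += chunk
    return head + body

def query_rootdse(host, port=389, timeout=5):
    """Anonymous bind, then fetch the rootDSE attributes (what ldapsearch -x -s base does)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(anonymous_bind())
        _, tag, body = decode_message(recv_message(s))
        if tag != 0x61 or children(body)[0][1] != b"\x00":   # BindResponse, resultCode success
            raise RuntimeError("anonymous bind rejected")
        s.sendall(rootdse_search())
        attrs = {}
        while True:
            _, tag, body = decode_message(recv_message(s))
            if tag == 0x64:                                   # SearchResultEntry
                attrs.update(parse_entry(body)[1])
            elif tag == 0x65:                                 # SearchResultDone
                return attrs

if __name__ == "__main__":
    import sys
    for name, values in query_rootdse(sys.argv[1]).items():   # argv[1]: DC address (hypothetical)
        print(name, values)
```

The anonymous bind is the fourteen-byte message `30 0c 02 01 01 60 07 02 01 03 04 00 80 00`; a DC accepts it even when anonymous reads of the rest of the directory are disabled, which is why the rootDSE is always worth a look.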

In addition to LDAP, we can take advantage of the Kerberos service. With Kerbrute we can enumerate valid users (the KDC answers differently for a non-existent account than for an existing one), perform password spraying, and find accounts vulnerable to AS-REP Roasting. For an account configured with "Do not require Kerberos preauthentication", the KDC returns an AS-REP to anyone who asks for it; the part encrypted with the user's key is saved in hashcat format and cracked offline with different dictionaries (hashcat mode 18200 for the RC4 case).
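As an added example of the Kerberos probe (not the article's code, nor Kerbrute's), the Python below builds an AS-REQ with no pre-authentication data, sends it to the KDC over TCP and classifies the answer: error 6 means the principal does not exist, error 25 means it exists and pre-authentication is enforced, and an AS-REP instead of an error means the account is AS-REP roastable. The KDC address, user and realm are hypothetical arguments; krb_error_stub builds a cut-down KRB-ERROR purely to exercise the parser offline.

```python
import random
import socket
import struct
import time

# --- minimal DER encoder for the handful of Kerberos types an AS-REQ needs ---
def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def integer(v):
    return tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big"))

def seq(*parts):
    return tlv(0x30, b"".join(parts))

def ctx(n, body):                  # [n] EXPLICIT context tag, used throughout RFC 4120
    return tlv(0xA0 | n, body)

def gstring(s):                    # KerberosString is a GeneralString
    return tlv(0x1B, s.encode())

def principal(name_type, *names):
    return seq(ctx(0, integer(name_type)), ctx(1, seq(*[gstring(n) for n in names])))

def build_as_req(user, realm, etypes=(23, 18, 17), nonce=None):
    """AS-REQ with no pre-authentication data: the probe a user-enumeration tool sends."""
    realm = realm.upper()
    nonce = random.getrandbits(31) if nonce is None else nonce
    till = time.strftime("%Y%m%d%H%M%SZ", time.gmtime(time.time() + 86400))
    body = seq(
        ctx(0, tlv(0x03, b"\x00\x40\x81\x00\x10")),   # kdc-options: forwardable, renewable, canonicalize, renewable-ok
        ctx(1, principal(1, user)),                   # cname, NT-PRINCIPAL
        ctx(2, gstring(realm)),
        ctx(3, principal(2, "krbtgt", realm)),        # sname, NT-SRV-INST
        ctx(5, tlv(0x18, till.encode())),             # till, GeneralizedTime
        ctx(7, integer(nonce)),
        ctx(8, seq(*[integer(e) for e in etypes])),   # RC4 first: an etype-23 AS-REP cracks fastest
    )
    return tlv(0x6A, seq(ctx(1, integer(5)), ctx(2, integer(10)), ctx(4, body)))   # [APPLICATION 10]

# --- minimal DER reader, just enough to pull error-code out of a KRB-ERROR ---
def read_tlv(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def fields(body):
    """Map the [n] context tags inside a SEQUENCE body to their contents."""
    out, pos = {}, 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out[tag & 0x1F] = val
    return out

KDC_ERRORS = {
    6: "user does not exist (KDC_ERR_C_PRINCIPAL_UNKNOWN)",
    18: "valid user, account disabled/locked/expired (KDC_ERR_CLIENT_REVOKED)",
    23: "valid user, password expired (KDC_ERR_KEY_EXPIRED)",
    25: "valid user, pre-authentication required (KDC_ERR_PREAUTH_REQUIRED)",
    68: "wrong realm (KRB_ERR_WRONG_REALM)",
}

def classify_response(msg):
    """Turn the KDC's reply into the verdict a user-enumeration tool prints for the name."""
    tag, body, _ = read_tlv(msg)
    if tag == 0x6B:                                   # AS-REP [APPLICATION 11]
        return "valid user, no pre-authentication required: AS-REP roastable"
    if tag != 0x7E:                                   # KRB-ERROR [APPLICATION 30]
        return "unexpected message"
    _, krb_error, _ = read_tlv(body)
    code = int.from_bytes(read_tlv(fields(krb_error)[6])[1], "big", signed=True)
    return KDC_ERRORS.get(code, "KRB-ERROR %d" % code)

def krb_error_stub(code):
    """Cut-down KRB-ERROR (pvno, msg-type, error-code only) to exercise the parser offline."""
    return tlv(0x7E, seq(ctx(0, integer(5)), ctx(1, integer(30)), ctx(6, integer(code))))

def recv_exact(sock, n):
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("connection closed")
        data += chunk
    return data

def probe_user(kdc, user, realm, timeout=5):
    """Send one AS-REQ over TCP (4-byte length prefix) and classify the answer."""
    req = build_as_req(user, realm)
    with socket.create_connection((kdc, 88), timeout=timeout) as s:
        s.sendall(struct.pack(">I", len(req)) + req)
        (length,) = struct.unpack(">I", recv_exact(s, 4))
        return classify_response(recv_exact(s, length))
```

Usage is `probe_user("dc01.corp.local", "alice", "corp.local")` for each candidate name. Every probe for an unknown name produces a failed event 4768 (result code 0x6) on the DC, so a long wordlist is noisy and a defender can spot the enumeration by counting those failures per source address.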

By using these techniques without having credentials, we can build a fairly complete picture of the environment, identify priority targets, and, in some cases, obtain initial access within Active Directory. This reconnaissance phase is essential for preparing any subsequent movement within a Windows network.

Regarding credentialed enumeration, two clearly differentiated situations arise. The first is when an account has been obtained through attacks carried out earlier in the audit. The second is when the client provides an account up front, an approach known as "assumed breach".

The tests performed and their results in this section will depend on the role or permission level of the obtained user, since the information that can be gathered through enumeration is not the same when coming from a basic user, a local administrator, or even a Domain Administrator.

To carry out this enumeration there are many tools available, but we will focus on what can be done with the PowerView script and ADModule, and finally we will briefly discuss BloodHound.

Before running the tests it is necessary to understand the tools we are going to use. PowerView is a PowerShell script (.ps1) that queries Active Directory through LDAP and the Windows APIs; ADModule is a repackaging of Microsoft's own ActiveDirectory PowerShell module (the Microsoft.ActiveDirectory.Management.dll and its manifest) that can be imported on a machine without installing RSAT. Both let us run queries that return information about Active Directory, the machine, and the users configured on those machines.

To run these queries we first have to copy the files to the machine we have access to within the domain and import them (dot-sourcing the .ps1 in the case of PowerView, Import-Module in the case of ADModule). The procedure is explained in each tool's GitHub repository. Expect endpoint protection to flag PowerView, which is widely signatured; the Microsoft-signed ADModule DLL is usually less noisy.

Once imported, we can begin enumerating. We start with basic information about the domain itself: its name and main characteristics, identifiers such as its GUID and SID, and whether it is part of a larger forest (and, if so, which domain is the forest root).

We also enumerate Active Directory characteristics such as the domain controllers and the domain policies (password, lockout and Kerberos policy). It is also worth analysing trust relationships at both the domain and forest level, since every trust is a potential path into another domain.

Next we enumerate the domain users and their properties. We can search for a specific user or group; these searches serve both to learn the details of the account obtained during the audit (the groups it belongs to, their characteristics and permissions) and to identify which attacks could be carried out with the captured accounts, for example which accounts have a servicePrincipalName, do not require Kerberos pre-authentication, or are trusted for delegation.

It is also useful to list the members of the Domain Admins group, since these are critical accounts whose compromise would put the whole platform at risk; the group can be found reliably by its SID, which is always the domain SID followed by the RID 512, even if it has been renamed. Additionally, we can enumerate the domain's Group Policy Objects (GPOs), their GUIDs and the containers they are linked to, paying special attention to the policies applied to the Domain Controllers and to those that add users to local groups on the machines.

Another essential enumeration task is the search for "interesting targets", such as shares, exposed sensitive files (scripts, configuration files, backups) or file servers within Active Directory.
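The searches described in the preceding paragraphs are, underneath PowerView and ADModule, LDAP queries. The following Python (added here, not from the article or either tool) builds the filters for those cases, escapes values per RFC 4515 so that a captured name cannot alter the query, and decodes the userAccountControl attribute into the flags that tell us what an account can be used for. The filters can be passed as-is to Get-ADObject -LDAPFilter (ADModule) or Get-DomainObject -LDAPFilter (PowerView); the DNs and SIDs in the checks are made up.

```python
# userAccountControl bits (values from the AD schema; only the ones that matter for enumeration)
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x400000: "DONT_REQ_PREAUTH",
    0x800000: "PASSWORD_EXPIRED",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}

# Attack relevance of individual flags, used when reviewing a captured account.
UAC_RISKS = {
    "DONT_REQ_PREAUTH": "AS-REP roastable",
    "TRUSTED_FOR_DELEGATION": "unconstrained delegation",
    "TRUSTED_TO_AUTH_FOR_DELEGATION": "constrained delegation with protocol transition",
    "PASSWD_NOTREQD": "password may be empty",
    "DONT_EXPIRE_PASSWORD": "password never rotates",
}

BIT_AND = "1.2.840.113556.1.4.803"      # LDAP_MATCHING_RULE_BIT_AND
IN_CHAIN = "1.2.840.113556.1.4.1941"    # LDAP_MATCHING_RULE_IN_CHAIN (nested membership)


def escape(value):
    """RFC 4515 escaping: never let audit input or captured data break the filter."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def user_by_name(sam_account_name):
    return "(&(objectCategory=person)(objectClass=user)(sAMAccountName=%s))" % escape(sam_account_name)

def group_by_name(name):
    return "(&(objectCategory=group)(cn=%s))" % escape(name)

def members_of(group_dn, nested=True):
    """Members of a group; with nested=True the DC expands group-in-group membership itself."""
    attr = "memberOf:%s:" % IN_CHAIN if nested else "memberOf"
    return "(%s=%s)" % (attr, escape(group_dn))

def users_with_flag(flag):
    """Users whose userAccountControl has the given bit set (bitwise-AND matching rule)."""
    return "(&(objectCategory=person)(userAccountControl:%s:=%d))" % (BIT_AND, flag)

def enabled_users_with_spn():
    """Kerberoastable accounts: an SPN, not krbtgt, not disabled."""
    return ("(&(objectCategory=person)(servicePrincipalName=*)(!(sAMAccountName=krbtgt))"
            "(!(userAccountControl:%s:=2)))" % BIT_AND)

def domain_admins_by_sid(domain_sid):
    """Domain Admins is always <domain SID>-512, whatever the group has been renamed to."""
    return "(objectSid=%s-512)" % escape(domain_sid)

def gpos():
    return "(objectCategory=groupPolicyContainer)"

def trusts():
    return "(objectClass=trustedDomain)"


def decode_uac(value):
    """Expand a userAccountControl integer into flag names, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]

def account_risks(value):
    """What a captured account with this userAccountControl is good for."""
    return [UAC_RISKS[f] for f in decode_uac(value) if f in UAC_RISKS]
```

The escaping matters more than it looks: a sAMAccountName such as `svc)(|(cn=*` taken from a share or a log and pasted unescaped into a filter would silently widen the query, so every value that did not come from the auditor's own keyboard goes through escape().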

Although up to this point we have only discussed domain enumeration, it should not be limited to the initial machine but extended to every machine the user can reach. A user may have no privileges on one machine yet belong to local groups with higher privileges on other machines in the domain. Even an unprivileged user is useful for escalation if they share a machine with users who do have privileges: those users become targets in later phases of the audit, enabling privilege escalation.

Another important part of enumeration is the ACLs (Access Control Lists). An ACL is a list of ACEs (Access Control Entries), each of which grants or denies a security principal specific rights over an object; in other words, ACLs determine which objects have permissions over which other objects in Active Directory (remember that in Active Directory everything is an object: machines, users, groups, GPOs, and so on). Rights such as GenericAll, WriteDacl, WriteOwner or WriteProperty held by a low-privileged principal over a more privileged object are escalation paths.
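As an added illustration (not from the article), the Python below parses an SDDL string, the text form of a security descriptor that ADModule's Get-Acl exposes through the Sddl property of an object under the AD: drive, and flags the ACEs that grant a principal outside the expected privileged set rights such as GenericAll, WriteDacl, WriteOwner, WriteProperty or an extended right like DS-Replication-Get-Changes-All. The SDDL string is constructed for the example, with an invented domain SID; the GUIDs are the real schema identifiers of those rights and attributes.

```python
import re

# Two-letter right codes used in SDDL ACE strings.
RIGHTS = {
    "GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE", "GX": "GENERIC_EXECUTE",
    "RC": "READ_CONTROL", "SD": "DELETE", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
    "RP": "READ_PROPERTY", "WP": "WRITE_PROPERTY", "CC": "CREATE_CHILD", "DC": "DELETE_CHILD",
    "LC": "LIST_CHILDREN", "SW": "SELF_WRITE", "LO": "LIST_OBJECT", "DT": "DELETE_TREE",
    "CR": "CONTROL_ACCESS",
}
# Object GUIDs that turn a scoped right into an attack primitive.
CONTROL_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes (DCSync, together with -All)",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All (DCSync)",
    "00299570-246d-11d0-a768-00aa006e0529": "User-Force-Change-Password",
}
PROPERTY_RIGHTS = {
    "bf9679c0-0de6-11d0-a285-00aa003049e2": "member (add principals to the group)",
    "5b47d60f-6090-40b2-9f37-2a4de88f3063": "msDS-KeyCredentialLink (shadow credentials)",
}
# SDDL aliases for principals expected to hold full control; anything else is reviewed.
PRIVILEGED_TRUSTEES = {"DA", "EA", "BA", "SY", "LA", "CO", "DD"}
UNSCOPED_DANGEROUS = ("GENERIC_ALL", "GENERIC_WRITE", "WRITE_DAC", "WRITE_OWNER")

ACE_RE = re.compile(r"\(([^)]*)\)")


def split_sections(sddl):
    """Split 'O:...G:...D:...S:...' at top level; the 'S' inside SIDs is skipped by tracking parentheses."""
    sections, depth, key, start, i = {}, 0, None, 0, 0
    while i < len(sddl):
        ch = sddl[i]
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        elif depth == 0 and ch in "OGDS" and sddl[i + 1:i + 2] == ":":
            if key:
                sections[key] = sddl[start:i]
            key, start, i = ch, i + 2, i + 1
        i += 1
    if key:
        sections[key] = sddl[start:]
    return sections


def parse_rights(field):
    if field.startswith("0x"):                  # raw access mask, left undecoded
        return [field]
    return [RIGHTS.get(field[i:i + 2], field[i:i + 2]) for i in range(0, len(field), 2)]


def parse_aces(acl_string):
    """ACE string fields: type;flags;rights;object_guid;inherit_object_guid;trustee."""
    aces = []
    for raw in ACE_RE.findall(acl_string):
        f = raw.split(";")
        aces.append({"type": f[0], "flags": f[1], "rights": parse_rights(f[2]),
                     "object_guid": f[3].lower(), "inherited_guid": f[4].lower(),
                     "trustee": f[5], "raw": "(%s)" % raw})
    return aces


def risky_aces(sddl, trusted=PRIVILEGED_TRUSTEES):
    """Allow ACEs that give a non-privileged principal rights leading to escalation."""
    findings = []
    for ace in parse_aces(split_sections(sddl).get("D", "")):
        if ace["type"] not in ("A", "OA") or ace["trustee"] in trusted:
            continue
        rights, guid = set(ace["rights"]), ace["object_guid"]
        reasons = [r for r in UNSCOPED_DANGEROUS if r in rights]
        if "WRITE_PROPERTY" in rights:
            if not guid:
                reasons.append("WRITE_PROPERTY on all attributes")
            elif guid in PROPERTY_RIGHTS:
                reasons.append("WRITE_PROPERTY on " + PROPERTY_RIGHTS[guid])
        if "CONTROL_ACCESS" in rights:
            if not guid:
                reasons.append("all extended rights")
            elif guid in CONTROL_RIGHTS:
                reasons.append(CONTROL_RIGHTS[guid])
        if reasons:
            findings.append({"trustee": ace["trustee"], "reasons": reasons, "ace": ace["raw"]})
    return findings


# Constructed SDDL for illustration (not from a real domain): Domain Admins hold full control,
# but two ordinary accounts and Domain Users (DU) hold rights that should not be there.
SAMPLE_SDDL = (
    "O:DAG:DAD:AI"
    "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"
    "(A;;GA;;;S-1-5-21-1004336348-1177238915-682003330-1105)"
    "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1004336348-1177238915-682003330-1106)"
    "(OA;;WP;bf9679c0-0de6-11d0-a285-00aa003049e2;;DU)"
    "(A;;RPLCLORC;;;AU)"
    "S:AI(OU;CIIDSA;WP;;;WD)"
)

if __name__ == "__main__":
    for finding in risky_aces(SAMPLE_SDDL):
        print(finding["trustee"], "->", ", ".join(finding["reasons"]), finding["ace"])
```

In a real review the trustee SIDs are resolved to names and the object the descriptor belongs to is taken into account: WriteProperty on member over a print-operators group and over Domain Admins are not the same finding.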

Lastly, we can mention user hunting: discovering the local administrators of each machine, the machines on which our user is a local administrator, and the sessions open on each machine in Active Directory, which tells us where privileged users are logged in.

BloodHound, finally, collects this same information with its ingestor and stores it in a graph database. In this database we can run queries about the state and characteristics of Active Directory: how many Domain Administrators there are, which domain machines are decommissioned, which users have access to which machines, the groups they belong to, and more. But the most interesting aspect of BloodHound is that it represents the results as interactive graphs, giving a much clearer picture of Active Directory and of the shortest paths to privileged objects.

It is important to keep in mind that the amount of information BloodHound retrieves depends entirely on the permissions of the user with whom the collector is run. The more privileges the user has, the greater the visibility and the more complete the "snapshot" will be. A Domain Admin will always see more than an unprivileged user.

Reiterating what was stated at the beginning, enumeration is vital within an audit, as this phase forms the foundation on which the rest of the tests are built. Knowing the environment we are auditing and its details makes the following steps in our work simpler and more effective.

Internet Security Auditors has specialists in Red Team and Internal Penetration Testing who can help you assess the security level of your Active Directory and propose improvements for the environment.




✒️Authors:

Carlos Mayor
Security Analyst
Audit Department
Héctor Berrocal
CEH, MCP, CCNA, eJPT, eWPTXv2, ITIL
Security Analyst
Audit Department


Experts in #Cybersecurity. Leaders in #EthicalHacking, #PCI, #ISO27001, #ISO27032 and #ISO22301 standards, #DataProtection, #GDPR, #CyberIntelligence and #SDLCSecurity



Copyright © 2026 - All rights reserved