Active Directory Enumeration: Mapping the Kingdom Before the Siege
Usernames, sessions and hidden privilege paths: uncovering the domain’s true structure
Introduction
Hey everyone!
Biometrics may feel futuristic, but nothing beats the classic: Active Directory.
When you're inside a Windows domain, the first real step isn't exploitation; it's mapping: knowing who's who, what's what, and where the gold is.
In this issue we're diving into Active Directory enumeration: how to map users, groups, machines, permissions, and the privilege paths that might lead all the way to Domain Admin.
Let’s start drawing the map 👇
By the way, a while ago I published a full series on Active Directory attacks and internals. One of the chapters focuses specifically on post-compromise enumeration, right after gaining access to a machine. If you want to go deeper, that’s a good place to start.
🏰 Why Enumeration Matters in AD
In an Active Directory environment, almost everything is an object: users, computers, groups, OUs, GPOs, ACLs... And most of this is readable by any authenticated user.
This means even with a low-privileged domain account or a compromised machine, you can:
Discover who the domain admins are
Find machines where they log in
Spot misconfigured ACLs that let you escalate
Build a path from “just a user” to “Domain Admin”
🛠 Tools of the Trade
Here are a few tools to get you started – but this is just the tip of the iceberg. I highly recommend exploring the space further, as there's a huge ecosystem of tools built for AD enumeration and attack path discovery.
Some highlights:
🕵️♂️ BloodHound + SharpHound – The classic for visualizing privilege escalation paths with a graph-based approach.
🐍 python-bloodhound – A Python-based collector that can be run remotely to feed BloodHound data without touching disk.
⚡ RustHound – A blazing-fast SharpHound alternative written in Rust, optimized for stealth and performance.
🔍 ldapsearch / ldapdomaindump – Great for lightweight LDAP-based dumps of domain objects.
🧪 PowerView – PowerShell framework for comprehensive in-domain enumeration (flagged by AV, so use with caution).
🧰 NetExec – Modern fork of CrackMapExec that’s actively maintained and supports enumeration, lateral movement, and command execution.
👤 Enumerating Users
Finding users is often the first step.
PowerView:
Get-DomainUser
Get-DomainUser -Identity "john.doe"
ldapsearch (bind as a domain user with -D/-w; anonymous binds are usually refused by a DC):
ldapsearch -x -h <DC-IP> -b "dc=corp,dc=local" "(objectClass=user)" sAMAccountName
BloodHound:
SharpHound.exe -c All
Then load the output into BloodHound for full graph analysis of users, sessions, and access rights.
👑 Finding Domain Admins & High-Value Targets
Get-DomainGroupMember -Identity "Domain Admins"
Or visually through BloodHound → Group: Domain Admins.
💡 Also look for users in:
Enterprise Admins
Backup Operators (DCSync abuse)
DNSAdmins (can escalate to SYSTEM)
Delegated OUs with misconfigured rights
🖥️ Finding Machines and Sessions
Where do admins log in? That’s gold.
Find-DomainUserLocation -UserName "admin.user"
Or let BloodHound highlight “HasSession” and “AdminTo” edges; they show where sensitive users have logged in and where you might hijack tokens or pivot.
🔐 Dumping ACLs & Delegation Paths
AD is full of hidden privilege paths via misconfigured Access Control Entries (ACEs).
BloodHound + ACL collection mode:
SharpHound.exe -c ACL
PowerView (if usable):
Find-InterestingDomainAcl
Get-ObjectAcl -SamAccountName "targetuser" -ResolveGUIDs
Look for:
GenericAll, GenericWrite, WriteOwner, WriteDACL, ForceChangePassword
These flags can give full control over users, groups, or even entire OUs.
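The session and ACL sections above both come down to the same question BloodHound answers: starting from a given principal, is there a chain of group memberships, abusable ACEs, admin rights or logged-on sessions that ends at Domain Admins? The script below is an added example, not code from the original post or from the BloodHound project. It runs a breadth-first search over a small relationship graph that I constructed by hand (all principal names, the WS01 host and every edge are made up) using the edge names the post lists, and reports every principal that has a path into Domain Admins together with the shortest chain. Run over a real collection export it would serve as a quick audit of which non-admin principals need their rights cleaned up.

```python
"""Audit a constructed AD relationship graph for paths into Domain Admins.

Added example, not from the original post or from BloodHound. The edges below are
constructed by hand to mirror the relationship kinds BloodHound collects; every
principal, host and edge is made up for the demonstration.
"""
from collections import deque

# The five ACE rights the post tells you to look for.
ABUSABLE_ACE_RIGHTS = {"GenericAll", "GenericWrite", "WriteOwner", "WriteDACL", "ForceChangePassword"}
# Plus the non-ACE relationships BloodHound also follows: group membership,
# local admin rights on a host, and a user's logged-on session on a host.
TRAVERSABLE = ABUSABLE_ACE_RIGHTS | {"MemberOf", "AdminTo", "HasSession"}

# Constructed sample edges: (source principal, relationship, target principal).
SAMPLE_EDGES = [
    ("lowuser@corp.local", "MemberOf", "Helpdesk@corp.local"),
    ("Helpdesk@corp.local", "ForceChangePassword", "svc_backup@corp.local"),
    ("Helpdesk@corp.local", "AdminTo", "WS01.corp.local"),
    ("WS01.corp.local", "HasSession", "svc_backup@corp.local"),
    ("svc_backup@corp.local", "MemberOf", "Server Operators@corp.local"),
    ("Server Operators@corp.local", "GenericWrite", "IT Admins@corp.local"),
    ("IT Admins@corp.local", "MemberOf", "Domain Admins@corp.local"),
    ("alice@corp.local", "MemberOf", "Sales@corp.local"),
    # A harmless read right: must not be counted as a privilege path.
    ("Sales@corp.local", "ReadProperty", "Domain Admins@corp.local"),
]


def build_graph(edges):
    """Adjacency list keyed by source, keeping only relationships that confer control."""
    graph = {}
    for src, rel, dst in edges:
        if rel in TRAVERSABLE:
            graph.setdefault(src, []).append((rel, dst))
    return graph


def find_path(graph, start, goal):
    """Breadth-first search; returns the shortest list of (src, rel, dst) hops, or None."""
    parents = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            path = []
            while parents[node] is not None:
                src, rel = parents[node]
                path.append((src, rel, node))
                node = src
            return list(reversed(path))
        for rel, nxt in graph.get(node, []):
            if nxt not in parents:
                parents[nxt] = (node, rel)
                queue.append(nxt)
    return None


def principals_with_path(edges, goal="Domain Admins@corp.local"):
    """Every principal that can reach `goal`, mapped to its shortest chain (audit report)."""
    graph = build_graph(edges)
    report = {}
    for src in {e[0] for e in edges}:
        path = find_path(graph, src, goal)
        if path:
            report[src] = path
    return report


if __name__ == "__main__":
    for principal, path in sorted(principals_with_path(SAMPLE_EDGES).items()):
        hops = " -> ".join(f"{src} -[{rel}]-> {dst}" for src, rel, dst in path)
        print(f"{principal}: {hops}")
```

The ReadProperty edge is there on purpose: an ACL dump contains far more ACEs than abusable ones, and the filter in build_graph is what separates the two. In the constructed data lowuser reaches Domain Admins in five hops, while alice, whose group only holds a read right on the group, does not appear in the report at all.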
🧰 ldapdomaindump: Fast & Clean
ldapdomaindump -u 'corp.local\\lowuser' -p 'Password123' <DC-IP>
This will dump:
All users, groups, computers
Trust relationships
GPOs
Interesting flags like "Password not required"
Low noise. High value.
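Flags such as "Password not required" are not separate attributes: they are bits in the userAccountControl integer that ldapsearch and ldapdomaindump return for each account, and spotting them means decoding that integer. The script below is an added example, not code from the original post or from ldapdomaindump. It parses an LDIF dump in the shape that ldapsearch prints (comments, folded continuation lines and base64-encoded "attr::" values included), decodes userAccountControl using the flag values from Microsoft's documentation, and reports enabled accounts carrying bits an audit should question. The LDIF sample is constructed by hand and the account names are made up.

```python
"""Flag risky userAccountControl bits in an ldapsearch (LDIF) user dump.

Added example, not from the original post or from ldapdomaindump. The LDIF below is
constructed by hand in the shape ldapsearch prints; the accounts are made up.
"""
import base64

# userAccountControl bit values as documented by Microsoft.
UAC_FLAGS = {
    "ACCOUNTDISABLE": 0x0002,
    "PASSWD_NOTREQD": 0x0020,
    "DONT_EXPIRE_PASSWORD": 0x10000,
    "TRUSTED_FOR_DELEGATION": 0x80000,
    "DONT_REQUIRE_PREAUTH": 0x400000,
}
# Bits that deserve a second look on an enabled account.
RISKY_BITS = {"PASSWD_NOTREQD", "DONT_EXPIRE_PASSWORD", "TRUSTED_FOR_DELEGATION", "DONT_REQUIRE_PREAUTH"}

# Constructed sample, shaped like the output of
#   ldapsearch ... "(objectClass=user)" sAMAccountName userAccountControl
SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# filter: (objectClass=user)

dn: CN=John Doe,OU=Staff,DC=corp,DC=local
sAMAccountName: john.doe
userAccountControl: 512

dn: CN=svc_legacy,OU=Service Accounts,
 DC=corp,DC=local
sAMAccountName: svc_legacy
userAccountControl: 66080

dn: CN=old.contractor,OU=Staff,DC=corp,DC=local
sAMAccountName: old.contractor
userAccountControl: 546

dn: CN=svc_web,OU=Service Accounts,DC=corp,DC=local
sAMAccountName:: c3ZjX3dlYg==
userAccountControl: 4260352

# search result
search: 2
result: 0 Success
"""


def parse_ldif(text):
    """Parse LDIF into a list of {attr: [values]} dicts.

    Handles '#' comments, folded lines (leading space continues the previous
    line) and base64 values written as 'attr:: <base64>'.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # unfold continuation line
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:  # trailing sentinel flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#") or ":" not in line:
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr, []).append(value)
    return entries


def decode_uac(value):
    """Names of the known flags set in an integer userAccountControl value."""
    return {name for name, bit in UAC_FLAGS.items() if value & bit}


def audit_accounts(text):
    """Map each account with a finding to its risky flags ('DISABLED' for disabled ones)."""
    findings = {}
    for entry in parse_ldif(text):
        if "dn" not in entry or "userAccountControl" not in entry:
            continue  # skip the trailing 'search result' pseudo-entry
        name = entry.get("sAMAccountName", ["?"])[0]
        flags = decode_uac(int(entry["userAccountControl"][0]))
        if "ACCOUNTDISABLE" in flags:
            findings[name] = {"DISABLED"}  # worth knowing, but not a live risk
            continue
        risky = flags & RISKY_BITS
        if risky:
            findings[name] = risky
    return findings


if __name__ == "__main__":
    for account, flags in sorted(audit_accounts(SAMPLE_LDIF).items()):
        print(f"{account}: {', '.join(sorted(flags))}")
```

In the sample, john.doe (512, a plain NORMAL_ACCOUNT) produces no finding, svc_legacy carries PASSWD_NOTREQD and DONT_EXPIRE_PASSWORD, old.contractor has the "password not required" bit but is disabled, and svc_web shows DONT_REQUIRE_PREAUTH alongside a non-expiring password. The same decoder works on the userAccountControl values in ldapdomaindump's JSON output.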
🗺️ Final Tips for Silent Recon
Use targeted SharpHound collection (e.g., -c Session,ACL,Trusts) to reduce noise.
Prefer LDAP over SMB or WinRM where possible; it's stealthier.
Log everything. You may not see a privilege escalation path now, but one new session or credential can change the graph entirely.
🧪 Labs to Practice BloodHound Enumeration
BloodHound isn't just a visualization tool; it's a weapon. Mastering it means understanding how privileges and object relationships can be abused in AD environments. These labs will sharpen your skills in data collection, attack path discovery, and Cypher queries.
🎮 Hack The Box – Blazorized
Set SPN on a user and identify the action in BloodHound
Discover GenericWrite permissions to abuse login scripts
Visualize the privilege path in the BloodHound interface
👉 Good starting point with low-privilege enumeration and basic privilege abuse
🎮 Hack The Box – Fulcrum
Use BloodHound to enumerate users and group memberships
👉 Basic recon with SharpHound, minimal complexity
🎮 Hack The Box – Axlle
Collect data with BloodHound.py and validate session info
Compare results with SharpHound to detect gaps in the Python collector
👉 Great for understanding collector limitations
🎮 Hack The Box – Certified
Run BloodHound.py and SharpHound
Spot WriteOwner, GenericAll, and trace delegation paths
👉 Mid-to-advanced level involving multiple attack paths and Cypher logic
🎮 Hack The Box – Rebound
Use NetExec to run the Python collector
Ingest and analyze BloodHound data for ACL abuse paths
👉 Requires chaining tools and integrating enumeration into access flows
🧭 Final Thoughts
Active Directory isn’t just a directory, it’s a jungle of objects, permissions, and hidden privilege paths.
And if you want to own the domain, you need to understand the map before you move.
Enumerate first. Attack second.
Because knowledge, in AD, is power.
Until next time,
Stay quiet, stay mapping,
Ruben 🚀

