Lesson 21 of 24
Active Directory & Exam Simulation

Active Directory Enumeration

5 min read

Active Directory (AD) is heavily featured in OSCP. Understanding AD structure and enumeration is critical for the exam's AD set (worth 40 points).

AD Fundamentals

Key Components

Active Directory Structure:
├── Forest (Top level)
│   └── Domain (corp.local)
│       ├── Domain Controllers (DC)
│       ├── Organizational Units (OUs)
│       ├── Users
│       ├── Groups
│       ├── Computers
│       └── Group Policy Objects (GPOs)

Important Objects

Object            | Description         | OSCP Relevance
------------------|---------------------|-------------------
Domain Controller | Holds AD database   | High-value target
Domain Admin      | Full domain control | Ultimate goal
Service Accounts  | Run services        | Kerberoastable
Computer Accounts | Machine identities  | Lateral movement

Initial AD Enumeration

From Linux (No Credentials)

# Find Domain Controllers
nmap -p 88,389,636 --open $NETWORK/24

# LDAP anonymous bind
ldapsearch -x -H ldap://$DC -s base namingcontexts

# Enumerate via SMB
enum4linux -a $DC
nxc smb $DC

From Windows (Domain Joined)

# Basic domain info
systeminfo | findstr /B /C:"Domain"
echo %userdomain%

# Current user info
whoami /all
net user %username% /domain

# Domain Controllers (cmd.exe does not expand $DOMAIN; give the domain name, or use %userdomain%)
nltest /dclist:corp.local

BloodHound Enumeration

BloodHound visualizes AD attack paths and is essential for OSCP.

Collection with SharpHound

# Download and run SharpHound
.\SharpHound.exe -c All

# Or use PowerShell collector
Import-Module .\SharpHound.ps1
Invoke-BloodHound -CollectionMethod All

# Output: ZIP file for BloodHound import

Collection from Linux

# bloodhound-python (requires creds)
bloodhound-python -u 'user' -p 'password' -d corp.local -dc dc.corp.local -c All

# Output JSON files for import

Key BloodHound Queries

Pre-built queries to run:
├── Find Shortest Path to Domain Admins
├── Find Kerberoastable Users
├── Find AS-REP Roastable Users
├── Find Computers with Unconstrained Delegation
└── Shortest Path from Owned Principals

LDAP Enumeration

Using ldapsearch

# Get base DN
ldapsearch -x -H ldap://$DC -s base namingcontexts

# Enumerate all users
ldapsearch -x -H ldap://$DC -D "user@corp.local" -w 'password' -b "DC=corp,DC=local" "(objectClass=user)" sAMAccountName

# Find Domain Admins
ldapsearch -x -H ldap://$DC -D "user@corp.local" -w 'password' -b "DC=corp,DC=local" "(memberOf=CN=Domain Admins,CN=Users,DC=corp,DC=local)"

# Service accounts (likely Kerberoastable)
ldapsearch -x -H ldap://$DC -D "user@corp.local" -w 'password' -b "DC=corp,DC=local" "(servicePrincipalName=*)" sAMAccountName servicePrincipalName
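As an added example that is not part of the lesson, this Python snippet triages ldapsearch output offline against the criteria the queries above target (SPN set, Kerberos preauthentication not required, Domain Admins membership), so the searches run once and the results are reviewed locally. It assumes ldapsearch was run with -LLL (plain LDIF output); the LDIF sample is constructed.

```python
UAC_DONT_REQ_PREAUTH = 0x400000  # userAccountControl bit: "Do not require Kerberos preauthentication"

# Constructed sample of `ldapsearch -x -LLL ... "(objectClass=user)" sAMAccountName userAccountControl servicePrincipalName memberOf`
SAMPLE_LDIF = """\
dn: CN=svc_sql,CN=Users,DC=corp,DC=local
sAMAccountName: svc_sql
userAccountControl: 66048
servicePrincipalName: MSSQLSvc/sql01.corp.local:1433

dn: CN=jdoe,CN=Users,DC=corp,DC=local
sAMAccountName: jdoe
userAccountControl: 4260352
memberOf: CN=Domain Admins,CN=Users,DC=corp,DC=local

dn: CN=SQL01,CN=Computers,DC=corp,DC=local
sAMAccountName: SQL01$
userAccountControl: 4096
servicePrincipalName: HOST/sql01.corp.local
"""

def parse_ldif(text):
    """Turn LDIF from ldapsearch -LLL into a list of {attribute: [values]} dicts."""
    entries, current, last = [], {}, None
    for line in text.splitlines() + [""]:
        if line.startswith(" ") and last:  # ldapsearch folds long values onto indented lines
            current[last][-1] += line[1:]
        elif not line:
            if current:
                entries.append(current)
            current, last = {}, None
        else:
            last, _, value = line.partition(": ")
            current.setdefault(last, []).append(value)
    return entries

def classify(entries):
    """Apply the lesson's enumeration criteria to each account."""
    out = {"kerberoastable": [], "asrep_roastable": [], "domain_admins": []}
    for e in entries:
        sam = e["sAMAccountName"][0]
        uac = int(e.get("userAccountControl", ["0"])[0])
        # Machine accounts (name ends in $) carry SPNs but use long random passwords,
        # and krbtgt is skipped by every roasting tool, so neither counts here.
        if e.get("servicePrincipalName") and not sam.endswith("$") and sam.lower() != "krbtgt":
            out["kerberoastable"].append(sam)
        if uac & UAC_DONT_REQ_PREAUTH:
            out["asrep_roastable"].append(sam)
        if any(g.startswith("CN=Domain Admins,") for g in e.get("memberOf", [])):
            out["domain_admins"].append(sam)
    return out
```

Pipe a real export in with `python3 triage.py < users.ldif` after replacing SAMPLE_LDIF with `sys.stdin.read()`; the userAccountControl values 66048 and 4260352 decode to NORMAL_ACCOUNT + DONT_EXPIRE_PASSWORD, the latter with DONT_REQ_PREAUTH added.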

PowerView Enumeration

PowerView is the go-to tool for AD enumeration on Windows.

Domain Information

# Import PowerView
Import-Module .\PowerView.ps1

# Basic domain info
Get-Domain
Get-DomainController

# Domain policy (password policy)
Get-DomainPolicy
(Get-DomainPolicy).SystemAccess

User Enumeration

# All domain users
Get-DomainUser | select samaccountname

# Specific user details
Get-DomainUser -Identity administrator

# Find users with SPNs (Kerberoastable)
Get-DomainUser -SPN

# Find users that don't require preauth (AS-REP Roastable)
Get-DomainUser -PreauthNotRequired

Group Enumeration

# All groups
Get-DomainGroup | select samaccountname

# Domain Admins members
Get-DomainGroupMember -Identity "Domain Admins"

# Find groups a user belongs to
Get-DomainGroup -UserName "targetuser"

Computer Enumeration

# All computers
Get-DomainComputer | select dnshostname,operatingsystem

# Find servers
Get-DomainComputer -OperatingSystem "*Server*"

# Find computers where current user has admin
Find-LocalAdminAccess

NetExec (formerly CrackMapExec) Enumeration

Note: CrackMapExec (crackmapexec/cme) was archived in 2024. Its successor is NetExec (nxc), a community-maintained fork with the same syntax. Use nxc on current Kali images.

From Linux

# Enumerate domain with creds
nxc smb $DC -u user -p 'password' --users
nxc smb $DC -u user -p 'password' --groups
nxc smb $DC -u user -p 'password' --shares

# Check for admin access
nxc smb $NETWORK/24 -u user -p 'password'

# Output: Pwn3d! means local admin

Impacket Tools

# Get domain users
GetADUsers.py -all corp.local/user:password -dc-ip $DC

# Enumerate SPNs
GetUserSPNs.py corp.local/user:password -dc-ip $DC

# Get AS-REP roastable users
GetNPUsers.py corp.local/ -usersfile users.txt -dc-ip $DC

AD Enumeration Checklist

□ Domain Controllers identified
□ Domain name and structure mapped
□ Users enumerated (focus on admins, service accounts)
□ Groups enumerated (Domain Admins, other privileged)
□ Computers enumerated (servers, workstations)
□ SPNs identified (Kerberoastable accounts)
□ AS-REP roastable users found
□ Password policy obtained
□ BloodHound data collected and analyzed
□ Shares enumerated
□ GPO enumeration (for persistence/privesc)

Next, we'll cover Active Directory attacks including Kerberoasting and credential theft.
