Active Directory & Exam Simulation

Active Directory Enumeration


Active Directory (AD) is heavily featured in OSCP. Understanding AD structure and enumeration is critical for the exam's AD set (worth 40 points).

AD Fundamentals

Key Components

Active Directory Structure:
├── Forest (Top level)
│   └── Domain (corp.local)
│       ├── Domain Controllers (DC)
│       ├── Organizational Units (OUs)
│       ├── Users
│       ├── Groups
│       ├── Computers
│       └── Group Policy Objects (GPOs)

Important Objects

Object              Description             OSCP Relevance
Domain Controller   Holds the AD database   High-value target
Domain Admin        Full domain control     Ultimate goal
Service Accounts    Run services            Kerberoastable
Computer Accounts   Machine identities      Lateral movement

Initial AD Enumeration

From Linux (No Credentials)

# Find Domain Controllers
nmap -p 88,389,636 --open $NETWORK/24

# LDAP anonymous bind
ldapsearch -x -H ldap://$DC -s base namingcontexts

# Enumerate via SMB
enum4linux -a $DC
crackmapexec smb $DC

From Windows (Domain Joined)

# Basic domain info
systeminfo | findstr /B /C:"Domain"
echo %userdomain%

# Current user info
whoami /all
net user %username% /domain

# Domain Controllers (replace corp.local with the target domain; %userdomain% also works)
nltest /dclist:corp.local

BloodHound Enumeration

BloodHound visualizes AD attack paths and is essential for OSCP.

Collection with SharpHound

# Download and run SharpHound
.\SharpHound.exe -c All

# Or use PowerShell collector
Import-Module .\SharpHound.ps1
Invoke-BloodHound -CollectionMethod All

# Output: ZIP file for BloodHound import

Collection from Linux

# bloodhound-python (requires creds)
bloodhound-python -u 'user' -p 'password' -d corp.local -dc dc.corp.local -c All

# Output: JSON files for BloodHound import

Key BloodHound Queries

Pre-built queries to run:
├── Find Shortest Path to Domain Admins
├── Find Kerberoastable Users
├── Find AS-REP Roastable Users
├── Find Computers with Unconstrained Delegation
└── Shortest Path from Owned Principals

LDAP Enumeration

Using ldapsearch

# Get base DN
ldapsearch -x -H ldap://$DC -s base namingcontexts

# Enumerate all user accounts (objectCategory=person excludes computer objects, which are also objectClass=user)
ldapsearch -x -H ldap://$DC -D "user@corp.local" -w 'password' -b "DC=corp,DC=local" "(&(objectCategory=person)(objectClass=user))" sAMAccountName

# Find Domain Admins
ldapsearch -x -H ldap://$DC -D "user@corp.local" -w 'password' -b "DC=corp,DC=local" "(memberOf=CN=Domain Admins,CN=Users,DC=corp,DC=local)"

# Service accounts (likely Kerberoastable)
ldapsearch -x -H ldap://$DC -D "user@corp.local" -w 'password' -b "DC=corp,DC=local" "(servicePrincipalName=*)" sAMAccountName servicePrincipalName
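
To turn the ldapsearch output above into a remediation list for a domain you administer, here is an added Python example (not part of the original page) that parses ldapsearch's LDIF, decodes the userAccountControl bits behind the SPN and "no pre-auth" findings, and flags enabled accounts that carry an SPN, skip Kerberos pre-authentication, or sit in Domain Admins. The sample LDIF, account names and hosts are constructed; the folded memberOf line mirrors how ldapsearch wraps long attribute values.

```python
DONT_REQ_PREAUTH, ACCOUNTDISABLE = 0x400000, 0x2   # userAccountControl bits

# Constructed sample of what the ldapsearch calls above print when asked for
# sAMAccountName, servicePrincipalName, userAccountControl and memberOf.
SAMPLE_LDIF = """\
dn: CN=svc_sql,CN=Users,DC=corp,DC=local
sAMAccountName: svc_sql
servicePrincipalName: MSSQLSvc/sql01.corp.local:1433
userAccountControl: 66048

dn: CN=jdoe,CN=Users,DC=corp,DC=local
sAMAccountName: jdoe
userAccountControl: 4260352
memberOf: CN=Domain Admins,CN=Users,DC=corp,DC=lo
 cal

dn: CN=old_svc,CN=Users,DC=corp,DC=local
sAMAccountName: old_svc
servicePrincipalName: HTTP/intranet.corp.local
userAccountControl: 66050
"""

def parse_ldif(text):
    """Split LDIF into entries, unfolding continuation lines (leading space)."""
    entries = []
    for block in text.replace("\n ", "").split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if line and not line.startswith("#"):     # skip ldapsearch comments
                key, _, value = line.partition(": ")
                entry.setdefault(key, []).append(value)
        if "dn" in entry:                             # drops 'search:'/'result:' trailer
            entries.append(entry)
    return entries

def audit(text):
    """Return enabled accounts that need remediation, grouped by finding."""
    findings = {"spn_on_user": [], "no_preauth": [], "domain_admin": []}
    for e in parse_ldif(text):
        uac = int(e.get("userAccountControl", ["0"])[0])
        if uac & ACCOUNTDISABLE:
            continue                                  # disabled: not exposed
        name = e["sAMAccountName"][0]
        if "servicePrincipalName" in e:
            findings["spn_on_user"].append(name)      # Kerberoastable
        if uac & DONT_REQ_PREAUTH:
            findings["no_preauth"].append(name)       # AS-REP roastable
        if any(m.startswith("CN=Domain Admins,") for m in e.get("memberOf", [])):
            findings["domain_admin"].append(name)
    return findings
```

Feed it the saved output of an ldapsearch run that requests those four attributes; SPN findings usually mean moving the service to a gMSA, and no_preauth findings mean re-enabling pre-authentication on the account.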

PowerView Enumeration

PowerView is the go-to tool for AD enumeration on Windows.

Domain Information

# Import PowerView
Import-Module .\PowerView.ps1

# Basic domain info
Get-Domain
Get-DomainController

# Domain policy (password policy)
Get-DomainPolicy
(Get-DomainPolicy).SystemAccess

User Enumeration

# All domain users
Get-DomainUser | select samaccountname

# Specific user details
Get-DomainUser -Identity administrator

# Find users with SPNs (Kerberoastable)
Get-DomainUser -SPN

# Find users that don't require preauth (AS-REP Roastable)
Get-DomainUser -PreauthNotRequired

Group Enumeration

# All groups
Get-DomainGroup | select samaccountname

# Domain Admins members
Get-DomainGroupMember -Identity "Domain Admins"

# Find groups a user belongs to (PowerView's Get-DomainGroup takes -MemberIdentity, not -UserName)
Get-DomainGroup -MemberIdentity "targetuser"

Computer Enumeration

# All computers
Get-DomainComputer | select dnshostname,operatingsystem

# Find servers
Get-DomainComputer -OperatingSystem "*Server*"

# Find computers where current user has admin
Find-LocalAdminAccess

CrackMapExec Enumeration

From Linux

# Enumerate domain with creds
crackmapexec smb $DC -u user -p 'password' --users
crackmapexec smb $DC -u user -p 'password' --groups
crackmapexec smb $DC -u user -p 'password' --shares

# Check for admin access
crackmapexec smb $NETWORK/24 -u user -p 'password'

# Output: "(Pwn3d!)" next to a host means the supplied user is local admin there

Impacket Tools

# Get domain users
GetADUsers.py -all corp.local/user:password -dc-ip $DC

# Enumerate SPNs
GetUserSPNs.py corp.local/user:password -dc-ip $DC

# Get AS-REP roastable users
GetNPUsers.py corp.local/ -usersfile users.txt -dc-ip $DC

AD Enumeration Checklist

□ Domain Controllers identified
□ Domain name and structure mapped
□ Users enumerated (focus on admins, service accounts)
□ Groups enumerated (Domain Admins, other privileged)
□ Computers enumerated (servers, workstations)
□ SPNs identified (Kerberoastable accounts)
□ AS-REP roastable users found
□ Password policy obtained
□ BloodHound data collected and analyzed
□ Shares enumerated
□ GPOs enumerated (for persistence/privesc)

Next, we'll cover Active Directory attacks including Kerberoasting and credential theft.
