Credentialed Enumeration - from Linux
After gaining a foothold and obtaining domain credentials (cleartext password, NTLM hash, or SYSTEM access on a domain-joined host), we can perform deep enumeration of domain users, computers, groups, GPOs, ACLs, trusts, and more. Most tools require at minimum a low-privilege domain user account.
CrackMapExec (CME / NetExec)
Versatile toolkit for assessing AD environments. Supports SMB, MSSQL, SSH, and WinRM protocols. Built on Impacket and PowerSploit.
Domain User Enumeration
sudo crackmapexec smb 172.16.5.5 -u forend -p Klmcargo2 --users
- Returns all domain users with the `badPwdCount` attribute
- Use `badPwdCount` to filter users for password spraying (avoid accounts with count > 0 to prevent lockouts)
Domain Group Enumeration
sudo crackmapexec smb 172.16.5.5 -u forend -p Klmcargo2 --groups
- Lists all groups with member counts
- Note groups of interest: Domain Admins, Administrators, Executives, IT admin groups
Logged-On Users
sudo crackmapexec smb 172.16.5.130 -u forend -p Klmcargo2 --loggedon-users
- Shows users currently logged into a target host
- `(Pwn3d!)` in the output indicates local admin access on the target
- Look for privileged users (service accounts, domain admins) on file servers and jump hosts
Share Enumeration
sudo crackmapexec smb 172.16.5.5 -u forend -p Klmcargo2 --shares
- Shows share names and access level (READ/WRITE)
- Target non-default shares (Department Shares, User Shares, archive shares) for sensitive data
Share Spidering with spider_plus
sudo crackmapexec smb 172.16.5.5 -u forend -p Klmcargo2 -M spider_plus --share 'Department Shares'
- Recursively lists all readable files in a share
- Output written as JSON to `/tmp/cme_spider_plus/<ip>.json`
- Look for `web.config` files, scripts, and files that may contain hardcoded credentials
Key CME Flags
| Flag | Purpose |
|---|---|
| -u | Username |
| -p | Password |
| --users | Enumerate domain users |
| --groups | Enumerate domain groups |
| --loggedon-users | Enumerate logged-on users on target |
| --shares | Enumerate SMB shares |
| -M spider_plus | Spider shares for all readable files |
| --share | Target a specific share (with spider_plus) |
SMBMap
SMB enumeration tool for listing shares, permissions, and contents from Linux.
Check Share Access
smbmap -u forend -p Klmcargo2 -d INLANEFREIGHT.LOCAL -H 172.16.5.5
- Shows permission level per share: `READ ONLY`, `READ, WRITE`, or `NO ACCESS`
- Standard users typically have no access to `ADMIN$` or `C$`
- Default read access to `IPC$`, `NETLOGON`, and `SYSVOL`
Recursive Directory Listing
smbmap -u forend -p Klmcargo2 -d INLANEFREIGHT.LOCAL -H 172.16.5.5 -R 'Department Shares' --dir-only
| Flag | Purpose |
|---|---|
| -R | Recursive listing of a share |
| --dir-only | Only show directories (suppress file listing) |
| -d | Domain for authentication |
rpcclient
Tool for MS-RPC enumeration via the Samba protocol. Supports both authenticated and unauthenticated (null session) enumeration.
Connect (Null Session)
rpcclient -U "" -N 172.16.5.5
Connect (Authenticated)
rpcclient -U 'forend%Klmcargo2' 172.16.5.5
User Enumeration
rpcclient $> enumdomusers
rpcclient $> queryuser 0x457
Understanding RIDs
- SID (Security Identifier): unique identifier for a domain (e.g. `S-1-5-21-3842939050-3880317879-2865463114`)
- RID (Relative Identifier): appended to the SID to uniquely identify an object
- Full user SID = domain SID + RID (e.g. `S-1-5-21-...-1111`)
| RID (Hex) | RID (Dec) | Account |
|---|---|---|
| 0x1f4 | 500 | Built-in Administrator |
| 0x1f5 | 501 | Guest |
| 0x1f6 | 502 | krbtgt |
- RIDs for built-in accounts are consistent across all domains
- Use `queryuser <RID>` to get detailed info (logon times, password info, bad password count)
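An added example (not from the original notes) that puts the SID/RID material above into code: it parses constructed `enumdomusers`-style lines, converts rpcclient's hex RIDs to decimal, builds full object SIDs from the domain SID quoted above, and labels the well-known RIDs. It goes slightly beyond the table by also naming the fixed group RIDs 512, 513 and 519; the sample user lines are constructed.

```python
"""Added example, not part of the original notes: working with SIDs and RIDs.

Parses constructed `enumdomusers`-style lines, converts rpcclient's hex RIDs
to decimal, builds full object SIDs from the domain SID quoted above, and
labels the well-known built-in RIDs.  Sample user lines are constructed.
"""
import re

# Well-known RIDs: the three from the table above plus a few fixed group RIDs.
WELL_KNOWN_RIDS = {
    500: "Built-in Administrator",
    501: "Guest",
    502: "krbtgt",
    512: "Domain Admins",
    513: "Domain Users",
    519: "Enterprise Admins",
}

DOMAIN_SID = "S-1-5-21-3842939050-3880317879-2865463114"  # the domain SID quoted in the notes
DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+$")
# rpcclient prints one line per user: user:[name] rid:[0xhex]
ENUMDOMUSERS_RE = re.compile(r"user:\[(?P<name>[^\]]+)\]\s+rid:\[(?P<rid>0x[0-9a-fA-F]+)\]")

# Constructed sample of `rpcclient $> enumdomusers` output (not real data).
SAMPLE_ENUMDOMUSERS = """\
user:[administrator] rid:[0x1f4]
user:[guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[forend] rid:[0x457]
"""


def rid_hex_to_dec(rid_hex: str) -> int:
    """Convert an rpcclient-style RID such as '0x1f4' to its decimal value (500)."""
    return int(rid_hex, 16)


def build_sid(domain_sid: str, rid: int) -> str:
    """Append a RID to a domain SID to form the object's full SID."""
    if not DOMAIN_SID_RE.match(domain_sid):
        raise ValueError(f"not a domain SID: {domain_sid}")
    return f"{domain_sid}-{rid}"


def split_sid(sid: str) -> tuple[str, int]:
    """Split a full object SID back into (domain SID, RID)."""
    domain_sid, _, rid = sid.rpartition("-")
    if not DOMAIN_SID_RE.match(domain_sid) or not rid.isdigit():
        raise ValueError(f"not an object SID: {sid}")
    return domain_sid, int(rid)


def classify_rid(rid: int) -> str:
    """Label a RID: well-known account, other reserved value, or domain-created object."""
    if rid in WELL_KNOWN_RIDS:
        return WELL_KNOWN_RIDS[rid]
    return "reserved (< 1000)" if rid < 1000 else "domain-created object"


def parse_enumdomusers(text: str, domain_sid: str = DOMAIN_SID) -> list[dict]:
    """Turn enumdomusers output into rows with decimal RID, full SID and account type."""
    rows = []
    for m in ENUMDOMUSERS_RE.finditer(text):
        rid = rid_hex_to_dec(m.group("rid"))
        rows.append({
            "name": m.group("name"),
            "rid_hex": m.group("rid"),
            "rid": rid,
            "sid": build_sid(domain_sid, rid),
            "account_type": classify_rid(rid),
        })
    return rows


if __name__ == "__main__":
    for row in parse_enumdomusers(SAMPLE_ENUMDOMUSERS):
        print(f"{row['name']:<14} {row['rid_hex']:<6} {row['rid']:>5}  {row['sid']}  ({row['account_type']})")
```

Note that `0x457` is decimal 1111, which is why the example SID in the notes ends in `-1111`; RIDs below 1000 are reserved, so any account with a RID in that range deserves a second look.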
Impacket Toolkit
Python toolkit for interacting with Windows protocols. Key tools for credentialed enumeration and remote execution.
psexec.py
Creates a remote service via ADMIN$ share, provides interactive shell as SYSTEM:
psexec.py inlanefreight.local/wley:'transporter@4'@172.16.5.125
- Requires local admin credentials on the target
- Uploads a randomly-named executable to `ADMIN$`
- Communicates over a named pipe
- Lands as `NT AUTHORITY\SYSTEM`
wmiexec.py
Semi-interactive shell via WMI. More stealthy than psexec — no files dropped, fewer logs:
wmiexec.py inlanefreight.local/wley:'transporter@4'@172.16.5.5
- Runs commands as the authenticated user (not SYSTEM)
- Each command spawns a new `cmd.exe` via WMI
- Event ID 4688 generated per command (new process creation)
- Less obvious than SYSTEM executing commands, but still detectable
psexec.py vs wmiexec.py
| | psexec.py | wmiexec.py |
|---|---|---|
| Runs as | SYSTEM | Authenticated user |
| Files on disk | Yes (uploads to ADMIN$) | No |
| Log volume | Higher | Lower |
| Stealth | Lower | Higher |
| Shell type | Fully interactive | Semi-interactive |
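Since the comparison above rests on what each tool leaves in the logs, here is an added detection example (not from the original notes, not Impacket code) that applies two rules to constructed Windows event samples: the 4688 pattern wmiexec.py produces (WmiPrvSE.exe spawning `cmd.exe` with output redirected to `\\127.0.0.1\ADMIN$\__<timestamp>`), and a 7045 service install whose binary is a random-looking eight-letter `.exe` under `%SystemRoot%`, which is how psexec.py's uploaded service shows up. The eight-letter naming rule is a heuristic assumption and should be tuned to your environment; the events are constructed, not real logs.

```python
"""Added example, not from the original notes: telling psexec.py-style and
wmiexec.py-style activity apart in Windows event data.

Two rules over constructed sample events (no real logs):
  * 4688 where WmiPrvSE.exe spawns cmd.exe whose command line redirects output
    to \\127.0.0.1\ADMIN$\__<timestamp>, the pattern wmiexec.py uses.
  * 7045 service install whose binary is a random-looking 8-letter .exe under
    %SystemRoot%, the footprint of psexec.py's uploaded service executable
    (heuristic: the exact naming is an assumption, tune to your environment).
"""
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Event:
    event_id: int
    fields: dict = field(default_factory=dict)


# Constructed sample events: two lateral-movement artefacts and two benign ones.
SAMPLE_EVENTS = [
    Event(4688, {"SubjectUserName": "wley",
                 "ParentProcessName": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
                 "NewProcessName": r"C:\Windows\System32\cmd.exe",
                 "CommandLine": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1700000000.12 2>&1"}),
    Event(7045, {"ServiceName": "AbCd", "ImagePath": r"%SystemRoot%\aBcDeFgH.exe",
                 "AccountName": "LocalSystem"}),
    Event(4688, {"SubjectUserName": "wley",
                 "ParentProcessName": r"C:\Windows\explorer.exe",
                 "NewProcessName": r"C:\Windows\System32\cmd.exe",
                 "CommandLine": "cmd.exe"}),  # benign interactive shell
    Event(7045, {"ServiceName": "BackupAgent",
                 "ImagePath": r"C:\Program Files\Backup Agent\agent.exe",
                 "AccountName": "LocalSystem"}),  # benign software install
]

# wmiexec.py redirects each command's output into a file on the ADMIN$ share.
WMIEXEC_REDIRECT = re.compile(r"1>\s*\\\\127\.0\.0\.1\\ADMIN\$\\__\d+(?:\.\d+)?\s+2>&1")
# Heuristic for psexec.py's uploaded service binary: 8 random letters, .exe, in %SystemRoot%.
RANDOM_SERVICE_EXE = re.compile(r"^%SystemRoot%\\[A-Za-z]{8}\.exe$")


def classify(event: Event) -> Optional[str]:
    """Return a verdict string if the event matches one of the two rules, else None."""
    f = event.fields
    if event.event_id == 4688:
        parent = f.get("ParentProcessName", "").lower()
        if parent.endswith("\\wmiprvse.exe") and WMIEXEC_REDIRECT.search(f.get("CommandLine", "")):
            return "wmiexec-style: WmiPrvSE.exe spawned cmd.exe with ADMIN$ output redirect"
    elif event.event_id == 7045:
        if RANDOM_SERVICE_EXE.match(f.get("ImagePath", "")):
            return "psexec-style: service installed with random-looking binary under %SystemRoot%"
    return None


def scan(events: list[Event]) -> list[tuple[int, str]]:
    """Run classify() over a list of events and keep only the hits as (event_id, verdict)."""
    return [(e.event_id, verdict) for e in events if (verdict := classify(e))]


if __name__ == "__main__":
    for event_id, verdict in scan(SAMPLE_EVENTS):
        print(f"{event_id}: {verdict}")
```

The wmiexec rule is the more reliable of the two because the loopback `ADMIN$` redirect is a fixed tool behaviour, whereas the service-binary rule only narrows the field and should be paired with the 4688 for the new service process and the ADMIN$ file write.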
Windapsearch
Python script for AD enumeration via LDAP queries.
Domain Admins
python3 windapsearch.py --dc-ip 172.16.5.5 -u forend@inlanefreight.local -p Klmcargo2 --da
Privileged Users (Recursive/Nested)
python3 windapsearch.py --dc-ip 172.16.5.5 -u forend@inlanefreight.local -p Klmcargo2 -PU
- `-PU` performs recursive lookups for nested group membership
- Checks common elevated group names in multiple languages
- Reveals users with excess privileges through nested group membership (good for reporting)
Key Flags
| Flag | Purpose |
|---|---|
| --da | Enumerate Domain Admins members |
| -PU | Find all privileged users (recursive nested lookups) |
| -U | All users |
| -G | All groups |
| -C | All computers |
| --user-spns | Find users with SPNs (Kerberoastable) |
| --unconstrained-users | Users with unconstrained delegation |
| --unconstrained-computers | Computers with unconstrained delegation |
| --gpos | Enumerate GPOs |
BloodHound.py
Python-based BloodHound ingestor for collecting AD data from a Linux attack host. Collects users, groups, computers, group membership, GPOs, ACLs, domain trusts, local admin access, sessions, RDP/WinRM access, and more.
Run Collection
sudo bloodhound-python -u 'forend' -p 'Klmcargo2' -ns 172.16.5.5 -d inlanefreight.local -c all
| Flag | Purpose |
|---|---|
| -u | Username |
| -p | Password |
| -ns | Nameserver (Domain Controller) |
| -d | Domain |
| -c | Collection method (all, Default, DCOnly, Session, Group, ACL, etc.) |
Output
- Produces JSON files: `<date>_computers.json`, `<date>_domains.json`, `<date>_groups.json`, `<date>_users.json`
- Zip for import: `zip -r bh_data.zip *.json`
Load into BloodHound GUI
sudo neo4j start
bloodhound
- Click “Upload Data” button
- Select the `.zip` or individual `.json` files
- Use the Analysis tab for pre-built queries (e.g. “Find Shortest Paths To Domain Admins”)
Why BloodHound Matters
- Uses graph theory to visualize relationships and attack paths
- Finds nuanced flaws that would be missed by manual enumeration
- Shows nested group memberships, ACL abuse paths, session-based lateral movement
- `DCOnly` collection is stealthier (no host connections)
Useful Resources
- WADComs — interactive cheat sheet for Windows/AD offensive tools
- BloodHound Cypher Cheatsheet — custom Cypher queries for BloodHound
Summary
| Tool | Protocol | Key Use Case |
|---|---|---|
| CrackMapExec | SMB/WinRM/MSSQL/SSH | All-purpose AD enumeration, share spidering, user hunting |
| SMBMap | SMB | Share enumeration with permissions and recursive listing |
| rpcclient | MS-RPC | User/group enumeration via RID lookups, null session testing |
| psexec.py | SMB (ADMIN$) | Remote SYSTEM shell (requires local admin) |
| wmiexec.py | WMI | Stealthy remote shell as authenticated user |
| Windapsearch | LDAP | Quick domain admin/privileged user/nested group enumeration |
| BloodHound.py | LDAP/SMB | Full AD data collection for attack path visualization |