Initial Enumeration of the Domain

Internal AD enumeration begins once you are positioned inside the target network. The goal is to map hosts, critical services and user accounts and to find a foothold, typically starting without any domain credentials.

Common Test Setups

Clients may choose from several engagement configurations:

  • Pentest VM in their internal network calling back to a jump host over VPN (SSH access)
  • Physical device plugged into an ethernet port, calling back over VPN
  • Physical presence at the client’s office with your own laptop
  • Cloud VM (Azure/AWS) with internal network access via SSH and IP whitelisting
  • VPN access into the internal network (limits certain attacks like LLMNR/NBT-NS poisoning)
  • Corporate laptop connected to client VPN
  • Managed workstation (typically Windows) at the office, with limited or full internet access
  • VDI (Citrix or similar), accessible over VPN

Testing Approaches

| Approach    | Description                                                       |
| ----------- | ----------------------------------------------------------------- |
| Grey box    | Provided a list of in-scope IPs/CIDR ranges                       |
| Black box   | No information; all discovery is blind                            |
| Evasive     | Start quiet, increase noise to find the detection threshold       |
| Non-evasive | Full speed, no stealth concerns                                   |

The client may also choose whether to provide credentials upfront or require you to start unauthenticated.

Key Data Points to Enumerate

| Data Point                     | Description                                                                                   |
| ------------------------------ | --------------------------------------------------------------------------------------------- |
| AD Users                       | Valid user accounts to target for password spraying                                           |
| AD Joined Computers            | Domain Controllers, file servers, SQL/database servers, web servers, Exchange servers          |
| Key Services                   | Kerberos, NetBIOS, LDAP, DNS                                                                   |
| Vulnerable Hosts and Services  | Quick wins: easy hosts to exploit for an initial foothold                                     |

Enumeration Methodology (TTPs)

  1. Passive identification of hosts on the network
  2. Active validation of results (services, names, potential vulnerabilities)
  3. Probe hosts for interesting data
  4. Regroup and assess — ideally you now have credentials or a target for a foothold

Identifying Hosts

Passive: Wireshark / TCPDump

Listen to network traffic to identify hosts and traffic types. Useful in black box assessments.

sudo -E wireshark
sudo tcpdump -i ens224 -nn
  • ARP requests/replies reveal hosts on the local broadcast domain (an ARP reply identifies both the sender and the requester)
  • mDNS queries reveal hostnames (e.g. ACADEMY-EA-WEB01.local), typically when a host probes for its own name
  • Save captures for later review and reporting, e.g. sudo tcpdump -i ens224 -w capture.pcap
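The passive step above can be scripted over a saved capture. The following is an added example, not code from the original page: a dependency-free parser for a classic libpcap file that records hosts from ARP senders and ARP-reply targets (skipping ARP probes, whose sender address is 0.0.0.0) and collects the names carried in mDNS queries. The sample capture, MAC addresses and hostnames are constructed inline in the page's 172.16.5.0/23 lab range; in practice you would pass the bytes of a tcpdump -w file.

```python
import socket
import struct

ETH_ARP, ETH_IPV4, MDNS_PORT = 0x0806, 0x0800, 5353


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def dns_name(msg, off):
    """Decode a DNS name starting at msg[off]; follows a compression pointer if one appears."""
    labels = []
    while True:
        length = msg[off]
        off += 1
        if length == 0:
            break
        if length & 0xC0 == 0xC0:  # pointer: remainder of the name lives elsewhere in the message
            tail, _ = dns_name(msg, ((length & 0x3F) << 8) | msg[off])
            labels.append(tail)
            off += 1
            break
        labels.append(msg[off:off + length].decode("ascii", "replace"))
        off += length
    return ".".join(labels), off


def parse_frame(frame, hosts, names):
    """Record ARP senders/targets in hosts (ip -> mac) and mDNS question names in names (ip -> set)."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETH_ARP and len(frame) >= 42:
        op = struct.unpack("!H", frame[20:22])[0]
        spa = socket.inet_ntoa(frame[28:32])
        if spa != "0.0.0.0":  # ARP probes (duplicate-address detection) use an all-zero sender
            hosts[spa] = mac_str(frame[22:28])
        if op == 2:  # in a reply the target is the original requester, so it is live too
            hosts.setdefault(socket.inet_ntoa(frame[38:42]), mac_str(frame[32:38]))
    elif ethertype == ETH_IPV4 and len(frame) >= 34 and frame[23] == 17:  # IPv4 carrying UDP
        udp = 14 + (frame[14] & 0x0F) * 4
        if len(frame) < udp + 8 + 12 or struct.unpack("!H", frame[udp + 2:udp + 4])[0] != MDNS_PORT:
            return
        src = socket.inet_ntoa(frame[26:30])
        hosts.setdefault(src, mac_str(frame[6:12]))  # an mDNS sender is a live host as well
        dns = frame[udp + 8:]
        off = 12
        for _ in range(struct.unpack("!H", dns[4:6])[0]):  # qdcount questions
            qname, off = dns_name(dns, off)
            off += 4  # skip qtype and qclass
            names.setdefault(src, set()).add(qname)


def read_pcap(data):
    """Yield frames from a classic libpcap file (magic a1b2c3d4 either endian, Ethernet link type)."""
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}[struct.unpack("<I", data[:4])[0]]
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only LINKTYPE_ETHERNET captures are handled")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "I", data[off + 8:off + 12])[0]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def passive_hosts(pcap_bytes):
    hosts, names = {}, {}
    for frame in read_pcap(pcap_bytes):
        if len(frame) >= 14:
            parse_frame(frame, hosts, names)
    return hosts, names


# Constructed sample capture: made-up MACs/IPs/names, not real traffic.
def _eth(dst, src, ethertype, payload):
    return dst + src + struct.pack("!H", ethertype) + payload


def _arp(op, sha, spa, tha, tpa):
    return struct.pack("!HHBBH", 1, ETH_IPV4, 6, 4, op) + sha + socket.inet_aton(spa) + tha + socket.inet_aton(tpa)


def _mdns_query(src_mac, src_ip, qname):
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    dns = struct.pack("!HHHHHH", 0, 0, 1, 0, 0, 0) + labels + struct.pack("!HH", 1, 1)
    udp = struct.pack("!HHHH", MDNS_PORT, MDNS_PORT, 8 + len(dns), 0) + dns
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 255, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton("224.0.0.251"))
    return _eth(b"\x01\x00\x5e\x00\x00\xfb", src_mac, ETH_IPV4, ip + udp)


def build_pcap(frames):
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


DC_MAC, WS_MAC, WEB_MAC = b"\x00\x50\x56\xb9\x00\x05", b"\x00\x50\x56\xb9\x00\x7f", b"\x00\x50\x56\xb9\x01\x30"
PROBE_MAC = b"\x00\x50\x56\xb9\x00\x99"
SAMPLE_PCAP = build_pcap([
    _eth(b"\xff" * 6, WS_MAC, ETH_ARP, _arp(1, WS_MAC, "172.16.5.127", b"\x00" * 6, "172.16.5.5")),
    _eth(WS_MAC, DC_MAC, ETH_ARP, _arp(2, DC_MAC, "172.16.5.5", WS_MAC, "172.16.5.127")),
    _eth(b"\xff" * 6, PROBE_MAC, ETH_ARP, _arp(1, PROBE_MAC, "0.0.0.0", b"\x00" * 6, "172.16.5.200")),
    _mdns_query(WEB_MAC, "172.16.5.130", "ACADEMY-EA-WEB01.local"),
])

if __name__ == "__main__":
    hosts, names = passive_hosts(SAMPLE_PCAP)
    for ip, mac in sorted(hosts.items()):
        print(f"{ip:15} {mac}  {', '.join(sorted(names.get(ip, [])))}")
```

Running it lists 172.16.5.5, 172.16.5.127 and 172.16.5.130 with their MACs and the WEB01 name; the 172.16.5.200 address only appears as the target of an ARP probe and is correctly not reported as live. Everything here is derived from traffic other hosts sent on their own, so nothing is transmitted.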

Passive: Responder (Analyze Mode)

Responder in analyze mode passively listens for LLMNR, NBT-NS, and MDNS requests without sending poisoned packets:

sudo responder -I ens224 -A

This can reveal additional hosts not seen in Wireshark captures.

Active: fping (ICMP Sweep)

Use fping to quickly identify live hosts across a subnet:

fping -asgq 172.16.5.0/23

| Flag | Purpose                                  |
| ---- | ---------------------------------------- |
| -a   | Show targets that are alive              |
| -s   | Print stats at end of scan               |
| -g   | Generate target list from CIDR           |
| -q   | Quiet, don't show per-target results     |

Hosts that drop ICMP echo (host firewalls frequently do) will not appear, so treat the result as a lower bound and confirm with an ARP scan on the local segment or an Nmap scan with -Pn.

Active: Nmap Scanning

Perform detailed service enumeration on the discovered hosts (feed fping's alive list into -iL):

sudo nmap -v -A -iL hosts.txt -oA /home/user/Documents/host-enum

Key things to look for in results:

  • Domain Controllers, identified by the combination of open ports: DNS (53), Kerberos (88), LDAP (389/636), SMB (445), and usually Global Catalog (3268/3269) and kpasswd (464)
  • Naming conventions — NetBIOS and DNS names (e.g. ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL)
  • Legacy/outdated hosts — Windows Server 2008, Windows 7, etc. may be vulnerable to EternalBlue, MS08-067, and similar exploits
  • SQL servers, web servers, mail servers — additional attack surface

Best practices:

  • Always use -oA to save scan results in multiple formats
  • Understand what your scans do before running them (some Nmap scripts run active vuln checks that can crash hosts)
  • Alert the client before exploiting legacy systems — get written approval
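The checklist above (DC signature ports, naming conventions, legacy OS, additional server roles) can be applied mechanically to the .gnmap file that -oA writes. The following is an added example, not code from the original page: it parses Nmap grepable output and tags each host with the quick-win signatures a tester would look for. The sample scan output is constructed to resemble gnmap format and is not real results; the port-to-role mapping and the legacy OS pattern are the author's assumptions and should be tuned to the engagement.

```python
import re

# DNS, Kerberos, LDAP and SMB together are a strong Domain Controller signature.
DC_PORTS = {53, 88, 389, 445}
# Assumed role signatures (extend as needed); Global Catalog ports are DC-only.
ROLE_PORTS = {
    "domain controller (global catalog)": {3268, 3269},
    "SQL server": {1433},
    "web server": {80, 443, 8080, 8443},
    "mail server": {25, 465, 587, 110, 143, 993},
    "RDP": {3389},
}
# Out-of-support Windows versions worth a second look (EternalBlue / MS08-067 era).
LEGACY_OS = re.compile(r"Windows (XP|Vista|7|Server 2003|Server 2008)\b", re.IGNORECASE)
LEGACY_NOTE = "legacy OS: verify patch level and get written approval before exploiting"


def parse_gnmap(text):
    """Parse Nmap grepable output (-oG, or the .gnmap produced by -oA) into host records."""
    hosts = []
    for line in text.splitlines():
        if not line.startswith("Host:") or "\tPorts:" not in line:
            continue  # comments and "Status: Up" lines carry no port data
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        m = re.match(r"(\S+) \((.*)\)", fields["Host"])
        ports = {}
        for entry in fields["Ports"].split(", "):
            cols = entry.split("/")  # port/state/proto/owner/service/rpc/version/
            if cols[1] == "open" and cols[2] == "tcp":
                ports[int(cols[0])] = (cols[4], cols[6])
        hosts.append({"ip": m.group(1), "name": m.group(2), "ports": ports,
                      "os": fields.get("OS", "")})
    return hosts


def domain_from_fqdn(name):
    """ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL -> INLANEFREIGHT.LOCAL (the naming convention check)."""
    return name.split(".", 1)[1] if "." in name else ""


def triage(host):
    """Return the list of signatures that make this host interesting, in priority order."""
    open_ports = set(host["ports"])
    banners = " ".join(version for _, version in host["ports"].values())
    findings = []
    if DC_PORTS <= open_ports:
        findings.append("likely domain controller")
    for role, ports in ROLE_PORTS.items():
        if open_ports & ports:
            findings.append(role)
    if LEGACY_OS.search(host["os"]) or LEGACY_OS.search(banners):
        findings.append(LEGACY_NOTE)
    return findings


def triage_report(gnmap_text):
    return {h["ip"]: triage(h) for h in parse_gnmap(gnmap_text)}


# Constructed sample in gnmap layout (tab-separated fields); not real scan output.
SAMPLE_GNMAP = """# Nmap scan (constructed sample)
Host: 172.16.5.5 (ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL)\tPorts: 53/open/tcp//domain//Simple DNS Plus/, 88/open/tcp//kerberos-sec//Microsoft Windows Kerberos/, 389/open/tcp//ldap//Microsoft Windows Active Directory LDAP/, 445/open/tcp//microsoft-ds//, 636/open/tcp//ssl|ldap//, 3268/open/tcp//ldap//\tIgnored State: closed (994)\tOS: Windows Server 2019\tSeq Index: 262
Host: 172.16.5.130 (ACADEMY-EA-WEB01.INLANEFREIGHT.LOCAL)\tPorts: 80/open/tcp//http//Microsoft IIS httpd 7.5/, 445/open/tcp//microsoft-ds//Windows Server 2008 R2 microsoft-ds/, 3389/open/tcp//ms-wbt-server//\tIgnored State: closed (997)
Host: 172.16.5.200 ()\tStatus: Up
"""

if __name__ == "__main__":
    for host in parse_gnmap(SAMPLE_GNMAP):
        print(f"{host['ip']:15} {host['name']:45} domain={domain_from_fqdn(host['name'])}")
        for finding in triage(host):
            print(f"    - {finding}")
```

With the sample, the first host is tagged as a likely DC (plus Global Catalog) and the second as a web server with RDP on a 2008 R2 banner, which is exactly the legacy case the best practices say to clear with the client before touching. Run it against a real file with parse_gnmap(open("host-enum.gnmap").read()).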

Identifying Users

Kerbrute (Internal AD Username Enumeration)

Kerbrute sends Kerberos AS-REQ messages without pre-authentication data. The KDC answers differently depending on whether the principal exists (KDC_ERR_PREAUTH_REQUIRED for a valid account, KDC_ERR_C_PRINCIPAL_UNKNOWN for an unknown one), so valid usernames can be confirmed without supplying a password. Because no logon attempt is made, this causes no lockouts and none of the failed-logon events (4625) that NTLM-based guessing produces; if Kerberos auditing is enabled on the DC, each valid user still generates a 4768 (TGT requested) event, so how quiet this is depends on the target's logging. Accounts with pre-authentication disabled answer with an AS-REP, which kerbrute prints for ASREPRoasting.

kerbrute userenum -d INLANEFREIGHT.LOCAL --dc 172.16.5.5 jsmith.txt -o valid_ad_users
  • Use wordlists from Insidetrust's statistically-likely-usernames (e.g. jsmith.txt, jsmith2.txt)
  • Compile from source: git clone https://github.com/ropnop/kerbrute.git && cd kerbrute && make all (binaries are written to dist/)
  • Move the binary into PATH: sudo mv dist/kerbrute_linux_amd64 /usr/local/bin/kerbrute

Results provide a list of valid usernames for targeted password spraying.

Gaining SYSTEM-Level Access

The NT AUTHORITY\SYSTEM account on a domain-joined host authenticates to the domain as the host's computer account (HOST$), which is a domain member and can read most of AD. Ways to gain SYSTEM access:

  • Remote exploits: MS08-067, EternalBlue (MS17-010), BlueKeep (CVE-2019-0708)
  • Service account abuse: SeImpersonatePrivilege via Juicy Potato on older Windows versions (PrintSpoofer or RoguePotato on newer builds where Juicy Potato no longer works)
  • Local privilege escalation: e.g. the Windows 10 Task Scheduler 0-day
  • Local admin + PsExec: PsExec.exe -s -i cmd.exe launches a SYSTEM cmd window

What SYSTEM Access Enables

  • Enumerate the domain with BloodHound, PowerView, or built-in tools
  • Perform Kerberoasting / ASREPRoasting
  • Run Inveigh for Net-NTLMv2 hash capture or SMB relay attacks
  • Token impersonation to hijack privileged domain accounts
  • ACL attacks

A Word of Caution

  • Non-evasive tests: noise level doesn’t typically matter
  • Evasive / red team: stealth is critical; full-network Nmap scans and similar tools are loud
  • Industrial environments: scanning sensors or logic controllers can overload them and disrupt operations
  • Always clarify the assessment goal and rules of engagement in writing before starting