4. Active Directory Enumeration
Overview
Understanding Active Directory from an Attacker’s Perspective
Active Directory (AD), formally known as Active Directory Domain Services (AD DS), is the central system administrators use to manage enterprise environments. Through AD, administrators control operating systems, applications, users, computers, and access to sensitive data across the organization. From a red team perspective, …
Manual Enumeration - Legacy Windows Tools
Initial Access: Connecting to the Domain-Joined Host
From an offensive standpoint, enumeration begins the moment we gain access to a domain-joined system. In this scenario, we already have valid domain credentials and use them to connect to a Windows client via RDP. Using a legacy but reliable tool like xfreerdp, we …
Manual Enumeration - PowerShell and .NET
Why Build Our Own Enumeration Tools?
In Active Directory (AD) environments, enumeration is one of the first things a red teamer does after gaining initial access. There are many built-in tools for this job, such as PowerShell cmdlets like Get-ADUser. However, these cmdlets are part of Remote Server Administration Tools …
Manual Enumeration - PowerView
Introducing PowerView
PowerView is a PowerShell script that contains a large collection of functions designed to make Active Directory enumeration easier and more effective from a red team perspective. It is part of the PowerSploit framework and can be downloaded from here. Since PowerView is a script and not a compiled …
Automated Enumeration
Why Automation Matters
Manually enumerating an Active Directory (AD) domain is slow, error-prone, and difficult to scale—especially in large enterprise environments. As a red team operator, you often collect massive amounts of information: users, groups, permissions, sessions, and trust relationships. Organizing and analyzing this data by hand quickly becomes overwhelming. Automated …