
Automated Enumeration

January 05, 2026 9 min read

Why Automation Matters

Manually enumerating an Active Directory (AD) domain is slow, error-prone, and difficult to scale—especially in large enterprise environments. As a red team operator, you often collect massive amounts of information: users, groups, permissions, sessions, and trust relationships. Organizing and analyzing this data by hand quickly becomes overwhelming.

Automated enumeration tools solve this problem. They help us:

  • Collect large amounts of domain data quickly
  • Organize relationships in a structured way
  • Identify possible attack paths faster
  • Focus on realistic privilege escalation scenarios

That said, automation is not a replacement for manual techniques. Manual and automated methods each have strengths and weaknesses, and effective attackers use both together.

One operational risk to keep in mind: automated collection is noisy. SharpHound issues LDAP queries that walk the entire directory and, for session and local-group collection, opens SMB/RPC connections to every reachable computer in the domain. In monitored environments, that burst of traffic from a single host is exactly the pattern that identity-monitoring products such as Microsoft Defender for Identity are built to flag, so timing, scope, and stealth are critical considerations during an engagement.

Introducing BloodHound and SharpHound

BloodHound is a free and widely used Active Directory attack path analysis tool. It helps attackers understand how privileges, trust relationships, and access rights can be abused to move laterally and escalate privileges inside a domain.

The toolset is divided into two main components:

  • SharpHound: A data collection tool that runs inside the target environment
  • BloodHound: A graphical analysis tool used to visualize and analyze the collected data

Think of SharpHound as the sensor, and BloodHound as the brain.

Collecting Domain Data with SharpHound

SharpHound is the data collection component of BloodHound. It runs on a compromised system inside the target domain and gathers information such as:

  • Users and groups
  • Group memberships
  • Active sessions
  • Access control lists (ACLs)
  • Trust relationships

You can obtain SharpHound from the official BloodHound repository. Use the collector that ships with, or is listed as compatible with, the BloodHound version you will analyze the data in: the output format is versioned, and a newer collector's output may not import into an older GUI.

Loading SharpHound into Memory

To avoid writing SharpHound.exe to disk, the collector is commonly run through its PowerShell wrapper, SharpHound.ps1. The script carries the SharpHound .NET assembly embedded within it and loads that assembly reflectively into the current PowerShell process:

PS C:\> Import-Module .\SharpHound.ps1

Dot-sourcing the script has the same effect. Note that the script itself still has to reach the host, and the session is subject to PowerShell script block logging and AMSI scanning, so "in memory" reduces disk artifacts rather than eliminating evidence.

Running SharpHound

To start data collection, run the following command:

PS C:\> Invoke-BloodHound -CollectionMethod All -OutputDirectory C:\Users\john\Desktop\ -OutputPrefix "result"

-CollectionMethod All: collects every category SharpHound supports except GPOLocalGroup (local group membership derived from Group Policy). It is the most comprehensive option and gives the best visibility for attack path analysis, but it is also the noisiest, because it triggers the SMB/RPC sweep of every computer described above. SharpHound also accepts narrower collection methods (for example Session, LocalAdmin, ACL, or Group) and the -Stealth, -Throttle, and -Jitter options for engagements where footprint matters more than coverage.

-OutputDirectory and -OutputPrefix: where the results are written and how the output files are named.

By default, SharpHound writes one JSON file per object type (users, groups, computers, domains, and so on) and packages them into a single ZIP archive.

Conceptually, this process takes a snapshot of the domain from the perspective of the compromised user account (for example, user john). The resulting data shows everything that user can see or influence—directly or indirectly—within the domain.
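Before carrying the archive to the analysis host, it is worth checking what it actually contains: which object types were collected, how many objects each file holds, and which format version the collector wrote. The following is an added example, not code from the original page or from the BloodHound project. The archive is constructed inline and modelled on the SharpHound JSON layout (a "data" array plus a "meta" object with "type", "count" and "version"); the file names, SIDs, and the deliberately wrong count in the computers file are assumptions made for illustration.

```python
"""Inventory a SharpHound ZIP archive before uploading it to BloodHound.

Added example; the archive is constructed here and only mirrors the
general SharpHound layout (one JSON file per object type, each with a
"data" array and a "meta" object). Names and values are assumptions.
"""
import io
import json
import zipfile


def build_sample_zip() -> bytes:
    """Constructed stand-in for result_*.zip; real output has more files."""
    users = {
        "data": [
            {"ObjectIdentifier": "S-1-5-21-1-1-1-1105",
             "Properties": {"name": "JOHN@CORP.LOCAL", "enabled": True}},
            {"ObjectIdentifier": "S-1-5-21-1-1-1-500",
             "Properties": {"name": "ADMINISTRATOR@CORP.LOCAL", "enabled": True}},
        ],
        "meta": {"type": "users", "count": 2, "version": 5},
    }
    computers = {
        "data": [
            {"ObjectIdentifier": "S-1-5-21-1-1-1-1000",
             "Properties": {"name": "DC01.CORP.LOCAL"}},
        ],
        # Constructed mismatch: declared count disagrees with the data present,
        # the kind of thing a truncated or edited collection would produce.
        "meta": {"type": "computers", "count": 3, "version": 5},
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("20260105120000_users.json", json.dumps(users))
        zf.writestr("20260105120000_computers.json", json.dumps(computers))
    return buf.getvalue()


def inventory(zip_bytes: bytes) -> dict:
    """Return {object_type: {"count": objects present,
    "declared": meta.count, "version": meta.version}} per JSON file."""
    result = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".json"):
                continue
            doc = json.loads(zf.read(name))
            meta = doc.get("meta", {})
            result[meta.get("type", name)] = {
                "count": len(doc.get("data", [])),
                "declared": meta.get("count"),
                "version": meta.get("version"),
            }
    return result


def find_problems(inv: dict) -> list:
    """Object types whose declared count disagrees with the data present."""
    return [t for t, v in inv.items() if v["declared"] != v["count"]]


if __name__ == "__main__":
    inv = inventory(build_sample_zip())
    for t, v in sorted(inv.items()):
        print(f"{t:10s} objects={v['count']} declared={v['declared']} "
              f"format_version={v['version']}")
    print("mismatched:", find_problems(inv))
```

Run against a real archive, the same inventory tells you immediately whether session or ACL data is missing (a sign that the collecting account could not reach the relevant hosts) and whether the format version matches the BloodHound build you intend to import into.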

Analyzing the Data with BloodHound

On Kali Linux, BloodHound is available as a package, but it depends on a Neo4j database that must be running before the GUI can connect to it.

What Is Neo4j?

Neo4j is an open-source graph database (NoSQL). Unlike traditional databases that store data in rows and columns, Neo4j represents data as:

  • Nodes (users, computers, groups)
  • Edges (relationships such as “MemberOf” or “HasSession”)
  • Properties (attributes of nodes and edges)

This structure is ideal for visualizing complex AD relationships and attack paths.

Starting Neo4j on Kali Linux

Neo4j is not started automatically; start it manually:

kali@kali:~$ sudo neo4j start
# Started neo4j (pid:0000). It is available at http://localhost:7474

Open the provided address in your browser and log in using the default credentials:

  • Username: neo4j
  • Password: neo4j

On first login, Neo4j will require you to set a new password.

Launching BloodHound

After configuring Neo4j, start BloodHound:

kali@kali:~$ bloodhound

BloodHound will prompt you for the Neo4j credentials you just configured.

Importing SharpHound Data

Once logged in to the BloodHound GUI:

  1. Click Upload Data (top-right corner)
  2. Upload the ZIP file generated by SharpHound

After importing, BloodHound organizes the data into different categories such as:

  • Users and Groups
  • Sessions
  • ACLs
  • Computers and Domain Info

You can review this information in the Database Info section.

Using Built-In Analysis Queries

The Analysis section contains pre-built queries designed to answer common offensive questions, such as:

  • “Which users can become Domain Admins?”
  • “Which computers have unconstrained delegation?”
  • “Who has dangerous ACL permissions?”

Finding the Shortest Path to Your Goal

One of BloodHound’s most powerful features is its ability to find the shortest attack path between two objects—for example, from a low-privileged user to a Domain Admin account.

This feature works by analyzing all known relationships and privileges, then calculating the minimum number of steps required to reach the target. Each step represents an action an attacker could take, such as:

  • Abusing group membership
  • Exploiting ACL misconfigurations
  • Leveraging active sessions on a system
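Under the hood, BloodHound stores the imported nodes and edges in Neo4j and answers the built-in questions (L118 to L122) and the shortest-path search with Cypher queries. The following added example, which is not code from the original page or from the BloodHound project, reproduces the mechanics in plain Python so the graph model and the hop counting are visible: a constructed snapshot of nodes and typed edges, a breadth-first shortest path from a low-privileged user to Domain Admins, and the equivalent of "which users can become Domain Admins". All names and edges are invented for illustration; the edge labels follow BloodHound's naming.

```python
"""Shortest attack path over BloodHound-style nodes and edges.

Added example on a constructed graph; BloodHound itself runs Cypher
against Neo4j. Node names and edges below are invented.
"""
from collections import deque

# Node -> BloodHound node type (constructed).
NODES = {
    "JOHN@CORP.LOCAL": "User",
    "BOB@CORP.LOCAL": "User",
    "ALICE@CORP.LOCAL": "User",
    "SVC_BACKUP@CORP.LOCAL": "User",
    "HELPDESK@CORP.LOCAL": "Group",
    "DOMAIN USERS@CORP.LOCAL": "Group",
    "GUESTS@CORP.LOCAL": "Group",
    "IT_ADMINS@CORP.LOCAL": "Group",
    "DOMAIN ADMINS@CORP.LOCAL": "Group",
    "WS01.CORP.LOCAL": "Computer",
    "WS02.CORP.LOCAL": "Computer",
}

# Directed edges (source, relationship, target). Direction matters:
# Computer -HasSession-> User means an admin on that computer can reach
# the user's credentials, which is how BloodHound models the edge.
EDGES = [
    ("JOHN@CORP.LOCAL", "MemberOf", "HELPDESK@CORP.LOCAL"),
    ("HELPDESK@CORP.LOCAL", "AdminTo", "WS01.CORP.LOCAL"),
    ("WS01.CORP.LOCAL", "HasSession", "SVC_BACKUP@CORP.LOCAL"),
    ("SVC_BACKUP@CORP.LOCAL", "MemberOf", "DOMAIN ADMINS@CORP.LOCAL"),
    # A longer route to the same target that BFS must not prefer.
    ("JOHN@CORP.LOCAL", "MemberOf", "DOMAIN USERS@CORP.LOCAL"),
    ("DOMAIN USERS@CORP.LOCAL", "CanRDP", "WS02.CORP.LOCAL"),
    ("WS02.CORP.LOCAL", "HasSession", "ALICE@CORP.LOCAL"),
    ("ALICE@CORP.LOCAL", "GenericAll", "IT_ADMINS@CORP.LOCAL"),
    ("IT_ADMINS@CORP.LOCAL", "MemberOf", "DOMAIN ADMINS@CORP.LOCAL"),
    # Dead end: a user with no route anywhere useful.
    ("BOB@CORP.LOCAL", "MemberOf", "GUESTS@CORP.LOCAL"),
]


def build_graph(edges):
    """Adjacency list: node -> [(relationship, target), ...]."""
    adj = {n: [] for n in NODES}
    for src, rel, dst in edges:
        adj.setdefault(src, []).append((rel, dst))
        adj.setdefault(dst, [])
    return adj


def shortest_path(adj, start, goal):
    """Breadth-first search; every edge counts as one hop, as in BloodHound.

    Returns [(src, rel, dst), ...] for the shortest route, [] when
    start == goal, or None when the goal is unreachable.
    """
    if start == goal:
        return []
    prev = {start: None}          # node -> (predecessor, relationship)
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for rel, nxt in adj.get(node, []):
            if nxt in prev:
                continue
            prev[nxt] = (node, rel)
            if nxt == goal:       # first discovery by BFS is the shortest
                path, cur = [], nxt
                while prev[cur] is not None:
                    src, r = prev[cur]
                    path.append((src, r, cur))
                    cur = src
                return path[::-1]
            queue.append(nxt)
    return None


def principals_that_reach(adj, goal, node_type="User"):
    """Equivalent of a built-in query such as 'which users can become
    Domain Admins': every node of node_type with any path to goal."""
    return sorted(
        n for n, t in NODES.items()
        if t == node_type and n != goal
        and shortest_path(adj, n, goal) is not None
    )


if __name__ == "__main__":
    graph = build_graph(EDGES)
    da = "DOMAIN ADMINS@CORP.LOCAL"
    for src, rel, dst in shortest_path(graph, "JOHN@CORP.LOCAL", da):
        print(f"{src} -[{rel}]-> {dst}")
    print("users with a path to DA:", principals_that_reach(graph, da))
```

Two things the example makes visible that the GUI hides. First, the search is purely topological: CanRDP and AdminTo both count as one hop, although RDP access to a workstation does not by itself give you that workstation's sessions, so a BloodHound path is a hypothesis to validate, not a finished plan. Second, HasSession edges come from a point-in-time snapshot; the session that makes a path possible may be gone by the time you act on it, which is why re-collecting session data (SharpHound's looping collection) is common on longer engagements. In the real tool the same search is a Cypher query of the form MATCH p = shortestPath((u:User {name:"JOHN@CORP.LOCAL"})-[*1..]->(g:Group {name:"DOMAIN ADMINS@CORP.LOCAL"})) RETURN p, which you can run yourself from BloodHound's raw query bar.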

Conclusion

Automated Active Directory enumeration with SharpHound and BloodHound dramatically improves a red team’s ability to understand complex enterprise environments and identify realistic attack paths. By efficiently collecting and graphing relationships, permissions, and sessions, these tools transform overwhelming raw data into actionable insights. From a red team perspective, mastering automated enumeration is essential for reliably mapping privilege escalation opportunities while maintaining operational efficiency.

Key Takeaways

  • Automated enumeration accelerates discovery and reduces human error in large AD environments
  • SharpHound provides comprehensive, perspective-based data collection from compromised hosts
  • BloodHound’s graph-based analysis reveals real-world attack paths that are difficult to see manually
  • Built-in queries and shortest-path analysis help prioritize high-impact privilege escalation routes
  • Automation must be balanced with manual validation and strong operational security practices

In real-world engagements, these tools shine when used thoughtfully—scoped carefully, executed stealthily, and chained with other post-exploitation techniques such as credential abuse, lateral movement, or ACL exploitation. Practice extensively in lab environments to truly master their capabilities, and always operate ethically and legally by testing only in authorized systems. When used correctly, automated enumeration becomes a powerful, reliable foundation for advanced red team operations.

Module Progress: 4. Active Directory Enumeration