Initial Access: Connecting to the Domain-Joined Host
From an offensive standpoint, enumeration begins the moment we gain access to a domain-joined system. In this scenario, we already have valid domain credentials and use them to connect to a Windows client via RDP.
Using a legacy but reliable tool like xfreerdp, we establish a remote desktop session to the target machine:
kali@kali:~$ xfreerdp /u:john /d:example.com /v:192.168.10.100
Once authenticated, we are operating as a low-privileged domain user on a Windows host. This is often enough to start extracting valuable information from Active Directory using built-in tools.
Enumerating Domain Users with net user
One of the first enumeration steps is identifying user accounts in the domain. Windows provides the net.exe utility by default, which makes it extremely useful for stealthy enumeration—no additional tools need to be dropped on disk.
To list all domain users, we use the net user subcommand with the /domain switch:
C:\Users\john>net user /domain
The request will be processed at a domain controller for domain example.com.
User accounts for \\DC1.example.com
-------------------------------------------------------------------------------
Administrator dave Guest
iis_service davidadmin
jen krbtgt john
The command completed successfully.
This command sends the request to the domain controller and returns a list of user accounts. Even this simple output can be valuable. Usernames often reveal roles, responsibilities, or privilege levels.
Identifying High-Value Accounts
During enumeration, naming conventions matter. The presence of the word admin in a username—whether as a prefix or suffix—immediately raises attention. Such accounts are often administrative or highly privileged.
To inspect this user more closely, we query the account directly:
C:\Users\john>net user davidadmin /domain
The request will be processed at a domain controller for domain corp.com.
User name davidadmin
Full Name
...
Logon hours allowed All
Local Group Memberships *Administrators
Global Group memberships *Domain Users *Domain Admins
The command completed successfully.
This confirms that davidadmin is a member of the Domain Admins group.
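The same membership check can be automated on the defensive side when auditing accounts in a domain. The following Python parser, added here as an illustration and not code from the original post, reads the text that `net user <name> /domain` prints, extracts the account name, status and group memberships, and reports memberships in privileged groups. The sample output strings are constructed to match the shape shown above, and the privileged-group list and the admin naming pattern are assumptions chosen for the example.

```python
"""Parse `net user <name> /domain` output and report privileged group membership.

Illustrative audit helper (not from the original post). The samples below are
constructed to match the layout net.exe prints: a label column, then values,
with group names introduced by '*' and possibly wrapped onto extra lines.
"""
import re

# Constructed sample: the Domain Admin account shown in the post.
SAMPLE_ADMIN_OUTPUT = """\
User name                    davidadmin
Full Name
Comment
User's comment
Account active               Yes
Account expires              Never

Logon hours allowed          All

Local Group Memberships      *Administrators
Global Group memberships     *Domain Users         *Domain Admins
The command completed successfully.
"""

# Constructed sample: an ordinary user with a wrapped group list.
SAMPLE_PLAIN_OUTPUT = """\
User name                    pete
Full Name
Account active               Yes

Local Group Memberships
Global Group memberships     *Domain Users
                             *Sales Department
The command completed successfully.
"""

# Assumed list of groups worth flagging; extend to match the environment.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
# Assumed naming pattern: accounts whose name advertises an administrative role.
ADMIN_NAME_PATTERN = re.compile(r"adm(in)?", re.IGNORECASE)

LOCAL_LABEL = "Local Group Memberships"
GLOBAL_LABEL = "Global Group memberships"


def _split_groups(fragment):
    """'  *Domain Users   *Domain Admins' -> ['Domain Users', 'Domain Admins']."""
    return [g.strip() for g in fragment.split("*") if g.strip()]


def parse_net_user(text):
    """Return name, active flag and group lists from net user output."""
    info = {"name": None, "active": None, "local_groups": [], "global_groups": []}
    current = None  # which list wrapped continuation lines belong to
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("The command completed"):
            current = None
            continue
        if line.startswith("User name"):
            info["name"] = line[len("User name"):].strip()
            current = None
        elif line.startswith("Account active"):
            info["active"] = line[len("Account active"):].strip().lower() == "yes"
            current = None
        elif line.startswith(LOCAL_LABEL):
            current = "local_groups"
            info[current].extend(_split_groups(line[len(LOCAL_LABEL):]))
        elif line.startswith(GLOBAL_LABEL):
            current = "global_groups"
            info[current].extend(_split_groups(line[len(GLOBAL_LABEL):]))
        elif current and line.lstrip().startswith("*"):
            # continuation line of a long group list
            info[current].extend(_split_groups(line))
        else:
            current = None
    return info


def privilege_findings(info):
    """List the reasons an account deserves a closer look."""
    findings = []
    for group in info["local_groups"] + info["global_groups"]:
        if group in PRIVILEGED_GROUPS:
            findings.append(f"{info['name']} is a member of privileged group '{group}'")
    if ADMIN_NAME_PATTERN.search(info["name"] or ""):
        findings.append(f"{info['name']} follows an admin naming pattern; "
                        "confirm it is a dedicated admin account, not a daily-use one")
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_ADMIN_OUTPUT, SAMPLE_PLAIN_OUTPUT):
        info = parse_net_user(sample)
        print(info["name"], info["global_groups"], privilege_findings(info))
```

Feeding the output of `net user` for every account through `parse_net_user` gives an administrator the same picture an attacker builds from this step, which is the basis for deciding which memberships and account names need to change.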
Why This Matters
At this stage, we may not have control over the account, but we have identified a critical attack target. If this account is compromised later—through password spraying, credential dumping, or lateral movement—we can escalate privileges to full Domain Administrator, effectively owning the entire Active Directory environment.
Enumerating Domain Groups
Users alone do not tell the full story. Groups define access, permissions, and trust relationships across the domain. Using the same net.exe tool, we can enumerate all domain groups:
C:\Users\john>net group /domain
The request will be processed at a domain controller for domain corp.com.
Group Accounts for \\DC1.example.com
-------------------------------------------------------------------------------
...
*Management Department
*Sales Department
...
The command completed successfully.
This returns a list of both default and custom-created groups. Some groups are created automatically by Active Directory, while others are manually created by administrators to manage users and resources.
Inspecting Group Memberships
After identifying interesting groups, the next step is to examine their members. This helps us understand how users are organized and what access they may have.
For example, to inspect the Sales Department group:
C:\Users\john>net group "Sales Department" /domain
The request will be processed at a domain controller for domain corp.com.
Group name Sales Department
Comment
Members
-------------------------------------------------------------------------------
pete john
The command completed successfully.
Here, we confirm that our current user, john, is a member of this group. While this may not seem immediately impactful, group membership can grant access to shared folders, internal applications, or even delegated administrative privileges.
Why Basic Enumeration Still Matters
At first glance, this information may appear limited or unimportant. However, successful Active Directory attacks are built by correlating small pieces of data:
- Usernames and naming patterns
- Group memberships
- Privileged accounts
- Organizational structure
Legacy tools like net.exe provide a low-noise, highly compatible way to gather this intelligence. Although more advanced tools exist with greater flexibility and automation, understanding and using built-in Windows utilities is essential—especially in restricted environments where deploying custom tools may trigger defenses.
Enumeration is not about a single command. It is about patiently mapping the domain, step by step, until a clear attack path emerges.
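"Low-noise" is relative: every net.exe command still produces a process-creation record (Windows Security event 4688 when command-line logging is enabled, or Sysmon event ID 1), and net.exe hands the user and group subcommands to net1.exe, so a second record appears under that image. The Python below, added as a defender-side illustration rather than code from the original post, scans such records for the commands shown in this post and correlates them per host and user, mirroring the "small pieces add up" argument from the detection side. The event dictionaries are constructed sample telemetry with assumed field names (host, user, image, parent, cmdline); the privileged-group list and the alert threshold are assumptions.

```python
"""Flag net.exe / net1.exe domain enumeration in process-creation telemetry.

Illustrative detection logic (not from the original post). SAMPLE_EVENTS is
constructed to resemble the fields of Security event 4688 or Sysmon event 1;
field names are an assumption of this example.
"""
import shlex
from collections import defaultdict

# Constructed sample telemetry, including the commands used in the post.
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "EXAMPLE\\john", "image": r"C:\Windows\System32\net.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmdline": "net user /domain"},
    {"host": "WS01", "user": "EXAMPLE\\john", "image": r"C:\Windows\System32\net1.exe",
     "parent": r"C:\Windows\System32\net.exe", "cmdline": r"C:\Windows\system32\net1 user /domain"},
    {"host": "WS01", "user": "EXAMPLE\\john", "image": r"C:\Windows\System32\net.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmdline": "net user davidadmin /domain"},
    {"host": "WS01", "user": "EXAMPLE\\john", "image": r"C:\Windows\System32\net.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmdline": 'net group "Domain Admins" /domain'},
    {"host": "WS01", "user": "EXAMPLE\\john", "image": r"C:\Windows\System32\net.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmdline": 'net group "Sales Department" /domain'},
    {"host": "SRV02", "user": "EXAMPLE\\svc_backup", "image": r"C:\Windows\System32\net.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmdline": r"net use Z: \\fileserver\share"},
    {"host": "WS01", "user": "EXAMPLE\\john", "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe notes.txt"},
]

# Assumed: groups whose direct inspection is always worth an alert.
PRIVILEGED_GROUPS = {"domain admins", "enterprise admins", "schema admins", "administrators"}
# net subcommands that read directory objects rather than map drives etc.
ENUM_VERBS = {"user", "group", "localgroup", "accounts"}
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}


def classify(event):
    """Return a finding for a net/net1 enumeration command with /domain, else None."""
    image = event["image"].lower()
    if not image.endswith(("\\net.exe", "\\net1.exe")):
        return None
    try:
        # posix=False keeps Windows paths intact and a quoted group name in one token
        argv = shlex.split(event["cmdline"], posix=False)
    except ValueError:
        return None
    if len(argv) < 2:
        return None
    verb = argv[1].lower()
    args = [a.strip('"') for a in argv[2:]]
    if verb not in ENUM_VERBS or not any(a.lower() == "/domain" for a in args):
        return None
    target = next((a for a in args if not a.startswith("/")), None)
    if verb == "group" and target and target.lower() in PRIVILEGED_GROUPS:
        severity = "high"      # a privileged group queried by name
    elif target:
        severity = "medium"    # one account or group inspected in detail
    else:
        severity = "low"       # bulk listing of users or groups
    return {"host": event["host"], "user": event["user"], "verb": verb,
            "target": target, "severity": severity, "cmdline": event["cmdline"]}


def summarize(events, threshold=3):
    """Correlate findings per (host, user); alert on volume or on any high finding."""
    per_principal = defaultdict(list)
    for ev in events:
        finding = classify(ev)
        if finding:
            per_principal[(finding["host"], finding["user"])].append(finding)
    report = {}
    for key, findings in per_principal.items():
        worst = max(findings, key=lambda f: SEVERITY_RANK[f["severity"]])["severity"]
        report[key] = {"count": len(findings), "max_severity": worst,
                       "alert": len(findings) >= threshold or worst == "high"}
    return report


if __name__ == "__main__":
    for principal, summary in summarize(SAMPLE_EVENTS).items():
        print(principal, summary)
```

Because the image check accepts both net.exe and net1.exe, a rule written only against "net.exe" does not quietly miss the child process; the per-principal summary is what turns five individually unremarkable commands into one alert.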
Conclusion
Manual enumeration using legacy Windows tools remains a foundational skill for any red team operator, especially during early post-compromise phases. By leveraging built-in utilities like net.exe, we can reliably and stealthily extract critical Active Directory intelligence without introducing additional tooling. From identifying users and groups to spotting high-value accounts, this low-noise approach is essential for building real-world attack paths in restricted environments.
Key Takeaways
- Built-in Windows tools enable stealthy, reliable enumeration without dropping binaries.
- User and group enumeration reveals organizational structure and privilege relationships.
- Naming conventions often expose high-value or administrative accounts.
- Small data points, when correlated, lead to effective privilege escalation paths.
- Mastering manual techniques is essential when advanced tools are blocked or monitored.
To truly internalize these techniques, practice them repeatedly in lab environments that mirror real-world constraints. Always prioritize stealth and opsec, and think about how this intelligence can be chained with later-stage techniques like credential access or lateral movement. Finally, remember to apply these skills ethically and legally—only in environments where you have explicit authorization to test.