Active Directory Enumeration
Enumerate Active Directory — ldapsearch/ldapdomaindump/windapsearch, PowerView, built-in net/nltest/setspn, rpcclient/enum4linux null sessions and RID brute, plus BloodHound/Certipy collection references.
ldapsearch -x -H ldap://10.10.10.1 -D '[email protected]' -w Password123 -b 'DC=corp,DC=local'
ldapsearch -x -H ldap://10.10.10.1 -s base namingContexts
ldapsearch ... '(&(objectClass=user)(servicePrincipalName=*))' sAMAccountName
ldapdomaindump -u 'corp.local\\user' -p Password123 10.10.10.1
windapsearch --dc-ip 10.10.10.1 -d corp.local -u user -p pass --da
Get-NetUser | select samaccountname,description
Get-NetGroupMember "Domain Admins"
Get-NetComputer -OperatingSystem "*Server*"
Find-LocalAdminAccess
Invoke-UserHunter
Find-InterestingDomainAcl -ResolveGUIDs
Get-DomainTrust
net user /domain; net group "Domain Admins" /domain
net accounts /domain
nltest /dclist:corp.local; nltest /domain_trusts
setspn -T corp.local -Q */*
enum4linux-ng -A 10.10.10.1
rpcclient -U '' -N 10.10.10.1
rpcclient $> enumdomusers; querydispinfo
nxc smb 10.10.10.1 -u user -p pass --rid-brute
bloodhound-python -d corp.local -u user -p pass -ns 10.10.10.1 -c All
certipy find -u [email protected] -p pass -dc-ip 10.10.10.1 -vulnerable
Related Articles
5
ADCS Attacks (ESC1–ESC16)
AD CS is the quietest road to Domain Admin: one mis-set checkbox on a certificate template…
Active Directory Attacks
Deep dive into Active Directory attack techniques — Kerberoasting, AS-REP Roasting, Pass-t…
Wireshark for Security Professionals
Master Wireshark for security work — capture and display filters, protocol dissection, det…
Golden Ticket Attack — Complete Guide
Golden Ticket Attack Complete Guide: Kerberos Exploitation in Active Directory | LazyHack…
CPTS Exam Walkthrough
A complete, sanitised CPTS-style walkthrough — two trusted Active Directory forests compro…
Related Courses
3Network Penetration Testing
From host discovery to Active Directory attacks
Networking Fundamentals for Pentesters
Understand how networks actually work — so you can break them. TCP/IP, routing, protocols,…
Windows Privilege Escalation — Complete Course
From whoami /priv to NT AUTHORITY\SYSTEM — every technique, tool, and HTB/THM/PG practice …