AD Enumeration Path
Active Directory enumeration workflow
Active Directory Enumeration
Interactive Mind Map
graph TD
A[Domain Access] --> B[BloodHound Collection]
B --> C[Identify Users]
C --> D[Identify Groups]
D --> E[Find Privileged Accounts]
E --> F[Map Admin Access]
F --> G[Find Attack Paths]
G --> H[Kerberoastable?]
G --> I[AS-REP Roastable?]
G --> J[Delegation?]
Quick Reference
BloodHound
bloodhound-python -u user -p pass -d domain.local -c all  # Collect BloodHound data remotely
neo4j console  # Start Neo4j database
bloodhound  # Launch BloodHound GUI
LDAP
ldapsearch -x -H ldap://dc.domain.local -b 'DC=domain,DC=local' # Query LDAP for domain info
PowerView
Get-DomainUser  # List domain users (PowerView)
Get-DomainGroup  # List domain groups
Find-LocalAdminAccess  # Find machines where current user is admin
Get-DomainGPO  # Enumerate Group Policy Objects
CME
crackmapexec smb 10.10.10.5 -u user -p pass --users  # Enumerate domain users via SMB
crackmapexec smb 10.10.10.5 -u user -p pass --shares  # Enumerate SMB shares