Additional Enumeration Techniques

  • LDAP enumeration - Any valid domain credential pair (no special privileges required) can bind to a Domain Controller's LDAP interface (TCP 389, LDAPS 636, or the Global Catalog on 3268/3269). By default, Authenticated Users can read most attributes of most objects in the directory, so once bound you can write LDAP search filters to enumerate users, computers, groups, trusts, delegation settings and more. Note that results are paged (1000 objects per page by default), so a client that does not request paging silently truncates large result sets.

  • PowerView - PowerView is a recon script that is part of the PowerSploit project. Although PowerSploit is no longer maintained, scripts such as PowerView remain useful for semi-manual enumeration of AD objects in a pinch; its cmdlets (Get-DomainUser, Get-DomainComputer, Get-DomainGroupMember, Get-DomainTrust, and so on) wrap the same LDAP queries you would otherwise write by hand. Be aware that the script is widely signatured by AV/EDR, so loading it unmodified on a monitored host is likely to be blocked or alerted on.

  • Windows Management Instrumentation (WMI) - WMI can be used to enumerate information from Windows hosts. It has an LDAP provider in the "root\directory\ldap" namespace that exposes AD object classes as WMI classes named ds_<objectClass> (for example ds_user, ds_computer, ds_group), with attributes prefixed ds_ (for example ds_sAMAccountName, ds_userAccountControl). We can query this provider with Get-WmiObject or Get-CimInstance in PowerShell, locally on a DC or remotely over DCOM/WinRM, to perform AD enumeration without touching the LDAP port directly.
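The following PowerShell is an added example, not code from the original page or from PowerSploit. It shows the first and third techniques above side by side: raw LDAP searches through the .NET System.DirectoryServices classes that ship with Windows (so no PowerView is needed), and the same kind of query through the WMI root\directory\ldap provider. The domain corp.local, the DC dc01.corp.local and the account corp\jdoe with its password are constructed placeholders and must be replaced; any low-privileged domain user is sufficient.

```powershell
# Added example (not from the original page). Placeholders below are assumptions:
# replace the DC, base DN and credentials with your own.
$DcHost   = 'dc01.corp.local'
$BaseDn   = 'DC=corp,DC=local'
$User     = 'corp\jdoe'        # hypothetical low-privileged domain user
$Password = 'Passw0rd!'        # hypothetical password

function Invoke-LdapSearch {
    <#
    Bind to the DC's LDAP interface and run an arbitrary LDAP filter.
    DirectorySearcher with PageSize set requests the paged-results control,
    so result sets larger than the server's MaxPageSize (1000) are returned in full.
    #>
    param(
        [Parameter(Mandatory)][string]$Filter,
        [string[]]$Properties = @('samaccountname', 'distinguishedname')
    )
    $entry    = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$DcHost/$BaseDn", $User, $Password)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($entry)
    $searcher.Filter   = $Filter
    $searcher.PageSize = 1000
    $searcher.PropertiesToLoad.AddRange($Properties)
    foreach ($r in $searcher.FindAll()) {
        $obj = [ordered]@{}
        # Result attribute names come back lower-cased; multi-valued attributes are joined.
        foreach ($p in $Properties) { $obj[$p] = ($r.Properties[$p] -join ';') }
        [pscustomobject]$obj
    }
}

function Invoke-WmiLdapSearch {
    <#
    Same enumeration via the WMI LDAP provider (namespace root\directory\ldap).
    Each AD class is a WMI class ds_<objectClass>; each attribute is ds_<attribute>.
    Handy when only WMI/DCOM reaches the DC or when an LDAP client is unavailable.
    #>
    param(
        [Parameter(Mandatory)][string]$Class,                       # ds_user, ds_computer, ds_group ...
        [string[]]$Properties = @('ds_sAMAccountName', 'ds_distinguishedName'),
        [scriptblock]$Where = { $true }                             # client-side filter
    )
    $cred = New-Object System.Management.Automation.PSCredential(
        $User, (ConvertTo-SecureString $Password -AsPlainText -Force))
    Get-WmiObject -Namespace 'root\directory\ldap' -Class $Class -ComputerName $DcHost -Credential $cred |
        Where-Object $Where |
        Select-Object -Property $Properties
}

# --- usage: accounts worth Kerberoasting (SPN set, enabled, not krbtgt) ---
# 1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND; 2 = ACCOUNTDISABLE.
Invoke-LdapSearch -Filter '(&(objectCategory=person)(objectClass=user)(servicePrincipalName=*)(!(samAccountName=krbtgt))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))' `
    -Properties samaccountname, serviceprincipalname, pwdlastset

# --- users that do not require Kerberos pre-authentication (AS-REP roastable) ---
# 4194304 = DONT_REQ_PREAUTH (0x400000).
Invoke-LdapSearch -Filter '(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))'

# --- computers trusted for unconstrained delegation ---
# 524288 = TRUSTED_FOR_DELEGATION (0x80000).
Invoke-LdapSearch -Filter '(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=524288))' `
    -Properties samaccountname, dnshostname, operatingsystem

# --- nested (transitive) members of Domain Admins ---
# 1.2.840.113556.1.4.1941 is LDAP_MATCHING_RULE_IN_CHAIN, so nested groups are expanded server-side.
Invoke-LdapSearch -Filter "(memberOf:1.2.840.113556.1.4.1941:=CN=Domain Admins,CN=Users,$BaseDn)"

# --- the Kerberoast check again, but over WMI instead of LDAP ---
# The provider returns userAccountControl as an integer, so test the disabled bit with -band.
Invoke-WmiLdapSearch -Class ds_user -Properties ds_sAMAccountName, ds_servicePrincipalName `
    -Where { $_.ds_servicePrincipalName -and -not ($_.ds_userAccountControl -band 2) }
```

When running in the context of an already-authenticated domain session, the explicit username and password can be dropped (use the single-argument DirectoryEntry constructor and omit -Credential), and the searches then ride on the current Kerberos ticket. The same LDAP filters are what PowerView issues under the hood; the first and third queries correspond to Get-DomainUser -SPN and Get-DomainComputer -Unconstrained, and the Domain Admins query to Get-DomainGroupMember -Identity 'Domain Admins' -Recurse. Both paths generate logons on the DC (4624 with logon type 3) and, where LDAP query logging or WMI activity logging is enabled, leave a record of the exact filter or class requested, so the filters above are worth reviewing from a detection standpoint as well.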