Initial Domain Enumeration

Domain enumeration begins immediately upon gaining access to any domain-joined system, even with an unprivileged account. Built-in Windows commands provide the first layer of reconnaissance: net user /domain, net group /domain, and nltest reveal users, groups, and domain controllers. These commands work from any domain member without additional tooling, which makes them the natural starting point for an initial assessment. They are also noisy: each invocation is a process-creation event (net.exe, net1.exe, nltest.exe) that well-instrumented environments log and alert on.
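The detection side of the built-in commands listed above, as an added example that is not part of the original page: a small Python detector that classifies constructed 4688-style process-creation records and raises an alert when one account runs two or more distinct reconnaissance commands on the same host within a five-minute window. The log format (timestamp|host|account|command line), the category names, and the thresholds are assumptions for this illustration.

```python
"""Flag the built-in AD recon commands (net ... /domain, nltest) in
process-creation events. All log lines below are constructed samples."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample 4688-style records: "timestamp|host|account|command line".
SAMPLE_LOG = """\
2024-05-01T09:00:01|WS01|CORP\\jdoe|net  user /domain
2024-05-01T09:00:05|WS01|CORP\\jdoe|net group "Domain Admins" /domain
2024-05-01T09:00:40|WS01|CORP\\jdoe|nltest /dclist:corp.local
2024-05-01T09:30:00|WS07|CORP\\svc_backup|net use \\\\fs01\\share
2024-05-01T11:15:00|WS02|CORP\\asmith|net user /domain
"""

# Assumed category names; patterns cover net.exe/net1.exe and nltest.exe usage.
RECON_PATTERNS = {
    "net_user_domain":  re.compile(r"^\s*net1?(\.exe)?\s+user\b.*\s/domain\b", re.I),
    "net_group_domain": re.compile(r"^\s*net1?(\.exe)?\s+(local)?group\b.*\s/domain\b", re.I),
    "nltest_recon":     re.compile(r"^\s*nltest(\.exe)?\s+/(dclist|domain_trusts|dsgetdc)", re.I),
}

def classify(cmdline):
    """Return the recon category matching a command line, or None."""
    for name, pat in RECON_PATTERNS.items():
        if pat.search(cmdline):
            return name
    return None

def find_enumeration_bursts(log_text, window=timedelta(minutes=5), min_hits=2):
    """Group matching events per (host, account) and return one alert per
    pair that runs at least min_hits distinct recon categories in a window."""
    events = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, host, account, cmd = line.split("|", 3)
        category = classify(cmd)
        if category:
            events[(host, account)].append((datetime.fromisoformat(ts), category))
    alerts = []
    for (host, account), hits in events.items():
        hits.sort()  # chronological, so hits[i:] are all at or after start
        for i, (start, _) in enumerate(hits):
            in_window = {c for t, c in hits[i:] if t - start <= window}
            if len(in_window) >= min_hits:
                alerts.append((host, account, sorted(in_window)))
                break  # one alert per host/account pair is enough
    return alerts
```

Only the WS01/jdoe sequence trips the threshold; a single net user /domain from another account and a plain net use do not.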

LDAP queries extract detailed AD information without privileged access. Tools such as ldapsearch on Linux or PowerShell's ActiveDirectory module enumerate users, groups, computers, and organizational structure. Anonymous LDAP binding sometimes permits enumeration without credentials, although Active Directory exposes only the rootDSE anonymously by default and wider anonymous access has to be enabled deliberately. Focus on identifying privileged groups (Domain Admins, Enterprise Admins), service accounts, and potential targets.

BloodHound changed AD attack path analysis by treating the directory as a graph. The tool maps AD relationships, including group memberships, ACLs, trusts, and sessions, and reveals non-obvious escalation paths. SharpHound collectors gather data from domain controllers and domain members, while the BloodHound interface visualizes paths from current access to domain administration. Pre-built queries identify quick wins and complex multi-hop paths alike.

PowerView provides PowerShell-based AD enumeration without requiring administrative tools. Its functions enumerate users, groups, computers, shares, and ACLs through LDAP and Windows APIs, and its flexibility enables custom queries and targeted enumeration. Understanding the underlying techniques rather than memorizing commands develops the adaptability needed when tools are unavailable.