Active Directory Enumeration Part-1
INTRODUCTION
In this blog post, we will manually enumerate data from the current domain, other sub-domains, the forest and external trusts, while building a basic understanding of the Active Directory infrastructure.
All of this enumeration can also be done with BloodHound (an excellent tool for mapping an Active Directory environment). However, we need at least a surface-level understanding of how things work in AD before proceeding to further exploitation and lateral movement.
High-level understanding of Active Directory:

DOMAIN TRUST
We need to understand domain trusts because we will be enumerating data from other domains.
Trust Direction
Uni-directional
Bi-Directional
Unidirectional (one-way trust): Users in the trusted domain can access resources in the trusting domain, but not vice versa.
Bi-directional (two-way trust): Users of both domains can access resources in each other's domain.
Trust Transitivity
Transitive
Non-transitive
Transitive - The trust can be extended to establish trust relationships with other domains.
All default intra-forest trust relationships (tree-root, parent-child) between domains in the same forest are transitive two-way trusts.
Non-transitive - The trust cannot be extended to other domains in the forest. It can be two-way or one-way.
This is the default trust (called an external trust) between two domains in different forests when the forests themselves do not have a trust relationship.
Enumeration Topics:
Current Domain
Sister/child Domain
Forest
For each of the scopes listed above, we will be enumerating the following data:
Users
Computers
Groups
Group Membership of users
ACLs
Logged ON Users
Domain Administrators
Enterprise Administrators
Network Shares
OUs
GPOs
Applied ACLs for the user group
Domain Trust Mapping
Forest Mapping
Local Admin Access
Tools Used
PowerView
ADModule
CHALLENGE
Before enumerating data from other domains, we need to understand the trust between the current domain (where the current laptop is joined) and the other domains.
I want you to analyze which kind of trust and connectivity must be established to enumerate data from other domains.
ENUMERATION STEPS & COMMANDS
The series is divided into multiple parts:
Part-1:
Trust Enumeration
Domain Enumeration
Forest Enumeration
Domain Controllers
Trust Enumeration
Domain trusts for the current & other domain
PowerView
Get-NetDomainTrust
Get-NetDomainTrust -Domain <other domain>
ADModule
Get-ADTrust
Get-ADTrust -Identity <other domain>
Forest Trust Enumeration
Get-NetForestTrust (PowerView)
Get-ADTrust -Filter 'msDS-TrustForestTrustInfo -ne "$null"' (ADModule)
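The Get-ADTrust calls above answer one domain at a time; the following added example (my own helper, not PowerView or ADModule code) repeats that query against every domain it discovers to produce the "Domain Trust Mapping" listed in the enumeration topics, with the direction and transitivity flags from the trust section alongside each edge. It assumes the ActiveDirectory module is loaded and that a domain controller in each reachable domain answers LDAP queries for the current account.

```powershell
# Added example (not PowerView or ADModule code): breadth-first walk of domain
# trusts, starting from the current domain, to build a Source -> Target map.
# Assumes the ActiveDirectory module is available and that a DC in each
# reachable domain answers LDAP queries for the current account.
Import-Module ActiveDirectory

function Get-TrustMap {
    param(
        [string]$StartDomain = (Get-ADDomain).DNSRoot,  # default: the domain this machine is joined to
        [int]$MaxDepth = 3                               # stop walking after this many hops
    )
    $seen  = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
    $queue = [System.Collections.Generic.Queue[object]]::new()
    $queue.Enqueue(@{ Domain = $StartDomain; Depth = 0 })
    $edges = @()

    while ($queue.Count -gt 0) {
        $item = $queue.Dequeue()
        if (-not $seen.Add($item.Domain)) { continue }   # each domain is queried only once
        try {
            # Same query as Get-ADTrust above, but pointed at a DC of the domain being walked
            $trusts = Get-ADTrust -Filter * -Server $item.Domain -ErrorAction Stop
        } catch {
            Write-Warning "Cannot read trusts from $($item.Domain): $($_.Exception.Message)"
            continue
        }
        foreach ($t in $trusts) {
            $edges += [pscustomobject]@{
                Source       = $item.Domain
                Target       = $t.Target
                Direction    = $t.Direction                # Inbound, Outbound or BiDirectional
                IntraForest  = $t.IntraForest              # parent-child / tree-root trusts
                Transitive   = -not $t.DisallowTransivity  # external trusts are non-transitive by default
                ForestTrust  = $t.ForestTransitive
                SidFiltering = $t.SIDFilteringQuarantined
            }
            if ($item.Depth -lt $MaxDepth) {
                $queue.Enqueue(@{ Domain = $t.Target; Depth = $item.Depth + 1 })
            }
        }
    }
    return $edges
}

# Print the map; one-way and non-transitive edges are where access across the map stops
Get-TrustMap | Sort-Object Direction | Format-Table -AutoSize
```

Domains that cannot be reached from the current account are reported as warnings and skipped rather than aborting the walk.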
Get the current domain (where the current laptop is joined)
Get-NetDomain (PowerView)
Get-ADDomain (ADModule)
Get the object of another domain
Get-NetDomain -Domain <any other domain> (PowerView)
Get-ADDomain -Identity <any other domain> (ADModule)
Get details about the current forest
Get-NetForest (PowerView)
Get-ADForest (ADModule)
Get details about the other forest
Get-NetForest -Forest <forest.local> (PowerView)
Get-ADForest -Identity <forest.local> (ADModule)
Get all domains in the current forest
Get-NetForestDomain (PowerView)
(Get-ADForest).Domains (ADModule)
Global catalogs for the current forest
Get-NetForestCatalog (PowerView)
Get-ADForest | select -ExpandProperty GlobalCatalogs (ADModule)
Get SID of the current domain
Get-DomainSID (PowerView)
(Get-ADDomain).DomainSID (ADModule)
Get the domain policy of the current domain
Get-DomainPolicy; (Get-DomainPolicy)."system access"; (Get-DomainPolicy)."Kerberos Policy" (PowerView)
Get the domain policy of another domain
(Get-DomainPolicy -Domain <domainname>)."system access" (PowerView)
Get the domain controller for the current domain
Get-NetDomainController (PowerView)
Get-ADDomainController (ADModule)
Get the domain controller for another domain
Get-NetDomainController -Domain <domain.local> (PowerView)
Get-ADDomainController -DomainName <domain.local> -Discover (ADModule)
NOTE: You may face challenges while loading these scripts. To avoid them, refer to the execution policy and AMSI bypass techniques, which can be achieved without privileged/local admin access.
References
https://adsecurity.org/
https://github.com/samratashok/ADModule
https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1