Active Directory Enumeration & Attack: Tools of the Trade
In modern enterprise security, Active Directory (AD) is the central target for most internal network breaches. Gaining a foothold and moving laterally requires a deep understanding of the protocols that hold AD together—and the tools that can manipulate them.
Whether you're attacking from a domain-joined Windows workstation or a rogue Linux host on the network, having the right toolkit is paramount. This guide categorizes the most essential tools used in AD engagements, from situational awareness and enumeration to exploitation and auditing.
1. Enumeration & Situational Awareness
The first phase of any AD engagement is mapping out the environment. You need to know who the users are, what groups they belong to, and which machines they are logged into.
| Tool | Description |
|---|---|
| PowerView / SharpView | PowerShell/.NET tools for gaining situational awareness. Replacements for Windows net* commands, ideal for finding users, computers, and "quick wins" like Kerberoastable accounts. |
| BloodHound | Graph-based analysis tool to visually map out AD relationships and attack paths. Uses SharpHound for data collection. |
| SharpHound | The C# ingestor for BloodHound. Collects information about users, groups, computers, ACLs, GPOs, and more. |
| BloodHound.py | Python-based BloodHound ingestor, ideal for non-domain-joined Linux attack hosts. |
| windapsearch | Python script for automating custom LDAP queries to enumerate users, groups, and computers. |
| adidnsdump | Enumerates and dumps AD-integrated DNS records over LDAP, producing output similar to a DNS zone transfer. |
| rpcinfo / rpcclient | rpcinfo queries RPC services exposed by a host; rpcclient (from Samba) performs AD enumeration over MS-RPC, such as listing users, groups, and domain policy. |
| enum4linux-ng | A modern rework of enum4linux for enumerating Windows and Samba systems. |
| ldapsearch | The standard command-line LDAP client (part of the OpenLDAP client utilities) for issuing LDAP queries directly against a domain controller. |
| Active Directory Explorer | A Sysinternals AD viewer and editor for navigating AD databases and taking snapshots for offline analysis. |
2. Authentication & Credential Attacks
Once you have a list of targets, the next step is obtaining valid credentials or session tickets.
| Tool | Description |
|---|---|
| Impacket toolkit | The "Swiss Army Knife" for AD. Includes tools like GetUserSPNs.py, GetNPUsers.py, secretsdump.py, and more. |
| Rubeus | A C# tool built for Kerberos abuse, including AS-REP roasting, Kerberoasting, and ticket manipulation. |
| Mimikatz | The legendary tool for extracting plaintext passwords, hashes, and Kerberos tickets from memory. |
| Responder / Inveigh | Poisoners for LLMNR, NBT-NS, and mDNS. Essential for capturing NTLMv2 hashes via man-in-the-middle. |
| Kerbrute | A Go-based tool for Kerberos account enumeration, password spraying, and brute-forcing. |
| DomainPasswordSpray.ps1 | PowerShell tool for password spraying against domain users; it reads the domain lockout policy so that sprays stay below the lockout threshold. |
| Hashcat | The world's fastest password cracker, used for offline cracking of captured hashes (Kerberos, NTLM, etc.). |
| gpp-decrypt | Decrypts the cpassword values stored in Group Policy Preferences (GPP) XML files. |
| PKINITtools | PKINIT helper scripts: gettgtpkinit.py requests a TGT using a certificate, and getnthash.py recovers the account's NT hash using that TGT. |
3. Lateral Movement & Exploitation
With credentials in hand, you can move through the network or escalate your privileges.
| Tool | Description |
|---|---|
| CrackMapExec (CME) | A powerhouse for post-exploitation, supporting SMB, WMI, WinRM, MSSQL, and more for command execution across a domain. |
| evil-winrm | The ultimate shell for interacting with hosts over the WinRM protocol. |
| psexec.py / wmiexec.py | Impacket scripts for remote command execution, either PsExec-style (via a temporary service over SMB) or via WMI. |
| noPac.py | Exploit for CVE-2021-42278 and CVE-2021-42287 to impersonate a Domain Admin from a standard user. |
| PetitPotam.py | Tool for coercing Windows hosts to authenticate to other machines, often used for NTLM relay attacks. |
| ntlmrelayx.py | Impacket's tool for performing SMB/HTTP relay attacks to gain shells or dump secrets. |
| Snaffler | Audits accessible file shares for sensitive information, such as passwords, certificates, or configuration files. |
| smbmap | Enumerates SMB shares and permissions across an entire domain. |
| LAPSToolkit | PowerShell functions for auditing and attacking Microsoft's Local Administrator Password Solution (LAPS). |
4. Domain Trusts & Persistence
Advanced attacks often involve moving between parent and child domains or establishing long-term access.
| Tool | Description |
|---|---|
| ticketer.py | Creates and customizes TGT/TGS tickets for Golden/Silver Ticket attacks and trust abuse. |
| raiseChild.py | Automates privilege escalation from a child domain to a parent domain. |
| lookupsid.py | Impacket script that enumerates domain users and groups by brute-forcing RIDs over LSARPC, useful for finding accounts and groups not visible through other means. |
| setspn.exe | Native Windows binary for viewing and managing Service Principal Names (SPNs). |
5. Auditing & Risk Assessment
Finally, auditing tools provide a high-level overview of the domain's security posture.
| Tool | Description |
|---|---|
| PingCastle | A risk assessment tool that provides a "maturity score" based on AD security best practices. |
| Group3r | Specifically audits Group Policy Objects (GPOs) for security misconfigurations. |
| ADRecon | Extracts comprehensive data from AD into an Excel report for detailed security analysis. |
Conclusion
Mastering Active Directory exploitation is not just about knowing the tools—it's about understanding the underlying protocols like Kerberos, LDAP, and SMB. The tools listed above represent the current industry standards for both Red Teamers and penetration testers.
Whether you are performing a stealthy engagement using PowerView and BloodHound, or going for direct exploitation with Impacket and Mimikatz, this toolkit provides everything you need to navigate and conquer even the most hardened AD environments.
This guide serves as a reference for the tools covered in our AD exploitation modules. Happy hunting!