Credentialed Enumeration
Get a full view of the domain after obtaining a set of credentials
Active Directory is Microsoft’s directory service for Windows domain networks. Its primary goal is to centralize the authentication and authorization of users within the network on Domain Controllers (DCs), which are commonly Windows servers running Active Directory Domain Services (AD DS). Active Directory is very commonly used to manage internal enterprise networks.
The network protocols most essential for the function of AD DS are:
Other services and protocols that are used within Active Directory environments include:
Linux hosts can also be part of an Active Directory domain when configured properly and can thus authenticate domain accounts and access domain services.
Active Directory services are a key avenue for attackers to gain initial access, move laterally, escalate privileges, and eventually achieve full domain compromise. Once attackers breach the domain initially, they can harvest hashes and credentials of domain accounts and abuse their access rights to move laterally within the network. This process is repeated until the attacker leverages their access to compromise a domain admin or enterprise admin user. From there, attackers can dump the password hashes stored on the domain controller, or use any of a plethora of methods to establish persistent and privileged access on the domain.
Get a full view of the domain after obtaining a set of credentials
What do I have to do to get my first set of domain credentials?
Move from account to account, service to service, and machine to machine while escalating your privileges until you compromise the domain.