AD: Basic Enumeration TryHackMe

Overview

This room introduces the first phase of attacking an Active Directory environment without credentials. The focus is on identifying live hosts, finding the domain controller, enumerating SMB shares, querying LDAP anonymously where possible, and building enough domain knowledge to move toward valid credentials.

Core idea: in an internal AD assessment, early wins usually come from disciplined unauthenticated enumeration of hosts, services, users, and misconfigurations rather than from immediate exploitation.

1) Goals of Basic AD Enumeration

The room frames four main objectives:

enumerate the target domain and network,
identify valid users and domain misconfigurations,
find opportunities for password spraying,
locate sensitive credentials in accessible files or shares.

2) Verifying Network Access

Before scanning, confirm that your attacker box can actually reach the target subnet.

route or ip route can confirm the VPN route exists.
If the subnet appears in routing output, basic communication should be possible.
Simple ping checks can confirm connectivity to known targets.

3) Host Discovery

The first practical step is identifying live systems in scope.

fping -agq <subnet>: fast ICMP-based sweep across the subnet.
nmap -sn <subnet>: host discovery without port scanning.

From there, save the relevant targets to a file such as hosts.txt for later scans.

4) Identifying the Domain Controller

Once live hosts are known, the next step is spotting the DC by its exposed services.

88/tcp Kerberos
135/tcp MS-RPC
139/tcp NetBIOS/SMB
389/tcp LDAP
445/tcp SMB
464/tcp Kerberos password service
636/tcp LDAPS

A targeted scan such as nmap -p 88,135,139,389,445,636 -sV -sC TARGET is often enough to confirm an AD host.

5) SMB Enumeration

SMB is one of the richest early-enumeration protocols in Windows environments.

smbclient -L //TARGET -N: lists shares anonymously if null sessions are allowed.
smbmap -H TARGET: quickly shows which shares are readable or writable.
Nmap smb-enum-shares: another good way to inspect SMB exposure.

Why this matters: anonymous or weakly protected shares often contain backups, scripts, documents, config files, and sometimes credentials.

6) Accessing Shares and Pulling Files

Once a readable share is found, connect and inspect it manually.

smbclient //TARGET/SHARE -N to connect anonymously.
ls to list files.
get filename to download interesting material.

Shared folders like user backups or internal file drops are especially valuable during an initial foothold phase.

7) LDAP Enumeration

If anonymous LDAP bind is enabled, it can reveal a lot about the domain structure.

ldapsearch -x -H ldap://TARGET -s base can confirm anonymous access and expose naming contexts.
ldapsearch -x -H ldap://TARGET -b "dc=example,dc=loc" "(objectClass=person)" can enumerate user objects.

This can expose domain names, hostnames, users, and other directory metadata without needing credentials.

8) Helpful Enumeration Tools

The room also points to automation helpers that speed up AD discovery:

enum4linux-ng: broad SMB and RPC enumeration.
CrackMapExec: excellent for SMB-focused validation and later credential testing.
Impacket smbclient: Python-based SMB interaction from the Impacket suite.

9) Practical AD Enumeration Mindset

This room is about building a map of the environment before attempting password attacks or exploitation.

Find live hosts.
Identify the domain controller.
Inspect SMB shares for exposed data.
Test whether LDAP allows anonymous information leakage.
Use what you learn to build user lists and target selection for the next phase.

Exam Notes (PT1)

In unauthenticated AD testing, start with host discovery, DC identification, SMB enumeration, and LDAP checks.
Kerberos, LDAP, SMB, and RPC ports together are strong indicators of a domain controller.
Anonymous SMB shares can expose files, backups, scripts, and credentials.
Anonymous LDAP bind can reveal domain naming contexts and user objects.
fping, nmap, smbclient, smbmap, ldapsearch, and enum4linux-ng are key tools to remember.