OSCP AD Enumeration: Your Ultimate Cheat Sheet
Hey there, future OSCP rockstars! If you’re diving into the intense world of the Offensive Security Certified Professional (OSCP) exam, you know that Active Directory enumeration isn’t just a fancy phrase; it’s an absolutely critical skill that can make or break your entire engagement. This guide, your ultimate OSCP AD enumeration cheat sheet, is designed to be your best friend when you’re staring down a complex Windows domain. We’re going to break down the core concepts, show you the must-have tools, and walk through the techniques you need to master to uncover those hidden pathways to domain compromise. Forget about getting stuck early on in your lab or exam; with proper Active Directory enumeration, you’ll be able to map out the entire network, identify vulnerable users, misconfigured services, and weak spots that are ripe for exploitation. This isn’t just about running a few commands; it’s about understanding what you’re looking for, why it matters, and how to connect the dots to paint a clear picture of the target environment. We’ll cover everything from initial reconnaissance to deep dives into user privileges and group memberships, ensuring you have a comprehensive playbook to approach any Active Directory scenario. So, buckle up, because by the end of this cheat sheet, you’ll be much more confident in your ability to enumerate and exploit Active Directory environments like a pro, making your OSCP journey smoother and more successful. Remember, guys, thorough enumeration is the cornerstone of a successful penetration test, especially when dealing with the pervasive and often complex Active Directory infrastructures you’ll encounter.
Why Active Directory Enumeration is Your Best Friend in OSCP
Let’s be real, folks: Active Directory (AD) enumeration is often the unsung hero of a successful OSCP engagement. It’s not just a step in your methodology; it’s the foundation upon which almost all your Windows-based attacks will be built. Without a comprehensive understanding of the target AD environment, you’re essentially wandering in the dark, hoping to stumble upon a vulnerability. Active Directory enumeration allows you to systematically gather crucial intelligence about users, groups, computers, domain policies, trusts, and services running within the domain. This intelligence is invaluable because it directly informs your attack path. Think about it: how can you craft a targeted phishing attack if you don’t know who the privileged users are? How can you exploit a service misconfiguration if you don’t even know which services are running and under what accounts? This is where OSCP AD enumeration truly shines. It helps you identify potential targets for Kerberoasting, spot accounts vulnerable to AS-REP Roasting, discover insecure service principal names (SPNs), locate unconstrained delegation, and even uncover outdated systems or misconfigured group policies. The sheer amount of information you can extract—from identifying domain administrators to finding shares with weak permissions—is astounding and incredibly empowering. Every piece of data, no matter how small it seems, can be a puzzle piece leading you closer to domain compromise. Mastering Active Directory enumeration means you’re not just executing tools; you’re understanding the environment, predicting potential weaknesses, and strategizing your next move. This proactive approach, fueled by solid enumeration, is what separates an average penetration tester from an OSCP-level professional. It significantly reduces the guesswork, making your exploitation efforts more focused, efficient, and ultimately, more successful during the demanding OSCP exam. So, consider Active Directory enumeration your secret weapon, allowing you to reveal the hidden architecture and weaknesses that lead to critical compromise.
Essential Tools for Active Directory Enumeration
When it comes to Active Directory enumeration in an OSCP context, having the right tools in your arsenal is absolutely crucial. You’ll be encountering a variety of scenarios, and each tool offers unique capabilities to help you peel back the layers of the domain. From network scanning utilities to specialized scripts for Windows and Linux, understanding how and when to use these tools effectively will drastically improve your enumeration game. We’re not just listing tools; we’re explaining their purpose and common OSCP AD enumeration applications. We’ll look at the classics like Nmap for initial recon, enum4linux for quick SMB/RPC checks, and then dive into more advanced options like BloodHound for visualizing attack paths, PowerShell scripts (especially PowerView.ps1) for deep internal enumeration, and the powerful Impacket suite for Linux-based interactions. Remember, guys, the key isn’t to run every tool, but to run the right tool at the right time, interpreting its output to build a comprehensive picture of the target Active Directory environment. Each of these tools plays a vital role in collecting different types of information, contributing to your overall understanding of the domain’s structure, user privileges, and potential vulnerabilities. Getting comfortable with these will make your OSCP AD enumeration tasks significantly more streamlined and effective, ensuring you don’t miss any critical clues.
Nmap for Initial Recon and Service Discovery
Nmap, the network mapper, is an absolute staple in any penetration tester’s toolkit, and its role in OSCP AD enumeration cannot be overstated. Before you even think about diving deep into specific AD services, you need to know what services are running on target machines. Nmap allows you to perform initial host discovery, port scanning, and service version detection, which are fundamental steps in understanding the attack surface. For Active Directory enumeration, you’ll primarily be looking for common AD-related ports like 53 (DNS), 88 (Kerberos), 135 (RPC), 139 (NetBIOS Session Service), 389 (LDAP), 445 (SMB), 3268/3269 (Global Catalog LDAP), 5985/5986 (WinRM), and 49152-65535 (Dynamic RPC ports). A typical Nmap scan for AD targets might involve using the -sC (default scripts) and -sV (service version detection) flags. For example, nmap -sC -sV -oA initial_scan <target_IP> is a fantastic starting point. This command runs a suite of safe scripts that often reveal interesting information, including basic SMB enumeration, DNS details, and Kerberos information, alongside identifying the services running on open ports. You can also leverage Nmap’s powerful scripting engine (NSE) to run specific Active Directory enumeration scripts. Scripts like smb-enum-users.nse (to list users), smb-enum-shares.nse (to list shares), smb-security-mode.nse, ldap-enum-users.nse, or msrpc-enum.nse can provide quick wins and valuable insights directly from Nmap. Identifying domain controllers is often the first goal, which you can typically deduce from the services running (Kerberos, LDAP, DNS on port 53, etc.). Pay close attention to the version numbers of services; outdated versions might harbor known vulnerabilities. Furthermore, Nmap can help you identify other Windows machines in the domain, allowing you to expand your enumeration efforts beyond just the domain controller. Remember, even basic information like the hostname and domain name can be revealed through Nmap’s output, laying the groundwork for more advanced OSCP AD enumeration techniques. Don’t skip this crucial initial step; a thorough Nmap scan can save you a lot of time and point you in the right direction, guys.
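The -oA flag above also writes grepable (.gnmap) output, and the "deduce the domain controller from its services" step can be automated. The following is an added example (not from the original cheat sheet): it parses constructed grepable-output lines and flags a host as a likely domain controller when Kerberos, LDAP and the Global Catalog port are all open, and as a Windows domain member when only SMB/RPC ports are exposed.

```python
"""Triage nmap -oG output for Active Directory roles (added example; sample lines are constructed)."""
import re

# AD-related ports from the cheat sheet, mapped to the service they usually carry.
AD_PORTS = {53: "DNS", 88: "Kerberos", 135: "RPC", 139: "NetBIOS", 389: "LDAP",
            445: "SMB", 3268: "GC-LDAP", 3269: "GC-LDAPS", 5985: "WinRM", 5986: "WinRM-HTTPS"}
# Kerberos + LDAP + Global Catalog together are a strong domain-controller indicator.
DC_SIGNATURE = {88, 389, 3268}

# Constructed sample in nmap grepable format: "port/state/proto/owner/service/rpcinfo/version/".
SAMPLE_GNMAP = """\
# Nmap scan initiated (constructed sample, not a real scan)
Host: 10.10.10.5 (dc01.corp.local)\tPorts: 53/open/tcp//domain///, 88/open/tcp//kerberos-sec///, 389/open/tcp//ldap///, 445/open/tcp//microsoft-ds///, 3268/open/tcp//ldap///, 5985/open/tcp//http//Microsoft HTTPAPI httpd 2.0/\tIgnored State: filtered (995)
Host: 10.10.10.20 (ws01.corp.local)\tPorts: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (997)
Host: 10.10.10.30 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/\tIgnored State: closed (999)
"""

HOST_RE = re.compile(r"^Host: (\S+) \((.*?)\)\tPorts: (.*?)(?:\t|$)")


def parse_gnmap(text):
    """Return {ip: {"name": hostname, "open": set_of_open_tcp_ports}} from grepable output."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:  # comment lines and hosts with no Ports field are skipped
            continue
        ip, name, ports_field = m.groups()
        open_ports = set()
        for entry in ports_field.split(", "):
            parts = entry.split("/")
            if len(parts) >= 3 and parts[1] == "open" and parts[2] == "tcp":
                open_ports.add(int(parts[0]))
        hosts[ip] = {"name": name, "open": open_ports}
    return hosts


def classify(hosts):
    """Label each host as domain-controller, windows-member or other, listing its AD services."""
    results = {}
    for ip, info in hosts.items():
        ad_services = sorted(AD_PORTS[p] for p in info["open"] if p in AD_PORTS)
        if DC_SIGNATURE <= info["open"]:
            role = "domain-controller"
        elif info["open"] & {135, 445}:
            role = "windows-member"
        else:
            role = "other"
        results[ip] = {"name": info["name"], "role": role, "ad_services": ad_services}
    return results


if __name__ == "__main__":
    for ip, r in classify(parse_gnmap(SAMPLE_GNMAP)).items():
        print(f"{ip:<12} {r['name'] or '-':<18} {r['role']:<18} {', '.join(r['ad_services'])}")
```

Point parse_gnmap at the contents of initial_scan.gnmap to run it over a real scan; the WinRM and RPC ports it reports tell you which hosts to revisit once you hold credentials.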
Enum4linux for Basic SMB/RPC Enumeration
Moving on from Nmap, one of the quickest and easiest tools for initial OSCP AD enumeration when you’re on a Linux attacking machine is enum4linux. This fantastic script is a wrapper around smbclient, rpcclient, net, and nmblookup, making it incredibly efficient for gathering a broad spectrum of information from Windows machines, especially domain controllers. When you run enum4linux <target_IP>, it attempts to enumerate a wealth of data without requiring any credentials, making it perfect for initial reconnaissance. What kind of juicy details does it pull out? Well, guys, it can list users, groups, share names, password policies, and even provide details about the operating system. Specifically, enum4linux can often reveal: user lists (potentially valid usernames for brute-forcing or dictionary attacks), group membership information (identifying privileged groups like Domain Admins), RID cycling (which can sometimes dump all users and groups), share enumeration (identifying open SMB shares that might contain sensitive data or offer pivot points), and password policy information (which helps in crafting password guessing strategies or understanding the domain’s security posture). The ability to quickly extract this information without authentication is why enum4linux is such a powerful tool in the early stages of Active Directory enumeration. It’s like a quick health check of the target’s exposed SMB and RPC services. You might uncover default accounts, guest accounts, or even service accounts that have weak or no passwords, providing immediate opportunities for lateral movement or privilege escalation. Remember to always examine the output carefully; sometimes the most innocuous-looking entry can be the key to unlocking the next stage of your attack. While enum4linux is excellent for getting a rapid overview, it’s just one piece of the OSCP AD enumeration puzzle. Its output often serves as a springboard for more targeted enumeration with other tools, providing you with a list of users or shares to investigate further. Don’t underestimate the power of this simple yet effective utility in your Active Directory enumeration toolkit.
BloodHound and SharpHound for Relationship Mapping
Alright, guys, if you want to truly see the attack paths within an Active Directory environment, then BloodHound is your best friend. This tool is an absolute game-changer for OSCP AD enumeration because it moves beyond just listing objects and instead focuses on visualizing the complex relationships between users, groups, computers, and trusts. It allows you to quickly identify highly complex attack paths that would be incredibly difficult, if not impossible, to find manually. The process involves two main components: SharpHound.exe (or BloodHound.ps1 for PowerShell) for data collection on the target Windows domain, and the BloodHound GUI for analyzing that data. SharpHound is run on a compromised Windows machine (even with low-privileged access initially) and it gathers information about various objects and their ACLs (Access Control Lists), group memberships, user sessions, and more. This data is then output into JSON files, which you then import into the BloodHound GUI on your attacking machine. Once imported, BloodHound builds a beautiful, interactive graph database that shows you exactly how different objects relate to each other. You can then run pre-built queries like