CyberCheatsheets

First hour of Active Directory recon

What to run, what to skip, and how not to light up every Kerberos sensor on day one of an internal test.


You landed on a workstation as a low-privilege domain user. The BloodHound collector failed because .NET policy blocked it, and someone already ran Kerberoast spray against every SPN in the forest before lunch.

Hour one is not about maximum enumeration. It is about building a map without becoming the map's loudest event.

Start with what the user already has

whoami /all
net user %username% /domain
net group "Domain Admins" /domain

whoami /groups tells you if you are on a machine that matters or a random VDI pool. Note transitive groups. "Authenticated Users" is not interesting. "Helpdesk Tier 2" might be.

Check DC connectivity and DNS suffix:

nltest /dclist:corp.local
ipconfig /all

Wrong DNS on the VPN client sends LDAP to a black hole. Fix that before you blame tools.

LDAP and SMB without spraying

Light enumeration before password attacks:

ldapdomaindump -u 'corp\user' -p 'Password1' ldap://dc01.corp.local -o ldap-out

Or enum4linux-ng when you need a quick SMB/LDAP summary from Linux.

Save netexec (or legacy CrackMapExec workflows) for when you have cracked creds or a confirmed account list. Running --users against every host in sites.txt in minute ten is how internal tests get paused.

BloodHound: when it works

BloodHound is valuable when ingestion succeeds. On locked-down endpoints, collectors fail and defenders see unusual LDAP query volume anyway.

If policy blocks execution, pivot to:

  • Manual ACL review on shares you can already read
  • GPO paths from SYSVOL if readable
  • Session enumeration only on hosts you own in scope

The bloodhound cheat sheet helps once you have JSON in. It does not replace knowing what "Owner" on a computer object implies in practice.

Kerberos noise budget

Kerberoasting and AS-REP roasting are effective and loud. Coordinate with the client if they monitor Event 4769 spikes.

kerbrute user enumeration is sometimes in scope, sometimes explicitly forbidden. Read the rules of engagement line about account lockout thresholds before you test them empirically.

Rubeus belongs in the toolkit after you understand tickets, not as a first-hour script kiddie macro.
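The 4769 spike the client's SOC is watching for has a recognisable shape, and it helps to agree on it before coordinating. This is an added detection example, not code from the original post: it scores constructed 4769-style records and flags any account that requests service tickets for many distinct service accounts (the event's ServiceName field) inside a short window, reporting how many of those requests used RC4 (etype 0x17). Field names, window size and threshold are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed 4769 (Kerberos service ticket request) records, not real telemetry.
# Keys mirror the event fields TargetUserName, ServiceName, TicketEncryptionType, IpAddress.
def _ev(ts, user, svc, etype, ip):
    return {"ts": ts, "user": user, "svc": svc, "etype": etype, "ip": ip}

SAMPLE_4769 = [
    _ev("2024-03-01T09:00:01", "jdoe@CORP.LOCAL", "FS01$", 0x12, "10.0.5.20"),
    _ev("2024-03-01T09:00:03", "jdoe@CORP.LOCAL", "DC01$", 0x12, "10.0.5.20"),
    _ev("2024-03-01T09:31:40", "jdoe@CORP.LOCAL", "WEB01$", 0x12, "10.0.5.20"),
    # One account, one source, six distinct service accounts in ten seconds, all RC4 (0x17).
    _ev("2024-03-01T09:05:10", "svc_scan@CORP.LOCAL", "svc_mssql", 0x17, "10.0.9.77"),
    _ev("2024-03-01T09:05:12", "svc_scan@CORP.LOCAL", "svc_sql02", 0x17, "10.0.9.77"),
    _ev("2024-03-01T09:05:14", "svc_scan@CORP.LOCAL", "svc_web", 0x17, "10.0.9.77"),
    _ev("2024-03-01T09:05:16", "svc_scan@CORP.LOCAL", "svc_iis", 0x17, "10.0.9.77"),
    _ev("2024-03-01T09:05:18", "svc_scan@CORP.LOCAL", "svc_backup", 0x17, "10.0.9.77"),
    _ev("2024-03-01T09:05:20", "svc_scan@CORP.LOCAL", "svc_exchange", 0x17, "10.0.9.77"),
]

WINDOW = timedelta(minutes=5)      # sliding window per requesting account (assumed tuning value)
DISTINCT_SVC_THRESHOLD = 5         # distinct service accounts in one window before alerting (assumed)
RC4_ETYPE = 0x17                   # Kerberos etype 23, RC4-HMAC

def flag_roasting(events, window=WINDOW, threshold=DISTINCT_SVC_THRESHOLD):
    """Return {account: (distinct_services, rc4_requests)} for accounts whose requests in any
    sliding window cover at least `threshold` distinct ServiceName values. A high RC4 share is
    a second signal: AES-capable services should rarely be requested with etype 0x17."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append((datetime.fromisoformat(e["ts"]), e["svc"], e["etype"]))
    alerts = {}
    for user, recs in by_user.items():
        recs.sort()
        lo = 0
        for hi in range(len(recs)):
            while recs[hi][0] - recs[lo][0] > window:   # drop records older than the window
                lo += 1
            win = recs[lo:hi + 1]
            services = {svc for _, svc, _ in win}
            if len(services) >= threshold:
                rc4 = sum(1 for _, _, et in win if et == RC4_ETYPE)
                if user not in alerts or len(services) > alerts[user][0]:
                    alerts[user] = (len(services), rc4)
    return alerts

if __name__ == "__main__":
    for account, (n_svc, n_rc4) in flag_roasting(SAMPLE_4769).items():
        print(f"{account}: {n_svc} distinct services, {n_rc4} RC4 requests within {WINDOW}")
```

Tune the threshold against a baseline first: backup agents and monitoring accounts legitimately touch many services, so pair the count with the RC4 share and the source address rather than alerting on volume alone.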

Write down the forest shape early

Domain count, trust direction, naming patterns for servers (SRV-, SQL-, DEV-). Mislabeled lab domains adjacent to production have burned teams that assumed one forest meant one sensitivity level.

Stop at sixty minutes with: user context, DC list, a handful of reachable file servers, and one plausible privilege path hypothesis. Everything else is day two.
