Targeting Enterprise Windows Environments
Active Directory (AD) is Microsoft's directory service, essential for large Windows environments. It manages domain users, computers, and security policies.
If an attacker gains a foothold, enumerating AD is the next step toward full domain compromise.
Key Information to Seek
- Domain Controllers (DCs): The servers that manage AD (often found via DNS SRV records).
- Users and Groups: Identifying administrators, service accounts, and privileged groups.
- Trust Relationships: Mapping which domains trust each other.
LDAP Enumeration
AD relies heavily on LDAP (Lightweight Directory Access Protocol, TCP port 389, or 636 for LDAP over TLS). Attackers can often query LDAP anonymously or with low-privilege accounts to map out the organizational structure: by default any authenticated domain account can read most directory objects, so from the defender's side the question is less whether this traffic exists than whether broad, domain-wide searches from unexpected clients are being logged and reviewed.
Tool Note: Tools like ldapsearch (Linux) or specialized PowerShell modules are used to query AD information once basic access is achieved.
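As an added example in the defender's direction of the section above (not code from the original page or any tool it names), the following Python flags clients whose LDAP searches look like directory mapping rather than normal lookups: subtree searches whose filter selects whole object classes, weighted further when issued over an anonymous bind. The log format, the client addresses, the DNs and the threshold are all constructed assumptions, not a real Windows event format.

```python
import re
from collections import Counter, namedtuple

# Constructed sample records, not a real Windows event format:
# client;bind_dn;base_dn;scope;filter   (empty bind_dn = anonymous bind)
SAMPLE_LOG = """\
10.0.5.23;;DC=corp,DC=example;subtree;(objectClass=*)
10.0.5.23;;DC=corp,DC=example;subtree;(objectCategory=person)
10.0.8.41;CN=svc-hr,OU=Service,DC=corp,DC=example;OU=HR,DC=corp,DC=example;onelevel;(sAMAccountName=jdoe)
10.0.8.42;CN=alice,OU=Users,DC=corp,DC=example;DC=corp,DC=example;subtree;(&(objectClass=user)(sAMAccountName=bob))
"""

LdapSearch = namedtuple("LdapSearch", "client bind_dn base_dn scope filter")

def parse_log(text: str) -> list:
    """Parse the constructed ';'-separated records into LdapSearch tuples."""
    return [LdapSearch(*line.split(";", 4)) for line in text.splitlines() if line.strip()]

# Attribute name of each filter term, e.g. "(sAMAccountName=jdoe)" -> "sAMAccountName".
ATTR_RE = re.compile(r"\(([A-Za-z0-9-]+)[=~<>]")

def is_class_only_filter(flt: str) -> bool:
    """True when the filter selects whole object classes and narrows on nothing else."""
    attrs = {a.lower() for a in ATTR_RE.findall(flt)}
    return bool(attrs) and attrs <= {"objectclass", "objectcategory"}

def find_enumeration(searches, threshold: int = 2) -> dict:
    """Map suspicious clients to reasons: `threshold` or more subtree searches with
    class-only filters, or any such search over an anonymous bind (threshold is an
    illustrative assumption to be tuned against the environment's baseline)."""
    broad, anonymous = Counter(), set()
    for s in searches:
        if s.scope.lower() == "subtree" and is_class_only_filter(s.filter):
            broad[s.client] += 1
            if s.bind_dn == "":
                anonymous.add(s.client)
    findings = {}
    for client, count in broad.items():
        if count >= threshold or client in anonymous:
            reasons = [f"{count} subtree search(es) with class-only filter"]
            if client in anonymous:
                reasons.append("anonymous bind")
            findings[client] = reasons
    return findings

if __name__ == "__main__":
    for client, reasons in find_enumeration(parse_log(SAMPLE_LOG)).items():
        print(client, "->", "; ".join(reasons))
```

Only the first client is flagged; the targeted `sAMAccountName` lookups from the other two are the shape of legitimate directory use and pass through unflagged.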