Domain Enumeration, Red Teaming

Active Directory Enumeration: pywerview

Executive Summary

This report documents a comprehensive Active Directory (AD) enumeration exercise conducted against the ignite.local domain. Using pywerview, a Python-based port of the PowerView PowerShell module, an authenticated attacker with low-privileged credentials (raj / Password@1) was able to enumerate substantial information about the domain, including users, computers, groups, delegation settings, and SPN-registered accounts.

The enumeration revealed several significant security misconfigurations that could be exploited by an attacker to escalate privileges and potentially achieve full domain compromise. Key findings include a domain administrator account (aaru), a Kerberoastable SPN account (kavish) with constrained delegation to a SQL server, computers configured with unconstrained delegation, and a Backup Operators member (shivam) who could abuse that privilege for privilege escalation.

Methodology

The enumeration was performed using pywerview, which provides unauthenticated and authenticated LDAP queries against the domain controller. The modules used are documented, with the exact commands, in the sections that follow.

Key flags used during enumeration:

  • --spn: Filter for users with Service Principal Names registered (Kerberoasting targets)
  • --admin-count: Filter for users with adminCount=1 (historically privileged accounts)
  • --unconstrained: Filter for computers configured with unconstrained delegation
  • --operating-system: Filter computers by OS string
  • --full-data: Return complete LDAP attributes
  • --username: Filter results for a specific user
  • --groupname: Target a specific group
  • --recurse: Recursively resolve nested group membership

Table of Contents

  1. Methodology
    • Overview of pywerview
    • Enumeration Approach
    • Key Flags and Parameters
  2. Domain Enumeration
    • Domain Controller Enumeration
    • Domain Information
  3. User Account Enumeration
    • Specific User Enumeration
    • Kerberoastable Accounts (SPN Users)
    • AdminCount Users
  4. Group Enumeration
    • Enumerating a Specific Group (Full Data)
    • User-to-Group Mapping
    • Group Membership Enumeration
    • Recursive Group Membership
    • Full Data of Group Members
  5. Computer Enumeration
    • Detailed Computer Enumeration
    • OS-Based Computer Filtering
    • Unconstrained Delegation Systems
    • Detailed Unconstrained Delegation
  6. Share and Disk Enumeration
    • Network Share Enumeration
    • Local Disk Enumeration
  7. Session and Logged-On User Enumeration
    • Active Sessions Enumeration
    • Logged-On Users Enumeration
  8. Local System Enumeration
    • Local Group Enumeration
    • Process Enumeration
    • User Event Logs (Logon/Logoff)
  9. Organizational Structure Enumeration
    • Detailed OU Enumeration
    • Sites Enumeration
    • Subnets Enumeration
  10. Group Policy Enumeration
    • GPO Enumeration
    • Domain Policy Enumeration
  11. Privilege and Access Checks
    • Local Admin Access Check
    • User Rights and Privilege Validation
  12. Hunting Techniques
    • High-Privilege User Hunting
    • Process Hunting
  13. Advanced Active Directory Enumeration
    • AD Object Enumeration (Get-ADObject)
    • ACL Enumeration (Get-ObjectAcl)
    • Domain Trust Enumeration

Domain Enumeration

Domain Controller

The get-netdomaincontroller module returned the full LDAP object for the domain controller. Key attributes are highlighted below.

pywerview get-netdomaincontroller -w ignite.local -u raj -p 'Password@1' --dc-ip 192.168.1.11

Domain Information

The get-netdomain command revealed two domain contexts: IGNITE (the primary domain) and Builtin (the built-in local groups container). This is standard for any Active Directory domain.

pywerview get-netdomain -w ignite.local -u raj -p 'Password@1' --dc-ip 192.168.1.11

User Account Enumeration

All Domain Users

The get-netuser command (without filters) returned all user accounts in the domain. Three standard user accounts were enumerated: ashish, aaru, and yashika. All are flagged NORMAL_ACCOUNT.

pywerview get-netuser -w ignite.local -u raj -p 'Password@1' --dc-ip 192.168.1.11

Specific User Details

Get-NetUser -Username targets a single user and returns all of its AD attributes: logon history, group memberships, account flags, password metadata, and more.

pywerview get-netuser -w ignite.local -u raj -p 'Password@1' --dc-ip 192.168.1.11 --username aaru

Critical attributes for aaru:

  • memberof: CN=Domain Admins,CN=Users,DC=ignite,DC=local
  • objectsid: S-1-5-21-2964257136-1039789743-457275023-1112
  • useraccountcontrol: NORMAL_ACCOUNT (no special delegation)
  • logoncount: 0 (account may not have been used interactively yet)
  • admincount: 1 (confirmed as protected admin-tier account)

Kerberoastable User

Get-NetUser -SPN: Returns all domain user accounts that have one or more Service Principal Names (SPNs) registered, indicating they are service accounts used to run specific services within the domain.

pywerview get-netuser -w ignite.local -u raj -p 'Password@1' --dc-ip 192.168.1.11 --spn

The combination of an SPN (Kerberoastable) and TRUSTED_TO_AUTH_FOR_DELEGATION (constrained delegation with Protocol Transition) means that if the kavish account password can be cracked from a Kerberos TGS ticket, an attacker could then impersonate any domain user (including Domain Admins) against the SQL server at WIN-SQL.ignite.local:1433.
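The finding above depends on reading the userAccountControl bitmask that pywerview prints as flag names. The following is an added example, not code from the original post or from pywerview: it decodes the raw attribute and applies the same classification to constructed sample records. The SPN and msDS-AllowedToDelegateTo values given for kavish are assumptions for illustration; only the host and port come from the report.

```python
# Added example: decode userAccountControl and flag the combinations the
# report reasons about. Sample records are constructed, not LDAP output.

# Bit values of the userAccountControl attribute (documented by Microsoft).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",            # unconstrained delegation
    0x400000: "DONT_REQ_PREAUTH",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",  # constrained delegation + protocol transition
}


def decode_uac(value: int) -> list:
    """Return the flag names set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def classify(account: dict) -> list:
    """Findings for one user record, following the reasoning in the report."""
    flags = decode_uac(account["useraccountcontrol"])
    findings = []
    if account.get("serviceprincipalname"):
        findings.append("kerberoastable")
    if "TRUSTED_TO_AUTH_FOR_DELEGATION" in flags:
        targets = ",".join(account.get("msds-allowedtodelegateto", [])) or "(none listed)"
        findings.append(f"constrained-delegation-with-protocol-transition to {targets}")
    if "TRUSTED_FOR_DELEGATION" in flags:
        findings.append("unconstrained-delegation")
    if account.get("admincount") == 1:
        findings.append("admincount=1 (AdminSDHolder-protected)")
    if "ACCOUNTDISABLE" in flags:
        findings.append("disabled")
    return findings


# Constructed sample, shaped like pywerview's lower-cased attribute names.
SAMPLE_USERS = [
    {"samaccountname": "aaru", "useraccountcontrol": 0x200, "admincount": 1,
     "memberof": ["CN=Domain Admins,CN=Users,DC=ignite,DC=local"]},
    {"samaccountname": "kavish", "useraccountcontrol": 0x200 | 0x1000000,
     "serviceprincipalname": ["HTTP/example-spn.ignite.local"],              # assumed SPN
     "msds-allowedtodelegateto": ["MSSQLSvc/WIN-SQL.ignite.local:1433"]},    # assumed value
    {"samaccountname": "ashish", "useraccountcontrol": 0x200},
]


def report(users: list) -> dict:
    """Map each samAccountName to its findings (an empty list means nothing notable)."""
    return {u["samaccountname"]: classify(u) for u in users}


if __name__ == "__main__":
    for name, findings in report(SAMPLE_USERS).items():
        print(f"{name:10} {', '.join(findings) or '-'}")
```

Feeding real records to report() is a matter of converting pywerview's --full-data output into the same dict shape; the decoder is what turns an integer such as 16777728 into the two flag names the report discusses.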

AdminCount Users

Get-NetUser -AdminCount: Returns all user accounts in the domain where the adminCount attribute is set to 1, indicating they are (or were) members of a protected, privileged group managed by AdminSDHolder.

pywerview get-netuser -w ignite.local -u raj -p 'Password@1' --dc-ip 192.168.1.11 --admin-count

Group Enumeration

All Group Names

Gets a list of all current groups in the domain, or all groups a given user/group is a member of.

pywerview get-netgroup -w ignite.local -u raj -p 'Password@1' --dc-ip 192.168.1.11

Full Data for a Single Group

Without -FullData, Get-NetGroup returns only the group name (sAMAccountName) of each group. Adding -FullData pulls every available LDAP attribute for each group object, giving a complete picture of group configuration, membership, privilege level, and timestamps. This is particularly useful when trying to understand the full context of a group (its description, members, admin status, and distinguished names) in a single query.

pywerview get-netgroup -w ignite.local -u raj -p 'Password@1' --dc-ip 192.168.1.11 --groupname "Domain Admins" --full-data

Get all groups a user belongs to

Instead of enumerating group members (which Get-NetGroupMember does), -UserName reverses the query — it starts from a user account and returns all groups that user belongs to.

pywerview get-netgroup -w ignite.local -u raj -p 'Password@1' --dc-ip 192.168.1.11 --username aaru

Get all members of a Single Group

Get-NetGroupMember — Gets a list of all current users in a specified domain group.

pywerview get-netgroupmember -w ignite.local -u raj -p 'Password@1' --dc-ip 192.168.1.11 --groupname "Backup Operators"

The user shivam is a member of Backup Operators. This membership can be abused to dump the NTDS.dit database or registry hives (SAM, SYSTEM, SECURITY) from the DC, effectively giving access to all domain password hashes.

Recursively get all members

Gets a list of all current users in a specified domain group, recursively resolving any nested group memberships to return the full effective member list.

pywerview get-netgroupmember -w ignite.local -u raj -p 'Password@1' --dc-ip 192.168.1.11 --groupname "Backup Operators" --recurse
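Recursive resolution matters because a user can hold a group's privileges through a chain of nested groups, and real directories sometimes contain membership cycles. As an added example (not code from the post or from pywerview), the function below walks a constructed directory snapshot the way --recurse does; the nested "Ops Team" group and its members are assumptions for illustration, not findings from the report.

```python
# Added example: effective group membership over an offline snapshot.
# DIRECTORY maps a DN to its attributes; the nesting and cycle are constructed.

DOMAIN = "DC=ignite,DC=local"
DIRECTORY = {
    f"CN=Backup Operators,CN=Builtin,{DOMAIN}": {
        "objectclass": "group",
        "member": [f"CN=shivam,CN=Users,{DOMAIN}", f"CN=Ops Team,CN=Users,{DOMAIN}"],
    },
    f"CN=Ops Team,CN=Users,{DOMAIN}": {                  # assumed nested group
        "objectclass": "group",
        "member": [f"CN=yashika,CN=Users,{DOMAIN}",
                   f"CN=Backup Operators,CN=Builtin,{DOMAIN}"],   # deliberate cycle
    },
    f"CN=shivam,CN=Users,{DOMAIN}": {"objectclass": "user", "samaccountname": "shivam"},
    f"CN=yashika,CN=Users,{DOMAIN}": {"objectclass": "user", "samaccountname": "yashika"},
}


def cn(dn: str) -> str:
    """First RDN value of a DN, e.g. 'Backup Operators'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def effective_members(group_dn: str, directory: dict) -> dict:
    """Return {samaccountname: [group chain]} for every user reachable from the group.

    Nested groups are followed depth-first. The 'seen' set stops membership
    cycles, and an unknown member DN (foreign security principal, deleted
    object) is skipped rather than treated as an error.
    """
    result = {}
    seen = set()

    def walk(dn: str, chain: list) -> None:
        if dn in seen:
            return
        seen.add(dn)
        for member_dn in directory.get(dn, {}).get("member", []):
            entry = directory.get(member_dn)
            if entry is None:
                continue
            if entry["objectclass"] == "group":
                walk(member_dn, chain + [cn(member_dn)])
            else:
                result.setdefault(entry["samaccountname"], chain)

    walk(group_dn, [cn(group_dn)])
    return result


if __name__ == "__main__":
    for user, chain in effective_members(f"CN=Backup Operators,CN=Builtin,{DOMAIN}", DIRECTORY).items():
        print(f"{user:10} via {' -> '.join(chain)}")
```

The chain recorded for each user is what an auditor needs to remove an unintended member: it names the nested group that has to change, not just the top-level group.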

Get full data for all members of Group

Get-NetGroupMember -FullData — Gets a list of all current users in a specified domain group, returning the full LDAP property set for each member object instead of just the default translated fields.

pywerview get-netgroupmember -w ignite.local -u raj -p 'Password@1' --dc-ip 192.168.1.11 --groupname "Domain Admins" --full-data

Computer Enumeration

List of All Computers

Gets a list of all current servers/computers in the domain.

pywerview get-netcomputer -w ignite.local -u raj -p 'Password@1' --dc-ip 192.168.1.11

List of All Computers in Detail

Get-NetComputer -FullData — Gets a list of all current servers/computers in the domain with complete LDAP attribute data returned for each computer object.

pywerview get-netcomputer -w ignite.local -u raj -p 'Password@1' --dc-ip 192.168.1.11 --full-data

List of Computers by Operating System

Returns computers in the domain with a specific operating system, with wildcards accepted. It builds a custom LDAP filter from the -OperatingSystem parameter to query Active Directory for matching computer objects.

pywerview get-netcomputer -w ignite.local -u raj -p 'Password@1' --dc-ip 192.168.1.11 --operating-system "*Windows Server*"

Unconstrained Delegation

Get-NetComputer -Unconstrained: Returns all computers in the domain that have Unconstrained Delegation enabled, by filtering for the TrustedForDelegation attribute set to True in Active Directory.

pywerview get-netcomputer -w ignite.local -u raj -p 'Password@1' --dc-ip 192.168.1.11 --unconstrained
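Both the operating-system and the unconstrained-delegation options above come down to an LDAP filter. As an added example (not pywerview's or PowerView's own code), the functions below build those filters from the documented attribute values, escaping user input per RFC 4515 so that a wildcard is only kept where one is intended, and show how the bitwise-AND matching rule expresses "TrustedForDelegation = True" against the userAccountControl attribute.

```python
# Added example: the LDAP filters behind --operating-system, --unconstrained,
# --spn, --admin-count and --username. Constants are the documented AD values.
from fnmatch import fnmatchcase
from typing import Optional

LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"  # bitwise-AND matching rule OID
SAM_NORMAL_USER_ACCOUNT = 805306368                    # sAMAccountType of user objects
SAM_MACHINE_ACCOUNT = 805306369                        # sAMAccountType of computer objects
UF_TRUSTED_FOR_DELEGATION = 0x80000                    # 524288: unconstrained delegation bit


def escape_ldap(value: str, keep_wildcards: bool = False) -> str:
    """Escape an assertion value per RFC 4515; '*' survives only when asked for."""
    out = []
    for ch in value:
        if ch == "*" and keep_wildcards:
            out.append(ch)
        elif ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def computer_filter(operating_system: Optional[str] = None, unconstrained: bool = False) -> str:
    """Filter for computer objects, optionally by OS wildcard and by the delegation bit."""
    parts = [f"(sAMAccountType={SAM_MACHINE_ACCOUNT})"]
    if operating_system:
        parts.append(f"(operatingSystem={escape_ldap(operating_system, keep_wildcards=True)})")
    if unconstrained:
        # Bitwise-AND extensible match: true when the 0x80000 bit is set.
        parts.append(f"(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={UF_TRUSTED_FOR_DELEGATION})")
    return "(&" + "".join(parts) + ")"


def user_filter(spn: bool = False, admin_count: bool = False, username: Optional[str] = None) -> str:
    """Filter for user objects, mirroring --spn, --admin-count and --username."""
    parts = [f"(sAMAccountType={SAM_NORMAL_USER_ACCOUNT})"]
    if username:
        parts.append(f"(sAMAccountName={escape_ldap(username)})")  # no wildcard from user input
    if spn:
        parts.append("(servicePrincipalName=*)")
    if admin_count:
        parts.append("(adminCount=1)")
    return "(&" + "".join(parts) + ")"


def os_matches(pattern: str, operating_system: str) -> bool:
    """Local equivalent of the server-side wildcard match (case-insensitive)."""
    return fnmatchcase(operating_system.lower(), pattern.lower())


if __name__ == "__main__":
    print(computer_filter("*Windows Server*", unconstrained=True))
    print(user_filter(spn=True))
```

The escaping is the part worth keeping when wrapping a tool like this in automation: a value such as "a(b)" taken from a ticket or a CSV must not be able to change the shape of the filter.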

Unconstrained Delegation in Detail

Get-NetComputer -Unconstrained -FullData — Returns all domain computers that have Unconstrained Delegation enabled (TrustedForDelegation = True), with all LDAP properties returned for each computer object rather than just the hostname.

pywerview get-netcomputer -w ignite.local -u raj -p 'Password@1' --dc-ip 192.168.1.11 --unconstrained --full-data

List of All Shared Folders

Get-NetShare: Returns open shares on the local (or a remote) machine. This function executes the NetShareEnum Win32 API call to query a given host for open shares. Network shares are a critical attack surface: they may contain sensitive files, scripts with hardcoded credentials, or Group Policy files with cleartext passwords.

pywerview get-netshare -w ignite.local -u raj -p 'Password@1' --computername 192.168.1.11

List of All Disks

Get-LocalDisk enumerates all locally attached disk drives on a system, returning details like drive letters, sizes, and free space. It is typically used during post-exploitation host enumeration to understand the target machine's storage layout before staging payloads or exfiltrating data.

pywerview get-localdisks -w ignite.local -u administrator -p 'Ignite@987' --computername 192.168.1.11

Machine Current Session

Get-NetSession: Returns session information for the local (or a remote) machine. A "session" means a user or computer that currently has an open connection to the target machine. This is critical intelligence for an attacker: it reveals which users are actively authenticated to the machine and from which IP addresses, enabling targeted credential theft.

pywerview get-netsession -w ignite.local -u administrator -p 'Ignite@987' --computername 192.168.1.11

Logged-in User Details

Get-NetLoggedon: Returns users logged onto the local (or a remote) machine. Unlike get-netsession, which shows network connections, get-netloggedon shows interactive desktop/console sessions, i.e. users who are physically or remotely (RDP) logged into the machine at the OS level. These users have active LSASS sessions with credentials in memory.

pywerview get-netloggedon -w ignite.local -u administrator -p 'Ignite@987' --computername 192.168.1.11

List of All Local Groups

Enumerates the local groups on the local (or a remote) machine.

pywerview get-netlocalgroup -w ignite.local -u raj -p 'Password@1' --computername 192.168.1.11 --list-groups

List of All OUs

Get-NetOU queries Active Directory for all OU containers, which are used by administrators to group users, computers, and other AD objects by department, location, or role.

pywerview get-netou -w ignite.local -u raj -p 'Password@1' --dc-ip 192.168.1.11

List of All OUs in Detail

pywerview get-netou -w ignite.local -u raj -p 'Password@1' --dc-ip 192.168.1.11 --full-data

List of ALL Sites

Get-NetSite — Gets a list of all current sites in the domain. It builds a directory searcher using the Configuration naming context and returns all AD site objects.

pywerview get-netsite -w ignite.local -u raj -p 'Password@1' --dc-ip 192.168.1.11 --full-data

List of All Subnets

Get-NetSubnet — Gets a list of all current subnets in a domain. It queries the Active Directory Sites and Services configuration to return all registered subnet objects and their associated site information.

pywerview get-netsubnet -w ignite.local -u raj -p 'Password@1' --dc-ip 192.168.1.11 --full-data

get-netgpo

Get-NetGPO queries the domain for all configured Group Policy Objects and returns details such as their display names, GUIDs, creation/modification dates, and associated permissions.

pywerview get-netgpo -w ignite.local -u raj -p 'Password@1' --dc-ip 192.168.1.11

get-domainpolicy

The get-domainpolicy module reads the Default Domain Policy GPO from SYSVOL and parses the GptTmpl.inf file to extract password policy, account lockout policy, and Kerberos policy settings. This is extremely valuable for attackers because it reveals the exact constraints on password attacks — minimum length, complexity, lockout thresholds, and Kerberos ticket lifetimes.

pywerview get-domainpolicy -w ignite.local -u raj -p 'Password@1' --dc-ip 192.168.1.11
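GptTmpl.inf is an INI-style file, so the parsing step described above can be reproduced offline. The following is an added example (not pywerview's code): it parses the [System Access] and [Kerberos Policy] sections of a constructed sample with the standard library and runs a few baseline checks whose thresholds are parameters of the function, not values the report states. The SYSVOL path in the comment uses the well-known GUID of the Default Domain Policy.

```python
# Added example: parse and audit a GptTmpl.inf. The sample text is constructed.
# In a real domain the Default Domain Policy template lives at
#   \\<dc>\SYSVOL\<domain>\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf
# and is usually UTF-16 encoded, so read it with encoding="utf-16" before parsing.
import configparser

SAMPLE_GPTTMPL = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 42
MinimumPasswordLength = 7
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 0
[Kerberos Policy]
MaxTicketAge = 10
MaxRenewAge = 7
MaxServiceAge = 600
MaxClockSkew = 5
TicketValidateClient = 1
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_gpttmpl(text: str) -> dict:
    """Return {lower-cased setting name: int or str} from the two policy sections."""
    cp = configparser.ConfigParser(interpolation=None)   # values may contain '$' or '%'
    cp.read_string(text)
    policy = {}
    for section in ("System Access", "Kerberos Policy"):
        if cp.has_section(section):
            for key, raw in cp.items(section):
                raw = raw.strip()
                policy[key] = int(raw) if raw.lstrip("-").isdigit() else raw
    return policy


def audit_policy(policy: dict, min_length: int = 14, min_history: int = 24) -> list:
    """Baseline checks as (setting, value, note); thresholds are caller-chosen."""
    findings = []
    if policy.get("lockoutbadcount", 0) == 0:
        findings.append(("LockoutBadCount", 0, "no lockout threshold: online guessing is not rate-limited"))
    if policy.get("minimumpasswordlength", 0) < min_length:
        findings.append(("MinimumPasswordLength", policy.get("minimumpasswordlength"),
                         f"below baseline of {min_length}"))
    if policy.get("passwordcomplexity", 0) != 1:
        findings.append(("PasswordComplexity", policy.get("passwordcomplexity"), "complexity not enforced"))
    if policy.get("passwordhistorysize", 0) < min_history:
        findings.append(("PasswordHistorySize", policy.get("passwordhistorysize"),
                         f"below baseline of {min_history}"))
    if policy.get("maximumpasswordage", 0) == -1:        # -1 in an exported template means no expiry
        findings.append(("MaximumPasswordAge", -1, "passwords never expire"))
    return findings


if __name__ == "__main__":
    parsed = parse_gpttmpl(SAMPLE_GPTTMPL)
    print({k: parsed[k] for k in ("minimumpasswordlength", "lockoutbadcount", "maxticketage")})
    for setting, value, note in audit_policy(parsed):
        print(f"{setting}={value}: {note}")
```

The same parse feeds both sides: the report uses the values to size a password attack, and a defender uses them to see that a lockout threshold of 0 leaves nothing to stop one.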

Check User Rights

Invoke-CheckLocalAdminAccess uses the Win32 API (OpenSCManagerW) to attempt opening the Service Control Manager on the target host — a call that only succeeds if the current user has local administrator rights on that machine.

pywerview invoke-checklocaladminaccess -w ignite.local -u raj -p 'Password@1' --computername 192.168.1.11

List of All Processes

Get-NetProcess uses WMI (Windows Management Instrumentation) to query running processes on a remote machine, returning details such as process name, process ID (PID), and the owning user. It is especially useful during post-exploitation when an attacker wants to identify processes like antivirus tools, command shells, or credential managers running on target machines.

pywerview get-netprocess -w ignite.local -u administrator -p 'Ignite@987' --computername 192.168.1.11

List of Logon Events

The get-userevent module queries the Windows Security Event Log on the target machine for logon-related events. Specifically, it pulls Event ID 4624 (Successful Logon) and Event ID 4634 (Account Logoff) records. This reveals historical authentication activity: who has logged in, from where, when, and what logon type.

pywerview get-userevent -w ignite.local -u administrator -p 'Ignite@987' --computername 192.168.1.11
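The raw 4624/4634 records become useful once logons are paired with their logoffs and the logon type is read. As an added example (not pywerview's code), the function below reconstructs sessions from constructed sample events by matching the Logon ID that both event types carry, then filters for logons by watched accounts whose type leaves credentials cached on the host, which is what a defender would alert on for admin-tier users.

```python
# Added example: session reconstruction from 4624/4634 records.
# EVENTS is a constructed sample, not an export from a real Security log.
from datetime import datetime

LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
               8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
               11: "CachedInteractive"}
CREDENTIAL_CACHING_TYPES = {2, 7, 10, 11}   # interactive-style logons keep secrets in LSASS

EVENTS = [
    {"EventID": 4624, "TargetUserName": "aaru", "LogonType": 10, "IpAddress": "192.168.1.50",
     "TargetLogonId": "0x3e7a1", "TimeCreated": "2025-01-10T09:00:00"},
    {"EventID": 4624, "TargetUserName": "raj", "LogonType": 3, "IpAddress": "192.168.1.60",
     "TargetLogonId": "0x3e7b2", "TimeCreated": "2025-01-10T09:05:00"},
    {"EventID": 4634, "TargetUserName": "aaru", "LogonType": 10, "IpAddress": "-",
     "TargetLogonId": "0x3e7a1", "TimeCreated": "2025-01-10T09:30:00"},
]


def pair_sessions(events: list) -> list:
    """Match each 4624 with the 4634 that carries the same TargetLogonId."""
    logoffs = {e["TargetLogonId"]: e for e in events if e["EventID"] == 4634}
    sessions = []
    for e in sorted(events, key=lambda x: x["TimeCreated"]):
        if e["EventID"] != 4624:
            continue
        start = datetime.fromisoformat(e["TimeCreated"])
        off = logoffs.get(e["TargetLogonId"])
        end = datetime.fromisoformat(off["TimeCreated"]) if off else None   # None: still logged on
        sessions.append({
            "user": e["TargetUserName"],
            "logon_type": e["LogonType"],
            "type": LOGON_TYPES.get(e["LogonType"], f"type {e['LogonType']}"),
            "source": e.get("IpAddress", "-"),
            "start": start,
            "end": end,
            "minutes": (end - start).total_seconds() / 60 if end else None,
        })
    return sessions


def credential_exposing(sessions: list, watched_users: set) -> list:
    """Sessions of watched (e.g. admin-tier) users whose logon type caches credentials."""
    return [s for s in sessions
            if s["user"] in watched_users and s["logon_type"] in CREDENTIAL_CACHING_TYPES]


if __name__ == "__main__":
    for s in pair_sessions(EVENTS):
        print(f"{s['user']:8} {s['type']:18} from {s['source']:15} "
              f"{s['start']:%H:%M} -> {s['end']:%H:%M if s['end'] else None}" if s["end"]
              else f"{s['user']:8} {s['type']:18} from {s['source']:15} {s['start']:%H:%M} -> (open)")
```

A watch list built from the admincount=1 and Domain Admins results earlier in the report is the natural input for credential_exposing(): an interactive or RDP logon by one of those accounts onto a non-tier-0 host is the event worth investigating.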

Hunt for High-Privileged Users

Invoke-UserHunter — Finds machines on the local domain where specified users are logged into and can optionally check if the current user has local admin access to those found machines.

pywerview invoke-userhunter -w ignite.local -u administrator -p 'Ignite@987' --dc-ip 192.168.1.11

Hunt for a Specific Process

Without -ProcessName, Invoke-ProcessHunter returns processes owned by a specified user across all domain machines. With -ProcessName, it filters results to only machines running a process matching the specified name.

pywerview invoke-processhunter -w ignite.local -u administrator -p 'Ignite@987' --dc-ip 192.168.1.11 --computername 192.168.1.11 --processname lsass.exe

Get any AD object (user, computer, group) by SAM account name

Get-ADObject -SamAccountName "<name>" gets a specific Active Directory object identified by its SAM account name (sAMAccountName attribute). It works across all object types: users, computers, and groups.

pywerview get-adobject -w ignite.local -u raj -p 'Password@1' --dc-ip 192.168.1.11 --sam-account-name shivam

Get ACL for a specific user with all SIDs and GUIDs resolved

Get-ObjectAcl in PowerView is a command used to retrieve the Access Control List (ACL) of an object in Active Directory, showing which users or groups have permissions over that object and what actions they are allowed to perform.

pywerview get-objectacl -w ignite.local -u raj -p 'Password@1' --dc-ip 192.168.1.11 --sam-account-name raj --resolve-sids --resolve-guids

Enumerate all trusts for the current domain

Get-NetDomainTrust — Enumerates trust relationships for the current or a specified domain. It retrieves details about the trusted domain’s name, domain SID, and trust type, and is used to identify potential attack vectors such as pivoting across domain boundaries.

pywerview get-netdomaintrust -w ignite.local -u raj -p 'Password@1' --dc-ip 192.168.1.11
