Active Directory enumeration from non-domain system

ADEnumerator allows red teamers to query LDAP with a standard user account from a system not joined to a domain. It’s common that during a red team assessment you will harvest credentials from printers, files, etc., but sometimes you don’t know what these credentials can do.

Instead of throwing the one set of credentials you got at all systems to see where you are local admin, you can tailor your attack to specific systems. ADEnumerator.ps1 allows you to find out information about the account you compromised. It will also perform all the Active Directory enumeration you can do from a domain system using the creds you obtained.


git clone

1) Since this is a module, you may need to disable the execution policy. From an elevated prompt, execute the following: Set-ExecutionPolicy Unrestricted

2) From a regular PowerShell prompt, you can now import the module. Import-Module ADEnumerator.psm1

ADEnumerator.psm1 contains a lot of functions which will each accept either an existing LDAP session parameter (LDAPSession) or create a new one from a domain controller name (DCHostName). Call the New-LDAPSession function and assign its result to a variable to create an LDAP session that can be passed to the other functions.

This is only ever intended to be executed on your attacker system.

It will run on any system, but you will always have to provide creds. You will also need a valid domain controller for this to work.

How do you get a list of domain controllers without a domain system?
Two ways:


will get you a DNS suffix

nltest /dclist:{domain}

will give you an error, but will also list one DC

set type=any

will list name servers; generally those are DCs

Use Cases
1. You harvest a domain credential from a printer, responder, etc. But don’t have access to a domain system. You can use the credential to perform additional enumeration on the domain.

2. Find out what you can do with the credential you harvested: which groups it belongs to, or maybe a system whose name follows a naming convention similar to the username, which indicates the user may have local admin on that system.

3. You are provided credentials to start an internal assessment, but not a domain system.

4. You just want to do domain enumeration quickly
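From the defender's side, the activity these use cases describe (a domain credential authenticating to a DC from a host that is not a domain member) is visible in the DC's Security log. The following is an added example, not code from the original post or from ADEnumerator: it runs over a few constructed, flattened 4624 logon records and flags successful network logons whose workstation name is not a known domain computer account, then groups the hits by source IP. The record format and the computer list are assumptions for the sake of the example.

```python
import re
from collections import defaultdict

# Constructed sample of Security event 4624/4625 records from a DC, flattened to
# key=value form and reduced to the fields that matter here (hypothetical format;
# real events carry many more fields).
SAMPLE_EVENTS = """\
EventID=4624 LogonType=3 TargetUserName=jsmith WorkstationName=WS-FIN-012 IpAddress=10.10.5.12
EventID=4624 LogonType=3 TargetUserName=printer-svc WorkstationName=UNKNOWN-PC IpAddress=10.10.9.77
EventID=4624 LogonType=3 TargetUserName=jsmith WorkstationName=DESKTOP-7Q2M1 IpAddress=10.10.9.77
EventID=4624 LogonType=2 TargetUserName=admin WorkstationName=DC01 IpAddress=127.0.0.1
EventID=4625 LogonType=3 TargetUserName=jsmith WorkstationName=DESKTOP-7Q2M1 IpAddress=10.10.9.77
"""

# Constructed list of computer accounts that exist in the domain (in practice,
# exported from AD). A workstation name not in this set is not a domain member.
DOMAIN_COMPUTERS = {"WS-FIN-012", "DC01", "FILESRV01"}

FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_event(line):
    """Turn one key=value record into a dict."""
    return dict(FIELD_RE.findall(line))

def find_non_domain_logons(text, domain_computers):
    """Return successful network logons (4624, logon type 3) whose source
    workstation is not a known domain computer account. Note that the
    workstation name is supplied by the client and can be spoofed, so the
    source IP is the more reliable field to pivot on."""
    hits = []
    for line in text.splitlines():
        ev = parse_event(line)
        if ev.get("EventID") != "4624" or ev.get("LogonType") != "3":
            continue
        if ev.get("WorkstationName", "").upper() not in domain_computers:
            hits.append(ev)
    return hits

def summarize_by_source(hits):
    """Group flagged logons by source IP: one non-domain host using several
    accounts is a stronger signal than a single stray logon."""
    by_ip = defaultdict(set)
    for ev in hits:
        by_ip[ev["IpAddress"]].add(ev["TargetUserName"])
    return {ip: sorted(users) for ip, users in by_ip.items()}

if __name__ == "__main__":
    flagged = find_non_domain_logons(SAMPLE_EVENTS, DOMAIN_COMPUTERS)
    for ip, users in summarize_by_source(flagged).items():
        print(f"{ip}: {len(users)} account(s) from non-domain host: {', '.join(users)}")
```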

Function Overview
New-LDAPSession – Creates an LDAP Session
Invoke-SearchAD – Searches Active Directory for string
Get-AllADUsers – Will get all user accounts from Active Directory
Get-GroupMembership – Will get user accounts who are members of specified group
Get-AllGroups – Gets a list of all groups
Get-DomainControllers – Gets a list of domain controllers
Get-Computers – Gets a list of computers or computer versions
Get-UserMembership – Will get details about specified user

Categories: Active Directory