Whether you’re conducting penetration testing or participating in Capture The Flag (CTF) competitions, one of the most critical phases is enumeration.
This is part two of a two part series on Windows enumeration. For the first part, see https://chasepd.github.io/posts/tools-for-windows-enum/.
Impacket: Deep Protocol Interaction
While NetExec provides broad coverage, Impacket offers deep, protocol-specific interaction capabilities. Think of Impacket as a specialized toolkit where each tool is designed for precise, targeted enumeration of specific Windows services and protocols.
Impacket’s strength lies in its pure Python implementation of Windows protocols, which means it can interact with Windows services at a low level without requiring Windows-specific libraries or environments. I.e. you can run them from Kali Linux or whatever else you prefer instead of having to test from Windows.
There are three ways to get Impacket, and the way you get it onto your machine can change the command name slightly. It’s also important to note that Impacket itself is actually just a python library, but the authors also wrote a number of example tools using it. To install, you can:
- Install from your distro’s package manager (if applicable)
Many distros actually include some portion of the Impacket tool library in their official package repos, but how much of it is available can vary widely. It’s pretty thorough in pentesting distros like Kali, but things like Ubuntu install a much more limited toolset. The package is called different things in different distros, so you will likely need to just search for Impacket in your package manager.
In this method, all of your tools will be run with
impacket-[toolname]instead of the.pynames for the other two methods.
- Create a Python virtual environment and install via pip
- Install with
pip install impacket. This will install a consistent toolset no matter the environment but will only be available when that virtual environment is active unless you change your path to include it.
- Install with
- Clone the repo directly
- You can also clone the source directly from the official repo, and install it however the junk you want. The example scripts are in
/examples. The biggest benefit of this method is you get exactly the version you want, and you get all the pre-built tools, not just what a package manager decided you probably wanted.
- You can also clone the source directly from the official repo, and install it however the junk you want. The example scripts are in
A significant number of Impacket’s scripts need credentials to really function, so they are often a better tool for privilege escalation enumeration than just blind enumeration for a machine you have no access to.
Here’s an example of GetADUsers.py:
# Enumerate all domain users with detailed attributes
GetADUsers.py -all domain.local/username:password -dc-ip 192.168.1.10
# This reveals not just usernames, but also:
# - Account creation dates
# - Last logon times
# - Password policy information
# - Account status (enabled/disabled)
# - Group memberships
Similarly, GetNPUsers.py targets a specific vulnerability pattern—accounts that don’t require Kerberos pre-authentication. This tool demonstrates how Impacket combines enumeration with vulnerability identification:
# Identify accounts vulnerable to ASREPRoasting
GetNPUsers.py domain.local/ -usersfile users.txt -format hashcat -outputfile hashes.txt
The secretsdump.py tool represents the ultimate goal of many enumeration exercises—extracting credential material from compromised systems:
# Extract password hashes and other secrets
secretsdump.py domain.local/username:password@192.168.1.100
What often sets Impacket apart is its reliability. Because it implements Windows protocols from scratch, it often works in situations where other tools might fail due to compatibility issues or protocol variations.
BloodHound: Mapping the Active Directory Landscape
BloodHound represents a paradigm shift in Active Directory enumeration. Rather than focusing on individual hosts or services, BloodHound creates a comprehensive map of relationships within the Active Directory environment. Think of it as creating a detailed organizational chart that shows not just who reports to whom, but also who has access to what, and how those access patterns create pathways through the network.
The thing I didn’t understand when I first tried to use Bloodhound is that Bloodhound itself is just a relationship visualizer. The tool itself actually never connects to other hosts. Instead, it ingests data from other tools that output compatible data. Some of these include SharpHound.exe for running on a domain joined Windows machine, or bloodhound-python for running remotely from Linux.
The power of BloodHound lies in its graph-based approach to understanding Active Directory relationships. It collects data about users, groups, computers, and their interconnections, then presents this information in a visual format that makes complex attack paths immediately apparent.
# Collect comprehensive AD data using SharpHound
# From a Windows system with domain access:
SharpHound.exe -c All -d domain.local
# From a Linux system using BloodHound.py:
bloodhound-python -u username -p password -ns 192.168.1.10 -d domain.local -c All
What makes BloodHound particularly valuable is its ability to identify attack paths that might not be obvious through traditional enumeration. For example, it might reveal that a service account you’ve compromised has administrative rights on a server that contains sensitive data, or that a particular user group has privileges that could be chained together to achieve domain administrator access. Often, the default queries can be used to map a path for how you can go from a user you own to a domain administrator via abusing different permissions.
These queries built into BloodHound help focus your enumeration efforts on the most promising targets. Rather than manually analyzing hundreds of users and computers, you can quickly identify which accounts have the most privileges, which computers are most accessible, or which paths lead to high-value targets like domain controllers.
BloodHound also excels at persistence analysis—showing how an attacker might maintain access to the environment through multiple pathways. This perspective is crucial for both offensive and defensive security, as it reveals the true scope of potential compromise beyond the initial entry point.
ldapdomaindump: Comprehensive LDAP Enumeration
I think of ldapdomaindump as the “poor man’s Bloodhound”. It definitely has its place in a pentesting toolkit, however, and I still use it, simply because sometimes the HTML outputs it produces are a helpful visualization, and don’t rely on searching the way that Bloodhound’s interface does. LDAP serves as the backbone of Active Directory, containing detailed information about every object in the domain. Think of ldapdomaindump as a detailed census taker that methodically catalogs every person, place, and thing in the digital domain.
What sets ldapdomaindump apart is its thoroughness and its presentation format. Rather than simply dumping raw LDAP data, it processes and organizes the information into human-readable HTML reports that make analysis much more manageable. This dump is best combined with Bloodhound for deeper investigation.
# Perform comprehensive LDAP enumeration
ldapdomaindump -u 'domain.local\username' -p 'password' 192.168.1.10
# This creates several HTML files:
# - domain_computers.html: All computer accounts with details
# - domain_users.html: All user accounts with attributes
# - domain_groups.html: All groups and memberships
# - domain_policy.html: Domain and password policies
# - domain_trusts.html: Trust relationships with other domains
Putting It All Together: A Systematic Approach
Effective Windows enumeration requires a systematic approach that builds understanding progressively. Think of it as constructing a detailed map of enemy territory—you start with broad reconnaissance and gradually fill in the details as you gather more information.
The typical enumeration workflow begins with network discovery to identify active hosts and services. nmap, like on linux, serves as your primary tool for this phase, quickly identifying systems running Windows services and providing basic system information. netexec can help you dive in further on those while enum4linux finds interesting places to investigate further. This initial reconnaissance establishes the scope of your target environment and identifies the most promising systems for further investigation. File share enumeration with smbmap and smbclient can help find initial information available, and can be a good place to come back to once you get credentials to the machine.
Once you have credentials or have discovered the machine allows anonymous access, you should begin mapping the Active Directory structure using BloodHound and ldapdomaindump. This tool provides the strategic overview that helps you understand how individual systems and accounts fit into the larger organizational structure. BloodHound’s analysis capabilities help you identify high-value targets and potential attack paths that might not be apparent from individual system enumeration. Impacket’s specialized tools also come into play here, allowing you to interact with specific Windows services to extract detailed information about users, groups, and system configurations, potentially finding new vulnerabilities to exploit to help you pivot through the Active Directory graph.
Credential management becomes increasingly complex as exploitation progresses. You’ll often discover multiple sets of credentials with different privilege levels and access patterns. Maintaining clear records of which credentials work where, and what level of access they provide, prevents confusion and ensures you can leverage each discovered credential effectively.
Conclusion: Building Your Windows Enumeration Expertise
Mastering Windows enumeration requires understanding both the technical capabilities of individual tools and the strategic thinking needed to combine them effectively. Each tool we’ve explored serves a specific purpose in the larger enumeration ecosystem, and their true power emerges when they’re used together systematically.
The tools and techniques covered in this guide provide a solid foundation for Windows enumeration, but remember that the landscape continues to evolve. New tools emerge, existing tools receive updates, and defensive technologies adapt to counter enumeration techniques. Staying current with these developments and practicing in controlled environments like personal labs and CTF competitions ensures your skills remain sharp and relevant.
Most importantly, remember that enumeration is not just about running tools—it’s about understanding the story they tell about your target environment. The most successful penetration testers and CTF participants are those who can synthesize information from multiple sources, identify patterns and relationships, and translate technical findings into actionable intelligence for achieving their objectives.