AD: Authenticated Enumeration
Real purpose of the technique
AS-REP Roasting
Enumeration and exploitation in one step: identify domain accounts that have Kerberos pre-authentication disabled, then obtain crackable material for them without knowing their passwords.
Manual Enumeration
The real goal is to learn everything about the Windows host and the domain you have a foothold on (as an ethical hacker) without dropping any extra tools on it, using only built-in commands such as CMD and PowerShell.
Enumeration With BloodHound
- From Lists to Graphs: Go from simply listing users to visualizing relationships between them.
- Identifying Attack Paths: Find the shortest path to Domain Admin by exploiting inherited privileges and active sessions.
- Offline Analysis: Collection is fast but noisy (many LDAP queries and session checks against the target); the attack itself is planned afterwards, offline, without touching the target again.
How it works on real bounty targets
AS-REP Roasting
If an administrator sets "Do not require Kerberos preauthentication" on an account, anyone who can reach the KDC can request an AS-REP for that account without knowing its password. Part of the reply is encrypted with a key derived from the account's password, so the attacker takes that material offline and cracks the password with no further interaction with the domain.
Manual Enumeration
Enumerate manually with built-in commands to spot privileged accounts, service accounts and accounts whose passwords were set a long time ago (stale passwords are a good sign of weak or reused credentials).
Enumeration With BloodHound
- Stage 1 (Collection): A collector (SharpHound) queries the domain controllers over LDAP for users, groups, computers and permissions, and contacts domain-joined hosts over SMB/RPC to read local group membership and logged-on sessions.
- Stage 2 (Ingestion and analysis): The JSON output (usually zipped) is uploaded to BloodHound CE, which loads it into its graph database and exposes it through the web interface.
- Relationship Analysis (Edges):
- MemberOf: The principal (user, group or computer) is a member of a group; group privileges are inherited through this edge, including nested membership.
- AdminTo: The user or group holds local administrator rights on a computer.
- HasSession: A computer has a logged-on session for a user (perhaps an admin); if that computer is compromised, the user's credentials or token can be taken from it.
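The point of "from lists to graphs" (and of planning offline) is that these three edges chain: a group you belong to is AdminTo a computer, that computer HasSession for another user, who is MemberOf a more privileged group. The block below is an added example, not code from the original notes or from BloodHound itself: a small breadth-first search over a constructed edge list in the shape SharpHound would collect, so the principal names and the domain CORP.LOCAL are made up. BloodHound does the same thing with Cypher shortest-path queries (its "Find Shortest Paths to Domain Admins" pre-built query), but the logic is worth seeing on its own.

```powershell
# Added example (not from the original page or from BloodHound): shortest
# attack path over MemberOf / AdminTo / HasSession edges.
# Sample data is constructed; every name below is fictional.
$edges = @(
    # source,                  edge,          target
    @('ALICE@CORP.LOCAL',      'MemberOf',    'HELPDESK@CORP.LOCAL'),
    @('HELPDESK@CORP.LOCAL',   'AdminTo',     'WS01.CORP.LOCAL'),
    @('WS01.CORP.LOCAL',       'HasSession',  'BOB@CORP.LOCAL'),
    @('BOB@CORP.LOCAL',        'MemberOf',    'IT-OPS@CORP.LOCAL'),
    @('IT-OPS@CORP.LOCAL',     'AdminTo',     'SRV02.CORP.LOCAL'),
    @('SRV02.CORP.LOCAL',      'HasSession',  'DA-CAROL@CORP.LOCAL'),
    @('DA-CAROL@CORP.LOCAL',   'MemberOf',    'DOMAIN ADMINS@CORP.LOCAL'),
    @('ALICE@CORP.LOCAL',      'AdminTo',     'WS09.CORP.LOCAL'),   # dead end:
    @('WS09.CORP.LOCAL',       'HasSession',  'ALICE@CORP.LOCAL')   # only Alice is there
)

# Adjacency list: node -> array of @(edgeType, target)
$graph = @{}
foreach ($e in $edges) {
    if (-not $graph.ContainsKey($e[0])) { $graph[$e[0]] = @() }
    $graph[$e[0]] += ,@($e[1], $e[2])      # leading comma keeps the pair as one element
}

function Find-AttackPath {
    # Breadth-first search: the first time we reach $To is the fewest hops.
    param([string]$From, [string]$To)
    $queue = New-Object System.Collections.Queue
    $queue.Enqueue(@($From))
    $seen = @{ $From = $true }              # visited set stops the WS09 <-> ALICE loop
    while ($queue.Count -gt 0) {
        $path = $queue.Dequeue()
        $node = $path[-1]
        if ($node -eq $To) { return $path }
        foreach ($hop in $graph[$node]) {   # $null when the node has no out-edges
            $next = $hop[1]
            if (-not $seen.ContainsKey($next)) {
                $seen[$next] = $true
                $queue.Enqueue($path + @("-[$($hop[0])]->", $next))
            }
        }
    }
    return $null
}

$path = Find-AttackPath -From 'ALICE@CORP.LOCAL' -To 'DOMAIN ADMINS@CORP.LOCAL'
if ($path) { $path -join ' ' } else { 'no path found' }
```

With this data the search ignores the WS09 branch (it only leads back to Alice) and returns the seven-hop chain from ALICE through HELPDESK, WS01, BOB, IT-OPS, SRV02 and DA-CAROL to DOMAIN ADMINS. Each HasSession hop in that chain is a place where you would need to be local admin on the box and dump or impersonate the logged-on user, which is exactly why the AdminTo edge before it matters.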
Main tools/commands + what they do