New feature: HTB Academy Badges Learn More

Active Directory PowerView

This module covers AD enumeration focusing on the PowerView and SharpView tools. We will cover various techniques for enumerating key AD objects that will inform our attacks in later modules.


Created by mrb3n
Co-Authors: ippsec-3

Medium Offensive


This module introduces third-party, open-source tools such as PowerView and SharpView. We will learn how to gather and analyze data from these tools and how they can be used as input to other tools during later parts of an AD-focused penetration test. In this module, we will cover:

  • PowerView/SharpView usage
  • Enumerating key AD objects such as users, groups, computers, ACLs, and GPOs
  • Enumerating AD trust relationships

This module is broken down into sections with accompanying hands-on exercises to practice each of the tactics and techniques we cover. The module ends with a practical hands-on skills assessment to gauge your understanding of the various topic areas.

As you work through the module, you will see example commands and command output for the various topics introduced. It is worth reproducing as many of these examples as possible to reinforce further the concepts introduced in each section. You can do this in the Pwnbox provided in the interactive sections, Windows machines in a lab environment as directed, or your own virtual machine.

You can start and stop the module at any time and pick up where you left off. There is no time limit or "grading," but you must complete all of the exercises and the skills assessment to receive the maximum number of cubes and have this module marked as complete in any paths you have chosen.

The module is classified as "Medium." It assumes a working knowledge of Active Directory, the Linux and Windows command line, PowerShell, an understanding of information security fundamentals, and a firm grasp of AD enumeration processes and techniques.

A firm grasp of the following modules can be considered prerequisites for successful completion of this module:

  • Introduction to Networking
  • Linux Fundamentals
  • Active Directory LDAP
  • Windows Fundamentals

AD Enumeration Toolkit

As discussed in the Active Directory LDAP module, in-depth enumeration is arguably the most important phase of any security assessment. Attackers are continuing to find new (and old) techniques and methodologies for abusing and attacking AD. In AD, this phase helps us to get a "lay of the land" and understand the design of the internal network, including the number of OUs, users, groups, computers, ACLs, and other AD objects and the hundreds and thousands of relationships that make up an AD environment. Our job is to untangle these often very complex relationships by gathering relevant data in various formats and organizing in a way that helps us uncover the flaws and misconfigurations hiding inside the network.

The Active Directory LDAP module provided an overview of Active Directory, introduced a variety of built-in tools that can be extremely useful when performing AD enumeration, and perhaps the most important, covered LDAP and AD search filters which, when combined with these built-in tools, provide us with a powerful arsenal to drill down into the intricacies of AD and discover nuanced, but serious, misconfigurations before the attackers do. While it is important for us to be able to "live off the land" when performing assessments, it is equally important to understand the wide variety of third-party open-source tools available to us for enumerating and attacking AD. Each of the tools that we will cover in this module performs AD enumeration in slightly different ways. We often need to gather, analyze, and interpret data from many of them iteratively throughout and assessment. The knowledge of and ability to use built-in tools and third-party tools effectively is what can set us apart from other assessors.

Tools of the Trade

Depending on the type of engagement we are on, there are various tools available to us to perform AD enumeration. Some of the most important ones for us to be able to use effectively are:

Tool Description
BloodHound Used to visually map out AD relationships and help plan attack paths that may otherwise go unnoticed. Uses the SharpHound PowerShell or C# ingestor to gather data to later be imported into the BloodHound JavaScript (Electron) application with a Neo4j database for graphical analysis of the AD environment. A Python-based BloodHound ingestor based on the Impacket toolkit. It supports most BloodHound collection methods and can be run from a non-domain joined attack box. The output can be ingested into BloodHound 3.0 for analysis.
PowerView/SharpView A PowerShell tool and a .NET port of the same used to gain situational awareness in AD. These tools can be used as replacements for various Windows net* commands and more. PowerView and SharpView can help us gather much of the data that BloodHound does, but it requires more work to make meaningful relationships among all of the data points. These tools are great for checking what additional access we may have with a new set of credentials, targeting specific users or computers, or finding some "quick wins" such as users that can be attacked via Kerberoasting or ASREPRoasting
CrackMapExec (CME) CME is an enumeration, attack, and post-exploitation toolkit which can help us greatly in enumeration and performing attacks with the data we gather. CME attempts to "live off the land" and abuse built-in AD features and protocols such as SMB, WMI, WinRM, and more.
PingCastle Used for auditing the security level of an AD environment based on a risk assessment and maturity framework (based on CMMI adapted to AD security).
PowerUpSQL This tool is used for SQL Server discovery, configuration auditing, privilege escalation, and post-exploitation.
Snaffler Useful for finding information (such as credentials) in Active Directory on computers with accessible file shares.
Grouper2 Grouper2 is useful for auditing and finding security misconfigurations in AD Group Policy Objects (GPO)
MailSniper A tool for searching through email inboxes in a Microsoft Exchange environment for specific keywords/terms that may be used to enumerate sensitive data (such as credentials) which could be used for lateral movement and privilege escalation. It can search a user's individual mailbox or by a user with Exchange Administrator privileges to enumerate all mailboxes in a domain. It can also be used for password spraying, enumerating domain users/domains, checking mailbox permissions, and gathering the Global Address List (GAL) from Outlook Web Access (OWA) and Exchange Web Services (EWS).
windapsearch A Python script used to enumerate AD users, groups, and computers using LDAP queries. Useful for automating custom LDAP queries.
ADRecon A tool used to extract various data from a target AD environment. The data can be output in Microsoft Excel format with summary views and analysis to assist with analysis and paint a picture of the environment's overall security state.
Active Directory Explorer Active Directory Explorer (AD Explorer) is an AD viewer and editor. It can be used to navigate an AD database and view object properties and attributes. It can also be used to save a snapshot of an AD database for off-line analysis. When an AD snapshot is loaded, it can be explored as a live version of the database. It can also be used to compare two AD database snapshots to see changes in objects, attributes, and security permissions.

This module will focus on the PowerView and SharpView tools to cover various AD enumeration techniques. As penetration testers, it is important to have a wide range of tools available to us and understand how they work to troubleshoot if we are not getting expected results. While we may not use every one of these tools on an engagement, it is important to understand how they work, complement each other, and can be combined to provide the deepest possible coverage of the target AD environment, based on the goals of the assessment. The tools listed above will be covered in other modules.

Next Steps

During this module, we will target a fictional company called INLANEFREIGHT with the internal domain INLANEFREIGHT.LOCAL. The module sections will build on each other, culminating in a mock penetration testing skills assessment to showcase our skills before moving on to the next module in this series. For all exercises, we will assume that the target company Inlanefreight has hired us to perform an in-depth penetration test with a heavy focus on AD security, where stealth and bypassing stringent security controls are not a requirement.

Module Exercises

Throughout this module, you will connect to various target hosts via the Remote Desktop Protocol (RDP) to complete the exercises. Any necessary credentials will be provided with each exercise, and the RDP connection can be made via xfreerdp from the Pwnbox as follows:

xfreerdp /v:<target IP address> /u:htb-student /p:<password>

Any necessary tools can be found in the c:\tools directory after logging in to the target host.

Sign Up / Log In to Unlock the Module

Please Sign Up or Log In to unlock the module and access the rest of the sections.

Relevant Paths

This module progresses you towards the following Paths

Active Directory Enumeration

Active Directory (AD) is widely used by companies across all verticals/sectors, non-profits, government agencies, and educational institutions of all sizes. By its nature, AD is easily misconfigured and has many inherent flaws and widely known vulnerabilities. Due to the sheer number of objects and in AD and complex intertwined relationships that form as an AD network grows, it becomes increasingly difficult to secure and presents a vast attack surface. AD environments can become quite large and often hold many obvious and more difficult to discover flaws. A deep understanding of AD enumeration techniques and tools is essential to becoming a well-rounded information security professional.

Hard Path Sections 35 Sections
Required: 2500
Reward: +500
Path Modules
Active Directory LDAP
Path Sections 12 Sections
Reward: +200
This module provides an overview of Active Directory (AD), introduces core AD enumeration concepts, and covers enumeration with built-in tools.
Active Directory PowerView
Path Sections 9 Sections
Reward: +200
This module covers AD enumeration focusing on the PowerView and SharpView tools. We will cover various techniques for enumerating key AD objects that will inform our attacks in later modules.
Active Directory BloodHound
Path Sections 14 Sections
Reward: +100 UPDATED
This module covers AD enumeration focusing on the BloodHound tool. We will cover various techniques for enumerating key AD objects that will inform our attacks in later modules.