When attacking an Active Directory, or in fact any system, it is essential to gather useful information that will help define who, what, when and where. Here are some examples of what information to look for.

• The location of the domain controllers (and other major AD services like KDC, DNS and so on). This can be achieved by resolving standard names, by scanning the network and with standard LDAP queries

• The domain name. It can be found with standard LDAP queries, recon through MS-RPC named pipes, by combining different recon techniques with enum4linux, by inspecting multicast and broadcast name resolution queries, ...

• Domain objects and relations between them with BloodHound, with MS-RPC named pipes and with enum4linux.