Enumeration, Hacking

Start ADEnum – Tool that Automates Active Directory Enumeration

A tool to automate Active Directory enumeration.

Tool Prereq

This tool requires that you have a runas /netonly shell.


  • Start-PreReqCheck
  • Install-Tools
  • Start-ADEnum


This function determines if the current Windows 10 OS is 1809+ and installs all the prerequisites. The list of prerequisites includes the following:

  • Identifies if current Windows 10 host is on version 1809+ and installs RSAT tools via Feature on Demand.
  • Determines if Powerview, Bloodhound, Grouper and PingCastle exist in the C:\tools\ directory. If not the script will invoke the Install-Tools script.
  • Disables Defender real time monitoring to allow 3rd party modules to run.
Also read: ADRecon – Active Directory Recon


This function is invoked from Start-PreReqCheck in the event the below modules aren’t currently installed. Furthermore, chocolatey (https://chocolatey.org/) and git (https://chocolatey.org/packages/git) are installed to allow cloning of the GitHub repositories.

  • PowerView
  • Bloodhound
  • Grouper
  • PingCastle


This function performs the following actions:

  • Performs individual scans on specific domains or on all domains automatically identified via trust enumeration.
  • Creates PowerShell jobs for each domain and for each type of scan.

The following scans types are available:

  • Powerview – Run various commands to dump a list of users, computers, local group membership, high value domain group membership, etc. Refer to https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon for a full list of commands.
  • Bloodhound – Runs collection method All with the skipping option. Refer to to https://github.com/BloodHoundAD/BloodHound/wiki/Data-Collector for a full list of collector options.
  • Grouper – Utilizes RSAT Get-GPOReport to extract a GPO Report in xml format that can then be parsed by Grouper to identify any vulnerable settings within Group Policy.
  • Ping Castle – Perform an Active Directory health check and runs various scanners such as open share, SMB version and signing enabled, spooler service available, null sessions on hosts/trusts and laps/bitlocker checks.


  • ClientNameEnter the client name for folder structure.
  • PathEnter path where evidence will be placed. If folder doesn’t already exist, the script will create it.
  • DomainsEnter individual domain to enumerate or let the script automatically identify all vailable domains via trust enumeration.
  • ScanEnter individual scan(s) to perform. Scans that are available include Active Directory Certificate Services (ADCS) , Bloodhound, GPOReport, PowerView, PingCastle, PrivExchange, and All


Gathers a list of all domain/forest by enumerating trusts and runs all scans against each domain found.

Start-ADEnum -ClientName lkylabs -Path C:\Projects -Scan All 

Runs all scans against lkylabs.com and corp.lkylabs.com.

Start-ADEnum -ClientName lkylabs -Path C:\Projects -Domain lkylabs.com -Scan All 

Runs PowerView and Bloodhound scans against lkylabs.com and corp.lkylabs.com domains.

Start-ADEnum -ClientName lkylabs -Path C:\Projects -Domain lkylabs.com,corp.lkylabs.com -Scan PowerView,Bloodhound 

You can read more about the tool and developers projects here – https://github.com/lkys37en/Start-ADEnum

Source : Haxf4rall

Previous ArticleNext Article
Send this to a friend