# Enumerate Active Directory

Enumeration steps to run once an initial set of domain credentials has been obtained.


## SYSVOL

* On Windows, use `runas` to open a command prompt that carries the domain credentials (`/netonly` applies them to network authentication only; the local token stays that of the logged-on user)
```cmd
runas.exe /netonly /user:%FQDNORNETBIOSDOMAIN%\%USERNAME% cmd.exe
```
* Check the validity of the credentials against `SYSVOL`, the share that stores __Group Policy Objects (GPO)__; every authenticated AD account has read access to it
    * Point the machine's DNS resolver at the DC so that domain names resolve
```powershell
$dnsip = "<DC IPaddress>"
# ifIndex of the adapter whose DNS servers should be replaced
$index = Get-NetAdapter -Name '<Ethernet>' | Select-Object -ExpandProperty 'ifIndex'
Set-DnsClientServerAddress -InterfaceIndex $index -ServerAddresses $dnsip
```
    * Then list `SYSVOL` by `hostname`; a name-based UNC path authenticates via Kerberos
```cmd
dir \\%HOSTNAME%\SYSVOL\
```
    * Listing `SYSVOL` by `IP` address instead forces `NTLM` authentication, because no SPN can be matched for an IP target
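The hostname-versus-IP check above, as an added PowerShell example that is not part of the original notes: it tests whether `SYSVOL` is reachable via both paths and reports, per path, whether a Kerberos service ticket (`cifs/<host>`) was issued or the access fell back to NTLM. `$DcHost` and `$DcIp` are placeholders for the real DC name and address.

```powershell
# Added example (not from the original notes). Verifies SYSVOL access by
# hostname and by IP and reports which authentication mechanism each path used.
function Test-SysvolAccess {
    param(
        [Parameter(Mandatory)][string]$DcHost,   # assumed, e.g. dc01.example.com
        [Parameter(Mandatory)][string]$DcIp      # assumed, e.g. 10.0.0.5
    )

    foreach ($target in @($DcHost, $DcIp)) {
        $path = "\\$target\SYSVOL"

        # Every authenticated domain account can read SYSVOL, so a failure here
        # usually means bad credentials, wrong DNS or a blocked SMB port.
        $reachable = Test-Path -LiteralPath $path

        # Kerberos is only used when the UNC target is a name that maps to an
        # SPN; an IP target falls back to NTLM and leaves no cifs/ ticket behind.
        $ticket = klist 2>$null | Select-String -SimpleMatch "cifs/$target"

        [pscustomobject]@{
            Path      = $path
            Reachable = $reachable
            AuthType  = if ($ticket) { 'Kerberos' }
                        elseif ($reachable) { 'NTLM (no service ticket issued)' }
                        else { 'n/a' }
        }
    }
}

# Usage (placeholders): run after the runas /netonly shell has been opened
Test-SysvolAccess -DcHost '<dc hostname>' -DcIp '<DC IPaddress>' | Format-Table -AutoSize
```

On the DC side the two paths are distinguishable in the Security log: the IP-based access produces a network logon (event 4624, logon type 3) whose authentication package is NTLM rather than Kerberos, which is why NTLM use against file shares is worth alerting on in an environment that expects Kerberos everywhere.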

## Microsoft Management Console (MMC)

* Use the AD snap-ins shipped with the `Remote Server Administrative Tools`
    * Start -> Apps & Features -> Manage Optional Features -> Add a feature -> search `RSAT` -> select `RSAT: Active Directory Domain Services and Lightweight Directory Tools` -> Install
    * `Win` + `r` -> `MMC` -> File -> Add/Remove Snap-in -> add the three AD snap-ins -> right click `Active Directory Sites and Services` -> `Change Forest` -> add the root domain -> right click `Active Directory Users and Computers` -> Change Domain -> enter the root domain -> right click `Active Directory Users and Computers` -> View -> Advanced Features
    * Start enumerating by clicking the domain object in the tree on the left
    * Take a look at the `People` directory and right click the objects in it to see their properties
    * The same console allows changes (creating users, editing group membership), so it serves for enumeration and for administration alike

## CMD enumeration

Run these from a domain-joined machine.

* Users
```cmd
net user /domain
```
* Specific user
```cmd
net user <username> /domain
```
* Groups
```cmd
net group /domain
```
* Specific group
```cmd
net group <groupname> /domain
```
* Password policy via accounts
```cmd
net accounts /domain
```

## PowerShell Cmdlets

* User details (all attributes of one account)
```powershell
Get-ADUser -Identity <username> -Server <fqdn/or/DCdomain> -Properties *
```
* Groups
```powershell
Get-ADGroup -Identity Administrators -Server exampleDC.com -Properties *
```
* Group membership
```powershell
Get-ADGroupMember -Identity Administrators -Server exampleDC.com
```
* Generic AD objects (the filter uses PowerShell expression syntax; `-IncludeDeletedObjects` also returns tombstoned objects)
```powershell
Get-ADObject -Filter '<filter>' -IncludeDeletedObjects -Server exampleDC.com
Get-ADObject -Filter 'badPwdCount -gt 0' -Server exampleDC.com
```
* Domains
```powershell
Get-ADDomain -Server exampleDC.com
```
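The cmdlets above combined into one report, as an added example that is not part of the original notes: it walks the privileged groups recursively (so nested members are not missed) and, for each user, pulls the attributes a reviewer looks at first, including whether an SPN is set, which is the property BloodHound's analysis flags as kerberoastable. `exampleDC.com` is the page's placeholder DC; the group list is an assumption.

```powershell
# Added example (not from the original notes). Summarises the members of
# privileged groups and the attributes a defender reviews first.
Import-Module ActiveDirectory

function Get-PrivilegedAccountReport {
    param(
        [string]$Server = 'exampleDC.com',                         # placeholder from the page
        [string[]]$Groups = @('Domain Admins', 'Administrators')   # assumed group list
    )

    foreach ($group in $Groups) {
        # -Recursive expands nested groups, so indirect members are included
        $members = Get-ADGroupMember -Identity $group -Server $Server -Recursive |
            Where-Object { $_.objectClass -eq 'user' }

        foreach ($m in $members) {
            $u = Get-ADUser -Identity $m.distinguishedName -Server $Server `
                -Properties ServicePrincipalName, PasswordNeverExpires, PasswordLastSet, badPwdCount, Enabled

            [pscustomobject]@{
                Group                = $group
                SamAccountName       = $u.SamAccountName
                Enabled              = $u.Enabled
                # A privileged account with an SPN can have a service ticket requested
                # by any domain user; BloodHound lists such accounts as kerberoastable
                HasSPN               = ($u.ServicePrincipalName.Count -gt 0)
                PasswordNeverExpires = $u.PasswordNeverExpires
                PasswordLastSet      = $u.PasswordLastSet
                BadPwdCount          = $u.badPwdCount
            }
        }
    }
}

# Usage: flagged rows (HasSPN or PasswordNeverExpires) are the ones to remediate first
Get-PrivilegedAccountReport |
    Sort-Object Group, SamAccountName |
    Format-Table Group, SamAccountName, Enabled, HasSPN, PasswordNeverExpires, PasswordLastSet, BadPwdCount -AutoSize
```

`Get-ADGroupMember` returns principals of every class; the `objectClass` filter keeps users only, because computers and nested groups are expanded by `-Recursive` and would otherwise produce `Get-ADUser` errors.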

## SharpHound and BloodHound

* [BloodHound documentation](https://bloodhound.readthedocs.io/en/latest/index.html#)

* Switch to the AD user via `runas.exe` and collect with one of the following
    * SharpHound.ps1
    * SharpHound.exe
    * AzureHound.ps1

* For example
```cmd
SharpHound.exe --CollectionMethods <Default/Session/All> --Domain example.com --ExcludeDCs
```
* After some time, collect the current sessions separately via
```cmd
SharpHound.exe --CollectionMethods Session --Domain example.com --ExcludeDCs
```
* Start the neo4j database in the foreground
```sh
neo4j console
```
* Start BloodHound
```sh
bloodhound --no-sandbox
```
* Drag and drop the zip file produced by SharpHound into the BloodHound window
* Search for AD objects and follow the edges between them to trace a path to a target, or use the pre-built queries in the `Analysis` tab
* The `Analysis` tab also lists exposed accounts directly, for example kerberoastable accounts

## LDAP

## PowerView 

## WMI