killchain-compendium/Miscellaneous/Active Directory/ad_enumeration.md

Enumerate Active Directory

Enumeration following after initial credentials are gained

SYSVOL

• On windows use runas and gain local administrative permissions via

runas.exe /netonly /user:%FQDNORNETBIOSDOMAIN%\%USERNAME% cmd.exe

• Check validity of credentials against SYSVOL, it stores Group Policy Objects (GPO). Every AD account will gain access
  • Query DNS, for example the DC

$dnsip = "<DC IPaddress>"
$index = Get-NetAdapter -Name '<Ethernet>' | Select-Object -ExpandProperty 'ifIndex'
Set-DnsClientServerAddress -InterfaceIndex $index -ServerAddresses $dnsip

* Check `SYSVOL` afterwards via `hostname` to verify via Kerberos auth

dir \\%HOSTNAME%\SYSVOL\

* Check `SYSVOL` via `IP` address to force `NTLM` authentication

Microsoft Management Console (MMC)

• Use AD Snap-ins of Remote Server Administrative Tools
  • Start -> Apps & Features -> Manage Optional Features -> Add a feature -> Search RSAT -> Select RSAT: Active Directory Domain Services and Lightweight Directory Tools -> Install
  • Win + r -> MMC -> File -> Add/Remove Snap-in -> add 3 AD feature snap-ins -> right click Active Directory Sites and Services -> Change Forest -> Add root domain -> right click Active Directory Users and Computers -> Change Domain -> enter root domain -> right click Active Directory Users and Computers -> View -> Advanced Features
  • Start enumerating via click on the domain object in the tree on the left
  • Take a look at People directory -> right click on them to see properties
  • Change or create user or change groups
  • Also use MMC to enumerate

CMD enumeration

Execute from domain joined machine

• Users

net user /domain

• Specific user

net user <username> /domain

• Groups

net group /domain

• Specific group

net group <groupname> /domain

• Password Policy via accounts

net accounts /domain

Powershell Cmdlets

• User details via

 Get-ADUser -Identity <username> -Server <fqdn/or/DCdomain> -Properties *

• Groups

Get-ADGroup -Identity Administrators -Server exampleDC.com  -Properties *

• Group membership

Get-ADGroupMember -Identity Administrators -Server exampleDC.com

• Generic AD objects

Get-ADObject -Filter <filterstuff>  -includeDeletedObjects -Server exampleDC.com
Get-ADObject -Filter 'badPwdCount -gt 0' -Server exampleDC.com

• Domains

 Get-ADDomain -Server exampleDC.com

Sharphound and Bloodhound

• BloodHound documentation

• Change to AD user via runas.exe and collect via one of the following

  • Sharphound.ps1
  • sharphound.exe
  • Azurehound.ps1

• For example

Sharphound.exe --CollectionMethods <Default/Session/All> --Domain example.com --ExcludeDCs

• After some time collect the current sessions via

Sharphound.exe --CollectionMethods Session --Domain example.com --ExcludeDCs

• Start neo4j db

neo4j console start

• Start bloodhound

bloodhound --no-sandbox

• Drag and Drop the zip file from Sharphound
• Either search for AD objects and use Analysis to find an attack path through the info on the edges
• Shows exploitable accounts in the Analysis tab, for example kerberroastable accounts

LDAP

PowerView

WMI