Enumeration

Build a domain map, and repeat the enumeration after each new access you obtain.

Identify:

  • Network (Active hosts)

  • AD Key Services (Kerberos, NetBIOS, LDAP, DNS)

  • AD computers

  • AD users

  • Vulnerabilities

Automated

BloodHound

Start neo4j

sudo neo4j start

Log in at http://localhost:7474. Default credentials: neo4j:neo4j; it will ask you to change the password after the first login.

bloodhound
# automatically finds the port on which the neo4j database is running

On http://localhost:7474 log in with your neo4j credentials. Import the collected data (a single JSON file or a ZIP) with "Upload Data".

Manually

The ActiveDirectory PowerShell module is a set of PowerShell cmdlets for administering an Active Directory environment. Before using it, check with Get-Module that it is loaded, and import it if it is not.

Get-Module
Import-Module ActiveDirectory

Domain

Get-ADDomain
echo %USERDOMAIN%
echo %logonserver%  # the DC that authenticated this session

We can also get domain information from plain PowerShell, using the .NET System.DirectoryServices classes to talk to AD over LDAP and extract objects.

$domainObj = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$PDC = $domainObj.PdcRoleOwner.Name                 # domain controller holding the PDC emulator role
$DN = ([adsi]'').distinguishedName                  # distinguished name of the current domain
$LDAP = "LDAP://$PDC/$DN"
$direntry = New-Object System.DirectoryServices.DirectoryEntry($LDAP)
$dirsearcher = New-Object System.DirectoryServices.DirectorySearcher($direntry)
$dirsearcher.filter="samAccountType=805306368"      # enumerate all users in the domain
# $dirsearcher.filter="name=jeffadmin"              # single user instead; then print $prop.memberof rather than $prop to list its groups
$result = $dirsearcher.FindAll()
Foreach($obj in $result)
{
    Foreach($prop in $obj.Properties)
    {
        $prop
    }
    Write-Host "-------------------------------"
}
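The loop above prints every attribute of every result. The following is an added example, not code from the original page: it wraps the same DirectorySearcher setup in a reusable function that takes an LDAP filter and a list of attributes, then runs the two filters the page mentions (all users; one user's group membership) plus one for accounts with an SPN. It assumes only .NET System.DirectoryServices on a domain-joined host; the ActiveDirectory module is not needed. The function name Invoke-LdapSearch and the account name jeffadmin (the page's own placeholder) are assumptions.

```powershell
# Added example (not from the original page). Reusable LDAP search built on the
# same DirectoryEntry/DirectorySearcher pattern the page shows.
function Invoke-LdapSearch {
    param(
        [Parameter(Mandatory)] [string] $Filter,          # LDAP filter, e.g. "(samAccountType=805306368)"
        [string[]] $Properties = @("samaccountname")      # attributes to load; an empty list loads all
    )
    # Locate the PDC emulator and build the LDAP path, exactly as the page does.
    $domainObj = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $PDC  = $domainObj.PdcRoleOwner.Name
    $DN   = ([adsi]'').distinguishedName
    $root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$PDC/$DN")

    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter   = $Filter
    $searcher.PageSize = 1000          # paged results; without this the DC caps a search at 1000 objects
    foreach ($p in $Properties) { [void]$searcher.PropertiesToLoad.Add($p) }

    foreach ($res in $searcher.FindAll()) {
        # Flatten the ResultPropertyCollection into an ordinary object, one property per attribute.
        $out = [ordered]@{}
        foreach ($name in $res.Properties.PropertyNames) {
            $vals = @($res.Properties[$name])
            $out[$name] = if ($vals.Count -eq 1) { $vals[0] } else { $vals }
        }
        [pscustomobject]$out
    }
}

# All user accounts (samAccountType 805306368 = SAM_NORMAL_USER_ACCOUNT), with their groups.
Invoke-LdapSearch -Filter "(samAccountType=805306368)" -Properties samaccountname,memberof |
    Format-Table samaccountname, memberof -Wrap

# Group membership of one account (the "name=jeffadmin" variant from the page's comment).
# "jeffadmin" is an assumed placeholder; replace it with a real account name.
(Invoke-LdapSearch -Filter "(&(samAccountType=805306368)(samaccountname=jeffadmin))" -Properties memberof).memberof

# User accounts that have a servicePrincipalName set (the same population setspn -Q */* reports for users).
Invoke-LdapSearch -Filter "(&(samAccountType=805306368)(servicePrincipalName=*))" -Properties samaccountname,serviceprincipalname
```

Setting PageSize matters in any domain with more than 1000 users: without it FindAll silently returns a truncated list. Restricting PropertiesToLoad also keeps the result set small, which is what you want when auditing a large directory.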

Users

All users

Get-ADUser -Filter *
net user /domain

Info about specific user

Get-ADUser -Identity <USER> [-Properties *]
net user <USER> /domain

Groups

All groups

Get-ADGroup -Filter *
net group /domain

Info about specific group

Get-ADGroup -Identity <GROUP> [-Properties *]
Get-ADGroupMember -Identity <GROUP>
net group "<GROUP>" /domain   # lists user members only; nested groups are not shown

Share

net share
net use x: \\<COMPUTER>\<SHARE>

Password Policy

net accounts [/domains]
Get-ADDefaultDomainPasswordPolicy

Trust

Get-ADTrust -Filter *

Kerberos Tickets

klist

SPN

setspn.exe -Q */*

ACL

# 1. Dump all user names to a file
Get-ADUser -Filter * | Select-Object -ExpandProperty SamAccountName > ad_users.txt
# 2. For each user object, print the ACEs held by a given principal
foreach($line in [System.IO.File]::ReadLines("C:\<PATH>\ad_users.txt")) {Get-Acl "AD:\$(Get-ADUser $line)" | Select-Object Path -ExpandProperty Access | Where-Object {$_.IdentityReference -match '<DOMAIN>\\<USER>'}}
# 3. Decode an extended-right GUID to its name
$guid= "00299570-246d-11d0-a768-00aa006e0529" # GUID to decode
Get-ADObject -SearchBase "CN=Extended-Rights,$((Get-ADRootDSE).ConfigurationNamingContext)" -Filter {ObjectClass -like 'ControlAccessRight'} -Properties * |Select Name,DisplayName,DistinguishedName,rightsGuid| ?{$_.rightsGuid -eq $guid} | fl

The GUID to decode is the ObjectType value shown next to ActiveDirectoryRights in the Get-Acl output; the matching entry's CN=<VALUE> is the name of that right.
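The three steps above (dump users, Get-Acl on each AD:\ object, decode the GUID) can be run as one pass. The following is an added example, not code from the original page: it builds the GUID-to-name table from Extended-Rights once, then reports every explicit ACE on every user object with the right resolved to its display name, optionally filtered to one principal. It assumes the ActiveDirectory module and its AD:\ drive; the function names Resolve-RightGuid and Get-UserObjectAces and the DOMAIN\USER pattern are assumptions.

```powershell
# Added example (not from the original page): ACL audit over all user objects
# with extended-right GUIDs resolved, combining the page's three ACL steps.
Import-Module ActiveDirectory

# GUID -> display name table, built once instead of querying Extended-Rights per GUID.
$configNC = (Get-ADRootDSE).ConfigurationNamingContext
$rightsByGuid = @{}
Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" -Filter { ObjectClass -like 'ControlAccessRight' } -Properties rightsGuid, DisplayName |
    ForEach-Object { $rightsByGuid[[string]$_.rightsGuid] = $_.DisplayName }

function Resolve-RightGuid {
    param([guid]$Guid)
    # An all-zero GUID means the ACE applies to the whole object, not to one right or attribute.
    if ($Guid -eq [guid]::Empty) { return "(entire object)" }
    if ($rightsByGuid.ContainsKey($Guid.Guid)) { return $rightsByGuid[$Guid.Guid] }
    # Attribute and property-set GUIDs live in the schema partition, not Extended-Rights; left raw here.
    return $Guid.Guid
}

function Get-UserObjectAces {
    param(
        [string]$PrincipalPattern = '.*',   # regex on IdentityReference, e.g. '^DOMAIN\\USER$'
        [switch]$IncludeInherited           # by default only explicit (non-inherited) ACEs are reported
    )
    foreach ($user in Get-ADUser -Filter *) {
        $acl = Get-Acl -Path "AD:\$($user.DistinguishedName)"
        foreach ($ace in $acl.Access) {
            if ($ace.IsInherited -and -not $IncludeInherited) { continue }
            if ($ace.IdentityReference.Value -notmatch $PrincipalPattern) { continue }
            [pscustomobject]@{
                Target    = $user.SamAccountName
                Principal = $ace.IdentityReference.Value
                Rights    = [string]$ace.ActiveDirectoryRights
                Right     = Resolve-RightGuid $ace.ObjectType
                Type      = [string]$ace.AccessControlType
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Everything explicitly granted on user objects; scan the Rights column for GenericAll or WriteDacl.
Get-UserObjectAces | Sort-Object Target, Principal | Format-Table -AutoSize

# Only the ACEs held by one principal (assumed placeholder pattern; replace DOMAIN and USER).
Get-UserObjectAces -PrincipalPattern '^DOMAIN\\USER$'
```

Explicit ACEs are reported by default because inherited ones repeat the same entries on every object and hide the few that were set by hand; pass -IncludeInherited when the question is the effective permission rather than who configured it.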

PowerView

It is a PowerSploit script, and there are two versions: the old one and the new one (maintained by Empire).

Import-Module .\PowerView.ps1
Get-NetDomain # basic domain info
Get-NetUser # user info
Get-NetGroup # group info
Get-NetComputer # machine info
Get-DomainPolicy # password policy info
Find-LocalAdminAccess # machines where user has administrator privileges
Get-DomainTrustMapping # trust relationships
Get-DomainUser * -spn # SPN
# Etc.

ACL

$sid = Convert-NameToSid <USER>
Get-DomainObjectACL -ResolveGUIDs -Identity * | ? {$_.SecurityIdentifier -eq $sid}

RDP

Get-NetLocalGroupMember -ComputerName <PC_NAME> -GroupName "Remote Desktop Users"
$computers = Get-ADComputer -Filter * | Select-Object -ExpandProperty Name
foreach ($computer in $computers) {
    Get-NetLocalGroupMember -ComputerName $computer -GroupName "Remote Desktop Users"
}

WinRM

Get-NetLocalGroupMember -ComputerName <PC_NAME> -GroupName "Remote Management Users"
$computers = Get-ADComputer -Filter * | Select-Object -ExpandProperty Name
foreach ($computer in $computers) {
    Get-NetLocalGroupMember -ComputerName $computer -GroupName "Remote Management Users"
}
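The two loops above (RDP and WinRM groups) are the same procedure with a different group name, and they abort or hang on the first host that does not answer. The following is an added example, not code from the original page or from PowerView: it runs both groups in one pass, skips hosts that do not respond, records errors per host instead of stopping, and emits uniform rows that can be exported. It assumes PowerView.ps1 is in the current directory and the ActiveDirectory module is available; the function names New-AccessRow and Get-RemoteAccessGroupMembers and the output file name are assumptions.

```powershell
# Added example (not from the original page): collect local "Remote Desktop Users"
# and "Remote Management Users" membership across all enabled computers.
Import-Module .\PowerView.ps1

function New-AccessRow {
    param($Computer, $Group, $Member, $IsGroup, $Status)
    # Every row carries the same columns so Export-Csv gets a consistent header.
    [pscustomobject]@{ Computer = $Computer; Group = $Group; Member = $Member; IsGroup = $IsGroup; Status = $Status }
}

function Get-RemoteAccessGroupMembers {
    param(
        [string[]]$Groups = @("Remote Desktop Users", "Remote Management Users"),
        [string[]]$Computers = (Get-ADComputer -Filter { Enabled -eq $true } -Properties DNSHostName |
                                Select-Object -ExpandProperty DNSHostName)
    )
    foreach ($computer in $Computers) {
        # Skip hosts that do not answer a ping instead of waiting for the RPC call to time out.
        if (-not (Test-Connection -ComputerName $computer -Count 1 -Quiet)) {
            New-AccessRow $computer $null $null $null "unreachable"
            continue
        }
        foreach ($group in $Groups) {
            try {
                $members = @(Get-NetLocalGroupMember -ComputerName $computer -GroupName $group -ErrorAction Stop)
                if ($members.Count -eq 0) {
                    # Either the group really is empty or the query was refused; both look the same here.
                    New-AccessRow $computer $group $null $null "empty-or-denied"
                    continue
                }
                foreach ($m in $members) {
                    New-AccessRow $computer $group $m.MemberName $m.IsGroup "ok"
                }
            } catch {
                New-AccessRow $computer $group $null $null "error: $($_.Exception.Message)"
            }
        }
    }
}

$rows = Get-RemoteAccessGroupMembers
$rows | Where-Object Status -eq "ok" | Sort-Object Group, Computer | Format-Table -AutoSize
$rows | Export-Csv -NoTypeInformation -Path .\remote_access_groups.csv   # assumed output path
```

The ping pre-check is a trade-off: hosts that block ICMP show up as "unreachable" even though the RPC query might succeed, so drop that check in environments where ICMP is filtered. Rows with IsGroup set point at domain groups nested into the local group; those are the ones to expand next, since the local query does not recurse into them.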

BloodHound Cypher Queries

WinRM

MATCH p1=shortestPath((u1:User)-[r1:MemberOf*1..]->(g1:Group)) MATCH p2=(u1)-[:CanPSRemote*1..]->(c:Computer) RETURN p2

SQLAdmin

MATCH p1=shortestPath((u1:User)-[r1:MemberOf*1..]->(g1:Group)) MATCH p2=(u1)-[:SQLAdmin*1..]->(c:Computer) RETURN p2

Remotely

Try guest with an empty password, or an empty username with an empty password (null session).

Tools and details:

  • Active Directory information dumper via LDAP:
    ldapdomaindump -u '<DOMAIN>\<USER>' -p '<PASSWORD>' <IP> -o dump

  • Enumeration with LDAP queries:
    windapsearch --dc-ip <IP_DC> -u <USER>@<DOMAIN> -p <PASSWORD> -G -U -C -PU --da

  • Enumeration over SMB:
    nxc smb <IP> -u <USER> -p <PASS> [-d <DOMAIN>] --users --groups --loggedon-users --pass-pol --rid-brute

  • Enumeration over SMB:
    enum4linux -u <USER> -p <PASS> <IP> -a

  • Detailed enumeration with specific queries:
    rpcclient -U [<DOMAIN>/]<USER>[%<PASS>] <IP>, then enter <QUERY> at the rpcclient> prompt


Tools and details:

  • Shows which users are logged on to a specified computer. For this to work, Remote Registry must be enabled on the target; false positives are possible because we cannot be sure Remote Registry is enabled there.
    .\PsLoggedon.exe \\<COMPUTER_NAME>

  • Hunts for credentials or other sensitive data in an Active Directory environment by searching across shares.
    Snaffler.exe -s -d <DOMAIN> -o <OUTPUT_FILE.log> -v data
