Active Directory Enumeration
Zakwan Abid
Senior Cyber Security Consultant | OSCP | eCPPT | CEH | Penetration Tester | IT/CS Auditor | GRC Specialist
In this write-up, I will cover several methods that can be used to enumerate AD. This is by no means a complete list, as the methods available are usually highly situational and depend on the access gained in the initial breach. I will cover the following techniques for enumerating AD:
This write-up is based on the Enumerating Active Directory room from TryHackMe. You can find the room here: https://tryhackme.com/room/adenumeration
Who's this for:
This write-up aims to help you understand a range of Active Directory enumeration techniques.
Network Diagram:
Connecting to the Network
Throughout this network, the tasks rely on DNS, so you will have to configure DNS on the host on which you are running the VPN connection. To do this, edit the /etc/systemd/resolved.conf file: uncomment the DNS line and add the IP of THMDC shown in the Network Diagram.
Requesting Your Credentials
To simulate an AD breach, you will be provided with your first set of AD credentials. Once your networking setup is complete, navigate to https://distributor.za.tryhackme.com/creds to request your credential pair. Click the "Get Credentials" button to receive the credential pair that can be used for initial access.
This credential pair provides RDP and SSH access to THMJMP1.za.tryhackme.com.
For SSH access, you can use the following SSH command:
ssh za.tryhackme.com\\<AD Username>@thmjmp1.za.tryhackme.com
NOTE: Before jumping into the hands-on part, you should understand a little AD theory.
1. Credential Injection:
Runas Explained
Have you ever found AD credentials but nowhere to log in with them? Runas may be the answer you've been looking for!
If we have the AD credentials in the format of <username>:<password>, we can use Runas, a legitimate Windows binary, to inject the credentials into memory. The usual Runas command would look something like this:
runas.exe /netonly /user:<domain>\<username> cmd.exe
Let's look at the parameters:
Once you run this command, you will be prompted to supply a password. Note that since we added the /netonly parameter, the credentials are not verified directly by a domain controller, so any password will be accepted. We still need to confirm that the network credentials were loaded successfully and correctly.
After providing the password, a new command prompt window will open. Now we still need to verify that our credentials are working. The most surefire way to do this is to list SYSVOL.
What is the SYSVOL directory?
Any AD account, no matter how low-privileged, can read the contents of the SYSVOL directory. SYSVOL is a folder that exists on all domain controllers. It is a shared folder storing the Group Policy Objects (GPOs) and information, along with any other domain-related scripts. It is an essential component of Active Directory since it delivers these GPOs to all computers on the domain. Domain-joined computers can then read these GPOs and apply the applicable ones, making domain-wide configuration changes from a central location.
Before we can list SYSVOL, we need to configure our DNS. It is good to understand how to do this manually. Your safest bet for a DNS server is usually a domain controller. Using the IP of the domain controller, we can run the following commands in a PowerShell window:
$dnsip = "<DC IP>"
$index = Get-NetAdapter -Name 'Ethernet' | Select-Object -ExpandProperty 'ifIndex'
Set-DnsClientServerAddress -InterfaceIndex $index -ServerAddresses $dnsip
We can verify that DNS is working by running the following:
nslookup za.tryhackme.com
Now that DNS is working, we can finally test our credentials. We can use the following command to force a network-based listing of the SYSVOL directory:
I won't go too much in-depth into the contents of SYSVOL for now, but note that it is also worth enumerating, since additional AD credentials may be lurking there.
2. Enumeration through Microsoft Management Console
Connect to THMJMP1 using RDP with the provided credentials.
We will be using the Microsoft Management Console (MMC) with the Remote Server Administration Tools' (RSAT) AD Snap-Ins. You can perform the following steps to install the Snap-Ins:
You can start MMC by using the Windows Start button, searching for Run, and typing in MMC.
In MMC, we can now attach the AD RSAT Snap-In:
If everything up to this point worked correctly, your MMC should now be pointed at, and authenticated against, the target domain.
We can now start enumerating information about the AD structure here.
Users and Computers
Let's take a look at the Active Directory structure. For this task, we will focus on AD Users and Computers. Expand that snap-in and expand the za domain to see the initial Organisational Unit (OU) structure:
Let's take a look at the People directory. Here we see that the users are divided according to department OUs. Clicking on each of these OUs will show the users that belong to that department.
Clicking on any of these users will allow us to review all of their properties and attributes. We can also see what groups they are a member of:
We can also use MMC to find hosts in the environment. If we click on either Servers or Workstations, the list of domain-joined machines will be displayed.
If we had the relevant permissions, we could also use MMC to directly make changes to AD, such as changing the user's password or adding an account to a specific group. Play around with MMC to better understand the AD domain structure. Make use of the search feature to look for objects.
What is the value of the flag stored in the description attribute of the t0_tinus.green account?
3. Enumeration through Command Prompt
The net command is a handy tool to enumerate information about the local system and AD.
Users
We can use the net command to list all users in the AD domain by using the user sub-option:
net user /domain
This will return all AD users for us and can be helpful in determining the size of the domain to stage further attacks. We can also use this sub-option to enumerate more detailed information about a single user account:
net user zoe.marshall /domain
Note: If the user is only part of a small number of AD groups, this command will be able to show us group memberships. However, usually, after more than ten group memberships, the command will fail to list them all.
Groups
We can use the net command to enumerate the groups of the domain by using the group sub-option:
net group /domain
This information can help us find specific groups to target for goal execution. We could also enumerate more details such as membership to a group by specifying the group in the same command:
net group "Tier 1 Admins" /domain
Password Policy
We can use the net command to enumerate the password policy of the domain by using the accounts sub-option:
This will provide us with helpful information such as:
You can find the full range of options associated with the net command here. Play around with these net commands to gather information about specific users and groups.
4. Enumeration through PowerShell
Using our SSH terminal, we can upgrade it to a PowerShell terminal using the following command: powershell
Users
We can use the Get-ADUser cmdlet to enumerate AD users:
Get-ADUser -Identity gordon.stevens -Server za.tryhackme.com -Properties *
The parameters are used for the following:
For most of these cmdlets, we can also use the -Filter parameter, which allows more control over the enumeration, and the Format-Table cmdlet to display the results neatly, as in the following:
Get-ADUser -Filter 'Name -like "*stevens"' -Server za.tryhackme.com | Format-Table Name,SamAccountName -A
Groups
We can use the Get-ADGroup cmdlet to enumerate AD groups:
Get-ADGroup -Identity Administrators -Server za.tryhackme.com
We can also enumerate group membership using the Get-ADGroupMember cmdlet:
Get-ADGroupMember -Identity Administrators -Server za.tryhackme.com
AD Objects
A more generic search for any AD objects can be performed using the Get-ADObject cmdlet. For example, if we are looking for all AD objects that were changed after a specific date:
$ChangeDate = New-Object DateTime(2022, 02, 28, 12, 00, 00)
Get-ADObject -Filter 'whenChanged -gt $ChangeDate' -IncludeDeletedObjects -Server za.tryhackme.com
If we wanted to, for example, perform a password spraying attack without locking out accounts, we can use this to enumerate accounts that have a badPwdCount that is greater than 0, to avoid these accounts in our attack:
Get-ADObject -Filter 'badPwdCount -gt 0' -Server za.tryhackme.com
This will only show results if one of the users in the network mistyped their password a couple of times.
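The badPwdCount check above is the attacker's view of the attribute; for a defender the same attribute is the earliest signal of a password spray, because a spray leaves many different accounts with exactly one failure each within seconds, while a user mistyping leaves one account with a high count. The following Python example is added here and is not part of the original write-up or the TryHackMe room. It works on a constructed snapshot of the badPwdCount and badPasswordTime attributes (the kind of export Get-ADUser -Filter * -Properties badPwdCount,badPasswordTime produces; the account names, times and lockout threshold are made up), flags accounts one failure away from the lockout threshold that the net accounts /domain policy output reports, and flags time windows in which several distinct accounts failed.

```python
"""Spot a password-spray pattern in a snapshot of AD account attributes.

Added example, not from the original write-up. The records below are
constructed: account names and timestamps are invented, and badPasswordTime
is assumed to have been exported as an ISO-8601 UTC string.
"""
from datetime import datetime, timedelta, timezone

# Constructed snapshot (not real data from the room). Four accounts failed once
# each within a few seconds: the shape a spray leaves behind. One account
# failed four times earlier in the day: a user mistyping their own password.
SNAPSHOT = [
    {"sam": "gordon.stevens", "badPwdCount": 1, "badPasswordTime": "2022-02-28T12:00:05Z"},
    {"sam": "zoe.marshall",   "badPwdCount": 1, "badPasswordTime": "2022-02-28T12:00:07Z"},
    {"sam": "user.three",     "badPwdCount": 1, "badPasswordTime": "2022-02-28T12:00:09Z"},
    {"sam": "user.four",      "badPwdCount": 1, "badPasswordTime": "2022-02-28T12:00:12Z"},
    {"sam": "t0_tinus.green", "badPwdCount": 4, "badPasswordTime": "2022-02-28T09:15:00Z"},
    {"sam": "svc.backup",     "badPwdCount": 0, "badPasswordTime": None},
]

# Assumed lockout threshold; read the real value from the domain password
# policy (the "Lockout threshold" line of `net accounts /domain`).
LOCKOUT_THRESHOLD = 5


def parse_time(value):
    """ISO-8601 'Z' timestamp -> timezone-aware UTC datetime (None stays None)."""
    if value is None:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def accounts_near_lockout(records, threshold=LOCKOUT_THRESHOLD, margin=1):
    """Accounts that `margin` more bad attempts would lock out.

    These are the accounts the write-up says a sprayer avoids; for a defender
    they are the first place to look for a user under direct attack."""
    return sorted(r["sam"] for r in records if r["badPwdCount"] >= threshold - margin)


def spray_windows(records, window=timedelta(minutes=2), min_accounts=3):
    """Bucket last-failure times into fixed windows and flag windows that touch
    at least `min_accounts` distinct accounts.

    badPwdCount resets once the observation window passes but badPasswordTime
    does not, so the clustering is done on the time alone. Returns
    {window_start_iso: [sorted account names]} for the flagged windows."""
    size = int(window.total_seconds())
    buckets = {}
    for r in records:
        t = parse_time(r["badPasswordTime"])
        if t is None:
            continue
        start = int(t.timestamp()) // size * size  # floor to the window boundary
        buckets.setdefault(start, set()).add(r["sam"])
    flagged = {}
    for start, sams in sorted(buckets.items()):
        if len(sams) >= min_accounts:
            key = datetime.fromtimestamp(start, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
            flagged[key] = sorted(sams)
    return flagged


if __name__ == "__main__":
    print("near lockout:", accounts_near_lockout(SNAPSHOT))
    for start, sams in spray_windows(SNAPSHOT).items():
        print(f"possible spray from {start}: {len(sams)} accounts -> {', '.join(sams)}")
```

The two-minute window and the three-account minimum are tuning choices for this constructed data; in a real domain, compare the flagged windows against the lockout observation window from the same policy output, and treat a window that spans most of the user population as a strong indicator.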
Domains
We can use Get-ADDomain to retrieve additional information about the specific domain:
Get-ADDomain -Server za.tryhackme.com
5. Enumeration through SharpHound & Bloodhound
Bloodhound allowed attackers (and by now defenders too) to visualise the AD environment in a graph format with interconnected nodes. Each connection is a possible path that could be exploited to reach a goal. In contrast, the defenders used lists, like a list of Domain Admins or a list of all the hosts in the environment.
Sharphound
Sharphound is the enumeration tool of Bloodhound. It is used to enumerate the AD information that can then be visually displayed in Bloodhound.
Bloodhound is the actual GUI used to display the AD attack graphs. Therefore, we first need to learn how to use Sharphound to enumerate AD before we can look at the results visually using Bloodhound.
There are three different Sharphound collectors:
We will use the SharpHound.exe version for our enumeration.
Sharphound.exe --CollectionMethods <Methods> --Domain za.tryhackme.com --ExcludeDCs
Parameters explained:
You can find all the various Sharphound parameters here.
Using your SSH PowerShell session on the THMJMP1 machine, copy Sharphound to your Documents folder and change into it:
copy C:\Tools\Sharphound.exe ~\Documents
cd ~\Documents
We will run Sharphound using the All and Session collection methods:
SharpHound.exe --CollectionMethods All --Domain za.tryhackme.com --ExcludeDCs
It will take about 1 minute for Sharphound to perform the enumeration. In larger organisations, this can take quite a bit longer, even hours to execute for the first time. Once completed, you will have a timestamped ZIP file in the same folder you executed Sharphound from.
Now transfer this ZIP file to the AttackBox.
Bloodhound
Bloodhound uses Neo4j as its backend database and graphing system. Neo4j is a graph database management system.
In another Terminal tab, run bloodhound --no-sandbox.
Drag and drop the ZIP file onto the Bloodhound GUI to import into Bloodhound. It will show that it is extracting the files and initiating the import.
Once all JSON files have been imported, we can start using Bloodhound to enumerate attack paths for this specific domain.
Attack Paths
There are several attack paths that Bloodhound can show. Pressing the three stripes next to "Search for a node" will show the options. The very first tab shows us the information regarding our current imports.
First, we will look at Node Info. Let's search for our AD account in Bloodhound. You must click on the node to refresh the view.
We can see that a significant amount of information is returned regarding our user. Each of the categories provides the following information:
If you want more information in each of these categories, you can press the number next to the information query. For instance, let's look at the group membership associated with our account. By pressing the number next to "First Degree Group Membership", we can see that our account is a member of two groups.
Next, we will be looking at the Analysis queries. These are queries that the creators of Bloodhound have written themselves to enumerate helpful information.
Under the Domain Information section, we can run the Find all Domain Admins query.
There is an AD user account with the username T0_TINUS.GREEN that is a member of the group Tier 0 ADMINS. However, this group is nested inside the DOMAIN ADMINS group, meaning all users that are part of the Tier 0 ADMINS group are effectively DAs.
Furthermore, there is an additional AD account with the username of ADMINISTRATOR that is part of the DOMAIN ADMINS group. Hence, there are two accounts in our attack surface that we can probably attempt to compromise if we want to gain DA rights. Since the ADMINISTRATOR account is a built-in account, we would likely focus on the user account instead.
Let's look at the most basic attack path using only the default and some special edges. We will run a search in Bloodhound to enumerate the attack path. Press the path icon to allow for path searching.
Our Start Node would be our AD username, and our End Node will be the Tier 1 ADMINS group since this group has administrative privileges over servers.
If there is no available attack path using the selected edge filters, Bloodhound will display "No Results Found". However, in our case, Bloodhound shows an attack path. It shows that one of the T1 ADMINS accounts broke the tiering model by using its credentials to authenticate to THMJMP1, which is a workstation. It also shows that any user that is part of the DOMAIN USERS group, including our AD account, has the ability to RDP into this host.
We could do something like the following to exploit this path:
The attack paths may be relatively complex in normal circumstances and require several actions to reach the final goal. If you are interested in the exploits associated with each edge, the following Bloodhound documentation provides an excellent guide.
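Bloodhound reaches the two findings above (Tier 0 ADMINS members being effective Domain Admins through nesting, and a Tier 1 admin's session on a workstation) by walking the edges Sharphound collected. The following Python example is added here and is not part of the original write-up or of the BloodHound project: it performs the same two walks over constructed, simplified SharpHound-style groups and computers data, and is what a defender would run to find nested privilege and tiering breaks before an attacker does. The SIDs, the T1_JANE.DOE account and the session data are invented; only a handful of the fields a real SharpHound export carries (ObjectIdentifier, Properties.name, Properties.distinguishedname, Members, Sessions) are kept, and the tier-to-group and OU-to-tier mappings are assumptions for this lab.

```python
"""Effective Domain Admins and tiering breaks from SharpHound-style data.

Added example, not from the original write-up and not BloodHound's own code.
The JSON below is constructed and keeps only a few of the fields SharpHound
emits; SIDs, the T1_JANE.DOE account and all session data are invented.
"""
import json

GROUPS = json.loads("""{"data": [
 {"ObjectIdentifier": "S-1-5-21-0-512", "Properties": {"name": "DOMAIN ADMINS@ZA.TRYHACKME.COM"},
  "Members": [{"ObjectIdentifier": "S-1-5-21-0-500", "ObjectType": "User"},
              {"ObjectIdentifier": "S-1-5-21-0-1101", "ObjectType": "Group"}]},
 {"ObjectIdentifier": "S-1-5-21-0-1101", "Properties": {"name": "TIER 0 ADMINS@ZA.TRYHACKME.COM"},
  "Members": [{"ObjectIdentifier": "S-1-5-21-0-2001", "ObjectType": "User"}]},
 {"ObjectIdentifier": "S-1-5-21-0-1102", "Properties": {"name": "TIER 1 ADMINS@ZA.TRYHACKME.COM"},
  "Members": [{"ObjectIdentifier": "S-1-5-21-0-2002", "ObjectType": "User"}]}
]}""")["data"]

USERS = {  # SID -> principal name (constructed)
    "S-1-5-21-0-500": "ADMINISTRATOR@ZA.TRYHACKME.COM",
    "S-1-5-21-0-2001": "T0_TINUS.GREEN@ZA.TRYHACKME.COM",
    "S-1-5-21-0-2002": "T1_JANE.DOE@ZA.TRYHACKME.COM",
    "S-1-5-21-0-3001": "GORDON.STEVENS@ZA.TRYHACKME.COM",
}

COMPUTERS = json.loads("""{"data": [
 {"Properties": {"name": "THMDC.ZA.TRYHACKME.COM",
   "distinguishedname": "CN=THMDC,OU=Domain Controllers,DC=za,DC=tryhackme,DC=com"},
  "Sessions": [{"UserSID": "S-1-5-21-0-500"}]},
 {"Properties": {"name": "THMSERVER1.ZA.TRYHACKME.COM",
   "distinguishedname": "CN=THMSERVER1,OU=Servers,DC=za,DC=tryhackme,DC=com"},
  "Sessions": [{"UserSID": "S-1-5-21-0-2002"}]},
 {"Properties": {"name": "THMJMP1.ZA.TRYHACKME.COM",
   "distinguishedname": "CN=THMJMP1,OU=Workstations,DC=za,DC=tryhackme,DC=com"},
  "Sessions": [{"UserSID": "S-1-5-21-0-2002"}, {"UserSID": "S-1-5-21-0-3001"}]}
]}""")["data"]

# Assumed tiering model: 0 = domain control, 1 = servers, 2 = workstations.
TIER_GROUPS = {0: ["DOMAIN ADMINS@ZA.TRYHACKME.COM", "TIER 0 ADMINS@ZA.TRYHACKME.COM"],
               1: ["TIER 1 ADMINS@ZA.TRYHACKME.COM"]}
OU_TIER = {"OU=DOMAIN CONTROLLERS": 0, "OU=SERVERS": 1, "OU=WORKSTATIONS": 2}


def effective_members(groups, group_sid):
    """Users reachable from a group through any depth of nested groups: the
    MemberOf walk behind "Find all Domain Admins". The visited set stops an
    infinite loop if two groups contain each other."""
    by_sid = {g["ObjectIdentifier"]: g for g in groups}
    users, seen, todo = set(), set(), [group_sid]
    while todo:
        sid = todo.pop()
        if sid in seen or sid not in by_sid:
            continue
        seen.add(sid)
        for m in by_sid[sid]["Members"]:
            (todo if m["ObjectType"] == "Group" else users).add(m["ObjectIdentifier"]) \
                if m["ObjectType"] != "Group" else todo.append(m["ObjectIdentifier"])
    return users


def group_sid(groups, name):
    """Group name -> SID; KeyError if the group is missing from the export."""
    return {g["Properties"]["name"].upper(): g["ObjectIdentifier"] for g in groups}[name.upper()]


def effective_domain_admins(groups, users):
    sids = effective_members(groups, group_sid(groups, "DOMAIN ADMINS@ZA.TRYHACKME.COM"))
    return sorted(users.get(s, s) for s in sids)


def user_tiers(groups, tier_groups=TIER_GROUPS, default=2):
    """SID -> most privileged tier the account reaches via effective membership."""
    tiers = {}
    for tier, names in tier_groups.items():
        for name in names:
            for sid in effective_members(groups, group_sid(groups, name)):
                tiers[sid] = min(tier, tiers.get(sid, default))
    return tiers


def computer_tier(computer, default=2):
    """Classify a host by the OU in its distinguishedName."""
    dn = computer["Properties"]["distinguishedname"].upper()
    return next((t for ou, t in OU_TIER.items() if ou in dn), default)


def tiering_breaks(groups, computers, users):
    """(account, host, account tier, host tier) for each session where a
    higher-tier account is logged on to a lower-tier host. A Tier 1 admin on a
    workstation is the break the write-up's attack path relies on."""
    tiers = user_tiers(groups)
    found = []
    for c in computers:
        host_tier = computer_tier(c)
        for s in c["Sessions"]:
            sid = s["UserSID"]
            if tiers.get(sid, 2) < host_tier:
                found.append((users.get(sid, sid), c["Properties"]["name"], tiers[sid], host_tier))
    return sorted(found)


if __name__ == "__main__":
    print("effective Domain Admins:", effective_domain_admins(GROUPS, USERS))
    for acct, host, at, ht in tiering_breaks(GROUPS, COMPUTERS, USERS):
        print(f"tiering break: tier-{at} account {acct} has a session on tier-{ht} host {host}")
```

Sessions on THMDC and THMSERVER1 are not reported because the account tier matches the host tier; only the Tier 1 session on the workstation is, which is the edge the write-up's path walks through. On a real export, feed the full groups and computers files in and extend TIER_GROUPS and OU_TIER to match the domain's own naming.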
Conclusion
Enumerating AD is a massive task. Proper AD enumeration is required to better understand the structure of the domain and determine attack paths that can be leveraged to perform privilege escalation or lateral movement.
Additional Enumeration Techniques
In this write-up, we covered several techniques that can be used to enumerate AD. This is by no means an exhaustive list. Here is a list of enumeration techniques that also deserve mention:
We should also note that this room focused on enumerating the structure of the AD domain in its entirety instead of concentrating only on identifying misconfigurations and weaknesses. Enumeration focused on identifying weaknesses, such as insecure shares or breaks in the tiering model, will be discussed in future rooms.
That's all, guys. If you like this article, please share it with your network, follow me for future write-ups, and don't forget to leave a comment.
Identity and Access Management Engineer (1 year ago): Quite extensive article with useful information.
Partner - Commercial Forensics & Cyber Security @ SIFTCON | Specialist in Cybersecurity and Digital Forensics (2 years ago): Thanks for sharing, Zakwan.