Active Directory Enumeration

In this network, I will cover several methods that can be used to enumerate AD. This is by no means a complete list as available methods are usually highly situational and dependent on the acquired breach. However, I will cover the following techniques for enumerating AD:

  1. Credential Injection
  2. Enumeration through Microsoft Management Console (AD snap-ins)
  3. Enumeration through Command Prompt (net commands)
  4. Enumeration through PowerShell (AD-RSAT cmdlets)
  5. Enumeration through SharpHound & BloodHound
  6. Conclusions

This write-up is based on the Enumerating Active Directory room from TryHackMe. Please find this room here: https://tryhackme.com/room/adenumeration

Who's this for:

  • Beginner and intermediate pentesters.
  • Students currently taking or planning to take the PWK/OSCP course

This write-up aims to help you understand a variety of Active Directory enumeration techniques.

Network Diagram: (image not included in this extract; it shows the THMDC domain controller and the THMJMP1 jump host with their IPs)

Connecting to the Network

Throughout this network, DNS will be used for the tasks. You will have to configure DNS on the host on which you are running the VPN connection. In order to configure our DNS, we must edit the /etc/systemd/resolved.conf file. Uncomment the DNS line and add the IP of THMDC shown in the Network Diagram.

Requesting Your Credentials

To simulate an AD breach, you will be provided with your first set of AD credentials. Once your networking setup has been completed, navigate to https://distributor.za.tryhackme.com/creds to request your credential pair. Click the "Get Credentials" button to receive your credential pair that can be used for initial access.

This credential pair will provide you RDP and SSH access to THMJMP1.za.tryhackme.com.

For SSH access, you can use the following SSH command:

ssh za.tryhackme.com\\<AD Username>@thmjmp1.za.tryhackme.com

NOTE: Before jumping into the hands-on part, you should understand a little bit of AD theory.

1. Credential Injection:

Runas Explained

Have you ever found AD credentials but nowhere to log in with them? Runas may be the answer you've been looking for!

If we have the AD credentials in the format of <username>:<password>, we can use Runas, a legitimate Windows binary, to inject the credentials into memory. The usual Runas command would look something like this:

runas.exe /netonly /user:<domain>\<username> cmd.exe

Let's look at the parameters:

  • /netonly - Since we are not domain-joined, we want to load the credentials for network authentication but not authenticate against a domain controller. So commands executed locally on the computer will run in the context of your standard Windows account, but any network connections will occur using the account specified here.
  • /user - Here, we provide the details of the domain and the username. It is always a safe bet to use the Fully Qualified Domain Name (FQDN) instead of just the NetBIOS name of the domain since this will help with resolution.
  • cmd.exe - This is the program we want to execute once the credentials are injected. This can be changed to anything, but the safest bet is cmd.exe since you can then use that to launch whatever you want, with the credentials injected.

Once you run this command, you will be prompted to supply a password. Note that since we added the /netonly parameter, the credentials will not be verified directly by a domain controller, so it will accept any password. We still need to confirm that the network credentials are loaded successfully and correctly.

After providing the password, a new command prompt window will open. Now we still need to verify that our credentials are working. The most surefire way to do this is to list SYSVOL.

The SYSVOL directory

Any AD account, no matter how low-privileged, can read the contents of the SYSVOL directory. SYSVOL is a folder that exists on all domain controllers. It is a shared folder storing the Group Policy Objects (GPOs) and information along with any other domain related scripts. It is an essential component for Active Directory since it delivers these GPOs to all computers on the domain. Domain-joined computers can then read these GPOs and apply the applicable ones, making domain-wide configuration changes from a central location.

Before we can list SYSVOL, we need to configure our DNS. It is good to understand how to do it manually. Your safest bet for a DNS server is usually a domain controller. Using the IP of the domain controller, we can execute the following commands in a PowerShell window:

# IP of the domain controller that will act as our DNS server
$dnsip = "<DC IP>"
# Interface index of the adapter the VPN traffic leaves on (adjust the name if needed)
$index = Get-NetAdapter -Name 'Ethernet' | Select-Object -ExpandProperty 'ifIndex'
# Point that adapter's DNS resolver at the domain controller
Set-DnsClientServerAddress -InterfaceIndex $index -ServerAddresses $dnsip

We can verify that DNS is working by running the following:

nslookup za.tryhackme.com

Now that DNS is working, we can finally test our credentials. We do this by forcing a network-based listing of the SYSVOL share on the domain controller (a directory listing of the share's UNC path); because the access goes over the network, it is performed with the injected credentials, so it only succeeds if they are valid.

I won't go too much in-depth now into the contents of SYSVOL, but note that it is also good to enumerate its contents since there may be some additional AD credentials lurking there.
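The verification procedure above (point DNS at the DC, confirm resolution, then force a network listing of SYSVOL) as one script. This is an added example, not code from the original write-up or the TryHackMe room; it assumes the RSAT-free DnsClient cmdlets that ship with Windows, that the adapter is called Ethernet, and that <DC IP> is replaced with the address from the network diagram. Run Test-InjectedCredentials inside the window that runas /netonly opened, since only that window carries the injected network credentials.

```powershell
# Added example: verify credentials injected with "runas /netonly".
# Assumptions: adapter name 'Ethernet', DC IP supplied by the caller,
# domain za.tryhackme.com (from the write-up).

function Set-LabDns {
    param(
        [Parameter(Mandatory)] [string] $DcIp,       # placeholder: the THMDC address
        [string] $AdapterName = 'Ethernet'
    )
    $index = Get-NetAdapter -Name $AdapterName | Select-Object -ExpandProperty ifIndex
    Set-DnsClientServerAddress -InterfaceIndex $index -ServerAddresses $DcIp
}

function Test-InjectedCredentials {
    param([string] $Domain = 'za.tryhackme.com')

    # 1. Resolution must go through the DC; otherwise the UNC path below is
    #    unreachable and the test would fail for the wrong reason.
    try {
        $records = Resolve-DnsName -Name $Domain -Type A -ErrorAction Stop
    } catch {
        Write-Warning "DNS lookup for $Domain failed: $($_.Exception.Message)"
        return $false
    }
    $ip = ($records | Where-Object { $_.Type -eq 'A' } | Select-Object -First 1).IPAddress
    Write-Host "Resolved $Domain to $ip"

    # 2. Any domain account can read SYSVOL. The UNC path forces an SMB
    #    connection, which is exactly where the /netonly credentials are used:
    #    a wrong password shows up here as a logon failure / access denied.
    $sysvol = "\\$Domain\SYSVOL\"
    try {
        $entries = Get-ChildItem -Path $sysvol -ErrorAction Stop
    } catch {
        Write-Warning "Listing $sysvol failed: $($_.Exception.Message)"
        return $false
    }
    Write-Host "SYSVOL listing succeeded ($(@($entries).Count) entries); credentials are valid."
    return $true
}

# Usage (replace the placeholder with the DC IP from the network diagram):
# Set-LabDns -DcIp '<DC IP>'
# Test-InjectedCredentials
```

Test-InjectedCredentials returns $true only when both the lookup and the SMB listing succeed, so it can be dropped into a larger script as a gate before any further enumeration.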

2. Enumeration through Microsoft Management Console

Connect to THMJMP1 using RDP with the provided credentials.

We will be using the Microsoft Management Console (MMC) with the Remote Server Administration Tools' (RSAT) AD Snap-Ins. You can perform the following steps to install the Snap-Ins:

  1. Press Start
  2. Search "Apps & Features" and press enter
  3. Click Manage Optional Features
  4. Click Add a feature
  5. Search for "RSAT"
  6. Select "RSAT: Active Directory Domain Services and Lightweight Directory Tools" and click Install

You can start MMC by using the Windows Start button, searching for Run, and typing in MMC.

In MMC, we can now attach the AD RSAT Snap-In:

  1. Click File -> Add/Remove Snap-in
  2. Select and Add all three Active Directory Snap-ins
  3. Click through any errors and warnings
  4. Right-click on Active Directory Domains and Trusts and select Change Forest
  5. Enter za.tryhackme.com as the Root domain and Click OK
  6. Right-click on Active Directory Sites and Services and select Change Forest
  7. Enter za.tryhackme.com as the Root domain and Click OK
  8. Right-click on Active Directory Users and Computers and select Change Domain
  9. Enter za.tryhackme.com as the Domain and Click OK
  10. Right-click on Active Directory Users and Computers in the left-hand pane
  11. Click on View -> Advanced Features

If everything up to this point worked correctly, your MMC should now be pointed to, and authenticated against, the target domain.

We can now start enumerating information about the AD structure here.

Users and Computers

Let's take a look at the Active Directory structure. For this task, we will focus on AD Users and Computers. Expand that snap-in and expand the za domain to see the initial Organisational Unit (OU) structure:


Let's take a look at the People directory. Here we see that the users are divided according to department OUs. Clicking on each of these OUs will show the users that belong to that department.

Clicking on any of these users will allow us to review all of their properties and attributes. We can also see what groups they are a member of:


We can also use MMC to find hosts in the environment. If we click on either Servers or Workstations, the list of domain-joined machines will be displayed.


If we had the relevant permissions, we could also use MMC to directly make changes to AD, such as changing the user's password or adding an account to a specific group. Play around with MMC to better understand the AD domain structure. Make use of the search feature to look for objects.

What is the value of the flag stored in the description attribute of the t0_tinus.green account?


3. Enumeration through Command Prompt

The net command is a handy tool to enumerate information about the local system and AD.

Users

We can use the net command to list all users in the AD domain by using the user sub-option:

net user /domain

This will return all AD users for us and can be helpful in determining the size of the domain to stage further attacks. We can also use this sub-option to enumerate more detailed information about a single user account:

net user zoe.marshall /domain

Note: If the user is only part of a small number of AD groups, this command will be able to show us group memberships. However, usually, after more than ten group memberships, the command will fail to list them all.

Groups

We can use the net command to enumerate the groups of the domain by using the group sub-option:

net group /domain

This information can help us find specific groups to target for goal execution. We could also enumerate more details such as membership to a group by specifying the group in the same command:

net group "Tier 1 Admins" /domain

Password Policy

We can use the net command to enumerate the password policy of the domain by using the accounts sub-option:

net accounts /domain

This will provide us with helpful information such as:

  • Length of password history kept, meaning how many unique passwords a user must set before an old password can be reused.
  • The lockout threshold for incorrect password attempts and for how long the account will be locked.
  • The minimum length of the password.
  • The maximum age that passwords are allowed to reach, indicating whether passwords have to be rotated at a regular interval.

You can find the full range of options associated with the net command here. Play around with these net commands to gather information about specific users and groups.

4. Enumeration through PowerShell

Using our SSH terminal, we can upgrade it to a PowerShell terminal by running the following command: powershell

Users

We can use the Get-ADUser cmdlet to enumerate AD users:

Get-ADUser -Identity gordon.stevens -Server za.tryhackme.com -Properties *

The parameters are used for the following:

  • -Identity - The account name that we are enumerating
  • -Properties - Which properties associated with the account will be shown, * will show all properties
  • -Server - Since we are not domain-joined, we have to use this parameter to point it to our domain controller

For most of these cmdlets, we can also use the -Filter parameter, which allows more control over enumeration, and pipe the output to the Format-Table cmdlet to display the results neatly, as in the following:

Get-ADUser -Filter 'Name -like "*stevens"' -Server za.tryhackme.com | Format-Table Name,SamAccountName -A

Groups

We can use the Get-ADGroup cmdlet to enumerate AD groups:

Get-ADGroup -Identity Administrators -Server za.tryhackme.com

We can also enumerate group membership using the Get-ADGroupMember cmdlet:

Get-ADGroupMember -Identity Administrators -Server za.tryhackme.com

AD Objects

A more generic search for any AD objects can be performed using the Get-ADObject cmdlet. For example, if we are looking for all AD objects that were changed after a specific date:

# Cut-off date: 28 February 2022, 12:00
$ChangeDate = New-Object DateTime(2022, 02, 28, 12, 00, 00)

# Objects (including tombstoned ones) whose whenChanged is after the cut-off
Get-ADObject -Filter 'whenChanged -gt $ChangeDate' -IncludeDeletedObjects -Server za.tryhackme.com

If we wanted to, for example, perform a password spraying attack without locking out accounts, we can use this to enumerate accounts that have a badPwdCount that is greater than 0, to avoid these accounts in our attack:

Get-ADObject -Filter 'badPwdCount -gt 0' -Server za.tryhackme.com

This will only show results if one of the users in the network mistyped their password a couple of times.
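The badPwdCount query above and the password policy from the net accounts section belong together: a failed-logon count only means something next to the domain's lockout threshold. The script below, an added example that is not part of the original write-up, reports every account with recent failed logons alongside that threshold. It assumes the RSAT ActiveDirectory module is loaded and that za.tryhackme.com is reachable; the one caveat it handles is that badPwdCount is not replicated between domain controllers, so each DC has to be asked separately rather than trusting whichever one -Server happened to hit.

```powershell
# Added example: failed-logon report in the context of the lockout policy.
# Assumptions: RSAT ActiveDirectory module available, domain za.tryhackme.com.

function Get-FailedLogonReport {
    param(
        [string] $Domain      = 'za.tryhackme.com',
        [int]    $MinBadCount = 1
    )

    # Same data "net accounts /domain" shows, but as an object we can compare against.
    $policy = Get-ADDefaultDomainPasswordPolicy -Server $Domain
    $threshold = $policy.LockoutThreshold      # 0 means lockout is disabled

    # badPwdCount is maintained per DC and never replicated, so one -Server
    # query can miss failures recorded on another DC. Ask all of them.
    $dcs = Get-ADDomainController -Filter * -Server $Domain

    foreach ($dc in $dcs) {
        $users = Get-ADUser -Server $dc.HostName `
                            -Filter "badPwdCount -ge $MinBadCount" `
                            -Properties badPwdCount, badPasswordTime, LockedOut
        foreach ($u in $users) {
            [pscustomobject]@{
                DomainController = $dc.HostName
                SamAccountName   = $u.SamAccountName
                BadPwdCount      = $u.badPwdCount
                LockoutThreshold = $threshold
                LockoutWindowMin = $policy.LockoutObservationWindow.TotalMinutes
                LastBadPassword  = if ($u.badPasswordTime) { [DateTime]::FromFileTime($u.badPasswordTime) } else { $null }
                LockedOut        = $u.LockedOut
            }
        }
    }
}

# Usage:
# Get-FailedLogonReport | Sort-Object BadPwdCount -Descending | Format-Table -AutoSize
```

Because the function emits one row per DC, the same account can appear several times with different counts; that is the expected picture, and it is exactly what a single Get-ADObject call against one server hides.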

Domains

We can use Get-ADDomain to retrieve additional information about the specific domain:

Get-ADDomain -Server za.tryhackme.com

5. Enumeration through SharpHound & Bloodhound

Bloodhound allowed attackers (and by now defenders too) to visualise the AD environment in a graph format with interconnected nodes. Each connection is a possible path that could be exploited to reach a goal. In contrast, defenders traditionally worked from lists, like a list of Domain Admins or a list of all the hosts in the environment.

Sharphound

Sharphound is the enumeration tool of Bloodhound. It is used to enumerate the AD information that can then be visually displayed in Bloodhound.

Bloodhound is the actual GUI used to display the AD attack graphs. Therefore, we first need to learn how to use Sharphound to enumerate AD before we can look at the results visually using Bloodhound.

There are three different Sharphound collectors:

  • Sharphound.ps1 - PowerShell script for running Sharphound. However, the latest release of Sharphound has stopped releasing the Powershell script version. This version is good to use with RATs since the script can be loaded directly into memory, evading on-disk AV scans.
  • Sharphound.exe - A Windows executable version for running Sharphound.
  • AzureHound.ps1 - PowerShell script for running Sharphound for Azure (Microsoft Cloud Computing Services) instances. Bloodhound can ingest data enumerated from Azure to find attack paths related to the configuration of Azure Identity and Access Management.

We will use the SharpHound.exe version for our enumeration.

Sharphound.exe --CollectionMethods <Methods> --Domain za.tryhackme.com --ExcludeDCs

Parameters explained:

  • CollectionMethods - Determines what kind of data Sharphound would collect. The most common options are Default or All. Also, since Sharphound caches information, once the first run has been completed, you can use only the Session collection method to retrieve new user sessions and speed up the process.
  • Domain - Here, we specify the domain we want to enumerate. In some instances, you may want to enumerate a parent or other domain that has a trust with your existing domain. You can tell Sharphound which domain should be enumerated by altering this parameter.
  • ExcludeDCs - This will instruct Sharphound not to touch domain controllers, which reduces the likelihood that the Sharphound run will raise an alert.

You can find all the various Sharphound parameters here.

Using your SSH PowerShell session on the THMJMP1 machine, copy the collector to your working directory:

copy C:\Tools\Sharphound.exe ~\Documents
cd ~\Documents

We will run Sharphound using the All and Session collection methods:

SharpHound.exe --CollectionMethods All --Domain za.tryhackme.com --ExcludeDCs

It will take about 1 minute for Sharphound to perform the enumeration. In larger organisations, this can take quite a bit longer, even hours to execute for the first time. Once completed, you will have a timestamped ZIP file in the same folder you executed Sharphound from.

Now transfer this ZIP file to our AttackBox.

Bloodhound

Bloodhound uses Neo4j as its backend database and graphing system. Neo4j is a graph database management system.


In another Terminal tab, run bloodhound --no-sandbox.


Drag and drop the ZIP file onto the Bloodhound GUI to import into Bloodhound. It will show that it is extracting the files and initiating the import.

Once all JSON files have been imported, we can start using Bloodhound to enumerate attack paths for this specific domain.

Attack Paths

There are several attack paths that Bloodhound can show. Pressing the three stripes next to "Search for a node" will show the options. The very first tab shows us the information regarding our current imports.


First, we will look at Node Info. Let's search for our AD account in Bloodhound. You must click on the node to refresh the view.

We can see that there is a significant amount of information returned regarding our user. Each of the categories provides the following information:

  • Overview - Provides summary information such as the number of active sessions the account has and whether it can reach high-value targets.
  • Node Properties - Shows information regarding the AD account, such as the display name and the title.
  • Extra Properties - Provides more detailed AD information such as the distinguished name and when the account was created.
  • Group Membership - Shows information regarding the groups that the account is a member of.
  • Local Admin Rights - Provides information on domain-joined hosts where the account has administrative privileges.
  • Execution Rights - Provides information on special privileges such as the ability to RDP into a machine.
  • Outbound Control Rights - Shows information regarding AD objects where this account has permissions to modify their attributes.
  • Inbound Control Rights - Provides information regarding AD objects that can modify the attributes of this account.

If you want more information in each of these categories, you can press the number next to the information query. For instance, let's look at the group membership associated with our account. By pressing the number next to "First Degree Group Membership", we can see that our account is a member of two groups.


Next, we will be looking at the Analysis queries. These are queries that the creators of Bloodhound have written themselves to enumerate helpful information.


Under the Domain Information section, we can run the Find all Domain Admins query.

There is an AD user account with the username T0_TINUS.GREEN that is a member of the group Tier 0 ADMINS. This group is nested inside the DOMAIN ADMINS group, meaning all users that are part of the Tier 0 ADMINS group are effectively DAs.

Furthermore, there is an additional AD account with the username ADMINISTRATOR that is a direct member of the DOMAIN ADMINS group. Hence, there are two accounts in our attack surface that we could attempt to compromise if we wanted to gain DA rights. Since the ADMINISTRATOR account is a built-in account, we would likely focus on the user account instead.
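The nested-group observation above (Tier 0 Admins inside Domain Admins) is the kind of thing a flat "net group" or single Get-ADGroupMember listing misses, so this added example, which is not part of the original write-up, resolves the effective membership of a group with Get-ADGroupMember -Recursive and reports, for each leaf principal, whether it is a direct member and through which nested group(s) it arrives. It assumes the RSAT ActiveDirectory module and reachability of za.tryhackme.com; the group name in the usage line is the one discussed on this page. It serves both the Get-ADGroupMember section earlier and this BloodHound result.

```powershell
# Added example: effective (recursive) group membership with nesting explained.
# Assumptions: RSAT ActiveDirectory module available, domain za.tryhackme.com.

function Get-EffectiveGroupMembers {
    param(
        [Parameter(Mandatory)] [string] $Group,
        [string] $Domain = 'za.tryhackme.com'
    )

    # Direct members may include groups; -Recursive flattens those and returns
    # only leaf principals (users, computers), i.e. who is *effectively* in $Group.
    $direct    = @(Get-ADGroupMember -Identity $Group -Server $Domain)
    $effective = @(Get-ADGroupMember -Identity $Group -Server $Domain -Recursive)

    # Pre-compute the recursive membership of each directly nested group once,
    # so we can say which nesting a principal reaches $Group through.
    $nestedMembers = @{}
    foreach ($g in ($direct | Where-Object { $_.objectClass -eq 'group' })) {
        $nestedMembers[$g.Name] = @(Get-ADGroupMember -Identity $g.distinguishedName -Server $Domain -Recursive).distinguishedName
    }

    foreach ($m in $effective) {
        $via = @($nestedMembers.Keys | Where-Object { $nestedMembers[$_] -contains $m.distinguishedName })
        [pscustomobject]@{
            Group           = $Group
            Member          = $m.SamAccountName
            ObjectClass     = $m.objectClass
            DirectMember    = ($direct.distinguishedName -contains $m.distinguishedName)
            ViaNestedGroups = ($via -join ', ')
        }
    }
}

# Usage: list who is effectively a Domain Admin and how they got there.
# Get-EffectiveGroupMembers -Group 'Domain Admins' | Format-Table -AutoSize
```

On the domain described in this write-up the expected shape of the output is one row for ADMINISTRATOR with DirectMember set to True and an empty ViaNestedGroups column, and one row for T0_TINUS.GREEN with DirectMember False and ViaNestedGroups showing Tier 0 Admins. Get-ADGroupMember -Recursive has two known limits worth remembering when running this against a real domain: it cannot expand members that live in other domains over a trust, and the default ADWS result cap stops it on very large groups.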

Let's look at the most basic attack path using only the default and some special edges. We will run a search in Bloodhound to enumerate the attack path. Press the path icon to allow for path searching.

Our Start Node would be our AD username, and our End Node will be the Tier 1 ADMINS group since this group has administrative privileges over servers.

If there is no available attack path using the selected edge filters, Bloodhound will display "No Results Found". However, in our case, Bloodhound shows an attack path. It shows that one of the T1 ADMINS accounts broke the tiering model by using their credentials to authenticate to THMJMP1, which is a workstation. It also shows that any user that is part of the DOMAIN USERS group, including our AD account, has the ability to RDP into this host.

We could do something like the following to exploit this path:

  1. Use our AD credentials to RDP into THMJMP1.
  2. Look for a privilege escalation vector on the host that would provide us with Administrative access.
  3. Using Administrative access, we can use credential harvesting techniques and tools such as Mimikatz.
  4. Since the T1 Admin has an active session on THMJMP1, our credential harvesting would provide us with the NTLM hash of the associated account.

The attack paths may be relatively complex in normal circumstances and require several actions to reach the final goal. If you are interested in the exploits associated with each edge, the following Bloodhound documentation provides an excellent guide.

Conclusion

Enumerating AD is a massive task. Proper AD enumeration is required to better understand the structure of the domain and determine attack paths that can be leveraged to perform privilege escalation or lateral movement.

Additional Enumeration Techniques

In this network, we covered several techniques that can be used to enumerate AD. This is by no means an exhaustive list. Here is a list of enumeration techniques that also deserve mention:

  • LDAP enumeration - Any valid AD credential pair should be able to bind to a Domain Controller's LDAP interface. This will allow you to write LDAP search queries to enumerate information regarding the AD objects in the domain.
  • PowerView - PowerView is a recon script part of the PowerSploit project. Although this project is no longer receiving support, scripts such as PowerView can be incredibly useful to perform semi-manual enumeration of AD objects in a pinch.
  • Windows Management Instrumentation (WMI) - WMI can be used to enumerate information from Windows hosts. It has a provider called "root\directory\ldap" that can be used to interact with AD. We can use this provider and WMI in PowerShell to perform AD enumeration.

We should also note that this room focussed on enumerating the structure of the AD domain in its entirety instead of concentrating only on identifying misconfigurations and weaknesses. Enumeration focused on identifying weaknesses, such as insecure shares or breaks in the tiering model, will be discussed in future rooms.

That's all guys. If you like this article then please share it with your network, follow me as well for future write-ups, and don't forget to leave a comment.

Horatiu David

Identity and Access Management Engineer

1 year

Quite extensive article with useful information.

Stanly Machote

Partner - Commercial Forensics & Cyber Security @ SIFTCON | Specialist in Cybersecurity and Digital Forensics

2 years

Thanks for sharing, Zakwan.
