Active Directory Enumeration

Table of contents

  1. Vulnerability
  2. Prerequisites
  3. Automated tools
    1. BloodHound
    2. BloodHound.py
    3. SharpHound
    4. PingCastle
    5. PowerView and SharpView
    6. ADSearch
    7. ADRecon
  4. Manual enumeration
    1. AppLocker
    2. Custom LDAP search
    3. Delegations
    4. GPO
    5. LAPS
    6. SCCM
    7. Shares
    8. Trust relationships
    9. Users
  5. Recommendations

At this point, you might be authenticated on a domain joined computer (via RDP, WinRM or another method), so do not forget to enumerate the Windows host as well.

Vulnerability

Active Directory enumeration is not a vulnerability by itself. Actually, it is more of a feature, because Active Directory is built this way: once you are authenticated on a domain, you are able to list all Active Directory objects and their relations. This is a very useful way to discover how to escalate your privileges by better understanding how the domain is organized.

Prerequisites

  • Low privileged domain account.

Automated tools

BloodHound

The best tool to enumerate and get graphical insights of an Active Directory domain is BloodHound and associated ingestors like BloodHound.py or SharpHound.

First, you need to collect all objects of the domain. The ingestors do this and generate multiple files containing the domain's objects. You can then import these files into BloodHound to visualize the domain's organization and find attack paths.

BloodHound.py

With BloodHound.py.

# From Kali, ingest domain objects with BloodHound.py.
bloodhound-python -d $domain -u $username -p $password -c All

SharpHound

With SharpHound.

# From a domain joined Windows computer.
.\SharpHound.exe -c All

# From a Windows computer which is not joined to the domain.
.\SharpHound.exe -d $domain --ldapusername $username --ldappassword $password -c All

You might be connected on a domain joined computer with a local account. In such a case, you won't be able to start SharpHound.exe from a PowerShell started with this local account. To bypass this, you must run SharpHound.exe from a PowerShell started as NT AUTHORITY\SYSTEM, so that SharpHound.exe uses the domain computer account's credentials to authenticate to the Active Directory domain. To do so, you can use PsExec by running Psexec.exe -i -s C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe.

PingCastle

PingCastle is also a very good candidate to enumerate the Active Directory domain. It provides risk insights, highlighting misconfigurations and the recommendations to apply.

# From the domain controller itself.
.\PingCastle.exe --healthcheck

# From a distant computer.
.\PingCastle.exe --healthcheck --server $domain --user $username --password $password

PowerView and SharpView

PowerView from the PowerSploit framework is a PowerShell module that provides many builtins to enumerate an Active Directory domain.

powershell -ep bypass
Import-Module ./PowerView.ps1
Get-DomainController -Domain $domain

SharpView is a .NET port of PowerView, with the same features.

.\SharpView.exe Get-DomainController -Domain $domain
.\SharpView.exe $command $options

ADSearch

ADSearch allows you to perform custom LDAP queries.

.\ADSearch.exe --search "$ldap_filter"

ADRecon

ADRecon performs a quick enumeration of basic information about an Active Directory domain.

# From a domain joined computer.
.\ADRecon.ps1

# From a workgroup computer.
.\ADRecon.ps1 -DomainController $dc_ip -Credential $domain\$username

Manual enumeration

This section describes how to manually enumerate the domain from a Windows host using one or more of the following methods (in that order):

  • Using Windows builtins that can be invoked via cmd.exe.
  • Using native PowerShell.
  • Using ActiveDirectory PowerShell module.
  • Using ADSearch.
  • Using - your best friend - PowerView.

AppLocker

If AppLocker is enabled, take a look at some ways to bypass it.

reg query "HKLM\Software\Policies\Microsoft\Windows\SrpV2"
Get-ChildItem "HKLM:Software\Policies\Microsoft\Windows\SrpV2"
Get-AppLockerPolicy -Effective -XML
Get-AppLockerFileInformation | Format-List
Get-DomainGPO -Domain dev-studio.com | ? { $_.DisplayName -like "*AppLocker*" } | select displayname, gpcfilesyspath

Custom LDAP search

# In a PowerShell file...
function LDAPSearch {
    param (
        [string]$LDAPQuery
    )

    $PDC = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().PdcRoleOwner.Name
    $DistinguishedName = ([adsi]'').distinguishedName
    $DirectoryEntry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$PDC/$DistinguishedName")
    $DirectorySearcher = New-Object System.DirectoryServices.DirectorySearcher($DirectoryEntry, $LDAPQuery)
    return $DirectorySearcher.FindAll()
}

# ...then import and use it
powershell -ep bypass
Import-Module ./ldapsearch.ps1
LDAPSearch -LDAPQuery "$ldap_filter"

Delegations

If you identify domain computers vulnerable to unconstrained delegation, refer to this page to leverage them.

# Look for domain computers vulnerable to unconstrained delegation.
.\ADSearch.exe --search "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=524288))" --attributes samaccountname,dnshostname
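The following is an added example, not part of the original page, that generalises the userAccountControl bitwise filter used in the Custom LDAP search and Delegations sections: it builds the LDAP filter from flag names and decodes the userAccountControl value of every result, so an administrator can audit which delegation and password flags an account actually carries. It assumes the LDAPSearch function from the Custom LDAP search section is already imported; the helper names New-UacFilter and ConvertFrom-UserAccountControl are mine, and the flag values are the documented userAccountControl constants.

```powershell
# Added example (not from the original page). Assumes the LDAPSearch function from
# the "Custom LDAP search" section is already imported. Flag values are the documented
# userAccountControl constants (hex); only the ones relevant to this page are listed.
$UacFlags = [ordered]@{
    ACCOUNTDISABLE                 = 0x0002
    LOCKOUT                        = 0x0010
    PASSWD_NOTREQD                 = 0x0020
    NORMAL_ACCOUNT                 = 0x0200
    WORKSTATION_TRUST_ACCOUNT      = 0x1000
    SERVER_TRUST_ACCOUNT           = 0x2000
    DONT_EXPIRE_PASSWORD           = 0x10000
    TRUSTED_FOR_DELEGATION         = 0x80000    # 524288: unconstrained delegation
    NOT_DELEGATED                  = 0x100000   # "account is sensitive and cannot be delegated"
    PASSWORD_EXPIRED               = 0x800000
    TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition
}
# Build the bitwise filter. Rule 1.2.840.113556.1.4.803 matches objects with ALL given bits set,
# 1.2.840.113556.1.4.804 matches objects with ANY of them set.
function New-UacFilter {
    param(
        [Parameter(Mandatory)][string[]]$Flag,
        [string]$ObjectCategory = 'computer',
        [switch]$AnyFlag
    )
    $mask = 0
    foreach ($f in $Flag) {
        if (-not $UacFlags.Contains($f)) { throw "Unknown userAccountControl flag: $f" }
        $mask = $mask -bor $UacFlags[$f]
    }
    $rule = if ($AnyFlag) { '1.2.840.113556.1.4.804' } else { '1.2.840.113556.1.4.803' }
    return "(&(objectCategory=$ObjectCategory)(userAccountControl:${rule}:=$mask))"
}
# Decode an integer userAccountControl value into the names of the flags it carries.
function ConvertFrom-UserAccountControl {
    param([Parameter(Mandatory)][int]$Value)
    return @($UacFlags.Keys | Where-Object { ($Value -band $UacFlags[$_]) -ne 0 })
}
# Same query as the Delegations section, with every hit decoded into readable flags.
$filter = New-UacFilter -Flag TRUSTED_FOR_DELEGATION -ObjectCategory computer
LDAPSearch -LDAPQuery $filter | ForEach-Object {
    $p = $_.Properties
    [pscustomobject]@{
        SamAccountName = [string]($p['samaccountname'] | Select-Object -First 1)
        DnsHostName    = [string]($p['dnshostname'] | Select-Object -First 1)
        Flags          = (ConvertFrom-UserAccountControl ([int]($p['useraccountcontrol'] | Select-Object -First 1))) -join ','
    }
}
```

Passing -AnyFlag switches the filter to the OR matching rule, which is handy when reviewing accounts carrying any of several sensitive flags at once.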

GPO

If you can create or modify GPOs, refer to the GPO Abuse attack to leverage the situation.

# List GPOs and look up the principals that can CreateChild or modify them.
Get-DomainGPO | Get-DomainObjectAcl -ResolveGUIDs | ? { $_.ActiveDirectoryRights -match "CreateChild|WriteProperty" }

# Get domain objects that can create new GPO.
Get-DomainObjectAcl -Identity "CN=Policies,CN=System,DC=$domain,DC=$com" -ResolveGUIDs | ? { $_.ObjectAceType -Eq "Group-Policy-Container" -And $_.ActiveDirectoryRights -Contains "CreateChild" } | % { ConvertFrom-SID $_.SecurityIdentifier }

# Get domain objects that can link GPO to an OU.
Get-DomainOU | Get-DomainObjectAcl -ResolveGUIDs | ? { $_.ObjectAceType -eq "GP-Link" -and $_.ActiveDirectoryRights -match "WriteProperty" } | Select-Object -Property ObjectDN,ActiveDirectoryRights,ObjectAceType,SecurityIdentifier | Format-List

LAPS

If LAPS is enabled, you could abuse its configuration to escalate your privileges.

dir "C:\Program Files\LAPS\CSE\"
Get-DomainComputer | ? { $_."ms-Mcs-AdmPwdExpirationTime" -ne $null } | select dnsHostName
Get-DomainGPO | ? { $_.DisplayName -like "*laps*" } | select DisplayName, Name, GPCFileSysPath | Format-List

SCCM

If the following command returns something, take a look at the SCCM Abuse attack.

Get-WmiObject -Class SMS_Authority -Namespace root\CCM | select Name, CurrentManagementPoint | Format-List

Shares

Find-DomainShare -CheckShareAccess
Find-InterestingDomainShareFile -Include *.doc*, *.xls*, *.csv, *.ppt*

Trust relationships

If you discover trust relationships, you could abuse them to move laterally to trusted and/or trusting domains.

.\ADSearch.exe --search "(objectCategory=trustedDomain)" --domain $domain --attributes distinguishedName,name,flatName,trustDirection
Get-DomainTrust -Domain $domain

Users

# Using Net.exe
net user /domain
net user
net user $username /domain
net group /domain
net localgroup
net group $group [/domain]
net accounts

# Using ActiveDirectory PowerShell module.
Get-ADGroupMember 'domain admins' | select samaccountname
Get-ADUser -Filter {PasswordExpired -eq $True} -Properties PasswordLastSet, PasswordExpired, PasswordNeverExpires | Sort-Object Name

Recommendations

  • There is no way to avoid Active Directory enumeration by a user authenticated on the domain. The only recommendation here is to harden the domain enough to prevent privilege escalation, even if the attacker has an initial foothold.