3. Enumerating Active Directory

Once you have established foothold on the machine, we can enumerate for more valid accounts and credentials

Microsoft Management Console (MMC) + RSAT

RSAT or Remote Server Administration is an AD "add-on" to the MMC application, and allows you to administer AD objects

On Windows, Start->Run->mmc

In mmc, File->Add/Remove Snap-in and add in these 3 Snap-ins

We can now start to enumerate AD objects in the AD

Command line

Getting users in a domain

C:\> net user /domain
The request will be processed at a domain controller for domain za.tryhackme.com

User accounts for \\THMDC

-------------------------------------------------------------------------------
aaron.conway             aaron.hancock            aaron.harris
aaron.johnson            aaron.lewis              aaron.moore

Inspecting a single user

C:\> net user zoe.marshall /domain
The request will be processed at a domain controller for domain za.tryhackme.com

User name                    zoe.marshall
Full Name                    Zoe Marshall
Comment

Getting all groups in a domain

C:\> net group /domain
The request will be processed at a domain controller for domain za.tryhackme.com

Group Accounts for \\THMDC

-------------------------------------------------------------------------------
*Cloneable Domain Controllers

*Domain Users
[...]
*Schema Admins

Getting users in a group

C:\> net group "Tier 1 Admins" /domain
The request will be processed at a domain controller for domain za.tryhackme.com

Group name     Tier 1 Admins
Comment

Members

-------------------------------------------------------------------------------
t1_arthur.tyler          t1_gary.moss             t1_henry.miller

Getting password policy for a domain for brute-forcing

C:\> net accounts /domain
The request will be processed at a domain controller for domain za.tryhackme.com

Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          Unlimited

PowerView

Import PowerView for running subsequent commands

powershell-import C:\Tools\PowerSploit\Recon\PowerView.ps1

# Gets domain name, the forest name and the domain controllers.
powershell> Get-Domain

Forest                  : cyberbotic.io
DomainControllers       : {dc-2.dev.cyberbotic.io}
Children                : {}
DomainMode              : Unknown
DomainModeLevel         : 7
Parent                  : cyberbotic.io
PdcRoleOwner            : dc-2.dev.cyberbotic.io

# Returns the domain controllers for the current or specified domain.
powershell> Get-DomainController | select Forest, Name, OSVersion | fl

Forest    : cyberbotic.io
Name      : dc-2.dev.cyberbotic.io
OSVersion : Windows Server 2022 Datacenter

# Returns all domains for the current forest or the forest specified by -Forest.
powershell> Get-ForestDomain

Forest                  : cyberbotic.io
DomainControllers       : {dc-1.cyberbotic.io}
Children                : {dev.cyberbotic.io}

# Useful for finding domain password policy for password cracking
powershell> Get-DomainPolicyData | select -expand SystemAccess

MinimumPasswordAge           : 1
MaximumPasswordAge           : 42
MinimumPasswordLength        : 7
PasswordComplexity           : 1
PasswordHistorySize          : 24


# Return all users in the Domain.
# To only return specific properties, use -Properties.
# use -Identity to return a specific user.
powershell> Get-DomainUser -Identity jking -Properties DisplayName, MemberOf | fl

displayname : John King
memberof    : {CN=Internet Users,CN=Users,DC=dev,DC=cyberbotic,DC=io, CN=Support 
              Engineers,CN=Users,DC=dev,DC=cyberbotic,DC=io}


# Return all computers or specific computer objects in the domain
powershell> Get-DomainComputer -Properties DnsHostName | sort -Property DnsHostName

dnshostname              
-----------              
dc-2.dev.cyberbotic.io
fs.dev.cyberbotic.io


# Search for all organization units (OUs) or specific OU objects.
powershell> Get-DomainOU -Properties Name | sort -Property Name

name              
----              
Domain Controllers
File Servers
Servers


# Return all domain groups or specific domain group objects.
powershell> Get-DomainGroup | where Name -like "*Admins*" | select SamAccountName

samaccountname
--------------
Domain Admins 
Key Admins    
DnsAdmins


# Return the members of a specific domain group.
powershell> Get-DomainGroupMember -Identity "Domain Admins" | select MemberDistinguishedName

MemberDistinguishedName                             
-----------------------                             
CN=Nina Lamb,CN=Users,DC=dev,DC=cyberbotic,DC=io    
CN=Administrator,CN=Users,DC=dev,DC=cyberbotic,DC=io


# Return all Group Policy Objects (GPOs) or specific GPO objects.
# To enumerate all GPOs that are applied to a particular machine, use -ComputerIdentity.
powershell> Get-DomainGPO -Properties DisplayName | sort -Property DisplayName

displayname                      
-----------                      
Computer Certificates
Default Domain Controllers Policy
Default Domain Policy


# Returns all GPOs that modify local group membership through Restricted Groups or Group Policy Preferences.
powershell> Get-DomainGPOLocalGroup | select GPODisplayName, GroupName

GPODisplayName     GroupName            powershell
--------------     ---------            
Workstation Admins DEV\Support Engineers
Server Admins      DEV\Support Engineers


# Returns machines in a specific local group.
# This is useful for finding where domain groups have local admin access
powershell> Get-DomainGPOUserLocalGroupMapping -LocalGroup Administrators | select ObjectName, GPODisplayName, ContainerName, ComputerName | fl

ObjectName     : Support Engineers
GPODisplayName : Server Admins
ContainerName  : {OU=Servers,DC=dev,DC=cyberbotic,DC=io}
ComputerName   : {web.dev.cyberbotic.io, sql-2.dev.cyberbotic.io, fs.dev.cyberbotic.io}

# Return all domain trusts for the current or specified domain.
# Refer to Active Directory page for how to exploit this
powershell> Get-DomainTrust

SourceName      : dev.cyberbotic.io
TargetName      : cyberbotic.io
TrustType       : WINDOWS_ACTIVE_DIRECTORY
TrustAttributes : WITHIN_FOREST
TrustDirection  : Bidirectional
WhenCreated     : 8/15/2022 4:00:00 PM
WhenChanged     : 8/15/2022 4:00:00 PM

BloodHound + SharpHound

Sharphound is the enumeration tool of Bloodhound.

Collecting information on the host machine using Sharphound

Sharphound.exe --CollectionMethods All  --Domain za.tryhackme.com --ExcludeDCs

Once done, move the artifacts to the attacker machine to open them with Bloodhound

Previous2. Windows Exploitation Next4. Dumping Credentials

Last updated 1 year ago