AD Enumeration

Active Directory (AD) is the backbone of many enterprise IT infrastructures, managing user authentication, authorization, and resource access. During penetration testing or red team engagements, enumerating Active Directory is a critical step for gathering intelligence about the environment. This process involves systematically identifying valuable information that can be used to map out the network, discover potential attack paths, and exploit misconfigurations or vulnerabilities.

Why Enumerate Active Directory?

Active Directory is complex and interconnected, making it a prime target for attackers. Enumeration helps uncover:

  • Domain structure and trust relationships.

  • User accounts, groups, and their permissions.

  • Domain Controllers (DCs) and critical services like DNS, LDAP, SMB, and Kerberos.

  • Misconfigurations, such as weak passwords, open shares, and insecure policies.

Key Enumeration Goals:

  1. Map the Environment: Identify key assets, including Domain Controllers and critical servers.

  2. Identify Users: Discover domain accounts and their roles.

  3. Assess Permissions: Look for overprivileged users, groups, or objects.

  4. Locate Weaknesses: Misconfigurations, legacy systems, or unpatched vulnerabilities.

  5. Set the Stage for Attacks: Gather the information needed for credential attacks, privilege escalation, or lateral movement.

Common Enumeration Tools and Techniques

Enumeration can be performed using a variety of tools and techniques, including:

  • Nmap for network scanning and service discovery.

  • SMB and LDAP enumeration tools to query shared resources and directory structures.

  • BloodHound for mapping AD relationships and privilege escalation paths.

  • Kerberos-based tools like Kerbrute to discover valid accounts through pre-authentication failures.

  • PowerShell scripts for gathering system and domain information.

Reconnaissance Without Credentials

Even without valid domain credentials, attackers can leverage null sessions, misconfigured services, and network discovery tools to gain valuable information. These findings often serve as a foothold to further access.

Host Identification

Fping

The fping tool allows quick identification of active hosts within a network range. For instance:

fping -asgq 192.168.1.0/24

Parameters Explained:

  • -a: Display only active hosts.

  • -s: Print statistics at the end of the scan.

  • -g: Generate a list of destinations from a CIDR network.

  • -q: Suppress output for individual hosts.

Once the scan is complete, you can create a list of active hosts for further enumeration.


Nmap

nmap can also be used to perform a Ping Scan for host discovery:

sudo nmap -sn 192.168.1.0/24

Parameters Explained:

  • -sn: Skip port scanning and focus on host discovery by sending ICMP echo requests.

This scan provides a list of active hosts within the network. After identifying live hosts, we can move to detailed enumeration to identify services, critical hosts (e.g., domain controllers, web servers), and potential vulnerabilities.


Nmap Advanced Scans

  1. Enumerate Active Hosts from a List

    sudo nmap -v -A -iL hosts.txt -oN hostEnum

    • -v: Increase verbosity.

    • -A: Perform OS detection, version detection, script scanning, and traceroute.

    • -iL: Input file containing list of target hosts.

    • -oN: Save results in Nmap's normal, human-readable output format.

  2. Comprehensive Port Scan

    nmap -p- -sS --open --min-rate 5000 -vvv -Pn -n 192.168.1.10 -oG scanPorts

    • -p-: Scan all 65,535 ports.

    • -sS: Perform a TCP SYN scan.

    • --open: Display only open ports.

    • --min-rate 5000: Ensure a minimum scan rate of 5000 packets per second.

    • -Pn: Skip ping checks.

    • -n: Skip DNS resolution.

    • -oG: Save results in greppable format for easy parsing.

  3. Targeted Service Scan

    nmap -sCV -p <PORTS> 192.168.1.10 -oN targeted

    • -sCV: Shorthand for -sC -sV: run the default NSE scripts and detect service versions.

    • -p: Specify ports to scan.
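
As an added example (not part of the original page), the script below reads the scanPorts file that the comprehensive scan writes with -oG and turns it into the input for step 3: the -p port list per host, plus a flag for hosts whose open ports look like a domain controller (88/tcp Kerberos together with 389/tcp LDAP). The greppable sample inside it is constructed.

```python
"""Triage the greppable (-oG) output of the all-ports scan: per host, build the
'-p <PORTS>' list for the targeted service scan and flag hosts whose open ports
look like a domain controller (Kerberos 88 together with LDAP 389)."""
# Added example, not from the original page; SAMPLE_OG is constructed output.
SAMPLE_OG = """\
# Nmap 7.94 scan initiated Wed May  1 09:00:00 2024 as: nmap -p- -sS --open -oG scanPorts 192.168.1.10 192.168.1.20
Host: 192.168.1.10 ()\tStatus: Up
Host: 192.168.1.10 ()\tPorts: 53/open/tcp//domain///, 88/open/tcp//kerberos-sec///, 389/open/tcp//ldap///, 445/open/tcp//microsoft-ds///, 636/open/tcp//ldapssl///, 3268/open/tcp//globalcatLDAP///\tIgnored State: filtered (65529)
Host: 192.168.1.20 ()\tStatus: Up
Host: 192.168.1.20 ()\tPorts: 80/open/tcp//http///, 443/open/tcp//https///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (65532)
# Nmap done at Wed May  1 09:03:00 2024 -- 2 IP addresses (2 hosts up) scanned in 180.00 seconds
"""
DC_PORTS = {88, 389}  # Kerberos plus LDAP: the minimum pair that marks a DC candidate

def open_ports(og_text):
    """Map host -> sorted open TCP ports. Each 'Ports:' entry carries seven
    '/'-separated fields: port/state/proto/owner/service/rpc/version."""
    found = {}
    for line in og_text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment lines and the final summary carry no port data
        fields = line.split("\t")
        host = fields[0].split()[1]
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue  # 'Status:' and 'Ignored State:' fields
            for entry in field[len("Ports:"):].split(","):
                parts = entry.strip().split("/")
                if len(parts) >= 3 and parts[1] == "open" and parts[2] == "tcp":
                    found.setdefault(host, set()).add(int(parts[0]))
    return {h: sorted(p) for h, p in found.items()}

def port_arg(ports):
    """Comma-separated list ready for the '-p <PORTS>' of the targeted scan."""
    return ",".join(str(p) for p in ports)

def looks_like_dc(ports):
    return DC_PORTS.issubset(ports)

def summarize(og_text):
    """host -> (port list for -p, whether the host is a domain controller candidate)"""
    return {h: (port_arg(p), looks_like_dc(p)) for h, p in open_ports(og_text).items()}
```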


User Identification

Obtaining Valid Domain Users

  1. Using Kerbrute: Kerbrute is a stealthy tool for enumerating domain accounts by exploiting Kerberos pre-authentication failures, which often avoid logging or alerts:

kerbrute userenum -d DC.LOCAL --dc 192.168.1.1 usernames.txt -o valid_ad_users.txt

Extract valid usernames from results:

cat valid_ad_users.txt | awk -F "VALID USERNAME:\t" '{print $2}' | tr -d ' ' | sed '/^$/d' | awk -F '@' '{print $1}' | tee users.txt

  2. Checking for Passwords Matching Usernames: Some users may have their username as their password. Kerbrute's bruteforce mode reads username:password pairs from a file or from stdin (-), so pair each username from users.txt with itself:

awk '{print $1":"$1}' users.txt | kerbrute bruteforce -d DC.LOCAL --dc 192.168.1.1 -
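
On the blue side of the same technique: the DC does record this activity when Kerberos Authentication Service auditing is enabled (a non-existent principal produces Event ID 4768 with Result Code 0x6, and a wrong pre-authentication password produces 4771 with 0x18). The script below, an added example that is not part of the original page, flags one source touching many distinct accounts with the same failure inside a short window; the log lines are constructed in a simplified key=value form, not real DC output.

```python
import re
from collections import defaultdict
from datetime import datetime
# Added example, not from the original page. Assumes "Audit Kerberos Authentication
# Service" is enabled on the DC: an AS-REQ for an unknown principal is logged as
# Event ID 4768 with Result Code 0x6, a wrong pre-auth password as 4771 with 0x18.
SIGNATURES = {
    ("4768", "0x6"): "user enumeration (unknown principal)",
    ("4771", "0x18"): "password guessing (pre-auth failed)",
}
# Constructed sample in a simplified key=value form, not real DC output.
SAMPLE_LOG = """\
2024-05-01T09:00:02 EventID=4768 Account=qwerty Client=10.10.5.99 Result=0x6
2024-05-01T09:00:02 EventID=4768 Account=admin2 Client=10.10.5.99 Result=0x6
2024-05-01T09:00:03 EventID=4768 Account=jsmith Client=10.10.5.99 Result=0x6
2024-05-01T09:00:04 EventID=4768 Account=backup Client=10.10.5.99 Result=0x6
2024-05-01T09:00:30 EventID=4771 Account=bob Client=10.10.5.21 Result=0x18
2024-05-01T09:05:01 EventID=4771 Account=alice Client=10.10.7.7 Result=0x18
2024-05-01T09:05:02 EventID=4771 Account=bob Client=10.10.7.7 Result=0x18
2024-05-01T09:05:03 EventID=4771 Account=carol Client=10.10.7.7 Result=0x18
2024-05-01T09:05:04 EventID=4771 Account=dave Client=10.10.7.7 Result=0x18
"""
LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<event>\d+) Account=(?P<account>\S+) "
    r"Client=(?P<client>\S+) Result=(?P<result>0x[0-9a-fA-F]+)$"
)
EPOCH = datetime(1970, 1, 1)

def parse_events(text):
    """Parse lines into dicts, skipping malformed ones instead of aborting the job."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["ts"] = datetime.fromisoformat(d["ts"])
            events.append(d)
    return events

def detect_bursts(events, window_seconds=60, threshold=4):
    """Return {(client, label): distinct accounts} for a source that hits >= threshold
    distinct accounts with one signature inside a fixed window. A single user typo
    (bob above, one 0x18) never reaches the threshold, so it is not reported."""
    seen = defaultdict(set)  # (client, label, window index) -> accounts touched
    for e in events:
        label = SIGNATURES.get((e["event"], e["result"]))
        if label:
            idx = int((e["ts"] - EPOCH).total_seconds()) // window_seconds
            seen[(e["client"], label, idx)].add(e["account"])
    return {(c, l): len(a) for (c, l, _), a in seen.items() if len(a) >= threshold}
```

Fixed windows keep the code short; a burst that straddles a window boundary can be split across two buckets, so a production rule would use a sliding window or a lower threshold.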

SMB Enumeration

Netexec

  1. Enumerate Domain Machines and Their SMB Signing Status

    nxc smb 192.168.1.0/24

  2. Validate Credentials

    nxc smb 192.168.1.1 -u 'jdoe' -p 'Password123'

  3. Find Machines the Credentials Can Connect To

    nxc smb 192.168.1.0/24 -u 'jdoe' -p 'Password123'

  4. Enumerate Shared Resources

    nxc smb 192.168.1.1 -u 'jdoe' -p 'Password123' --shares

  5. Enumerate Users and Groups

    nxc smb 192.168.1.1 -u 'jdoe' -p 'Password123' --users
    nxc smb 192.168.1.1 -u 'jdoe' -p 'Password123' --groups

  6. Dump LSA Secrets and NTDS (requires domain admin privileges):

    nxc smb 192.168.1.1 -u 'jdoe' -p 'Password123' --lsa
    nxc smb 192.168.1.1 -u 'jdoe' -p 'Password123' --ntds

LDAP Enumeration

LdapSearch

Perform anonymous or credentialed enumeration of the LDAP directory:

ldapsearch -H ldap://192.168.1.1 -x -s base namingcontexts
ldapsearch -H ldap://192.168.1.1 -D 'jdoe@DC.LOCAL' -w 'Password123' -x -b "DC=DC,DC=LOCAL"

LdapDomainDump

Dump LDAP data in JSON and HTML formats for easier analysis:

ldapdomaindump -u 'DC.LOCAL\jdoe' -p 'Password123' 192.168.1.1

BloodHound

  1. Option 1: Using bloodhound.py

    python3 bloodhound.py -u 'jdoe' -p 'Password123' -d DC.LOCAL -ns 192.168.1.1 --zip -c All

  2. Option 2: Using SharpHound.ps1

    • Download and upload SharpHound.ps1 to the target.

    • Run:

      Import-Module .\SharpHound.ps1
      Invoke-BloodHound -CollectionMethod All

  3. Option 3: Using SharpHound.exe

    • Run directly:

      .\SharpHound.exe -c all

Download the resulting .zip file and upload it to BloodHound for analysis.


PowerView

PowerView is a versatile PowerShell tool specifically designed for Active Directory reconnaissance. Part of the PowerSploit framework, it allows penetration testers and red teamers to perform in-depth enumeration of AD environments. PowerView provides a comprehensive suite of cmdlets to gather information about users, groups, computers, permissions, trust relationships, and more.

PowerView Usage

  • Get Domain Information

    Get-NetDomain

    Retrieves information about the current domain.

  • Enumerate Domain Controllers

    Get-NetDomainController

    Lists all Domain Controllers in the current domain.

  • List Domain Users

    Get-NetUser

    Displays all users in the domain, along with detailed attributes.

  • Find High-Value Targets

    Get-NetUser -AdminCount 1

    Lists all users flagged as administrators.

  • Enumerate Domain Groups

    Get-NetGroup

    Retrieves all domain groups.

    Get-NetGroupMember -GroupName "Domain Admins"

    Lists members of the "Domain Admins" group.

  • Locate Domain Computers

    Get-NetComputer

    Lists all computers in the domain.

  • Analyze Trust Relationships

    Get-NetDomainTrust

    Displays trust relationships between domains.

  • Check ACLs on AD Objects

    Get-ObjectAcl -SamAccountName "Administrator" -ResolveGUIDs

    Shows ACLs for a specific user account, resolving GUIDs to human-readable names.

  • Find Shares on Domain Computers

    Invoke-ShareFinder

    Locates shared folders across domain computers.

  • Identify Delegation Configurations

    Get-NetUser -SPN

    Finds user accounts with Service Principal Names (SPNs), often used in Kerberos-based attacks.


SMB Clients

  1. Using smbclient:

    smbclient -L 192.168.1.1 -U 'jdoe%Password123'
  2. Using impacket-smbclient:

    impacket-smbclient DC.LOCAL/jdoe:Password123@192.168.1.1
