AD Enumeration

AD Enumeration

Active Directory (AD) is the backbone of many enterprise IT infrastructures, managing user authentication, authorization, and resource access. During penetration testing or red team engagements, enumerating Active Directory is a critical step for gathering intelligence about the environment. This process involves systematically identifying valuable information that can be used to map out the network, discover potential attack paths, and exploit misconfigurations or vulnerabilities.

Why Enumerate Active Directory? Active Directory is complex and interconnected, making it a prime target for attackers. Enumeration helps uncover:

• Domain structure and trust relationships.

• User accounts, groups, and their permissions.

• Domain Controllers (DCs) and critical services like DNS, LDAP, SMB, and Kerberos.

• Misconfigurations, such as weak passwords, open shares, and insecure policies.

Key Enumeration Goals:

1. Map the Environment: Identify key assets, including Domain Controllers and critical servers.

2. Identify Users: Discover domain accounts and their roles.

3. Assess Permissions: Look for overprivileged users, groups, or objects.

4. Locate Weaknesses: Misconfigurations, legacy systems, or unpatched vulnerabilities.

5. Set the Stage for Attacks: Gather the information needed for credential attacks, privilege escalation, or lateral movement.

Common Enumeration Tools and Techniques: Enumeration can be performed using a variety of tools and techniques, including:

• Nmap for network scanning and service discovery.

• SMB and LDAP enumeration tools to query shared resources and directory structures.

• BloodHound for mapping AD relationships and privilege escalation paths.

• Kerberos-based tools like Kerbrute to discover valid accounts through pre-authentication failures.

• PowerShell scripts for gathering system and domain information.

Reconnaissance Without Credentials: Even without valid domain credentials, attackers can leverage null sessions, misconfigured services, and network discovery tools to gain valuable information. These findings often serve as a foothold to further access.

Host Identification

Fping

The fping tool allows quick identification of active hosts within a network range. For instance:

fping -asgq 192.168.1.0/24

Parameters Explained:

• -a: Display only active hosts.

• -s: Print statistics at the end of the scan.

• -g: Generate a list of destinations from a CIDR network.

• -q: Suppress output for individual hosts.

Once the scan is complete, you can create a list of active hosts for further enumeration.

---

Nmap

nmap can also be used to perform a Ping Scan for host discovery:

sudo nmap -sn 192.168.1.0/24

Parameters Explained:

• -sn: Skip port scanning and focus on host discovery by sending ICMP echo requests.

This scan provides a list of active hosts within the network. After identifying live hosts, we can move to detailed enumeration to identify services, critical hosts (e.g., domain controllers, web servers), and potential vulnerabilities.

---

Nmap Advanced Scans

1. Enumerate Active Hosts from a List

   sudo nmap -v -A -iL hosts.txt -oN hostEnum

   • -v: Increase verbosity.

   • -A: Perform OS detection, version detection, script scanning, and traceroute.

   • -iL: Input file containing list of target hosts.

   • -oN: Save results in a standard output format.

2. Comprehensive Port Scan

   nmap -p- -sS --open --min-rate 5000 -vvv -Pn -n 192.168.1.10 -oG scanPorts

   • -p-: Scan all 65,535 ports.

   • -sS: Perform a TCP SYN scan.

   • --open: Display only open ports.

   • --min-rate 5000: Ensure a minimum scan rate of 5000 packets per second.

   • -Pn: Skip ping checks.

   • -n: Skip DNS resolution.

   • -oG: Save results in greppable format for easy parsing.

3. Targeted Service Scan

   nmap -sCV -p <PORTS> 192.168.1.10 -oN targeted

   • -sCV: Perform service and version detection, and run default scripts.

   • -p: Specify ports to scan.

---

User Identification

Obtaining Valid Domain Users

1. Using Kerbrute Kerbrute is a stealthy tool for enumerating domain accounts by exploiting Kerberos pre-authentication failures, which often avoid logging or alerts:

kerbrute userenum -d DC.LOCAL --dc 192.168.1.1 usernames.txt -o valid_ad_users.txt

Extract valid usernames from results:

cat valid_ad_users.txt | awk -F "VALID USERNAME:\t" '{print $2}' | tr -d ' ' | sed '/^$/d' | awk -F '@' '{print $1}' | tee users.txt

1. Checking for Passwords Matching Usernames Some users may have their username as their password:

kerbrute bruteuser -d DC.LOCAL -dc 192.168.1.1 usernames.txt passwords.txt

---

SMB Enumeration

Netexec

1. Enumerate Domain Machines for SMB Signing

   nxc smb 192.168.1.0/24

2. Validate Credentials

   nxc smb 192.168.1.1 -u 'jdoe' -p 'Password123'

3. Find Valid Machines for Connection

   nxc smb 192.168.1.0/24 -u 'jdoe' -p 'Password123'

4. Enumerate Shared Resources

   nxc smb 192.168.1.1 -u 'jdoe' -p 'Password123' --shares

5. Enumerate Users and Groups

   nxc smb 192.168.1.1 -u 'jdoe' -p 'Password123' --users
   nxc smb 192.168.1.1 -u 'jdoe' -p 'Password123' --groups

6. Dump LSA and NTDS If you have domain admin privileges:

   nxc smb 192.168.1.1 -u 'jdoe' -p 'Password123' --lsa
   nxc smb 192.168.1.1 -u 'jdoe' -p 'Password123' --ntds

---

LDAP Enumeration

LdapSearch

Perform anonymous or credentialed enumeration of the LDAP directory:

ldapsearch -H ldap://192.168.1.1 -x -s base namingcontexts
ldapsearch -H ldap://192.168.1.1 -D 'jdoe@DC.LOCAL' -w 'Password123' -x -b "DC=DC,DC=LOCAL"

LdapDomainDump

Dump LDAP data in JSON and HTML formats for easier analysis:

ldapdomaindump -u 'DC.LOCAL\jdoe' -p 'Password123' 192.168.1.1

---

BloodHound

1. Option 1: Using bloodhound.py

   python3 bloodhound.py -u 'jdoe' -p 'Password123' -d DC.LOCAL -ns 192.168.1.1 --zip -c All

2. Option 2: Using SharpHound.ps1

   • Download and upload SharpHound.ps1 to the target.

   • Run:

     Import-Module .\SharpHound.ps1
     Invoke-BloodHound -CollectionMethod All

3. Option 3: Using SharpHound.exe

   • Run directly:

     .\SharpHound.exe -c all

Download the resulting .zip file and upload it to BloodHound for analysis.

---

PowerView

PowerView is a versatile PowerShell tool specifically designed for Active Directory reconnaissance. Part of the PowerSploit framework, it allows penetration testers and red teamers to perform in-depth enumeration of AD environments. PowerView provides a comprehensive suite of cmdlets to gather information about users, groups, computers, permissions, trust relationships, and more.

PowerView Usage

• Get Domain Information

  Get-NetDomain

  Retrieves information about the current domain.

• Enumerate Domain Controllers

  Get-NetDomainController

  Lists all Domain Controllers in the current domain.

• List Domain Users

  Get-NetUser

  Displays all users in the domain, along with detailed attributes.

• Find High-Value Targets

  Get-NetUser -AdminCount 1

  Lists all users flagged as administrators.

• Enumerate Domain Groups

  Get-NetGroup

  Retrieves all domain groups.

  Get-NetGroupMember -GroupName "Domain Admins"

  Lists members of the "Domain Admins" group.

• Locate Domain Computers

  Get-NetComputer

  Lists all computers in the domain.

• Analyze Trust Relationships

  Get-NetDomainTrust

  Displays trust relationships between domains.

• Check ACLs on AD Objects

  Get-ObjectAcl -SamAccountName "Administrator" -ResolveGUIDs

  Shows ACLs for a specific user account, resolving GUIDs to human-readable names.

• Find Shares on Domain Computers

  Invoke-ShareFinder

  Locates shared folders across domain computers.

• Identify Delegation Configurations

  Get-NetUser -SPN

  Finds user accounts with Service Principal Names (SPNs), often used in Kerberos-based attacks.

---

SMB Clients

1. Using smbclient:

   smbclient -L 192.168.1.1 -U 'jdoe%Password123'

2. Using impacket-smbclient:

   impacket-smbclient DC.LOCAL/jdoe:Password123@192.168.1.1

DNS Enumeration

Resolve DNS name using nslookup for retrieving useful info regarding target:

nslookup -type=SRV DC.LOCAL

---

Lab

To practice I created a local lab thanks to the following guide, then I run the enumeration of a Domain Controller (an unrealistic hypothesis because it is rarely directly exposed to the network).

In addition to what is indicated in the guide, i've added DNS and Web Server (IIS) services.

The target is a DC running Windows Server 2019, while the attacking machine is a Kali Linux machine (both machines are into a custom NAT_Network called: NAT_AD 192.168.57.0/24).

Host Identification

sudo nmap -sn 192.168.57.0/24 #Host Discovery

Save it into /etc/hosts file: sudo echo "192.168.57.9 corp-dc" >> /etc/hosts (optional)

Open Ports Discovery

nmap -p0- -sCV -Pn  corp-dc -oN open_ports

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Microsoft IIS httpd 10.0
|_http-title: IIS Windows Server
|_http-server-header: Microsoft-IIS/10.0
| http-methods: 
|_  Potentially risky methods: TRACE
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-02-21 18:19:55Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: dev-angelist.lab0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: dev-angelist.lab0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5357/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Service Unavailable
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49670/tcp open  msrpc         Microsoft Windows RPC
49672/tcp open  msrpc         Microsoft Windows RPC
49673/tcp open  msrpc         Microsoft Windows RPC
49676/tcp open  msrpc         Microsoft Windows RPC
49682/tcp open  msrpc         Microsoft Windows RPC
49687/tcp open  msrpc         Microsoft Windows RPC
MAC Address: 08:00:27:C0:12:91 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_nbstat: NetBIOS name: CORP-DC, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:c0:12:91 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
|_clock-skew: -1s
| smb2-time: 
|   date: 2025-02-21T18:20:44
|_  start_date: N/A

I will focus on potentially active and vulnerable services, in this case for example I have not configured the DNS so I will skip it.

HTTP/80

We can use whatweb command to retrieve info regarding web server, a GET request using curl or visiting page via browser.

whatweb http://corp-dc
curl -v http://corp-dc          

Kerberos protocol is a master topic of AD, but in this case i'm doing enumeration phase.

135 - Microsoft Remote Procedure Call (msrpc)

This protocol allows application to communicate with other machine into network.

We can user RPC Client for login and enumerate domain users

rpcclient -U devan corp-dc     #access via recclient (devan::P@ssword123!)
enumdomusers     #enumerate domain users

139 - NetBios

Protocol that facilitate communication for file and printer sharing into networks, it is the predecessor of SMB.

nbtscan 192.168.57.9

in this case we obtain NetBIOS Name, eventually server, user and MAC address info.

389 - LDAP

Lightweight directory access protocol (LDAP) is a protocol that makes it possible for applications to query user information rapidly. We can perform enumerion using various tools:

LdapSearch

Perform anonymous or credentialed enumeration of the LDAP directory:

ldapsearch -H ldap://192.168.1.1 -x -s base namingcontexts
ldapsearch -H ldap://CORP-DC -D "devan@dev-angelist.lab" -w "P@ssword123!" -b "DC=dev-angelist,DC=lab" "(objectClass=user)"
#Other additional useful queries:
$Filter = "(objectClass=user)"
$RootOU = "DC=dev-angelist,DC=lab"
$Searcher = New-Object DirectoryServices.DirectorySearcher
$Searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$($RootOU)")
$Searcher.Filter = $Filter
$Searcher.SearchScope = "Subtree"
$Searcher.FindAll()

LdapWhoami

Obtain user via Ldapwhoami

ldapwhoami -H ldap://CORP-DC -D "CN=devan,CN=Users,DC=dev-angelist,DC=lab" -w "P@ssword123!"

LdapDomainDump

Dump LDAP data in JSON and HTML formats for easier analysis:

ldapdomaindump -u 'dev-angelist\devan' -p 'P@ssword123!' 192.168.57.9

445 - SMB

The SMB protocol is a network file sharing protocol that allows applications on a computer to read and write to files. SMB also requests services from server programs in a computer network. It's the most critical attack vector if it's not protected well.

The v1 is deprecated and have several vulnerabilities (Eternal Blue, WannaCry, etc).

It can run over multiple ports: 445, 137-139 (NetBIOS), and over UDP.

To test it, i've created a share folder called "SharedFiles" with a text file. This directory is shared with 'devan' with read/write rights (Properties->Share->AddUser: 'devan')

Location: \\CORP-DC\SharedFiles

Then, we can access to it on Devan's workstation machine using that location

We can enumerate SMB shares and access to system using these tools:

smbmap -H corp-dc
smbclient //corp-dc/SharedFiles -U "dev-angelist.lab/devan%P@ssword123!"

---

References

• Kerbrute GitHub Repository
• PayloadsAllTheThings
• WADComs
• AD Exploitation YT
• HackTricks: SMB and Active Directory Enumeration