# AD Enumeration ## AD **Enumeration** Active Directory (AD) is the backbone of many enterprise IT infrastructures, managing user authentication, authorization, and resource access. During penetration testing or red team engagements, **enumerating Active Directory** is a critical step for gathering intelligence about the environment. This process involves systematically identifying valuable information that can be used to map out the network, discover potential attack paths, and exploit misconfigurations or vulnerabilities. **Why Enumerate Active Directory?**\ Active Directory is complex and interconnected, making it a prime target for attackers. Enumeration helps uncover: * Domain structure and trust relationships. * User accounts, groups, and their permissions. * Domain Controllers (DCs) and critical services like DNS, LDAP, SMB, and Kerberos. * Misconfigurations, such as weak passwords, open shares, and insecure policies. **Key Enumeration Goals:** 1. **Map the Environment:** Identify key assets, including Domain Controllers and critical servers. 2. **Identify Users:** Discover domain accounts and their roles. 3. **Assess Permissions:** Look for overprivileged users, groups, or objects. 4. **Locate Weaknesses:** Misconfigurations, legacy systems, or unpatched vulnerabilities. 5. **Set the Stage for Attacks:** Gather the information needed for credential attacks, privilege escalation, or lateral movement. **Common Enumeration Tools and Techniques:**\ Enumeration can be performed using a variety of tools and techniques, including: * **Nmap** for network scanning and service discovery. * **SMB and LDAP enumeration** tools to query shared resources and directory structures. * **BloodHound** for mapping AD relationships and privilege escalation paths. * **Kerberos-based tools** like Kerbrute to discover valid accounts through pre-authentication failures. * **PowerShell scripts** for gathering system and domain information. **Reconnaissance Without Credentials:**\ Even without valid domain credentials, attackers can leverage null sessions, misconfigured services, and network discovery tools to gain valuable information. These findings often serve as a foothold to further access. ## **Host Identification** ### **`Fping`** The `fping` tool allows quick identification of active hosts within a network range. For instance: ```bash fping -asgq 192.168.1.0/24 ``` **Parameters Explained:** * `-a`: Display only active hosts. * `-s`: Print statistics at the end of the scan. * `-g`: Generate a list of destinations from a CIDR network. * `-q`: Suppress output for individual hosts. Once the scan is complete, you can create a list of active hosts for further enumeration. *** ### **Nmap** `nmap` can also be used to perform a **Ping Scan** for host discovery: ```bash sudo nmap -sn 192.168.1.0/24 ``` **Parameters Explained:** * `-sn`: Skip port scanning and focus on host discovery by sending ICMP echo requests. This scan provides a list of active hosts within the network. After identifying live hosts, we can move to detailed enumeration to identify services, critical hosts (e.g., domain controllers, web servers), and potential vulnerabilities. *** **Nmap Advanced Scans** 1. **Enumerate Active Hosts from a List** ```bash sudo nmap -v -A -iL hosts.txt -oN hostEnum ``` * `-v`: Increase verbosity. * `-A`: Perform OS detection, version detection, script scanning, and traceroute. * `-iL`: Input file containing list of target hosts. * `-oN`: Save results in a standard output format. 2. **Comprehensive Port Scan** ```bash nmap -p- -sS --open --min-rate 5000 -vvv -Pn -n 192.168.1.10 -oG scanPorts ``` * `-p-`: Scan all 65,535 ports. * `-sS`: Perform a TCP SYN scan. * `--open`: Display only open ports. * `--min-rate 5000`: Ensure a minimum scan rate of 5000 packets per second. * `-Pn`: Skip ping checks. * `-n`: Skip DNS resolution. * `-oG`: Save results in greppable format for easy parsing. 3. **Targeted Service Scan** ```bash nmap -sCV -p 192.168.1.10 -oN targeted ``` * `-sCV`: Perform service and version detection, and run default scripts. * `-p`: Specify ports to scan. *** ## **User Identification** **Obtaining Valid Domain Users** 1. **Using Kerbrute** `Kerbrute` is a stealthy tool for enumerating domain accounts by exploiting Kerberos pre-authentication failures, which often avoid logging or alerts: ```bash kerbrute userenum -d DC.LOCAL --dc 192.168.1.1 usernames.txt -o valid_ad_users.txt ``` **Extract valid usernames from results:** ```bash cat valid_ad_users.txt | awk -F "VALID USERNAME:\t" '{print $2}' | tr -d ' ' | sed '/^$/d' | awk -F '@' '{print $1}' | tee users.txt ``` 2. **Checking for Passwords Matching Usernames**\ Some users may have their username as their password: ```bash kerbrute bruteuser -d DC.LOCAL -dc 192.168.1.1 usernames.txt passwords.txt ``` *** ## **SMB Enumeration** ### **Netexec** 1. **Enumerate Domain Machines for SMB Signing** ```bash nxc smb 192.168.1.0/24 ``` 2. **Validate Credentials** ```bash nxc smb 192.168.1.1 -u 'jdoe' -p 'Password123' ``` 3. **Find Valid Machines for Connection** ```bash nxc smb 192.168.1.0/24 -u 'jdoe' -p 'Password123' ``` 4. **Enumerate Shared Resources** ```bash nxc smb 192.168.1.1 -u 'jdoe' -p 'Password123' --shares ``` 5. **Enumerate Users and Groups** ```bash nxc smb 192.168.1.1 -u 'jdoe' -p 'Password123' --users nxc smb 192.168.1.1 -u 'jdoe' -p 'Password123' --groups ``` 6. **Dump LSA and NTDS**\ If you have domain admin privileges: ```bash nxc smb 192.168.1.1 -u 'jdoe' -p 'Password123' --lsa nxc smb 192.168.1.1 -u 'jdoe' -p 'Password123' --ntds ``` *** ## **LDAP Enumeration** ### **`LdapSearch`** Perform anonymous or credentialed enumeration of the LDAP directory: ```bash ldapsearch -H ldap://192.168.1.1 -x -s base namingcontexts ldapsearch -H ldap://192.168.1.1 -D 'jdoe@DC.LOCAL' -w 'Password123' -x -b "DC=DC,DC=LOCAL" ``` ### **`LdapDomainDump`** Dump LDAP data in JSON and HTML formats for easier analysis: ```bash ldapdomaindump -u 'DC.LOCAL\jdoe' -p 'Password123' 192.168.1.1 ``` *** ## **BloodHound** 1. **Option 1: Using `bloodhound.py`** ```bash python3 bloodhound.py -u 'jdoe' -p 'Password123' -d DC.LOCAL -ns 192.168.1.1 --zip -c All ``` 2. **Option 2: Using `SharpHound.ps1`** * Download and upload `SharpHound.ps1` to the target. * Run: ```powershell Import-Module .\SharpHound.ps1 Invoke-BloodHound -CollectionMethod All ``` 3. **Option 3: Using `SharpHound.exe`** * Run directly: ```bash .\SharpHound.exe -c all ``` Download the resulting `.zip` file and upload it to BloodHound for analysis. *** ## **PowerView** **PowerView** is a versatile PowerShell tool specifically designed for Active Directory reconnaissance. Part of the PowerSploit framework, it allows penetration testers and red teamers to perform in-depth enumeration of AD environments. PowerView provides a comprehensive suite of cmdlets to gather information about users, groups, computers, permissions, trust relationships, and more. ### **PowerView Usage** * **Get Domain Information** ```powershell Get-NetDomain ``` Retrieves information about the current domain. * **Enumerate Domain Controllers** ```powershell Get-NetDomainController ``` Lists all Domain Controllers in the current domain. * **List Domain Users** ```powershell Get-NetUser ``` Displays all users in the domain, along with detailed attributes. * **Find High-Value Targets** ```powershell Get-NetUser -AdminCount 1 ``` Lists all users flagged as administrators. * **Enumerate Domain Groups** ```powershell Get-NetGroup ``` Retrieves all domain groups. ```powershell Get-NetGroupMember -GroupName "Domain Admins" ``` Lists members of the "Domain Admins" group. * **Locate Domain Computers** ```powershell Get-NetComputer ``` Lists all computers in the domain. * **Analyze Trust Relationships** ```powershell Get-NetDomainTrust ``` Displays trust relationships between domains. * **Check ACLs on AD Objects** ```powershell Get-ObjectAcl -SamAccountName "Administrator" -ResolveGUIDs ``` Shows ACLs for a specific user account, resolving GUIDs to human-readable names. * **Find Shares on Domain Computers** ```powershell Invoke-ShareFinder ``` Locates shared folders across domain computers. * **Identify Delegation Configurations** ```powershell Get-NetUser -SPN ``` Finds user accounts with Service Principal Names (SPNs), often used in Kerberos-based attacks. *** ## **SMB Clients** 1. **Using `smbclient`:** ```bash smbclient -L 192.168.1.1 -U 'jdoe%Password123' ``` 2. **Using `impacket-smbclient`:** ```bash impacket-smbclient DC.LOCAL/jdoe:Password123@192.168.1.1 ``` ## DNS Enumeration Resolve DNS name using nslookup for retrieving useful info regarding target: ```bash nslookup -type=SRV DC.LOCAL ``` *** ## Lab To practice I created a local lab thanks to the following [guide](https://dev-angelist.gitbook.io/building-a-vulnerable-active-directory-lab), then I run the enumeration of a Domain Controller (an unrealistic hypothesis because it is rarely directly exposed to the network). In addition to what is indicated in the guide, i've added DNS and Web Server (IIS) services. The target is a DC running Windows Server 2019, while the attacking machine is a Kali Linux machine (both machines are into a custom NAT\_Network called: NAT\_AD `192.168.57.0/24`). #### Host Identification ```bash sudo nmap -sn 192.168.57.0/24 #Host Discovery ```

Save it into /etc/hosts file: `sudo echo "192.168.57.9 corp-dc" >> /etc/hosts` (optional) #### Open Ports Discovery ```bash nmap -p0- -sCV -Pn corp-dc -oN open_ports ``` ```bash PORT STATE SERVICE VERSION 53/tcp open domain Simple DNS Plus 80/tcp open http Microsoft IIS httpd 10.0 |_http-title: IIS Windows Server |_http-server-header: Microsoft-IIS/10.0 | http-methods: |_ Potentially risky methods: TRACE 88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-02-21 18:19:55Z) 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: dev-angelist.lab0., Site: Default-First-Site-Name) 445/tcp open microsoft-ds? 464/tcp open kpasswd5? 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 636/tcp open tcpwrapped 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: dev-angelist.lab0., Site: Default-First-Site-Name) 3269/tcp open tcpwrapped 5357/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-server-header: Microsoft-HTTPAPI/2.0 |_http-title: Service Unavailable 5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-server-header: Microsoft-HTTPAPI/2.0 |_http-title: Not Found 9389/tcp open mc-nmf .NET Message Framing 49666/tcp open msrpc Microsoft Windows RPC 49667/tcp open msrpc Microsoft Windows RPC 49669/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 49670/tcp open msrpc Microsoft Windows RPC 49672/tcp open msrpc Microsoft Windows RPC 49673/tcp open msrpc Microsoft Windows RPC 49676/tcp open msrpc Microsoft Windows RPC 49682/tcp open msrpc Microsoft Windows RPC 49687/tcp open msrpc Microsoft Windows RPC MAC Address: 08:00:27:C0:12:91 (PCS Systemtechnik/Oracle VirtualBox virtual NIC) Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: | smb2-security-mode: | 3:1:1: |_ Message signing enabled and required |_nbstat: NetBIOS name: CORP-DC, NetBIOS user: , NetBIOS MAC: 08:00:27:c0:12:91 (PCS Systemtechnik/Oracle VirtualBox virtual NIC) |_clock-skew: -1s | smb2-time: | date: 2025-02-21T18:20:44 |_ start_date: N/A ``` I will focus on potentially active and vulnerable services, in this case for example I have not configured the DNS so I will skip it. #### HTTP/80 We can use whatweb command to retrieve info regarding web server, a GET request using curl or visiting page via browser. ```bash whatweb http://corp-dc curl -v http://corp-dc ```

Kerberos protocol is a master topic of AD, but in this case i'm doing enumeration phase. #### 135 - Microsoft Remote Procedure Call (msrpc) This protocol allows application to communicate with other machine into network. We can user RPC Client for login and enumerate domain users ```bash rpcclient -U devan corp-dc #access via recclient (devan::P@ssword123!) enumdomusers #enumerate domain users ``` #### 139 - NetBios Protocol that facilitate communication for file and printer sharing into networks, it is the predecessor of SMB. ```bash nbtscan 192.168.57.9 ```

in this case we obtain NetBIOS Name, eventually server, user and MAC address info. #### 389 - LDAP Lightweight directory access protocol (LDAP) is a protocol that makes it possible for applications to query user information rapidly. We can perform enumerion using various tools: #### **`LdapSearch`** Perform anonymous or credentialed enumeration of the LDAP directory: ```bash ldapsearch -H ldap://192.168.1.1 -x -s base namingcontexts ldapsearch -H ldap://CORP-DC -D "devan@dev-angelist.lab" -w "P@ssword123!" -b "DC=dev-angelist,DC=lab" "(objectClass=user)" #Other additional useful queries: $Filter = "(objectClass=user)" $RootOU = "DC=dev-angelist,DC=lab" $Searcher = New-Object DirectoryServices.DirectorySearcher $Searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$($RootOU)") $Searcher.Filter = $Filter $Searcher.SearchScope = "Subtree" $Searcher.FindAll() ```

**`LdapWhoami`** Obtain user via Ldapwhoami ```bash ldapwhoami -H ldap://CORP-DC -D "CN=devan,CN=Users,DC=dev-angelist,DC=lab" -w "P@ssword123!" ```

#### **`LdapDomainDump`** Dump LDAP data in JSON and HTML formats for easier analysis: ```bash ldapdomaindump -u 'dev-angelist\devan' -p 'P@ssword123!' 192.168.57.9 ``` #### 445 - SMB The SMB protocol is a network file sharing protocol that allows applications on a computer to read and write to files. SMB also requests services from server programs in a computer network. It's the most critical attack vector if it's not protected well. The v1 is deprecated and have several vulnerabilities (Eternal Blue, WannaCry, etc). It can run over multiple ports: 445, 137-139 (NetBIOS), and over UDP. To test it, i've created a share folder called "SharedFiles" with a text file. This directory is shared with 'devan' with read/write rights (Properties->Share->AddUser: 'devan')

Location: `\\CORP-DC\SharedFiles` Then, we can access to it on Devan's workstation machine using that location

We can enumerate SMB shares and access to system using these tools: ```bash smbmap -H corp-dc smbclient //corp-dc/SharedFiles -U "dev-angelist.lab/devan%P@ssword123!" ```

*** ## **References** * [Kerbrute GitHub Repository](https://github.com/ropnop/kerbrute) * [PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings) * [WADComs](https://wadcoms.github.io/) * [AD Exploitation YT](https://www.youtube.com/watch?v=pXd8DsdcBlw\&list=PLJnLaWkc9xRi71Pso26JlvyBkLUOETLjn) * HackTricks: SMB and Active Directory Enumeration --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://dev-angelist.gitbook.io/home/active-directory/ad-enumeration.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.