AD Enumeration

https://dev-angelist.gitbook.io/home/active-directory/ad-enumeration

To practice, I created a local lab by following the guide below, then I ran the enumeration of a Domain Controller (an unrealistic hypothesis, because a DC is rarely directly exposed to the network).

In addition to what is indicated in the guide, I've added DNS and Web Server (IIS) services.

The target is a DC running Windows Server 2019, while the attacking machine is a Kali Linux machine (both machines are on a custom NAT network called NAT_AD, 192.168.57.0/24).

AD Lab Setup

AD Enumeration Methodology

Host Identification

sudo nmap -sn 192.168.57.0/24 #Host Discovery

Save it into the /etc/hosts file (optional): echo "192.168.57.9 corp-dc" | sudo tee -a /etc/hosts (with sudo echo ... >> /etc/hosts the redirection runs in the unprivileged shell and fails with "Permission denied", so tee is used instead)

Open Ports Discovery

nmap -p0- -sCV -Pn  corp-dc -oN open_ports
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Microsoft IIS httpd 10.0
|_http-title: IIS Windows Server
|_http-server-header: Microsoft-IIS/10.0
| http-methods: 
|_  Potentially risky methods: TRACE
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-02-21 18:19:55Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: dev-angelist.lab0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: dev-angelist.lab0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5357/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Service Unavailable
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49670/tcp open  msrpc         Microsoft Windows RPC
49672/tcp open  msrpc         Microsoft Windows RPC
49673/tcp open  msrpc         Microsoft Windows RPC
49676/tcp open  msrpc         Microsoft Windows RPC
49682/tcp open  msrpc         Microsoft Windows RPC
49687/tcp open  msrpc         Microsoft Windows RPC
MAC Address: 08:00:27:C0:12:91 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_nbstat: NetBIOS name: CORP-DC, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:c0:12:91 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
|_clock-skew: -1s
| smb2-time: 
|   date: 2025-02-21T18:20:44
|_  start_date: N/A
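To turn the scan above into something reviewable, here is an added Python example (my own code, not part of the original page) that parses nmap's normal output (the -oN format, the same as the open_ports file) into a port inventory and then lists the posture points a defender would note from it: the TRACE method on IIS, LDAP without TLS on 389, WinRM on 5985, and whether SMB signing is required. The scan text embedded below is a constructed subset of the output shown above, not a fresh capture.

```python
import re

# Constructed sample: a subset of the nmap -oN output shown above, embedded so
# the parser runs offline (not a fresh capture from the lab DC).
SAMPLE_SCAN = """\
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Microsoft IIS httpd 10.0
|_http-title: IIS Windows Server
| http-methods:
|_  Potentially risky methods: TRACE
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-02-21 18:19:55Z)
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: dev-angelist.lab0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
636/tcp   open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49666/tcp open  msrpc         Microsoft Windows RPC
MAC Address: 08:00:27:C0:12:91 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required
|_clock-skew: -1s
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_scan(text):
    """Return (ports, host_scripts).

    ports is a list of dicts with port, proto, state, service, version and the
    NSE script lines printed under that port; host_scripts holds the lines
    under "Host script results:" with the |/_ decoration removed.
    """
    ports, host_scripts, in_host = [], [], False
    for line in text.splitlines():
        if line.startswith("Host script results"):
            in_host = True
            continue
        m = PORT_RE.match(line)
        if m and not in_host:
            ports.append({"port": int(m.group(1)), "proto": m.group(2),
                          "state": m.group(3), "service": m.group(4),
                          "version": m.group(5).strip(), "script": []})
        elif line.startswith("|"):
            stripped = line.lstrip("|_ ").rstrip()
            if in_host:
                host_scripts.append(stripped)
            elif ports:
                ports[-1]["script"].append(stripped)
    return ports, host_scripts


def posture_findings(ports, host_scripts):
    """Defender-side reading of the scan: what is exposed and which protections show."""
    findings = []
    open_ports = {p["port"] for p in ports if p["state"] == "open"}
    for p in ports:
        if any("risky methods" in s and "TRACE" in s for s in p["script"]):
            findings.append(f"{p['port']}/{p['proto']}: HTTP TRACE method enabled; disable it on IIS")
    if 389 in open_ports:
        findings.append("389/tcp: LDAP without TLS exposed; enforce LDAP signing and channel binding, prefer LDAPS on 636")
    if 5985 in open_ports:
        findings.append("5985/tcp: WinRM over HTTP exposed; restrict it to management networks")
    if 445 in open_ports:
        required = any("signing enabled and required" in s for s in host_scripts)
        findings.append("445/tcp: SMB signing " + ("required (good)" if required else "not required; enable it"))
    return findings


if __name__ == "__main__":
    ports, host = parse_scan(SAMPLE_SCAN)
    for p in ports:
        print(f"{p['port']:>5}/{p['proto']} {p['service']:<14} {p['version']}")
    for f in posture_findings(ports, host):
        print("-", f)
```

Run it against the real open_ports file by reading that file into parse_scan instead of SAMPLE_SCAN; the signing check is the one that matters most here, since the scan shows the DC already requires SMB signing.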

I will focus on potentially active and vulnerable services; in this case, for example, I have not configured DNS, so I will skip it.

80 - HTTP

We can use the whatweb command to retrieve information about the web server, send a GET request using curl, or visit the page in a browser.

whatweb http://corp-dc          # fingerprint the web server and any frameworks it reports
curl -v http://corp-dc          # raw GET request; -v shows request and response headers

88 - Kerberos

The Kerberos protocol is a core topic of AD, but in this case I'm only covering the enumeration phase.

135 - Microsoft Remote Procedure Call (msrpc)

This protocol allows an application to communicate with other machines on the network.

We can use rpcclient to log in and enumerate domain users:

rpcclient -U devan corp-dc     # access via rpcclient; password prompted at login (devan::P@ssword123!)
enumdomusers                   # typed at the rpcclient $> prompt: enumerate domain users
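The enumdomusers output has the form user:[name] rid:[0x...]. Added Python example (mine, not from the original page): a parser that maps account names to numeric RIDs, because the RID, not the display name, identifies an account: RID 500 is the built-in Administrator even when renamed, and everything at 1000 and above was created in this domain. The sample output is constructed, not captured from the lab DC.

```python
import re

# Constructed sample of what `enumdomusers` prints at the rpcclient prompt;
# not captured from the lab DC.
SAMPLE_ENUMDOMUSERS = """\
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[devan] rid:[0x451]
user:[svc_backup] rid:[0x452]
"""

USER_RE = re.compile(r"user:\[(?P<name>[^\]]*)\]\s+rid:\[0x(?P<rid>[0-9a-fA-F]+)\]")

# Well-known relative identifiers present in every domain.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 502: "krbtgt"}


def parse_enumdomusers(text):
    """Map account name -> numeric RID (rpcclient prints the RID in hex)."""
    return {m.group("name"): int(m.group("rid"), 16) for m in USER_RE.finditer(text)}


def review_accounts(users):
    """Audit notes: well-known RIDs are fixed, so a renamed built-in account is
    still recognisable, and RIDs >= 1000 show what this caller can enumerate."""
    by_rid = {rid: name for name, rid in users.items()}
    notes = []
    for rid, default_name in WELL_KNOWN_RIDS.items():
        name = by_rid.get(rid)
        if name is None:
            notes.append(f"RID {rid} ({default_name}) not listed")
        elif name != default_name:
            notes.append(f"RID {rid} ({default_name}) has been renamed to '{name}'")
        else:
            notes.append(f"RID {rid} still carries its default name '{default_name}'")
    created = sorted(n for n, r in users.items() if r >= 1000)
    notes.append(f"{len(created)} domain-created accounts enumerable: {', '.join(created)}")
    return notes


if __name__ == "__main__":
    for note in review_accounts(parse_enumdomusers(SAMPLE_ENUMDOMUSERS)):
        print(note)
```

The defender-side lesson is the last line of the report: with one low-privilege credential the whole account list is readable over MSRPC, so renaming built-in accounts hides nothing, and the visibility of every account is what access policy on the DC should limit.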

139 - NetBIOS

A protocol that facilitates communication for file and printer sharing on networks; it is the predecessor of SMB.

nbtscan 192.168.57.9

In this case we obtain the NetBIOS name and, possibly, server, user and MAC address information.

389 - LDAP

Lightweight Directory Access Protocol (LDAP) is a protocol that makes it possible for applications to query user information rapidly. We can perform enumeration using various tools:

LdapSearch

Perform anonymous or credentialed enumeration of the LDAP directory:

ldapsearch -H ldap://corp-dc -x -s base namingcontexts     # anonymous bind (-x): list the naming contexts, no credentials needed
ldapsearch -H ldap://CORP-DC -D "devan@dev-angelist.lab" -w "P@ssword123!" -b "DC=dev-angelist,DC=lab" "(objectClass=user)"     # authenticated: every user object under the domain root

# Other useful queries, run from PowerShell on a domain-joined Windows host (same search through the .NET DirectorySearcher):
$Filter = "(objectClass=user)"
$RootOU = "DC=dev-angelist,DC=lab"
$Searcher = New-Object System.DirectoryServices.DirectorySearcher
$Searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$($RootOU)")
$Searcher.Filter = $Filter
$Searcher.SearchScope = "Subtree"     # search the whole tree below $RootOU
$Searcher.FindAll()                   # one SearchResult per matching object
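ldapsearch prints its results as LDIF, which wraps long values onto continuation lines (a leading space) and base64-encodes values it cannot print (attr:: value). Added Python example, not part of the original page: an LDIF parser that handles both, plus a decoder for the userAccountControl bitmask so that accounts with "password never expires" or Kerberos pre-authentication disabled stand out when reviewing the dump. The LDIF and its two accounts are constructed, not captured from the lab DC; the flag values are the documented userAccountControl bits.

```python
import base64

# Constructed LDIF in the shape ldapsearch prints (not captured from the lab DC):
# comment lines, one continuation line (leading space) and one base64 value (::).
SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <DC=dev-angelist,DC=lab> with scope subtree
# filter: (objectClass=user)

# devan, Users, dev-angelist.lab
dn: CN=devan,CN=Users,DC=dev-angelist,DC=lab
objectClass: user
sAMAccountName: devan
userAccountControl: 66048
description: Lab user with a description long enough to be wrapped by ldaps
 earch onto a continuation line

# svc_backup, Users, dev-angelist.lab
dn: CN=svc_backup,CN=Users,DC=dev-angelist,DC=lab
objectClass: user
sAMAccountName: svc_backup
userAccountControl: 4260352
description:: U2VydmljZSBhY2NvdW50

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2
"""

# userAccountControl bits (documented values).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x40000: "SMARTCARD_REQUIRED",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x400000: "DONT_REQ_PREAUTH",
}

# Flags a reviewer wants called out on a user account.
REVIEW_FLAGS = ("PASSWD_NOTREQD", "DONT_EXPIRE_PASSWORD",
                "TRUSTED_FOR_DELEGATION", "DONT_REQ_PREAUTH")


def parse_ldif(text):
    """Parse ldapsearch output into a list of {attribute: [values]} dicts.

    Only records with a dn are kept, so the trailing search/result lines are
    dropped; '#' lines are comments, a leading space continues the previous
    value, and 'attr:: v' marks a base64-encoded value.
    """
    entries, current, last = [], {}, None

    def finish():
        nonlocal current, last
        if "dn" in current:
            entries.append({a: [base64.b64decode(v).decode("utf-8") if b64 else v
                                for v, b64 in vals]
                            for a, vals in current.items()})
        current, last = {}, None

    for line in text.splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():
            finish()
            continue
        if line.startswith(" ") and last is not None:
            current[last][-1][0] += line[1:]      # continuation: append the raw text
            continue
        attr, _, value = line.partition(":")
        is_b64 = value.startswith(":")
        value = value[1:] if is_b64 else value
        current.setdefault(attr, []).append([value.strip(), is_b64])
        last = attr
    finish()
    return entries


def decode_uac(value):
    """Translate a userAccountControl integer into its flag names, lowest bit first."""
    n = int(value)
    return [name for bit, name in sorted(UAC_FLAGS.items()) if n & bit]


def review_uac(entries):
    """sAMAccountName -> list of review-worthy flags (empty list: nothing to flag)."""
    report = {}
    for e in entries:
        name = e.get("sAMAccountName", e["dn"])[0]
        flags = decode_uac(e.get("userAccountControl", ["0"])[0])
        report[name] = [f for f in flags if f in REVIEW_FLAGS]
    return report


if __name__ == "__main__":
    for account, flags in review_uac(parse_ldif(SAMPLE_LDIF)).items():
        print(f"{account:<12} {', '.join(flags) or '-'}")
```

Feed it the saved output of the authenticated ldapsearch command above (read the file into parse_ldif); an account that comes back with DONT_REQ_PREAUTH or PASSWD_NOTREQD is a finding to fix on the DC, not just a note in the report.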

LdapWhoami

Confirm which identity the bind is authenticated as via ldapwhoami:

ldapwhoami -H ldap://CORP-DC -D "CN=devan,CN=Users,DC=dev-angelist,DC=lab" -w "P@ssword123!"

LdapDomainDump

Dump LDAP data in JSON and HTML formats for easier analysis:

ldapdomaindump -u 'dev-angelist\devan' -p 'P@ssword123!' 192.168.57.9

445 - SMB

The SMB protocol is a network file sharing protocol that allows applications on a computer to read and write files. SMB also requests services from server programs in a computer network. It is the most critical attack vector if it is not well protected.

SMBv1 is deprecated and has several known vulnerabilities (EternalBlue, which WannaCry exploited, etc.).

It can run over multiple ports: 445, and 137-139 (NetBIOS), partly over UDP.

To test it, I've created a shared folder called "SharedFiles" containing a text file. This directory is shared with 'devan' with read/write rights (Properties -> Share -> Add User: 'devan').

Location: \\CORP-DC\SharedFiles

Then we can access it from Devan's workstation using that location.

We can enumerate SMB shares and access the file system using these tools:

smbmap -H corp-dc     # list shares and the permissions visible to this session (add -u/-p for an authenticated view)
smbclient //corp-dc/SharedFiles -U "dev-angelist.lab/devan%P@ssword123!"     # open the share as devan (DOMAIN/user%password)
