AD Enumeration
https://dev-angelist.gitbook.io/home/active-directory/ad-enumeration
To practice I created a local lab thanks to the following guide, then I run the enumeration of a Domain Controller (an unrealistic hypothesis because it is rarely directly exposed to the network).
In addition to what is indicated in the guide, i've added DNS and Web Server (IIS) services.
The target is a DC running Windows Server 2019, while the attacking machine is a Kali Linux machine (both machines are into a custom NAT_Network called: NAT_AD 192.168.57.0/24).
Host Identification
sudo nmap -sn 192.168.57.0/24 #Host Discovery
Save it into /etc/hosts file: sudo echo "192.168.57.9 corp-dc" >> /etc/hosts (optional)
Open Ports Discovery
nmap -p0- -sCV -Pn corp-dc -oN open_portsPORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: IIS Windows Server
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_ Potentially risky methods: TRACE
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-02-21 18:19:55Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: dev-angelist.lab0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: dev-angelist.lab0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5357/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Service Unavailable
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49669/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49670/tcp open msrpc Microsoft Windows RPC
49672/tcp open msrpc Microsoft Windows RPC
49673/tcp open msrpc Microsoft Windows RPC
49676/tcp open msrpc Microsoft Windows RPC
49682/tcp open msrpc Microsoft Windows RPC
49687/tcp open msrpc Microsoft Windows RPC
MAC Address: 08:00:27:C0:12:91 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_nbstat: NetBIOS name: CORP-DC, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:c0:12:91 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
|_clock-skew: -1s
| smb2-time:
| date: 2025-02-21T18:20:44
|_ start_date: N/AI will focus on potentially active and vulnerable services, in this case for example I have not configured the DNS so I will skip it.
80 - HTTP
We can use whatweb command to retrieve info regarding web server, a GET request using curl or visiting page via browser.
whatweb http://corp-dc
curl -v http://corp-dc 
Kerberos protocol is a master topic of AD, but in this case i'm doing enumeration phase.
135 - Microsoft Remote Procedure Call (msrpc)
This protocol allows application to communicate with other machine into network.
We can user RPC Client for login and enumerate domain users
rpcclient -U devan corp-dc #access via recclient (devan::P@ssword123!)
enumdomusers #enumerate domain users139 - NetBios
Protocol that facilitate communication for file and printer sharing into networks, it is the predecessor of SMB.
nbtscan 192.168.57.9
in this case we obtain NetBIOS Name, eventually server, user and MAC address info.
389 - LDAP
Lightweight directory access protocol (LDAP) is a protocol that makes it possible for applications to query user information rapidly. We can perform enumerion using various tools:
LdapSearch
LdapSearchPerform anonymous or credentialed enumeration of the LDAP directory:
ldapsearch -H ldap://192.168.1.1 -x -s base namingcontexts
ldapsearch -H ldap://CORP-DC -D "devan@dev-angelist.lab" -w "P@ssword123!" -b "DC=dev-angelist,DC=lab" "(objectClass=user)"
#Other additional useful queries:
$Filter = "(objectClass=user)"
$RootOU = "DC=dev-angelist,DC=lab"
$Searcher = New-Object DirectoryServices.DirectorySearcher
$Searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$($RootOU)")
$Searcher.Filter = $Filter
$Searcher.SearchScope = "Subtree"
$Searcher.FindAll()
LdapWhoami
LdapWhoamiObtain user via Ldapwhoami
ldapwhoami -H ldap://CORP-DC -D "CN=devan,CN=Users,DC=dev-angelist,DC=lab" -w "P@ssword123!"
LdapDomainDump
LdapDomainDumpDump LDAP data in JSON and HTML formats for easier analysis:
ldapdomaindump -u 'dev-angelist\devan' -p 'P@ssword123!' 192.168.57.9445 - SMB
The SMB protocol is a network file sharing protocol that allows applications on a computer to read and write to files. SMB also requests services from server programs in a computer network. It's the most critical attack vector if it's not protected well.
The v1 is deprecated and have several vulnerabilities (Eternal Blue, WannaCry, etc).
It can run over multiple ports: 445, 137-139 (NetBIOS), and over UDP.
To test it, i've created a share folder called "SharedFiles" with a text file. This directory is shared with 'devan' with read/write rights (Properties->Share->AddUser: 'devan')
Location: \\CORP-DC\SharedFiles
Then, we can access to it on Devan's workstation machine using that location
We can enumerate SMB shares and access to system using these tools:
smbmap -H corp-dc
smbclient //corp-dc/SharedFiles -U "dev-angelist.lab/devan%P@ssword123!"
Last updated