PenTest – Active Directory – Enumeration

Using BloodHound

Use the correct collector * AzureHound for Azure Active Directory * SharpHound for local Active Directory * RustHound for local Active Directory

  • use BloodHoundAD/AzureHound (more info: Cloud – Azure Pentest)
  • use BloodHoundAD/BloodHound
    # run the collector on the machine using SharpHound.exe
    # https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/SharpHound.exe
    # /usr/lib/bloodhound/resources/app/Collectors/SharpHound.exe
    .\SharpHound.exe -c all -d active.htb --searchforest
    .\SharpHound.exe -c all,GPOLocalGroup # all collection doesn't include GPOLocalGroup by default
    .\SharpHound.exe --CollectionMethod DCOnly # only collect from the DC, doesn't query the computers (more stealthy)
    
    .\SharpHound.exe -c all --LdapUsername <UserName> --LdapPassword <Password> --JSONFolder <PathToFile>
    .\SharpHound.exe -c all --LdapUsername <UserName> --LdapPassword <Password> --domaincontroller 10.10.10.100 -d active.htb
    .\SharpHound.exe -c all,GPOLocalGroup --outputdirectory C:\Windows\Temp --randomizefilenames --prettyjson --nosavecache --encryptzip --collectallproperties --throttle 10000 --jitter 23
    
    # or run the collector on the machine using Powershell
    # https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/SharpHound.ps1
    # /usr/lib/bloodhound/resources/app/Collectors/SharpHound.ps1
    Invoke-BloodHound -SearchForest -CSVFolder C:\Users\Public
    Invoke-BloodHound -CollectionMethod All  -LDAPUser <UserName> -LDAPPass <Password> -OutputDirectory <PathToFile>
    
    # or remotely via BloodHound Python
    # https://github.com/fox-it/BloodHound.py
    pip install bloodhound
    bloodhound-python -d lab.local -u rsmith -p Winter2017 -gc LAB2008DC01.lab.local -c all
    
    # or locally/remotely from an ADExplorer snapshot from SysInternals (ADExplorer remains a legitimate binary signed by Microsoft, avoiding detection with security solutions)
    # https://github.com/c3c/ADExplorerSnapshot.py
    pip3 install --user .
    ADExplorerSnapshot.py <snapshot path> -o <*.json output folder path>
    

     

  • Collect more data for certificates exploitation using Certipy
    certipy find 'corp.local/john:Passw0rd@dc.corp.local' -bloodhound
    certipy find 'corp.local/john:Passw0rd@dc.corp.local' -old-bloodhound
    certipy find 'corp.local/john:Passw0rd@dc.corp.local' -vulnerable -hide-admins -username user@domain -password Password123
    
  • use OPENCYBER-FR/RustHound
    # Windows with GSSAPI session
    rusthound.exe -d domain.local --ldapfqdn domain
    # Windows/Linux simple bind connection username:password
    rusthound.exe -d domain.local -u user@domain.local -p Password123 -o output -z
    # Linux with username:password and ADCS module for @ly4k BloodHound version
    rusthound -d domain.local -u 'user@domain.local' -p 'Password123' -o /tmp/adcs --adcs -z
    

Then import the zip/json files into the Neo4J database and query them.

root@payload$ apt install bloodhound 

# start BloodHound and the database
root@payload$ neo4j console
# or use docker
root@payload$ docker run -itd -p 7687:7687 -p 7474:7474 --env NEO4J_AUTH=neo4j/bloodhound -v $(pwd)/neo4j:/data neo4j:4.4-community

root@payload$ ./bloodhound --no-sandbox
Go to http://127.0.0.1:7474, use db:bolt://localhost:7687, user:neo4J, pass:neo4j

NOTE: Currently BloodHound Community Edition is still a work in progress, it is highly recommended to stay on the original BloodHoundAD/BloodHound version.

git clone https://github.com/SpecterOps/BloodHound
cd examples/docker-compose/
cat docker-compose.yml | docker compose -f - up
# UI: http://localhost:8080/ui/login
# Username: admin
# Password: see your Docker logs

You can add some custom queries like : * Bloodhound-Custom-Queries from @hausec * BloodHoundQueries from CompassSecurity * BloodHound Custom Queries from Exegol – @ShutdownRepo * Certipy BloodHound Custom Queries from ly4k

Replace the customqueries.json file located at /home/username/.config/bloodhound/customqueries.json or C:\Users\USERNAME\AppData\Roaming\BloodHound\customqueries.json.

Using PowerView

  • Get Current Domain: Get-NetDomain
  • Enum Other Domains: Get-NetDomain -Domain <DomainName>
  • Get Domain SID: Get-DomainSID
  • Get Domain Policy:
    Get-DomainPolicy
    
    #Will show us the policy configurations of the Domain about system access or kerberos
    (Get-DomainPolicy)."system access"
    (Get-DomainPolicy)."kerberos policy"
    
  • Get Domain Controlers:
    Get-NetDomainController
    Get-NetDomainController -Domain <DomainName>
    
  • Enumerate Domain Users:
    Get-NetUser
    Get-NetUser -SamAccountName <user> 
    Get-NetUser | select cn
    Get-UserProperty
    
    #Check last password change
    Get-UserProperty -Properties pwdlastset
    
    #Get a specific "string" on a user's attribute
    Find-UserField -SearchField Description -SearchTerm "wtver"
    
    #Enumerate user logged on a machine
    Get-NetLoggedon -ComputerName <ComputerName>
    
    #Enumerate Session Information for a machine
    Get-NetSession -ComputerName <ComputerName>
    
    #Enumerate domain machines of the current/specified domain where specific users are logged into
    Find-DomainUserLocation -Domain <DomainName> | Select-Object UserName, SessionFromName
    
  • Enum Domain Computers:
    Get-NetComputer -FullData
    Get-DomainGroup
    
    #Enumerate Live machines 
    Get-NetComputer -Ping
    
  • Enum Groups and Group Members:
    Get-NetGroupMember -GroupName "<GroupName>" -Domain <DomainName>
    
    #Enumerate the members of a specified group of the domain
    Get-DomainGroup -Identity <GroupName> | Select-Object -ExpandProperty Member
    
    #Returns all GPOs in a domain that modify local group memberships through Restricted Groups or Group Policy Preferences
    Get-DomainGPOLocalGroup | Select-Object GPODisplayName, GroupName
    
  • Enumerate Shares
    #Enumerate Domain Shares
    Find-DomainShare
    
    #Enumerate Domain Shares the current user has access
    Find-DomainShare -CheckShareAccess
    
  • Enum Group Policies:
    Get-NetGPO
    
    # Shows active Policy on specified machine
    Get-NetGPO -ComputerName <Name of the PC>
    Get-NetGPOGroup
    
    #Get users that are part of a Machine's local Admin group
    Find-GPOComputerAdmin -ComputerName <ComputerName>
    
  • Enum OUs:
    Get-NetOU -FullData 
    Get-NetGPO -GPOname <The GUID of the GPO>
    
  • Enum ACLs:
    # Returns the ACLs associated with the specified account
    Get-ObjectAcl -SamAccountName <AccountName> -ResolveGUIDs
    Get-ObjectAcl -ADSprefix 'CN=Administrator, CN=Users' -Verbose
    
    #Search for interesting ACEs
    Invoke-ACLScanner -ResolveGUIDs
    
    #Check the ACLs associated with a specified path (e.g smb share)
    Get-PathAcl -Path "\\Path\Of\A\Share"
    
  • Enum Domain Trust:
    Get-NetDomainTrust
    Get-NetDomainTrust -Domain <DomainName>
    
  • Enum Forest Trust:
    Get-NetForestDomain
    Get-NetForestDomain Forest <ForestName>
    
    #Domains of Forest Enumeration
    Get-NetForestDomain
    Get-NetForestDomain Forest <ForestName>
    
    #Map the Trust of the Forest
    Get-NetForestTrust
    Get-NetDomainTrust -Forest <ForestName>
    
  • User Hunting:
    #Finds all machines on the current domain where the current user has local admin access
    Find-LocalAdminAccess -Verbose
    
    #Find local admins on all machines of the domain:
    Invoke-EnumerateLocalAdmin -Verbose
    
    #Find computers were a Domain Admin OR a specified user has a session
    Invoke-UserHunter
    Invoke-UserHunter -GroupName "RDPUsers"
    Invoke-UserHunter -Stealth
    
    #Confirming admin access:
    Invoke-UserHunter -CheckAccess
    

Using AD Module

  • Get Current Domain: Get-ADDomain
  • Enum Other Domains: Get-ADDomain -Identity <Domain>
  • Get Domain SID: Get-DomainSID
  • Get Domain Controlers:
Get-ADDomainController
Get-ADDomainController -Identity <DomainName>
  • Enumerate Domain Users:
    Get-ADUser -Filter * -Identity <user> -Properties *
    
    #Get a specific "string" on a user's attribute
    Get-ADUser -Filter 'Description -like "*wtver*"' -Properties Description | select Name, Description
    
  • Enum Domain Computers:
    Get-ADComputer -Filter * -Properties *
    Get-ADGroup -Filter * 
    
  • Enum Domain Trust:
    Get-ADTrust -Filter *
    Get-ADTrust -Identity <DomainName>
    
  • Enum Forest Trust:
    Get-ADForest
    Get-ADForest -Identity <ForestName>
    
    #Domains of Forest Enumeration
    (Get-ADForest).Domains
    
  • Enum Local AppLocker Effective Policy:
    Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
    

User Hunting

Sometimes you need to find a machine where a specific user is logged in.
You can remotely query every machines on the network to get a list of the users’s sessions.

  • CrackMapExec
    cme smb 10.10.10.0/24 -u Administrator -p 'P@ssw0rd' --sessions
    SMB         10.10.10.10    445    WIN-8OJFTLMU1IG  [+] Enumerated sessions
    SMB         10.10.10.10    445    WIN-8OJFTLMU1IG  \\10.10.10.10            User:Administrator
    
  • Impacket Smbclient
    $ impacket-smbclient Administrator@10.10.10.10
    # who
    host:  \\10.10.10.10, user: Administrator, active:     1, idle:     0
    
  • PowerView Invoke-UserHunter
    # Find computers were a Domain Admin OR a specified user has a session
    Invoke-UserHunter
    Invoke-UserHunter -GroupName "RDPUsers"
    Invoke-UserHunter -Stealth
    

Other Interesting Commands

  • Find Domain Controllers
    nslookup domain.com
    nslookup -type=srv _ldap._tcp.dc._msdcs.<domain>.com
    nltest /dclist:domain.com
    Get-ADDomainController -filter * | Select-Object name
    gpresult /r
    $Env:LOGONSERVER 
    echo %LOGONSERVER%
    

References

Add a Comment

Votre adresse e-mail ne sera pas publiée. Les champs obligatoires sont indiqués avec *