Without shell access
- Run auxiliary/gather/kerberos_enumusers or kerbrute to enumerate users.
python kerbrute.py -domain thinc.local -users /usr/share/seclists/Usernames/Names/names.txt -dc-ip $victim
With shell access
Choose one method to enumerate.
1. User and group enumeration with net
(!) See what roles/privileges THIS USER has, also locally. Maybe he/she already has administrative privileges.
whoami /all
List (and store!) the users of the domain:
net user /domain
List (and store!) information like full name, group memberships, etc. of a user:
net user $user /domain
List (and store!) the groups of the domain (an * before a group name means that this group contains additional permissions for its users):
net group /domain
List (and store!) members of interesting groups:
net group "IT Department" /domain
1. User and group enumeration with PowerShell
Add this function into a PowerShell session:
function LDAPSearch {
    param (
        [string]$LDAPQuery
    )
    # Bind to the PDC emulator of the current domain and search from the domain root
    $PDC = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().PdcRoleOwner.Name
    $DistinguishedName = ([adsi]'').distinguishedName
    $DirectoryEntry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$PDC/$DistinguishedName")
    $DirectorySearcher = New-Object System.DirectoryServices.DirectorySearcher($DirectoryEntry, $LDAPQuery)
    return $DirectorySearcher.FindAll()
}
Enumerate all users of the domain:
LDAPSearch -LDAPQuery "(samAccountType=805306368)"
Enumerate all groups of the domain (an * before a group name means that this group contains additional permissions for its users):
LDAPSearch -LDAPQuery "(objectclass=group)"
Enumerate all members (which could also be groups!) of groups:
foreach ($group in $(LDAPSearch -LDAPQuery "(objectCategory=group)")) { $group.properties | select {$_.cn}, {$_.member} }
Enumerate all members of a given group:
$group = LDAPSearch -LDAPQuery "(&(objectCategory=group)(cn=Admin Department*))"
$group.properties.member
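Added example (not part of the original notes): the member attribute only lists direct members, so nested groups hide the real membership. This uses the LDAPSearch function from above together with the LDAP_MATCHING_RULE_IN_CHAIN operator to expand a group transitively; it assumes LDAPSearch is already loaded in the session and that a group called "Admin Department" exists, as in the notes above.

```powershell
function ConvertTo-LdapFilterValue {
    param([string]$Value)
    # RFC 4515 escaping, so a cn or DN read from the directory cannot break the filter
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

function Get-TransitiveGroupMembers {
    param([string]$GroupCN)   # e.g. "Admin Department" (group name assumed from the notes above)
    $cn = ConvertTo-LdapFilterValue $GroupCN
    $group = LDAPSearch -LDAPQuery "(&(objectCategory=group)(cn=$cn))" | Select-Object -First 1
    if (-not $group) { throw "Group '$GroupCN' not found" }
    $groupDN = [string]@($group.Properties['distinguishedname'])[0]
    # LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941) makes the DC walk the
    # memberOf chain server-side, so nested groups are expanded in a single query
    $filter = "(memberOf:1.2.840.113556.1.4.1941:=$(ConvertTo-LdapFilterValue $groupDN))"
    foreach ($obj in LDAPSearch -LDAPQuery $filter) {
        $p = $obj.Properties
        # Nested groups are returned as members too; mark them so they stand out
        $type = if (@($p['objectclass']) -contains 'group') { 'group' } else { 'user/computer' }
        [pscustomobject]@{
            Group             = $GroupCN
            Member            = [string]@($p['samaccountname'])[0]
            Type              = $type
            DistinguishedName = [string]@($p['distinguishedname'])[0]
        }
    }
}

# Usage: compare the direct member list with the transitive one; a difference means
# nested groups contribute members that $group.properties.member alone does not show
$direct = @((LDAPSearch -LDAPQuery "(&(objectCategory=group)(cn=Admin Department))" |
             Select-Object -First 1).Properties['member'])
$transitive = @(Get-TransitiveGroupMembers -GroupCN "Admin Department")
"Direct members: $($direct.Count); transitive members: $($transitive.Count)"
$transitive | Format-Table Member, Type, DistinguishedName -AutoSize
```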
Enumerate the objects from interesting groups and their ADRights. Pay attention to objects/users with unusually high rights like GenericAll:
Get-ObjectAcl -Identity "Management Department" |
    Where-Object { $_.ActiveDirectoryRights -eq "GenericAll" } |
    ForEach-Object {
        $sid = $_.SecurityIdentifier
        $right = $_.ActiveDirectoryRights
        # Resolve the SID so the output shows who actually holds the right
        [pscustomobject]@{
            Name  = Convert-SidToName $sid
            SID   = $sid
            Right = $right
        }
    }
1. User and group enumeration with PowerView
See the Powersploit / Powerview blog post
1. Enumeration with ADFind
See AdFind
TODO
2. Network enumeration
List "all" computers in the domain:
. .\PowerView.ps1
Get-NetComputer
Get-NetComputer | select operatingsystem,dnshostname,operatingsystemversion   # Shorter overview
Get more information about a found computer:
Get-NetSession -Verbose -ComputerName $systemName
Find systems where the current user has administrative privileges. PowerView tries to connect to each computer in the domain and open the SCM (Service Control Manager). If that works, we have administrative privileges on that system.
Find-LocalAdminAccess
For interesting computers, check if they have active sessions. Upload PSLoggedon.exe from PSTools. This only works if the Remote Registry service is enabled; it is disabled by default since Windows 8, but admins often enable it.
PSLoggedOn.exe \\$systemName
3. Service enumeration
If you found a service user (e.g. earlier via Get-NetUser | select cn,pwdlastset,lastlogon), you can try to get more information about that service:
- Natively in cmd:
setspn -L iis_service
- With PowerView:
Get-NetUser -SPN | select samaccountname,serviceprincipalname
Enumerate shares:
Find-DomainShare
Afterwards, enumerate the found shares one by one (yes, from PowerShell!):
ls \\dc1.dom.ain\sysvol\dom.ain\
cat \\FILES04\docshare\docs\email.txt
...
Note: If you find an AES-256-encrypted password, e.g. in a policy.xml file, you may be able to decrypt it with gpp-decrypt $pass on Kali.
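Added example, not from the original notes: before reaching for gpp-decrypt, this scans SYSVOL for Group Policy Preference XML files that still carry a cpassword attribute, so stale entries can be reported and removed. It assumes a domain-joined session where $env:USERDNSDOMAIN is set and the current user can read SYSVOL.

```powershell
function Find-GppCpassword {
    param([string]$Domain = $env:USERDNSDOMAIN)   # assumes a domain-joined session
    # Every domain user can read SYSVOL, which is exactly why leftover cpassword values matter
    $policies = "\\$Domain\SYSVOL\$Domain\Policies"
    Get-ChildItem -Path $policies -Recurse -Include *.xml -ErrorAction SilentlyContinue |
      ForEach-Object {
        $file = $_
        try { [xml]$doc = Get-Content -Path $file.FullName -Raw -ErrorAction Stop }
        catch { return }   # unreadable or not well-formed XML: skip this file
        # cpassword is an attribute of <Properties> in Groups.xml, Services.xml,
        # ScheduledTasks.xml, DataSources.xml, Drives.xml and Printers.xml
        foreach ($node in $doc.SelectNodes('//Properties[@cpassword]')) {
            $account = $node.GetAttribute('userName')
            if (-not $account) { $account = $node.GetAttribute('accountName') }
            [pscustomobject]@{
                GpoGuid   = [regex]::Match($file.FullName, '\{[0-9A-Fa-f-]{36}\}').Value
                File      = $file.FullName
                Account   = $account
                HasSecret = -not [string]::IsNullOrEmpty($node.GetAttribute('cpassword'))
            }
        }
      }
}

# Usage: list every GPO that still ships a cpassword so the entry can be removed and the
# account's password rotated; the encrypted value itself is deliberately not printed
Find-GppCpassword | Format-Table GpoGuid, Account, HasSecret, File -AutoSize
```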
4. Step back and connect
Spend some time looking at the information found and try to connect and reorganize it.
5. Enumerate with BloodHound
6. Things to do after the initial enumeration
- Try Password Spraying
- If you have a user/password combination,
- try AS-REP Roasting
- try a Service Account Attack
- If you have high-privilege user credentials, try
N. Helpful PowerShell commands during enumeration
Get the ACEs (Access Control Entries) of an object (user, computer, share, …):
Get-ObjectAcl -Identity $object
Get-ObjectAcl -Identity $object | select ObjectSID,ActiveDirectoryRights,SecurityIdentifier
Convert a SID into a domain object name
Convert-SidToName S-1-5-21-1987370270-658905905-1781884369-1104
Check all AD objects for specific permissions:
# Objects to audit: all users from Active Directory plus the domain object itself. The
# replication rights below are granted on the domain head, so that is where they are
# actually found; user objects are kept in the loop as in the original version.
$objects = @((Get-ADDomain).DistinguishedName) +
           @(Get-ADUser -Filter * | ForEach-Object { $_.DistinguishedName })
# Define the permissions to check for. These are extended rights: an ACE carries
# ActiveDirectoryRights "ExtendedRight" plus an ObjectAceType GUID, and -ResolveGUIDs
# turns that GUID into the schema name used here (the display names are in the comments).
$permissionsToCheck = @(
    "DS-Replication-Get-Changes",                  # Replicating Directory Changes
    "DS-Replication-Get-Changes-All",              # Replicating Directory Changes All
    "DS-Replication-Get-Changes-In-Filtered-Set"   # Replicating Directory Changes in Filtered Set
)
# Loop through each object and retrieve the ACEs that grant replication rights.
# ACEs granting GenericAll or all extended rights imply these too but are not matched here.
$objects | ForEach-Object {
    $objectDN = $_
    Get-ObjectAcl -Identity $objectDN -ResolveGUIDs | Where-Object {
        ($_.ActiveDirectoryRights -match 'ExtendedRight') -and
        ($permissionsToCheck -contains [string]$_.ObjectAceType)
    } | ForEach-Object {
        $sid = $_.SecurityIdentifier
        $rights = $_.ObjectAceType
        $name = Convert-SidToName $sid   # Convert the SID to a human-readable name
        # Output the permissions
        [pscustomobject]@{
            ObjectDN = $objectDN
            SID      = $sid
            Name     = $name
            Rights   = $rights
        }
    }
}
Older notes / links
- Attack Kerberos
- Try to ASREPRoast tickets
- Try a Service Account attack, if there are service user accounts.
Other things, not necessarily connected to AD:
- Try msf> use post/multi/recon/local_exploit_suggester
- Try empire> usemodule privesc/powerup/allchecks