{"id":1297,"date":"2020-04-25T14:10:02","date_gmt":"2020-04-25T12:10:02","guid":{"rendered":"https:\/\/andreas-klingler.de\/infosec\/?p=1297"},"modified":"2025-03-19T10:07:10","modified_gmt":"2025-03-19T09:07:10","slug":"active-directory-checklist","status":"publish","type":"post","link":"https:\/\/infosec.andreas-klingler.de\/?p=1297","title":{"rendered":"Basic Active Directory Enumeration"},"content":{"rendered":"\n<h1 class=\"wp-block-heading\">Without shell access<\/h1>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Run <i>auxiliary\/gather\/kerberos_enumusers <\/i>or ker\u00adbrute to enu\u00admer\u00adate users.\n<pre>python kerbrute.py -domain thinc.local -users \/usr\/share\/seclists\/Usernames\/Names\/names.txt -dc-ip $victim<\/pre>\n<\/li>\n<\/ol>\n\n\n\n<h1 class=\"wp-block-heading\">With shell access<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">Choose one method to enumerate.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">1. User and group enumeration with&nbsp;net<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">(!) See what roles\/privileges <span class=\"caps\">THIS<\/span> <span class=\"caps\">USER<\/span> has. Also localy. Maybe he\/she has already admin\u00adis\u00adtra\u00adtive privileges.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">whoami \/all<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">List (and store!) the users of the domain<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">net user \/domain<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">List (and store!) infor\u00adma\u00adtion like full names, group mem\u00adber\u00adships, etc. from&nbsp;users:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">net user $user \/domain<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">List (and store!) the groups of the domain  (<a href=\"https:\/\/docs.microsoft.com\/en-us\/previous-versions\/windows\/it-pro\/windows-server-2012-r2-and-2012\/cc754051(v%3Dws.11)\">An * before groups means, that this group con\u00adtains addi\u00adtion\u00adal per\u00admis\u00adsions for the users.<\/a>)<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">net group \/domain<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">List (and store!) mem\u00adbers of inter\u00adest\u00ading groups:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">net group \"IT Department\" \/domain<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">1. User and group enumeration with PowerShell<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Add this func\u00adtion into a Pow\u00ader\u00adShell session:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"powershell\" data-enlighter-theme data-enlighter-highlight data-enlighter-linenumbers data-enlighter-lineoffset data-enlighter-title data-enlighter-group>function LDAPSearch {\n    param (\n        [string]$LDAPQuery\n    )\n    $PDC = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().PdcRoleOwner.Name\n    $DistinguishedName = ([adsi]'').distinguishedName\n    $DirectoryEntry = New-Object System.DirectoryServices.DirectoryEntry(\"LDAP:\/\/$PDC\/$DistinguishedName\")\n    $DirectorySearcher = New-Object System.DirectoryServices.DirectorySearcher($DirectoryEntry, $LDAPQuery)\n    return $DirectorySearcher.FindAll()\n}<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Enu\u00admer\u00adate all users of the domain<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">LDAPSearch -LDAPQuery \"(samAccountType=805306368)\"<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Enu\u00admer\u00adate all groups of the domain  (<a href=\"https:\/\/docs.microsoft.com\/en-us\/previous-versions\/windows\/it-pro\/windows-server-2012-r2-and-2012\/cc754051(v%3Dws.11)\">An * before groups means, that this group con\u00adtains addi\u00adtion\u00adal per\u00admis\u00adsions for the users.<\/a>)<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">LDAPSearch -LDAPQuery \"(objectclass=group)\"<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Enu\u00admer\u00adate all mem\u00adbers (which could also be groups!) of groups:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">foreach ($group in $(LDAPSearch -LDAPQuery \"(objectCategory=group)\")) { $group.properties | select {$_.cn}, {$_.member} }<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Enu\u00admer\u00adate all mem\u00adbers of a giv\u00aden&nbsp;group:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">$group = LDAPSearch -LDAPQuery \"(&amp;(objectCategory=group)(cn=Admin Department*))\"<br>$group.properties.member<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Enu\u00admer\u00adate the objects from inter\u00adest\u00ading groups and their <a href=\"https:\/\/learn.microsoft.com\/en-us\/windows\/win32\/secauthz\/access-rights-and-access-masks\">ADRights<\/a>. Pay atten\u00adtion to objects\/users with unusu\u00adal high rights like GenericAll<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"powershell\" data-enlighter-theme data-enlighter-highlight data-enlighter-linenumbers data-enlighter-lineoffset data-enlighter-title data-enlighter-group>Get-ObjectAcl -Identity \"Management Department\" |\nWhere-Object { $_.ActiveDirectoryRights -eq \"GenericAll\" } |\nForEach-Object {\n$sid = $_.SecurityIdentifier\n$right = $_.ActiveDirectoryRights\n[pscustomobject]@{\nName = Convert-SidToName $sid\nSID = $sid\nRight = $right\n}\n}<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">1. User and group enumeration with PowerView<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/andreas-klingler.de\/infosec\/?p=1284\" data-type=\"post\" data-id=\"1284\">See the Pow\u00ader\u00adsploit \/ Pow\u00aderview blog&nbsp;post<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">1. Enumeration with ADFind<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">See <a href=\"https:\/\/www.joeware.net\/freetools\/tools\/adfind\/\">AdFind<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><span class=\"caps\">TODO<\/span><\/p>\n\n\n\n<h1 class=\"wp-block-heading\">2. Network enumeration<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">List \u201call\u201d com\u00adput\u00ader in the domain:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">. .\\PowerView.ps1<br>Get-NetComputer<br>Get-NetComputer | select operatingsystem,dnshostname,operatingsystemversion \/\/ Shorter overview<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Get more infor\u00adma\u00adtion about a found computer:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">Get-NetSession -Verbose -ComputerName $systemName<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Find sys\u00adtems where the cur\u00adrent user has admin\u00adis\u00adtra\u00adtive priv\u00adi\u00adleges. Pow\u00aderView tries to con\u00adnect to each group com\u00adput\u00ader and open the <span class=\"caps\">SCM<\/span> Ser\u00advice Con\u00adtrol Man\u00adag\u00ader. If that worked, we have some admin\u00adis\u00adtra\u00adtive priv\u00adi\u00adleges on that system.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">Find-LocalAdminAccess<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">For inter\u00adest\u00ading com\u00adput\u00aders, check if they have active ses\u00adsions. Upload PSLoggedon.exe from <a href=\"https:\/\/learn.microsoft.com\/de-de\/sysinternals\/downloads\/pstools\">PSTools<\/a>. This only works if the Remote Reg\u00adistry ser\u00advice is enabled, which is not the case since Win\u00addows 8, but is often acti\u00advat\u00aded by admins.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">PSLoggedOn.exe \\\\$sysemName<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">3. Service enumeration<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">If you found a ser\u00advice user (e.g. before in <code>Get-NetUser | select cn,pwdlastset,lastlogon<\/code>), you can try to get more infor\u00adma\u00adtion about that service:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Native\u00adly in cmd:<br><code>setspn -L iis_service<\/code><\/li>\n\n\n\n<li>With Pow\u00aderView:<br><code>Get-NetUser -SPN | select samaccountname,serviceprincipalname<\/code><\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Enu\u00admer\u00adate shares:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">Find-DomainShare<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">After\u00adwards, enu\u00admer\u00adate the found shares one by one with (yes, from Powershell!)<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">ls \\\\dc1.dom.ain\\sysvol\\dom.ain\\<br>cat \\\\FILES04\\docshare\\docs\\email.txt<br>...<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\"><em>Note<\/em>: If you find a <span class=\"caps\">AES-256<\/span> pass\u00adword, e.g. in a policy.xml file, you may be decrypt it with <code>gpp-decrypt $pass<\/code> on&nbsp;Kali.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">4. Step back and connect<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Stare some time to the found infor\u00adma\u00adtion and try to con\u00adnect \/ reor\u00adga\u00adnize&nbsp;them.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">5. Enumerate with BloodHound<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/andreas-klingler.de\/infosec\/?p=1307\" data-type=\"post\" data-id=\"1307\">See the Blood\u00adHound&nbsp;post<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">6. Things to do after the initial enumeration<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Try <a href=\"https:\/\/andreas-klingler.de\/infosec\/?p=1923\" data-type=\"post\" data-id=\"1923\">Pass\u00adword Spraying<\/a><\/li>\n\n\n\n<li>If you have a user\/password combination,&nbsp;<ul class=\"wp-block-list\">\n<li>try <a href=\"https:\/\/andreas-klingler.de\/infosec\/?p=641\" data-type=\"post\" data-id=\"641\"><span class=\"caps\">AS-REP<\/span> Roast\u00ading<\/a><\/li>\n\n\n\n<li>try a <a href=\"https:\/\/andreas-klingler.de\/infosec\/?p=641\" data-type=\"post\" data-id=\"641\">Ser\u00advice Account Attack<\/a><\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>If you have high-priv\u00adi\u00adlege user cre\u00adden\u00adtials, try&nbsp;<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/andreas-klingler.de\/infosec\/?p=4333\" data-type=\"post\" data-id=\"4333\">Domain Con\u00adtroller Syn\u00adchro\u00adniza\u00adtion techniques<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/andreas-klingler.de\/infosec\/?p=641\" data-type=\"post\" data-id=\"641\">Sil\u00adver tick\u00adet attack<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/andreas-klingler.de\/infosec\/?p=641\" data-type=\"post\" data-id=\"641\">Gold\u00aden tick\u00adet attack<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/andreas-klingler.de\/infosec\/?p=761\" data-type=\"post\" data-id=\"761\">Extract Shad\u00adow Copies<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">N. Helpful PowerShell commands during enumeration<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Get <span class=\"caps\">ACE<\/span> Access Con\u00adtrol Entries from an object (sub\u00adject, com\u00adput\u00ader,&nbsp;share,&nbsp;\u2026)<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">Get-ObjectAcl -Identity $object<br>Get-ObjectAcl -Identity $object | select ObjectSID,ActiveDirectoryRights,SecurityIdentifier<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Con\u00advert a <span class=\"caps\">SID<\/span> into a domain object name<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">Convert-SidToName S-1-5-21-1987370270-658905905-1781884369-1104<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Check all <span class=\"caps\">AD<\/span> objects for spe\u00adcif\u00adic permissions:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"powershell\" data-enlighter-theme data-enlighter-highlight data-enlighter-linenumbers data-enlighter-lineoffset data-enlighter-title data-enlighter-group># Get all users from Active Directory\n$users = Get-ADUser -Filter * | ForEach-Object {\n    $_.DistinguishedName\n}\n\n# Define the permissions to check for\n$permissionsToCheck = @(\n    \"Replicating Directory Changes\",\n    \"Replicating Directory Changes All\",\n    \"Replicating Directory Changes in Filtered Set\"\n)\n\n# Loop through each user and retrieve their ACLs and permissions\n$users | ForEach-Object {\n    $userDN = $_\n\n    # Get the ACL for the user object and filter for replication-related permissions\n    Get-ObjectAcl -Identity $userDN | Where-Object {\n        $permissionsToCheck -contains $_.ActiveDirectoryRights.ToString()\n    } | ForEach-Object {\n        $sid = $_.SecurityIdentifier\n        $rights = $_.ActiveDirectoryRights\n        $name = Convert-SidToName $sid  # Convert the SID to a human-readable name\n\n        # Output the permissions\n        [pscustomobject]@{\n            UserDN = $userDN\n            SID = $sid\n            Name = $name  # Add the converted name\n            Rights = $rights\n        }\n    }\n}<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Older notes \/&nbsp;links<\/h2>\n\n\n\n<ol class=\"wp-block-list\">\n<li><\/li>\n\n\n\n<li>Attack Ker\u00adberos\n<ol class=\"wp-block-list\">\n<li><a href=\"https:\/\/andreas-klingler.de\/infosec\/?p=641\">Try to ASRE\u00adPRoast tickets<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/andreas-klingler.de\/infosec\/?p=641\">Try a Ser\u00advice Account attack<\/a>, if there are ser\u00advice user accounts.<\/li>\n<\/ol>\n<\/li>\n<\/ol>\n\n\n\n<p class=\"wp-block-paragraph\">Oth\u00ader things, not nec\u00adces\u00adsar\u00adly con\u00adnect\u00aded to&nbsp;<span class=\"caps\">AD<\/span>:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Try msf&gt; use post\/multi\/recon\/local_exploit_suggester<\/li>\n\n\n\n<li>Try empire&gt; use\u00admod\u00adule privesc\/powerup\/allchecks<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>With\u00adout shell access With shell access Choose one method to enu\u00admer\u00adate. 1. User and group enu\u00admer\u00ada\u00adtion with&nbsp;net (!) See what roles\/privileges <span class=\"caps\">THIS<\/span> <span class=\"caps\">USER<\/span> has. Also localy. Maybe he\/she has already admin\u00adis\u00adtra\u00adtive priv\u00adi\u00adleges. whoa\u00admi \/all List (and store!) the users of the domain net user \/domain List (and store!) infor\u00adma\u00adtion like full names, group mem\u00adber\u00adships, etc.&nbsp;[\u2026]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"wp_typography_post_enhancements_disabled":false,"footnotes":""},"categories":[470,471],"tags":[194,37,24],"class_list":["post-1297","post","type-post","status-publish","format-standard","hentry","category-active-enum","category-privesc","tag-active-directory","tag-checklist","tag-windows"],"_links":{"self":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/1297","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1297"}],"version-history":[{"count":35,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/1297\/revisions"}],"predecessor-version":[{"id":4671,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/1297\/revisions\/4671"}],"wp:attachment":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1297"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1297"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1297"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}