Owlglass

Pentest - Active Directory

Active Directory Enumeration

Legacy Windows Tools

Use net.exe to gather user information

net user /domain

A more detailed view of one of the users listed above (password age, last logon, group memberships):

net user <username> /domain

Enumerate groups:

net group /domain

Specifying a group:

net group <groupname> /domain
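The net.exe commands above print fixed-width text, which is awkward to filter once a domain has a few hundred groups. The following is an added example (not code from the original page) that parses that text into objects and answers "who is in every group" with the legacy tool alone. It assumes the English output format (the dashed separator line and the closing "The command completed" status line); every group and member name it reports is whatever net.exe returns.

```powershell
# Parse the body of a 'net user /domain', 'net group /domain' or 'net group <name> /domain' listing.
# Assumption: English net.exe output, where the data sits between a line of dashes and the
# "The command completed successfully." trailer.
function ConvertFrom-NetList {
    param([Parameter(ValueFromPipeline)][string[]]$Lines)
    begin { $inBody = $false }
    process {
        foreach ($line in $Lines) {
            if ($line -match '^-{20,}\s*$')          { $inBody = $true;  continue }  # dashed separator
            if ($line -match '^The command completed') { $inBody = $false; continue }  # trailer
            if (-not $inBody -or -not $line.Trim())  { continue }
            if ($line.StartsWith('*')) {
                # 'net group /domain' lists one group per line, prefixed with an asterisk
                $line.TrimStart('*').Trim()
            } else {
                # user and member listings use three 25-character columns; slice by width rather
                # than splitting on spaces so a name that fills its column is still read correctly
                for ($i = 0; $i -lt $line.Length; $i += 25) {
                    $name = $line.Substring($i, [Math]::Min(25, $line.Length - $i)).Trim()
                    if ($name) { $name }
                }
            }
        }
    }
}

# One object per global group with its direct members, exactly as net.exe reports them.
function Get-NetGroupMembership {
    $groups = net group /domain | ConvertFrom-NetList
    foreach ($g in $groups) {
        $members = @(net group "$g" /domain | ConvertFrom-NetList)
        [pscustomobject]@{ Group = $g; Count = $members.Count; Members = ($members -join ', ') }
    }
}

# Usage: largest groups first; anything with "admin" in the name deserves a second look
Get-NetGroupMembership | Sort-Object Count -Descending | Format-Table -AutoSize -Wrap
```

Note that `net group` only lists global groups; domain local groups (including the built-in Administrators group on the DC) need `net localgroup /domain`, and `net group` never expands nested membership.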

PowerShell and .NET

When the RSAT tools aren't available, we can use the Active Directory Service Interfaces (ADSI), a set of COM interfaces that expose the directory through several providers, the relevant one here being LDAP. The LDAP ADsPath we bind to follows this recipe:

LDAP://HostName[:PortNumber][/DistinguishedName]

We could use the domain name as the hostname, but that resolves to whichever DC the locator returns, and because replication is not instantaneous that DC may lag slightly behind. For the most current information we target the DC holding the PDC emulator role; .NET exposes its name through the PdcRoleOwner property of the Domain object.

Looking to .NET, we have the namespace System.DirectoryServices.ActiveDirectory, and specifically the Domain class therein. The static method of interest is:

[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

which returns a Domain object carrying the PdcRoleOwner property, among others. We can use ADSI directly in PowerShell to retrieve the DN: the [adsi] type accelerator given an empty ADsPath (two single quotes) binds to the default naming context, i.e. the root of the current domain, whose distinguishedName is the DN we need.

([adsi]'').distinguishedName

Putting it together, we can obtain the LDAP string:

$PDC = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().PdcRoleOwner.Name
$DN = ([adsi]'').distinguishedName
$LDAP = "LDAP://$PDC/$DN"
$LDAP

To gather information we use two other classes from the System.DirectoryServices namespace: DirectoryEntry and DirectorySearcher. We pass the LDAP path to DirectoryEntry so that the search starts at the top of the directory hierarchy, and to run queries we hand that DirectoryEntry object to DirectorySearcher as its SearchRoot.

$direntry = New-Object System.DirectoryServices.DirectoryEntry($LDAP)
$dirsearcher = New-Object System.DirectoryServices.DirectorySearcher($direntry)
$dirsearcher.filter="(samAccountType=805306368)"
$result = $dirsearcher.FindAll()
$result

where the filter on samAccountType=805306368 (0x30000000, SAM_NORMAL_USER_ACCOUNT) restricts the results to user objects. Iterate through each result's properties and print them:

Foreach($obj in $result)
{
    Foreach($prop in $obj.Properties)
    {
        $prop
    }

    Write-Host "-------------------------------"
}

Wrap all of the above into a function:

function LDAPSearch {
    param (
        [string]$LDAPQuery
    )

    $PDC = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().PdcRoleOwner.Name
    $DistinguishedName = ([adsi]'').distinguishedName

    $DirectoryEntry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$PDC/$DistinguishedName")

    $DirectorySearcher = New-Object System.DirectoryServices.DirectorySearcher($DirectoryEntry, $LDAPQuery)

    return $DirectorySearcher.FindAll()

}

After importing the function we can run, for example, LDAPSearch -LDAPQuery "(samAccountType=805306368)" for users, or LDAPSearch -LDAPQuery "(objectclass=group)" for groups. Any LDAP filter works here, so the same helper can pull computers, OUs, or accounts with particular attributes set.
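The page's LDAPSearch function returns raw objects; the next step a practitioner usually wants is to expand group membership, and the `member` attribute only lists direct members. The following is an added example (not code from the original page) that reuses the same PDC-and-DN discovery and adds two queries: a group's direct members, and its effective user membership resolved server-side with the LDAP_MATCHING_RULE_IN_CHAIN matching rule (OID 1.2.840.113556.1.4.1941), so users reached through nested groups are included. The function and variable names are mine; the group name in the usage line is a placeholder.

```powershell
# Added example: PDC-rooted searcher with paging and property selection.
function New-DomainSearcher {
    param([string]$Filter, [string[]]$Properties)
    $pdc  = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().PdcRoleOwner.Name
    $dn   = ([adsi]'').distinguishedName
    $root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$pdc/$dn")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $Filter)
    $searcher.PageSize = 1000   # paged results, otherwise the server caps a query at 1000 objects
    foreach ($p in $Properties) { [void]$searcher.PropertiesToLoad.Add($p) }
    return $searcher
}

# RFC 4515 escaping so a caller-supplied name cannot change the structure of the filter.
function ConvertTo-LdapFilterLiteral([string]$Value) {
    $Value -replace '\\','\5c' -replace '\*','\2a' -replace '\(','\28' -replace '\)','\29' -replace "`0",'\00'
}

function Get-GroupObject([string]$GroupName) {
    $cn = ConvertTo-LdapFilterLiteral $GroupName
    $s  = New-DomainSearcher -Filter "(&(objectCategory=group)(cn=$cn))" -Properties 'distinguishedname','member'
    $g  = $s.FindOne()
    if (-not $g) { throw "Group '$GroupName' not found" }
    return $g
}

# Direct members only: the DNs stored in the group's 'member' attribute. Nested groups are
# returned as group DNs, not expanded. (Groups with >1500 members need ranged retrieval.)
function Get-GroupDirectMembers([string]$GroupName) {
    $g = Get-GroupObject $GroupName
    return @($g.Properties['member'])
}

# Effective membership: every user object whose memberOf chain reaches the group. The DC walks
# the chain itself because of the 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN) rule.
function Get-GroupEffectiveUsers([string]$GroupName) {
    $g = Get-GroupObject $GroupName
    $groupDn = ConvertTo-LdapFilterLiteral ([string]$g.Properties['distinguishedname'][0])
    $filter  = "(&(samAccountType=805306368)(memberOf:1.2.840.113556.1.4.1941:=$groupDn))"
    $u = New-DomainSearcher -Filter $filter -Properties 'samaccountname'
    return @($u.FindAll() | ForEach-Object { [string]$_.Properties['samaccountname'][0] })
}

# Usage (group name is a placeholder): compare the two views side by side
"Direct members of Domain Admins:"
Get-GroupDirectMembers 'Domain Admins'
"Effective user members of Domain Admins (nesting resolved):"
Get-GroupEffectiveUsers 'Domain Admins'
```

The gap between the two lists is where privilege usually hides: a user who is not a direct member of Domain Admins but is a member of a group that is. The recursive query costs the DC more work than a plain lookup, so keep it for the handful of groups that matter rather than running it for every group in the domain.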

Permissions and Sessions

PowerView: Find-LocalAdminAccess

Determines whether the current user has local administrator access on domain machines. It calls OpenSCManagerW against each target, asking for a full-access handle (SC_MANAGER_ALL_ACCESS) to the remote Service Control Manager (SCM); the SCM only grants that to local administrators, so a successful open means admin rights without having to execute anything on the host.
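The SCM probe described above, as an added example that is neither code from the original page nor PowerView's own implementation. It P/Invokes OpenSCManagerW directly and, unlike a bare "admin / not admin" result, separates "access denied" from "host unreachable", which is the distinction you need when a sweep of a subnet comes back almost empty. The host names in the usage line are constructed placeholders.

```powershell
# Added example: reproduce the Find-LocalAdminAccess probe with a direct P/Invoke.
# Add-Type -MemberDefinition supplies 'using System' and 'using System.Runtime.InteropServices'.
Add-Type -Namespace Probe -Name Scm -MemberDefinition @'
[DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern IntPtr OpenSCManagerW(string lpMachineName, string lpDatabaseName, uint dwDesiredAccess);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool CloseServiceHandle(IntPtr hSCObject);
'@

function Test-ScmAdminAccess {
    param([Parameter(Mandatory)][string]$ComputerName)
    $SC_MANAGER_ALL_ACCESS = 0xF003F     # only local Administrators get a handle with all rights
    $h   = [Probe.Scm]::OpenSCManagerW("\\$ComputerName", 'ServicesActive', $SC_MANAGER_ALL_ACCESS)
    # Read the Win32 error immediately, before any other call can overwrite it
    $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
    if ($h -ne [IntPtr]::Zero) {
        [void][Probe.Scm]::CloseServiceHandle($h)
        return [pscustomobject]@{ Computer = $ComputerName; Admin = $true; Note = 'SCM handle granted' }
    }
    # A failed open is not always "not admin": tell the reasons apart
    $note = switch ($err) {
        5       { 'ERROR_ACCESS_DENIED: host reachable, current user is not a local admin' }
        1722    { 'RPC_S_SERVER_UNAVAILABLE: host down or SMB/RPC blocked' }
        53      { 'ERROR_BAD_NETPATH: name did not resolve' }
        default { "Win32 error $err" }
    }
    [pscustomobject]@{ Computer = $ComputerName; Admin = $false; Note = $note }
}

# Usage with placeholder hosts; in practice feed it computer names from an LDAP query
# such as (objectCategory=computer).
'ws01', 'ws02', 'dc01' | ForEach-Object { Test-ScmAdminAccess -ComputerName $_ } | Format-Table -AutoSize
```

Each probe is a single RPC call over SMB, so it is quiet compared with attempting a logon, but it still shows up as a network logon from the probing host on every target, which a defender correlating 4624 events across many machines can spot.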

PowerView: Get-NetSession

Determines which users are logged into which machines. It uses two Windows APIs: NetWkstaUserEnum, which requires administrative privileges on the target, and NetSessionEnum, which historically did not. Note that since Windows 10 1709 and Windows Server 2019 the default permissions on NetSessionEnum (the SrvsvcSessionInfo registry value) no longer allow Authenticated Users to query it, so on patched, default-configured targets Get-NetSession returns nothing for a plain domain user.

SysInternals: PsLoggedon

Shows who is logged on locally and via resource shares. It combines NetSessionEnum with remote registry reads of HKEY_USERS, so the remote target needs the Remote Registry service running for the local logon part to work.

Service Accounts

Enumerate Service Principal Names (SPNs) to find user accounts that run services; their TGS tickets can be requested by any domain user and cracked offline (Kerberoasting):

PowerView: Get-NetUser -SPN | select samaccountname,serviceprincipalname
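SPN enumeration and its AS-REP counterpart are both just LDAP filters, so they fit the ADSI approach from the PowerShell and .NET section above without PowerView. The following is an added example (not code from the original page) that uses the [adsisearcher] type accelerator, which binds to the default naming context on whatever DC the locator returns; substitute the page's PDC-based DirectoryEntry as the SearchRoot if you want the most current data. It finds Kerberoastable accounts (users with an SPN) and AS-REP roastable accounts (DONT_REQ_PREAUTH set), excludes disabled accounts and krbtgt, and shows password age and adminCount so the candidates can be prioritised. Function and property names are mine.

```powershell
# Added example: Kerberoast and AS-REP roast candidates via plain LDAP filters.
function Find-RoastableAccounts {
    # 1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND: the DC tests the userAccountControl bit.
    # 0x2 = ACCOUNTDISABLE, 0x400000 (4194304) = DONT_REQ_PREAUTH.
    $notDisabled = '(!(userAccountControl:1.2.840.113556.1.4.803:=2))'
    $spnFilter   = "(&(samAccountType=805306368)(servicePrincipalName=*)(!(samAccountName=krbtgt))$notDisabled)"
    $asrepFilter = "(&(samAccountType=805306368)(userAccountControl:1.2.840.113556.1.4.803:=4194304)$notDisabled)"

    foreach ($pair in @(@('Kerberoast', $spnFilter), @('AS-REP', $asrepFilter))) {
        $kind, $filter = $pair
        $s = [adsisearcher]$filter
        $s.PageSize = 1000
        $s.PropertiesToLoad.AddRange([string[]]@('samaccountname','serviceprincipalname','pwdlastset','admincount','memberof'))
        foreach ($r in $s.FindAll()) {
            $p = $r.Properties

            # pwdLastSet is a FILETIME (100 ns ticks since 1601); 0 means the password was never set
            $pwdLastSet = $null
            $pls = $p['pwdlastset']
            if ($pls.Count -gt 0 -and [int64]$pls[0] -gt 0) { $pwdLastSet = [DateTime]::FromFileTimeUtc([int64]$pls[0]) }

            # adminCount=1 marks accounts protected by AdminSDHolder, i.e. (formerly) privileged ones
            $adminCount = 0
            if ($p['admincount'].Count -gt 0) { $adminCount = [int]$p['admincount'][0] }

            [pscustomobject]@{
                Attack     = $kind
                Account    = [string]$p['samaccountname'][0]
                SPNs       = (@($p['serviceprincipalname']) -join ';')
                PwdLastSet = $pwdLastSet
                AdminCount = $adminCount
                MemberOf   = (@($p['memberof']) -join ';')
            }
        }
    }
}

# Usage: oldest passwords first, since they are the ones most likely to crack
Find-RoastableAccounts | Sort-Object Attack, PwdLastSet | Format-Table Attack, Account, PwdLastSet, AdminCount, SPNs -AutoSize
```

The two filters return candidates, not tickets: requesting the TGS or AS-REP for each account is a separate step (Rubeus, Impacket's GetUserSPNs.py / GetNPUsers.py) and is what generates the Kerberos events a detection team watches for, so enumerate first and request only for the accounts that are worth the noise.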

Object Permissions

PowerView: Get-ObjectAcl

  • Check the ActiveDirectoryRights and SecurityIdentifier attributes of each ACE; the rights worth chasing are GenericAll, GenericWrite, WriteOwner and WriteDACL, plus extended rights such as User-Force-Change-Password and the DS-Replication-Get-Changes pair that enables DCSync
  • Dealing with SIDs: Convert-SidToName
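The same ACL review can be done without PowerView through the DirectoryEntry.ObjectSecurity property, which returns the object's DACL as ActiveDirectoryAccessRule entries. The following is an added example (not the page's code and not PowerView's Get-ObjectAcl): it reads one object's DACL, keeps only ACEs granting control-type rights, translates the trustee SID to a name where it can, drops the well-known principals that appear on every object, and labels the extended-right and attribute GUIDs that matter to an attacker. The variable and function names are mine and the DN in the usage line is a placeholder.

```powershell
# Added example: interesting ACEs on one AD object via .NET, with SID-to-name resolution.
$ControlRights = 'GenericAll','GenericWrite','WriteDacl','WriteOwner','WriteProperty','ExtendedRight','Self'

# Control access rights / schema attribute GUIDs from MS-ADTS and the AD schema
$KnownGuids = @{
    '00000000-0000-0000-0000-000000000000' = 'All'
    '00299570-246d-11d0-a768-00aa006e0529' = 'User-Force-Change-Password'
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    'bf9679c0-0de6-11d0-a285-00aa003049e2' = 'member (write = add yourself to the group)'
    'f3a64788-5306-11d1-a9c5-0000f80367c1' = 'servicePrincipalName (write = targeted Kerberoast)'
    '5b47d60f-6090-40b2-9f37-2a4de88f3063' = 'msDS-KeyCredentialLink (write = shadow credentials)'
}

# Principals that legitimately hold full control on almost every object; filtered as noise
$NoiseSids = 'S-1-5-18', 'S-1-5-10', 'S-1-3-0', 'S-1-5-32-544'   # SYSTEM, SELF, CREATOR OWNER, Administrators

function Get-InterestingAces {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $entry = [adsi]"LDAP://$DistinguishedName"
    # GetAccessRules(includeExplicit, includeInherited, targetType); ask for SIDs so we control translation
    $rules = $entry.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights = $ace.ActiveDirectoryRights.ToString() -split ', '
        if (-not ($rights | Where-Object { $ControlRights -contains $_ })) { continue }

        $sid = $ace.IdentityReference
        if ($NoiseSids -contains $sid.Value) { continue }

        # SID -> DOMAIN\name; unresolvable SIDs (deleted accounts, foreign domains) stay as SIDs
        $who = $sid.Value
        try { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { }

        $guid = $ace.ObjectType.ToString()
        $appliesTo = $guid
        if ($KnownGuids.ContainsKey($guid)) { $appliesTo = $KnownGuids[$guid] }

        [pscustomobject]@{
            Object    = $DistinguishedName
            Trustee   = $who
            Rights    = $ace.ActiveDirectoryRights
            AppliesTo = $appliesTo
            Inherited = $ace.IsInherited
        }
    }
}

# Usage (placeholder DN): who can control the Domain Admins group?
Get-InterestingAces -DistinguishedName 'CN=Domain Admins,CN=Users,DC=corp,DC=local' | Format-Table -AutoSize
```

Run it against the domain head object as well: a trustee with DS-Replication-Get-Changes and DS-Replication-Get-Changes-All there can DCSync, and that combination is easy to miss when only group membership is reviewed.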

Bloodhound

Active Directory Authentication

NTLM Authentication

Kerberos Authentication

Cached AD Credentials

Mimikatz

Attacking Active Directory

Kerbrute Enumeration

Privileges: No domain access required

Pass the Ticket (PtT) Attack

Privileges: Domain user access, plus a Kerberos ticket extracted from a session on a machine where you already have local admin (for example with Mimikatz)

Kerberoasting

Privileges: Access as any authenticated domain user (needed to request TGS tickets for the SPNs found above)

AS-REP Roasting

Privileges: Access as any domain user, or none at all given a list of candidate usernames; the target account must have Kerberos pre-authentication disabled (DONT_REQ_PREAUTH)

Golden Ticket

Privileges: Full domain compromise (domain admin), specifically the krbtgt account's NTLM hash or AES key

Silver Ticket

Privileges: Service hash, i.e. the NTLM hash (or AES key) of the service or computer account that the target SPN runs under

Skeleton Key

Privileges: Full domain compromise (domain admin)
