Active Directory Enumeration Part-1

INTRODUCTION

In this blog post, we will manually enumerate data from the current domain, from other (child/sister) domains, from the forest and across external trusts, while building a basic understanding of the Active Directory infrastructure.

All of this enumeration can also be done with BloodHound (an excellent tool for mapping an Active Directory environment). However, we need at least a surface-level understanding of how things work in AD before proceeding to further exploitation and lateral movement.

High-level understanding of Active Directory:

(Figure: Understanding the AD Environment)

DOMAIN TRUST

We need to understand domain trusts, since we will be enumerating data from other domains.

Trust Direction

  • Uni-directional

  • Bi-Directional

Unidirectional (One-way trust): Users in the trusted domain can access resources in the trusting domain, but not vice versa.

Bi-directional (Two-way trust): Users of both domains can access resources from each other.

Trust Transitivity

  • Transitive

  • Non-transitive

Transitive - Can be extended to establish a trust relationship with other domains.

  • All the default intra-forest trust relationships (Tree-root, Parent-Child) between domains within the same forest are transitive two-way trusts.

Non-transitive - cannot be extended to other domains in the forest. Can be two-way or one-way.

  • This is the default trust (called an external trust) between two domains in different forests when the forests themselves do not have a trust relationship.

Enumeration Topics:

  • Current Domain

  • Sister/child Domain

  • Forest

From each of the scopes above we will enumerate the following data:

  • Users

  • Computers

  • Groups

  • Group Membership of users

  • ACLs

  • Logged-on Users

  • Domain Administrators

  • Enterprise Administrators

  • Network Shares

  • OUs

  • GPOs

  • Applied ACLs for the user group

  • Domain Trust Mapping

  • Forest Mapping

  • Local Admin Access

Tools Used

  • PowerView

  • ADModule

CHALLENGE

Before enumerating data from other domains we need to understand the trust between the current domain (the domain the current laptop is joined to) and the other domains.

I want you to analyze which kind of trust and connectivity should be established to enumerate data from other domains.

ENUMERATION STEPS & COMMANDS

The enumeration is divided into multiple parts:

Part-1:

  • Trust Enumeration

  • Domain Enumeration

  • Forest Enumeration

  • Domain Controllers

Trust Enumeration

Domain trusts for the current & other domain

Get-NetDomainTrust (PowerView)
Get-NetDomainTrust -Domain <other domain> (PowerView)
Get-ADTrust -Filter * (ADModule)
Get-ADTrust -Identity <other domain> (ADModule)

Forest Trust Enumeration

Get-NetForestTrust (PowerView)
Get-ADTrust -Filter 'msDS-TrustForestTrustInfo -ne "$null"' (ADModule)
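Putting the trust concepts together with the commands above, here is an added example (not code from the original post, PowerView or ADModule) that runs the ADModule's Get-ADTrust and labels every trust with the direction and transitivity categories described earlier; the function name Get-TrustSummary and the domain name other.local are assumptions.

```powershell
# Added example: summarise the trusts of a domain by direction, kind and transitivity.
# Assumes the ADModule (ActiveDirectory) is loaded and the host can reach a DC over LDAP.
Import-Module ActiveDirectory

function Get-TrustSummary {
    [CmdletBinding()]
    param(
        # Domain whose trusts to list; defaults to the current domain.
        [string]$Domain
    )
    $query = @{ Filter = '*' }
    if ($Domain) { $query['Server'] = $Domain }

    Get-ADTrust @query | ForEach-Object {
        # Kind follows the post's categories: intra-forest (tree-root / parent-child),
        # forest trust, or external trust between forests that have no forest trust.
        $kind = if ($_.IntraForest) { 'Intra-forest' }
                elseif ($_.ForestTransitive) { 'Forest' }
                else { 'External' }

        # Intra-forest and forest trusts are transitive, external trusts are not.
        # DisallowTransivity (Microsoft's own spelling) switches transitivity off explicitly.
        $transitive = ($_.IntraForest -or $_.ForestTransitive) -and -not $_.DisallowTransivity

        # Direction is reported from the queried domain's point of view:
        # Inbound  = the other domain trusts this one, so accounts from here can
        #            authenticate there (and therefore enumerate it);
        # Outbound = this domain trusts the other one (the reverse).
        $reachable = $_.Direction -in 'Inbound', 'BiDirectional'

        [pscustomobject]@{
            Target             = $_.Target
            Direction          = $_.Direction
            Kind               = $kind
            Transitive         = $transitive
            SidFiltering       = $_.SIDFilteringQuarantined   # quarantine on external trusts
            EnumerableFromHere = $reachable
        }
    }
}

# Trusts of the current domain, then (optionally) of another domain for the same mapping.
Get-TrustSummary | Format-Table -AutoSize
# Get-TrustSummary -Domain 'other.local' | Format-Table -AutoSize
```

The EnumerableFromHere column answers the challenge above for each trust: only inbound or bidirectional trusts let the current domain's accounts query the other side.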

Get the current domain (the domain the current laptop is joined to)

Get-NetDomain (PowerView)
Get-ADDomain (ADModule)

Get the object of another domain

Get-NetDomain -Domain <any other domain> (PowerView)
Get-ADDomain -Identity <any other domain> (ADModule)

Get details about the current forest

Get-NetForest (PowerView)
Get-ADForest (ADModule)

Get details about the other forest

Get-NetForest -Forest <forest.local> (PowerView)
Get-ADForest -Identity <forest.local> (ADModule)

Get all domains in the current forest

Get-NetForestDomain (PowerView)
(Get-ADForest).Domains (ADModule)

Global catalogs for the current forest

Get-NetForestCatalog (PowerView)
Get-ADForest | select -ExpandProperty GlobalCatalogs (ADModule)

Get SID of the current domain

Get-DomainSID (PowerView)
(Get-ADDomain).DomainSID (ADModule)

Get the domain policy of the current domain

Get-DomainPolicy (PowerView)
(Get-DomainPolicy)."system access" (PowerView)
(Get-DomainPolicy)."Kerberos Policy" (PowerView)

Get the domain policy of another domain

(Get-DomainPolicy -Domain <domainname>)."system access" (PowerView)

Get the domain controller for the current domain

Get-NetDomainController (PowerView)
Get-ADDomainController (ADModule)

Get the domain controller for another domain

Get-NetDomainController -Domain <domain.local> (PowerView)
Get-ADDomainController -DomainName <domain.local> -Discover (ADModule)

NOTE: You may run into problems while loading these scripts. To avoid them, refer to execution policy and AMSI bypass techniques, which can be applied without privileged/local admin access.

References

https://adsecurity.org/
https://github.com/samratashok/ADModule
https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1
