Enumerating Active Directory
Level Medium
Status Completed
Summary
In this module, various methods of AD enumeration are discussed, and the pros
and cons of each are analyzed in detail. At the end of the module the user should
have a good idea of the network posture of the AD environment after initial
access, and be able to find a path for privilege escalation and pivoting.
Task 1 - Check Connections
[~] - hak101> nslookup thmdc.za.tryhackme.com
Server: 127.0.0.1
Address: 127.0.0.1#53
Non-authoritative answer:
Name: thmdc.za.tryhackme.com
Address: 10.200.55.101
If you have issues connecting to the AD environment, refer to the Breaching
Active Directory module. The dnsmasq rule below makes NetworkManager forward
lookups for za.tryhackme.com to the domain controller:
echo "server=/za.tryhackme.com/10.200.8.101" \
| sudo tee /etc/NetworkManager/dnsmasq.d/tryhackme.conf
3. Restart NetworkManager
Enumerating Active Directory 1
sudo systemctl restart NetworkManager
Verify Connection
grep ^nameserver /etc/resolv.conf
# → nameserver 127.0.0.1
nslookup za.tryhackme.com
# → Address: 10.200.88.101
Now we need to visit http://distributor.za.tryhackme.com/creds. Before that, we
need to nslookup the host and add its IP to /etc/hosts:
[~] - hak101> nslookup distributor.za.tryhackme.com
Server: 127.0.0.1
Address: 127.0.0.1#53
Non-authoritative answer:
Name: distributor.za.tryhackme.com
Address: 10.200.8.201
Add the entry to /etc/hosts:
10.200.8.201 distributor.za.tryhackme.com
Now we can access our credentials.
Next, let's try to access the thmjmp1 box over SSH:
ssh za.tryhackme.com\\[email protected]
Alternatively, RDP into that machine:
xfreerdp /v:10.200.8.248 /u:andrea.mitchell /p:Password1 +clipboard
Task 2 - Credential Injection
In this task we will look at how to use the runas utility to enumerate the AD
environment. This is helpful in scenarios where we have found AD credentials but
are not sure where they can be used. If we have the username and password of an
AD user, we can use the following command to start a command prompt that
authenticates to the network with those credentials:
runas.exe /netonly /user:<domain>\<username> cmd.exe
The /netonly switch keeps local execution under the current Windows account and
uses the supplied credentials only for network authentication, which is why this
works from a machine that is not domain-joined and why the password is not
verified until a network resource is actually accessed.
Before we can list SYSVOL, we need to configure our DNS. Sometimes you are
lucky, and internal DNS will be configured for you automatically through DHCP or
the VPN connection, but not always (like this TryHackMe network). It is good to
understand how to do it manually. Your safest bet for a DNS server is usually a
domain controller. Using the IP of the domain controller, we can execute the
following commands in a PowerShell window:
$dnsip = "10.200.8.101"
$index = Get-NetAdapter -Name 'Ethernet 4' | Select-Object -ExpandProperty 'ifIndex'
Set-DnsClientServerAddress -InterfaceIndex $index -ServerAddresses $dnsip
If Get-NetAdapter throws an error, check the name of the Ethernet connection:
Get-NetAdapter |
Format-Table -AutoSize Name, InterfaceIndex, Status
We can see our connection is Ethernet 4. The commands now work, and we can run
nslookup to check that the DC's DNS resolves properly:
nslookup za.tryhackme.com
Now we can list the SYSVOL directory, a share on every domain controller that all
authenticated domain users can read:
dir \\za.tryhackme.com\SYSVOL\
Task 3 - Enumeration through Microsoft Management Console
If you are using your own Windows machine, install the Remote Server
Administration Tools (RSAT) first:
1. Press Start
2. Search "Apps & Features" and press enter
3. Click Manage Optional Features
4. Click Add a feature
5. Search for "RSAT"
6. Select "RSAT: Active Directory Domain Services and Lightweight Directory Tools" and click Install
If we are on the RDP machine, we can attach the AD RSAT Snap-ins in MMC:
1. Click File -> Add/Remove Snap-in
2. Select and Add all three Active Directory Snap-ins
3. Click through any errors and warnings
4. Right-click on Active Directory Domains and Trusts and select Change Forest
5. Enter za.tryhackme.com as the Root domain and Click OK
6. Right-click on Active Directory Sites and Services and select Change Forest
7. Enter za.tryhackme.com as the Root domain and Click OK
8. Right-click on Active Directory Users and Computers and select Change Domain
9. Enter za.tryhackme.com as the Domain and Click OK
10. Right-click on Active Directory Users and Computers in the left-hand pane
11. Click on View -> Advanced Features
Now we should see the domain loaded in each snap-in, and we can enumerate the
domain za.tryhackme.com.
Let's take a look at the People directory. Here we see that the users are divided
according to department OUs. Clicking on each of these OUs will show the users
that belong to that department.
Clicking on any of these users will allow us to review all of their properties and
attributes. We can also see what groups they are a member of.
We can also use MMC to find hosts in the environment. If we click on either
Servers or Workstations, the list of domain-joined machines will be displayed.
Task 4 - Enumeration through command prompt
Enumerate all the users in the domain:
net user /domain
Enumerate a specific user:
net user zoe.marshall /domain
Enumerate all the groups in the domain:
net group /domain
Enumerate the membership of a group:
net group "Tier 1 Admins" /domain
Enumerate the password policy:
net accounts /domain
Task 5 - Enumeration through PowerShell
Open PowerShell on the RDP machine
First we can use the Get-ADUser cmdlet to enumerate AD users:
Get-ADUser -Identity gordon.stevens -Server za.tryhackme.com -Properties *
Next, the -Filter parameter allows more control over the enumeration, and the
Format-Table cmdlet displays the results neatly:
Get-ADUser -Filter 'Name -like "*stevens"' -Server za.tryhackme.com | Format-Table
Enumerating Groups
We can use the Get-ADGroup cmdlet to enumerate AD groups:
Get-ADGroup -Identity Administrators -Server za.tryhackme.com
We can also enumerate group membership using the Get-ADGroupMember cmdlet:
Get-ADGroupMember -Identity Administrators -Server za.tryhackme.com
AD Objects
A more generic search for any AD objects can be performed using the Get-ADObject
cmdlet. For example, if we are looking for all AD objects that were changed after
a specific date:
$ChangeDate = New-Object DateTime(2022, 02, 28, 12, 00, 00)
Get-ADObject -Filter 'whenChanged -gt $ChangeDate' -IncludeDeletedObjects -Server za.tryhackme.com
If we wanted to, for example, perform a password spraying attack without locking
out accounts, we can use this to enumerate accounts whose badPwdCount is greater
than 0 and leave them out of the attack:
Get-ADObject -Filter 'badPwdCount -gt 0' -Server za.tryhackme.com
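From the defender's side, the same badPwdCount query is what reveals a password spray in progress: many accounts with one or two failed attempts within a few minutes. The following PowerShell is an added example, not code from the TryHackMe module; it assumes the ActiveDirectory RSAT module is installed and that the caller is an authenticated domain user, and the function name Get-BadPasswordReport is my own.

```powershell
# Added example (not from the TryHackMe module): report accounts with recorded
# failed logons and how many more failures the domain lockout policy allows.
# Assumptions: ActiveDirectory RSAT module present; any authenticated domain
# user can read these attributes by default.
function Get-BadPasswordReport {
    param(
        [string]$Domain = 'za.tryhackme.com'   # domain used on this page
    )

    Import-Module ActiveDirectory

    # badPwdCount is not replicated between DCs, but every DC forwards failed
    # attempts to the PDC emulator, so query that DC for the domain-wide view.
    $pdc       = (Get-ADDomain -Server $Domain).PDCEmulator
    $threshold = (Get-ADDefaultDomainPasswordPolicy -Server $pdc).LockoutThreshold  # 0 = lockout disabled

    $props = 'badPwdCount', 'badPasswordTime', 'LockedOut'
    Get-ADUser -Server $pdc -Filter 'badPwdCount -gt 0' -Properties $props |
        ForEach-Object {
            [PSCustomObject]@{
                SamAccountName  = $_.SamAccountName
                Enabled         = $_.Enabled
                BadPwdCount     = $_.badPwdCount
                # badPasswordTime is a Windows FILETIME (100 ns ticks since 1601)
                LastBadPassword = if ($_.badPasswordTime -gt 0) { [DateTime]::FromFileTime($_.badPasswordTime) } else { $null }
                LockedOut       = $_.LockedOut
                # Accounts under a fine-grained password policy (PSO) may have a
                # different threshold; Get-ADUserResultantPasswordPolicy reports it.
                AttemptsLeft    = if ($threshold -gt 0) { [Math]::Max(0, $threshold - $_.badPwdCount) } else { $null }
            }
        } |
        Sort-Object AttemptsLeft, BadPwdCount
}

# Usage:
Get-BadPasswordReport | Format-Table -AutoSize
```

A query against an arbitrary DC shows only the failures that DC itself saw, which is why the function resolves the PDC emulator first. Accounts that sit at one attempt from the threshold, or that are already locked out, are the ones to correlate with 4625 and 4740 events on the DCs.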
Domains
We can use Get-ADDomain to retrieve additional information about the specific
domain:
Get-ADDomain -Server za.tryhackme.com
Altering AD Objects
As an example of altering an object, we can change the password of our AD user
with the Set-ADAccountPassword cmdlet:
Set-ADAccountPassword -Identity gordon.stevens -Server za.tryhackme.com -OldPassword (Read-Host -AsSecureString -Prompt 'Old Password') -NewPassword (Read-Host -AsSecureString -Prompt 'New Password')
Answers
Answer 1
Get-ADUser -Identity beth.nolan -Server za.tryhackme.com -Properties *
Answer 2
Get-ADUser -Identity annette.manning -Server za.tryhackme.com -Properties *
Answer 3
Get-ADGroup -Server za.tryhackme.com -Filter "Name -eq 'Tier 2 Admins'" -Properties *
Answer 4
Get-ADGroup -Identity "Enterprise Admins" -Server za.tryhackme.com -Properties *
Answer 5
Get-ADDomain -Server za.tryhackme.com
Task 6 - Enumeration through Bloodhound
[~] - hak101> bloodhound-python -d za.tryhackme.com -u 'andrea.mitchell' -p 'Password1'
Start the neo4j console
neo4j console
Now run BloodHound and log in with the neo4j credentials; once logged in, drag
and drop the JSON files into the GUI.
The database stats in the GUI are now updated.
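Before importing the JSON into the GUI, it is worth checking what the collector actually gathered. The PowerShell below is an added example, not part of the module or of the BloodHound project; it assumes the v4 collector file layout (a top-level data array, objects keyed by SID in ObjectIdentifier, group Members listed as ObjectIdentifier/ObjectType pairs), the function name Get-AdminMembersFromBloodHound is my own, and the embedded JSON is constructed sample data with made-up SIDs and names.

```powershell
# Added example (not from the TryHackMe module or BloodHound): summarise what
# bloodhound-python collected before importing it. It reads the users and
# groups files and lists enabled users that are direct members of any group
# with "admin" in its name, with the flags a reviewer cares about.
function Get-AdminMembersFromBloodHound {
    param(
        [Parameter(Mandatory)] [string]$UsersJson,
        [Parameter(Mandatory)] [string]$GroupsJson
    )

    $users  = (ConvertFrom-Json -InputObject $UsersJson).data
    $groups = (ConvertFrom-Json -InputObject $GroupsJson).data

    # Index users by SID so each membership entry resolves in constant time
    $bySid = @{}
    foreach ($u in $users) { $bySid[$u.ObjectIdentifier] = $u }

    foreach ($g in $groups) {
        if ($g.Properties.name -notmatch 'admin') { continue }   # -match is case-insensitive
        foreach ($m in $g.Members) {
            if ($m.ObjectType -ne 'User') { continue }            # nested groups/computers not expanded here
            $u = $bySid[$m.ObjectIdentifier]
            if ($null -eq $u -or -not $u.Properties.enabled) { continue }
            [PSCustomObject]@{
                Group      = $g.Properties.name
                User       = $u.Properties.name
                HasSPN     = $u.Properties.hasspn       # service principal on a privileged account is a finding
                AdminCount = $u.Properties.admincount   # true once AdminSDHolder has protected the object
            }
        }
    }
}

# Constructed sample data in the collector's layout (SIDs and names are made up)
$sampleUsers = @'
{"data":[
 {"ObjectIdentifier":"S-1-5-21-1-2-3-1106","Properties":{"name":"ANDREA.MITCHELL@ZA.TRYHACKME.COM","enabled":true,"hasspn":false,"admincount":false}},
 {"ObjectIdentifier":"S-1-5-21-1-2-3-1107","Properties":{"name":"T1_SVC@ZA.TRYHACKME.COM","enabled":true,"hasspn":true,"admincount":true}},
 {"ObjectIdentifier":"S-1-5-21-1-2-3-1108","Properties":{"name":"OLD.ADMIN@ZA.TRYHACKME.COM","enabled":false,"hasspn":false,"admincount":true}}
],"meta":{"type":"users","count":3,"version":4}}
'@
$sampleGroups = @'
{"data":[
 {"ObjectIdentifier":"S-1-5-21-1-2-3-1200","Properties":{"name":"TIER 1 ADMINS@ZA.TRYHACKME.COM"},
  "Members":[{"ObjectIdentifier":"S-1-5-21-1-2-3-1107","ObjectType":"User"},{"ObjectIdentifier":"S-1-5-21-1-2-3-1108","ObjectType":"User"}]},
 {"ObjectIdentifier":"S-1-5-21-1-2-3-1201","Properties":{"name":"DOMAIN USERS@ZA.TRYHACKME.COM"},
  "Members":[{"ObjectIdentifier":"S-1-5-21-1-2-3-1106","ObjectType":"User"}]}
],"meta":{"type":"groups","count":2,"version":4}}
'@

# On a real run, replace the sample strings with the collector output, e.g.
#   Get-Content .\*_users.json -Raw   and   Get-Content .\*_groups.json -Raw
Get-AdminMembersFromBloodHound -UsersJson $sampleUsers -GroupsJson $sampleGroups | Format-Table -AutoSize
```

With the sample data only T1_SVC is reported: the disabled OLD.ADMIN account is skipped, and ANDREA.MITCHELL is only in Domain Users. The GUI's pre-built queries answer the same question with nested membership resolved; this pass is a quick sanity check that the collection covered the groups and users you expected before you spend time in the graph.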
Summary
At the end of this module, AD enumeration is much easier thanks to the tools and
techniques covered: credential injection, enumeration through CMD, enumeration
with PowerShell, and BloodHound collection and analysis of the results. Overall it
was a very helpful module for enumerating an AD network.