Skip to content

Active Directory - Enumeration

Using BloodHound

Use the appropriate data collector to gather information for BloodHound or BloodHound Community Edition (CE) across various platforms.

Examples:

.\SharpHound.exe -c all -d active.htb --searchforest
.\SharpHound.exe -c all,GPOLocalGroup # all collection doesn't include GPOLocalGroup by default
.\SharpHound.exe --CollectionMethod DCOnly # only collect from the DC, doesn't query the computers (more stealthy)

.\SharpHound.exe -c all --LdapUsername <UserName> --LdapPassword <Password> --JSONFolder <PathToFile>
.\SharpHound.exe -c all --LdapUsername <UserName> --LdapPassword <Password> --domaincontroller 10.10.10.100 -d active.htb

.\SharpHound.exe -c All,GPOLocalGroup --outputdirectory C:\Windows\Temp --prettyprint --randomfilenames --collectallproperties --throttle 10000 --jitter 23  --outputprefix internalallthething

Invoke-BloodHound -SearchForest -CSVFolder C:\Users\Public
Invoke-BloodHound -CollectionMethod All  -LDAPUser <UserName> -LDAPPass <Password> -OutputDirectory <PathToFile>

certipy find 'corp.local/john:Passw0rd@dc.corp.local' -bloodhound
certipy find 'corp.local/john:Passw0rd@dc.corp.local' -old-bloodhound
certipy find 'corp.local/john:Passw0rd@dc.corp.local' -vulnerable -hide-admins -username user@domain -password Password123

# Windows with GSSAPI session
rusthound.exe -d domain.local --ldapfqdn domain
# Windows/Linux simple bind connection username:password
rusthound.exe -d domain.local -u user@domain.local -p Password123 -o output -z
# Linux with username:password and ADCS module for @ly4k BloodHound version
rusthound -d domain.local -u 'user@domain.local' -p 'Password123' -o /tmp/adcs --adcs -z

--buildcache: Only build cache and not perform further actions
--bhdump: Dump BloodHound data
--certdump: Dump AD Certificate Services (ADCS) data
--dnsdump: Dump AD Integrated DNS data

SOAPHound.exe --buildcache -c c:\temp\cache.txt
SOAPHound.exe -c c:\temp\cache.txt --bhdump -o c:\temp\bloodhound-output
SOAPHound.exe -c c:\temp\cache.txt --bhdump -o c:\temp\bloodhound-output --autosplit --threshold 1000
SOAPHound.exe -c c:\temp\cache.txt --certdump -o c:\temp\bloodhound-output
SOAPHound.exe --dnsdump -o c:\temp\dns-output

pip install bloodhound
bloodhound-python -d domain.local -u username -p password -gc LAB2008DC01.domain.local -c all
  • Use c3c/ADExplorerSnapshot.py to query data from SysInternals/ADExplorer snapshot (ADExplorer remains a legitimate binary signed by Microsoft, avoiding detection with security solutions).
ADExplorerSnapshot.py <snapshot path> -o <*.json output folder path>

Then import the zip/json files into the Neo4J database and query them.

root@payload$ apt install bloodhound 

# start BloodHound and the database
root@payload$ neo4j console
# or use docker
root@payload$ docker run -itd -p 7687:7687 -p 7474:7474 --env NEO4J_AUTH=neo4j/bloodhound -v $(pwd)/neo4j:/data neo4j:4.4-community

root@payload$ ./bloodhound --no-sandbox
Go to http://127.0.0.1:7474, use db:bolt://localhost:7687, user:neo4J, pass:neo4j

NOTE: Currently BloodHound Community Edition is still a work in progress, it is highly recommended to stay on the original BloodHoundAD/BloodHound version.

git clone https://github.com/SpecterOps/BloodHound
cd examples/docker-compose/
cat docker-compose.yml | docker compose -f - up
# UI: http://localhost:8080/ui/login
# Username: admin
# Password: see your Docker logs

You can add some custom queries like :

Replace the customqueries.json file located at /home/username/.config/bloodhound/customqueries.json or C:\Users\USERNAME\AppData\Roaming\BloodHound\customqueries.json.

Using PowerView

  • Get Current Domain: Get-NetDomain
  • Enum Other Domains: Get-NetDomain -Domain <DomainName>
  • Get Domain SID: Get-DomainSID
  • Get Domain Policy:
Get-DomainPolicy

#Will show us the policy configurations of the Domain about system access or kerberos
(Get-DomainPolicy)."system access"
(Get-DomainPolicy)."kerberos policy"
  • Get Domain Controlers:
Get-NetDomainController
Get-NetDomainController -Domain <DomainName>
  • Enumerate Domain Users:
Get-NetUser
Get-NetUser -SamAccountName <user> 
Get-NetUser | select cn
Get-UserProperty

#Check last password change
Get-UserProperty -Properties pwdlastset

#Get a specific "string" on a user's attribute
Find-UserField -SearchField Description -SearchTerm "wtver"

#Enumerate user logged on a machine
Get-NetLoggedon -ComputerName <ComputerName>

#Enumerate Session Information for a machine
Get-NetSession -ComputerName <ComputerName>

#Enumerate domain machines of the current/specified domain where specific users are logged into
Find-DomainUserLocation -Domain <DomainName> | Select-Object UserName, SessionFromName
  • Enum Domain Computers:
Get-NetComputer -FullData
Get-DomainGroup

#Enumerate Live machines 
Get-NetComputer -Ping
  • Enum Groups and Group Members:
Get-NetGroupMember -GroupName "<GroupName>" -Domain <DomainName>

#Enumerate the members of a specified group of the domain
Get-DomainGroup -Identity <GroupName> | Select-Object -ExpandProperty Member

#Returns all GPOs in a domain that modify local group memberships through Restricted Groups or Group Policy Preferences
Get-DomainGPOLocalGroup | Select-Object GPODisplayName, GroupName
  • Enumerate Shares
#Enumerate Domain Shares
Find-DomainShare

#Enumerate Domain Shares the current user has access
Find-DomainShare -CheckShareAccess
  • Enum Group Policies:
Get-NetGPO

# Shows active Policy on specified machine
Get-NetGPO -ComputerName <Name of the PC>
Get-NetGPOGroup

#Get users that are part of a Machine's local Admin group
Find-GPOComputerAdmin -ComputerName <ComputerName>
  • Enum OUs:
Get-NetOU -FullData 
Get-NetGPO -GPOname <The GUID of the GPO>
  • Enum ACLs:
# Returns the ACLs associated with the specified account
Get-ObjectAcl -SamAccountName <AccountName> -ResolveGUIDs
Get-ObjectAcl -ADSprefix 'CN=Administrator, CN=Users' -Verbose

#Search for interesting ACEs
Invoke-ACLScanner -ResolveGUIDs

#Check the ACLs associated with a specified path (e.g smb share)
Get-PathAcl -Path "\\Path\Of\A\Share"
  • Enum Domain Trust:
Get-NetDomainTrust
Get-NetDomainTrust -Domain <DomainName>
  • Enum Forest Trust:
Get-NetForestDomain
Get-NetForestDomain Forest <ForestName>

#Domains of Forest Enumeration
Get-NetForestDomain
Get-NetForestDomain Forest <ForestName>

#Map the Trust of the Forest
Get-NetForestTrust
Get-NetDomainTrust -Forest <ForestName>
  • User Hunting:
#Finds all machines on the current domain where the current user has local admin access
Find-LocalAdminAccess -Verbose

#Find local admins on all machines of the domain:
Invoke-EnumerateLocalAdmin -Verbose

#Find computers were a Domain Admin OR a specified user has a session
Invoke-UserHunter
Invoke-UserHunter -GroupName "RDPUsers"
Invoke-UserHunter -Stealth

#Confirming admin access:
Invoke-UserHunter -CheckAccess

Using AD Module

  • Get Current Domain: Get-ADDomain
  • Enum Other Domains: Get-ADDomain -Identity <Domain>
  • Get Domain SID: Get-DomainSID
  • Get Domain Controlers:
Get-ADDomainController
Get-ADDomainController -Identity <DomainName>
  • Enumerate Domain Users:
Get-ADUser -Filter * -Identity <user> -Properties *

#Get a specific "string" on a user's attribute
Get-ADUser -Filter 'Description -like "*wtver*"' -Properties Description | select Name, Description
  • Enum Domain Computers:
Get-ADComputer -Filter * -Properties *
Get-ADGroup -Filter *
  • Enum Domain Trust:
Get-ADTrust -Filter *
Get-ADTrust -Identity <DomainName>
  • Enum Forest Trust:
Get-ADForest
Get-ADForest -Identity <ForestName>

#Domains of Forest Enumeration
(Get-ADForest).Domains
  • Enum Local AppLocker Effective Policy:
Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections

User Hunting

Sometimes you need to find a machine where a specific user is logged in. You can remotely query every machines on the network to get a list of the users's sessions.

  • netexec
nxc smb 10.10.10.0/24 -u Administrator -p 'P@ssw0rd' --sessions
SMB         10.10.10.10    445    WIN-8OJFTLMU1IG  [+] Enumerated sessions
SMB         10.10.10.10    445    WIN-8OJFTLMU1IG  \\10.10.10.10            User:Administrator
  • Impacket Smbclient
$ impacket-smbclient Administrator@10.10.10.10
# who
host:  \\10.10.10.10, user: Administrator, active:     1, idle:     0
  • PowerView Invoke-UserHunter
# Find computers were a Domain Admin OR a specified user has a session
Invoke-UserHunter
Invoke-UserHunter -GroupName "RDPUsers"
Invoke-UserHunter -Stealth

RID cycling

In Windows, every security principal (user, group, etc.) has a Security Identifier (SID). The SID is a unique identifier used for access control.

S-1-5-21-<domain>-<RID>
  • S-1-5-21-<domain> = Base domain SID
  • <RID> = Unique ID assigned to a user/group

RID cycling involves brute-forcing a range of RIDs (like 500–1500) by appending them to the known domain SID, and attempting to resolve each SID into a username.

netexec smb 10.10.11.231 -u guest -p '' --rid-brute 10000 --log rid-brute.txt
SMB         10.10.11.231    445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:rebound.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.231    445    DC01             [+] rebound.htb\guest: 
SMB         10.10.11.231    445    DC01             498: rebound\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB         10.10.11.231    445    DC01             500: rebound\Administrator (SidTypeUser)
SMB         10.10.11.231    445    DC01             501: rebound\Guest (SidTypeUser)
SMB         10.10.11.231    445    DC01             502: rebound\krbtgt (SidTypeUser)

lookupsid.py -no-pass 'guest@rebound.htb' 20000

Other Interesting Commands

  • Find Domain Controllers
nslookup domain.com
nslookup -type=srv _ldap._tcp.dc._msdcs.<domain>.com
nltest /dclist:domain.com
Get-ADDomainController -filter * | Select-Object name
gpresult /r
$Env:LOGONSERVER 
echo %LOGONSERVER%

References