PowerView: Active Directory Enumeration
overview
Description
Active Directory (AD) is a directory service developed by Microsoft, commonly used in Windows-based networks to manage users, groups, and resources. Active Directory enumeration refers to the process of systematically querying and extracting information from an AD environment. It plays a crucial role in penetration testing, network security assessments, and red teaming, as it helps identify potential vulnerabilities and weaknesses in the AD infrastructure.
During the Active Directory enumeration process, several techniques and tools are employed to query the AD and extract valuable information. These techniques may include using PowerShell scripts, performing LDAP enumeration, or utilizing specific Active Directory enumeration tools. The objective is to identify domain controllers, domain names, organizational units, user accounts, group memberships, trust relationships, and other critical details. By conducting thorough Active Directory enumeration, security professionals can evaluate the overall security posture of the AD infrastructure, identify misconfigurations, detect potential attack vectors, and plan targeted attacks or defenses.
Tasks
Lab Environment
In this lab environment, you will be provided with GUI access to a Windows machine (2012). This machine will serve as your attacker machine. Your task in this lab is to enumerate the Active Directory environment.
Objective: Perform Active Directory enumeration.
Below are the tasks that you need to perform:
Enumerate local users & groups
Enumerate Domain
Enumerate Domain Users
Enumerate Domain Computers
Enumerate Domain Groups
Enumerate Domain Shares
Enumerate GPOs and OUs
Enumerate Domain Trust & Forest Trust
Enumerate ACLs
Find Kerberoastable accounts
Find AS-REP roastable accounts
Note: All the tools are present in the C:\Tools directory.
Tools
The best tools for this lab are:
PowerShell
PowerView
solutions
Step 1: Open the lab link to access the attacker machine:

Enumerate local users & groups
Step 2: Open PowerShell. Let's gather information about the local users and groups.
Get current user:

Get current user privileges:

List the groups to which the current user belongs:

To view everything:

List local users:


List account policy settings:

Get details about a specific local user:

List local groups:


Display members belonging to a group:

It can be seen that the Domain Admins group is a member of the local Administrators group. Domain Admins is a built-in group created automatically when a domain is set up; it is added to the local Administrators group of every domain-joined computer by default and carries the highest level of administrative privilege within the domain. By compromising an account in Domain Admins (or gaining the ability to add members to it), an attacker can take full control of the entire domain, which makes the group a prime target during a red team engagement or an actual breach.
We can also gather information about the network. Display all network interfaces, IP addresses, and DNS servers:
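The local triage of Step 2 collected into one script, added here as an example rather than the lab's own command listing. It uses only tools built into the lab's Windows 2012 machine; the Get-LocalGroupMember call is guarded because that cmdlet exists only from PowerShell 5.1 onward, and 'Administrator' is used as the sample account name:

```powershell
# Added example: local user, group and network triage (Step 2). Built-in tools only;
# 'Administrator' is the sample account name.
whoami                       # current user as DOMAIN\user
whoami /priv                 # privileges held by the current token
whoami /groups               # local and domain group memberships
whoami /all                  # everything above in one go

net user                     # local accounts
net accounts                 # local account policy: lockout threshold, password age and length
net user Administrator       # one local account in detail
net localgroup               # local groups
net localgroup Administrators

# Pull the member list out of 'net localgroup Administrators' and flag domain principals
# (DOMAIN\name). Domain Admins being listed here is the default on domain-joined hosts.
$members = net localgroup Administrators |
    Where-Object { $_ -and $_ -notmatch '^(Alias name|Comment|Members|-+$|The command completed)' }
$members | Where-Object { $_ -match '\\' } |
    ForEach-Object { "Domain principal in local Administrators: $_" }

# Richer output where PowerShell 5.1+ is available (not on a stock 2012 box)
if (Get-Command Get-LocalGroupMember -ErrorAction SilentlyContinue) {
    Get-LocalGroupMember -Group Administrators | Select-Object Name, ObjectClass, PrincipalSource
}

ipconfig /all                # interfaces, IP addresses, DNS servers (the DNS server is usually a DC)
Get-NetIPConfiguration | Select-Object InterfaceAlias, IPv4Address, DNSServer
```

The DNS server handed out to a domain-joined host is almost always a domain controller, which is why the network output is worth reading alongside the group membership.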



Enumerate Domain
Step 3: Next, navigate to C:\Tools. We will use the PowerView.ps1 script present there for the AD enumeration. Depending on the machine's execution policy, PowerShell may refuse to run the script, so we relax the policy for this session first (the execution policy is a safety feature against accidental execution, not a security boundary, and any user who can run PowerShell can bypass it). Run the following commands:
Command:

About PowerView.ps1:
“PowerView is a PowerShell tool to gain network situational awareness on Windows domains. It contains a set of pure-PowerShell replacements for various windows "net *" commands, which utilize PowerShell AD hooks and underlying Win32 API functions to perform useful Windows domain functionality.”
Source: https://powersploit.readthedocs.io/en/latest/Recon/
Step 4: Let's gather information about the domain.
Get Current Domain:

It can be seen that the name of the current domain is research.SECURITY.local which is a child domain of the SECURITY.local parent domain. The Fully Qualified Domain Name (FQDN) of the Domain Controller is prod.research.SECURITY.local.
In the same way you can get details about another domain, for example the parent domain:

Get Domain SID:

This retrieves the Security Identifier (SID) of the current domain. Every security principal in the domain (users, groups, computers) has a SID of the form <domain SID>-<RID>, so the domain SID is the common prefix of all of them; well-known RIDs such as 500 (Administrator) and 512 (Domain Admins) are appended to it.
Get Domain policy:
This shows the domain's policy settings, such as the password and lockout policy (the SystemAccess section) and the Kerberos ticket lifetimes (the KerberosPolicy section). PowerView reads them from the Default Domain Policy's GptTmpl.inf in SYSVOL.



Get Domain Controllers:


These commands retrieve details about the domain controllers (DCs) of the current domain, or of the domain specified, including their IP addresses.
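Steps 3 and 4 as one PowerShell session, added here as an example and not copied from the lab. Domain names follow what the lab reports (research.SECURITY.local and its parent SECURITY.local); the PowerView function names are those of the current PowerSploit dev branch, in which Get-DomainPolicy is kept as an alias of Get-DomainPolicyData:

```powershell
# Added example: load PowerView and enumerate the domain (Steps 3-4).
# Relax the execution policy for this process only; it is not a security boundary.
Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process -Force
# Equivalent when starting a fresh shell from cmd.exe:  powershell.exe -ExecutionPolicy Bypass

Set-Location C:\Tools
. .\PowerView.ps1                   # dot-source so the functions are defined in this scope
Get-Command Get-Domain              # sanity check that PowerView loaded

# Current domain and its parent (names as reported by the lab)
Get-Domain                          # Name, Forest, Parent, DomainControllers, PdcRoleOwner
Get-Domain -Domain SECURITY.local

# Domain SID; every principal's SID is <domain SID>-<RID>
Get-DomainSID
Get-DomainSID -Domain SECURITY.local

# Domain policy, parsed from the Default Domain Policy's GptTmpl.inf in SYSVOL.
# Get-DomainPolicy is an alias of Get-DomainPolicyData in current PowerView builds.
$policy = Get-DomainPolicyData
$policy.SystemAccess                # MinimumPasswordLength, LockoutBadCount, MaximumPasswordAge, ...
$policy.KerberosPolicy              # MaxTicketAge, MaxServiceAge, MaxClockSkew, ...
Get-DomainPolicyData -Policy DC     # Default Domain Controllers Policy (user rights, audit settings)

# Domain controllers and their addresses
Get-DomainController | Select-Object Name, IPAddress, OSVersion, Roles
Get-DomainController -Domain SECURITY.local | Select-Object Name, IPAddress
```

The lockout threshold from SystemAccess is the value to read before any password spraying later in an engagement, and MaxTicketAge from KerberosPolicy bounds how long a captured ticket stays usable.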
Enumerate Domain Users
Step 5: Let's enumerate domain users.
Get Domain Users:


Get details about a particular domain user:

List specific properties for user:

Enumerate Domain Computers
Step 6: Let's enumerate the computers in the domain.
List details of computers in the current domain:

List specific properties for computers:

List specific properties of computers in the other domain:

Enumerate Domain Groups
Step 7: Let's enumerate domain groups.
List all groups in the current domain:


List information about a specific group:

List members of a specific group:

List group membership of a user:

Enumerate Domain Shares
Step 8: You can enumerate the shares using the following commands:
List shares on a host system in the current domain:

As seen above, SYSVOL is an important share: it stores and replicates domain-wide data such as Group Policy Objects (GPOs) and logon scripts. It is created and shared automatically on every domain controller and serves as the central repository for GPO files (security policies, software deployment and other configuration settings). Because domain-joined computers read it during Group Policy processing, it is readable by every authenticated domain user.
Enumerate shares that the current user has read access to:

List active shares on the local host:

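Step 8 as an added PowerShell example, not the lab's command listing. prod.research.SECURITY.local is the DC name the lab reports; the exclusion list of default administrative shares is an assumption you may want to adjust:

```powershell
# Added example: share enumeration (Step 8).
Get-NetShare -ComputerName prod.research.SECURITY.local   # Name, Type, Remark, ComputerName
Get-NetShare                                              # shares on the local host

# Shares on every domain computer that the current user can actually read.
# Default administrative shares are filtered out (assumed list; adjust as needed).
$defaultShares = @('ADMIN$', 'C$', 'IPC$', 'print$')
Find-DomainShare -CheckShareAccess |
    Where-Object { $defaultShares -notcontains $_.Name } |
    Select-Object ComputerName, Name, Remark |
    Format-Table -AutoSize

# Same check against the computers of the parent domain
Find-DomainShare -CheckShareAccess -ComputerDomain SECURITY.local

# SYSVOL is readable by all authenticated users; GPO files live under Policies\{GUID}
Get-ChildItem "\\research.SECURITY.local\SYSVOL\research.SECURITY.local\Policies" -ErrorAction SilentlyContinue |
    Select-Object Name, LastWriteTime
```

-CheckShareAccess performs a directory listing against each share, so the loop is noisy and slow in a large domain; run it once and keep the output.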
Enumerate GPOs and OUs
Group Policy Objects (GPOs) are used to manage and control the behavior of user accounts and computer accounts within a domain. Each GPO contains a collection of settings and configurations that are applied to targeted users or computers in the domain. They can be linked to sites, domains, or OUs within the Active Directory hierarchy to define their scope and targeting. Some common use cases for GPOs include setting desktop wallpaper, managing software installations, restricting access to specific features or applications, defining security settings etc. GPOs can be abused for a variety of attacks, including privilege escalation, deploying backdoors, establishing persistence etc.
Organizational Units (OUs) are containers within Active Directory that help organize and manage objects such as users, computers, groups, and other resources for easier management and application of policies. They provide a way to structure and delegate administrative control within the domain. By creating OUs, administrators can apply different GPOs to specific sets of users or computers, tailoring the policies to the unique needs of those groups. OUs can represent various aspects of an organization's structure, such as departments, geographical locations, or functional units. OUs can also be nested within each other to create a hierarchical organizational structure.
Step 9: Let's enumerate the GPOs and OUs in the domain.
List of GPOs in the current domain:


Get all OUs in the current domain:


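Step 9 as an added example, not from the lab page, extended with a helper that resolves each OU's gPLink attribute to the display names of the GPOs linked to it, which is how you find out which policies actually apply where. Get-OUGpoLinks is a name chosen here, not a PowerView function:

```powershell
# Added example: GPO and OU enumeration (Step 9) plus gPLink resolution.
Get-DomainGPO | Select-Object displayname, name, gpcfilesyspath, whencreated
Get-DomainOU | Select-Object name, distinguishedname, gplink

# gPLink looks like "[LDAP://cn={GUID},cn=policies,cn=system,DC=...;0][LDAP://...;2]".
# The digit after the ';' is the link option: 0 = normal, 1 = link disabled, 2 = enforced.
function Get-OUGpoLinks {
    foreach ($ou in Get-DomainOU -Properties name, distinguishedname, gplink) {
        if (-not $ou.gplink) { continue }
        $links = [regex]::Matches($ou.gplink, '(?i)\[LDAP://cn=(\{[^}]+\})[^;]*;(\d+)\]')
        foreach ($m in $links) {
            $guid = $m.Groups[1].Value
            # PowerView accepts a {GUID} as the GPO identity
            $gpo  = Get-DomainGPO -Identity $guid -Properties displayname
            [pscustomobject]@{
                OU          = $ou.name
                OUDN        = $ou.distinguishedname
                GPO         = $gpo.displayname
                GpoGuid     = $guid
                LinkOptions = [int]$m.Groups[2].Value
            }
        }
    }
}
Get-OUGpoLinks | Format-Table -AutoSize

# GPOs that apply to a given computer, using PowerView's own resolution
Get-DomainGPO -ComputerIdentity prod.research.SECURITY.local | Select-Object displayname
```

Enforced links (LinkOptions 2) override policies linked lower in the hierarchy, so an enforced GPO on a top-level OU is the one that actually governs every nested OU beneath it.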
Enumerate Domain Trust & Forest Trust
In an Active Directory environment, trust represents a relationship established between two domains or forests. This relationship enables users from one domain or forest to access resources located in the other domain or forest. Domain Trust enables authentication between domains within the same forest or across separate forests, facilitating resource sharing and collaboration. Forest Trust extends trust relationships beyond individual domains and encompasses the entire forest infrastructure, enabling authentication and resource access between domains in different forests.
Step 10: Let's enumerate the trusts.
List all domain trusts for the current domain:

We can see a bidirectional (two-way) parent-child trust; this transitive trust is created automatically when a child domain is added under a parent domain.
Get details of current forest:

The name of the current forest is SECURITY.local.
Map the trust of the forest:

It can be seen that we have a bidirectional forest trust established between the current forest and a different forest named tech.local.

Get details of other forest:

Get all domains in the current forest:

Get all domains in other forest:

Enumerate all the trusts:

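Step 10 as an added example, not the lab's command listing. SECURITY.local and tech.local are the forest names the lab reports:

```powershell
# Added example: trust enumeration (Step 10). Forest names as reported by the lab.
Get-DomainTrust                       # SourceName, TargetName, TrustType, TrustAttributes, TrustDirection
Get-DomainTrust -Domain SECURITY.local
Get-DomainTrust -API                  # same data via the DsEnumerateDomainTrusts Win32 API instead of LDAP

Get-Forest                            # Name, RootDomain, Domains, GlobalCatalogs, Sites
Get-Forest -Forest tech.local
Get-ForestTrust                       # forest-level trusts of the current forest
Get-ForestDomain                      # all domains in the current forest
Get-ForestDomain -Forest tech.local

# Walk every reachable trust recursively and tabulate it. In TrustAttributes,
# WITHIN_FOREST marks parent/child (intra-forest) trusts and FOREST_TRANSITIVE marks forest trusts.
Get-DomainTrustMapping |
    Select-Object SourceName, TargetName, TrustDirection, TrustAttributes |
    Sort-Object SourceName, TargetName |
    Format-Table -AutoSize
```

TrustDirection is read from the perspective of SourceName: Bidirectional means principals from either side can authenticate to the other, which is what makes tech.local reachable from this forest.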
Enumerate ACLs
Access Control Lists (ACLs) are security mechanisms used to regulate access to resources. An ACL consists of Access Control Entries (ACEs); each ACE names a security principal (user or group), the specific permissions granted or denied to it, and whether the entry is inherited from a parent object or set explicitly on the object. ACEs give administrators granular control over access, and attackers abuse misconfigured or overly permissive ACLs in Active Directory to escalate privileges, gain unauthorized access, or manipulate permissions.
The security descriptor of a securable object can hold two ACLs: the Discretionary ACL (DACL) and the System ACL (SACL).
The DACL (often referred to simply as "the ACL") specifies the permissions allowed or denied to trustees (users or groups) on the object.
The SACL specifies which access attempts, successful or failed, generate audit events for the object.
Step 11: Let's enumerate the ACLs.
List ACLs associated with a specific object:


Search for interesting ACEs:


Search for a specific Active Directory right associated with the specified object:

Note that GenericAll is the most permissive right: it grants full control over the object (for a user, that includes resetting its password; for a group, adding members; for a computer, writing its attributes).
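Step 11 as an added PowerShell example, not the lab's command listing. 'svc_sql' is a placeholder object name. Beyond the lab's three commands, it filters the ACEs on one object down to the rights that translate directly into takeover and resolves the SIDs that hold them:

```powershell
# Added example: ACL enumeration and triage (Step 11). 'svc_sql' is a placeholder.
Get-DomainObjectAcl -Identity 'Domain Admins' -ResolveGUIDs |
    Select-Object ActiveDirectoryRights, ObjectAceType, SecurityIdentifier, AceQualifier, IsInherited

# Interesting ACEs domain-wide, already resolved to principal names (slow in large domains)
Find-InterestingDomainAcl -ResolveGUIDs |
    Select-Object ObjectDN, ActiveDirectoryRights, ObjectAceType, IdentityReferenceName, IdentityReferenceClass

# Who holds takeover-grade rights over one object? GenericAll/GenericWrite/WriteDacl/WriteOwner
# give control of the object itself; ExtendedRight covers things like password reset.
$dangerous = 'GenericAll|GenericWrite|WriteDacl|WriteOwner|WriteProperty|ExtendedRight'
Get-DomainObjectAcl -Identity svc_sql -ResolveGUIDs |
    Where-Object { $_.ActiveDirectoryRights -match $dangerous -and $_.AceQualifier -eq 'AccessAllowed' } |
    ForEach-Object {
        [pscustomobject]@{
            Principal = ConvertFrom-SID $_.SecurityIdentifier
            Rights    = $_.ActiveDirectoryRights
            ObjectAce = $_.ObjectAceType     # e.g. User-Force-Change-Password when -ResolveGUIDs is used
            Inherited = $_.IsInherited
        }
    } |
    # drop the principals expected to have these rights; what remains is the misconfiguration
    Where-Object { $_.Principal -notmatch 'Domain Admins|Enterprise Admins|\\SYSTEM$|\\Administrators$' } |
    Format-Table -AutoSize
```

Filtering on AceQualifier rather than AceType matters: object-specific ACEs have the AceType AccessAllowedObject, and a check for AceType equal to AccessAllowed would silently skip them.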
Find Kerberoastable accounts
Kerberoasting is a post-exploitation technique that targets Active Directory user accounts with a Service Principal Name (SPN). An SPN ties a service instance to the account the service runs as. Any authenticated domain user can request a service ticket (TGS) for that SPN; part of the ticket is encrypted with a key derived from the service account's password, so the ticket can be taken offline and cracked. Recovered passwords can then be used for lateral movement, privilege escalation or persistence.
Step 12: Identify user accounts with non-null Service Principal Name (SPN):

Find AS-REP roastable accounts
AS-REP roasting is a related technique against user accounts that have Kerberos pre-authentication disabled. For such accounts the KDC returns an AS-REP without the requester proving knowledge of the password, and part of that reply is encrypted with a key derived from the account's password, so an attacker can request it for any such account and attempt to crack it offline.
Step 13: Identify user accounts that have Pre-Authentication disabled:

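Steps 12 and 13 together, as an added example rather than the lab's command listing. Alongside the PowerView switches it gives the equivalent raw LDAP filters so the results can be cross-checked with any other LDAP client:

```powershell
# Added example: Kerberoastable and AS-REP roastable accounts (Steps 12-13).

# Kerberoastable: user accounts carrying a servicePrincipalName. krbtgt always has one but
# its key is not realistically crackable, so it is dropped. msDS-SupportedEncryptionTypes
# tells you whether the service ticket will be RC4 (fast to crack) or AES-only.
Get-DomainUser -SPN |
    Where-Object { $_.samaccountname -ne 'krbtgt' } |
    Select-Object samaccountname, serviceprincipalname, pwdlastset, 'msds-supportedencryptiontypes'

# Equivalent raw LDAP filter (805306368 = samAccountType of user objects)
Get-DomainUser -LDAPFilter '(&(samAccountType=805306368)(servicePrincipalName=*)(!(samAccountName=krbtgt)))' -Properties samaccountname, serviceprincipalname

# AS-REP roastable: DONT_REQ_PREAUTH (0x400000 = 4194304) set in userAccountControl
Get-DomainUser -PreauthNotRequired | Select-Object samaccountname, useraccountcontrol

# Equivalent raw LDAP filter using the bitwise-AND matching rule
Get-DomainUser -LDAPFilter '(&(samAccountType=805306368)(userAccountControl:1.2.840.113556.1.4.803:=4194304))' -Properties samaccountname

# Disabled accounts match the filter too, but the KDC refuses to issue an AS-REP for them
# (KDC_ERR_CLIENT_REVOKED), so separate them out (ACCOUNTDISABLE = 0x2).
Get-DomainUser -PreauthNotRequired -Properties samaccountname, useraccountcontrol |
    ForEach-Object {
        [pscustomobject]@{
            Account  = $_.samaccountname
            Disabled = ([int]$_.useraccountcontrol -band 2) -ne 0
        }
    }
```

pwdlastset is worth keeping in the Kerberoast output: a service account whose password was set years ago is far more likely to fall to an offline wordlist than one rotated recently.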
Conclusion
In this lab, we performed Active Directory enumeration using PowerView. The enumeration process provides red teamers with valuable insights and information about the target environment. It offers a comprehensive understanding of the Active Directory infrastructure, including users, groups, privileges, trust relationships, and potentially vulnerable configurations. This knowledge may help red teamers to identify potential attack vectors, weaknesses, and misconfigurations that can be leveraged to escalate privileges, move laterally, or achieve persistence within the network.