Not Authenticated
Compare outputs from different commands! Some commands might miss some users…
Domain name & SID
Usernames & Groups
Most reliable: rpcclient, enum4linux. Less reliable: ldapsearch filtered on objectClass=user (anonymous binds often get a partial view and can miss service accounts). Cross-check the lists from each tool.
rpcclient -N -U "" $IP
enumdomusers
enumdomgroups
lookupnames john.smith # Resolves the name to its SID (domain SID + RID)
rpcclient -W '' -c querydispinfo -U''%'' $IP
enum4linux -U $IP
enum4linux -U $IP | grep user: | cut -d "[" -f2 | cut -d "]" -f1 > users.txt
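As an added example (not part of the original cheatsheet), the script below does what the "compare outputs" note asks for: it parses the `user:[name] rid:[0x...]` lines that rpcclient/enum4linux print, parses the sAMAccountName lines of an ldapsearch LDIF dump, reports which users each source missed, and derives a user SID from the domain SID plus the RID (what lookupnames returns). The rpcclient output, LDIF and domain SID are constructed sample data, not from a real domain.

```python
import re
from typing import Dict, Set

# Constructed sample output of `rpcclient -N -U "" $IP -c enumdomusers` (not real data)
RPCCLIENT_ENUMDOMUSERS = """\
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[john.smith] rid:[0x451]
user:[svc_sql] rid:[0x452]
"""

# Constructed sample LDIF from an anonymous ldapsearch on (objectClass=user);
# the service account svc_sql is deliberately absent to show the discrepancy
LDAPSEARCH_USERS = """\
dn: CN=Administrator,CN=Users,DC=example,DC=com
sAMAccountName: Administrator

dn: CN=Guest,CN=Users,DC=example,DC=com
sAMAccountName: Guest

dn: CN=krbtgt,CN=Users,DC=example,DC=com
sAMAccountName: krbtgt

dn: CN=John Smith,OU=Staff,DC=example,DC=com
sAMAccountName: john.smith
"""

# Domain SID as printed by rpcclient's lsaquery ("Domain Sid: S-1-5-21-...") - constructed value
DOMAIN_SID = "S-1-5-21-1004336348-1177238915-682003330"

RPC_USER_RE = re.compile(r"user:\[(?P<name>[^\]]+)\]\s+rid:\[0x(?P<rid>[0-9a-fA-F]+)\]")


def parse_rpcclient_users(text: str) -> Dict[str, int]:
    """Map sAMAccountName -> RID (decimal) from enumdomusers / enum4linux -U output."""
    return {m.group("name"): int(m.group("rid"), 16) for m in RPC_USER_RE.finditer(text)}


def parse_ldap_users(ldif: str) -> Set[str]:
    """Collect sAMAccountName values from an ldapsearch LDIF dump."""
    names = set()
    for line in ldif.splitlines():
        if line.lower().startswith("samaccountname:"):
            names.add(line.split(":", 1)[1].strip())
    return names


def user_sid(domain_sid: str, rid: int) -> str:
    """A user SID is simply the domain SID with the RID appended."""
    return f"{domain_sid}-{rid}"


def is_builtin(rid: int) -> bool:
    """RIDs below 1000 are well-known/built-in (500 Administrator, 501 Guest, 502 krbtgt, ...)."""
    return rid < 1000


def compare_sources(rpc: Dict[str, int], ldap: Set[str]) -> Dict[str, Set[str]]:
    """Case-insensitive diff of the two user lists (sAMAccountName is case-insensitive)."""
    rpc_cf = {n.casefold() for n in rpc}
    ldap_cf = {n.casefold() for n in ldap}
    return {
        "only_rpcclient": rpc_cf - ldap_cf,
        "only_ldap": ldap_cf - rpc_cf,
        "both": rpc_cf & ldap_cf,
    }


if __name__ == "__main__":
    rpc_users = parse_rpcclient_users(RPCCLIENT_ENUMDOMUSERS)
    diff = compare_sources(rpc_users, parse_ldap_users(LDAPSEARCH_USERS))
    for name, rid in rpc_users.items():
        tag = "builtin" if is_builtin(rid) else "user"
        print(f"{name:15} rid={rid:<5} {user_sid(DOMAIN_SID, rid)} ({tag})")
    print("missed by ldapsearch:", diff["only_rpcclient"])
    print("missed by rpcclient: ", diff["only_ldap"])
```

Feed it real output by replacing the constructed strings with the captured files (e.g. `rpcclient ... -c enumdomusers > rpc.txt`); the non-empty "missed by" set is the list of accounts one tool would have silently dropped.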
Authenticated
BEST OPTION: Use BloodHound, Impacket, PowerView & ldapsearch.
- ldapsearch *** GOOD ***
- Bloodhound – Relationship between AD users
enum4linux -a -u $USER -p $PASS $IP
Using PowerShell
Only works on Windows: the ActiveDirectory module ships with RSAT and is not available in Kali. The Get-GPO* cmdlets below additionally need the GroupPolicy module (also part of RSAT).
Domain controllers
powershell -c "Get-ADDomainController -Filter *|select hostname, site"
Organizational Units (OU)
powershell -c "Get-ADOrganizationalUnit -Filter 'ObjectGUID -eq \"REPLACEME\"' -Properties *"
Users
powershell -c "Get-ADUser -Filter 'ObjectGUID -eq \"REPLACEME\"' -Properties *"
Objects
powershell -c "Get-ADObject -Filter {name -eq 'REPLACEME'} -SearchBase 'DC=yourdomain,DC=com' -Properties *"
Group Policy Object (GPO)
Documentation for Get-GPO, Get-GPPermission (Microsoft)
powershell -c "Get-GPO -Name \"REPLACEME\""
powershell -c "Get-GPPermission -Name \"REPLACEME\" -All"
GPO Settings:
# Get the GPO report as an XML string and parse it
$GPOReport = Get-GPOReport -Name "GPO Name" -ReportType Xml
$GPOSettings = [xml]$GPOReport
# Each ExtensionData node is one client-side extension (Security, Registry, Scripts, ...);
# list which ones are configured on the Computer and User side
$GPOSettings.GPO.Computer.ExtensionData | Select-Object Name
$GPOSettings.GPO.User.ExtensionData | Select-Object Name
# Dump the raw settings of every Computer-side extension (the inner layout differs per extension type)
$GPOSettings.GPO.Computer.ExtensionData.Extension | ForEach-Object { $_.OuterXml }
GPO Report:
powershell -c "Get-GPOReport -Name \"REPLACEME\" -ReportType xml"
powershell -c "Get-GPOReport -Name \"REPLACEME\" -ReportType html"
ACL
Lists the ACEs on the GroupA object whose trustee is GroupB, i.e. what GroupB is allowed to do to GroupA (e.g. WriteProperty on member = add itself to the group).
powershell -c "([ADSI]\"LDAP://CN=GroupA,DC=example,DC=com\").ObjectSecurity.Access | Where-Object { $_.IdentityReference.Value -eq 'EXAMPLE\GroupB' }"
Manually using “net” commands
net user
net user /domain
net user "<username>" /domain
net group /domain
net group "<group name>" /domain
Domain’s account policy
net accounts
Enumerate SPNs
- Service Principal Names
- SPN Discovery (pentestlab)
A service principal name (SPN) is a unique identifier of a service instance. SPNs are used by Kerberos authentication to associate a service instance with a service logon account. This allows a client application to request that the service authenticate an account even if the client does not have the account name.
SPNs reveal the host name and, often, the port of services running on domain members (resolve the host to get the IP). Use Get-SPN.ps1, or the native setspn below.
Using setspn – already installed natively on Windows
All SPNs: a single wildcard LDAP query returning every SPN in the domain. DO NOT USE IN A REAL AD PROD ENVIRONMENT: the result set can be huge and this query is a well-known Kerberoasting precursor that defenders watch for.
setspn -T <domain> -Q */*
SPNs for specific account
setspn -L account
setspn -L domain\account
SPNs of a specific server
setspn -l servername
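As an added example (not part of the original cheatsheet), the parser below turns raw `setspn -Q */*` output into (account, service class, host, port) records, fills in the default port when the SPN omits it, and flags accounts that carry a HOST/ SPN as likely computer accounts, leaving the user/service accounts that are the usual Kerberoasting targets. The setspn output and the default-port table are constructed assumptions.

```python
import re
from typing import Dict, List

# Constructed sample output of `setspn -T example.com -Q */*` (not real data)
SETSPN_OUTPUT = """\
Checking domain DC=example,DC=com
CN=svc_sql,OU=Service Accounts,DC=example,DC=com
\tMSSQLSvc/sql01.example.com:1433
\tMSSQLSvc/sql01.example.com
CN=WEB01,OU=Servers,DC=example,DC=com
\tHTTP/web01.example.com
\tHOST/web01.example.com
\tHOST/WEB01
CN=svc_web,OU=Service Accounts,DC=example,DC=com
\tHTTP/intranet.example.com:8443

Existing SPN found!
"""

# Assumed default ports used when the SPN carries none (extend as needed)
DEFAULT_PORTS = {"MSSQLSvc": 1433, "HTTP": 80, "TERMSRV": 3389, "WSMAN": 5985, "ldap": 389}

# SPN syntax: serviceclass/host[:port][/servicename]
SPN_RE = re.compile(r"^(?P<cls>[^/]+)/(?P<host>[^:/]+)(?::(?P<port>\d+))?(?:/(?P<svc>.+))?$")


def parse_setspn(text: str) -> Dict[str, List[dict]]:
    """Map account DN -> list of {cls, host, port} parsed from setspn -Q output."""
    accounts: Dict[str, List[dict]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("Checking domain") or line.startswith("Existing SPN"):
            continue
        if not raw[0].isspace():          # un-indented line = the account's DN
            current = line
            accounts.setdefault(current, [])
            continue
        m = SPN_RE.match(line.strip())
        if m is None or current is None:
            continue                      # unknown layout, skip rather than guess
        cls = m.group("cls")
        port = int(m.group("port")) if m.group("port") else DEFAULT_PORTS.get(cls)
        accounts[current].append({"cls": cls, "host": m.group("host"), "port": port})
    return accounts


def likely_computer(spns: List[dict]) -> bool:
    """Heuristic: domain-joined machines always register HOST/ SPNs; plain user accounts do not."""
    return any(s["cls"].upper() == "HOST" for s in spns)


def kerberoast_candidates(accounts: Dict[str, List[dict]]) -> List[str]:
    """Accounts with SPNs that do not look like computer accounts."""
    return [dn for dn, spns in accounts.items() if spns and not likely_computer(spns)]


def service_endpoints(accounts: Dict[str, List[dict]]) -> List[str]:
    """Flat 'class host:port' list, deduplicated, for feeding a port scanner or host list."""
    seen = []
    for spns in accounts.values():
        for s in spns:
            ep = f"{s['cls']} {s['host']}:{s['port']}"
            if ep not in seen:
                seen.append(ep)
    return seen


if __name__ == "__main__":
    acc = parse_setspn(SETSPN_OUTPUT)
    print("Kerberoast candidates:", kerberoast_candidates(acc))
    for ep in service_endpoints(acc):
        print(ep)
```

Save the real output with `setspn -T <domain> -Q */* > spns.txt` and load it in place of the constructed string; the heuristic is only a first cut, so confirm candidates with an LDAP query on objectClass before roasting.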
LDAP Ping Enumeration
- LDAP Ping (Microsoft)
Use LDAP Nom Nom to anonymously brute-force Active Directory usernames against Domain Controllers by abusing LDAP ping requests (cLDAP, UDP/389): the DC answers with a different Netlogon opcode depending on whether the User in the filter exists, without any bind, lockout or authentication event.
MITRE ATT&CK: T1087.002 – Account Discovery: Domain Account
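As an added example (not LDAP Nom Nom's code, and not from the original page), the script below shows the exchange the technique abuses: it BER-encodes a cLDAP SearchRequest on the root DSE with the filter (&(DnsDomain=...)(NtVer=\06\00\00\00)(User=...)) requesting the Netlogon attribute, and decodes the DC's reply to read the Netlogon opcode, LOGON_SAM_LOGON_RESPONSE_EX (0x17) meaning the account exists versus LOGON_SAM_USER_UNKNOWN_EX (0x19) meaning it does not. The NtVer value 0x00000006 (V5 | V5EX) and the fake_response helper used for offline checking are assumptions constructed here; the opcode values come from MS-ADTS.

```python
import socket
from typing import List, Optional, Tuple

LOGON_SAM_LOGON_RESPONSE_EX = 0x17   # MS-ADTS 6.3.1.2: account exists
LOGON_SAM_USER_UNKNOWN_EX = 0x19     # MS-ADTS 6.3.1.2: account does not exist


# --- minimal BER encoder: just enough for an LDAP SearchRequest ---
def _ber_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(content)) + content


def ber_int(v: int) -> bytes:
    n = max(1, (v.bit_length() + 8) // 8)    # keep the sign bit clear (non-negative only)
    return tlv(0x02, v.to_bytes(n, "big"))


def equality(attr: str, value: bytes) -> bytes:
    # Filter CHOICE equalityMatch [3] AttributeValueAssertion {attributeDesc, assertionValue}
    return tlv(0xA3, tlv(0x04, attr.encode()) + tlv(0x04, value))


def build_ldap_ping(domain: str, username: str, msg_id: int = 1) -> bytes:
    """LDAPMessage { messageID, SearchRequest [APPLICATION 3] } for an LDAP ping with a User filter."""
    flt = tlv(0xA0,                                       # and [0] SET OF Filter
              equality("DnsDomain", domain.encode())
              + equality("NtVer", (0x00000006).to_bytes(4, "little"))   # assumed V5|V5EX
              + equality("User", username.encode()))
    search = tlv(0x63,
                 tlv(0x04, b"")            # baseObject: root DSE
                 + tlv(0x0A, b"\x00")      # scope: baseObject
                 + tlv(0x0A, b"\x00")      # derefAliases: neverDerefAliases
                 + ber_int(0) + ber_int(0)  # sizeLimit, timeLimit
                 + tlv(0x01, b"\x00")      # typesOnly: FALSE
                 + flt
                 + tlv(0x30, tlv(0x04, b"Netlogon")))   # attributes: Netlogon
    return tlv(0x30, ber_int(msg_id) + search)


# --- minimal BER decoder: splits a byte string into (tag, content) TLVs ---
def ber_decode(data: bytes) -> List[Tuple[int, bytes]]:
    out, i = [], 0
    while i < len(data):
        tag, ln, i = data[i], data[i + 1], i + 2
        if ln & 0x80:                                    # long-form length
            n = ln & 0x7F
            ln, i = int.from_bytes(data[i:i + n], "big"), i + n
        out.append((tag, data[i:i + ln]))
        i += ln
    return out


def netlogon_opcode(datagram: bytes) -> Optional[int]:
    """Pull the 16-bit little-endian opcode from the Netlogon attribute of a SearchResultEntry."""
    for tag, msg in ber_decode(datagram):               # one or more LDAPMessages per datagram
        if tag != 0x30:
            continue
        for ptag, op in ber_decode(msg):
            if ptag != 0x64:                              # SearchResultEntry [APPLICATION 4]
                continue
            _dn, attrs = ber_decode(op)[:2]
            for _t, attr in ber_decode(attrs[1]):         # PartialAttribute {type, vals SET}
                atype, vals = ber_decode(attr)[:2]
                if atype[1].lower() == b"netlogon":
                    return int.from_bytes(ber_decode(vals[1])[0][1][:2], "little")
    return None


def user_exists(opcode: Optional[int]) -> Optional[bool]:
    if opcode == LOGON_SAM_LOGON_RESPONSE_EX:
        return True
    if opcode == LOGON_SAM_USER_UNKNOWN_EX:
        return False
    return None                                           # no/unexpected Netlogon reply


def ldap_ping(dc: str, domain: str, username: str, timeout: float = 2.0) -> Optional[bool]:
    """Send one LDAP ping to a DC over UDP/389 (network call; not exercised offline)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.sendto(build_ldap_ping(domain, username), (dc, 389))
        data, _ = s.recvfrom(65535)
    except socket.timeout:
        return None
    finally:
        s.close()
    return user_exists(netlogon_opcode(data))


def fake_response(opcode: int, msg_id: int = 1) -> bytes:
    """Constructed stand-in for a DC reply (SearchResultEntry + SearchResultDone) for offline testing."""
    blob = opcode.to_bytes(2, "little") + b"\x00" * 6     # Opcode, Sbz, Flags; only Opcode is read
    entry = tlv(0x64, tlv(0x04, b"") + tlv(0x30, tlv(0x30, tlv(0x04, b"Netlogon") + tlv(0x31, tlv(0x04, blob)))))
    done = tlv(0x65, ber_int(0) + tlv(0x04, b"") + tlv(0x04, b""))
    return tlv(0x30, ber_int(msg_id) + entry) + tlv(0x30, ber_int(msg_id) + done)
```

Looping `ldap_ping(dc, domain, name)` over a wordlist is the whole brute-force; a `True` is a confirmed username, `False` a miss, and `None` means the DC did not answer (rate-limit or filter). Nothing here binds or authenticates, which is why the requests do not show up as failed logons.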
Certipy-AD
See Certipy for Active Directory Certificate Services (ADCS) enumeration that can be imported into BloodHound.