
1.1 Enum the AD

Introduction

Active Directory allows network administrators to manage domains, users, and objects in a network. As the network grows, AD provides a way to organize a large number of users into logical groups and subgroups, offering access control at each level.

Active Directory enumeration, on the other hand, is the process of extracting information from AD.

TL;DR: In this blog, you will gain some knowledge about Active Directory and its services. You will also learn about Active Directory enumeration using ADModule.

Overview

Active Directory (AD) is Microsoft’s proprietary directory service that runs on Windows Server. AD allows administrators to manage permissions and access to network resources.

In AD, data is stored as objects, where an object is a single element (such as an application or a user group) or a device (such as a printer). The main role of AD is Domain Services, which keeps the directory information and handles the interaction between users and the domain.

Goal

The main purpose of Active Directory security assessments is to identify misconfigurations in the domain that could help an attacker obtain improper privileges and harm internal assets.

Important Active Directory components

Domain : The domain is foundational for Active Directory. In all versions of Windows, the domain is the key administrative component that most administrators deal with day in and day out.

Object : An object is a single element, such as a user, group, application or device (such as a printer), as mentioned before.

Tree : A group of domains that share the same root.

Forest : The forest is the highest level of the organization hierarchy. It is composed of a group of trees, and these trees contain domains.

Brief

Source : https://www.pcwdld.com/active-directory-guide

Containers

Domain container : serves as the root container of the hierarchy

Built-in container : holds the default service administrator accounts

Users container : the default location for new user accounts and groups created in the domain

ADSI

Active Directory services

Domain Services : Stores centralized data and manages communication between users and domains.

Certificate Services : Manages secure certificates

Lightweight Directory Services : Supports directory-enabled applications using LDAP

Directory Federation Services : Provides single sign-on (SSO)

Rights Management : Protects copyrighted information

DNS service : Used to resolve domain names for internal users

Why is enumeration the most important phase in an AD security assessment?

There is a saying, “More enumeration = More impact”. Our goal is to gather as much information as we can to reach the highest impact when simulating adversary attacks.

Gathering Domain information

Before starting we need to set up ADModule. This repo describes everything: https://github.com/samratashok/ADModule

In this blog we will use ADModule because it is signed by Microsoft and won’t be flagged as a malicious module.

Get Current Domain : Get-ADDomain

Get Other Domain : Get-ADDomain -Identity foo.local

The screenshot shows the current domain objects that we will need in some attacks.

[Screenshot: output of Get-ADDomain]

What if I don’t want all that information and want to filter it?

For example, let’s select only the domain SID : Get-ADDomain | Select DomainSID


Groups Enumeration

Get all group names : Get-ADGroup -Filter * | select Name [ Using select here to focus on the group name, because the command’s output contains a lot of information and we only need the group names ]


Get group properties : Get-ADGroup -Filter * -Properties *


Get a specific group : Get-ADGroup -Filter 'Name -like "Administrators"'


To get members of a specific group : Get-ADGroupMember -Identity "Domain Admins" -Recursive


To get group memberships of a user : Get-ADPrincipalGroupMembership -Identity m19o
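Added example (not code from the original post): the two membership cmdlets above, combined into a review of high-privilege groups that shows who holds privilege only through a nested group. It assumes the ActiveDirectory cmdlets are already loaded (RSAT, or ADModule imported as its README describes) and that the group names below exist in the domain.

```powershell
# Compare direct and effective (recursive) membership of privileged groups.
# Assumption: the ActiveDirectory cmdlets (Get-ADGroup, Get-ADGroupMember) are loaded.
$PrivilegedGroups = @(
    'Domain Admins', 'Enterprise Admins', 'Schema Admins',
    'Administrators', 'Account Operators', 'Backup Operators'
)

$Report = foreach ($GroupName in $PrivilegedGroups) {
    $Group = Get-ADGroup -Filter "Name -eq '$GroupName'" -ErrorAction SilentlyContinue
    if (-not $Group) { Write-Warning "Group '$GroupName' not found"; continue }

    # Direct members may be users, computers or other groups ...
    $Direct = @(Get-ADGroupMember -Identity $Group)
    # ... whereas -Recursive flattens the nesting and returns only leaf objects.
    $Effective = @(Get-ADGroupMember -Identity $Group -Recursive)

    $DirectDNs = $Direct.distinguishedName
    # Users that are effective members but not direct members only hold the
    # privilege through a nested group; these are the ones worth a second look.
    $Indirect = @($Effective | Where-Object {
        $_.objectClass -eq 'user' -and $_.distinguishedName -notin $DirectDNs
    })

    [pscustomobject]@{
        Group          = $GroupName
        DirectMembers  = $Direct.Count
        EffectiveUsers = @($Effective | Where-Object objectClass -eq 'user').Count
        NestedGroups   = (@($Direct | Where-Object objectClass -eq 'group').Name -join ', ')
        IndirectUsers  = ($Indirect.SamAccountName -join ', ')
    }
}

$Report | Format-Table -AutoSize
```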


Group Policy

For Group Policy enumeration we will use the built-in module called GroupPolicy.

Listing all GPOs : Get-GPO -All


Generating a report of the resultant set of policy : Get-GPResultantSetOfPolicy -ReportType Html -Path C:\Users\Magdy\Desktop\report.html


This is what the report looks like :

[Screenshot: the generated HTML report]

Users

To get all users in the domain : Get-ADUser -Filter * -Properties *

To get a specific user : Get-ADUser -Identity <NAME> -Properties *


To get a specific property like pwdLastSet (when the password was last changed) : Get-ADUser -Filter * -Properties * | select name,@{Name='PwdLastSet';Expression={[datetime]::fromFileTime($_.pwdlastset)}}
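Added example (not code from the original post): the pwdLastSet conversion above turned into a password-age review. It handles the edge case the one-liner does not: pwdLastSet is a Windows FILETIME and a value of 0 means "must change password at next logon", which FromFileTime would otherwise show as 1601-01-01. It assumes the ActiveDirectory cmdlets are loaded; the 90-day threshold is an assumed policy value.

```powershell
# Password-age review of enabled accounts.
# Assumptions: ActiveDirectory cmdlets loaded; $MaxAgeDays matches the domain's policy.
$MaxAgeDays = 90
$Cutoff     = (Get-Date).AddDays(-$MaxAgeDays)

Get-ADUser -Filter 'Enabled -eq $true' -Properties pwdLastSet, PasswordNeverExpires, LastLogonDate |
    ForEach-Object {
        # pwdLastSet = 0 means the password must be changed at next logon;
        # converting 0 with FromFileTime would yield 1601-01-01, so keep it $null.
        $pwdSet = if ($_.pwdLastSet -gt 0) { [datetime]::FromFileTime($_.pwdLastSet) } else { $null }

        $Finding = if ($null -eq $pwdSet) { 'MustChangeAtNextLogon' }
        elseif ($_.PasswordNeverExpires)  { 'PasswordNeverExpires' }
        elseif ($pwdSet -lt $Cutoff)      { "OlderThan${MaxAgeDays}Days" }
        else                              { $null }

        [pscustomobject]@{
            SamAccountName       = $_.SamAccountName
            PasswordLastSet      = $pwdSet
            PasswordNeverExpires = $_.PasswordNeverExpires
            LastLogonDate        = $_.LastLogonDate
            Finding              = $Finding
        }
    } |
    Where-Object Finding |          # keep only accounts with a finding
    Sort-Object PasswordLastSet |
    Format-Table -AutoSize
```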


Computers

To get the computer accounts : Get-ADComputer -Filter *


OUs

Organizational units (OUs) : In an Active Directory Domain Services (AD DS) managed domain, OUs let you logically group objects such as user accounts, service accounts, or computer accounts. You can then assign administrators to specific OUs and apply Group Policy to enforce targeted configuration settings.

List OUs of the current domain : Get-ADOrganizationalUnit -Filter * -Properties *


ACLs

ACL : An access control list (ACL) is a list of access control entries (ACEs). Not all users or computers require access to all the objects and files in the network. This limitation of access exists for security reasons: critical resources could be misused if a user in the environment turns rogue or a computer is breached. This is where an access control list (ACL) comes into play.

Types of ACLs :

DACL : A discretionary access control list (DACL) identifies the trustees that are allowed or denied access to a securable object. When a process tries to access a securable object, the system checks the ACEs in the object’s DACL to determine whether to grant access. If the object does not have a DACL, the system grants full access to everyone.

SACL : A system access control list (SACL) enables administrators to log attempts to access a secured object. Each ACE specifies the types of access attempts by a specified trustee that cause the system to generate a record in the security event log. An ACE in a SACL can generate audit records when an access attempt fails, when it succeeds, or both.

To get all ACEs of a user object : (Get-ACL "AD:$((Get-ADUser Twon.of.An).distinguishedname)").access
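Added example (not code from the original post): the one-liner above wrapped into a function that reviews a user object's DACL the way an assessment would, keeping only Allow entries that grant write-level rights, or the reset-password extended right, to principals other than the expected administrative ones. It assumes the ActiveDirectory cmdlets and the AD: drive are loaded; Get-SuspiciousUserAce is a hypothetical name and the $Expected pattern is an assumed baseline.

```powershell
# Surface DACL entries on a user object that an assessment should question.
# Assumptions: ActiveDirectory cmdlets and the AD: drive are loaded.
function Get-SuspiciousUserAce {
    param([Parameter(Mandatory)][string]$Identity)

    $dn  = (Get-ADUser -Identity $Identity).DistinguishedName
    $acl = Get-Acl -Path "AD:$dn"

    # Principals expected to control any user object (assumed baseline)
    $Expected = '^(NT AUTHORITY\\SYSTEM|BUILTIN\\Administrators|.+\\(Domain Admins|Enterprise Admins))$'
    # Rights that allow changing the object or its security descriptor
    $WriteRights = 'GenericAll|GenericWrite|WriteDacl|WriteOwner|WriteProperty|ExtendedRight'
    # Well-known GUID of the User-Force-Change-Password extended right
    $ForceChangePassword = [guid]'00299570-246d-11d0-a768-00aa006e0529'

    # The owner can always rewrite the DACL, so report it first
    [pscustomobject]@{ Object = $dn; Trustee = $acl.Owner; Rights = 'Owner'; Inherited = $false; Finding = 'ObjectOwner' }

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.IdentityReference.Value -match $Expected) { continue }
        if ($ace.ActiveDirectoryRights -notmatch $WriteRights) { continue }

        # A bare ExtendedRight only matters for the reset-password right
        # or when it covers all extended rights (ObjectType = empty GUID)
        if ($ace.ActiveDirectoryRights -eq 'ExtendedRight' -and
            $ace.ObjectType -ne $ForceChangePassword -and
            $ace.ObjectType -ne [guid]::Empty) { continue }

        $finding = if ($ace.ObjectType -eq $ForceChangePassword) { 'ResetPassword' } else { 'WriteAccess' }

        [pscustomobject]@{
            Object    = $dn
            Trustee   = $ace.IdentityReference.Value
            Rights    = $ace.ActiveDirectoryRights.ToString()
            Inherited = $ace.IsInherited
            Finding   = $finding
        }
    }
}

Get-SuspiciousUserAce -Identity 'Twon.of.An' | Format-Table -AutoSize
```

Default entries from the schema (for example NT AUTHORITY\SELF, Account Operators or Cert Publishers) will also appear; compare the output against a freshly created user to separate those defaults from custom grants.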



Conclusion

Today you won’t find a company that doesn’t use Active Directory, and day-to-day environments keep getting more complex. Through this blog, as a system administrator or a security consultant, you will be able to perform Active Directory enumeration.

This post is licensed under CC BY 4.0 by the author.