A Glimpse to AD Enumeration - blackgem


Thursday, November 24, 2022

A Glimpse to AD Enumeration

 
 
 

 
One of the first steps on a red team attack path is to build a footprint of the domain you are about to target. Here I show you a handful of commands, most of them PowerShell, that you can use to start enumerating Active Directory and that help me get to know the environment I am working in.


At this point I am assuming that you know what Microsoft Active Directory is and that you have at least a grasp of PowerShell, so let's start.

 
A directory is a hierarchical structure that stores information about objects on the network. A directory service, such as Active Directory Domain Services (AD DS), provides the methods for storing directory data and making this data available to network users and administrators. For example, AD DS stores information about user accounts, such as names, passwords, phone numbers, and so on, and enables other authorized users on the same network to access this information.
 
 
Active Directory Components

Active Directory stores information about everything as objects.
 
Schema - Defines objects and their attributes
Query and index mechanism - Provides searching and publication of objects and their properties
Global Catalog - Contains information about every object in the directory
Replication Service - Distributes information across domain controllers

Active Directory Structure

Forests, domains and organizational units (OUs) are the basic building blocks of any Active Directory structure.
 
Forest - The security boundary; a forest may contain multiple domains, and each domain may contain multiple OUs.
Domain - A partition of the directory that contains sufficient data to provide domain services and replicates that data between its domain controllers.
OU - A container used to represent an organization whose resources are logically separate from the resources of other, similar organizations.
 
 


Network Enumeration


List all network interfaces, IP addresses and DNS servers
  • ipconfig /all : All information about the Windows IP configuration, Wireless LAN and Ethernet adapters
  • Get-NetIPConfiguration : Displays the InterfaceAlias, InterfaceDescription and IPv4Address details per interface
  • Get-DnsClientServerAddress : Lists the DNS servers configured on each interface (use -AddressFamily to filter IPv4 or IPv6)

List the current routing table
  • route print : Prints the Interface List, the IPv4 Route Table and the IPv6 Route Table
  • Get-NetRoute -AddressFamily IPv4 : Shows the DestinationPrefix, NextHop, RouteMetric, ifMetric and PolicyStore

List the ARP table
  • arp -A : Prints the ARP (Address Resolution Protocol) cache, showing each IP address with its corresponding MAC address
  • Get-NetNeighbor -AddressFamily IPv4 : Shows the ifIndex, IPAddress, LinkLayerAddress, State and PolicyStore


List all current connections
  • netstat -ano : Lists all open ports and active connections numerically, including the owning process ID

List firewall state and current configuration
  • netsh firewall show state : Shows the current state and details of the firewall
  • netsh firewall show config : Shows the current configuration of the firewall
  (the netsh firewall context is deprecated; netsh advfirewall show allprofiles is the modern equivalent)

List the firewall's blocked rules
 
$f=New-Object -ComObject HNetCfg.FwPolicy2;$f.rules | where {$_.action -eq "0"} | select name,applicationname,localports
 
Action 0 is the Block action, so if no blocking rules exist the command returns no results. The applicationname column shows the blocked applications.
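As an added example (not from the original post), the same enumeration written out as two functions: one decodes the COM action value the one-liner relies on, the other uses the NetSecurity cmdlets (Get-NetFirewallRule and its filter cmdlets, available from Windows 8 / Server 2012), which need a separate join to get ports and programs per rule. Function names are my own.

```powershell
# Added example, not from the original post: enumerate enabled Block rules two ways
# and show what the "action -eq 0" in the one-liner above actually means.

# HNetCfg.FwPolicy2 exposes rule.Action as NET_FW_ACTION_: 0 = Block, 1 = Allow.
$ActionName = @{ 0 = 'Block'; 1 = 'Allow' }

function Get-BlockedRulesCom {
    # Same COM interface the one-liner uses, with the enum decoded and disabled rules dropped.
    $policy = New-Object -ComObject HNetCfg.FwPolicy2
    $policy.Rules |
        Where-Object { $_.Action -eq 0 -and $_.Enabled } |
        ForEach-Object {
            [pscustomobject]@{
                Name        = $_.Name
                Action      = $ActionName[[int]$_.Action]
                Direction   = $(if ($_.Direction -eq 1) { 'Inbound' } else { 'Outbound' })
                Application = $_.ApplicationName
                LocalPorts  = $_.LocalPorts
                Profiles    = $_.Profiles   # bitmask: 1 Domain, 2 Private, 4 Public
            }
        }
}

function Get-BlockedRulesNetSecurity {
    # NetSecurity module: ports and programs live in separate filter objects,
    # so each one has to be joined back to its rule.
    Get-NetFirewallRule -Action Block -Enabled True | ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $app  = $_ | Get-NetFirewallApplicationFilter
        [pscustomobject]@{
            Name        = $_.DisplayName
            Direction   = $_.Direction
            Protocol    = $port.Protocol
            LocalPorts  = ($port.LocalPort -join ',')
            Application = $app.Program
            Profiles    = $_.Profile
        }
    }
}

Get-BlockedRulesCom | Format-Table -AutoSize
Get-BlockedRulesNetSecurity | Format-Table -AutoSize
```

Comparing the two outputs is a quick sanity check that the legacy COM view and the NetSecurity view of the policy agree on the host you are looking at.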

 
Disable firewall
  • netsh advfirewall export "c:\advfirewallpolicy.wfw" : Exports the current firewall policy to a specific path (keep this backup so the policy can be restored with netsh advfirewall import)
  • netsh advfirewall set allprofiles state off : Turns off the firewall for all profiles (requires Run as administrator)
  • netsh advfirewall show allprofiles : Verifies that Windows Firewall is off for all network profiles

List all network shares
  • net share : enumerates network shares

SNMP Configuration
  • reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SNMP /s : Dumps the Simple Network Management Protocol (SNMP) service settings; each SNMP trap destination has its own key, named after the community, under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SNMP\Parameters\TrapConfiguration

 
Users Enumeration
 
Get current username
  • echo %USERNAME% or whoami : from a cmd prompt
  • $env:USERNAME : from PowerShell

List user privileges
  • whoami /priv : Shows the privileges of the current user
  • whoami /groups : Shows which groups my user is a member of

List all users
  • net user : Shows all user accounts (local accounts by default; add /domain for domain accounts)
  • whoami /all : Displays user, group and privilege information for the user who is currently logged on to the local system
  • Get-LocalUser : Gets the local user accounts
  • Get-ChildItem C:\Users -Force | select Name : Lists the profile folders under C:\Users, which shows which accounts have logged on to this machine

List logon requirements; usable for brute-forcing
  • net accounts : Policy settings on the local computer, such as account policies and password policies
 
Get details about a user
  • net user administrator : Shows the details of the administrator user
  • net user krbtgt : Gets details about the account used by Microsoft's implementation of Kerberos, the default Windows authentication protocol

List all local groups
  • net localgroup : Displays the local groups

Get details about a group
  • net localgroup administrators : Displays the members of the administrators group
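Added example, not from the original post: the Get-LocalUser and net localgroup checks above combined into one report of who can log on to the host and who is a local administrator, which is the view a defender reviewing a machine wants. It assumes the built-in LocalAccounts module (Windows 10 / Server 2016 and later); the function names and the 90-day stale threshold are my own choices.

```powershell
# Added example, not from the original post: combine the local user and
# Administrators-group checks into one account report.
# Assumes the built-in LocalAccounts module (Windows 10 / Server 2016 and later).

function Get-LocalAccountReport {
    param([int]$StaleDays = 90)   # threshold chosen for this example

    $admins = Get-LocalGroupMember -Group 'Administrators'
    $cutoff = (Get-Date).AddDays(-$StaleDays)

    Get-LocalUser | ForEach-Object {
        # Local members are reported as COMPUTERNAME\user
        $isAdmin = $admins.Name -contains "$env:COMPUTERNAME\$($_.Name)"
        [pscustomobject]@{
            Name                 = $_.Name
            Enabled              = $_.Enabled
            LocalAdmin           = $isAdmin
            PasswordRequired     = $_.PasswordRequired
            PasswordLastSet      = $_.PasswordLastSet
            LastLogon            = $_.LastLogon
            # Enabled account that has not logged on within the threshold (or ever)
            Stale                = $_.Enabled -and (-not $_.LastLogon -or $_.LastLogon -lt $cutoff)
            # PasswordExpires is null when the password is set to never expire
            PasswordNeverExpires = $_.Enabled -and -not $_.PasswordExpires
        }
    }
}

function Get-DomainAdminsOnHost {
    # Members of the local Administrators group that come from Active Directory
    # (users or groups): the accounts whose access to this host AD controls.
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $_.PrincipalSource -eq 'ActiveDirectory' } |
        Select-Object Name, ObjectClass, PrincipalSource
}

Get-LocalAccountReport | Format-Table -AutoSize
Get-DomainAdminsOnHost | Format-Table -AutoSize
```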

 
Let me know if this has been useful to you and if you want to add more. 
