Active Directory Introduction & Enumeration

Introduction

Active Directory Domain Services, often referred to as Active Directory (AD), is a service that allows system administrators to update and manage operating systems, applications, users, and data access on a large scale.
From a penetration tester's perspective, Active Directory is very interesting as it typically contain a wealth of information.

Active Directory Introduction

While Active Directory itself is a service, it also acts as a management layer.
AD contains critical information about the environment, storing information about users, groups, and computers, each referred to as objects.
The first step in configuring an instance of AD is to create a domain name such as corp.com in which corp is often the name of the organization itself. Within this domain, administrators can add various types of objects that are associated with the organization such as computers, users, and group objects.
An AD environment has a critical dependency on the Domain Name System (DNS) service. As such, a typical domain controller will also host a DNS server that is authoritative for a given domain.
To ease the management of various objects and assist with management, system administrators often organize these objects into Organizational Units (OUs).
OUs are comparable to file system folders in that they are containers used to store objects within the domain.
Computer objects represent actual servers and workstations that are domain-joined (part of the domain), and user objects represent accounts that can be used to log in to the domain-joined computers.
All AD objects contain attributes, which will vary depending on the type of object. For example, a user object may include attributes such as first name, last name, username, phone number, etc.
AD relies on several components and communication services. For example, when a user attempts to log in to the domain, a request is sent to a Domain Controller (DC), which checks whether or not the user is allowed to log in to the domain.
One or more DCs act as the hub and core of the domain, storing all OUs, objects, and their attributes.
Objects can be assigned to AD groups so that administrators can manage those object as a single unit. For example, users in a group could be given access to a file server share or given administrative access to various clients in the domain.
Members of Domain Admins are among the most privileged objects in the domain. If an attacker compromises a member of this group (often referred to as domain administrators), they essentially gain complete control over the domain.
This attack vector could extend beyond a single domain since an AD instance can host more than one domain in a domain tree or multiple domain trees in a domain forest.
While there is a Domain Admins group for each domain in the forest, members of the Enterprise Admins group are granted full control over all the domains in the forest and have Administrator privilege on all DCs. This is obviously a high-value target for an attacker.

Active Directory Enumeration

once we start performing attacks and we are able to gain access to additional users and computers, we may have to repeat parts of the enumeration process from the new standpoint. This perspective shift (or pivot) is critical during the enumeration process considering the complexity of permissions across the domain. Each pivot may give us an opportunity to advance our attack.
For example, if we gain access to another low-privileged user account that seems to have the same access as the user we already have, we shouldn't simply dismiss it. Instead, we should always repeat our enumeration with that new account since administrators often grant individual users increased permissions based on their unique role in the organization. This persistent "rinse and repeat" process is the key to successful enumeration and works extremely well, especially in large organizations.

Manual Enumeration

AD contains so much information that it can be hard to determine where to start enumerating. But since every AD installation fundamentally contains users and groups, we'll start there.
To start gathering user information, we will use net.exe, which is installed by default on all Windows operating systems. While we can use this tool to enumerate local accounts on the machine, we'll instead use /domain to print out the users in the domain. (net user /domain)
The output from this command will vary depending on the size of the organization. Armed with a list of users, we can now query information about individual users. (Administrators often have a tendency to add prefixes or suffixes to usernames that identify accounts by their function, i.e. ADM/IT/SALES/etc..) We can take this into consideration when enumerating (net user <User Name> /domain)
Take note of the Global Group Memberships (If for example, the user is in the Domain Admins group)
We can also enumerate the groups of a domain using net group /domain
We can enumerate the groups further using net group "<Group Name>" /domain

PreviousThe Metasploit Framework NextAttacking Active Directory Authentication

Last updated 3 months ago

Introduction

Active Directory Domain Services, often referred to as Active Directory (AD), is a service that allows system administrators to update and manage operating systems, applications, users, and data access on a large scale.

From a penetration tester's perspective, Active Directory is very interesting as it typically contain a wealth of information.

Active Directory Introduction

While Active Directory itself is a service, it also acts as a management layer.

AD contains critical information about the environment, storing information about users, groups, and computers, each referred to as objects.

The first step in configuring an instance of AD is to create a domain name such as corp.com in which corp is often the name of the organization itself. Within this domain, administrators can add various types of objects that are associated with the organization such as computers, users, and group objects.

An AD environment has a critical dependency on the Domain Name System (DNS) service. As such, a typical domain controller will also host a DNS server that is authoritative for a given domain.

To ease the management of various objects and assist with management, system administrators often organize these objects into Organizational Units (OUs).

OUs are comparable to file system folders in that they are containers used to store objects within the domain.

Computer objects represent actual servers and workstations that are domain-joined (part of the domain), and user objects represent accounts that can be used to log in to the domain-joined computers.

All AD objects contain attributes, which will vary depending on the type of object. For example, a user object may include attributes such as first name, last name, username, phone number, etc.

AD relies on several components and communication services. For example, when a user attempts to log in to the domain, a request is sent to a Domain Controller (DC), which checks whether or not the user is allowed to log in to the domain.

One or more DCs act as the hub and core of the domain, storing all OUs, objects, and their attributes.

Objects can be assigned to AD groups so that administrators can manage those object as a single unit. For example, users in a group could be given access to a file server share or given administrative access to various clients in the domain.

Members of Domain Admins are among the most privileged objects in the domain. If an attacker compromises a member of this group (often referred to as domain administrators), they essentially gain complete control over the domain.

This attack vector could extend beyond a single domain since an AD instance can host more than one domain in a domain tree or multiple domain trees in a domain forest.

While there is a Domain Admins group for each domain in the forest, members of the Enterprise Admins group are granted full control over all the domains in the forest and have Administrator privilege on all DCs. This is obviously a high-value target for an attacker.

Active Directory Enumeration

once we start performing attacks and we are able to gain access to additional users and computers, we may have to repeat parts of the enumeration process from the new standpoint. This perspective shift (or pivot) is critical during the enumeration process considering the complexity of permissions across the domain. Each pivot may give us an opportunity to advance our attack.

For example, if we gain access to another low-privileged user account that seems to have the same access as the user we already have, we shouldn't simply dismiss it. Instead, we should always repeat our enumeration with that new account since administrators often grant individual users increased permissions based on their unique role in the organization. This persistent "rinse and repeat" process is the key to successful enumeration and works extremely well, especially in large organizations.

Manual Enumeration

AD contains so much information that it can be hard to determine where to start enumerating. But since every AD installation fundamentally contains users and groups, we'll start there.

To start gathering user information, we will use net.exe, which is installed by default on all Windows operating systems. While we can use this tool to enumerate local accounts on the machine, we'll instead use /domain to print out the users in the domain. (net user /domain)

The output from this command will vary depending on the size of the organization. Armed with a list of users, we can now query information about individual users. (Administrators often have a tendency to add prefixes or suffixes to usernames that identify accounts by their function, i.e. ADM/IT/SALES/etc..) We can take this into consideration when enumerating (net user <User Name> /domain)

Take note of the Global Group Memberships (If for example, the user is in the Domain Admins group)

We can also enumerate the groups of a domain using net group /domain

We can enumerate the groups further using net group "<Group Name>" /domain