Active Directory Enumeration & Attacks (TBC)
Introduction
Active Directory (AD) is a prime target during internal network penetration tests. In this guide, we cover common enumeration techniques and attacks—such as LLMNR/NBT-NS poisoning and password spraying—and provide remediation steps to secure your environment. Even if you can’t find an obvious remote exploit, being inside an AD network can offer multiple ways to gain a foothold.
Initial Domain Enumeration
Identifying Hosts
Passive Listening: Use tools like Wireshark, tcpdump, or Responder (in analyze mode) to monitor network traffic and list active hosts without sending spoofed packets.
Active Scanning: Perform an ICMP sweep of the subnet with tools like fping, which quickly pings multiple hosts. Once you have a list of active hosts, use Nmap for further enumeration.
Identifying Users
After discovering hosts, the next step is to enumerate domain users.
If you’re inside the domain, tools like Kerbrute can make use of Kerberos pre-authentication failures (often unlogged) to identify valid accounts. Precompiled user lists (for example, files from Insidetrust or the Statistically-Likely-Usernames repository) can be used as a wordlist for this type of attack.
Gaining Foothold
LLMNR/NBT-NS Poisoning
LLMNR (Link-Local Multicast Name Resolution) and NBT-NS (NetBIOS Name Service) are fallback name resolution methods when DNS fails. The risk is that any host on the network can respond to these requests.
Attack Flow Example
A user attempts to connect to a host (e.g., \\print01.inlanefreight.local) but mistypes it as \\printer01.inlanefreight.local.
The DNS server fails to resolve the name.
The request is broadcast over the local network.
Responder (or similar tools) replies, spoofing the requested hostname.
The victim sends an authentication request (with username and NTLMv2 hash) to the attacker.
The hash can be cracked offline or relayed in an SMB Relay attack.
Run Responder (or similar tools like Inveigh or Metasploit) in the background during other enumeration tasks to capture as many hashes as possible. You can then pass these hashes to Hashcat (using mode 5600 for NTLMv2) for offline cracking.
Password Spraying
Password spraying involves attempting one commonly used password across a list of usernames. By limiting login attempts per account, you reduce the chance of triggering account lockouts compared to traditional brute-force methods. However, always introduce a delay between attempts to minimize the risk of lockouts.
Enumerating & Retrieving Password Policies
Even without credentials, you might obtain the domain password policy using an SMB NULL session or an LDAP anonymous bind.
SMB NULL Sessions: A NULL session allows an unauthenticated attacker to retrieve information such as user listings, groups, computers, account attributes, and the password policy. Tools such as enum4linux, CrackMapExec, or rpcclient can help. This check isn't usually run from Windows, but you can still test for a NULL session from a Windows host using:
net use \\host\ipc$ "" /u:""
LDAP Anonymous Binds: Use tools like windapsearch.py, ldapsearch, or ad-ldapdomaindump.py to pull the password policy. While ldapsearch might be a bit cumbersome, it’s effective.
If you have domain credentials, built-in Windows tools (like net.exe) or tools such as PowerView, CrackMapExec for Windows, SharpMapExec, and SharpView can retrieve this information.
Always maintain a detailed log of your activities, including:
Targeted accounts
Domain Controller used
Time and date of attempts
Password(s) attempted
This record helps prevent duplicated efforts and assists in correlating your tests with client logs if account lockouts or suspicious activity occur.
Making a Target User List
Using SMB NULL Sessions or LDAP Anonymous Binds: Tools like enum4linux, rpcclient, and CrackMapExec can help compile a complete list of domain users.
If those methods aren’t available, consider using Kerbrute for username enumeration. You can also gather partial user lists from external sources such as email harvesting or LinkedIn.
Conducting The Attack
On Linux, rpcclient is a solid option. Keep in mind that a successful login isn't always obvious; a response containing "Authority Name" typically indicates success, so filtering the output for "Authority" helps distinguish valid attempts. Alternatives like Kerbrute and CrackMapExec can also be used for password spraying.
Once you obtain a valid hit, use CrackMapExec to validate the credentials against a Domain Controller.
For domain-joined Windows hosts, the DomainPasswordSpray tool can be used. It automatically generates a user list from Active Directory, queries the domain password policy, and avoids accounts that are close to locking out.
Local Administrator Password Reuse
If you gain administrative access and obtain the NTLM hash or cleartext password for the local administrator (or another privileged account), you can attempt to reuse that credential across multiple hosts, a common scenario due to widespread local administrator password reuse.
CrackMapExec is very effective for this purpose. It’s especially useful when targeting high-value hosts (such as SQL or Microsoft Exchange servers) where privileged users might be logged in or their credentials are stored in memory.
In cases where you only retrieve the NTLM hash from the local SAM database, you can spray the hash across entire subnets to find other hosts with the same password.
Credentialed Enumeration
Once you’ve gained a foothold in the domain with low-privilege credentials, you can use those credentials to dig deeper into the environment.
The goal is to map out the domain, identifying users, groups, hosts, shares, and other critical assets, to later determine potential paths for privilege escalation.
Below are lists of methods and tools for both Linux and Windows attack hosts.
Linux Tools
CrackMapExec (CME): CrackMapExec is a Swiss-army knife for interacting with Windows environments from Linux. You can use it to perform a variety of enumeration tasks, such as scanning a subnet for live hosts, retrieving a list of users, or checking share permissions.
SMBMap: SMBMap is ideal when you need a quick overview of available shares and their permissions. This tool helps identify shares that may hold sensitive data or be ripe for further exploitation.
Impacket Suite (psexec.py & wmiexec.py): The Impacket suite is another versatile toolkit that offers a variety of tools.
psexec.py:
Remotely execute commands by creating a service on the target system
Provide an interactive shell with SYSTEM privileges on the remote host
wmiexec.py:
Execute commands via Windows Management Instrumentation (WMI)
Operate with fewer logs and no dropped files, making it a more stealthy option
rpcclient: While rpcclient is more specialized, it offers extended functionality beyond simple enumeration. It is useful when you need to manipulate objects or verify permissions that aren’t accessible via SMBMap or CrackMapExec.
Windapsearch: Windapsearch is a Python script located on your attack host (commonly in /opt/windapsearch/) and is especially useful when you need to gather data quickly over LDAP without running a full-fledged AD tool.
Windows Tools
ActiveDirectory PowerShell Module: This module can be used to query and manage Active Directory objects, retrieve lists of users, groups, computers, and organizational units (OUs), and perform administrative tasks remotely.
Before running any AD cmdlets, ensure the module is imported. It provides a native way to query AD without needing third-party tools.
Check which modules are currently loaded:
Get-Module
Import the module if it is not already loaded (it ships with the Remote Server Administration Tools, RSAT):
Import-Module ActiveDirectory
PowerView: PowerView is a PowerShell tool that requires some manual analysis but offers insight into the AD environment. Although it's part of the deprecated PowerSploit toolkit, its maintained versions (such as those updated by BC-Security) continue to be valuable.
SharpView: SharpView is used in much the same way as PowerView but may be preferable in environments where .NET is more native or where PowerView's execution is being blocked.
Snaffler: Snaffler scans hosts within the domain for readable shares and directories and then searches them for credentials, SSH keys, configuration files, or other sensitive data. It must be run from a domain-joined host or in a domain-user context.
BloodHound (BloodHound.py)
BloodHound is one of the most impactful tools, if not the most impactful, ever released for auditing Active Directory security.
It consists of two parts: the collector (SharpHound on Windows or BloodHound.py for Linux) and the BloodHound GUI tool.
After collecting data, upload JSON files to the GUI to run queries or visualize the AD relationships.
Stay organized, document every file transfer and command execution, and always clean up your artifacts after the engagement.
Living Off The Land
In scenarios where you cannot deploy additional tools, you can rely on built-in Windows commands to perform enumeration. Tools like PowerShell and net.exe can be used to enumerate the system.
Dsquery & LDAP Filtering Explained
Dsquery is a command-line tool that finds Active Directory objects. It uses LDAP filters to search for users, groups, computers, etc.
LDAP filters can include Object Identifier (OID) matching rules that test an attribute against a bitmask. For example, the string:
userAccountControl:1.2.840.113556.1.4.803:=64
breaks down as follows:
userAccountControl: Refers to the UAC attribute of a user account.
1.2.840.113556.1.4.803: Specifies the matching rule, here the bitwise AND rule, which matches when every bit of the given value is set in the attribute.
=64: The decimal bitmask to test; here 64 denotes the "Password Can't Change" flag.
Logical Operators:
Use & (AND), | (OR), and ! (NOT) to build complex queries. Example:
(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=64))
This filter finds user objects that have the "Password Can't Change" flag set.
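The filter above, worked through as an added example that is not part of these notes: a small Python evaluator for filters of this shape (AND/OR/NOT plus the bitwise matching rules) run against constructed account records, so you can see exactly which userAccountControl values each rule selects. The parser, the sample accounts and the helper names are assumptions written for this illustration; it also covers the companion bitwise OR rule 1.2.840.113556.1.4.804, which the notes do not mention.

```python
import re
# Bitwise matching rules usable in Active Directory LDAP filters.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"  # every bit of the mask is set
LDAP_MATCHING_RULE_BIT_OR = "1.2.840.113556.1.4.804"   # at least one bit of the mask is set

# userAccountControl bits used below: 0x2 ACCOUNTDISABLE, 0x40 PASSWD_CANT_CHANGE (64),
# 0x200 NORMAL_ACCOUNT, 0x10000 DONT_EXPIRE_PASSWORD.
ACCOUNTS = [  # constructed sample entries (attribute -> value), not real directory data
    {"sAMAccountName": "svc_backup", "objectClass": "user", "userAccountControl": 0x200 | 0x40 | 0x10000},
    {"sAMAccountName": "jdoe", "objectClass": "user", "userAccountControl": 0x200},
    {"sAMAccountName": "old_admin", "objectClass": "user", "userAccountControl": 0x200 | 0x2 | 0x40},
    {"sAMAccountName": "mgr", "objectClass": "user", "userAccountControl": 0x200 | 0x10000},
]

def parse_filter(s, i=0):
    """Parse the parenthesised LDAP filter starting at s[i]; return (node, index after it)."""
    i += 1                                   # skip '('
    if s[i] in "&|":                         # (&(...)(...)) or (|(...)(...))
        op, i, kids = s[i], i + 1, []
        while s[i] == "(":
            node, i = parse_filter(s, i)
            kids.append(node)
        return (op, kids), i + 1             # skip ')'
    if s[i] == "!":                          # (!(...))
        node, i = parse_filter(s, i + 1)
        return ("!", [node]), i + 1
    j = s.index(")", i)                      # attr=value or attr:OID:=value
    attr, oid, val = re.fullmatch(r"(\w+)(?::([\d.]+):)?=(.*)", s[i:j]).groups()
    return ("=", attr, oid, val), j + 1

def matches(node, entry):
    # Evaluate a parsed filter node against one entry (dict of attribute -> value).
    kind = node[0]
    if kind in "&|":
        results = [matches(k, entry) for k in node[1]]
        return all(results) if kind == "&" else any(results)
    if kind == "!":
        return not matches(node[1][0], entry)
    _, attr, oid, val = node
    if attr not in entry:
        return False                         # an absent attribute never matches
    actual = entry[attr]
    if oid == LDAP_MATCHING_RULE_BIT_AND:
        return int(actual) & int(val) == int(val)
    if oid == LDAP_MATCHING_RULE_BIT_OR:
        return int(actual) & int(val) != 0
    return str(actual).lower() == val.lower()  # plain equality is case-insensitive in AD

def find(filter_str, entries=ACCOUNTS):
    # Return the sAMAccountName of every entry the filter selects, in input order.
    node, _ = parse_filter(filter_str)
    return [e["sAMAccountName"] for e in entries if matches(node, e)]
```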