Doing everything manually is fine, but how do we save time and money? Much of the enumeration work can be automated. Know this, though: automating any task takes knowledge of a lot of things. Most of us believe that automation results and reports still have to be reviewed and analyzed manually for accurate, precise and controlled pentesting. Controlled? Yes, remember Armitage, Cobalt Strike and similar tools? We don't want to get caught by an IDS/IPS/WAF early in the game.
So here begins the automation of Active Directory-specific enumeration. The tools below are classified by the circumstances they are used in: local and remote enumeration tools.
Local AD enumeration tools
If, through whatever technique, the aggressor has obtained remote command execution or a user/admin shell, they may use BloodHound and PowerUp for local enumeration of accounts, resources, network, printers, misconfigurations and so on.
a) BloodHound
BloodHound is an extremely useful tool, based on PowerView, that helps map out Active Directory relationships throughout the network. In a pentest this is critical because, after initial access (either user or admin), it gives you insight into what to attack next. In a big infrastructure, having information about the domain/forest/trust relationships and the infrastructure itself is critical for targeted exploitation. Common usage of BloodHound, step by step:
1. Once you have an initial foothold, download BloodHound and extract it somewhere on the attacker machine. Run the .exe in the root of the BloodHound directory. Open bolt://localhost:7687 in the attacker machine's browser and log in with the username and password.
2. Browse to somewhere\BloodHound\Ingestors and copy SharpHound.exe. Assuming you have Meterpreter or any other shell that lets you upload files to the target, upload the .exe.
3. Execute SharpHound.exe on the target.
4. This creates a few CSV files. Mainly domain user/group memberships, local user/group memberships and sessions are enumerated.
5. Download the CSV files from the target machine onto the attacker machine.
6. Upload these CSV files to BloodHound and explore.
7. This can reveal a lot of juicy information about the infrastructure, trusts and memberships of the target system.
Figure 1: An example of a BloodHound domain enumeration report. Referenced from https://wald0.com/?p=68 to show the capability of BloodHound over a big infrastructure.
Figure 2: User mapping enumerated by BloodHound. Referenced from https://wald0.com/?p=68 to show the capability of BloodHound over a big infrastructure.
b) PowerSploit PowerUp
PowerUp is to Windows what LinEnum is to Linux, and probably better at it, in my observation and experience. PowerUp aims to be a clearinghouse of common Windows privilege escalation vectors that rely on misconfigurations. Clearly, PowerUp is useful for privilege escalation, and it achieves this by checking for misconfigurations and missing security controls/patches.
Once you have command execution on the host, launch PowerShell with:
powershell.exe -nop -exec bypass
Then import the PowerUp module.
Now you have access to all PowerUp cmdlets. To execute all the checks, run
Invoke-AllChecks | Out-File -Encoding ASCII checks.txt
Fetch the file to the attacker machine and analyze it for juicy information. Here is an example report:
Checking for unquoted service paths...
[+] Unquoted service path: CustomSVC - C:\Users\adam\Documents\Visual Studio 2008\Projects\Service\Service\bin\Release\service.exe
Checking service executable permissions...
[+] Vulnerable service executable: CustomSVC - C:\Users\adam\Documents\Visual Studio 2008\Projects\Service\Service\bin\Release\service.exe
Checking service permissions...
[+] Vulnerable service: CustomAPP - C:\Custom\deploy.exe
Checking for unattended install files...
[+] Unattended install file: C:\Windows\Panther\Unattended.xml
Checking %PATH% for potentially hijackable service .dll locations...
Checking for AlwaysInstallElevated registry key...
[+] AlwaysInstallElevated is enabled for this machine!
Checking for Autologon credentials in registry...
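Reviewing a checks.txt by eye works for one host, but across an engagement it pays to turn the report into structured findings with a remediation note attached, which is also what the client ultimately needs. The block below is an added example written for this article, not code from PowerUp or PowerSploit: it parses a constructed excerpt in the format of the report above (SAMPLE_REPORT), groups each "[+]" line under the "Checking ..." header it appeared beneath, splits "Name - Path" details into service and path fields, and attaches a fix from a hypothetical REMEDIATION table. The function names and the remediation wording are assumptions.

```python
import re

# Constructed sample in the format of the PowerUp report above (not output from any real host).
SAMPLE_REPORT = r"""Checking for unquoted service paths...
[+] Unquoted service path: CustomSVC - C:\Users\adam\Documents\Visual Studio 2008\Projects\Service\Service\bin\Release\service.exe
Checking service executable permissions...
[+] Vulnerable service executable: CustomSVC - C:\Users\adam\Documents\Visual Studio 2008\Projects\Service\Service\bin\Release\service.exe
Checking service permissions...
[+] Vulnerable service: CustomAPP - C:\Custom\deploy.exe
Checking for unattended install files...
[+] Unattended install file: C:\Windows\Panther\Unattended.xml
Checking %PATH% for potentially hijackable service .dll locations...
Checking for AlwaysInstallElevated registry key...
[+] AlwaysInstallElevated is enabled for this machine!
Checking for Autologon credentials in registry...
"""

# Hypothetical remediation table kept by the assessor. Keys are matched as prefixes of the
# finding text, longest key first, so "vulnerable service executable" wins over "vulnerable service".
REMEDIATION = {
    "unquoted service path": "Quote the service ImagePath so Windows stops searching intermediate directories.",
    "vulnerable service executable": "Restrict write access on the service binary and its directory to administrators.",
    "vulnerable service": "Tighten the service security descriptor so non-admins cannot reconfigure it.",
    "unattended install file": "Delete leftover unattend/sysprep files and rotate any credentials they contain.",
    "alwaysinstallelevated": "Set AlwaysInstallElevated to 0 under both the HKLM and HKCU Installer policy keys.",
}

FINDING_RE = re.compile(r"^\[\+\]\s*(?P<kind>[^:]+?)(?::\s*(?P<detail>.*))?$")
SERVICE_RE = re.compile(r"^(?P<service>\S+)\s+-\s+(?P<path>.+)$")


def remediation_for(kind: str) -> str:
    """Pick the longest REMEDIATION key that prefixes the finding kind."""
    key = kind.lower()
    for prefix in sorted(REMEDIATION, key=len, reverse=True):
        if key.startswith(prefix):
            return REMEDIATION[prefix]
    return "No remediation mapped; review manually."


def parse_powerup_report(text: str) -> list:
    """Turn Invoke-AllChecks output into a list of finding dicts.

    'Checking ...' lines name the check in progress; every '[+]' line under it is a
    finding. A 'Name - Path' detail is split into service and path fields."""
    findings = []
    current_check = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Checking"):
            current_check = line.rstrip(".")
            continue
        m = FINDING_RE.match(line)
        if not m:
            continue
        kind = m.group("kind").strip()
        detail = (m.group("detail") or "").strip()
        finding = {"check": current_check, "kind": kind, "detail": detail,
                   "service": None, "path": None,
                   "remediation": remediation_for(kind)}
        sm = SERVICE_RE.match(detail)
        if sm:
            finding["service"] = sm.group("service")
            finding["path"] = sm.group("path")
        findings.append(finding)
    return findings


def summarize(findings: list) -> dict:
    """Count findings per check so a reviewer sees at a glance where the host is weakest."""
    counts = {}
    for f in findings:
        counts[f["check"]] = counts.get(f["check"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in parse_powerup_report(SAMPLE_REPORT):
        print(f"{f['check']}: {f['kind']} -> {f['remediation']}")
```

Run it against a real checks.txt by reading the file into parse_powerup_report(); checks that produced no "[+]" line (such as the %PATH% one above) simply yield no findings, which is itself worth recording in the report.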
Remote AD enumeration tools
Responder is a powerful tool that every Windows or Active Directory pentester should have. If a domain-joined Windows system cannot resolve a name via DNS, it falls back to name resolution via LLMNR (introduced in Windows Vista) and NetBIOS. With Responder running, we can spoof the attacker's machine as the intended machine for all LLMNR and NetBIOS requests. To execute Responder, run
Responder -i <your IP> -wrf
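The DNS fallback described above is exactly what makes poisoning possible, so the defender's counterpart is to notice a poisoner on the wire. The block below is an added example written for this article, not code from Responder or any other project: it implements the classic detection trick of querying LLMNR for a hostname that does not exist and treating any answer as evidence of a poisoner. It carries a minimal parser for the LLMNR wire format (RFC 4795, the same layout as DNS, spoken on UDP 5355), a constructed query, a constructed poisoned answer pointing at 10.0.0.99, and a constructed inventory KNOWN_HOSTS. The hostnames, the address and the function names are all assumptions.

```python
import struct

# Constructed inventory of hostnames that legitimately exist in DNS (assumption for the example).
KNOWN_HOSTS = {"fileserver", "dc01"}


def _read_name(pkt: bytes, off: int):
    """Decode a DNS-style label sequence at off; returns (name, offset after it).
    Handles 0xC0 compression pointers so answers that point back at the question parse too."""
    labels = []
    jumped = False
    end = off
    while True:
        length = pkt[off]
        if length == 0:
            off += 1
            break
        if length & 0xC0 == 0xC0:                       # compression pointer
            ptr = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2                           # caller resumes after the 2-byte pointer
            jumped = True
            off = ptr
            continue
        off += 1
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length
    if not jumped:
        end = off
    return ".".join(labels), end


def parse_llmnr(pkt: bytes) -> dict:
    """Parse an LLMNR message header, question section and A-record answers."""
    if len(pkt) < 12:
        raise ValueError("truncated LLMNR header")
    tid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    questions = []
    for _ in range(qd):
        name, off = _read_name(pkt, off)
        qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
        off += 4
        questions.append({"name": name, "type": qtype, "class": qclass})
    answers = []
    for _ in range(an):
        name, off = _read_name(pkt, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata = pkt[off:off + rdlen]
        off += rdlen
        rec = {"name": name, "type": rtype, "ttl": ttl}
        if rtype == 1 and rdlen == 4:                   # A record: 4-byte IPv4 address
            rec["address"] = ".".join(str(b) for b in rdata)
        answers.append(rec)
    return {"id": tid, "is_response": bool(flags & 0x8000),   # QR bit
            "questions": questions, "answers": answers}


def build_llmnr_query(name: str, tid: int = 0x1234) -> bytes:
    """Encode a plain A-record query for name, as a client does when DNS resolution fails."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", tid, 0, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)


# Constructed poisoned answer to a query for the non-existent host "filesrv-typo":
# the answer name is a pointer (0xC00C) back to the question name at offset 12.
_NAME = b"\x0cfilesrv-typo\x00"
SAMPLE_POISONED_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8000, 1, 1, 0, 0)            # header: QR=1, 1 question, 1 answer
    + _NAME + struct.pack("!HH", 1, 1)                             # question: A, IN
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 30, 4) + bytes([10, 0, 0, 99])   # answer: A 10.0.0.99
)


def classify(pkt: bytes, known_hosts=KNOWN_HOSTS) -> str:
    """Label a message: a query, a response for an inventoried host, or a suspicious response.
    Any answer for a name that does not exist in DNS means something is poisoning LLMNR."""
    msg = parse_llmnr(pkt)
    if not msg["is_response"]:
        return "query"
    for ans in msg["answers"]:
        if ans["name"].split(".")[0].lower() not in known_hosts:
            return "suspicious-response"
    return "response"


if __name__ == "__main__":
    print(classify(build_llmnr_query("filesrv-typo")))
    print(classify(SAMPLE_POISONED_RESPONSE), parse_llmnr(SAMPLE_POISONED_RESPONSE)["answers"])
```

In a live check you would send build_llmnr_query() for a made-up name to the LLMNR multicast group 224.0.0.252 on UDP 5355 and run classify() over whatever comes back; the source address of a suspicious response is the host to investigate. The lasting fix is the Group Policy setting "Turn off multicast name resolution" plus disabling NetBIOS over TCP/IP where it is not needed, which removes the fallback Responder relies on.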
Enum4linux is a tool for enumerating information from Windows and Samba systems. Key features:
· RID cycling (When RestrictAnonymous is set to 1 on Windows 2000)
· User listing (When RestrictAnonymous is set to 0 on Windows 2000)
· Listing of group membership information
· Share enumeration
· Detecting if host is in a workgroup or a domain
· Identifying the remote operating system
· Password policy retrieval (using polenum)
Source: https://labs.portcullis.co.uk/tools/enum4linux
To execute enum4linux from the attacker machine and analyze the result, use the commands below:
enum4linux -A target-ip # used for null sessions
enum4linux -u administrator -p password -A target-ip # used with known credentials
SMBMap is a very useful tool; it is a subset of CrackMapExec, which is discussed shortly. With the right credentials, SMBMap can do SMB share enumeration, recursive directory listing of all SMB shares, command execution, file upload/download/delete and a reverse shell. Most of the smbmap options are compiled into the table below:
CrackMapExec (a.k.a. CME) is a post-exploitation tool that helps automate assessing the security of large Active Directory networks. Built with stealth in mind, CME abuses built-in Active Directory features and protocols to achieve its functionality, allowing it to evade most endpoint protection/IDS/IPS solutions.
There are a lot of things that can be done in various pentest phases with CME; some are listed below:
cme smb <target(s)> # network enumeration
cme smb <target(s)> -u username -p password --local-auth -x whoami # command execution
cme smb <target(s)> -u username -p password --lusers # list logged-in users
cme smb <target(s)> -u username -p password --local-auth --sam # dump local SAM hashes
cme smb <target(s)> -u username -H 'LMHASH:NTHASH' --local-auth # pass-the-hash
cme <protocol> <target(s)> -u usernames.file -p passwords.file # password bruteforce
CME supports Empire, Metasploit and Mimikatz integration, which makes it a Swiss army knife for Active Directory pentesting.