Automating AD Enumeration

mohit panwar
Dec 14, 2018 · 5 min read

Doing everything manually is cool, but how do we save time and money? Much of the enumeration work can be automated. But know this: automating any task takes knowledge about a lot of things. Most of us believe that automation results and reports still have to be reviewed and analyzed manually for accurate, precise and controlled pentesting. Controlled? Yes, remember Armitage, Cobalt and similar tools? We don’t want to end up getting caught by an IDS/IPS/WAF early in the game.

So, here begins the automation of enumerating Active Directory-specific information. The tools are classified by the circumstances in which they are used: local and remote enumeration tools.

Local AD enumeration tools

If, with the help of various techniques, an attacker has obtained remote command execution or a user/admin shell, the attacker may choose the BloodHound and PowerUp tools for local enumeration of accounts, resources, the network, printers, misconfigurations, etc.

a) BloodHound

BloodHound is an extremely useful tool, based on PowerView, that helps map out Active Directory relationships throughout the network. In a pentest this is critical because, after initial access (either user or admin), it gives you insight into what to attack next. In a big infrastructure, having information about the domain/forest/trust relationships and the infrastructure itself is critical for targeted exploitation. Common usage of BloodHound and the steps involved:

1. Once you have an initial foothold, download BloodHound and extract it somewhere. Run the .exe in the root directory of BloodHound. Open bolt://localhost:7687 in the browser on the attacker machine and log in with username and password.

2. Browse to somewhere\BloodHound\Ingestors and copy SharpHound.exe. Assuming you have Meterpreter or any other shell as a means of uploading SharpHound.exe to the target, upload the .exe.

3. Execute SharpHound.exe on the target.

4. This creates a few CSV files. Mainly user/group memberships, local user/group memberships and sessions are enumerated.

5. Download the CSV files from the target machine to the attacker machine.

6. Upload these CSV files to BloodHound and explore.

7. This can give a lot of juicy information about the infrastructure, trusts and memberships of the target system.
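To make concrete what those CSV files encode and why BloodHound is useful, here is an added example (not part of the original post and not BloodHound's own code) that rebuilds the three edge types BloodHound draws from SharpHound-style CSVs and runs a breadth-first search for a path from an ordinary user to Domain Admins. The CSV column layouts are an assumption based on the older SharpHound CSV ingestors, and all account, group and host names are constructed. Read from the defensive side, every hop in the returned path is a relationship a domain owner can remove (helpdesk local admin on workstations, a Domain Admin session on a workstation) to break the path.

```python
"""Added example: reconstruct a BloodHound-style graph from SharpHound CSV
exports and search it for a path to Domain Admins. CSV layouts are assumed
(older SharpHound format); all data below is constructed."""
import csv
import io
from collections import defaultdict, deque

# Constructed samples mimicking SharpHound's CSV ingestors (assumed layouts).
GROUP_MEMBERSHIP_CSV = """GroupName,AccountName,AccountType
DOMAIN ADMINS@CORP.LOCAL,DA.ALICE@CORP.LOCAL,user
HELPDESK@CORP.LOCAL,BOB@CORP.LOCAL,user
"""
LOCAL_ADMINS_CSV = """ComputerName,AccountName,AccountType
WS01.CORP.LOCAL,HELPDESK@CORP.LOCAL,group
DC01.CORP.LOCAL,DOMAIN ADMINS@CORP.LOCAL,group
"""
SESSIONS_CSV = """UserName,ComputerName,Weight
DA.ALICE@CORP.LOCAL,WS01.CORP.LOCAL,1
BOB@CORP.LOCAL,WS01.CORP.LOCAL,1
"""


def build_graph(group_csv, admins_csv, sessions_csv):
    """Return {node: [(edge_label, neighbour), ...]} using the three edge
    kinds BloodHound draws: MemberOf, AdminTo and HasSession."""
    graph = defaultdict(list)
    for row in csv.DictReader(io.StringIO(group_csv)):
        graph[row["AccountName"]].append(("MemberOf", row["GroupName"]))
    for row in csv.DictReader(io.StringIO(admins_csv)):
        graph[row["AccountName"]].append(("AdminTo", row["ComputerName"]))
    for row in csv.DictReader(io.StringIO(sessions_csv)):
        # A local admin on a host can reach the credentials of any session on it.
        graph[row["ComputerName"]].append(("HasSession", row["UserName"]))
    return graph


def shortest_path(graph, start, target):
    """Breadth-first search; returns [(node, edge, node), ...] or None."""
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while parent[node] is not None:
                edge, prev = parent[node]
                path.append((prev, edge, node))
                node = prev
            return list(reversed(path))
        for edge, nxt in graph.get(node, []):
            if nxt not in parent:
                parent[nxt] = (edge, node)
                queue.append(nxt)
    return None


def find_path_to_domain_admins(user, domain="CORP.LOCAL"):
    """Shortest path from `user` to the Domain Admins group, or None."""
    graph = build_graph(GROUP_MEMBERSHIP_CSV, LOCAL_ADMINS_CSV, SESSIONS_CSV)
    return shortest_path(graph, user, f"DOMAIN ADMINS@{domain}")


if __name__ == "__main__":
    for hop in find_path_to_domain_admins("BOB@CORP.LOCAL") or []:
        print(" -> ".join(hop))
```

In the constructed data BOB reaches Domain Admins in four hops: his HELPDESK membership makes him local admin on WS01, where DA.ALICE has a session. Removing either the HELPDESK AdminTo edge or the Domain Admin workstation session breaks the path, which is the remediation BloodHound output points at.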

Figure 1: An example BloodHound domain enumeration report, referenced from an external source to show the capability of BloodHound over a big infrastructure.

Figure 2: User mapping enumerated by BloodHound, referenced from an external source to show the capability of BloodHound over a big infrastructure.

b) PowerSploit PowerUp

PowerUp is to Windows what LinEnum is to Linux, and probably better at it as per my observations and experience. PowerUp aims to be a clearinghouse of common Windows privilege escalation vectors that rely on misconfigurations. Clearly, PowerUp is useful for privilege escalation, but it achieves this by checking for misconfigurations and missing security controls/patches.

Once you have command execution on the host, launch PowerShell with the command below:

powershell.exe -nop -exec bypass

Then import the PowerUp module:

Import-Module PowerUp.ps1

Now you have access to all PowerUp cmdlets. To run all the checks, execute:

Invoke-AllChecks | Out-File -Encoding ASCII checks.txt

Fetch the file to the attacker machine and analyze it for juicy information. Here is an example report:

Running Invoke-AllChecks
Checking for unquoted service paths…
[+] Unquoted service path: CustomSVC — C:\Users\adam\Documents\Visual Studio 2008\Projects\Service\Service\bin\Release\service.exe
Checking service executable permissions…
[+] Vulnerable service executable: CustomSVC — C:\Users\adam\Documents\Visual Studio 2008\Projects\Service\Service\bin\Release\service.exe
Checking service permissions…
[+] Vulnerable service: CustomAPP — C:\Custom\deploy.exe
Checking for unattended install files…
[+] Unattended install file: C:\Windows\Panther\Unattended.xml
Checking %PATH% for potentially hijackable service .dll locations…
Checking for AlwaysInstallElevated registry key…
[+] AlwaysInstallElevated is enabled for this machine!
Checking for Autologon credentials in registry…
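A checks.txt from a large estate runs to hundreds of lines, and the same report is what a hardening team diffs against after fixing findings. The following added example (not part of the original post and not PowerUp's own code) parses the Invoke-AllChecks text format shown above into findings grouped by the check that produced them, and distinguishes "checked and clean" from "not checked". The sample report is constructed from the format above; the assumption is that each finding line starts with "[+]" and belongs to the most recent "Checking ..." line.

```python
"""Added example: parse Invoke-AllChecks output (checks.txt) into findings
grouped per check. The report text below is constructed from the format the
post shows; the '[+]' / 'Checking ...' line conventions are assumed."""
import re

SAMPLE_REPORT = r"""Running Invoke-AllChecks
Checking for unquoted service paths…
[+] Unquoted service path: CustomSVC — C:\Users\adam\Documents\Visual Studio 2008\Projects\Service\Service\bin\Release\service.exe
Checking service executable permissions…
[+] Vulnerable service executable: CustomSVC — C:\Users\adam\Documents\Visual Studio 2008\Projects\Service\Service\bin\Release\service.exe
Checking service permissions…
[+] Vulnerable service: CustomAPP — C:\Custom\deploy.exe
Checking for unattended install files…
[+] Unattended install file: C:\Windows\Panther\Unattended.xml
Checking %PATH% for potentially hijackable service .dll locations…
Checking for AlwaysInstallElevated registry key…
[+] AlwaysInstallElevated is enabled for this machine!
Checking for Autologon credentials in registry…
"""

# A check header ends in three dots or a single ellipsis character.
CHECK_RE = re.compile(r"^Checking (.+?)(?:\.\.\.|…)\s*$")
# A finding is "[+] <kind>: <detail>"; the detail part is optional.
FINDING_RE = re.compile(r"^\[\+\] (.+?)(?::\s*(.+))?$")


def parse_report(text):
    """Return {check_name: [(finding_kind, detail_or_None), ...]}.
    Checks that produced no '[+]' line appear with an empty list, so the
    caller can tell 'checked and clean' from 'never checked'."""
    results = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        header = CHECK_RE.match(line)
        if header:
            current = header.group(1)
            results.setdefault(current, [])
            continue
        finding = FINDING_RE.match(line)
        if finding and current is not None:
            results[current].append((finding.group(1), finding.group(2)))
    return results


def summarize(results):
    """Return (total_findings, [names of checks that found nothing])."""
    total = sum(len(findings) for findings in results.values())
    clean = [name for name, findings in results.items() if not findings]
    return total, clean


if __name__ == "__main__":
    parsed = parse_report(SAMPLE_REPORT)
    total, clean = summarize(parsed)
    print(f"{total} findings across {len(parsed)} checks; clean: {clean}")
    for check, findings in parsed.items():
        for kind, detail in findings:
            print(f"  {check}: {kind} -> {detail}")
```

Feeding it the report above gives five findings over seven checks, with the %PATH% and Autologon checks clean. Because the output is keyed by check name, two runs of the parser (before and after remediation) can be compared with an ordinary dictionary diff.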

Remote AD enumeration tools

1. Responder

Responder is a powerful tool that every Windows or Active Directory pentester should have. If a domain-joined Windows system cannot resolve a name via DNS, it falls back to name resolution via LLMNR (introduced in Windows Vista) and NetBIOS. With Responder running, we can make the attacker’s machine answer as the intended machine for all LLMNR and NetBIOS requests. To execute Responder, run:

Responder -i <your IP> -wrf
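The fallback behaviour just described is also what gives the blue team a handle on it: a legitimate host only ever answers LLMNR queries for its own name, whereas a poisoner answers for every name asked. The added example below (not part of the original post and not Responder's code) parses LLMNR response datagrams, which use the DNS message layout, and flags any source address that answers for several distinct names. The datagrams are constructed in the script; in practice they would come from a UDP/5355 capture, which is an assumption here, as are the host names and addresses.

```python
"""Added example: detect LLMNR poisoning from captured UDP/5355 responses.
LLMNR (RFC 4795) reuses the DNS message format, so a small DNS-style parser
is enough. All packets and addresses below are constructed; a pcap source
for real traffic is assumed."""
import struct
from collections import defaultdict


def encode_name(name):
    """DNS label encoding: 'wpad' -> b'\\x04wpad\\x00'."""
    out = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".") if l)
    return out + b"\x00"


def decode_name(data, offset):
    """Read labels at offset; returns (name, offset after the name).
    Handles RFC 1035 compression pointers (0xC0 prefix)."""
    labels = []
    jumped = False
    end = offset
    while True:
        length = data[offset]
        if length == 0:
            offset += 1
            break
        if (length & 0xC0) == 0xC0:  # pointer: remaining 14 bits are an offset
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped = True
            offset = pointer
            continue
        offset += 1
        labels.append(data[offset:offset + length].decode())
        offset += length
    if not jumped:
        end = offset
    return ".".join(labels), end


def build_llmnr_response(txid, name, ip):
    """Constructed LLMNR answer: header (QR=1), echoed question, one A record."""
    header = struct.pack("!HHHHHH", txid, 0x8000, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)          # A, IN
    rdata = bytes(int(octet) for octet in ip.split("."))
    answer = encode_name(name) + struct.pack("!HHIH", 1, 1, 30, len(rdata)) + rdata
    return header + question + answer


def parse_llmnr_response(data):
    """Return [(name, ipv4), ...] for the A answers in a response; [] for a query."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if not flags & 0x8000:          # QR bit clear: this is a query, not an answer
        return []
    off = 12
    for _ in range(qdcount):        # skip the echoed question section
        _, off = decode_name(data, off)
        off += 4                    # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        name, off = decode_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata = data[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, ".".join(str(b) for b in rdata)))
    return answers


def find_poisoners(datagrams, threshold=3):
    """datagrams: iterable of (src_ip, payload). Returns {src_ip: sorted names}
    for every source that answered for at least `threshold` distinct names."""
    names_by_src = defaultdict(set)
    for src, payload in datagrams:
        for name, _ip in parse_llmnr_response(payload):
            names_by_src[src].add(name.upper())
    return {src: sorted(n) for src, n in names_by_src.items() if len(n) >= threshold}


# Constructed traffic: 10.0.0.5 answers once for its own name, while 10.0.0.66
# answers for everything it is asked, which is the poisoning signature.
SAMPLE_DATAGRAMS = [
    ("10.0.0.5", build_llmnr_response(1, "FILESRV01", "10.0.0.5")),
    ("10.0.0.66", build_llmnr_response(2, "wpad", "10.0.0.66")),
    ("10.0.0.66", build_llmnr_response(3, "fileserver-typo", "10.0.0.66")),
    ("10.0.0.66", build_llmnr_response(4, "printer01", "10.0.0.66")),
]

if __name__ == "__main__":
    print(find_poisoners(SAMPLE_DATAGRAMS))
```

The threshold is deliberately low because in a healthy network a single host should not be answering LLMNR for names other than its own at all; the mitigation that removes the whole class of problem is disabling LLMNR and NetBIOS name resolution via Group Policy, after which any remaining UDP/5355 answer is itself the alert.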

2. Enum4linux

Enum4linux is a tool for enumerating information from Windows and Samba systems. Key features:

· RID cycling (When RestrictAnonymous is set to 1 on Windows 2000)

· User listing (When RestrictAnonymous is set to 0 on Windows 2000)

· Listing of group membership information

· Share enumeration

· Detecting if host is in a workgroup or a domain

· Identifying the remote operating system

· Password policy retrieval (using polenum)

Source: https://labs.

To execute enum4linux from the attacker machine and analyze the result, use the commands below:

enum4linux -A target-ip # used for Null Sessions

enum4linux -u administrator -p password -A target-ip #used with known credentials

3. SMBMap

SMBMap is a very useful tool whose functionality is a subset of CrackMapExec, which is discussed shortly. With the right credentials, SMBMap can do SMB share enumeration, recursive directory listing of all SMB shares, command execution, upload/download/delete and reverse shells. Most of the SMBMap options are compiled into the table below:

SMBmap module and command reference.

4. CrackMapExec

CrackMapExec (a.k.a. CME) is a post-exploitation tool that helps automate assessing the security of large Active Directory networks. Built with stealth in mind, CME abuses built-in Active Directory features/protocols to achieve its functionality, allowing it to evade most endpoint protection/IDS/IPS solutions.

A lot can be done with CME in the various pentest phases; common uses are listed below:

cme <target(s)> #network enumeration

cme smb <target(s)> -u username -p password --local-auth -x whoami #command execution

cme <target(s)> -u username -p password --lusers #list logged-in users

cme <target(s)> -u username -p password --local-auth --sam #dumping local SAM hashes

cme smb <target(s)> -u username -H 'LMHASH:NTHASH' --local-auth #pass-the-hash

cme <protocol> <target(s)> -u usernames.file -p passwords.file #password brute force

CME supports Empire, Metasploit and Mimikatz integration, which makes it a Swiss army knife for Active Directory pentesting.

Shout Outs:

Bloodhound contributors: @_wald0, @CptJesus, @harmj0y

CME contributor: @byt3bl33d3r

InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. In a nutshell, we are the largest InfoSec publication on Medium. Maintained by Hackrew

mohit panwar

Written by

Cyber Security professional, CEH, OSCP. AppSec. Secure SDLC. NIST 800-53. Infra Hardening. Threat Model. Secure Code Review. Part-time CTF player. VAPT. Blue Team.
