Active Directory Enumeration from Non-Joined Domain Workstation

Problem Child
MII Cyber Security Consulting Services
2 min readMay 30, 2024


During a Red Team assume-breach engagement, the client may hand you access to a workstation as the "starting point." They may also give you domain user credentials, while the workstation itself is not joined to the domain.

So, how do we start enumerating domain users and the ACLs/ACEs on Active Directory objects? Out of the box, tools like PowerView fail: the workstation cannot resolve the domain name through its current DNS server, and the local logon session has no domain credentials to present on the LDAP bind, so every query errors out.

PowerView Error

The fix is to start a PowerShell session on the non-joined Windows host with 'runas' and the '/netonly' switch. '/netonly' keeps the local token as the local user but stores the supplied domain credentials for any outbound network authentication, which is exactly what LDAP, SMB and RPC calls to the DC need. Before that, point the workstation's DNS at the Domain Controller IP so the domain name and its SRV records resolve; without that, the new session will still be unable to find the domain.

In this article, for example, our target domain is “evangelion.lab” with the DC IP being 172.16.8.139.

Change Windows DNS

Cool, we are able to access the domain.

We also have credentials for the user 'asuka', a member of Domain Users in evangelion.lab. With runas, start a new PowerShell session as asuka:

runas /netonly /user:evangelion\asuka powershell
run as domain user

Now, in the new PowerShell session, we can run Active Directory enumeration tools such as PowerView, SharpHound, adPEAS, etc. Two caveats: runas /netonly does not validate the password when the window opens, so a typo only shows up when the first network request fails; and because the host is not joined, a tool that tries to discover the domain from the local machine may still fail, so pass it explicitly where the tool allows (for example PowerView's -Domain evangelion.lab, or SharpHound's -d evangelion.lab --domaincontroller 172.16.8.139).

Enumeration with PowerView
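The whole procedure as one script, added here as an example and not part of the original article. It uses the lab values from the post (evangelion.lab, DC 172.16.8.139, user asuka); the interface alias 'Ethernet' and the search base DC=evangelion,DC=lab are assumptions for a default lab install. The first half runs elevated in your normal session; the second half is pasted into the window that runas opens, and checks that the stored credentials actually bind before running the user and ACE queries that PowerView would issue.

```powershell
# Added example, not from the original article. Lab values assumed: domain
# evangelion.lab, DC 172.16.8.139, user evangelion\asuka, interface 'Ethernet'.
$Dc     = '172.16.8.139'
$Domain = 'evangelion.lab'
$BaseDn = 'DC=evangelion,DC=lab'

# --- Step 1 (elevated, normal session): point DNS at the DC ----------------------
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses $Dc

# Confirm the domain and its DC-locator SRV record resolve. If this fails, the
# runas window will open fine but nothing in it will be able to find the domain.
Resolve-DnsName -Name $Domain -Server $Dc -ErrorAction Stop | Out-Null
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $Dc -ErrorAction Stop |
    Select-Object NameTarget, Port

# --- Step 2: start a shell whose *network* identity is asuka ---------------------
# /netonly does not check the password; whoami in the new window still shows
# the local user, and a wrong password only surfaces on the first network call.
runas /netonly /user:evangelion\asuka powershell

# --- Step 3 (paste into the new window): verify the bind, then enumerate ---------
$Dc     = '172.16.8.139'
$BaseDn = 'DC=evangelion,DC=lab'

# An explicit LDAP://<dc>/<base> path sends the bind straight to the DC instead of
# letting .NET look up a domain the local machine is not joined to.
$root = [ADSI]"LDAP://$Dc/$BaseDn"
try   { $null = $root.distinguishedName }
catch { throw "LDAP bind as asuka failed (wrong password or DC unreachable): $_" }

# All user objects, same filter PowerView's Get-DomainUser uses
$searcher = New-Object System.DirectoryServices.DirectorySearcher(
    $root, '(&(objectCategory=person)(objectClass=user))')
$searcher.PageSize = 1000   # paged results so large domains are not cut off at 1000
$searcher.PropertiesToLoad.AddRange([string[]]@('samaccountname', 'memberof', 'useraccountcontrol'))

$users = $searcher.FindAll() | ForEach-Object {
    [pscustomobject]@{
        SamAccountName     = $_.Properties['samaccountname'][0]
        UserAccountControl = $_.Properties['useraccountcontrol'][0]
        MemberOf           = @($_.Properties['memberof'])
    }
}
$users | Format-Table SamAccountName, UserAccountControl -AutoSize

# Explicit (non-inherited) ACEs on the domain head: who holds rights at the top
# of the tree. SecurityIdentifier is used as the identity type because SID-to-name
# translation can fail on a host that is not joined to the domain.
$root.ObjectSecurity.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType |
    Format-Table -AutoSize
```

If the bind check throws, fix DNS or the password before touching any tooling; the same failure inside PowerView or SharpHound is far less obvious than the exception above.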

If the Remote Server Administration Tools (RSAT) are installed, the Active Directory Users and Computers (ADUC) snap-in that ships with them can also be used to browse the domain's users and computers from the same kind of /netonly session:

runas /netonly /user:evangelion\asuka mmc
Open RSAT

In the console, add the ADUC snap-in, right-click the root node, choose "Change Domain..." and enter our target domain.

Change Domain

Now we are able to explore the Domain Users from a GUI perspective.
