Active Directory Lab Setup [ AD Enumeration ] - 103
A step-by-step guide for building your very own Cybersecurity Home Lab using VMware Workstation
Last updated
BRUTEFORCING DOMAIN PASSWORDS
For brute forcing domain passwords we need our own Kali Linux machine.
Please install Kali Linux for VMware by following a YouTube video or other documentation. My suggestions:
We need a list of users to brute force. Let's copy all the users from DC01 to our Kali machine.
Kali TIPS: I have my own Kali repository on my GitHub, so you can build a zsh shell very fantastically and set up your tmux very nicely. I always use TMUX. I love TMUX 😘
Preinstallations: Sublime Text
After copying the usernames from DC01, make a file in our Kali Linux.
Open the file in Vim:
Enter Normal mode: press Esc to ensure you are in Normal mode.
Remove spaces and put each word on a new line: you can use the following Vim command in Normal mode:
By following these steps, all spaces between words will be removed, and each word will be placed on a new line.
Then remove the 'Administrator', 'Guest' and 'krbtgt' users from the list. We are only going to work with normal users now.
Customize rockyou.txt
Let's first unzip the rockyou.txt.gz file from our /usr/share/wordlists directory:
The rockyou.txt file is too big: it is almost 14M lines. The wc -l command shows how many lines are in the rockyou.txt file, so I just cut the first 1000 passwords with the head command.
Let's confirm that we can ping our DC01 (we can).
Enumeration
After running the nmap scan we can see that some ports are open. These are the default ports AD uses on a Windows host (try to remember them).
Next, let's log in with a user on our WS01, note its IP address and run an nmap scan:
We can see that SMB is not running there. Let's use other tools for this enumeration; using multiple tools is best practice for enumeration.
DC01 is valid, but let's try with fake login credentials.
STATUS_LOGON_FAILURE means the credentials are not valid for DC01. Let's make some changes.
After running this command we get a valid hit.
If you run it, I think you get the same user every time. But the question is how we can brute force the other users here.
It's going to take some time, so sit back, relax and enjoy 😁
We can do a lot of things with CrackMapExec. For enumeration:
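Since you also own DC01 in this lab, it is worth seeing what the spray looks like from the defender's side. The following is an added example, not part of the original write-up: it counts failed logons per source over a sliding window, using constructed event records (the Kali address 10.10.0.50, the second address 10.10.0.20 and the user names are assumptions).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one failed-logon (Windows event 4625) record per line as
# "timestamp,source_ip,target_user,status". 0xC000006D is the NTSTATUS code
# behind the STATUS_LOGON_FAILURE seen in the CME output above. 10.10.0.50 is a
# hypothetical address for the Kali box; 10.10.0.20 is a workstation user
# mistyping their own password twice.
SAMPLE_EVENTS = """\
2024-05-01T10:00:01,10.10.0.50,abutler,0xC000006D
2024-05-01T10:00:01,10.10.0.50,jsmith,0xC000006D
2024-05-01T10:00:02,10.10.0.50,mjones,0xC000006D
2024-05-01T10:00:02,10.10.0.50,rlee,0xC000006D
2024-05-01T10:00:03,10.10.0.50,kpatel,0xC000006D
2024-05-01T10:00:03,10.10.0.50,dchen,0xC000006D
2024-05-01T10:30:00,10.10.0.20,jsmith,0xC000006D
2024-05-01T10:30:05,10.10.0.20,jsmith,0xC000006D
"""

def parse_events(text):
    """Parse the CSV-like records into (time, source_ip, user, status) tuples."""
    events = []
    for line in text.splitlines():
        ts, src, user, status = line.split(",")
        events.append((datetime.fromisoformat(ts), src, user.lower(), status))
    return events

def spray_sources(events, window=timedelta(minutes=5), min_users=5):
    """Return {source_ip: distinct_users} for every source whose failed logons
    touched at least `min_users` different accounts within one `window`.
    One account failing repeatedly from one host (a typo) is not a spray."""
    by_src = defaultdict(list)
    for ts, src, user, status in events:
        if status == "0xC000006D":
            by_src[src].append((ts, user))
    flagged = {}
    for src, attempts in by_src.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - start <= window}
            if len(users) >= min_users:
                flagged[src] = len(users)
                break
    return flagged
```

Against a domain controller, NTLM logons over SMB are additionally recorded as event 4776, and the same per-source counting applies there.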
CrackMapExec Enumeration Keywords and Commands
Enumerate Users
Enumerate Groups
Enumerate Shares
Enumerate Sessions
Enumerate Logged On Users
Enumerate Domain Info
Enumerate Password Policy
Enumerate LAPS Passwords
Enumerate Active Directory Information
Enumerate Domain Controllers
Enumerate Domain Trusts
Enumerate ACLs
Enumerate Group Policy Objects (GPOs)
Enumerate Delegations
Enumerate Computers
BLOODHOUND Domain Enumeration
Another great tool for enumerating AD is BloodHound. There is no alternative to BloodHound 😁
Let's download BloodHound.
BloodHound uses graph theory to reveal the hidden and often unintended relationships within an Active Directory or Azure environment. Attackers can use BloodHound to easily identify highly complex attack paths that would otherwise be impossible to quickly identify. Defenders can use BloodHound to identify and eliminate those same attack paths. Both blue and red teams can use BloodHound to easily gain a deeper understanding of privilege relationships in an Active Directory or Azure environment.
BloodHound has its own documentation (feel free to read it).
Let's download BloodHound from their docs.
I set up BloodHound in my opt directory.
Set up a password for BloodHound:
After opening BloodHound we give the neo4j default credentials 'neo4j:neo4j' and it will ask us to set up a new password.
Visit localhost:7474, then give the default credentials neo4j:neo4j, then a new-password prompt will open; set it up.
Reset BloodHound Credentials
You can reset the password via:
After going to BloodHound it will ask us for some data, so we have to give it some data here.
In the brute forcing passwords section we got some SMB credential hits, right?
I just copied everything into creds.txt. Let's extract our credentials.
Open the file in Vim:
Enter Normal mode: press Esc to ensure you are in Normal mode.
Run the substitution command: use the following command to transform each line:
By following these steps, you will transform each line from the format "SMB 10.10.0.100 445 DC1 [+] xyz.com\abutler:softball" to the desired username:password format, like abutler:softball.
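The same transformation, as an added Python example rather than the write-up's Vim command: it extracts username:password pairs from CME's SMB output and skips the [-] STATUS_LOGON_FAILURE lines. The sample output is constructed; only the DC1, 10.10.0.100, xyz.com and abutler:softball values come from the page.

```python
import re

# CME prints one line per attempt: protocol, host, port, hostname, result, then
# either DOMAIN\user:password on success or a STATUS_* code on failure.
# "(Pwn3d!)" is appended when the account is also a local admin on the target.
_HIT = re.compile(
    r"^SMB\s+(?P<host>\S+)\s+(?P<port>\d+)\s+(?P<name>\S+)\s+\[\+\]\s+"
    r"(?:(?P<domain>[^\\\s]+)\\)?(?P<user>[^:\s]+):(?P<password>.*?)"
    r"(?:\s+\(Pwn3d!\))?\s*$"
)

# Constructed sample in CME's SMB output layout (jsmith and the banner line are made up).
SAMPLE_OUTPUT = """\
SMB 10.10.0.100 445 DC1 [*] Windows Server 2019 Build 17763 (name:DC1) (domain:xyz.com)
SMB 10.10.0.100 445 DC1 [-] xyz.com\\abutler:Password1 STATUS_LOGON_FAILURE
SMB 10.10.0.100 445 DC1 [+] xyz.com\\abutler:softball
SMB 10.10.0.100 445 DC1 [-] xyz.com\\jsmith:softball STATUS_LOGON_FAILURE
SMB 10.10.0.100 445 DC1 [+] xyz.com\\jsmith:summer 2024 (Pwn3d!)
SMB 10.10.0.100 445 DC1 [+] xyz.com\\abutler:softball
"""

def extract_credentials(text):
    """Return {user: password} for [+] lines only; [-] and [*] lines are
    ignored and a user seen twice keeps its first password."""
    creds = {}
    for line in text.splitlines():
        m = _HIT.match(line)
        if m and m.group("user") not in creds:
            creds[m.group("user")] = m.group("password")
    return creds

def to_userpass_lines(creds):
    """Format as the user:password lines the write-up feeds to BloodHound."""
    return [f"{u}:{p}" for u, p in creds.items()]
```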
We have the credentials. Now we have to upload some data into the BloodHound GUI application.
BloodHound has a Python version of it. We can simply install it by running pip install bloodhound.
Let's make some changes. Let's add 10.10.0.100 dc1.xyz.com to our /etc/hosts and then change our nameserver in /etc/resolv.conf to nameserver 10.10.0.100.
Let's run bloodhound-python:
bloodhound-python: tool for collecting AD data.
-u abutler: username for authentication.
-p softball: password for the specified user.
-dc dc1.xyz.com: domain controller to connect to.
--disable-autogc: don't automatically select a Global Catalog (GC) server.
-d xyz.com: specifies the AD domain.
By running ls we find the files it produced.
Let's start our brute forcing.