Enumeration Techniques

PRACTICE ! PRACTICE ! PRACTICE !

Two popular methods to gain an initial foothold in an AD environment are OSINT and phishing

Credential Injection into Memory

Ever found AD credentials but nowhere to log in with them? - runas.exe

runas.exe is a legitimate Windows binary that can be used to inject the credentials into memory

runas.exe /netonly /user:<domain>\<username> cmd.exe
  • /netonly => Since we are not domain-joined, we want to load the credentials for network authentication but not authenticate against a domain controller. So commands executed locally on the computer will run in the context of your standard Windows account, but any network connections will occur using the account specified here

  • /user => Here, we provide the details of the domain and the username. It is always a safe bet to use the Fully Qualified Domain Name (FQDN) instead of just the NetBIOS name of the domain, since this will help with name resolution

Once you run this command, you will be prompted to supply a password. Note that since we added the /netonly parameter, the credentials will not be verified directly by a domain controller, so it will accept any password, even a wrong one. We still need to confirm that the network credentials were loaded successfully and correctly

Now that we have injected our AD credentials into memory, this is where the fun begins. With the /netonly option, all network communication will use these injected credentials for authentication

This includes all network communications of applications executed from that command prompt window

LDAP Enumeration

Any valid AD credential pair should be able to bind to a Domain Controller's LDAP interface. This will allow you to write LDAP search queries to enumerate information regarding the AD objects in the domain
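An added example (not part of the original notes) that ties the two points above together: because /netonly never checks the password, the first real test of the injected credentials is the network bind, so this script binds to the DC's LDAP interface from the runas-spawned window and, only if the bind succeeds, runs one paged search for computer objects. The DC hostname is a placeholder.

```powershell
# Added example: confirm credentials injected with runas /netonly by binding to LDAP,
# then run a single search. Run it from the window spawned by runas so the injected
# credentials are used for the network authentication.
$DomainController = 'dc01.corp.example.local'   # placeholder, replace with a real DC FQDN

function Test-LdapBind {
    param([string]$Server)
    try {
        # RootDSE is readable by any authenticated user; reading it forces the bind
        $rootDse = [ADSI]"LDAP://$Server/RootDSE"
        $namingContext = [string]$rootDse.defaultNamingContext.Value
        if (-not $namingContext) { throw 'RootDSE read returned no defaultNamingContext' }
        Write-Host "[+] Bind OK, default naming context: $namingContext"
        return $namingContext
    }
    catch {
        # With /netonly a mistyped password surfaces here, not at the runas prompt
        Write-Host "[-] LDAP bind failed (re-check the password given to runas): $($_.Exception.Message)"
        return $null
    }
}

function Get-LdapComputers {
    param([string]$Server, [string]$SearchBase)
    $root = [ADSI]"LDAP://$Server/$SearchBase"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter = '(objectClass=computer)'
    $searcher.PageSize = 500    # paged results; an unpaged query is capped at 1000 entries
    [void]$searcher.PropertiesToLoad.AddRange(@('name', 'operatingSystem', 'dNSHostName'))
    foreach ($result in $searcher.FindAll()) {
        # Wrap in @() so a missing attribute yields $null instead of an index error
        [pscustomobject]@{
            Name            = @($result.Properties['name'])[0]
            OperatingSystem = @($result.Properties['operatingsystem'])[0]
            DnsHostName     = @($result.Properties['dnshostname'])[0]
        }
    }
}

$nc = Test-LdapBind -Server $DomainController
if ($nc) { Get-LdapComputers -Server $DomainController -SearchBase $nc | Format-Table -AutoSize }
```

A failed bind with a "logon failure" message means the password typed at the runas prompt was wrong; re-run runas rather than continuing with the same window.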

PowerView

PowerView is a reconnaissance script that is part of the PowerSploit project. Although this project is no longer receiving support, scripts such as PowerView can be incredibly useful for performing semi-manual enumeration of AD objects in a pinch

WMI

WMI can be used to enumerate information from Windows hosts. It has a provider called "root\directory\ldap" that can be used to interact with AD. We can use this provider and WMI in PowerShell to perform AD enumeration
