https://ethicalhackersacademy.com/blogs/ethical-hackers-academy/active-directory
Active Directory (AD) is a Microsoft directory service that runs on Windows Server. It is used to manage permissions and resources across the network, and it authenticates and authorizes every user and computer in a Windows domain.
Recent attacks frequently target vulnerable Active Directory deployments in enterprise networks, where thousands of computers are managed from a single point of control, the domain controller. That makes the domain controller one of the main targets of APT groups: whoever controls it controls the domain.
Although exploiting Active Directory is a demanding task, this Active Directory exploitation cheat sheet collects the common enumeration and attack methods and organizes them into the following phases to keep things simple.
- Recon
- Domain Enum
- Local Privilege Escalation
- User Hunting
- Domain Admin Privileges
- Database Hunting
- Data Exfiltration
- Active Directory Exploitation Tools
Reconnaissance
The recon phase consists of several modules. The port scan below uses PowerSploit's Invoke-Portscan; the usage examples in the block comment show the operations it supports.
PORT SCAN
Import-Module .\Invoke-Portscan.ps1
<#
Scan the 50 most common ports on three named hosts:
Invoke-Portscan -Hosts "websrv.domain.local,wsus.domain.local,apps.domain.local" -TopPorts 50
Read the target from the pipeline, scan three ports and write greppable output (-f overwrites an existing output file):
echo websrv.domain.local | Invoke-Portscan -oG test.gnmap -f -ports "80,443,8080"
Sweep a /24 at timing template 4 for the top 25 ports and write all output formats with the prefix "localnet":
Invoke-Portscan -Hosts 172.16.0.0/24 -T 4 -TopPorts 25 -oA localnet
#>
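When Invoke-Portscan.ps1 cannot be dropped on the box, the same recon step can be done with plain PowerShell. The following is an added example (not code from the original cheat sheet or from PowerSploit): a TCP connect scan with a per-port timeout over a list of hosts, defaulting to the ports that matter when hunting domain controllers. The host names and the port list are assumptions for illustration.

```powershell
# Added example, not part of the original cheat sheet: a minimal TCP connect
# scan in plain PowerShell for hosts where Invoke-Portscan.ps1 is not available.
# Host names and the default port list are assumptions for illustration.
function Test-TcpPort {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][int]$Port,
        [int]$TimeoutMs = 500
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Asynchronous connect so a filtered port does not block for the OS default timeout
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)   # throws if the connection was refused
        return $true
    } catch {
        # Refused, unreachable or unresolvable host: report the port as closed
        return $false
    } finally {
        $client.Close()
    }
}

function Invoke-MiniPortscan {
    param(
        [Parameter(Mandatory)][string[]]$Hosts,
        # Ports that identify domain controllers and common Windows services
        # (DNS, Kerberos, RPC, NetBIOS, LDAP, SMB, kpasswd, LDAPS, GC, WinRM, ADWS)
        [int[]]$Ports = @(53, 88, 135, 139, 389, 445, 464, 636, 3268, 3269, 5985, 9389),
        [int]$TimeoutMs = 500
    )
    foreach ($h in $Hosts) {
        foreach ($p in $Ports) {
            [pscustomobject]@{
                Host = $h
                Port = $p
                Open = Test-TcpPort -ComputerName $h -Port $p -TimeoutMs $TimeoutMs
            }
        }
    }
}

# Usage (host names are assumed): report only open ports, one line per host
Invoke-MiniPortscan -Hosts 'websrv.domain.local', 'dc01.domain.local' |
    Where-Object Open |
    Group-Object Host |
    ForEach-Object { "{0}: {1}" -f $_.Name, (($_.Group.Port | Sort-Object) -join ',') }
```

A connect scan completes the TCP handshake on every open port, so it is noisier than Invoke-Portscan's discovery options and will show up in the target's logs; a host with 88, 389 and 9389 open is almost certainly a domain controller.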
AD MODULE WITHOUT RSAT
The trick for running AD enumeration commands from the ActiveDirectory PowerShell module on a system without RSAT is the DLL Microsoft.ActiveDirectory.Management.dll, which lives under C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.ActiveDirectory.Management on a system that does have RSAT installed.
Set up your own AD VM, install RSAT, copy the DLL out of that directory, and drop it on the system you will use to enumerate Active Directory. Importing the DLL registers the AD cmdlets; Get-Command confirms they resolve:
Import-Module .\Microsoft.ActiveDirectory.Management.dll
Get-Command get-adcom*
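The following is an added example (not from the original page): a small loader that uses the RSAT module when it is present, falls back to the copied DLL otherwise, and verifies that the cmdlets the rest of this cheat sheet relies on actually resolve. The DLL path is an assumption for illustration.

```powershell
# Added example, not from the original page: load the ActiveDirectory module if
# RSAT is present, otherwise fall back to a copied Microsoft.ActiveDirectory.Management.dll.
# The DLL path below is an assumption for illustration.
function Import-ADModuleOrDll {
    param([string]$DllPath = 'C:\Tools\Microsoft.ActiveDirectory.Management.dll')

    if (Get-Module -Name ActiveDirectory -ListAvailable) {
        Import-Module -Name ActiveDirectory -ErrorAction Stop
        $source = 'RSAT ActiveDirectory module'
    } elseif (Test-Path -LiteralPath $DllPath) {
        Import-Module -Name $DllPath -ErrorAction Stop
        $source = "DLL at $DllPath"
    } else {
        throw "Neither RSAT nor the DLL at $DllPath is available"
    }

    # Sanity check: the cmdlets used in the enumeration sections must now resolve
    $required = 'Get-ADDomain', 'Get-ADDomainController', 'Get-ADUser', 'Get-ADComputer'
    $missing = $required | Where-Object { -not (Get-Command $_ -ErrorAction SilentlyContinue) }
    if ($missing) { throw "Loaded $source but missing cmdlets: $($missing -join ', ')" }
    return $source
}

# Usage
$loadedFrom = Import-ADModuleOrDll
"AD cmdlets loaded from: $loadedFrom"

# The cmdlets talk to a domain controller over Active Directory Web Services
# (TCP 9389), so a failure here is usually network reachability, not the import
Get-ADDomainController -Discover | Select-Object HostName, Site
```

Note that the DLL only gives you the cmdlets; every query still goes to a DC over ADWS on TCP 9389, so if that port is filtered the module loads fine but every Get-AD* call fails.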
Domain Enumeration
DOMAIN
The PowerView cmdlets below assume PowerView.ps1 has been imported; the ActiveDirectory module cmdlets assume the module, or the DLL from the previous section, has been loaded.
- Get current domain
Get-NetDomain (PowerView)
Get-ADDomain (ActiveDirectory module)
- Get object of another domain
Get-NetDomain -Domain domain.local
Get-ADDomain -Identity domain.local
- Get domain SID for the current domain
Get-DomainSID
(Get-ADDomain).DomainSID
- Get domain policy for the current domain
Get-DomainPolicy
(Get-DomainPolicy)."system access"
- Get domain policy for another domain
(Get-DomainPolicy -Domain domain.local)."system access"
(Newer PowerView builds name this cmdlet Get-DomainPolicyData and keep Get-DomainPolicy as an alias.)
- Get domain controllers for the current domain
Get-NetDomainController
Get-ADDomainController
(Get-ADDomainController with no arguments returns only the DC the session is bound to; use Get-ADDomainController -Filter * to list all of them.)
- Get domain controllers for another domain
Get-NetDomainController -Domain domain.local
Get-ADDomainController -DomainName domain.local -Discover
USERS
- Get a list of users in the current domain
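The DOMAIN items above are usually run one at a time; on an engagement it is more useful to collect them into a single snapshot. The following is an added example (not code from the original cheat sheet or from PowerView) that uses the ActiveDirectory module to gather the domain, its SID, its domain controllers and its default password policy, plus the user count that the USERS bullet above is about. It assumes the module (or the DLL fallback) is loaded and that the current user is a domain member; the domain name in the usage line is an assumption.

```powershell
# Added example, not from the original cheat sheet: collect the DOMAIN
# enumeration items into one object with the ActiveDirectory module.
# Assumes the module (or the DLL fallback) is loaded; $Domain defaults to
# the current domain, and another domain needs a trust path to be reachable.
function Get-DomainSnapshot {
    param([string]$Domain)   # e.g. 'domain.local'; omitted = current domain

    $domainArgs = @{}
    if ($Domain) { $domainArgs['Identity'] = $Domain }
    $dom    = Get-ADDomain @domainArgs -ErrorAction Stop
    $server = $dom.PDCEmulator   # query a DC of that domain, not the local one

    # Default password policy: the ActiveDirectory module equivalent of
    # PowerView's (Get-DomainPolicy)."system access"
    $policy = Get-ADDefaultDomainPasswordPolicy -Identity $dom.DNSRoot -Server $server
    # -Filter * lists every DC; Get-ADDomainController alone returns only the bound one
    $dcs    = Get-ADDomainController -Filter * -Server $server

    [pscustomobject]@{
        Domain            = $dom.DNSRoot
        NetBIOS           = $dom.NetBIOSName
        DomainSID         = $dom.DomainSID.Value
        Forest            = $dom.Forest
        FunctionalLevel   = $dom.DomainMode
        PDCEmulator       = $dom.PDCEmulator
        DomainControllers = @($dcs | Select-Object -ExpandProperty HostName)
        MinPasswordLength = $policy.MinPasswordLength
        LockoutThreshold  = $policy.LockoutThreshold   # 0 means no lockout
        UserCount         = @(Get-ADUser -Filter * -Server $server).Count
    }
}

# Usage: current domain first, then another domain by name (assumed example name)
Get-DomainSnapshot | Format-List
(Get-DomainSnapshot -Domain 'domain.local').DomainControllers
```

Pinning every query to the domain's PDC emulator with -Server keeps a cross-domain snapshot from silently answering from a DC of your own domain, and the LockoutThreshold field tells you up front whether password spraying in the User Hunting phase would lock accounts.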