Sunday, 9 December 2018

Pentesting AD - enumeration

Last time we prepared some small "AD environment". This time we'll try to 'enumerate AD' to get some useful information about the target. Here we go...
Let's start with the (nmap) scan again. According to the last post, we should be somewhere around here:

Let's assume we start our pentest 'without any user' on the remote host. We can try to enumerate valid accounts in a few ways. One of them is the Metasploit module called "kerberos_enumusers":

To use this module we need to prepare a list of account names we'd like to check. (I created mine in the /tmp/users.txt file.)


As you can see from the link to nmap's documentation in the Metasploit module, there is also a nice script to use during the scan (for port 88/tcp):

One of the users I 'found' was called 'tester'. It is the domain account of our 'normal user' from the last part.
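From the blue-team side, this kind of Kerberos user enumeration is visible on the domain controller: every probed name produces a Security event 4768 (TGT request), with result code 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN) for names that don't exist and 0x18 (KDC_ERR_PREAUTH_FAILED) for accounts that do. The detector below is an added example, not part of the original post; it assumes the 4768 records have been flattened to one line each in the constructed format shown, and the threshold and window are arbitrary starting values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security event 4768 records, one per line.
# Result codes: 0x6 = KDC_ERR_C_PRINCIPAL_UNKNOWN (no such account),
# 0x18 = KDC_ERR_PREAUTH_FAILED (account exists, wrong key), 0x0 = success.
SAMPLE_4768 = """\
2018-12-09T10:00:00 EventID=4768 IpAddress=::ffff:10.0.0.5 TargetUserName=admin ResultCode=0x6
2018-12-09T10:00:00 EventID=4768 IpAddress=::ffff:10.0.0.5 TargetUserName=tester ResultCode=0x18
2018-12-09T10:00:01 EventID=4768 IpAddress=::ffff:10.0.0.5 TargetUserName=backup ResultCode=0x6
2018-12-09T10:00:01 EventID=4768 IpAddress=::ffff:10.0.0.5 TargetUserName=guest ResultCode=0x6
2018-12-09T10:00:02 EventID=4768 IpAddress=::ffff:10.0.0.5 TargetUserName=svc_sql ResultCode=0x6
2018-12-09T10:00:02 EventID=4768 IpAddress=::ffff:10.0.0.5 TargetUserName=john ResultCode=0x6
2018-12-09T10:05:00 EventID=4768 IpAddress=::ffff:10.0.0.9 TargetUserName=tetser ResultCode=0x6
2018-12-09T10:05:10 EventID=4768 IpAddress=::ffff:10.0.0.9 TargetUserName=tester ResultCode=0x0
"""

EVENT_RE = re.compile(r"^(?P<ts>\S+) EventID=4768 IpAddress=(?P<ip>\S+) "
                      r"TargetUserName=(?P<user>\S+) ResultCode=(?P<code>0x[0-9a-f]+)$")

def parse_4768(text):
    """Parse the flattened lines into dicts; silently skip anything that does not match."""
    out = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.fromisoformat(rec["ts"])
            out.append(rec)
    return out

def find_enumeration(events, min_unknown=5, window=timedelta(minutes=1)):
    """Flag source IPs that received >= min_unknown distinct 'no such principal'
    answers inside `window`. A single 0x6 (a user mistyping their name, like
    10.0.0.9 here) is normal; a burst of different unknown names is not.
    For each flagged source also list names that answered 0x18, i.e. the
    accounts the source learned to be valid, which is what the tooling reports."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    hits = {}
    for ip, rows in by_ip.items():
        unknown = sorted((e["ts"], e["user"]) for e in rows if e["code"] == "0x6")
        for i, (t0, _) in enumerate(unknown):
            names = {u for t, u in unknown[i:] if t - t0 <= window}
            if len(names) >= min_unknown:
                hits[ip] = {"probed": sorted(names),
                            "valid": sorted({e["user"] for e in rows if e["code"] == "0x18"})}
                break
    return hits

if __name__ == "__main__":
    print(find_enumeration(parse_4768(SAMPLE_4768)))
```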

For now we have:
- domain name
- domain user account name

What we need now is the password. We can get it in a few ways, for example via RPC. :)

(Sometimes it's enabled for anonymous users too:


Anyway, a simple 'one-liner' is below:

When the password is correct you'll see rpcclient's prompt, like below:

According to the help command we can try to enumerate a 'few' more resources on the box. For example:

$> querydispinfo:

$> srvinfo:

$> dsr_getdcname:

(I will leave the rest of the help for you as an exercise ;))

So... as you remember (from the nmap output presented before) we also have some other ports open. Now we can use our newly grabbed password to try to access other services as well.

For enumeration we will try to access the information available via LDAP. To do that we can use a small tool from Sysinternals, AD Explorer:

Checking with our new credentials (user:tester) and...

(Of course you can use ldapsearch, available on Kali, to get some greppable results ;))

I think this is a good place to find some other juicy hints to use later during our pentest. ;] The same goes for another interesting service found during the scan: SMB. Checking our possibilities with the grabbed credentials:

Cool, so now we can see some shares. One of them is SYSVOL. Let's try to take a look in a more interactive way:

Checking (ls):

So far, so good. We can go through all the available dirs/files here (remember that this is my very-simple-and-default AD, so during a 'normal pentest' you will find a few more files if you get here ;) ):

To get some more information you can also use net rpc, for example:

There are multiple ways to use it :)

To not spoil too much, I will leave it for you as an exercise (because sometimes it depends on your access (read/write for the found/cracked account)).

Enough for the 'quick notes'. ;)

In case of any questions/comments - you know how to find me.

See you next time.

