Enumerating and Attacking Active Directory and more
Check out the following links:
- AD Attack Methodology using Tools
- How to use Mimikatz
- Syntax for Tools
Credential Injection:
runas
runas.exe /netonly /user:<domain>\<username> cmd.exe
/netonly = the creds are used for network auth only (SMB, LDAP, RPC); the local process still runs as your current user, so whoami in that window will not show the injected account
- the password is NOT checked against a DC at launch, so a typo only shows up as a logon failure on the first network access (test it against a share straight away)
configuring own DNS - in case it has not been done (hostnames must resolve or Kerberos cannot be used at all)
$dnsip = "<DC IP>"
$index = Get-NetAdapter -Name 'Ethernet' | Select-Object -ExpandProperty 'ifIndex'
Set-DnsClientServerAddress -InterfaceIndex $index -ServerAddresses $dnsip
- 'Ethernet' is the name of whichever interface is connected to the target network (list them with Get-NetAdapter)
SYSVOL
- shared folder present on every DC, storing Group Policy Objects (GPOs) and logon scripts
- readable by any authenticated domain user, which makes it a convenient low-noise target for checking whether injected creds work
is there a difference between using hostname vs IP?
YES! It all comes down to the auth method used. When a hostname is used, network auth first attempts Kerberos,
since Kerberos builds the service principal name (e.g. cifs/dc.za.tryhackme.com) from the hostname, and that SPN ends up embedded in the ticket.
When an IP is used no SPN can be built, so the client falls back to NTLM (default behaviour; Windows can be configured to try IP-based SPNs, but that is rare)
It matters for stealth during assessments: forcing NTLM avoids the Kerberos ticket requests logged on the DC (events 4768/4769), but NTLM validation is itself logged on the DC (event 4776) and some environments alert on NTLM specifically, so choose based on what the target monitors
so remember \\za.tryhackme.com\SYSVOL = Kerberos authentication
\\<ip address>\SYSVOL = NTLM authentication
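The following is an added example (not part of the original notes) that ties the credential-injection, DNS and hostname-vs-IP points together. It is meant to be run inside the window opened by `runas.exe /netonly /user:za.tryhackme.com\<username> powershell.exe`. The DC IP, the domain name and the choice of interface are assumptions; replace them for the target.

```powershell
# Added example, not from the original notes. Run INSIDE a /netonly shell:
#   runas.exe /netonly /user:za.tryhackme.com\<username> powershell.exe
# Assumptions: $DcIp is the DC's address, the first 'Up' adapter is the one
# facing the target network, and the domain is za.tryhackme.com.
$DcIp   = '10.200.0.101'        # assumption: replace with the real DC IP
$Domain = 'za.tryhackme.com'

# 1. Point DNS at the DC so the domain name and DC hostnames resolve.
#    Without this, Kerberos is impossible because no SPN can be built.
$index = Get-NetAdapter | Where-Object Status -eq 'Up' |
         Select-Object -First 1 -ExpandProperty ifIndex
Set-DnsClientServerAddress -InterfaceIndex $index -ServerAddresses $DcIp
Resolve-DnsName -Name $Domain -Type A -Server $DcIp | Select-Object Name, IPAddress

# 2. /netonly never validated the password; the first network access does.
#    Accessing SYSVOL by HOSTNAME makes the client request Kerberos tickets.
#    A wrong password fails here with 'logon failure' rather than at runas.
klist purge | Out-Null                                   # start with an empty ticket cache
Get-ChildItem "\\$Domain\SYSVOL" -ErrorAction Stop | Select-Object -First 3 Name
klist | Select-String 'krbtgt|cifs'                      # expect a krbtgt TGT and a cifs/<dc-fqdn> ticket

# 3. Same share by IP: no hostname, so no SPN, so SMB negotiates NTLM instead.
klist purge | Out-Null
Get-ChildItem "\\$DcIp\SYSVOL" | Select-Object -First 3 Name
klist | Select-String 'cifs'                             # prints nothing: no Kerberos ticket was requested
```

klist reports tickets for the current logon session only; because runas /netonly gives the new process its own logon session, the tickets listed in that window are the ones obtained with the injected credentials, not those of your local account.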
Enumerating through the Microsoft Management Console (MMC)
- using the GUI (the AD snap-ins only exist if the RSAT AD DS tools are installed)
- the steps
Click File -> Add/Remove Snap-in
Select and Add all three Active Directory Snap-ins
Click through any errors and warnings
Right-click on Active Directory Domains and Trusts and select Change Forest
Enter za.tryhackme.com as the Root domain and Click OK
Right-click on Active Directory Sites and Services and select Change Forest
Enter za.tryhackme.com as the Root domain and Click OK
Right-click on Active Directory Users and Computers and select Change Domain
Enter za.tryhackme.com as the Domain and Click OK
Right-click on Active Directory Users and Computers in the left-hand pane
Click on View -> Advanced Features
Enumerating through command prompt
users:
net user /domain - lists all users
- specific user
net user batman.robin /domain
Groups:
net group /domain
- specific group
net group "Tier 1 Admins" /domain
Password policy (lockout threshold, lockout duration and observation window - check these before any password spraying)
net accounts /domain
Enumerating through PowerShell (ActiveDirectory module, installed with RSAT)
Users:
Get-ADUser -Identity gordon.stevens -Server za.tryhackme.com -Properties *
- -Server is needed when the machine is not domain-joined (e.g. in a /netonly shell); otherwise the cmdlet has no DC to talk to
filter parameter:
Get-ADUser -Filter 'Name -like "*stevens"' -Server za.tryhackme.com | Format-Table Name,SamAccountName -A
Groups:
Get-ADGroup -Identity Administrators -Server za.tryhackme.com
Group membership:
Get-ADGroupMember -Identity Administrators -Server za.tryhackme.com
AD objects: listing all changes after a specific date
$ChangeDate = New-Object DateTime(2022, 02, 28, 12, 00, 00)
Get-ADObject -Filter 'whenChanged -gt $ChangeDate' -includeDeletedObjects -Server za.tryhackme.com
badPwdCount -gt 0: accounts with recent failed logons - check before password spraying so you do not push someone over the lockout threshold (badPwdCount is kept per DC and is not replicated, so query each DC)
Get-ADObject -Filter 'badPwdCount -gt 0' -Server za.tryhackme.com
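The following is an added example (not part of the original notes) that turns the password-policy and badPwdCount checks into a pre-spray safety list. It assumes the ActiveDirectory module is available, the domain is za.tryhackme.com, and the shell already holds valid domain credentials (e.g. via runas /netonly). The two-attempt safety margin is a choice made here, not something the page specifies.

```powershell
# Added example, not from the original notes. Builds the list of users that can
# safely take another logon attempt without being locked out.
# Assumptions: ActiveDirectory module present, domain za.tryhackme.com,
# a shell that can already authenticate to the domain.
Import-Module ActiveDirectory
$Domain = 'za.tryhackme.com'
$Margin = 2   # assumption: stay this many attempts below the lockout threshold

# Lockout settings live in the default domain policy (same values 'net accounts /domain' prints)
$policy    = Get-ADDefaultDomainPasswordPolicy -Server $Domain
$threshold = $policy.LockoutThreshold            # 0 = no lockout configured
$window    = $policy.LockoutObservationWindow    # TimeSpan after which badPwdCount resets

# badPwdCount is NOT replicated between DCs, so ask every DC and keep the highest value per user
$dcs    = Get-ADDomainController -Filter * -Server $Domain | Select-Object -ExpandProperty HostName
$counts = @{}
foreach ($dc in $dcs) {
    Get-ADUser -Filter 'Enabled -eq $true' -Server $dc -Properties badPwdCount,badPasswordTime |
        ForEach-Object {
            $sam = $_.SamAccountName
            $c   = [int]$_.badPwdCount
            if (-not $counts.ContainsKey($sam) -or $c -gt $counts[$sam].BadCount) {
                # badPasswordTime is a FILETIME (Int64); 0 means never
                $lastBad = if ($_.badPasswordTime) { [DateTime]::FromFileTime($_.badPasswordTime) } else { $null }
                $counts[$sam] = [pscustomobject]@{ BadCount = $c; LastBad = $lastBad; DC = $dc }
            }
        }
}

# Work out how many attempts each account can still absorb
$safe = foreach ($sam in $counts.Keys) {
    $entry     = $counts[$sam]
    $effective = $entry.BadCount
    # a count older than the observation window is stale: the DC resets it on the next attempt
    if ($entry.LastBad -and ((Get-Date) - $entry.LastBad) -gt $window) { $effective = 0 }
    $remaining = if ($threshold -eq 0) { [int]::MaxValue } else { $threshold - $effective - $Margin }
    if ($remaining -gt 0) {
        [pscustomobject]@{ User = $sam; BadPwdCount = $entry.BadCount; AttemptsLeft = $remaining; SeenOn = $entry.DC }
    }
}
$safe | Sort-Object AttemptsLeft | Format-Table -AutoSize
```

Accounts missing from the output are the ones to leave alone for at least one observation window; re-run the script after that period rather than guessing when the counter has reset.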
Info on Domains
Get-ADDomain -Server za.tryhackme.com
Altering AD objects (changing someone's password is destructive and noisy - only with explicit approval, and record the old value so it can be restored):
Set-ADAccountPassword -Identity gordon.stevens -Server za.tryhackme.com -OldPassword (ConvertTo-SecureString -AsPlainText "old" -Force) -NewPassword (ConvertTo-SecureString -AsPlainText "new" -Force)
BloodHound
SharpHound is the data collector (ingestor) for BloodHound
It enumerates AD information (users, groups, computers, sessions, ACLs, trusts) and writes JSON/zip output that BloodHound, the actual GUI, imports to draw the AD attack-path graphs
- collection is noisy: session and local-group collection connects to every reachable host, so scope the collection methods to what the assessment needs