Initial Enumeration of AD Network
Here are some main tasks we need to accomplish when initially enumerating a network:
Enumerate the internal network, identifying hosts, critical services, and potential avenues for a foothold.
This can include active and passive measures to identify users, hosts, and vulnerabilities we may be able to take advantage of to further our access.
Document any findings we come across for later use. Extremely important!
Key Data Points
AD Users: We are trying to enumerate valid user accounts we can target for password spraying.
AD Joined Computers: Key computers include Domain Controllers, file servers, SQL servers, web servers, Exchange mail servers, database servers, etc.
Key Services: Kerberos, NetBIOS, LDAP, DNS.
Vulnerable Hosts and Services: Anything that can be a quick win (i.e., an easy host to exploit and gain a foothold on).
We will start with passive identification of any hosts in the network, followed by active validation of the results to find out more about each host (what services are running, names, potential vulnerabilities, etc.).
IMPORTANT: After we have enumerated a new host, we should stop, regroup, and look at what information we have.
We can use Wireshark and TCPDump to "put our ear to the wire" and see what hosts and types of network traffic we can capture.
Wireshark Output
ARP packets make us aware of the hosts 172.16.5.5, 172.16.5.25, 172.16.5.50, 172.16.5.100, and 172.16.5.125.
MDNS makes us aware of the ACADEMY-EA-WEB01 host.
Tcpdump Output
Depending on the host you are on, you may already have a network monitoring tool built in, such as pktmon.exe, which was added to all editions of Windows 10.
NOTE: For testing, it is always a good idea to save the PCAP traffic you capture.
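As an added illustration (not part of the original notes), the passive step above can be scripted: the snippet below parses tcpdump-style text lines (a constructed sample, not a real capture) and builds a host inventory from ARP and mDNS traffic, separating hosts that actually transmitted from addresses that were merely asked for in an ARP request.

```python
import re
from collections import defaultdict

# Constructed sample in tcpdump's default text layout (not a real capture).
SAMPLE = """\
12:11:53.343301 ARP, Request who-has 172.16.5.25 tell 172.16.5.5, length 46
12:11:53.343450 ARP, Reply 172.16.5.25 is-at 00:50:56:b9:aa:01, length 28
12:11:54.101222 ARP, Request who-has 172.16.5.100 tell 172.16.5.50, length 46
12:11:55.009876 IP 172.16.5.50.5353 > 224.0.0.251.5353: 0 A (QM)? ACADEMY-EA-WEB01.local. (36)
12:11:55.010001 IP 172.16.5.125.5353 > 224.0.0.251.5353: 0 PTR (QM)? _smb._tcp.local. (38)
"""

ARP_REQ = re.compile(r"ARP, Request who-has (\S+) tell (\S+),")
ARP_REP = re.compile(r"ARP, Reply (\S+) is-at ([0-9a-f:]{17}),")
MDNS_SRC = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.5353 > 224\.0\.0\.251\.5353:")
MDNS_NAME = re.compile(r"\s([A-Za-z0-9][A-Za-z0-9-]*)\.local\.")  # host labels, not _svc._tcp ones

def inventory(text):
    """Map every IP seen in ARP/mDNS lines to its evidence types, MAC and mDNS hostnames."""
    hosts = defaultdict(lambda: {"evidence": set(), "mac": None, "names": set()})
    for line in text.splitlines():
        if m := ARP_REQ.search(line):
            hosts[m[1]]["evidence"].add("arp-target")  # someone asked for it; not proof it is up
            hosts[m[2]]["evidence"].add("arp-sender")  # the asker definitely transmitted
        elif m := ARP_REP.search(line):
            hosts[m[1]]["evidence"].add("arp-reply")
            hosts[m[1]]["mac"] = m[2]
        elif m := MDNS_SRC.search(line):
            hosts[m[1]]["evidence"].add("mdns")
            if n := MDNS_NAME.search(line):
                hosts[m[1]]["names"].add(n[1])
    return dict(hosts)

def confirmed(hosts):
    """IPs that sent traffic themselves; an 'arp-target' entry alone stays unconfirmed."""
    live = [ip for ip, h in hosts.items() if h["evidence"] - {"arp-target"}]
    return sorted(live, key=lambda ip: tuple(map(int, ip.split("."))))

if __name__ == "__main__":
    inv = inventory(SAMPLE)
    for ip in confirmed(inv):
        print(ip, sorted(inv[ip]["evidence"]), inv[ip]["mac"], sorted(inv[ip]["names"]))
```

Feed it the text of a saved capture (tcpdump -r file.pcap) and the unconfirmed addresses are the ones worth an active check next.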
Starting Responder
FPing Active Checks
We will perform a ping sweep of the subnet using fping, which allows us to issue ICMP packets against multiple hosts at once. NOTE: Windows Defender blocks ICMP by default, so this may not work.
Nmap Scanning
From the nmap output we can identify which operating systems these hosts are running, as well as their versions. Strangely enough, it is still common to see legacy software or end-of-life operating systems being used in enterprise environments.
We need to find our way to a domain user account or SYSTEM-level access on a domain-joined host so we can gain a foothold and start the real fun. The best way is by finding credentials, either in plaintext or as an NTLM password hash.
Obtaining a valid user with credentials is critical in the early stages of an internal penetration test.
Cloning Kerbrute GitHub Repo
Compiling for Multiple Platforms and Architectures
Testing the kerbrute_linux_amd64 Binary
Enumerating Users with Kerbrute
It is also very common for third-party services to run in the context of this account by default. Having SYSTEM-level access within a domain environment is nearly equivalent to having a domain user account.
There are several ways to gain SYSTEM-level access on a host, including but not limited to:
Remote Windows exploits such as MS08-067, EternalBlue, or BlueKeep.
Local privilege escalation flaws in Windows operating systems such as the Windows 10 Task Scheduler 0-day.
Gaining admin access on a domain-joined host with a local account and using PsExec to launch a SYSTEM cmd window.
By gaining SYSTEM-level access on a domain-joined host, you will be able to perform actions such as, but not limited to:
Enumerate the domain using built-in tools or offensive tools such as BloodHound and PowerView.
Perform Kerberoasting / ASREPRoasting attacks within the same domain.
Run tools such as Inveigh to gather Net-NTLMv2 hashes or perform SMB relay attacks.
Perform token impersonation to hijack a privileged domain user account.
Carry out ACL attacks.
IMPORTANT (be quiet): Stealth is of concern. Throwing Nmap at an entire network is not exactly quiet, and many of the tools we commonly use on a penetration test will trigger alarms for an educated and prepared SOC or Blue Teamer. Always be sure to clarify the goal of your assessment with the client in writing before it begins.
If we are on a host without a GUI (which is typical), we can use , , and , etc., to perform the same functions. We can also use tcpdump to save a capture to a .pcap file, transfer it to another host, and open it in Wireshark.
Responder is a tool built to listen, analyze, and poison LLMNR, NBT-NS, and MDNS requests and responses.
The scan will perform several functions. One of the most important is a quick enumeration of well-known ports, including web services, domain services, etc.
Kerbrute can be a stealthier option for domain account enumeration. It takes advantage of the fact that Kerberos pre-authentication failures often will not trigger logs or alerts.
We will use Kerbrute in conjunction with the jsmith.txt or jsmith2.txt user lists from .
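Added example, not from the original notes, written from the blue-team side of the same point: where the domain controller audits Kerberos Authentication Service failures, the unknown-principal responses that a Kerbrute-style user enumeration provokes appear as Event 4768 with Status 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN), and a burst of them from one source stands out. The log lines and their key=value layout are constructed for the example, not real EVTX output.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified rendering of DC audit records (Event 4768 fields as key=value).
# 172.16.5.225 plays the host running a word-list user enumeration against the KDC.
SAMPLE_LOG = """\
2024-03-04T10:00:01 EventID=4768 Status=0x0 TargetUserName=jdoe IpAddress=::ffff:172.16.5.50
2024-03-04T10:00:05 EventID=4768 Status=0x6 TargetUserName=asmith IpAddress=::ffff:172.16.5.225
2024-03-04T10:00:05 EventID=4768 Status=0x6 TargetUserName=bjones IpAddress=::ffff:172.16.5.225
2024-03-04T10:00:06 EventID=4768 Status=0x6 TargetUserName=cmiller IpAddress=::ffff:172.16.5.225
2024-03-04T10:00:06 EventID=4768 Status=0x0 TargetUserName=jsmith IpAddress=::ffff:172.16.5.225
2024-03-04T10:00:07 EventID=4768 Status=0x6 TargetUserName=dlee IpAddress=::ffff:172.16.5.225
2024-03-04T10:00:07 EventID=4768 Status=0x6 TargetUserName=ewhite IpAddress=::ffff:172.16.5.225
2024-03-04T10:20:00 EventID=4768 Status=0x6 TargetUserName=jdoe2 IpAddress=::ffff:172.16.5.100
"""

LINE = re.compile(r"^(\S+) EventID=(\d+) Status=(0x[0-9a-fA-F]+) TargetUserName=(\S+) IpAddress=(\S+)$")

def parse(text):
    """Turn the key=value lines into (timestamp, event_id, status, user, ipv4) tuples."""
    events = []
    for line in text.splitlines():
        if m := LINE.match(line):
            ts, eid, status, user, ip = m.groups()
            ip = ip.replace("::ffff:", "")  # drop the IPv4-mapped prefix the DC records
            events.append((datetime.fromisoformat(ts), int(eid), status.lower(), user, ip))
    return events

def detect_user_enum(events, window=timedelta(minutes=5), threshold=5):
    """Alert on a source IP that requested TGTs for >= threshold distinct *unknown* principals
    (4768, Status 0x6) inside one sliding window. Successful 0x0 requests from the same IP
    are ignored: a word list naturally hits some real accounts too."""
    by_ip = defaultdict(list)
    for ts, eid, status, user, ip in events:
        if eid == 4768 and status == "0x6":
            by_ip[ip].append((ts, user))
    alerts = {}
    for ip, hits in by_ip.items():
        hits.sort()
        lo = 0
        for hi in range(len(hits)):
            while hits[hi][0] - hits[lo][0] > window:
                lo += 1  # slide the window's left edge forward
            distinct = {u for _, u in hits[lo:hi + 1]}
            if len(distinct) >= threshold:
                alerts[ip] = max(alerts.get(ip, 0), len(distinct))
    return alerts

if __name__ == "__main__":
    for ip, n in detect_user_enum(parse(SAMPLE_LOG)).items():
        print(f"possible Kerberos user enumeration from {ip}: {n} unknown principals")
```

Tune window and threshold to the environment; a single mistyped username from a workstation never reaches the threshold, while a word list of a few hundred names does within seconds.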
The account NT AUTHORITY\SYSTEM is a built-in account in Windows operating systems. It has the highest level of access in the OS and is used to run most Windows services.
Abusing a service running in the context of the SYSTEM account, or abusing the service account's SeImpersonate privilege using . This type of attack is possible on older Windows OS versions but not always possible with Windows Server 2019.
MDNS and ARP