Generating my own set of credentials.
Credential Injection – AD enumeration
$dnsip = "10.200.49.101"
$index = Get-NetAdapter -Name 'Ethernet' | Select-Object -ExpandProperty 'ifIndex'
Set-DnsClientServerAddress -InterfaceIndex $index -ServerAddresses $dnsip
It didn’t work for the runas.exe command. It was because the OpenVPN network adapter was still using the IPv6 DNS servers assigned by DHCP.
Enumeration through Microsoft Management Console
Further enumeration based on TryHackMe tasks:
Task 4: Enumeration through Command Prompt
Now I will be using an AD-joined computer. The net user command does not work from runas.exe.
net user /domain
net user <username> /domain
net group /domain
Password policy:
net accounts /domain
Commands used to retrieve answers for the THM task.
Task 5 – Enumeration through PowerShell
PowerShell cmdlets for Active Directory: https://docs.microsoft.com/en-us/powershell/module/activedirectory/?view=windowsserver2022-ps
Get-ADGroupMember -Identity Administrators -Server za.tryhackme.com
If we want to find accounts that are candidates for password spraying, we can look at the “badPwdCount” attribute. Combined with the password policy (lockout threshold from net accounts /domain), this lets us avoid locking accounts out.
Get-ADObject -Filter 'badPwdCount -gt 0' -Server za.tryhackme.com
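Added example, not from these notes or the THM room: badPwdCount is not replicated between domain controllers, so the single-DC query above only shows failed logons that one DC handled. This script queries every DC and reports, per account, the highest count seen and whether it sits within one attempt of the lockout threshold, which is what a defender watches to spot a spray in progress. Assumes the ActiveDirectory module and a valid domain credential; the domain name is the one used in the notes.

```powershell
# Added example (not the original notes' code). badPwdCount is NOT replicated
# between domain controllers, so it has to be read from each DC separately.
# Assumption: ActiveDirectory RSAT module is installed and the session holds
# a credential that can read user objects in the domain.
Import-Module ActiveDirectory

$domain = "za.tryhackme.com"   # domain from the notes

# Lockout threshold from the default domain password policy (0 = no lockout)
$policy    = Get-ADDefaultDomainPasswordPolicy -Server $domain
$threshold = $policy.LockoutThreshold

# Ask every DC for accounts that have at least one recent failed logon
$results = foreach ($dc in Get-ADDomainController -Filter * -Server $domain) {
    Get-ADUser -Server $dc.HostName -Filter 'badPwdCount -gt 0' `
        -Properties badPwdCount, badPasswordTime, LockedOut |
      ForEach-Object {
        [PSCustomObject]@{
            SamAccountName = $_.SamAccountName
            DC             = $dc.HostName
            BadPwdCount    = $_.badPwdCount
            # badPasswordTime is stored as a Windows FILETIME (Int64)
            LastBadPwd     = [DateTime]::FromFileTime($_.badPasswordTime)
            LockedOut      = $_.LockedOut
        }
      }
}

# Aggregate per account: the highest count on any single DC is the one that
# decides lockout, and counting reporting DCs shows how widely it is being hit.
$results | Group-Object SamAccountName | ForEach-Object {
    $worst = $_.Group | Sort-Object BadPwdCount -Descending | Select-Object -First 1
    [PSCustomObject]@{
        Account      = $_.Name
        MaxBadPwd    = $worst.BadPwdCount
        OnDC         = $worst.DC
        LastBadPwd   = $worst.LastBadPwd
        LockedOut    = $worst.LockedOut
        NearLockout  = ($threshold -gt 0 -and $worst.BadPwdCount -ge ($threshold - 1))
        DCsReporting = $_.Count
    }
} | Sort-Object MaxBadPwd -Descending | Format-Table -AutoSize
```

Many accounts with MaxBadPwd of 1 or 2 and a LastBadPwd clustered within a few minutes is the typical footprint of a spray that stays under the threshold; a single account with a high count and LockedOut set points at a targeted guess instead.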
Task 5 solutions:
What is the value of the Title attribute of Beth Nolan (beth.nolan)?
Get-ADUser -Identity beth.nolan -Server za.tryhackme.com -Properties Title
What is the value of the DistinguishedName attribute of Annette Manning (annette.manning)?
Get-ADUser -Identity annette.manning -Server za.tryhackme.com -Properties DistinguishedName
When was the Tier 2 Admins group created?
Get-ADGroup -Identity "Tier 2 Admins" -Properties whenCreated
What is the value of the SID attribute of the Enterprise Admins group?
Get-ADGroup -Identity "Enterprise Admins"
Which container is used to store deleted AD objects?
Task 6 – Enumeration through Bloodhound
.\SharpHound.exe --CollectionMethods All --Domain za.tryhackme.com --ExcludeDCs
I will use the AttackBox to speed up my work:
neo4j console start
and in another terminal:
bloodhound --no-sandbox
Further learning:
- LDAP enumeration – Any valid AD credential pair should be able to bind to a Domain Controller’s LDAP interface. This will allow you to write LDAP search queries to enumerate information regarding the AD objects in the domain.
- PowerView – PowerView is a recon script part of the PowerSploit project. Although this project is no longer receiving support, scripts such as PowerView can be incredibly useful to perform semi-manual enumeration of AD objects in a pinch.
- Windows Management Instrumentation (WMI) – WMI can be used to enumerate information from Windows hosts. It has a provider called “root\directory\ldap” that can be used to interact with AD. We can use this provider and WMI in PowerShell to perform AD enumeration.