# Enumeration

This section covers several methods that can be used to enumerate Active Directory.
These are the tools, methods, and techniques I've learnt and used from THM, HTB, TCM etc.

## Mapping out the Network
### fping

With fping we can specify a number of targets, including a whole subnet. It sends a packet to one target, then moves on to the next, and so on:

```bash
fping -agq 10.211.11.0/24
```

- `-a`: show only alive systems
- `-g`: generate the target list from the subnet
- `-q`: quiet mode; suppresses per-target error messages
### nmap (same technique as fping)

nmap with `-sn` (ping scan mode, no port scan) probes the entire subnet:

```bash
nmap -sn 10.211.11.0/24
```
## Port Scanning

Once we have our live hosts, these are the most common ports to scan:

| Port | Protocol | Possible use |
|---|---|---|
| 88 | Kerberos | Kerberos-based enumeration |
| 135 | MS-RPC | RPC enumeration (null sessions) |
| 139 | SMB/NetBIOS | Older/legacy SMB access |
| 389 | LDAP | LDAP queries to AD |
| 445 | SMB | Modern SMB access |
| 464 | Kerberos (kpasswd) | Password-related Kerberos service |

To scan all of these (reading the live hosts from `hosts.txt` and saving normal output to a file):

```bash
nmap -sS -p- -T3 -iL hosts.txt -oN full_port_scan.txt
```

For a more exhaustive/stealthier scan, we can use:

```bash
nmap -sS -p- -T3 -iL hosts.txt -oN full_port_scan.txt
```
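From the blue-team side, the host discovery and full port scan above leave a very recognisable footprint in firewall or flow logs: one source reaching many distinct hosts, or one source touching many distinct ports on a single host. The following is an added example (not part of the original notes) of a stdlib-only detector for both patterns; the log line format, the IP addresses and the thresholds are assumptions, and the sample log is constructed.

```python
"""Flag host sweeps and port scans in firewall / flow logs.

Added example, not part of the original notes: a stdlib-only detector for
the footprint an fping / nmap -sn sweep and an nmap -p- scan leave behind.
A source that reaches many distinct hosts is treated as a sweep; a source
that touches many distinct ports on one host is treated as a port scan.
The log line format, the IP addresses and the thresholds are assumptions.
"""
import re
from collections import defaultdict

# Assumed, syslog-like format: "<timestamp> src=<ip> dst=<ip> proto=<proto> [dport=<n>]"
LOG_RE = re.compile(
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+proto=(?P<proto>\S+)(?:\s+dport=(?P<dport>\d+))?"
)


def parse_line(line):
    """Return a dict with src, dst, proto and dport (int or None), or None if the line does not match."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"]) if rec["dport"] else None
    return rec


def detect(lines, sweep_hosts=10, scan_ports=50):
    """Return sorted (kind, who, count) alerts for host sweeps and port scans."""
    hosts_by_src = defaultdict(set)      # src -> distinct destination hosts
    ports_by_pair = defaultdict(set)     # (src, dst) -> distinct destination ports
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        hosts_by_src[rec["src"]].add(rec["dst"])
        if rec["dport"] is not None:
            ports_by_pair[(rec["src"], rec["dst"])].add(rec["dport"])

    alerts = []
    for src, dsts in hosts_by_src.items():
        if len(dsts) >= sweep_hosts:
            alerts.append(("host_sweep", src, len(dsts)))
    for (src, dst), ports in ports_by_pair.items():
        if len(ports) >= scan_ports:
            alerts.append(("port_scan", f"{src}->{dst}", len(ports)))
    return sorted(alerts)


# Constructed sample: an ICMP sweep of 24 hosts, a 100-port scan of one host,
# and a single ordinary SMB connection from another machine.
SAMPLE_LOG = (
    [f"2024-05-01T10:00:{i:02d}Z src=10.211.11.50 dst=10.211.11.{i} proto=icmp" for i in range(1, 25)]
    + [f"2024-05-01T10:05:00Z src=10.211.11.50 dst=10.211.11.10 proto=tcp dport={p}" for p in range(1, 101)]
    + ["2024-05-01T10:06:00Z src=10.211.11.7 dst=10.211.11.10 proto=tcp dport=445"]
)

if __name__ == "__main__":
    for kind, who, count in detect(SAMPLE_LOG):
        print(f"{kind}: {who} ({count})")
```

The thresholds are deliberately coarse; in a real deployment they would be tuned per network segment and evaluated over a time window, since a backup server or a vulnerability scanner legitimately produces the same shape of traffic.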
## SMB Enumeration

The SMB protocol allows clients to communicate with a server's file shares.

### smbclient

```bash
smbclient -N -L \\\\10.10.10.10\\
```

- `-N`: don't prompt for a password
- `-L`: list the services (shares) available on the host

To connect to a specific share (here `backups`) and browse it:

```bash
smbclient -N \\\\10.10.10.10\\backups
```

Some useful commands inside the smbclient shell:

| Command | Function |
|---|---|
| `ls` / `dir` | List files and directories |
| `cd` | Change directory |
| `get flag.txt` | Download a file |
| `mget` | Download multiple files |
| `quit` / `exit` | Quit |
### nmap

```bash
nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.44.131
```

### smbmap

```bash
smbmap -H 10.10.10.10
```

### enum4linux

Enumerates information from Windows and Samba machines.

```bash
enum4linux -A 10.10.10.10
```
## Username/Domain Enumeration

### ldapsearch

Test whether an anonymous LDAP bind is allowed:

```bash
ldapsearch -x -H ldap://10.10.10.10 -s base
```

- `-x`: simple authentication (anonymous here, since no bind DN or password is given) instead of SASL
- `-s base`: search only the base object, not its children

Query user objects from the domain's base DN:

```bash
ldapsearch -x -H ldap://10.211.11.10 -b "dc=tryhackme,dc=loc" "(objectClass=person)"
```
### enum4linux-ng

Tool that automates enumeration techniques against Windows hosts: user lists, group memberships, etc.

```bash
enum4linux-ng -A 10.211.11.10 -oA results.txt
```
### rpcclient

MS-RPC enables a program running on one computer to request services from a program on another computer.

To verify a null session:

```bash
rpcclient -U "" 10.211.11.10 -N
```

- `-U ""`: specify the username; empty for an anonymous login
- `-N`: do not prompt for a password

Then, at the `rpcclient $>` prompt, type `enumdomusers` to list the domain users.

If `enumdomusers` is restricted, query the RIDs one at a time instead:

```bash
for i in $(seq 500 2000); do echo "queryuser $i" | rpcclient -U "" -N 10.211.11.10 2>/dev/null | grep -i "User Name"; done
```
### Kerbrute

Check which usernames are valid / weed out false positives (my kerbrute binary is in /home/kali/attacktive):

```bash
./kerbrute userenum --dc 10.211.11.10 -d tryhackme.loc users.txt -o logs.txt
```

- `users.txt` is the file of our candidate usernames

Useful wordlist for user enumeration
## Password Spraying

A small set of common passwords is tested across many accounts, rather than many passwords against one account, so that the lockout threshold is never reached and accounts are not locked out.

### Tools to check password policy

With rpcclient:

```bash
rpcclient -U "" 10.211.11.10 -N
```

Then type `getdompwinfo` at the prompt to display the domain password policy.

crackmapexec (continued as netexec) is a network service exploitation tool that lets us perform enumeration, command execution, post-exploitation attacks, etc.

To check the password policy:

```bash
crackmapexec smb 10.211.11.10 --pass-pol
```

### Password spray attack

```bash
crackmapexec smb 10.211.11.20 -u users.txt -p passwords.txt
```
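Both the Kerbrute user enumeration above and a password spray are loud on the domain controller: every guessed name that does not exist produces a 4768 (TGT requested) audit failure with result code 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN), and a spray produces a 4625 logon failure for many different accounts from the same source with only one or two attempts each. The following is an added example (not part of the original notes) that detects both patterns; it runs over constructed Windows Security events flattened to `Key=value` lines, and the line format, IP addresses, account names and thresholds are all assumptions.

```python
"""Flag Kerberos user enumeration and password spraying in DC security events.

Added example, not part of the original notes. Two patterns are detected
over constructed Windows Security events flattened to key=value lines:

  * Event 4768 with Status 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN) for many distinct
    names from one source: the footprint of a userenum run, since each guessed
    name that does not exist in the domain produces one such event.
  * Event 4625 (logon failure) for many distinct accounts from one source, each
    tried only a few times: a spray that stays under the lockout threshold.

The line format, IP addresses, account names and thresholds are assumptions.
"""
import re
from collections import defaultdict

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn an assumed 'Key=value Key=value ...' line into a dict."""
    return dict(KV_RE.findall(line))


def detect_userenum(events, min_unknown=20):
    """Sources that requested TGTs for at least min_unknown distinct non-existent principals."""
    unknown = defaultdict(set)  # ip -> distinct unknown principal names
    for e in events:
        if e.get("EventID") == "4768" and e.get("Status") == "0x6":
            unknown[e["IpAddress"]].add(e["TargetUserName"].lower())
    return {ip: len(names) for ip, names in unknown.items() if len(names) >= min_unknown}


def detect_spray(events, min_accounts=10, max_per_account=3):
    """Sources failing logons against many accounts with only a few attempts per account."""
    attempts = defaultdict(lambda: defaultdict(int))  # ip -> account -> failure count
    for e in events:
        if e.get("EventID") == "4625":
            attempts[e["IpAddress"]][e["TargetUserName"].lower()] += 1
    return {
        ip: len(per_acct)
        for ip, per_acct in attempts.items()
        if len(per_acct) >= min_accounts and max(per_acct.values()) <= max_per_account
    }


# Constructed sample events.
SAMPLE_EVENTS = (
    # userenum from .50: 30 names that do not exist in the domain
    [f"EventID=4768 TargetUserName=guess{i} IpAddress=10.211.11.50 Status=0x6" for i in range(30)]
    # an ordinary successful TGT request from a workstation
    + ["EventID=4768 TargetUserName=j.doe IpAddress=10.211.11.8 Status=0x0"]
    # spray from .60: 15 accounts, one password each
    + [f"EventID=4625 TargetUserName=user{i} IpAddress=10.211.11.60 Status=0xC000006D" for i in range(15)]
    # one user mistyping their own password six times: many failures, one account, not a spray
    + ["EventID=4625 TargetUserName=admin IpAddress=10.211.11.7 Status=0xC000006D"] * 6
)
EVENTS = [parse_event(line) for line in SAMPLE_EVENTS]

if __name__ == "__main__":
    print("userenum sources:", detect_userenum(EVENTS))
    print("spray sources:", detect_spray(EVENTS))
```

The spray rule keys on breadth (many accounts) with shallow depth per account, which is exactly what separates it from a brute force against one account; pairing `max_per_account` with the domain's lockout threshold (the same value `--pass-pol` or `getdompwinfo` reports) is what makes it catch sprays sized to stay just under that limit.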