OffSec Live | PEN-200 (2023): Active Directory Enumeration

Published on Oct 28, 2024. This response is partially generated with the help of AI; it may contain inaccuracies.


Introduction

This tutorial walks through Active Directory (AD) enumeration as covered in the OffSec Live session on the PEN-200 (2023) course. AD enumeration is a core skill for penetration testers and defenders alike: it maps the users, groups, hosts and trust relationships of a domain and shows where misconfigured privileges could be abused. The steps below give practical techniques for enumerating an AD environment methodically.

Step 1: Understanding Active Directory Basics

Before diving into enumeration, familiarize yourself with the fundamental concepts of Active Directory.

  • What is Active Directory: A directory service developed by Microsoft for Windows domain networks, providing authentication and authorization.
  • Components to Know:
    • Domain Controllers: Servers that respond to security authentication requests.
    • Users and Groups: Entities within AD that have specific permissions and roles.
    • Organizational Units (OUs): Containers that hold users, groups, and computers for easier management.

Step 2: Gathering Information

The first phase of enumeration involves collecting information about the target AD environment.

  • Tools to Use:
    • Nmap: For network scanning to identify live hosts and services.
    • BloodHound: A tool for understanding AD relationships and permissions.
  • Key Commands:
    • Use Nmap to scan for the LDAP, LDAPS and Global Catalog ports that domain controllers expose:
      nmap -p 389,636,3268,3269 <target-ip>
  • What to Look For:
    • Active Directory domain names.
    • Open ports related to AD services, such as LDAP (389), LDAPS (636) and the Global Catalog (3268/3269).

Step 3: Performing LDAP Enumeration

Once you have gathered basic information, perform LDAP enumeration to extract more detailed AD data.

  • Using ldapsearch:
    • This command-line LDAP client queries the directory directly and is the quickest way to pull raw AD objects and their attributes.
  • Example Command:
    ldapsearch -x -H ldap://<domain-controller> -b "dc=example,dc=com"
    (-x selects simple bind. Most domain controllers reject anonymous queries, so add -D "<user>@example.com" -W to bind as a domain user. Older ldapsearch builds accept -h <host> in place of -H <URI>.)
  • Common Search Filters (append one as the last argument to restrict the results):
    • Users: (&(objectClass=user)(objectCategory=person))
    • Groups: (&(objectClass=group)(objectCategory=group))

Step 4: Exploring Domain Users and Groups

After gathering data, analyze the users and groups to identify potential targets.

  • Key Areas to Investigate:
    • Admin Accounts: Look for accounts with elevated privileges.
    • Service Accounts: Often have permissions that can be exploited.
  • Practical Tip:
    • Create a list of all users and their attributes to better understand their roles and permissions.
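As an added example that is not part of the OffSec session, the following Python script parses the LDIF that ldapsearch prints (Step 3), including folded lines and base64 `::` values, and flags the admin and service accounts this step tells you to look for. The LDIF is a constructed sample and PRIVILEGED_GROUPS is an assumed list of built-in high-privilege groups; both stand in for your own query output and domain.

```python
import base64

# Constructed sample of ldapsearch LDIF output for the Step 3 user filter (not real data).
SAMPLE_LDIF = """\
# extended LDIF
dn: CN=Alice Admin,OU=Staff,DC=example,DC=com
sAMAccountName: alice
adminCount: 1
memberOf: CN=Domain Admins,CN=Users,DC=example,
 DC=com

dn: CN=svc-sql,OU=Service Accounts,DC=example,DC=com
sAMAccountName: svc-sql
servicePrincipalName: MSSQLSvc/db01.example.com:1433
description:: UnVucyB0aGUgcmVwb3J0aW5nIFNRTCBpbnN0YW5jZQ==
memberOf: CN=Backup Operators,CN=Builtin,DC=example,DC=com
"""
# Assumed set of built-in high-privilege groups; extend it for the domain under test.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins",
                     "Administrators", "Account Operators", "Backup Operators"}

def parse_ldif(text):
    """Return one {attribute: [values]} dict per entry that has a dn."""
    entries, cur = [], {}
    # "\n " continues a folded value; the trailing "" flushes the last entry.
    for line in text.replace("\n ", "").splitlines() + [""]:
        if line.startswith("#"):                 # ldapsearch comment lines
            continue
        if not line.strip():                     # blank line ends an entry
            if "dn" in cur:
                entries.append(cur)
            cur = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):                # "attr:: <base64>" carries non-safe values
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        cur.setdefault(attr, []).append(value.strip())
    return entries

def triage_accounts(entries):
    """Map sAMAccountName -> reasons the account deserves a closer look."""
    findings = {}
    for e in entries:
        groups = {g.split(",", 1)[0].removeprefix("CN=") for g in e.get("memberOf", [])}
        reasons = ["service account, SPN " + s for s in e.get("servicePrincipalName", [])]
        if e.get("adminCount") == ["1"]:
            reasons.append("adminCount=1 (protected by AdminSDHolder)")
        if groups & PRIVILEGED_GROUPS:
            reasons.append("member of " + ", ".join(sorted(groups & PRIVILEGED_GROUPS)))
        if reasons:
            findings[e["sAMAccountName"][0]] = reasons
    return findings
```

Run it against a file saved from ldapsearch by replacing SAMPLE_LDIF with the file contents; accounts that appear in the result are the ones whose group memberships and SPNs you should review first.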

Step 5: Identifying Relationships and Trusts

Understanding the relationships between users and groups can reveal attack paths.

  • BloodHound Usage:
    • Import data collected with a BloodHound ingestor (SharpHound on Windows, or bloodhound-python from Linux) and visualize user relationships and permissions.
  • Focus on:
    • Group memberships.
    • Inherited permissions.
    • Trust relationships between domains, if applicable.

Step 6: Common Pitfalls to Avoid

While performing Active Directory enumeration, be aware of common mistakes.

  • Overlooking Service Accounts: These accounts often have extensive permissions.
  • Not Testing Queries: Validate your LDAP queries to ensure they return the expected results.
  • Ignoring Security Misconfigurations: Pay attention to any misconfigured permissions that could lead to privilege escalation.

Conclusion

Active Directory enumeration is a vital skill in penetration testing. By understanding the basics, gathering information, performing LDAP enumeration, and analyzing relationships, you can identify and exploit vulnerabilities within an AD environment. As you continue to develop your skills, consider exploring further into Active Directory attacks and lateral movement techniques for a more comprehensive understanding of penetration testing.