Try Hack Me — Enumerating Active Directory
My write-up on THM’s Enumerating Active Directory.
Disclaimer
This site contains materials that can be potentially damaging or dangerous. Refer to the laws in your province/country before accessing, using, or in any other way utilizing these materials. These materials are for educational and research purposes only. Persons accessing this information assume full responsibility for the use and agree not to use this content for any illegal purpose.
Task 1 — Why AD Enumeration
Follow the instructions on how to resolve DNS and hosts within the network. Most importantly, ensure that you can resolve and access the distributor.za.tryhackme.com host as this is your first step in getting the credentials you need for initial access.
Task 2 — Credential Injection
I found it a lot easier using my Windows host and accessing the host THMJMP1 via RDP. Follow the PowerShell script that was provided and ensure you have the correct DC IP and the name of the Ethernet adapter you use to connect to THM.
# Point this host's DNS client at the domain controller so that
# za.tryhackme.com names resolve; replace <DC IP> and the adapter name.
$dnsip = "<DC IP>"
$index = Get-NetAdapter -Name 'Ethernet' | Select-Object -ExpandProperty 'ifIndex'
Set-DnsClientServerAddress -InterfaceIndex $index -ServerAddresses $dnsip
Task 3 — Enumeration through Microsoft Management Console
RDP to THMJMP1 and access MMC.exe. You should not have to configure anything as all AD snap-ins are set to za.tryhackme.com.
Task 4 — Enumeration through Command Prompt
net user /domain
Microsoft Windows [Version 10.0.17763.1098]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Users\arthur.campbell>net user /domain
The request will be processed at a domain controller for domain za.tryhackme.com.

User accounts for \\THMDC.za.tryhackme.com
-------------------------------------------------------------------------------
aaron.conway aaron.hancock aaron.harris
aaron.johnson aaron.lewis aaron.moore
aaron.patel aaron.smith abbie.joyce
abbie.robertson abbie.taylor abbie.walker
abdul.akhtar abdul.bates abdul.holt
abdul.jones abdul.wall abdul.west
Gathering user account information.
C:\Users\arthur.campbell>net user zoe.marshall /domain
The request will be processed at a domain controller for domain za.tryhackme.com.

User name                    zoe.marshall
Full Name                    Zoe Marshall
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            2/24/2022 11:06:06 PM
Password expires             Never
Password changeable          2/24/2022 11:06:06 PM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   Never

Logon hours allowed          All
Using net group to enumerate groups in the domain
Group Accounts for \\THMDC.za.tryhackme.com
-------------------------------------------------------------------------------
*Cloneable Domain Controllers
*DnsUpdateProxy
*Domain Admins
*Domain Computers
*Domain Controllers
*Domain Guests
*Domain Users
*Enterprise Admins
*Enterprise Key Admins
*Enterprise Read-only Domain Controllers
*Group Policy Creator Owners
*HR Share RW
*Internet Access
*Key Admins
*Protected Users
*Read-only Domain Controllers
*Schema Admins
*Server Admins
*Tier 0 Admins
*Tier 1 Admins
*Tier 2 Admins
The command completed successfully.
Using net accounts to determine the password policy
C:\Users\arthur.campbell>net accounts /domain
The request will be processed at a domain controller for domain za.tryhackme.com.

Force user logoff how long after time expires?: Never
Minimum password age (days): 0
Maximum password age (days): Unlimited
Minimum password length: 0
Length of password history maintained: None
Lockout threshold: Never
Lockout duration (minutes): 30
Lockout observation window (minutes): 30
Computer role: PRIMARY
The command completed successfully.
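The policy above is what a defender should be worried about: no minimum length, no expiry, no history and no lockout. As an added example (not part of the write-up), this Python parses a captured `net accounts /domain` listing and flags the settings that fall below a baseline; the sample text is a constructed copy of the output above and the baseline thresholds are assumed values you would replace with your own standard.

```python
"""Check a `net accounts /domain` listing against a baseline (added example;
the sample text and the threshold values are constructed assumptions)."""

# Constructed sample: the domain password policy as net accounts prints it.
NET_ACCOUNTS_OUTPUT = """\
Force user logoff how long after time expires?: Never
Minimum password age (days): 0
Maximum password age (days): Unlimited
Minimum password length: 0
Length of password history maintained: None
Lockout threshold: Never
Lockout duration (minutes): 30
Lockout observation window (minutes): 30
Computer role: PRIMARY
The command completed successfully.
"""

def parse_net_accounts(text):
    """Return {setting: value} for every 'Setting: value' line."""
    policy = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            policy[key.strip()] = value.strip()
    return policy

def _as_int(value):
    """'Never', 'None' and 'Unlimited' all mean not enforced -> 0."""
    return int(value) if value.isdigit() else 0

def weak_settings(policy, min_length=14, max_age=90, history=24, lockout=10):
    """Compare a parsed policy with the assumed baseline; return findings."""
    findings = []
    length = _as_int(policy.get("Minimum password length", "0"))
    if length < min_length:
        findings.append("minimum password length %d < %d" % (length, min_length))
    age = _as_int(policy.get("Maximum password age (days)", "0"))
    if age == 0 or age > max_age:
        findings.append("passwords never expire or max age > %d days" % max_age)
    hist = _as_int(policy.get("Length of password history maintained", "0"))
    if hist < history:
        findings.append("password history %d < %d" % (hist, history))
    thresh = _as_int(policy.get("Lockout threshold", "0"))
    if thresh == 0 or thresh > lockout:
        findings.append("lockout threshold disabled or > %d attempts" % lockout)
    return findings
```

Run against the sample, `weak_settings` returns four findings; a policy that meets every threshold returns an empty list.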
Task 5 — Enumeration through PowerShell
Using the Get-ADUser cmdlet to enumerate AD accounts
PS C:\> Get-ADUser -Identity gordon.stevens -Server za.tryhackme.com -Properties *

AccountExpirationDate :
accountExpires : 9223372036854775807
AccountLockoutTime :
[...]
Deleted :
Department : Consulting
Description :
DisplayName : Gordon Stevens
DistinguishedName : CN=gordon.stevens,OU=Consulting,OU=People,DC=za,DC=tryhackme,DC=com
[...]
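The raw accountExpires value above is a Windows FILETIME (100-nanosecond ticks since 1601-01-01 UTC), and 9223372036854775807 is the sentinel for "never", which is why AccountExpirationDate is blank beside it. As an added example (not part of the write-up), this Python decodes that attribute and the related pwdLastSet value so the numbers in a Get-ADUser dump can be read directly:

```python
"""Decode FILETIME-style AD attributes such as accountExpires and pwdLastSet
(added example, not from the write-up)."""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER = 0x7FFFFFFFFFFFFFFF  # 9223372036854775807, as printed by Get-ADUser

def filetime_to_datetime(ticks):
    """100-ns ticks since 1601 -> aware UTC datetime; None for 0 or 'never'."""
    if ticks in (0, NEVER):
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def describe_expiry(ticks, now=None):
    """Classify accountExpires as 'never', 'expired' or 'expires in N days'."""
    when = filetime_to_datetime(ticks)
    if when is None:
        return "never"
    now = now or datetime.now(timezone.utc)
    days = (when - now).days
    return "expired" if days < 0 else "expires in %d days" % days

def describe_pwd_last_set(ticks):
    """pwdLastSet == 0 means the user must change the password at next logon."""
    if ticks == 0:
        return "must change at next logon"
    return "set " + filetime_to_datetime(ticks).isoformat()
```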
Using Select-Object to filter the query for a specific property
PS C:\Users\arthur.campbell> get-aduser -Identity beth.nolan -Properties * | Select-Object 'Title'

Title
-----
Senior
Task 6 — Enumeration through Bloodhound
For this task, you will use SharpHound.exe to gather all the information you need and then import the resulting zip file into Bloodhound. SharpHound.exe is executed on the Windows jump host with the following command:
PS C:\Users\gordon.stevens\Documents\>SharpHound.exe --CollectionMethods All --Domain za.tryhackme.com --ExcludeDCs
Once you have imported the .zip file into Bloodhound, you should be able to answer all the questions from this task.
Kerberoastable accounts
Enumerating users and machine access
Conclusion
Bloodhound is very useful to enumerate domain access and account privileges. Moreover, this tool can save you time determining the fastest attack paths.
To install Bloodhound in Kali follow the steps below:
- apt-get install bloodhound
- run ‘neo4j console’
- navigate to http://localhost:7474/
- the default username and password are neo4j:neo4j
- then, in a separate shell, run bloodhound