AD Post-Compromise Enumeration

  • We have compromised a user account: we captured the FrankCastle user's hash with Responder and cracked it, got onto machines via SMB relay (without needing to crack the hash), and were able to dump the SAM file and collect hashes that way. After the compromise, the next step is to enumerate the network using the compromised account.

  • PowerView (a PowerShell tool): lets us look at the network and enumerate the domain controllers, the domain policy, and so on.

  • BloodHound: visualizes what is going on in the network, where we can find sensitive users that might be logged in, and the shortest path to Domain Admin.

PowerView

  • Useful resource for PowerView:

    Active Directory Enumeration With PowerView

  • Run PowerView directly from any Windows machine we have; in an attacker's situation, if they have access to a shell, they use that shell to load PowerShell.

  • Bypass the execution policy in PowerShell so that scripts can be executed:

  • Load PowerView to start enumerating the domain:

  • Get information about the domain (where the domain controllers are, and much more):

  • Get information about the domain controllers (name, IP, and more):

  • Get the domain policy:

  • Get detailed information about the policy's system access settings (note the minimum password length and the password complexity requirements; all of this information opens avenues for an attacker):

  • Get net users (get data about the users in the domain; you can sometimes find interesting descriptions containing passwords):

    • Filter the output to make it easier to read.

  • Get the properties a user might have:

    • Get a specific property of the item we want (like password last set).

    • The logoncount property can help identify honeypot accounts.

    • Get the bad password count to see whether any of these accounts is under attack (many attempts against it).
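The three user attributes the notes above call out (descriptions that leak passwords, logoncount on honeypot accounts, and bad password counts) are exactly what a defender should audit before an attacker does. The following is an added example, not part of the original notes or of PowerView: it runs the defender-side checks over a constructed export of user attributes (the field names, the `DECOY` description marker and the threshold are assumptions).

```python
import re

# Constructed sample export of AD user attributes (not from any real domain).
# In practice this would come from a directory export or the AD PowerShell module.
SAMPLE_USERS = [
    {"name": "fcastle", "description": "Punisher account", "logonCount": 312, "badPwdCount": 0},
    {"name": "svc-backup", "description": "Backup svc, password: Summer2024!", "logonCount": 40, "badPwdCount": 1},
    {"name": "decoy-admin", "description": "DECOY - do not use", "logonCount": 0, "badPwdCount": 0},
    {"name": "pparker", "description": "", "logonCount": 88, "badPwdCount": 27},
]

# Assumed local convention: decoy accounts carry this marker in their description.
DECOY_MARKER = "DECOY"
# Assumed threshold above which an account is treated as under a guessing attack.
BAD_PWD_THRESHOLD = 10

# Credential-like text in the description attribute ("password:", "pwd=", "creds:" ...).
CRED_PATTERN = re.compile(r"(pass(word)?|pwd|creds?)\s*[:=]", re.IGNORECASE)


def audit_users(users, bad_pwd_threshold=BAD_PWD_THRESHOLD):
    """Return a dict mapping each finding type to the account names that match."""
    findings = {"credential_in_description": [], "decoy_looks_obvious": [], "password_spray_target": []}
    for u in users:
        desc = u.get("description") or ""
        # Description fields are readable by any domain user; secrets there are exposed.
        if CRED_PATTERN.search(desc):
            findings["credential_in_description"].append(u["name"])
        # A decoy that has never logged on stands out to an attacker reading logoncount;
        # a believable decoy should show some logon history.
        if DECOY_MARKER in desc.upper() and u.get("logonCount", 0) == 0:
            findings["decoy_looks_obvious"].append(u["name"])
        # Many bad password attempts on one account point at guessing or spraying.
        if u.get("badPwdCount", 0) >= bad_pwd_threshold:
            findings["password_spray_target"].append(u["name"])
    return findings


if __name__ == "__main__":
    for kind, names in audit_users(SAMPLE_USERS).items():
        print(f"{kind}: {', '.join(names) if names else '-'}")
```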

  • List all computers in the domain:

    • For more information, as before, select a specific property such as OperatingSystem (grep-style filtering).

  • Get information about groups:

    • Get all admin groups using a wildcard.
    • Get information about a specific member of the group.

  • Get all SMB shares in the network:

  • Get all group policies:

Bloodhound

  • Download AD data (when we are on a machine or in the network) and visualize it as a graph.

  • Run a tool called neo4j, which we need to set up first; change the default credentials by browsing to localhost and setting a new password for better security:

  • Invoke-BloodHound: a PowerShell tool used for grabbing the data. Download this file onto the Windows 10 machine (which you got access to in the previous stage).

    • To be able to run scripts:

    • Run SharpHound:

    • Run the script to collect data from a specific domain, then copy the resulting file to the Kali machine:

  • Now we have our data transferred from the Windows machine (which we got into in the last phase) to BloodHound, which processes all the JSON files:

    • Here we find the shortest path to Domain Admins. We should have a session on the punisher machine, which has a local admin that leads us to DOMAIN ADMINS@MARVEL.LOCAL (our domain admin); we have a session there now, unlike on the spiderman machine. [Token impersonation].

  • We always enumerate after each step and ask what information is here for us. Once we get access we enumerate again, and we stay in this cycle, because every step you take gives you more information to learn from.

  • After compromising one account, what can we do with that account?
