Active Directory Enumeration

Enumeration without admin rights

Active Directory Information

A lot of objects and their attributes can be read by any authenticated user. Usually, but not always, those users are domain users. Administrators tend to believe that because they manage this data through tools such as Active Directory Users and Computers or the Active Directory Administrative Center, other users cannot see it.

Since every attack starts with information gathering, being able to collect as much data as possible about the domain, the forest and its services increases the attack surface and, with it, the chances of privilege escalation.

The following commands gather data as an authenticated user without admin rights. There is no mitigation.

Forest Information

PS C:\> [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

Name                  : corp.com
Sites                 : {Default-First-Site-Name}
Domains               : {corp.com}
GlobalCatalogs        : {dc01.corp.com}
ApplicationPartitions : {DC=ForestDnsZones,DC=corp,DC=com, DC=DomainDnsZones,DC=corp,DC=com}
ForestModeLevel       : 6
ForestMode            : Windows2012R2Forest
RootDomain            : corp.com
Schema                : CN=Schema,CN=Configuration,DC=corp,DC=com
SchemaRoleOwner       : dc01.corp.com
NamingRoleOwner       : dc01.corp.com

Domain information

PS C:\> [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

Forest                  : corp.com
DomainControllers       : {dc01.corp.com}
Children                : {}
DomainMode              : Windows2012R2Domain
DomainModeLevel         : 6
Parent                  : 
PdcRoleOwner            : dc01.corp.com
RidRoleOwner            : dc01.corp.com
InfrastructureRoleOwner : dc01.corp.com
Name                    : corp.com

Forest Trusts

PS C:\> $ForestRootDomain = 'corp.com'
PS C:\> ([System.DirectoryServices.ActiveDirectory.Forest]::GetForest((New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Forest', $ForestRootDomain)))).GetAllTrustRelationships()

Domain Trusts

PS C:\> ([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).GetAllTrustRelationships()

Get Forest Global Catalogs

PS C:\> [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().GlobalCatalogs

Forest                     : corp.com
CurrentTime                : 19/03/2020 15:56:35
HighestCommittedUsn        : 40998
OSVersion                  : Windows Server 2012 R2 Datacenter
Roles                      : {SchemaRole, NamingRole, PdcRole, RidRole...}
Domain                     : corp.com
IPAddress                  : fe80::1d56:652c:55cc:8157%12
SiteName                   : Default-First-Site-Name
SyncFromAllServersCallback : 
InboundConnections         : {}
OutboundConnections        : {}
Name                       : dc01.corp.com
Partitions                 : {DC=corp,DC=com, CN=Configuration,DC=corp,DC=com, CN=Schema,CN=Configuration,DC=corp,DC=com, DC=DomainDnsZones,DC=corp,DC=com...}
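The calls above combined into one inventory script, as an added example that is not part of the original page: it walks the forest, each domain's domain controllers and both the forest-level and domain-level trusts using only the .NET System.DirectoryServices.ActiveDirectory classes, so it runs for an ordinary authenticated user on a domain-joined host without the RSAT ActiveDirectory module.

```powershell
# Added example (not from the original page): forest / domain / DC / trust inventory
# built only from System.DirectoryServices.ActiveDirectory, no admin rights or RSAT needed.
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

"Forest: $($forest.Name)  (mode: $($forest.ForestMode))"
"Global catalogs: $(($forest.GlobalCatalogs | ForEach-Object Name) -join ', ')"

foreach ($domain in $forest.Domains) {
    "`nDomain: $($domain.Name)  (mode: $($domain.DomainMode))"
    "  PDC emulator: $($domain.PdcRoleOwner.Name)"
    foreach ($dc in $domain.DomainControllers) {
        "  DC: $($dc.Name)  site=$($dc.SiteName)  os=$($dc.OSVersion)"
    }
    # Domain trusts: TrustDirection tells you whose accounts can authenticate across it,
    # which is what a defender reviews when deciding whether a trust is still needed.
    foreach ($t in $domain.GetAllTrustRelationships()) {
        "  Trust: $($t.SourceName) -> $($t.TargetName)  type=$($t.TrustType)  direction=$($t.TrustDirection)"
    }
}

# Forest trusts are kept in a separate list from the per-domain trusts above.
foreach ($t in $forest.GetAllTrustRelationships()) {
    "Forest trust: $($t.SourceName) -> $($t.TargetName)  type=$($t.TrustType)  direction=$($t.TrustDirection)"
}
```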

Enumerate Services without Network Scanning

SPN scanning is a technique that sends a series of LDAP requests to a Domain Controller asking for all Service Principal Names (SPNs). Since there is no official list of all SPN service classes, some lists are maintained online, such as https://adsecurity.org/?page_id=183. There is no mitigation, because SPNs are required for Kerberos to work.

PS C:\> Get-ADComputer -filter {ServicePrincipalName -like "*TERMSRV*"} -Properties OperatingSystem,OperatingSystemVersion,OperatingSystemServicePack,PasswordLastSet,LastLogonDate,ServicePrincipalName,TrustedForDelegation,TrustedtoAuthForDelegation

DistinguishedName          : CN=DC01,OU=Domain Controllers,DC=corp,DC=com
DNSHostName                : dc01.corp.com
Enabled                    : True
LastLogonDate              : 19/03/2020 12:01:09
Name                       : DC01
ObjectClass                : computer
ObjectGUID                 : 8e1c7851-daab-4f91-8c3d-042319c8b8e0
OperatingSystem            : Windows Server 2012 R2 Datacenter
OperatingSystemServicePack : 
OperatingSystemVersion     : 6.3 (9600)
PasswordLastSet            : 19/03/2020 12:00:45
SamAccountName             : DC01$
ServicePrincipalName       : {TERMSRV/DC01, TERMSRV/dc01.corp.com, Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/dc01.corp.com, GC/DC01/corp.com...}
SID                        : S-1-5-21-315219955-293611544-204322608-1001
TrustedForDelegation       : True
TrustedToAuthForDelegation : False
UserPrincipalName          : 

A full list of properties can be found here https://social.technet.microsoft.com/wiki/contents/articles/12056.active-directory-get-adcomputer-default-and-extended-properties.aspx

You can also use -filter {ServicePrincipalName -like "*"} to return every computer with at least one SPN instead of filtering on a specific service.

Discover Service Accounts

Finding service accounts and the servers they run on is as simple as an SPN scan restricted to user accounts that have an SPN.

PS C:\> Get-ADUser -filter {ServicePrincipalName -like "*"} -Properties Name,SamAccountName,ServicePrincipalName,PasswordLastSet,LastLogonDate,TrustedForDelegation,TrustedtoAuthForDelegation
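The SPN scan from the previous section and the service-account discovery above, carried out together in one script. This is an added example, not code from the original page: it pulls every object with an SPN in a single LDAP query, splits each SPN into service class, host and port to give a service inventory, and then lists the user objects that register an SPN. It assumes the RSAT ActiveDirectory module is available.

```powershell
# Added example (not from the original page): SPN inventory from one LDAP query, parsed
# into service class / host / port, plus the user accounts that carry an SPN.
Import-Module ActiveDirectory

# One query returns computers, users and managed service accounts that have any SPN.
$objects = Get-ADObject -LDAPFilter '(servicePrincipalName=*)' `
    -Properties servicePrincipalName, objectClass, sAMAccountName

$services = foreach ($obj in $objects) {
    foreach ($spn in $obj.servicePrincipalName) {
        # SPN format: serviceclass/host[:port][/servicename], e.g. GC/DC01/corp.com
        $class, $rest = $spn -split '/', 2
        $hostPart = ($rest -split '/')[0]
        $hostName, $port = $hostPart -split ':', 2
        [pscustomobject]@{
            ServiceClass = $class
            Host         = $hostName
            Port         = $port          # empty when the SPN carries no explicit port
            Account      = $obj.sAMAccountName
            ObjectClass  = $obj.objectClass
            SPN          = $spn
        }
    }
}

# Service inventory without touching the network: which service classes exist and on
# how many distinct hosts each one is registered.
"Service classes:"
$services | Group-Object ServiceClass | Sort-Object Count -Descending |
    Select-Object Name, Count, @{ n = 'Hosts'; e = { ($_.Group.Host | Sort-Object -Unique).Count } }

# Service accounts: user objects (not computers) that register an SPN. A defender wants
# these under a managed account (MSA/gMSA) or a long, rotated password, and their SPNs
# reviewed for services that no longer exist.
"`nUser accounts with SPNs:"
$services | Where-Object ObjectClass -eq 'user' |
    Sort-Object Account, SPN -Unique |
    Select-Object Account, ServiceClass, Host, Port
```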

Enumerate Computers without Network Scanning

Every computer joined to Active Directory has a "computer account" with a large set of attributes.

PS C:\> Get-ADComputer -filter {PrimaryGroupID -eq "515"} -Properties OperatingSystem,OperatingSystemVersion,OperatingSystemServicePack,PasswordLastSet,LastLogonDate,ServicePrincipalName,TrustedForDelegation,TrustedtoAuthForDelegation

The same query can be run for Domain Controllers by changing the PrimaryGroupID value to "516":

PS C:\> Get-ADComputer -filter {PrimaryGroupID -eq "516"} -Properties OperatingSystem,OperatingSystemVersion,OperatingSystemServicePack,PasswordLastSet,LastLogonDate,ServicePrincipalName,TrustedForDelegation,TrustedtoAuthForDelegation

DistinguishedName          : CN=DC01,OU=Domain Controllers,DC=corp,DC=com
DNSHostName                : dc01.corp.com
Enabled                    : True
LastLogonDate              : 19/03/2020 12:01:09
Name                       : DC01
ObjectClass                : computer
ObjectGUID                 : 8e1c7851-daab-4f91-8c3d-042319c8b8e0
OperatingSystem            : Windows Server 2012 R2 Datacenter
OperatingSystemServicePack : 
OperatingSystemVersion     : 6.3 (9600)
PasswordLastSet            : 19/03/2020 12:00:45
SamAccountName             : DC01$
ServicePrincipalName       : {TERMSRV/DC01, TERMSRV/dc01.corp.com, Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/dc01.corp.com, GC/DC01/corp.com...}
SID                        : S-1-5-21-315219955-293611544-204322608-1001
TrustedForDelegation       : True
TrustedToAuthForDelegation : False
UserPrincipalName          : 

A full list of well-known SIDs can be found here: https://adsecurity.org/?p=1001. A further filter on OperatingSystem can be used to find non-Windows computers. Some examples are OperatingSystem -Like "*Samba*", OperatingSystem -Like "*OnTap*" or OperatingSystem -Like "*Windows NT*".
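The computer-account queries above turned into an inventory report, as an added example that is not part of the original page: it groups member computers (PrimaryGroupID 515) by operating system, lists the non-Windows ones, and flags accounts that look stale or are trusted for delegation. It assumes the ActiveDirectory module; the 90-day staleness window is an assumed threshold.

```powershell
# Added example (not from the original page): computer inventory from account attributes
# alone. The 90-day window is an assumption; adjust it to the environment.
Import-Module ActiveDirectory
$staleDays = 90

$computers = Get-ADComputer -Filter { PrimaryGroupID -eq 515 } `
    -Properties OperatingSystem, OperatingSystemVersion, PasswordLastSet, LastLogonDate, TrustedForDelegation

"OS distribution:"
$computers | Group-Object OperatingSystem | Sort-Object Count -Descending |
    Select-Object Count, Name

"`nNon-Windows accounts (Samba, NetApp OnTap, appliances):"
$computers | Where-Object { $_.OperatingSystem -and $_.OperatingSystem -notlike 'Windows*' } |
    Select-Object Name, OperatingSystem, OperatingSystemVersion

# LastLogonDate is replicated only about every 14 days, so treat it as approximate; a machine
# password that has not changed in the same window is the stronger staleness signal.
"`nAccounts with no logon and no password change in the last $staleDays days:"
$cutoff = (Get-Date).AddDays(-$staleDays)
$computers |
    Where-Object { (-not $_.LastLogonDate -or $_.LastLogonDate -lt $cutoff) -and $_.PasswordLastSet -lt $cutoff } |
    Select-Object Name, OperatingSystem, LastLogonDate, PasswordLastSet

# Member computers with TrustedForDelegation set: normally only Domain Controllers need it,
# so each one here should have a documented reason.
"`nMember computers trusted for delegation:"
$computers | Where-Object TrustedForDelegation | Select-Object Name, OperatingSystem
```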

Enumerate Admin Accounts

This method filters the Get-ADUser cmdlet on the AdminCount attribute. Since this attribute is not automatically reset when a user is removed from the admin groups, some false positives can show up in the results. Also note that admin accounts that hold their rights only through custom delegation are not returned.

PS C:\> Get-ADuser -filter {AdminCount -eq 1} -Properties Name,AdminCount,ServicePrincipalName,PasswordLastSet,LastLogonDate,MemberOf

AdminCount        : 1
DistinguishedName : CN=Administrator,CN=Users,DC=corp,DC=com
Enabled           : True
GivenName         : 
LastLogonDate     : 19/03/2020 15:01:44
MemberOf          : {CN=Proprietari autori criteri di gruppo,CN=Users,DC=corp,DC=com, CN=Domain Admins,CN=Users,DC=corp,DC=com, CN=Enterprise Admins,CN=Users,DC=corp,DC=com, CN=Schema 
                    Admins,CN=Users,DC=corp,DC=com...}
Name              : Administrator
ObjectClass       : user
ObjectGUID        : 3072b7e3-be5c-4474-84da-57fa5588b988
PasswordLastSet   : 19/03/2020 15:03:31
SamAccountName    : Administrator
SID               : S-1-5-21-315219955-293611544-204322608-500
Surname           : 
UserPrincipalName : 

AdminCount           : 1
DistinguishedName    : CN=krbtgt,CN=Users,DC=corp,DC=com
Enabled              : False
GivenName            : 
LastLogonDate        : 
MemberOf             : {CN=Ogg. non autoriz. a replica passw. in controller sola lettura,CN=Users,DC=corp,DC=com}
Name                 : krbtgt
ObjectClass          : user
ObjectGUID           : 4527fccb-cf4d-42a9-8409-a6eb9a5795bf
PasswordLastSet      : 04/02/2020 22:07:36
SamAccountName       : krbtgt
ServicePrincipalName : {kadmin/changepw}
SID                  : S-1-5-21-315219955-293611544-204322608-502
Surname              : 
UserPrincipalName    : 

Enumerate Admin Groups

This method relies on the fact that companies usually include the string "admin" in the names of administrator groups. In addition, the first filter, GroupCategory -eq 'Security', excludes the other type of Active Directory group, the distribution groups.

PS C:\> Get-ADGroup -filter {GroupCategory -eq 'Security' -AND Name -like "*admin*"}

DistinguishedName : CN=Domain Admins,CN=Users,DC=corp,DC=com
GroupCategory     : Security
GroupScope        : Global
Name              : Domain Admins
ObjectClass       : group
ObjectGUID        : 9bec696c-f812-493e-b6ec-292bf00f280c
SamAccountName    : Domain Admins
SID               : S-1-5-21-315219955-293611544-204322608-512

DistinguishedName : CN=DnsAdmins,CN=Users,DC=corp,DC=com
GroupCategory     : Security
GroupScope        : DomainLocal
Name              : DnsAdmins
ObjectClass       : group
ObjectGUID        : 5a2f43c3-c337-4833-be0f-419dd3585756
SamAccountName    : DnsAdmins
SID               : S-1-5-21-315219955-293611544-204322608-1102

DistinguishedName : CN=Administrators,CN=Builtin,DC=corp,DC=com
GroupCategory     : Security
GroupScope        : DomainLocal
Name              : Administrators
ObjectClass       : group
ObjectGUID        : 124e70ea-1ea3-4981-8889-3855a027a012
SamAccountName    : Administrators
SID               : S-1-5-32-544

DistinguishedName : CN=Schema Admins,CN=Users,DC=corp,DC=com
GroupCategory     : Security
GroupScope        : Universal
Name              : Schema Admins
ObjectClass       : group
ObjectGUID        : 184e5711-ea90-47c3-9512-83307e99f7b6
SamAccountName    : Schema Admins
SID               : S-1-5-21-315219955-293611544-204322608-518

DistinguishedName : CN=Enterprise Admins,CN=Users,DC=corp,DC=com
GroupCategory     : Security
GroupScope        : Universal
Name              : Enterprise Admins
ObjectClass       : group
ObjectGUID        : 90cda9cd-7c22-4fc9-95f5-233a6173ac0c
SamAccountName    : Enterprise Admins
SID               : S-1-5-21-315219955-293611544-204322608-519
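The false-positive problem noted in the AdminCount section above, resolved by cross-checking against the admin groups from this section. This is an added example, not code from the original page: it expands the recursive membership of the well-known admin groups, addressed by the SIDs shown above (S-1-5-32-544 and the domain RIDs 512, 518 and 519) rather than by localized names, and splits the AdminCount=1 users into current admins and stale entries. It assumes the ActiveDirectory module.

```powershell
# Added example (not from the original page): separate real admins from stale AdminCount.
# AdminCount=1 is set by the AdminSDHolder process and never cleared, so the result of
# Get-ADUser -Filter {AdminCount -eq 1} is compared with actual protected-group membership.
Import-Module ActiveDirectory
$domainSid = (Get-ADDomain).DomainSID.Value

# Builtin Administrators plus Domain Admins (512), Schema Admins (518), Enterprise Admins (519).
$rids = 512, 518, 519
$adminGroupSids = @('S-1-5-32-544') + ($rids | ForEach-Object { "$domainSid-$_" })

$realAdmins = foreach ($sid in $adminGroupSids) {
    # -Recursive expands nested groups; only user objects are kept.
    Get-ADGroupMember -Identity $sid -Recursive |
        Where-Object objectClass -eq 'user' |
        Select-Object -ExpandProperty distinguishedName
}
$realAdmins = $realAdmins | Sort-Object -Unique

$flagged = Get-ADUser -Filter { AdminCount -eq 1 } -Properties AdminCount, PasswordLastSet

"Current admins (AdminCount=1 and member of a protected group):"
$flagged | Where-Object { $realAdmins -contains $_.DistinguishedName } |
    Select-Object SamAccountName, Enabled, PasswordLastSet

# Stale entries still carry the AdminSDHolder ACL and inheritance block without being admins;
# clearing AdminCount and re-enabling inheritance is the usual clean-up. krbtgt always has
# AdminCount=1 (see the output above) and is expected to appear in this list.
"`nStale AdminCount (no longer in a protected group):"
$flagged | Where-Object { $realAdmins -notcontains $_.DistinguishedName } |
    Select-Object SamAccountName, Enabled, PasswordLastSet
```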

Enumerate Partner Organizations

External e-mail addresses are added to AD in the GAL (Global Address List) as AD Objects, so they are enumerable.

PS C:\> Get-ADObject -filter {ObjectClass -eq "Contact"} -Prop *

The mitigation is not to place those contacts in AD, if possible.

Domain Password Policy

You can retrieve Domain Password Policy using the classic net accounts:

PS C:\> net accounts
Min. tra tempo limite e disconnessione imposta:              Mai
Durata minima della password (giorni):                       1
Durata massima della password (giorni):                      42
Lunghezza minima della password:                             7
Lunghezza cronologia della password:                         24
Soglia di blocchi:                                           Mai
Durata dei blocchi (minuti):                                 30
Finestra di osservazione dei blocchi (minuti):               30
Ruolo del computer:                                          PRIMARIO
Esecuzione comando riuscita.

Or using PowerShell:

PS C:\> Get-ADDefaultDomainPasswordPolicy

ComplexityEnabled           : True
DistinguishedName           : DC=corp,DC=com
LockoutDuration             : 00:30:00
LockoutObservationWindow    : 00:30:00
LockoutThreshold            : 0
MaxPasswordAge              : 42.00:00:00
MinPasswordAge              : 1.00:00:00
MinPasswordLength           : 7
objectClass                 : {domainDNS}
objectGuid                  : 884d2918-e3a5-4884-8975-95c079f36ecf
PasswordHistoryCount        : 24
ReversibleEncryptionEnabled : False

Fine-Grained Password Policy

Fine-Grained Password Policies (FGPP) allow a more granular password policy than the usual domain-wide one. They have been supported since Windows 2008, but Active Directory supports them only from Windows 2012. The example is taken from the Microsoft site: https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-adfinegrainedpasswordpolicy?view=winserver2012-ps.

C:\PS>Get-ADFineGrainedPasswordPolicy 'CN=DlgtdAdminsPSO,CN=Password Settings Container,CN=System,DC=FABRIKAM,DC=COM' -Properties *

msDS-LockoutDuration                     : -18000000000
msDS-PasswordSettingsPrecedence          : 300
ObjectCategory                           : CN=ms-DS-Password-Settings,CN=Schema,CN=Configuration,DC=FABRIKAM,DC=COM
DistinguishedName                        : CN=DlgtdAdminsPSO,CN=Password Settings Container,CN=System,DC=FABRIKAM,DC=COM
ExpireOn                                 :
msDS-MinimumPasswordAge                  : -864000000000
dSCorePropagationData                    : {12/31/1600 4:00:00 PM}
msDS-LockoutThreshold                    : 0
Description                              : The Delegated Administrators Password Policy
LockoutThreshold                         : 0
instanceType                             : 4
msDS-PasswordComplexityEnabled           : True
MaxPasswordAge                           : 20.00:00:00
whenCreated                              : 8/15/2008 12:47:43 AM
Name                                     : DlgtdAdminsPSO
ObjectClass                              : msDS-PasswordSettings
ReversibleEncryptionEnabled              : True
msDS-PasswordReversibleEncryptionEnabled : True
Dynamic                                  : False
LockoutDuration                          : 00:30:00
msDS-PSOAppliesTo                        : {CN=Kim Abercrombie,OU=Finance,OU=UserAccounts,DC=FABRIKAM,DC=COM, CN=Bob Kelly,OU=AsiaPacific,OU=Sales,OU=UserAccounts,DC=FABRIKAM,DC=COM}
DisplayName                              : Delegated Administrators PSO
uSNCreated                               : 16395
Modified                                 : 8/20/2008 12:21:15 AM
MinPasswordAge                           : 1.00:00:00
ProtectedFromAccidentalDeletion          : False
Created                                  : 8/15/2008 12:47:43 AM
sDRightsEffective                        : 15
ComplexityEnabled                        : True
PasswordHistoryCount                     : 24
msDS-MaximumPasswordAge                  : -17280000000000
MinPasswordLength                        : 10
Precedence                               : 300
ObjectGUID                               : 75cf8c7a-9c93-4e81-b611-851803372cb2
msDS-MinimumPasswordLength               : 10
Deleted                                  :
Orphaned                                 : False
CN                                       : DlgtdAdminsPSO
LastKnownParent                          :
CanonicalName                            : FABRIKAM.COM/System/Password Settings Container/DlgtdAdminsPSO
modifyTimeStamp                          : 8/20/2008 12:21:15 AM
msDS-LockoutObservationWindow            : -18000000000
LockoutObservationWindow                 : 00:30:00
whenChanged                              : 8/20/2008 12:21:15 AM
createTimeStamp                          : 8/15/2008 12:47:43 AM
msDS-PasswordHistoryLength               : 24
nTSecurityDescriptor                     : System.DirectoryServices.ActiveDirectorySecurity
AppliesTo                                : {CN=JeffPrice,OU=Finance,OU=UserAccounts,DC=FABRIKAM,DC=COM, CN=GlenJohn,OU=AsiaPacific,OU=Sales,OU=UserAccounts,DC=FABRIKAM,DC=COM}
uSNChanged                               : 72719
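The default domain policy and the fine-grained policies above, resolved per account. This is an added example, not code from the original page: for each AdminCount=1 user it asks which policy actually applies (the linked FGPP, or the default domain policy when none is linked) and flags the weak settings visible in the outputs above, such as LockoutThreshold 0 and reversible encryption. It assumes the ActiveDirectory module; the 14-character and 365-day thresholds are assumptions.

```powershell
# Added example (not from the original page): effective password policy per admin account.
# Thresholds (MinPasswordLength < 14, MaxPasswordAge > 365 days or 0 = never) are assumptions.
Import-Module ActiveDirectory
$default = Get-ADDefaultDomainPasswordPolicy

function Test-PasswordPolicy {
    param($Policy, [string]$Account, [string]$Source)
    $issues = @()
    if ($Policy.LockoutThreshold -eq 0)          { $issues += 'no lockout (LockoutThreshold=0)' }
    if ($Policy.MinPasswordLength -lt 14)         { $issues += "short minimum ($($Policy.MinPasswordLength))" }
    if (-not $Policy.ComplexityEnabled)           { $issues += 'complexity off' }
    if ($Policy.ReversibleEncryptionEnabled)      { $issues += 'reversible encryption on' }
    if ($Policy.MaxPasswordAge -eq [TimeSpan]::Zero -or
        $Policy.MaxPasswordAge -gt [TimeSpan]::FromDays(365)) { $issues += 'no practical expiry' }
    [pscustomobject]@{
        Account = $Account
        Policy  = $Source
        Issues  = $(if ($issues) { $issues -join '; ' } else { 'ok' })
    }
}

Get-ADUser -Filter { AdminCount -eq 1 } | ForEach-Object {
    # Get-ADUserResultantPasswordPolicy returns $null when no FGPP applies to the user,
    # in which case the default domain policy is the effective one.
    $fgpp = Get-ADUserResultantPasswordPolicy -Identity $_
    if ($fgpp) { Test-PasswordPolicy $fgpp $_.SamAccountName "FGPP:$($fgpp.Name)" }
    else       { Test-PasswordPolicy $default $_.SamAccountName 'Default domain policy' }
} | Format-Table -AutoSize
```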

Enumerate Managed Service Accounts and Group Managed Service Accounts

From Windows 2008, Managed Service Accounts (MSA) automatically manage and update the account password, but only for a single computer. From Windows 2012, Group Managed Service Accounts (gMSA) can be linked to multiple computers.

Managed Service Accounts:

PS C:\> Get-ADServiceAccount -Identity service1
Enabled           : True
Name              : service1
UserPrincipalName :
SamAccountName    : service1$
ObjectClass       : msDS-ManagedServiceAccount
SID               : S-1-5-21-159507390-2980359153-3438059098-29770
ObjectGUID        : eaa435ee-6ebc-44dd-b4b6-dc1bb5bcd23a
HostComputers     :
DistinguishedName : CN=service1,CN=Managed Service Accounts,DC=contoso,DC=com
PS C:\> Get-ADServiceAccount -Identity S-1-5-21-159507390-2980359153-3438059098-29770
Enabled           : True
Name              : service1
UserPrincipalName :
SamAccountName    : service1$
ObjectClass       : msDS-ManagedServiceAccount
SID               : S-1-5-21-159507390-2980359153-3438059098-29770
ObjectGUID        : eaa435ee-6ebc-44dd-b4b6-dc1bb5bcd23a
HostComputers     :
DistinguishedName : CN=service1,CN=Managed Service Accounts,DC=contoso,DC=com
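The single-account lookup above extended to the whole domain, as an added example that is not part of the original page: it lists every MSA and gMSA, tells the two kinds apart by object class, and shows which host (MSA) or which principals (gMSA) are allowed to use each one, so ownership can be reviewed. It assumes the ActiveDirectory module; the account objects are readable by authenticated users, the managed passwords are not.

```powershell
# Added example (not from the original page): MSA / gMSA inventory with the computers or
# principals linked to each account.
Import-Module ActiveDirectory

Get-ADServiceAccount -Filter * -Properties HostComputers, PrincipalsAllowedToRetrieveManagedPassword,
    PasswordLastSet, LastLogonDate, ServicePrincipalName | ForEach-Object {
    # objectClass tells the two kinds apart: msDS-ManagedServiceAccount (one host, since
    # Windows 2008) versus msDS-GroupManagedServiceAccount (many hosts, since Windows 2012).
    $isGroup = $_.ObjectClass -eq 'msDS-GroupManagedServiceAccount'
    [pscustomobject]@{
        Name            = $_.SamAccountName
        Type            = $(if ($isGroup) { 'gMSA' } else { 'MSA' })
        Enabled         = $_.Enabled
        # MSA: the single linked host. gMSA: the hosts or groups allowed to fetch the password.
        UsedBy          = $(if ($isGroup) { $_.PrincipalsAllowedToRetrieveManagedPassword -join '; ' }
                            else          { $_.HostComputers -join '; ' })
        SPNs            = $_.ServicePrincipalName -join '; '
        PasswordLastSet = $_.PasswordLastSet
        LastLogonDate   = $_.LastLogonDate
    }
} | Format-Table -AutoSize
```

An empty UsedBy column is the finding to chase: a managed account with no linked host or principal is either orphaned or still being provisioned.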

Sources