Conquering Active Directory for OSCP+: Essential Techniques and Strategies — Part 3

Jose Campo
3 min read · Oct 30, 2024


This is the third of a series of short articles written to assist with the Active Directory (AD) portion of the new OSCP+ exam format. The steps and suggestions here are just the tip of the iceberg. Please expand beyond these articles and utilize the PEN-200 material for a more comprehensive review. Practice in a secure lab environment. “Hands-on” is the only way to truly learn all of this.

Let’s review what we’ve covered so far. In the first article of this series, we discussed how to enumerate Active Directory (AD) users — a crucial first step for obtaining valid credentials. Before gathering passwords, we need a list of valid users. In the second article, we explored password spraying techniques. In this article, I will show more ways to gather domain information, now with valid credentials in hand.

Let’s get more users, shall we?

It’s great that we already have some valid credentials, but the more we collect, the better. It’s possible that the credentials we found lack special permissions or are not part of any administrative groups. Expanding our list of users increases our chances of “hitting the jackpot” and discovering users who allow us to move laterally within the domain.

My preferred tool for this task is nxc. We need to specify the smb protocol, the username and password, and the --users flag at the end. The IP address should be that of the domain controller (DC). Here’s the command:

sudo nxc smb [ip] -u mary -p Password123 --users

Another tool we can use to enumerate Active Directory (AD) users is rpcclient. This tool does much more than just user enumeration. If the current security context allows, we can even reset someone else’s password!

https://www.thehacker.recipes/ad/movement/dacl/forcechangepassword

Here is how we can use this tool to list more AD users (the -c flag runs the enumdomusers command after authenticating):

rpcclient -U 'mary%Password123' -c enumdomusers dc01

Raj Chandel has an excellent blog about rpcclient, covering a range of techniques and tricks we can use with this tool.

Another tool we can use to list AD users is called windapsearch. This tool uses the LDAP protocol and is written in Python, making it a great alternative if SMB isn’t working or isn’t returning results. Here’s how we can list users with elevated privileges, for example, using the -PU flag:

python3 ./windapsearch.py --dc-ip [ip] -u mary@contoso.com -p Password123 -PU

The final tool we can use to obtain a complete list of AD users is BloodHound. Its collector (bloodhound-python, below) connects to Active Directory and pulls all AD objects (users, groups, etc.) into JSON files, which can then be imported into BloodHound's GUI to identify AD misconfigurations or interesting AD groups.

sudo bloodhound-python -u 'mary' -p 'Password123' -ns [ip usually same as DC] -d contoso.com -c all

Shares are a gold mine

Windows Shares are one of the great features of Windows, allowing collaboration, file exchange, and enabling remote tools to dump or extract data. It’s so simple and convenient that it often becomes an AD attack vector.

The most common share misconfigurations include excessive permissions and the accidental upload of sensitive files or information. Tools like nxc allow us to check access to these shares and identify any interesting files. Here’s the basic syntax:

sudo nxc smb [ip] -u mary -p Password123 --shares

It’s crucial to examine the output closely and identify any uncommon shares. Any non-default share should be investigated further. For instance, if we find a share named “finance,” we can use nxc to search for sensitive information, such as additional passwords or misplaced credentials:

sudo nxc smb [ip] -u mary -p Password123 -M spider_plus --share 'Finance'
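As an added example (not from the original post), here is a small Python triage script that parses the column layout of nxc's --shares output and keeps only the non-default shares the tested account can actually reach, which is exactly the "examine the output closely" step above. The sample output, host name, IP and share names are constructed, and the column spacing of real nxc output may differ from this sample.

```python
import re

# Shares Windows exposes by default; anything else deserves a closer look.
DEFAULT_SHARES = {"ADMIN$", "C$", "IPC$", "NETLOGON", "SYSVOL", "PRINT$"}
PERM_RE = re.compile(r"^(READ|WRITE)(,(READ|WRITE))?$")

# Constructed sample mimicking the column layout of `nxc smb ... --shares`;
# host name, IP and share names are invented for this example.
SAMPLE_OUTPUT = """\
SMB  10.0.0.5  445  DC01  [*] Enumerated shares
SMB  10.0.0.5  445  DC01  Share           Permissions     Remark
SMB  10.0.0.5  445  DC01  -----           -----------     ------
SMB  10.0.0.5  445  DC01  ADMIN$                          Remote Admin
SMB  10.0.0.5  445  DC01  C$                              Default share
SMB  10.0.0.5  445  DC01  IPC$            READ            Remote IPC
SMB  10.0.0.5  445  DC01  NETLOGON        READ            Logon server share
SMB  10.0.0.5  445  DC01  SYSVOL          READ            Logon server share
SMB  10.0.0.5  445  DC01  Finance         READ,WRITE      Quarterly reports
SMB  10.0.0.5  445  DC01  Backups         READ
"""

def parse_shares(output):
    """Turn nxc --shares lines into dicts with host, share, perms and remark."""
    shares = []
    for line in output.splitlines():
        parts = line.split(None, 4)               # SMB, ip, port, host, rest of line
        if len(parts) < 5 or parts[0] != "SMB":
            continue
        host, rest = parts[3], parts[4]
        cols = re.split(r"\s{2,}", rest.strip())  # columns are padded with 2+ spaces
        name = cols[0]
        if name.startswith("[") or name in ("Share", "-----"):
            continue                              # status line, header or separator
        perms, remark = "", ""
        if len(cols) > 1 and PERM_RE.match(cols[1]):
            perms, remark = cols[1], (cols[2] if len(cols) > 2 else "")
        elif len(cols) > 1:
            remark = cols[1]                      # no access: second column is the remark
        shares.append({"host": host, "share": name, "perms": perms, "remark": remark})
    return shares

def is_default_share(name):
    """True for ADMIN$, IPC$, SYSVOL, NETLOGON, print$ and any drive share like D$."""
    return name.upper() in DEFAULT_SHARES or re.fullmatch(r"[A-Z]\$", name.upper()) is not None

def flag_non_default(shares):
    """Keep only non-default shares that the tested account can actually access."""
    return [s for s in shares if not is_default_share(s["share"]) and s["perms"]]
```

Running flag_non_default(parse_shares(SAMPLE_OUTPUT)) on the sample returns the Finance and Backups entries, the two shares worth spidering next.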

Take a look at SMBMap for checking AD shares. It is a great alternative to nxc. It has a recursive listing feature, making it highly useful when exploring numerous shares and files.

We’ve covered key techniques for enumerating AD users and uncovering valuable information within AD shares. Starting with user enumeration to establish valid credentials, we explored tools like nxc, rpcclient, windapsearch, and BloodHound for gathering AD details. We also examined Windows Shares, highlighting common misconfigurations that expose sensitive data.

In the next article of our series, let’s talk about how we can accomplish the same (listing more AD users and inspecting shares) from a Windows box.
