Last updated on 10/31/24

Identify the Entry Points

You’re now familiar with the machines in your IT environment, the services they offer, and any potential vulnerabilities you can exploit to start the compromise phase. To complete your reconnaissance, it’s essential to explore the Active Directory environment.

Identify the Active Directory Domain

Active Directory is the Microsoft solution for managing an information system. It’s important to analyze how this solution has been implemented and configured so that you can prepare your attack plan. Active Directory is constantly being updated, so determining the version in use tells you which features and security measures exist in the version your target company is running.

The ldapsearch utility (ldapsearch manual) lets you send queries to an LDAP server. In this situation it lets you request domain information anonymously from a domain controller: the -x option selects simple (here, anonymous) authentication, and -s base with no base DN returns the server’s rootDSE entry.

$ ldapsearch -x -H ldap://dc01.medic.ex -s base -LLL
domainFunctionality: 7
forestFunctionality: 7
domainControllerFunctionality: 7
rootDomainNamingContext: DC=medic,DC=ex
[...]
subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=medic,DC=ex
dnsHostName: DC01.medic.ex
[...]

You can provide a domain controller’s IP address rather than the machine name on the command line.

The domain controller provides a lot of information, including the functional level of the domain (domainFunctionality), the forest (forestFunctionality), and the domain controller (domainControllerFunctionality). The reference table below lets you find out which Active Directory version you’re running.

[Figure: Functional level reference table (screenshot)]

The dnsHostName entry also provides the name of the domain controller that you queried. In this example, the domain controller is named DC01.

Finally, the rootDomainNamingContext entry provides the forest’s root domain name. It may be the same as the domain you’re auditing, which means that you’re in the root domain. It’s highly likely that this is the forest’s only domain.
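The rootDSE attributes above can be turned into a short inventory summary. The following is an added example (not part of the course): it parses the LDIF that ldapsearch -LLL prints, maps the functional levels to Windows Server versions using the msDS-Behavior-Version values Microsoft documents, and compares defaultNamingContext (a rootDSE attribute elided in the output above) with rootDomainNamingContext to tell whether the queried domain is the forest root. The sample input is constructed to mirror the output shown.

```python
"""Summarize a rootDSE entry from `ldapsearch -x -s base -LLL` output."""
import re

# msDS-Behavior-Version values as documented by Microsoft. Windows Server
# 2019 and 2022 introduced no new level; 2025 introduced level 10.
FUNCTIONAL_LEVELS = {
    0: "Windows 2000", 1: "Windows Server 2003 interim",
    2: "Windows Server 2003", 3: "Windows Server 2008",
    4: "Windows Server 2008 R2", 5: "Windows Server 2012",
    6: "Windows Server 2012 R2", 7: "Windows Server 2016",
    10: "Windows Server 2025",
}

# Constructed sample, modelled on the ldapsearch output in the course.
SAMPLE_ROOTDSE = """\
domainFunctionality: 7
forestFunctionality: 7
domainControllerFunctionality: 7
rootDomainNamingContext: DC=medic,DC=ex
defaultNamingContext: DC=medic,DC=ex
subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=medic,DC=ex
dnsHostName: DC01.medic.ex
"""

def parse_ldif(text):
    """Return {attribute: [values]} for one -LLL entry; keeps multi-valued attributes."""
    attrs, last = {}, None
    for line in text.splitlines():
        if line.startswith(" ") and last:          # LDIF continuation line
            attrs[last][-1] += line[1:]
            continue
        name, sep, value = line.partition(": ")
        if not sep or line.startswith("#"):        # skip blanks, comments, "[...]"
            continue
        attrs.setdefault(name, []).append(value.strip())
        last = name
    return attrs

def dn_to_domain(dn):
    """'DC=medic,DC=ex' -> 'medic.ex'."""
    return ".".join(re.findall(r"DC=([^,]+)", dn, flags=re.I))

def summarize_rootdse(text):
    a = parse_ldif(text)
    levels = {}
    for key in ("domainFunctionality", "forestFunctionality", "domainControllerFunctionality"):
        n = int(a[key][0])
        levels[key] = (n, FUNCTIONAL_LEVELS.get(n, f"unknown level {n}"))
    root = dn_to_domain(a["rootDomainNamingContext"][0])
    current = dn_to_domain(a["defaultNamingContext"][0])
    return {"dc_hostname": a["dnsHostName"][0], "current_domain": current,
            "forest_root": root, "in_forest_root": current.lower() == root.lower(),
            "levels": levels}

if __name__ == "__main__":
    print(summarize_rootdse(SAMPLE_ROOTDSE))
```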

Identify the Key Servers

Since we’re still in the information discovery phase, enumerating the key servers will be very useful in planning your attacks. These servers make ideal targets because they contain sensitive or confidential data, and compromising them will enable you to make good progress with your attack.

You’ll be trying to identify the domain controllers, the root certification authority servers, and even the DNS servers.

The nslookup utility is extremely helpful when enumerating all the domain controllers. You’ll be looking for DNS records under the _kerberos._tcp subdomain, which is unique to domain controllers.

$ nslookup -type=SRV _kerberos._tcp.medic.ex
Server: 10.10.10.2
Address: 10.10.10.2#53

_kerberos._tcp.medic.ex service = 0 100 88 dc01.medic.ex.

There is a domain controller called DC01 in your environment.
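An added example (not from the course) that parses the nslookup SRV output shown above into a list of advertised KDCs, ordered the way a client would pick them (RFC 2782: lowest priority first, then highest weight). It also flags records that point outside the domain or to a non-standard Kerberos port, which is useful when reconciling the DNS-advertised domain controllers against your notes. The captured output is constructed and follows the Unix nslookup format used on this page.

```python
"""Parse `nslookup -type=SRV _kerberos._tcp.<domain>` output (Unix format)."""
import re
from dataclasses import dataclass

# Constructed sample modelled on the nslookup run above, extended with two more DCs.
SAMPLE_NSLOOKUP = """\
Server: 10.10.10.2
Address: 10.10.10.2#53

_kerberos._tcp.medic.ex service = 0 100 88 dc01.medic.ex.
_kerberos._tcp.medic.ex service = 0 100 88 dc02.medic.ex.
_kerberos._tcp.medic.ex service = 10 50 88 dc03.medic.ex.
"""

# "<name> service = <priority> <weight> <port> <target>."
SRV_LINE = re.compile(
    r"^(?P<name>\S+)\s+service\s*=\s*(?P<prio>\d+)\s+(?P<weight>\d+)"
    r"\s+(?P<port>\d+)\s+(?P<target>\S+?)\.?$"
)

@dataclass(frozen=True)
class SrvRecord:
    name: str
    priority: int
    weight: int
    port: int
    target: str

def parse_srv(text):
    """Return SRV records in RFC 2782 selection order."""
    records = []
    for line in text.splitlines():
        m = SRV_LINE.match(line.strip())
        if m:
            records.append(SrvRecord(m["name"], int(m["prio"]), int(m["weight"]),
                                     int(m["port"]), m["target"].lower()))
    # lower priority is tried first; within a priority, higher weight is preferred
    return sorted(records, key=lambda r: (r.priority, -r.weight, r.target))

def kdc_hosts(text, domain):
    """Hostnames of advertised KDCs plus warnings for odd records."""
    hosts, warnings = [], []
    for r in parse_srv(text):
        hosts.append(r.target)
        if not r.target.endswith("." + domain.lower()):
            warnings.append(f"{r.target}: KDC advertised outside {domain}")
        if r.port != 88:
            warnings.append(f"{r.target}: non-standard Kerberos port {r.port}")
    return hosts, warnings

if __name__ == "__main__":
    print(kdc_hosts(SAMPLE_NSLOOKUP, "medic.ex"))
```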

If you don’t know the domain name, you can run an nmap scan to find servers with port 88 open. This port is used by the Kerberos service, which in an Active Directory network runs on the domain controllers, so it is specific to them.

$ nmap -p 88 10.10.10.0/24

You can list the root certification authorities with the Certipy tool using the following command (unlike the LDAP query above, this one requires a valid domain account, given here as user:password):

$ certipy find 'medic.ex/pixis:P4ssw0rd@dc01.medic.ex'

Finally, the nslookup utility can again be used for DNS servers. You can pass the domain name as a parameter, and the tool will return the names of authoritative DNS servers:

$ nslookup medic.ex
Server:        10.10.10.2
Address:    10.10.10.2#53

Name:    medic.ex
Address: 10.10.10.2

These commands allow you to list the structural servers in an Active Directory environment. Having this list will make the exfiltration phases easier. Remember to keep a record of them in your notes! Trust me, it really saves time, because looking up the domain controllers’ names or IP addresses every time you need to send a request is very time-consuming!

Identify the Target Servers

The key servers are the ones that enable an Active Directory environment to function correctly. Alongside them, companies run many other services in this environment, and some of them are particularly interesting to you.

I’m going to highlight the ones that I look for in penetration testing during my inventory phase. Compromising these services makes it possible to collect sensitive information or pivot onto other networks or servers in the domain.

Print Servers

The first servers to target are the print servers. First, anything that has been printed can be useful, so if the printer keeps a print history, it is a prime target. Second, a printer is often registered in Active Directory, so it holds information on all employees. If you can compromise it, you’ll likely find the authentication information the printer uses.

Nmap can be used to search for printers on the network by scanning the standard ports used by printers.

$ nmap -p 9100,515,631 10.10.10.0/24

SCCM Servers

SCCM (System Center Configuration Manager) is a Microsoft solution for managing applications and updates across an IT environment. Among its many features, SCCM allows you to deploy applications and updates, configure applications or services, and also view an inventory of your IT environment. To achieve this, SCCM must also have a clear overview of the network and often has privileges on administered machines. If you can take control of an SCCM server, you’ll be able to detect new subnets and potentially compromise new workstations.

WSUS Servers

WSUS (Windows Server Update Services) servers enable administrators to deploy Microsoft updates to all machines in the environment. Because of their role, these servers often have full visibility of the entire network. Compromising a WSUS server therefore gives you an easy path to the rest of the network.

SCOM Servers

Finally, SCOM (System Center Operations Manager) servers allow you to monitor the performance and events of Windows systems. SCOM is particularly useful for monitoring Active Directory, MSSQL databases, and Exchange servers. As with the previous solutions we discussed, a SCOM server needs to have a clear view of the monitored servers in order to achieve its purpose, and it may also have privileges over some of them. When you see a SCOM server in a company network, it can be added to your list of preferred targets.

Map the Network Shares

Another element you should map is the network shares. They often contain extremely sensitive information for the company. Employees often use a network share to exchange documents.

You can find company secrets, personal information, precise data on company projects, and even user login credentials. This information will be very useful for the later phases of your attack plan.

Windows network shares use the SMB protocol for exchanging files. This service listens on port 445. So, to find network shares, you can scan port 445 on the machines you’ve already discovered. CrackMapExec is an open-source tool that allows you to interact with your targets in a number of ways, including using the SMB protocol. It allows you to search for network shares. It can be used in the following way:

$ cme smb 10.10.10.0/24 -u pixis -p P4ssw0rd -d medic.ex --shares

This returns a list of open network shares, and the “Permissions” column indicates whether you have read and/or write access to them.

Let’s Recap!

  • Domain information can be collected without any prior authentication.

  • The company’s key servers can be identified to gain better control of the environment:

    • Domain controllers

    • DNS servers

    • Root certification authorities

  • Target servers may provide useful entry or pivot points:

    • Print servers

    • SCCM servers

    • WSUS servers

    • SCOM servers

  • Mapping network shares allows you to search for sensitive or confidential information.

This initial information will give you clearer visibility of the machines in your environment and the potential points of entry. Now you can go a step further and discover the Active Directory environment.
