In this tutorial, I explained how to enumerate users, groups, and organizational units in Active Directory on Windows Server 2016 using an automated approach with PowerShell.

Overview

  • Objective: Understand Active Directory enumeration techniques for penetration testing.
  • Audience:
    • Suitable for individuals familiar with Active Directory basics and seeking to explore cybersecurity.
  • Goal: Enumerate users, groups, and relationships within the Active Directory to gather critical information for potential exploitation.

Key Topics Covered

1. Active Directory Basics

  • Active Directory Components:
    • Domain Controller: Central server managing the Active Directory.
    • Domain Users and Groups: Entities organized within the domain.
  • Importance in Penetration Testing:
    • Assessing Active Directory helps understand an organization’s security posture.

2. Enumeration in Active Directory

  • What is Enumeration?
    • The process of extracting detailed information about users, groups, and system configurations in a domain.
  • Prerequisites:
    • Access to a client connected to the domain.
    • Ability to run PowerShell scripts on the target system.

3. Using a PowerShell Script for Enumeration

  • Script Source:
    • Derived from Offensive Security’s training materials.
  • Capabilities:
    • Automates the process of retrieving users, groups, and domain information.
  • How It Works:
    1. Builds a Provider Path:
      • Gathers details like hostname, domain name, and domain controller.
    2. Constructs a Directory Searcher:
      • Sets the root of the search for Active Directory hierarchy.
    3. Queries Domain Information:
      • Retrieves users, groups, and members through specific filters.

4. Running the Enumeration Script

  • Extracting Basic Domain Info:
    • Example:
        net user /domain
    • Displays a list of domain users.

Using the Script:

  • First, identify the domain controller and construct the provider path.
  • Example Script Snippets:
    • Retrieve all users:
        $filter = "(objectClass=user)"
    • Retrieve groups:
        $filter = "(objectClass=group)"
  • Output:
    • Lists of users, their organizational units, and group memberships.

5. Filtering and Refining Results

  • Focus on Specific Entities:
    • Modify filters to target users, groups, or specific attributes.
    • Example: Retrieve properties of the Administrator account:
        $filter = "(name=Administrator)"
  • Outputs include:
    • Username.
    • Group memberships.
    • Additional attributes (e.g., login times, account status).

Group Membership Enumeration:

  • Identify members of specific groups, such as Administrators:
        $filter = "(name=Administrators)"
  • Outputs the list of members in the targeted group.
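The three steps from section 3 (provider path, DirectorySearcher, filtered queries) together with the user, group and Administrators filters from sections 4 and 5, written out as an added example for a domain-joined Windows host. This is not the OffSec-derived script shown in the video; the Search-Directory helper name and the exact LDAP filters are my own choices.

```powershell
# Added example: builds the provider path, roots a DirectorySearcher there, and runs
# the user / group / Administrators queries described in the notes. Assumes a
# domain-joined Windows host; Search-Directory is a helper name chosen here.

# Step 1: provider path from the current domain and its PDC emulator.
$domain     = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$pdc        = $domain.PdcRoleOwner.Name            # e.g. dc01.corp.local
$dn         = ([ADSI]'').distinguishedName         # e.g. DC=corp,DC=local
$searchBase = "LDAP://$pdc/$dn"

# Step 2: DirectorySearcher rooted at the domain naming context.
function Search-Directory {
    param([Parameter(Mandatory)][string]$Filter)
    $root     = New-Object System.DirectoryServices.DirectoryEntry($searchBase)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter   = $Filter
    $searcher.PageSize = 1000   # paged search; without it results are capped at 1000 objects
    $searcher.FindAll()
}

# Step 3a: users with their OU (visible in the DN) and group memberships.
# (objectClass=user) alone also matches computer accounts, so objectCategory narrows it to people.
Search-Directory -Filter '(&(objectCategory=person)(objectClass=user))' | ForEach-Object {
    $p   = $_.Properties
    $uac = if ($p.useraccountcontrol.Count) { [int]$p.useraccountcontrol[0] } else { 0 }
    [pscustomobject]@{
        SamAccountName = [string]$p.samaccountname[0]
        DN             = [string]$p.distinguishedname[0]
        Disabled       = ($uac -band 0x2) -ne 0     # ACCOUNTDISABLE flag of userAccountControl
        MemberOf       = (@($p.memberof) -join '; ')
    }
} | Format-Table -AutoSize

# Step 3b: all groups by name, then the direct member list of one group (Administrators).
Search-Directory -Filter '(objectClass=group)' |
    ForEach-Object { [string]$_.Properties.samaccountname[0] }

$admins = Search-Directory -Filter '(&(objectClass=group)(name=Administrators))'
$admins | ForEach-Object { @($_.Properties.member) }   # DNs of direct members only
```

The member attribute lists direct members only; nested group membership needs a recursive walk or the LDAP_MATCHING_RULE_IN_CHAIN matching rule in the filter.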

6. Practical Use Case

  • Scenario:
    • Compromise a domain-connected system.
    • Use the script to enumerate:
      • Users.
      • Groups.
      • Relationships.
  • Leverage Results:
    • Identify potential targets (e.g., privileged users).
    • Explore group memberships for privilege escalation paths.

Key Takeaways

  1. Why Enumeration Matters:
    • Provides insights into the structure and weaknesses of an Active Directory environment.
  2. Automation with PowerShell:
    • Saves time and ensures comprehensive data collection.
  3. Next Steps:
    • Use the collected information for privilege escalation or lateral movement.

Video Walk-through

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.