In this tutorial, I explain how to enumerate users, groups, and organizational units in Active Directory on Windows Server 2016 using an automated PowerShell approach.

Overview

  • Objective: Understand Active Directory enumeration techniques for penetration testing.
  • Audience:
    • Suitable for individuals familiar with Active Directory basics and seeking to explore cybersecurity.
  • Goal: Enumerate users, groups, and relationships within the Active Directory to gather critical information for potential exploitation.

OSCP Certificate Notes

Windows Active Directory Penetration Testing Study Notes

Key Topics Covered

1. Active Directory Basics

  • Active Directory Components:
    • Domain Controller: Central server managing the Active Directory.
    • Domain Users and Groups: Entities organized within the domain.
  • Importance in Penetration Testing:
    • Assessing Active Directory helps in understanding an organization's security posture.

2. Enumeration in Active Directory

  • What is Enumeration?
    • The process of extracting detailed information about users, groups, and system configurations in a domain.
  • Prerequisites:
    • Access to a client connected to the domain.
    • Ability to run PowerShell scripts on the target system.

3. Using a PowerShell Script for Enumeration

  • Script Source:
    • Derived from Offensive Security’s training materials.
  • Capabilities:
    • Automates the process of retrieving users, groups, and domain information.
  • How It Works:
    1. Builds a Provider Path:
      • Gathers details like hostname, domain name, and domain controller.
    2. Constructs a Directory Searcher:
      • Sets the root of the search for Active Directory hierarchy.
    3. Queries Domain Information:
      • Retrieves users, groups, and members through specific filters.

4. Running the Enumeration Script

  • Extracting Basic Domain Info:
    • Example:
      net user /domain
    • Displays a list of domain users.

Using the Script:

  • First, identify the domain controller and construct the provider path.
  • Example Script Snippets:
    • Retrieve all users:
      $filter = "(objectClass=user)"
    • Retrieve groups:
      $filter = "(objectClass=group)"
  • Output:
    • Lists of users, their organizational units, and group memberships.

5. Filtering and Refining Results

  • Focus on Specific Entities:
    • Modify filters to target users, groups, or specific attributes.
    • Example: Retrieve properties of the Administrator account:
      $filter = "(name=Administrator)"
  • Outputs include:
    • Username.
    • Group memberships.
    • Additional attributes (e.g., login times, account status).

Group Membership Enumeration:

  • Identify members of specific groups, such as Administrators:
      $filter = "(name=Administrators)"
  • Outputs the list of members in the targeted group.
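The following script is an added example, not the page's or Offensive Security's own code. It builds the LDAP provider path described in section 3 and runs the four filters from sections 4 and 5 through one DirectorySearcher helper; it assumes a domain-joined host, an account permitted to read the directory, and the hypothetical function name Invoke-LdapSearch.

```powershell
# Added example: provider path + DirectorySearcher for the filters in the notes.
# Assumes a domain-joined host and read access to the directory (e.g. an auditor account).
$domainObj    = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$pdc          = $domainObj.PdcRoleOwner.Name            # domain controller to query
$searchBase   = ([ADSI]"").distinguishedName            # e.g. DC=corp,DC=local
$providerPath = "LDAP://$pdc/$searchBase"

function Invoke-LdapSearch {
    # Hypothetical helper: run one LDAP filter against the domain root and
    # return the requested properties of each matching object.
    param(
        [Parameter(Mandatory)][string]$Filter,
        [string[]]$Properties = @('samaccountname', 'distinguishedname', 'memberof')
    )
    $root     = New-Object System.DirectoryServices.DirectoryEntry($providerPath)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter   = $Filter
    $searcher.PageSize = 1000     # paged results: without this the DC caps a query at 1000 objects
    foreach ($p in $Properties) { [void]$searcher.PropertiesToLoad.Add($p) }
    foreach ($r in $searcher.FindAll()) { $r.Properties }
}

# 1. All user objects. Caveat: objectClass=user also matches computer accounts;
#    (&(objectCategory=person)(objectClass=user)) restricts it to people.
Invoke-LdapSearch -Filter "(objectClass=user)" | ForEach-Object {
    $ou = $_.distinguishedname[0] -replace '^CN=[^,]+,', ''   # strip the CN to show the OU
    "{0}  OU: {1}" -f $_.samaccountname[0], $ou
}

# 2. All groups.
Invoke-LdapSearch -Filter "(objectClass=group)" -Properties samaccountname |
    ForEach-Object { $_.samaccountname[0] }

# 3. One account's attributes. Caveat: lastLogon is per-DC and not replicated;
#    lastLogonTimestamp is replicated but only updated roughly every 14 days.
Invoke-LdapSearch -Filter "(name=Administrator)" -Properties samaccountname, lastlogon, useraccountcontrol, memberof |
    ForEach-Object {
        $ll = if ($_.lastlogon.Count) { [DateTime]::FromFileTime([int64]$_.lastlogon[0]) } else { 'never' }
        "Administrator last logon: $ll  userAccountControl: $($_.useraccountcontrol[0])"
        "  memberOf: $($_.memberof -join '; ')"
    }

# 4. Direct members of a group. Nested groups appear as DNs and need a further query
#    (or the LDAP_MATCHING_RULE_IN_CHAIN filter 1.2.840.113556.1.4.1941) to expand.
Invoke-LdapSearch -Filter "(name=Administrators)" -Properties member |
    ForEach-Object { $_.member }
```

Reviewing the output of steps 3 and 4 against an expected membership list is the defender's use of the same query: stale privileged accounts and unexpected members of Administrators are what a periodic audit should flag.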

6. Practical Use Case

  • Scenario:
    • Compromise a domain-connected system.
    • Use the script to enumerate:
      • Users.
      • Groups.
      • Relationships.
  • Leverage Results:
    • Identify potential targets (e.g., privileged users).
    • Explore group memberships for privilege escalation paths.

Key Takeaways

  1. Why Enumeration Matters:
    • Provides insights into the structure and weaknesses of an Active Directory environment.
  2. Automation with PowerShell:
    • Saves time and ensures comprehensive data collection.
  3. Next Steps:
    • Use the collected information for privilege escalation or lateral movement.


About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, who is a cybersecurity content creator and YouTuber.