Skip to main content

[Backup] Domain Enumeration Methodology

Hey folks, today I start a new series of articles to discuss Active Directory Exploitation. This is the first article, we focus on domain enumeration. We assume you have already had an initial shell on a domain computer, no matter it is Windows domain computer or Linux domain computer, because we will discuss both of them : D

Be aware that it is not an article which focuses on the detailed usage of tool and command, we focus on methodology.

Enumeration on Windows

0: One-Click Vulnerabilities

  • CVE-2021–42278: No PAC Vulnerability
  • CVE-2022–26809: RPC RCE
  • CVE-2022–26923: ADCS Vulnerability
  • CVE-2020–1472: Zerologin Vulnerability
  • MS14–068: Kerberos Vulnerability

1: Domain User

  • Kerberos Pre-Authentication: If some domain users do not have pre-auth enabled, we can ASREPRoast them and get krb5asrep hashes. If we are lucky, we have a chance to crack those hashes offline and get plaintext credential.
  • SPN: If a domain user has SPN, it is a service account. We can Kerberoast them and get krb5tgs hashes. If we are lucky, we have a chance to crack those hashes offline and get plaintext credential.
  • Group Membership: Each domain user at least belongs to “Domain User” group, but if any domain user belongs to more than this group, we must check which groups they belong to.

2: Domain Group

  • Group Type: If a group is custom one, we need to pay more attention to it, what rights does the group have?

3: Foreign Members

4: Domain Computer

  • Windows Computer
  • Linux Computer: Typically linux domain computers allow SSH access for domain users by default.

5: Existing Sessions and Processes

  • Available Token

After getting SYSTEM privilege, we can impersonate any logged domain users. If impersonated user has specific rights, we could move to other machines even domains.

6: Owned Users’ Permission

  • Local Admin Privilege to Other Computers:
  • WinRM Access to Other Computers:
  • DACL: Such as ForceChangePassword, GenericWrite, etc.

7: Service Access

  • FTP: If we have access, check any juicy file inside it.
  • Web: If we can exploit an internal web app, we could move to the other machine.
  • SQL: Abuse xp_cmdshell and SQL Link to execute command on other machines.

8: GPO

9: Delegation

  • Unconstrained Delegation: It is the most powerful for us, we could compromise multiple users and computers.
  • Constrained Delegation: We could be able to move to the computer by abusing S4U.
  • Resource Based Constrained Delegation: If compromised computers or users have GenericWrite permission over a computer, we could finally move to the computer by abusing S4U.

10: ADCS

  • CVE-2022–26923

11: Trust

  • Within Forest: The trust is always bi-directional, we can abuse golden ticket or trust key
  • Between Forest
  • Bi-directional: Abuse trust key or golden ticket, but be aware of SID filter.
  • Inbound: Check if any domain user is a foreign member in target domain
  • Outbound: Can be abused via SQL Link, logged foreign member, etc.

Enumeration on Linux

As A Normal User

As A Privileged User

  • 1: ccache file

ccache files hold the Kerberos credentials for a user authenticated to a linux domain computer. If there is any active domain user session, we can see ccache files in /tmp, the file is in the form of krb5cc_xxxxx. We can pass ccache file directly on Linux machine, or use impacket to convert it to .kirbi form and pass it to current session on a Windows machine.

  • 2: keytab file

keytab file contains mappings between Kerberos Principal names and DES-encrypted keys that are derived from the password used to log into the Kerberos Key Distribution Center (KDC). We can use a script (https://github.com/sosdave/KeyTabExtract)to retrieve credentials from it. Each linux domain computer has its keytab file at /etc/krb5.keytab, it is accessible for root by default.