# adPEAS

![](https://github.com/61106960/adPEAS/raw/main/images/adPEAS_large.jpg)

adPEAS is a PowerShell tool to automate Active Directory enumeration.
In fact, adPEAS is essentially a wrapper around several other cool projects, like
* PowerView
* Empire
* Bloodhound
* and some self-written lines of code

As said, adPEAS is a wrapper around other tools. Almost all of them are written in pure PowerShell, but some are included as a compressed binary blob or as C# code.

adPEAS-Light is a version without Bloodhound and the vulnerability checks, so it is less likely to be blocked by an AV solution.

# How It Works

adPEAS can be run simply by calling 'Invoke-adPEAS' if it is started on a domain-joined computer.
If the system you are running adPEAS from is not domain-joined, or if you want to enumerate another domain, use a specific domain controller, use different credentials, or only enumerate for credential exposure, you can do so with the parameters described below.

## adPEAS Modules

adPEAS consists of the following enumeration modules:
* Domain - Searching for basic Active Directory information, like Domain Controllers, Sites and Subnets, Trusts and DCSync rights
* CA - Searching for basic Enterprise Certificate Authority information, like CA Name, CA Server and Templates
* Creds - Searching for different kinds of credential exposure, like ASREPRoast, Kerberoasting, Group Policies, Netlogon scripts, LAPS, gMSA and certain account attributes (e.g. UnixPassword)
* Delegation - Searching for delegation issues, like 'Constrained Delegation', 'Unconstrained Delegation' and 'Resource Based Constrained Delegation', for computer and user accounts
* Accounts - Searching for highly privileged user accounts in predefined groups and for account issues, e.g. passwords that never expire
* Computer - Enumerating Domain Controllers, CA and Exchange servers; with the switch -Vulns it checks these systems for EternalBlue, BlueKeep, ZeroLogon and critical Exchange vulnerabilities
* Bloodhound - Enumerating Active Directory with BloodHound

# Some How To Use Examples
## Simple usage with generic program parameters
First you have to load adPEAS in PowerShell...
```
Import-Module .\adPEAS.ps1
```
or
```
. .\adPEAS.ps1
```
or
```
gc -raw .\adPEAS.ps1 | iex
```
or
```
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/61106960/adPEAS/main/adPEAS.ps1')
```

Start adPEAS with all enumeration modules and enumerate the domain the logged-on user and computer belong to.
```
Invoke-adPEAS
```

Start adPEAS with all enumeration modules and enumerate the domain 'contoso.com'.
```
Invoke-adPEAS -Domain 'contoso.com'
```

Start adPEAS with all enumeration modules, enumerate the domain 'contoso.com' and use the domain controller 'dc1.contoso.com' for almost all enumeration requests.
```
Invoke-adPEAS -Domain 'contoso.com' -Server 'dc1.contoso.com'
```

Start adPEAS with all enumeration modules, enumerate the domain 'contoso.com' and use the passed PSCredential object during enumeration.
```
$SecPassword = ConvertTo-SecureString 'Passw0rd1!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('contoso\johndoe', $SecPassword)
Invoke-adPEAS -Domain 'contoso.com' -Cred $Cred
```

Start adPEAS with all enumeration modules, enumerate the domain 'contoso.com' and use the username 'contoso\johndoe' with password 'Passw0rd1!' during enumeration.
```
Invoke-adPEAS -Domain contoso.com -Username 'contoso\johndoe' -Password 'Passw0rd1!'
```

## Usage with a single enumeration module
### All modules below can be combined with all generic program parameters explained above.

Enumerates basic Active Directory information, like Domain Controllers, Password Policy, Sites and Subnets, Trusts, DCSync Rights.
```
Invoke-adPEAS -Module Domain
```

Enumerates basic Enterprise Certificate Authority information, like CA Name, CA Server and common Template vulnerabilities.
```
Invoke-adPEAS -Module CA
```

Enumerates credential exposure issues, like ASREPRoast, Kerberoasting, Linux/Unix password attributes, gMSA, LAPS (if your account has the rights to read it), Group Policies, Netlogon scripts.
```
Invoke-adPEAS -Module Creds
```

Enumerates delegation issues, like 'Unconstrained Delegation', 'Constrained Delegation', 'Resource Based Constrained Delegation' for user and computer objects.
```
Invoke-adPEAS -Module Delegation
```

Enumerates users in highly privileged groups which are NOT disabled, like Administrators, Domain Admins, Enterprise Admins, Group Policy Creators, DNS Admins, Account Operators, Server Operators, Printer Operators, Backup Operators, Hyper-V Admins, Remote Management Users and Cert Publishers. Enumerates highly privileged users (admincount=1) which are NOT disabled and whose password does not expire or which may not require a password.
```
Invoke-adPEAS -Module Accounts
```

Enumerates installed Domain Controllers and Exchange Servers.
```
Invoke-adPEAS -Module Computer
```

Enumerates installed Domain Controllers, CA and Exchange Servers and checks them for common critical vulnerabilities, like CVE-2020-1472 (ZeroLogon), CVE-2020-0688 (Exchange), CVE-2019-0708 (BlueKeep), CVE-2018-8581 (Exchange), CVE-2017-0144 (aka MS17-010, EternalBlue).
```
Invoke-adPEAS -Module Computer -Vulns
```

Starts Bloodhound enumeration with the scope DCOnly. Output ZIP files are stored in the same directory adPEAS is started from.
```
Invoke-adPEAS -Module Bloodhound
```

Starts Bloodhound enumeration with the scope All. With this option Bloodhound will contact each member computer of the domain. Output ZIP files are stored in the same directory adPEAS is started from.
```
Invoke-adPEAS -Module Bloodhound -Scope All
```

## Example program output
```
PS > Invoke-adPEAS -Domain sub.pen.local

[*] +++++ Starting adPEAS Version 0.7.9 +++++
adPEAS version 0.7.9
[*] +++++ Starting Enumeration +++++
[*] +++++ Searching for Domain Information +++++
[*] +++++ Checking Domain +++++
Checking Domain - Details for Domain 'sub.pen.local':
Domain Name       : sub.pen.local
Domain SID        : S-1-5-21-575725702-4057784316-641645133
Forest Name       : pen.local
Root Domain Name  : pen.local
Root Domain SID   : S-1-5-21-2219892162-3422002451-1011183393
Forest Children   : No Subdomain[s] available
Domain Controller : PEN-SDC01.sub.pen.local

[*] +++++ Checking Password and Kerberos Policy +++++
Checking Password Policy - Details for Domain 'sub.pen.local':
[!] Password of accounts are stored with reversible encryption
[+] https://adsecurity.org/?p=2053
Minimum Password Age    : Disabled
Maximum Password Age    : Disabled
Minimum Password Length : 7 character
Password Complexity     : Disabled
Lockout Account         : Disabled
Reversible Encryption   : Enabled

Checking Kerberos Policy - Details for Domain 'sub.pen.local':
Maximum Age of TGT            : 10 hours
Maximum Age of TGS            : 600 minutes
Maximum Clock Time Difference : 5 minutes
Krbtgt Password Last Set      : 29.04.2019 10:05:59

[*] +++++ Checking Domain Controller, Sites and Subnets +++++
Checking Domain Controller - Details for Domain 'sub.pen.local':
DC Host Name  : PEN-SDC01.sub.pen.local
DC IP Address : 192.168.46.10
Site Name     : Germany
Domain        : sub.pen.local

Checking Sites and Subnets - Details for Domain 'sub.pen.local':
IP Subnet : 192.168.46.0/25
Site Name : Germany

[*] +++++ Checking Forest and Domain Trusts +++++
Checking Domain Trusts - Details for Domain 'sub.pen.local':
Target Domain Name : pen.local
Target Domain SID  : S-1-5-21-2219892162-3422002451-1011183393
Flags              : IN_FOREST, DIRECT_OUTBOUND, TREE_ROOT, DIRECT_INBOUND
TrustAttributes    : WITHIN_FOREST

[*] +++++ Checking DCSync Rights +++++
[*] https://book.hacktricks.xyz/windows/active-directory-methodology/dcsync
Checking DCSync Rights - Details for Domain 'sub.pen.local':
ActiveDirectoryRight : DS-Replication-Get-Changes
ActiveDirectoryRight : DS-Replication-Get-Changes-All
Identity             : SUB\superadmin
distinguishedName    : CN=Superadmin,CN=Users,DC=sub,DC=pen,DC=local
ObjectSID            : S-1-5-21-575725702-4057784316-641645133-3954

ActiveDirectoryRight : DS-Replication-Get-Changes
Identity             : SUB\superadmin
distinguishedName    : CN=Superadmin,CN=Users,DC=sub,DC=pen,DC=local
ObjectSID            : S-1-5-21-575725702-4057784316-641645133-3954

[*] +++++ Checking GenericAll Rights +++++
[*] https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-acls-aces
Checking GenericAll Rights - Details for Domain 'sub.pen.local':
ActiveDirectoryRight : GenericAll
Identity             : SUB\Andend
distinguishedName    : CN=Alexander Baumgartner,OU=germany,OU=users,OU=corp,DC=sub,DC=pen,DC=local
ObjectSID            : S-1-5-21-575725702-4057784316-641645133-2273

ActiveDirectoryRight : GenericAll
Identity             : PEN\Exchange Trusted Subsystem
distinguishedName    : CN=Exchange Trusted Subsystem,OU=Microsoft Exchange Security Groups,DC=pen,DC=local
ObjectSID            : S-1-5-21-2219892162-3422002451-1011183393-1118

ActiveDirectoryRight : GenericAll
Identity             : PEN\Exchange Trusted Subsystem
distinguishedName    : CN=Exchange Trusted Subsystem,OU=Microsoft Exchange Security Groups,DC=pen,DC=local
ObjectSID            : S-1-5-21-2219892162-3422002451-1011183393-1118

ActiveDirectoryRight : GenericAll
Identity             : PEN\Organization Management
distinguishedName    : CN=Organization Management,OU=Microsoft Exchange Security Groups,DC=pen,DC=local
ObjectSID            : S-1-5-21-2219892162-3422002451-1011183393-1105

ActiveDirectoryRight : GenericAll
Identity             : PEN\Exchange Trusted Subsystem
distinguishedName    : CN=Exchange Trusted Subsystem,OU=Microsoft Exchange Security Groups,DC=pen,DC=local
ObjectSID            : S-1-5-21-2219892162-3422002451-1011183393-1118

[*] +++++ Searching for Certificate Authority Information +++++
[*] +++++ Searching for Enterprise CA +++++
[*] https://posts.specterops.io/certified-pre-owned-d95910965cd2
Searching for Certificate Authority - Details for 'PEN-IssuingCA01':
CA Name            : PEN-IssuingCA01
CA dnshostname     : PEN-SCA.sub.pen.local
CA IP Address      : 192.168.46.23
Date of Creation   : 29.07.2020 21:05:02
DistinguishedName  : CN=PEN-IssuingCA01,CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=sub,DC=pen,DC=local
Templates          : Wildcard-Smartcard-User
                     Wildcard-User
                     Webserver
                     DirectoryEmailReplication
                     DomainControllerAuthentication
                     DomainController
                     Machine
                     Administrator
NTAuthCertificates : True

[*] +++++ Searching for Vulnerable Certificate Templates +++++
[*] adPEAS does basic enumeration only, consider using https://github.com/GhostPack/PSPKIAudit
[*] For any vulnerabilities present, consider using https://github.com/GhostPack/Certify
[*] +++++ Checking Template 'Wildcard-Smartcard-User' +++++
[!] 'Authenticated Users' have 'GenericAll' permissions on Template 'Wildcard-Smartcard-User'
Checking Certificate Template - Details for Template 'Wildcard-Smartcard-User':
Template Name              : Wildcard-Smartcard-User
Template distinguishedname : CN=Wildcard-Smartcard-User,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=sub,DC=pen,DC=local
Date of Creation           : 15.08.2020 14:15:13
CertificateNameFlag        : ENROLLEE_SUPPLIES_SUBJECT
                             OLD_CERT_SUPPLIES_SUBJECT_AND_ALT_NAME
                             ENROLLEE_SUPPLIES_SUBJECT_ALT_NAME
                             SUBJECT_ALT_REQUIRE_DOMAIN_DNS
                             SUBJECT_ALT_REQUIRE_DIRECTORY_GUID
                             SUBJECT_ALT_REQUIRE_UPN
                             SUBJECT_ALT_REQUIRE_EMAIL
                             SUBJECT_ALT_REQUIRE_DNS
                             SUBJECT_REQUIRE_DNS_AS_CN
                             SUBJECT_REQUIRE_EMAIL
                             SUBJECT_REQUIRE_COMMON_NAME
                             SUBJECT_REQUIRE_DIRECTORY_PATH
EnrollmentFlag             : CT_FLAG_INCLUDE_SYMMETRIC_ALGORITHMS
                             CT_FLAG_PUBLISH_TO_DS
                             CT_FLAG_AUTO_ENROLLMENT
                             CT_FLAG_USER_INTERACTION_REQUIRED
Private Key Exportable     : True
Authenticated Users        : GenericAll

[*] +++++ Checking Template 'Wildcard-User' +++++
[!] 'Authenticated Users' have 'ReadProperty, WriteProperty, GenericExecute, WriteDacl, WriteOwner' permissions on Template 'Wildcard-User'
Checking Certificate Template - Details for Template 'Wildcard-User':
Template Name              : Wildcard-User
Template distinguishedname : CN=Wildcard-User,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=sub,DC=pen,DC=local
Date of Creation           : 15.08.2020 14:06:08
CertificateNameFlag        : ENROLLEE_SUPPLIES_SUBJECT
                             OLD_CERT_SUPPLIES_SUBJECT_AND_ALT_NAME
                             ENROLLEE_SUPPLIES_SUBJECT_ALT_NAME
                             SUBJECT_ALT_REQUIRE_DOMAIN_DNS
                             SUBJECT_ALT_REQUIRE_DIRECTORY_GUID
                             SUBJECT_ALT_REQUIRE_UPN
                             SUBJECT_ALT_REQUIRE_EMAIL
                             SUBJECT_ALT_REQUIRE_DNS
                             SUBJECT_REQUIRE_DNS_AS_CN
                             SUBJECT_REQUIRE_EMAIL
                             SUBJECT_REQUIRE_COMMON_NAME
                             SUBJECT_REQUIRE_DIRECTORY_PATH
EnrollmentFlag             : CT_FLAG_INCLUDE_SYMMETRIC_ALGORITHMS
                             CT_FLAG_AUTO_ENROLLMENT
                             CT_FLAG_USER_INTERACTION_REQUIRED
Private Key Exportable     : True
Authenticated Users        : ReadProperty, WriteProperty, GenericExecute, WriteDacl, WriteOwner

[*] +++++ Checking Template 'Machine' +++++
[+] 'SUB\Domänencomputer' has Enrollment Rights for Template 'Machine'
Checking Certificate Template - Details for Template 'Machine':
Template Name              : Machine
Template distinguishedname : CN=Machine,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=sub,DC=pen,DC=local
Date of Creation           : 06.09.2015 07:12:43
CertificateNameFlag        : SUBJECT_ALT_REQUIRE_DNS
                             SUBJECT_REQUIRE_DNS_AS_CN
EnrollmentFlag             : CT_FLAG_AUTO_ENROLLMENT
Enrollment allowed for     : SUB\Domänencomputer

[*] +++++ Checking Template 'User' +++++
[+] 'SUB\Domänen-Benutzer' has Enrollment Rights for Template 'User'
Checking Certificate Template - Details for Template 'User':
Template Name              : User
Template distinguishedname : CN=User,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=sub,DC=pen,DC=local
Date of Creation           : 06.09.2015 07:12:42
CertificateNameFlag        : ENROLLEE_SUPPLIES_SUBJECT
                             OLD_CERT_SUPPLIES_SUBJECT_AND_ALT_NAME
                             ENROLLEE_SUPPLIES_SUBJECT_ALT_NAME
                             SUBJECT_ALT_REQUIRE_DOMAIN_DNS
                             SUBJECT_ALT_REQUIRE_DIRECTORY_GUID
                             SUBJECT_ALT_REQUIRE_UPN
                             SUBJECT_ALT_REQUIRE_EMAIL
                             SUBJECT_ALT_REQUIRE_DNS
                             SUBJECT_REQUIRE_DNS_AS_CN
                             SUBJECT_REQUIRE_EMAIL
                             SUBJECT_REQUIRE_COMMON_NAME
                             SUBJECT_REQUIRE_DIRECTORY_PATH
EnrollmentFlag             : CT_FLAG_INCLUDE_SYMMETRIC_ALGORITHMS
                             CT_FLAG_PUBLISH_TO_DS
                             CT_FLAG_AUTO_ENROLLMENT
Private Key Exportable     : True
Enrollment allowed for     : SUB\Domänen-Benutzer

[*] +++++ Checking Template 'IIS_Webserver' +++++
[+] 'SUB\Domänencomputer' has Enrollment Rights for Template 'IIS_Webserver'
[+] 'Authenticated Users' has Enrollment Rights for Template 'IIS_Webserver'
[!] Template 'IIS_Webserver' has Flag 'ENROLLEE_SUPPLIES_SUBJECT'
Checking Certificate Template - Details for Template 'IIS_Webserver':
Template Name              : IIS_Webserver
Template distinguishedname : CN=IIS_Webserver,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=sub,DC=pen,DC=local
Date of Creation           : 11.10.2019 19:50:46
CertificateNameFlag        : ENROLLEE_SUPPLIES_SUBJECT
EnrollmentFlag             :
Private Key Exportable     : True
Enrollment allowed for     : SUB\Domänencomputer
                             Authenticated Users

[*] +++++ Searching for Credentials Exposure +++++
[*] +++++ Searching for ASREPRoast Users +++++
[*] https://book.hacktricks.xyz/windows/active-directory-methodology/asreproast
[!] Account Boody1946 does not require kerberos preauthentication to get a TGT
[*] Hashcat usage: hashcat -m 18200
Searching for ASREPRoast Users - Details for User 'Boody1946':
sAMAccountName     : Boody1946
userPrincipalName  : Kevin.Ehrlichmann@sub.pen.local
distinguishedName  : CN=Kevin Ehrlichmann,OU=germany,OU=users,OU=corp,DC=sub,DC=pen,DC=local
description        :
objectSid          : S-1-5-21-575725702-4057784316-641645133-2289
userAccountControl : NORMAL_ACCOUNT, DONT_REQ_PREAUTH
memberOf           :
pwdLastSet         : 12.06.2019 13:18:36
lastLogonTimestamp : 13.11.2020 13:32:41

$krb5asrep$23$Boody1946@sub.pen.local:d38e4dcd90019ddda3ec04e535eb81b7$b3943db8194504c13e706358d9600a34c1269570c232f8dd
039f164ceed1bf15XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXaa084060f8b18db692b79749caf1e3149a
ad42059aeb56d39fc9862596a75f74ff414c476577a4b18f0b3a790ce642ac3f0096f6ab7e9b8ca20e1494a65d9e26b68e2952ed732a9eecea24c21
1b07314c69d0385ff42cd6180562a36035e9XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXff12ce17b66921
c91f35d66bdcf241f8fa821db4cf0db74247b508401fe17639c488f379d43043bfb3c99

[*] +++++ Searching for Kerberoastable Users +++++
[*] https://book.hacktricks.xyz/windows/active-directory-methodology/kerberoast#kerberoast
[!] Account svc_web has a SPN and is vulnerable to Kerberoasting
[*] Hashcat usage: hashcat -m 13100
Searching for Kerberoastable Users - Details for User 'svc_web':
sAMAccountName     : svc_web
userPrincipalName  : svc_web@sub.pen.local
distinguishedName  : CN=svc_web,OU=service accounts,OU=corp,DC=sub,DC=pen,DC=local
description        :
objectSid          : S-1-5-21-575725702-4057784316-641645133-3952
userAccountControl : NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD
memberOf           :
pwdLastSet         : 21.01.2020 17:40:15
lastLogonTimestamp :

$krb5tgs$23$*svc_web$sub.pen.local$http/web.server*$C2D4F2B64EC91A55A605229DBA5598FB$48B30F628AEE1917D1B401410937A633C2
4A586F186F6F8E5936EE2A375D21F226DF85AB2E29CE9866BBC985B2D12C57C3ADE298DC67293BDB5A258D092AAFC18415F60D925F69F4AC8832543
468D4371CB9464B18A1651A028D19273C7480421177ED589E0539265B63A833250964AB572451EE6589DD0041DBF06A3F5A63817594637D6CBA7A6D
D5B62281F6E29BD350F45F674F7C879A374284E95FB5344E100767F7BED97F609F6F2A2AFFE25135757F3119644B4ACFEC293E0709F4D7A139D322F
10910440302D6FA6XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX30E5C0587F4F1A9742B919ED1A9B2
41D812434FE9BAC01AA3688F885DC4EF58D6D1ADD664D4315636DD0537DDA058F68963DF413829C89A18265F0FF6966C55AFE14C642C46EA9BABFCB
E849F4ADE91E7E86F23E4DA78CC19AE93A676F42BAB1F3C9D34D3EED8CD35FCE43E69A3AF2996370249ACEFA92BB1DE6F3F2D00368FE03E2F39C32B
D8C49BF5B66065EDDFDF0A2436CD45F17557D68823909353F6AE75AA60DAB2752EC21497D79999A1C9FF47ECBE330A86924DCD4A7C97858D573244C
5D63863CA6D5AD4838CB4F0A1D78D579B063CAD8953FD56F002DC6CB5D2253CB7CAC0300D26ED5FF0379C8F1C409870FD53B3AFFE9FF7773229BC77
12E6A459F459828D334744AE1AE35A673C47A643FDD315B2414170FD4E9CA07B1C26F055AF42019FC36A68A8501FEB6B1C1424AA50415C2BBBA9E1E
647A4703096A2CF3563C404CE5E9F55D5A0A010C9140783B6956351ADD6C09B82F6D21B6810F3E08C67C68A547560F3589C18A5D44E26C76F078552
8EFEC05A13188058362F8800798BDDB21A67CFD79FA244740FEBB1A2736A24EC4C1E5FDEB5765C7E5E8905B4E8AB7B86FFD8A601EEAB0E9FD51E678
112B82BACCBA64C86XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXB133302F9E3A2D0070BA725E786852A9139ED12CC40B4
090DCD3579110C17DE189695B5F3D8EFDFC626A7E7713A073F3861CCA6929CFA1DB9CAA2063587870C733A52BE23DD92F048A9DC0049315FA116F73
A9112AE205F53251B1F1BAC51939951C2D96089E8022D3E780F46CB17B8B858CDBE3E8A292ED6E02F175171E10840623F0407ED1E5DB445DA7A6FCA
40F1BDFD0A310CA89328E98382C7FD1DC600897DDDEC71D65AA8C98AD70C0E223F0372740F36DC1CC1C66F2E61A9FBFCB3705478471DAE696BCE92F
91309ABAEEDB101B652CC7A8F2C28F5339765BA0E89C86611F5C17E45073AFED15ABF02F6E65DF2A7483BB8E0802E5891F30A9668BDC126F52ED9FA
169B3BE775BC87EA99521506AD48C93DB025XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXFB1BF977339341
AA40386C102807D5F33656BABEBAB8FE983CB9C2D1E56E28D9488671A56AE205686EF2324F9EBD9DACEFF9C7E8E3D10814444E00DEFB024C3DC856F
C326EC09C657BC09F6502A4058CA88258CCDAEB34E12A652D76C07C0D2547E52A8FFF50CA164E748B34CD6F8119DAB66A1B21043BBCD16C05F6

[*] +++++ Searching for Users with a set 'Linux/Unix Password' attribute +++++
[*] https://www.blackhillsinfosec.com/domain-goodness-learned-love-ad-explorer/
[!] User Tiledgets has a legacy cleartext Linux/Unix password set
Searching for Users with a set 'Linux/Unix Password' attribute - Details for User 'Tiledgets':
sAMAccountName     : Tiledgets
userPrincipalName  : Lucas.Maier@sub.pen.local
distinguishedName  : CN=Lucas Maier,OU=germany,OU=users,OU=corp,DC=sub,DC=pen,DC=local
description        :
objectSid          : S-1-5-21-575725702-4057784316-641645133-2115
userAccountControl : NORMAL_ACCOUNT
memberOf           :
pwdLastSet         : 12.06.2019 13:18:07
lastLogonTimestamp :
UnixUserPassword   : ABCD!efgh12345$67890

[*] +++++ Searching for Computers with enabled and readable LAPS attribute +++++
[*] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#antivirus-and-detectors
[!] Computer SRVCLOUD$ has enabled LAPS - Found password 'SecretPW0815!'
Searching for Computers with enabled LAPS - Details for Computer 'SRVCLOUD$':
sAMAccountName                                    : SRVCLOUD$
dNSHostName                                       : srvcloud.sub.pen.local
distinguishedName                                 : CN=SRVCLOUD,OU=corp,DC=sub,DC=pen,DC=local
IPv4Address                                       : 192.168.46.31
operatingSystem                                   : Windows Server 2019 Standard
description                                       : Ask the administrator for the password
objectSid                                         : S-1-5-21-575725702-4057784316-641645133-1715
userAccountControl                                : ACCOUNTDISABLE, WORKSTATION_TRUST_ACCOUNT
ms-Mcs-AdmPwd [Password]                          : SecretPW0815!
ms-mcs-AdmPwdExpirationTime [Password Expiration] : 01.12.2020 00:00:00

[*] +++++ Searching for Group Managed Service Accounts (gMSA) +++++
[*] https://book.hacktricks.xyz/windows/active-directory-methodology/privileged-accounts-and-token-privileges
[+] Account gMSA-Service$ is a Group Managed Service Account
Searching for gMSA - Details for Account 'gMSA-Service$':
sAMAccountName                             : gMSA-Service$
distinguishedName                          : CN=gMSA-Service,CN=Managed Service Accounts,DC=sub,DC=pen,DC=local
description                                :
objectSid                                  : S-1-5-21-575725702-4057784316-641645133-36616
userAccountControl                         : WORKSTATION_TRUST_ACCOUNT
memberOf                                   : CN=Testgroup,OU=test,OU=corp,DC=sub,DC=pen,DC=local
pwdLastSet                                 : 26.09.2021 12:31:44
lastLogonTimestamp                         : 26.09.2021 12:38:07
PrincipalsAllowedToRetrieveManagedPassword : SUB\superadmin
                                             SUB\SRV-DB01$
                                             SUB\test

[*] +++++ Searching for Crypted Passwords in SYSVOL Group Policy Objects +++++
[*] https://www.andreafortuna.org/2019/02/13/abusing-group-policy-preference-files-for-password-discovery/
[!] Password 'P8ssw0rd#! for user local-admin-srv has been found
Searching for Crypted Passwords in SYSVOL Policies Directory - Details for File '\\sub.pen.local\SYSVOL\sub.pen.local\Policies\{6F6C332E-79D5-4C77-BF23-6FB5ED9381D4}\Machine\Preferences\Groups\Groups.xml':
Username : local-admin-srv
Password : 'P8ssw0rd#!

[*] +++++ Searching for Sensitive Information in NETLOGON Share +++++
[+] Possible sensitive information have been found
Searching for sensitive information in NETLOGON Share - Details for File '\\sub.pen.local\NETLOGON\login-script.cmd':
LineNumber  : 5
LineContent : rem password: SuperS3cr3t!

[+] Possible sensitive information have been found
Searching for sensitive information in NETLOGON Share - Details for File '\\sub.pen.local\NETLOGON\login-script_test.cmd':
LineNumber  : {5, 7}
LineContent : {rem password: TestPW0815!, net use l: \\srv-rfile.pen.local\Deparmentshare$ Passw0rd1! /user:sub\%username%}

[*] +++++ Searching for Delegation Issues +++++
[*] +++++ Searching for Computers with Unconstrained Delegation Rights +++++
[*] https://book.hacktricks.xyz/windows/active-directory-methodology/unconstrained-delegation
[!] Computer PEN-SEXCH$ has unconstrained delegation rights
Searching for Computers with Unconstrained Delegation Rights - Details for Computer 'PEN-SEXCH$':
sAMAccountName     : PEN-SEXCH$
dNSHostName        : PEN-SEXCH.sub.pen.local
distinguishedName  : CN=PEN-SEXCH,OU=servers,OU=corp,DC=sub,DC=pen,DC=local
IPv4Address        : 192.168.46.22
operatingSystem    : Windows Server 2016 Datacenter
description        :
objectSid          : S-1-5-21-575725702-4057784316-641645133-1106
userAccountControl : WORKSTATION_TRUST_ACCOUNT, TRUSTED_FOR_DELEGATION

[*] +++++ Searching for Computers with Constrained Delegation Rights +++++
[*] https://book.hacktricks.xyz/windows/active-directory-methodology/constrained-delegation
[!] Computer PEN-SCA$ has constrained delegation rights
Searching for Computers with Constrained Delegation Rights - Details for Computer 'PEN-SCA$':
sAMAccountName           : PEN-SCA$
dNSHostName              : PEN-SCA.sub.pen.local
distinguishedName        : CN=PEN-SCA,OU=servers,OU=corp,DC=sub,DC=pen,DC=local
IPv4Address              : 192.168.46.23
operatingSystem          : Windows Server 2016 Datacenter
description              :
objectSid                : S-1-5-21-575725702-4057784316-641645133-1104
userAccountControl       : WORKSTATION_TRUST_ACCOUNT, TRUSTED_TO_AUTH_FOR_DELEGATION
msDS-AllowedToDelegateTo : HOST/PEN-SDC01.sub.pen.local/sub.pen.local
                           HOST/PEN-SDC01.sub.pen.local
                           HOST/PEN-SDC01
                           HOST/PEN-SDC01.sub.pen.local/SUB
                           HOST/PEN-SDC01/SUB

[*] +++++ Searching for Computers with Resource-Based Constrained Delegation Rights +++++
[*] https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html
[!] Computer SRVVM$ has resource-based constrained delegation rights
Searching for Computers with Resource-Based Constrained Delegation Rights - Details for Computer 'SRVVM$':
sAMAccountName                      : SRVVM$
dNSHostName                         : srvvm.sub.pen.local
distinguishedName                   : CN=SRVVM,OU=corp,DC=sub,DC=pen,DC=local
IPv4Address                         : 192.168.46.56
operatingSystem                     : Windows Server 2016 Datacenter
description                         : vCenter
objectSid                           : S-1-5-21-575725702-4057784316-641645133-1187
userAccountControl                  : ACCOUNTDISABLE, WORKSTATION_TRUST_ACCOUNT, TRUSTED_FOR_DELEGATION
AllowedToActOnBehalfOfOtherIdentity : SUB\SRV-TEST$

[*] +++++ Searching for Users with Constrained Delegation Rights +++++
[*] https://book.hacktricks.xyz/windows/active-directory-methodology/constrained-delegation
[!] User test has constrained delegation rights
[+] The account test is or was member of a high privileged protected group
[+] https://book.hacktricks.xyz/windows/active-directory-methodology/privileged-accounts-and-token-privileges#adminsdholder-group
Searching for Users with Constrained Delegation Rights - Details for User 'test':
sAMAccountName           : test
userPrincipalName        : test@sub.pen.local
distinguishedName        : CN=test,OU=test,OU=corp,DC=sub,DC=pen,DC=local
description              :
objectSid                : S-1-5-21-575725702-4057784316-641645133-2613
userAccountControl       : PASSWD_NOTREQD, NORMAL_ACCOUNT, DONT_REQ_PREAUTH
memberOf                 : CN=Testgroup,OU=test,OU=corp,DC=sub,DC=pen,DC=local
pwdLastSet               : 20.10.2020 13:48:35
lastLogonTimestamp       : 19.11.2020 16:43:36
msDS-AllowedToDelegateTo : HOST/PEN-SDC01.sub.pen.local/sub.pen.local
                           HOST/PEN-SDC01.sub.pen.local
                           HOST/PEN-SDC01
                           HOST/PEN-SDC01.sub.pen.local/SUB
                           HOST/PEN-SDC01/SUB

[*] +++++ Searching for Users with Resource-Based Constrained Delegation Rights +++++
[*] https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html
[!] User test1 has resource-based constrained delegation rights
Searching for Users with Resource-Based Constrained Delegation Rights - Details for User 'test1':
sAMAccountName                      : test1
userPrincipalName                   : test1@sub.pen.local
distinguishedName                   : CN=test1,OU=test,OU=corp,DC=sub,DC=pen,DC=local
description                         :
objectSid                           : S-1-5-21-575725702-4057784316-641645133-5165
userAccountControl                  : NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD, DONT_REQ_PREAUTH
memberOf                            :
pwdLastSet                          : 18.10.2020 17:45:20
lastLogonTimestamp                  : 02.12.2020 14:39:26
AllowedToActOnBehalfOfOtherIdentity : SUB\SRV-DB01$

[*] +++++ Starting Account Enumeration +++++
[*] +++++ Starting Domain User Enumeration +++++
[*] +++++ Searching for Searching for Azure AD Connect +++++
[*] https://www.synacktiv.com/en/publications/azure-ad-introduction-for-red-teamers.html
[+] Found Azure AD Connect user MSOL_31B43A257955
[*] https://www.hub.trimarcsecurity.com/post/securing-microsoft-azure-ad-connect
Searching for Azure AD Connect user - Details for User 'MSOL_31B43A257955':
sAMAccountName     : MSOL_31B43A257955
userPrincipalName  : MSOL_31B43A257955@sub.pen.local
distinguishedName  : CN=MSOL_31B43A257955,CN=Users,DC=sub,DC=pen,DC=local
description        : Account created by Microsoft Azure Active Directory Connect with installation
                     identifier 31B43A2579554f8affe815e99a07ab685 running on computer SRV-Azure
                     configured to synchronize to tenant penlab-test.onmicrosoft.com. This account must have
                     directory replication permissions in the local Active Directory and write permission
                     on certain attributes to enable Hybrid Deployment.
objectSid          : S-1-5-21-575725702-4057784316-641645133-36622
pwdLastSet         : 17.10.2021 13:25:01
lastLogonTimestamp : 17.10.2021 13:25:01
Running on Server  : SRV-Azure
Used for AzureAD   : penlab-test.onmicrosoft.com.

[*] +++++ Searching for Users in High Privileged Groups +++++
[*] https://book.hacktricks.xyz/windows/active-directory-methodology/privileged-accounts-and-token-privileges
Searching for Users in High Privileged Groups - Members of Group 'BUILTIN\Administrators':
GroupName          : Domain Admins
distinguishedName  : CN=Domain Admins,CN=Users,DC=sub,DC=pen,DC=local
description        :
objectSid          : S-1-5-21-575725702-4057784316-641645133-512
MemberDomain       : sub.pen.local

GroupName          : Enterprise Admins
distinguishedName  : CN=Enterprise Admins,CN=Users,DC=pen,DC=local
description        :
objectSid          : S-1-5-21-2219892162-3422002451-1011183393-519
MemberDomain       : pen.local

sAMAccountName     : superadmin
userPrincipalName  : superadmin@sub.pen.local
distinguishedName  : CN=Superadmin,CN=Users,DC=sub,DC=pen,DC=local
description        :
objectSid          : S-1-5-21-575725702-4057784316-641645133-3954
MemberDomain       : sub.pen.local
pwdLastSet         : 16.04.2020 11:28:31
lastLogonTimestamp : 16.04.2020 11:29:54
UserAccountControl : NORMAL_ACCOUNT

sAMAccountName     : Andend
userPrincipalName  : Alexander.Baumgartner@sub.pen.local
distinguishedName  : CN=Alexander Baumgartner,OU=germany,OU=users,OU=corp,DC=sub,DC=pen,DC=local
description        :
objectSid          : S-1-5-21-575725702-4057784316-641645133-2273
MemberDomain       : sub.pen.local
pwdLastSet         : 12.06.2019 13:18:33
lastLogonTimestamp : 14.04.2020 15:12:20
UserAccountControl : NORMAL_ACCOUNT

sAMAccountName     : Administrator
userPrincipalName  : Administrator@sub.pen.local
distinguishedName  : CN=Administrator,CN=Users,DC=sub,DC=pen,DC=local
description        : Built-in account for administering the computer/domain
objectSid          : S-1-5-21-575725702-4057784316-641645133-500
MemberDomain       : sub.pen.local
pwdLastSet         : 28.10.2019 10:37:49
lastLogonTimestamp : 30.12.2020 14:10:15
UserAccountControl : NORMAL_ACCOUNT

Searching for Users in High Privileged Groups - Members of Group 'SUB\Domain Admins':
sAMAccountName     : superadmin
userPrincipalName  : superadmin@sub.pen.local
distinguishedName  : CN=Superadmin,CN=Users,DC=sub,DC=pen,DC=local
description        :
objectSid          : S-1-5-21-575725702-4057784316-641645133-3954
MemberDomain       : sub.pen.local
pwdLastSet         : 16.04.2020 11:28:31
lastLogonTimestamp : 16.04.2020 11:29:54
UserAccountControl : NORMAL_ACCOUNT

sAMAccountName     : Administrator
userPrincipalName  : Administrator@sub.pen.local
distinguishedName  : CN=Administrator,CN=Users,DC=sub,DC=pen,DC=local
description        : Built-in account for administering the computer/domain
objectSid          : S-1-5-21-575725702-4057784316-641645133-500
MemberDomain       : sub.pen.local
pwdLastSet         : 28.10.2019 10:37:49
lastLogonTimestamp : 30.12.2020 14:10:15
UserAccountControl : NORMAL_ACCOUNT

sAMAccountName     : Andend
userPrincipalName  : Alexander.Baumgartner@sub.pen.local
distinguishedName  : CN=Alexander Baumgartner,OU=germany,OU=users,OU=corp,DC=sub,DC=pen,DC=local
description        :
objectSid          : S-1-5-21-575725702-4057784316-641645133-2273
MemberDomain       : sub.pen.local
pwdLastSet         : 12.06.2019 13:18:33
lastLogonTimestamp : 14.04.2020 15:12:20
UserAccountControl : NORMAL_ACCOUNT

Searching for Users in High Privileged Groups - Members of Group 'PEN\Enterprise Admins':
GroupName          : Domain Admins
distinguishedName  : CN=Domain Admins,CN=Users,DC=sub,DC=pen,DC=local
description        :
objectSid          : S-1-5-21-575725702-4057784316-641645133-512
MemberDomain       : sub.pen.local

sAMAccountName     : Administrator
userPrincipalName  :
distinguishedName  : CN=Administrator,CN=Users,DC=pen,DC=local
description        : Built-in
```
account for administering the computer/domain 655 | objectSid : S-1-5-21-2219892162-3422002451-1011183393-500 656 | MemberDomain : pen.local 657 | pwdLastSet : 12.06.2019 11:04:17 658 | lastLogonTimestamp : 30.12.2020 14:06:11 659 | UserAccountControl : NORMAL_ACCOUNT 660 | 661 | Searching for Users in High Privileged Groups - Members of Group 'SUB\Group Policy Creator Owners': 662 | sAMAccountName : Administrator 663 | userPrincipalName : Administrator@sub.pen.local 664 | distinguishedName : CN=Administrator,CN=Users,DC=sub,DC=pen,DC=local 665 | description : Built-in account for administering the computer/domain 666 | objectSid : S-1-5-21-575725702-4057784316-641645133-500 667 | MemberDomain : sub.pen.local 668 | pwdLastSet : 28.10.2019 10:37:49 669 | lastLogonTimestamp : 30.12.2020 14:10:15 670 | UserAccountControl : NORMAL_ACCOUNT 671 | 672 | Searching for Users in High Privileged Groups - Members of Group 'SUB\DnsAdmins': 673 | sAMAccountName : Andend 674 | userPrincipalName : Alexander.Baumgartner@sub.pen.local 675 | distinguishedName : CN=Alexander Baumgartner,OU=germany,OU=users,OU=corp,DC=sub,DC=pen,DC=local 676 | description : 677 | objectSid : S-1-5-21-575725702-4057784316-641645133-2273 678 | MemberDomain : sub.pen.local 679 | pwdLastSet : 12.06.2019 13:18:33 680 | lastLogonTimestamp : 14.04.2020 15:12:20 681 | UserAccountControl : NORMAL_ACCOUNT 682 | 683 | Searching for Users in High Privileged Groups - Members of Group 'BUILTIN\Account Operators': 684 | Searching for Users in High Privileged Groups - Members of Group 'BUILTIN\Server Operators': 685 | Searching for Users in High Privileged Groups - Members of Group 'BUILTIN\Print Operators': 686 | Searching for Users in High Privileged Groups - Members of Group 'BUILTIN\Backup Operators': 687 | sAMAccountName : Andend 688 | userPrincipalName : Alexander.Baumgartner@sub.pen.local 689 | distinguishedName : CN=Alexander Baumgartner,OU=germany,OU=users,OU=corp,DC=sub,DC=pen,DC=local 690 | description : 
691 | objectSid : S-1-5-21-575725702-4057784316-641645133-2273 692 | MemberDomain : sub.pen.local 693 | pwdLastSet : 12.06.2019 13:18:33 694 | lastLogonTimestamp : 14.04.2020 15:12:20 695 | UserAccountControl : NORMAL_ACCOUNT 696 | 697 | Searching for Users in High Privileged Groups - Members of Group 'BUILTIN\Hyper-V Administrators': 698 | Searching for Users in High Privileged Groups - Members of Group 'BUILTIN\Access Control Assistance Operators': 699 | Searching for Users in High Privileged Groups - Members of Group 'SUB\Cert Publishers': 700 | sAMAccountName : Andend 701 | userPrincipalName : Alexander.Baumgartner@sub.pen.local 702 | distinguishedName : CN=Alexander Baumgartner,OU=germany,OU=users,OU=corp,DC=sub,DC=pen,DC=local 703 | description : 704 | objectSid : S-1-5-21-575725702-4057784316-641645133-2273 705 | MemberDomain : sub.pen.local 706 | pwdLastSet : 12.06.2019 13:18:33 707 | lastLogonTimestamp : 14.04.2020 15:12:20 708 | UserAccountControl : NORMAL_ACCOUNT 709 | 710 | [*] +++++ Searching for High Privileged Users where the Password does not expire +++++ 711 | [*] https://ldapwiki.com/wiki/DONT_EXPIRE_PASSWORD 712 | [!] 
The password of account Andend does not expire 713 | [+] The account Andend is or was member of a high privileged protected group 714 | [*] https://book.hacktricks.xyz/windows/active-directory-methodology/privileged-accounts-and-token-privileges#adminsdholder-group 715 | Searching for High Privileged Users where the Password does not expire - Details for User 'Andend': 716 | sAMAccountName : Andend 717 | userPrincipalName : Alexander.Baumgartner@sub.pen.local 718 | distinguishedName : CN=Alexander Baumgartner,OU=germany,OU=users,OU=corp,DC=sub,DC=pen,DC=local 719 | description : 720 | objectSid : S-1-5-21-575725702-4057784316-641645133-2273 721 | userAccountControl : NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD 722 | memberOf : CN=Domain Admins,CN=Users,DC=sub,DC=pen,DC=local 723 | pwdLastSet : 12.06.2019 13:18:33 724 | lastLogonTimestamp : 14.04.2020 15:12:20 725 | 726 | [*] +++++ Searching for High Privileged Users which may not require a Password +++++ 727 | [*] https://ldapwiki.com/wiki/PASSWD_NOTREQD 728 | [!] 
The user test does not require to have a password 729 | [+] The account test is or was member of a high privileged protected group 730 | [*] https://book.hacktricks.xyz/windows/active-directory-methodology/privileged-accounts-and-token-privileges#adminsdholder-group 731 | Searching for High Privileged Users which may not require a Password - Details for User 'test': 732 | sAMAccountName : test 733 | userPrincipalName : test@sub.pen.local 734 | distinguishedName : CN=test,OU=test,OU=corp,DC=sub,DC=pen,DC=local 735 | description : 736 | objectSid : S-1-5-21-2861873120-3432765274-1178769123-2613 737 | userAccountControl : PASSWD_NOTREQD, NORMAL_ACCOUNT, DONT_REQ_PREAUTH 738 | memberOf : S-1-5-21-575725702-4057784316-641645133-2613 739 | pwdLastSet : 20.10.2020 13:48:35 740 | lastLogonTimestamp : 19.11.2020 16:43:36 741 | 742 | [*] +++++ Starting Computer Enumeration +++++ 743 | [*] +++++ Searching Domain Controllers +++++ 744 | Searching for Domain Controllers - Details for Computer 'PEN-SDC01$': 745 | sAMAccountName : PEN-SDC01$ 746 | dNSHostName : PEN-SDC01.sub.pen.local 747 | distinguishedName : CN=PEN-SDC01,OU=Domain Controllers,DC=sub,DC=pen,DC=local 748 | IPv4Address : 192.168.46.20 749 | operatingSystem : Windows Server 2012 R2 Datacenter 750 | description : 751 | objectSid : S-1-5-21-575725702-4057784316-641645133-1001 752 | userAccountControl : SERVER_TRUST_ACCOUNT, TRUSTED_FOR_DELEGATION 753 | 754 | [*] +++++ Searching for Exchange Servers +++++ 755 | Searching for Exchange Servers - Details for Exchange Server PEN-SEXCH$: 756 | sAMAccountName : PEN-SEXCH$ 757 | dNSHostName : PEN-SEXCH.sub.pen.local 758 | distinguishedName : CN=PEN-SEXCH,OU=servers,OU=corp,DC=sub,DC=pen,DC=local 759 | IPv4Address : 192.168.46.22 760 | operatingSystem : Windows Server 2016 Datacenter 761 | description : 762 | objectSid : S-1-5-21-575725702-4057784316-641645133-1106 763 | userAccountControl : WORKSTATION_TRUST_ACCOUNT, TRUSTED_FOR_DELEGATION 764 | 765 | [*] +++++ Searching for 
Enterprise CA Servers +++++ 766 | Searching for Computers with Constrained Delegation Rights - Details for Computer 'PEN-SCA$': 767 | sAMAccountName : PEN-SCA$ 768 | dNSHostName : PEN-SCA.sub.pen.local 769 | distinguishedName : CN=PEN-SCA,OU=servers,OU=corp,DC=sub,DC=pen,DC=local 770 | IPv4Address : 192.168.46.23 771 | operatingSystem : Windows Server 2019 Datacenter 772 | description : 773 | objectSid : S-1-5-21-575725702-4057784316-641645133-1104 774 | userAccountControl : WORKSTATION_TRUST_ACCOUNT, TRUSTED_TO_AUTH_FOR_DELEGATION 775 | 776 | [*] +++++ Starting BloodHound Enumeration +++++ 777 | ---------------------------------------------- 778 | Initializing SharpHound at 14:16 on 30.07.2021 779 | ---------------------------------------------- 780 | 781 | Resolved Collection Methods: Group, Trusts, ACL, ObjectProps, Container, GPOLocalGroup, DCOnly 782 | 783 | [+] Creating Schema map for domain SUB.PEN.LOCAL using path CN=Schema,CN=Configuration,DC=SUB,DC=PEN,DC=LOCAL 784 | 785 | 786 | PS > [+] Cache File Found! Loaded 143 Objects in cache 787 | 788 | [+] Pre-populating Domain Controller SIDS 789 | Status: 0 objects finished (+0) -- Using 146 MB RAM 790 | Status: 2906 objects finished (+2906 484,3333)/s -- Using 164 MB RAM 791 | Enumeration finished in 00:00:06.0289570 792 | Compressing data to 20210730141650_sub.pen.local_Bloodhound.zip 793 | You can upload this file directly to the UI 794 | 795 | SharpHound Enumeration Completed at 14:16 on 30.07.2021! Happy Graphing! 796 | ``` 797 | 798 | ## Special thanks go to... 
* Will Schroeder @harmjoy, for his great PowerView
* Dirk-jan @_dirkjan, for his great AD and Windows research
* SpecterOps, for their fantastic BloodHound
* BC-Security, for their great ongoing work with Empire
* Vincent LE TOUX @vletoux, for his vulnerability detection PoC's
* Joaquim Nogueira @lkys37en, for his idea to build a simple AD enumeration tool
* Christoph Falta @cfalta, for his inspiring work on PoshADCS
* and all the people who inspired me on my journey...
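The sample run above produces one `[!]` line per finding, an optional `[+] ... protected group` note, and a `key : value` detail block. As an added example that is not part of adPEAS, the Python below parses that output into findings and lists the protected accounts whose userAccountControl carries the flags the run reports (PASSWD_NOTREQD, DONT_REQ_PREAUTH, DONT_EXPIRE_PASSWORD), so a defender can triage a saved run; the line format, the `SAMPLE` excerpt and the `RISKY_UAC` set are assumptions modelled on the output above.

```python
import re

# Constructed excerpt modelled on the adPEAS sample output (not a real run).
SAMPLE = """\
[*] +++++ Searching for High Privileged Users which may not require a Password +++++
[!] The user test does not require to have a password
[+] The account test is or was member of a high privileged protected group
Searching for High Privileged Users which may not require a Password - Details for User 'test':
sAMAccountName           : test
userAccountControl       : PASSWD_NOTREQD, NORMAL_ACCOUNT, DONT_REQ_PREAUTH
msDS-AllowedToDelegateTo : HOST/PEN-SDC01.sub.pen.local/sub.pen.local
                           HOST/PEN-SDC01.sub.pen.local

[!] The password of account Andend does not expire
[+] The account Andend is or was member of a high privileged protected group
sAMAccountName           : Andend
userAccountControl       : NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD
"""

ATTR = re.compile(r"^([A-Za-z][\w -]*?)\s*:\s?(.*)$")  # "key : value" detail lines
RISKY_UAC = {"PASSWD_NOTREQD", "DONT_REQ_PREAUTH", "DONT_EXPIRE_PASSWORD"}  # assumed set

def parse_adpeas(text):
    """One dict per "[!]" line: message, protected-group note seen, detail attributes."""
    findings, cur, key = [], None, None
    for line in text.splitlines():
        if line.startswith("[!] "):
            cur, key = {"message": line[4:].strip(), "protected": False, "attrs": {}}, None
            findings.append(cur)
        elif cur is None or line.startswith("[*] +++++"):
            cur = None                      # a new module header ends the finding
        elif line.startswith("[+] "):
            cur["protected"] |= "protected group" in line
        elif (m := ATTR.match(line)):
            key = m.group(1)
            cur["attrs"][key] = m.group(2).strip()
        elif key and line.startswith(" ") and line.strip():
            cur["attrs"][key] += "\n" + line.strip()   # continued multi-valued attribute
        else:
            key = None                      # blank or header line ends the attribute
    return findings

def triage(findings):
    """(account, risky UAC flags) for protected accounts, most flags first."""
    rows = []
    for f in findings:
        flags = {x.strip() for x in f["attrs"].get("userAccountControl", "").split(",")}
        if f["protected"] and flags & RISKY_UAC and "sAMAccountName" in f["attrs"]:
            rows.append((f["attrs"]["sAMAccountName"], sorted(flags & RISKY_UAC)))
    return sorted(rows, key=lambda r: -len(r[1]))
```

Run `triage(parse_adpeas(open("adpeas.txt").read()))` on a saved run to get the same ranking for a real domain.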