Domain Enumeration

BloodHound

BloodHound is an Active Directory reconaisssance tool that can reveal a significant amount of information such as hidden relationships, trusts, and attack paths.

Running a Collector

SharpHound is what we define as a 'collector'. Essentially, we need to run SharpHound and then import the data/files generated into BloodHound to view and analyze.

# Running the precompiled binary on a domain joined Windows system
SharpHound.exe 

# Specify domain within SharpHound
SharpHound.exe -d $domain

# Collection method all
SharpHound.exe --CollectionMethod All --ZipFileName output.zip

# Python collector
## https://github.com/fox-it/BloodHound.py
bloodhound.py -d $domain -v --zip -c All -dc $dcfqdn -ns $dcip

Queries

# Identify Users with an SPN Set:
MATCH (u:User {hasspn:true}) RETURN u

# Identify computers with unconstrained delegation enabled:
MATCH (c:Computer {unconstraineddelegation:true}) RETURN c

# Identify computers with constrained delegation configured:
MATCH (c:Computer), (t:Computer), p=((c)-[:AllowedToDelegate]->(t)) RETURN p

# Identify computers with LAPS enabled:
MATCH (c:Computer {haslaps: true}) RETURN c

PowerView

PowerView, while a little dated now is still a reliable tool to perform domain reconaissance with. It should be noted that high privileges are not required to run PowerView and that performing domain reconaissance with a standard authenticated user account is sufficient.

# Import PowerView.ps1 
. .\PowerView.ps1

# Return basic information about the domain and domain controllers
Get-Domain

# Return all domain users
Get-DomainUser -Properties DisplayName, MemberOf | fl

# Return all domain computers
Get-DomainComputer -Properties DnsHostName | sort -Property DnsHostName

# Return all domain trusts
Get-DomainTrust