In part three of the AD attack lab series, we will learn how to use BloodHound and PowerView to enumerate the domain once you have gained a foothold on the network. If you haven’t got the lab environment set up yet, go to Part One and Part Two to get the AD lab set up.

PowerView

Note: I used the old version of PowerView because some flags do not work properly in the newer version of PowerView.

powershell -ep bypass

Load the PowerView module into the current PowerShell session:

. .\PowerView.ps1

Now, let’s examine some basic flags and see how we can leverage them to enumerate the entire domain.

Get-NetDomain

“Get-NetDomain” shows basic information about the domain, including the forest name, the domain controllers, and the domain owner.

Get-NetDomainController

“Get-NetDomainController” shows the properties of the domain controller, including its IP address, OS version, host name, and other attributes.

Get-DomainPolicy

“Get-DomainPolicy” lists all the domain policies. One interesting property here is “SystemAccess”: you can see that the minimum password length is only 7, which makes password cracking relatively easy.

(Get-DomainPolicy)."SystemAccess"

We can also narrow down and look for each property individually.

Get-NetUser

The “Get-NetUser” command lists all the users in the domain along with their properties. One interesting user we find here is “SQL Service”, whose description field contains the account password in plaintext.

Get-NetUser | select cn
Get-NetUser | select samaccountname
Get-NetUser | select description

We can use “select” to grab the specific property that we are interested in. The “select” is similar to “grep” in Linux.
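The two findings above (a 7-character minimum password length and a plaintext password in a description field) are exactly what a defender should audit for. The following is an added example, not from the original post, that uses the Microsoft ActiveDirectory (RSAT) module rather than PowerView to flag both; the 14-character threshold and the keyword pattern are assumptions to tune for your environment.

```powershell
# Added example (not from the original post): audit the domain for the two
# weaknesses the enumeration above revealed. Requires the RSAT ActiveDirectory
# module and a domain-joined account that can read the directory.
Import-Module ActiveDirectory

function Test-DomainPasswordHygiene {
    param(
        [int]$MinLength = 14,                           # assumed threshold
        [string]$Pattern = 'pass(word|wd)?|pwd|cred'    # assumed keyword list
    )
    $findings = @()

    # 1. Domain password policy (the "SystemAccess" block seen in Get-DomainPolicy).
    $policy = Get-ADDefaultDomainPasswordPolicy
    if ($policy.MinPasswordLength -lt $MinLength) {
        $findings += [pscustomobject]@{
            Check   = 'MinPasswordLength'
            Subject = $policy.DistinguishedName
            Detail  = "is $($policy.MinPasswordLength), expected at least $MinLength"
        }
    }
    if (-not $policy.ComplexityEnabled) {
        $findings += [pscustomobject]@{
            Check   = 'ComplexityEnabled'
            Subject = $policy.DistinguishedName
            Detail  = 'password complexity is disabled'
        }
    }

    # 2. Secrets left in the Description attribute (the "SQL Service" finding).
    #    Description is readable by every authenticated user, so a password
    #    stored there is effectively public inside the domain.
    $users = Get-ADUser -Filter * -Properties Description
    foreach ($u in $users) {
        if ($u.Description -match $Pattern) {
            $findings += [pscustomobject]@{
                Check   = 'DescriptionContainsSecret'
                Subject = $u.SamAccountName
                Detail  = $u.Description
            }
        }
    }
    return $findings
}

# Run the audit and print the findings as a table.
Test-DomainPasswordHygiene | Format-Table -AutoSize
```

Any “DescriptionContainsSecret” hit should be followed by a password reset for that account, not just by clearing the description field.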

Get-UserProperty
Get-UserProperty -Properties pwdlastset
Get-UserProperty -Properties badpwdcount

The “Get-UserProperty” command lists all of the users’ properties. We can use the “-Properties” flag to show one property at a time.

Get-NetComputer
Get-NetComputer -FullData | select operatingsystem

These show all the computers in the domain along with their properties.

Get-NetGroup -GroupName "Domain Admins"
Get-NetGroupMember -GroupName "Domain Admins"

These show the group names and the group members.

Invoke-ShareFinder

This finds all the shares in the domain. We can see the “Documents” and “Share” folders we created earlier listed here.

Get-NetGPO
Get-NetGPO | select displayname, whenchanged

This shows the Group Policy Objects in the domain; “select” narrows the output down to the properties we are interested in. We can see the “Disable Windows Defender” policy we set earlier listed here.

You can find more useful commands for PowerView here.

BloodHound

The BloodHound installation process is pretty straightforward.

Update your Kali APT repo:

sudo apt-get update

Install BloodHound via “apt-get”:

sudo apt-get install bloodhound

Set up Neo4j once the installation has finished:

sudo neo4j console

Now run BloodHound:

sudo bloodhound

Now head over to one of your Windows 10 clients and download the “SharpHound Data Ingestor” here. Import the PowerShell module, then generate the zip file that contains the collected domain data.

. .\SharpHound.ps1
Invoke-BloodHound -CollectionMethod All -Domain kudos.local -ZipFilename file.zip

Move the zip file to the Kali machine and upload it to the BloodHound application.

We can see that the data has been uploaded successfully.

Looking through the built-in queries, we see that BloodHound can show us the shortest path to Domain Admins, the shortest path to high-value targets, the shortest path to Kerberoastable users, and so on. I highly recommend checking out all the queries listed here to get a feel for what they can do for you :)

In this post, we learned how to use PowerView and BloodHound to do some basic enumeration of the domain. In the following posts, I will continue to discuss other ways to enumerate and attack the AD environment. Thank you for reading :)