Discovering Active Directory Controllers in your Client Network
Linux commands to add to your methodology to discover AD DCs.
After initially accessing an internal network during a penetration test, you need to find out what the Active Directory (AD) infrastructure looks like. Here, we’re going to examine methods for this process from both Windows and Linux, so you have an approach in your back pocket that fits your needs.
It’s easiest to take a look at AD infrastructure via Linux. The first step is to find your internal domain names. If you want to remain stealthy, this can be completed using packet capture analysis.
```bash
tcpdump -i $IFACE -w $DATE-capture.pcap port not 22 and host $YOURIP
```
Issue the command above, then analyze the resulting pcap for any FQDN. Look out for:
- Computer host names
- LDAP/LDAPS communication
- DHCP broadcasts
For demonstration purposes, let's assume you discovered the domain name `acme.local`.
Once you’ve discovered a domain name, you can use the following methods to enumerate information about AD infrastructure. In most cases, we recommend using `nmap` to complete this task.
```bash
nmap --script dns-srv-enum --script-args "dns-srv-enum.domain='acme.local'"
```
The command output should look similar – if not identical – to the following:
```
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-07 18:45 CST
Pre-scan script results:
| dns-srv-enum:
|   Kerberos KDC Service
|     service  prio  weight  host
|     88/tcp   0     100     acdc1.acme.local
|     88/tcp   0     100     acsc2.acme.local
|   Kerberos Password Change Service
|     service  prio  weight  host
|     464/tcp  0     100     acdc1.acme.local
|     464/tcp  0     100     acsc2.acme.local
|   LDAP
|     service  prio  weight  host
|     389/tcp  0     100     acdc1.acme.local
|     389/tcp  0     100     acsc2.acme.local
```
There we go; it’s that simple. You now know where your domain controllers are. Now, you can follow up with further enumeration for more intrusive attacks.
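The same SRV lookups that `dns-srv-enum` performs, grouped into a domain-controller inventory and checked against a known-DC list, as an added example that is not code from the original post. The resolver is injected (a real one can wrap dnspython's `dns.resolver.resolve(name, "SRV")`), and the sample zone, host names and known-DC list are constructed to mirror the nmap output above.

```python
"""Added example (not the original post's code): group the AD SRV records that
nmap's dns-srv-enum walks above into a DC inventory. The resolver is injected
so this runs offline on constructed answers; a real one can wrap dnspython's
dns.resolver.resolve(name, "SRV")."""
from collections import defaultdict
from typing import Callable, Dict, Iterable, List, Tuple

SrvAnswer = Tuple[int, int, int, str]  # (priority, weight, port, target)
Resolver = Callable[[str], Iterable[SrvAnswer]]
AD_SRV_NAMES = {  # service label -> SRV owner name template
    "kerberos": "_kerberos._tcp.{d}",
    "kpasswd": "_kpasswd._tcp.{d}",
    "ldap": "_ldap._tcp.{d}",
    "ldap-dc": "_ldap._tcp.dc._msdcs.{d}",  # registered by domain controllers
}

def srv_names(domain: str) -> Dict[str, str]:
    """Map each service label to its fully qualified SRV name for `domain`."""
    d = domain.strip().rstrip(".").lower()
    return {svc: tmpl.format(d=d) for svc, tmpl in AD_SRV_NAMES.items()}

def discover_dcs(domain: str, resolve: Resolver) -> Dict[str, Dict[str, int]]:
    """Resolve every SRV name and group answers as {host: {service: port}}.
    Targets are lowercased with the trailing dot stripped, so one DC reached
    through several records collapses into a single entry."""
    inventory: Dict[str, Dict[str, int]] = defaultdict(dict)
    for svc, name in srv_names(domain).items():
        for _prio, _weight, port, target in resolve(name):
            inventory[target.rstrip(".").lower()][svc] = port
    return dict(inventory)

def unexpected_dcs(inventory: Dict[str, Dict[str, int]], known: Iterable[str]) -> List[str]:
    """Hosts advertising DC services that are missing from the known-DC list."""
    known_set = {h.rstrip(".").lower() for h in known}
    return sorted(h for h in inventory if h not in known_set)

# Constructed sample zone mirroring the two hosts in the nmap output above.
SAMPLE_ZONE: Dict[str, List[SrvAnswer]] = {
    "_kerberos._tcp.acme.local": [(0, 100, 88, "acdc1.acme.local."), (0, 100, 88, "acsc2.acme.local.")],
    "_kpasswd._tcp.acme.local": [(0, 100, 464, "acdc1.acme.local."), (0, 100, 464, "acsc2.acme.local.")],
    "_ldap._tcp.acme.local": [(0, 100, 389, "ACDC1.acme.local."), (0, 100, 389, "acsc2.acme.local.")],
    "_ldap._tcp.dc._msdcs.acme.local": [(0, 100, 389, "acdc1.acme.local."), (0, 100, 389, "acsc2.acme.local.")],
}

def sample_resolver(name: str) -> List[SrvAnswer]:
    """Offline stand-in for DNS; unknown names return no answers."""
    return SAMPLE_ZONE.get(name, [])

if __name__ == "__main__":
    inv = discover_dcs("acme.local", sample_resolver)
    print(inv, unexpected_dcs(inv, ["acdc1.acme.local"]))
```

On the defensive side the same inventory, re-run on a schedule against the real resolver, flags any host that starts advertising DC records without appearing in the known-DC list.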
Let's say you landed on a Windows host because your phishing email finally got through. Discovering information about your domain is incredibly simple:
```cmd
set L
rem or
echo %logonserver%
```

## TL;DR

Linux AD Controller Discovery:

```bash
tcpdump -i $IFACE -w $DATE-capture.pcap port not 22 and host $YOURIP
# identify local/internal domain from pcaps then use in the following command:
nmap --script dns-srv-enum --script-args "dns-srv-enum.domain='acme.local'"
```

Windows AD Controller Discovery:

```cmd
set L
rem or
echo %logonserver%
```