This is part two in our series that takes a look at Active Director reconnoissance with a free tool called AD Explorer, and is interesting because we can do so having only obtained basic user credentials for any user account on the AD domain we’re targeting. If you missed part one, go back and have a read through that to get up to speed before diving in to this second part.
Exfiltrating a Backup for Offline Analysis
If we don’t want to stay connected to the network when we’re digging through the entirety of Active Directory, which can get very large in corporate environments, we can easily export a copy of everything so we can open it up offline in AD Explorer later. It’s as easy as highlighting the domain, choosing File > Create Snapshot, specifying a location to place the snapshot file, and clicking Ok.
Once we have the backup file, we can easily load it in to another instance of AD Explorer by clicking on File > Connect and then instead of choosing an actual domain controller to log in to, we would instead click the radio button that says “Enter the path of a previous snapshot to load.”
I ran Task Manager on the server as I performed a snapshot, and although AD in this test environment is very small, there was only a small blip on the CPU. In larger environments we may consider lowering the maximum server utilization option to 50% or even 25% to avoid drawing unwanted attention to our actions.
Searching the Description Field
In Part 1 of this series we were able to find a couple of user accounts with interesting notes placed in the Description field. We also learned that the Description field is a common place for network admins to write notes to themselves or others about specific accounts. I’ve seen this in every Active Directory I’ve ever looked at. Typically the network administrators assume that since they need an administrative tool like Active Directory Users and Computers to access AD, users wouldn’t be able to read their notes. We learned that with AD Explorer and any domain user account, this isn’t the case.
Last time we stumbled upon some interesting notes, but what if we’re in a time crunch to find information quickly and the AD is very large. AD Explorer provides a Search function that lets us search any field attribute for any object in AD. This is a nice way to search quickly through the Description field of all object for key words like password or expire. We could also search for phrases like CEO, CIO, president, administrator, service, vendor, etc. You get the idea.
Searching is simple. Just highlight the domain in the tree, then go to Search > Search Container. Here we’re searching the Description field, so we’ll type description in the Attribute option box (this box will auto-fill for us and present a list of all options available, feel free to play around). We’ll then change Relation from the default of is to contains, and we’ll type password in the Value field. We’ll then click the Add button to add it to the list of search criteria and click Search.
Here we can see that our Backup Service account and Amy Kim CEO account show up, and their notes are displayed – both of which reference password information. Searches like this can be very helpful in lieu of manually digging through thousands of AD objects manually.
Identifying Groups or Users with Administrative Access
In the previous article we looked at how to check the membership of a group, namely Domain Admins, to see which user accounts were members of that group. What if we wanted to take it a step higher? At the top of the hierarchy in Active Directory permissions is the built-in Administrators group. Domain Admins and Enterprise Admins groups, as well as the default Administrator account are part of this group by default, however, it’s typical for other groups to be created and placed in to this Administrators group – namely for backup or service accounts.
By default, this group is located under the root of the AD domain, and under the Builtin OU. The member attribute for this object lists the entire contents of its members. Double-clicking on that object brings up an easier to read list of accounts and groups, and provides their location within the AD hierarchy. This makes it easy to know where to find those objects so that they can be highlighted and their own attributes analyzed further for potentially compromising information.
Searching for Passwords (Outside the Description Field)
As we saw earlier, the Description field is a good place to find information about passwords, and sometimes even passwords themselves.
There are, however, some other locations where passwords reside. There are some key attributes that should be searched whenever hunting for passwords, and they are:
- userPassword
- unicodePwd
- unixUserPassword
From within the Search Container dialog, set any of these as the attribute, change the Relation option from the default of is to not empty, click Add to add them to the search criteria, and click Search.
These fields could possibly contain plain text passwords, password hashes, or even passwords whose characters are obfuscated to octal, hexadecimal, or decimal equivalents of ASCII. On a Linux or macOS machine, typing man ascii in a terminal should allow us to decipher the obfuscated passwords fairly quickly. For password hashes, a tool like hashcat and a powerful GPU are our best friends.
Conclusion
I hope you found this second part (along with part one) in this series helpful. AD Explorer is a fairly powerful tool that can be very helpful in finding a vector for privilege escalation, identification of machines that may be running services that are open to attack (Exchange servers, SQL servers, etc. which are usually named fairly obvious things like exch01 or sql01 respectively), identification of machines that are owned by privileged users, identification of user accounts with high levels of access, etc. I’m sure there’s a lot more than can be done with AD Explorer that I haven’t listed, so if you know of an interesting trick, please comment below.