https://github.com/61106960/adPEAS
adPEAS is a Powershell tool to automate Active Directory enumeration. In fact, adPEAS is like a wrapper for different other cool projects like:
As said, adPEAS is a wrapper for other tools. They are almost all written in pure Powershell but some of them are included as compressed binary blob or C# code.
adPEAS-Light is a version without Bloodhound and vulnerability checks and it is more likely that it will not blocked by an AV solution.
[*] +++++ Starting adPEAS Version 0.7.9 +++++
adPEAS version 0.7.9
[*] +++++ Starting Enumeration +++++
[*] +++++ Searching for Domain Information +++++
[*] +++++ Checking Domain +++++
Checking Domain - Details for Domain 'sub.pen.local':
Domain Name : sub.pen.local
Domain SID : S-1-5-21-575725702-4057784316-641645133
Forest Name : pen.local
Root Domain Name : pen.local
Root Domain SID : S-1-5-21-2219892162-3422002451-1011183393
Forest Children : No Subdomain[s] available
Domain Controller : PEN-SDC01.sub.pen.local
[*] +++++ Checking Password and Kerberos Policy +++++
Checking Password Policy - Details for Domain 'sub.pen.local':
[!] Password of accounts are stored with reversible encryption
[+] https://adsecurity.org/?p=2053
Minimum Password Age : Disabled
Maximum Password Age : Disabled
Minimum Password Length : 7 character
Password Complexity : Disabled
Lockout Account : Disabled
Reversible Encryption : Enabled
Checking Kerberos Policy - Details for Domain 'sub.pen.local':
Maximum Age of TGT : 10 hours
Maximum Age of TGS : 600 minutes
Maximum Clock Time Difference : 5 minutes
Krbtgt Password Last Set : 29.04.2019 10:05:59
[*] +++++ Checking Domain Controller, Sites and Subnets +++++
Checking Domain Controller - Details for Domain 'sub.pen.local':
DC Host Name : PEN-SDC01.sub.pen.local
DC IP Address : 192.168.46.10
Site Name : Germany
Domain : sub.pen.local
Checking Sites and Subnets - Details for Domain 'sub.pen.local':
IP Subnet : 192.168.46.0/25
Site Name : Germany
[*] +++++ Checking Forest and Domain Trusts +++++
Checking Domain Trusts - Details for Domain 'sub.pen.local':
Target Domain Name : pen.local
Target Domain SID : S-1-5-21-2219892162-3422002451-1011183393
Flags : IN_FOREST, DIRECT_OUTBOUND, TREE_ROOT, DIRECT_INBOUND
TrustAttributes : WITHIN_FOREST
[*] +++++ Checking DCSync Rights +++++
[*] https://book.hacktricks.xyz/windows/active-directory-methodology/dcsync
Checking DCSync Rights - Details for Domain 'sub.pen.local':
ActiveDirectoryRight : DS-Replication-Get-Changes
ActiveDirectoryRight : DS-Replication-Get-Changes-All
Identity : SUB\superadmin
distinguishedName : CN=Superadmin,CN=Users,DC=sub,DC=pen,DC=local
ObjectSID : S-1-5-21-575725702-4057784316-641645133-3954
ActiveDirectoryRight : DS-Replication-Get-Changes
Identity : SUB\superadmin
distinguishedName : CN=Superadmin,CN=Users,DC=sub,DC=pen,DC=local
ObjectSID : S-1-5-21-575725702-4057784316-641645133-3954
[*] +++++ Checking GenericAll Rights +++++
[*] https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-acls-aces
Checking GenericAll Rights - Details for Domain 'sub.pen.local':
ActiveDirectoryRight : GenericAll
Identity : SUB\Andend
distinguishedName : CN=Alexander Baumgartner,OU=germany,OU=users,OU=corp,DC=sub,DC=pen,DC=local
ObjectSID : S-1-5-21-575725702-4057784316-641645133-2273
ActiveDirectoryRight : GenericAll
Identity : PEN\Exchange Trusted Subsystem
distinguishedName : CN=Exchange Trusted Subsystem,OU=Microsoft Exchange Security Groups,DC=pen,DC=local
ObjectSID : S-1-5-21-2219892162-3422002451-1011183393-1118
ActiveDirectoryRight : GenericAll
Identity : PEN\Exchange Trusted Subsystem
distinguishedName : CN=Exchange Trusted Subsystem,OU=Microsoft Exchange Security Groups,DC=pen,DC=local
ObjectSID : S-1-5-21-2219892162-3422002451-1011183393-1118
ActiveDirectoryRight : GenericAll
Identity : PEN\Organization Management
distinguishedName : CN=Organization Management,OU=Microsoft Exchange Security Groups,DC=pen,DC=local
ObjectSID : S-1-5-21-2219892162-3422002451-1011183393-1105
ActiveDirectoryRight : GenericAll
Identity : PEN\Exchange Trusted Subsystem
distinguishedName : CN=Exchange Trusted Subsystem,OU=Microsoft Exchange Security Groups,DC=pen,DC=local
ObjectSID : S-1-5-21-2219892162-3422002451-1011183393-1118
[*] +++++ Searching for Certificate Authority Information +++++
[*] +++++ Searching for Enterprise CA +++++
[*] https://posts.specterops.io/certified-pre-owned-d95910965cd2
Searching for Certificate Authority - Details for 'PEN-IssuingCA01':
CA Name : PEN-IssuingCA01
CA dnshostname : PEN-SCA.sub.pen.local
CA IP Address : 192.168.46.23
Date of Creation : 29.07.2020 21:05:02
DistinguishedName : CN=PEN-IssuingCA01,CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=sub,DC=pen,DC=local
Templates : Wildcard-Smartcard-User
Wildcard-User
Webserver
DirectoryEmailReplication
DomainControllerAuthentication
DomainController
Machine
Administrator
NTAuthCertificates : True
[*] +++++ Searching for Vulnerable Certificate Templates +++++
[*] adPEAS does basic enumeration only, consider using https://github.com/GhostPack/PSPKIAudit
[*] For any vulnerabilities present, consider using https://github.com/GhostPack/Certify
[*] +++++ Checking Template 'Wildcard-Smartcard-User' +++++
[!] 'Authenticated Users' have 'GenericAll' permissions on Template 'Wildcard-Smartcard-User'
Checking Certificate Template - Details for Template 'Wildcard-Smartcard-User':
Template Name : Wildcard-Smartcard-User
Template distinguishedname : CN=Wildcard-Smartcard-User,CN=Certificate Templates,CN=Public Key
Services,CN=Services,CN=Configuration,DC=sub,DC=pen,DC=local
Date of Creation : 15.08.2020 14:15:13
CertificateNameFlag : ENROLLEE_SUPPLIES_SUBJECT
OLD_CERT_SUPPLIES_SUBJECT_AND_ALT_NAME
ENROLLEE_SUPPLIES_SUBJECT_ALT_NAME
SUBJECT_ALT_REQUIRE_DOMAIN_DNS
SUBJECT_ALT_REQUIRE_DIRECTORY_GUID
SUBJECT_ALT_REQUIRE_UPN
SUBJECT_ALT_REQUIRE_EMAIL
SUBJECT_ALT_REQUIRE_DNS
SUBJECT_REQUIRE_DNS_AS_CN
SUBJECT_REQUIRE_EMAIL
SUBJECT_REQUIRE_COMMON_NAME
SUBJECT_REQUIRE_DIRECTORY_PATH
EnrollmentFlag : CT_FLAG_INCLUDE_SYMMETRIC_ALGORITHMS
CT_FLAG_PUBLISH_TO_DS
CT_FLAG_AUTO_ENROLLMENT
CT_FLAG_USER_INTERACTION_REQUIRED
Private Key Exportable : True
Authenticated Users : GenericAll
[*] +++++ Checking Template 'Wildcard-User' +++++
[!] 'Authenticated Users' have 'ReadProperty, WriteProperty, GenericExecute, WriteDacl, WriteOwner' permissions on Template 'Wildcard-User'
Checking Certificate Template - Details for Template 'Wildcard-User':
Template Name : Wildcard-User
Template distinguishedname : CN=Wildcard-User,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=sub,DC=pen,DC=local
Date of Creation : 15.08.2020 14:06:08
CertificateNameFlag : ENROLLEE_SUPPLIES_SUBJECT
OLD_CERT_SUPPLIES_SUBJECT_AND_ALT_NAME
ENROLLEE_SUPPLIES_SUBJECT_ALT_NAME
SUBJECT_ALT_REQUIRE_DOMAIN_DNS
SUBJECT_ALT_REQUIRE_DIRECTORY_GUID
SUBJECT_ALT_REQUIRE_UPN
SUBJECT_ALT_REQUIRE_EMAIL
SUBJECT_ALT_REQUIRE_DNS
SUBJECT_REQUIRE_DNS_AS_CN
SUBJECT_REQUIRE_EMAIL
SUBJECT_REQUIRE_COMMON_NAME
SUBJECT_REQUIRE_DIRECTORY_PATH
EnrollmentFlag : CT_FLAG_INCLUDE_SYMMETRIC_ALGORITHMS
CT_FLAG_AUTO_ENROLLMENT
CT_FLAG_USER_INTERACTION_REQUIRED
Private Key Exportable : True
Authenticated Users : ReadProperty, WriteProperty, GenericExecute, WriteDacl, WriteOwner
[*] +++++ Checking Template 'Machine' +++++
[+] 'SUB\Domänencomputer' has Enrollment Rights for Template 'Machine'
Checking Certificate Template - Details for Template 'Machine':
Template Name : Machine
Template distinguishedname : CN=Machine,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=sub,DC=pen,DC=local
Date of Creation : 06.09.2015 07:12:43
CertificateNameFlag : SUBJECT_ALT_REQUIRE_DNS
SUBJECT_REQUIRE_DNS_AS_CN
EnrollmentFlag : CT_FLAG_AUTO_ENROLLMENT
Enrollment allowed for : SUB\Domänencomputer
[*] +++++ Checking Template 'User' +++++
[+] 'SUB\Domänen-Benutzer' has Enrollment Rights for Template 'User'
Checking Certificate Template - Details for Template 'User':
Template Name : User
Template distinguishedname : CN=User,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=sub,DC=pen,DC=local
Date of Creation : 06.09.2015 07:12:42
CertificateNameFlag : ENROLLEE_SUPPLIES_SUBJECT
OLD_CERT_SUPPLIES_SUBJECT_AND_ALT_NAME
ENROLLEE_SUPPLIES_SUBJECT_ALT_NAME
SUBJECT_ALT_REQUIRE_DOMAIN_DNS
SUBJECT_ALT_REQUIRE_DIRECTORY_GUID
SUBJECT_ALT_REQUIRE_UPN
SUBJECT_ALT_REQUIRE_EMAIL
SUBJECT_ALT_REQUIRE_DNS
SUBJECT_REQUIRE_DNS_AS_CN
SUBJECT_REQUIRE_EMAIL
SUBJECT_REQUIRE_COMMON_NAME
SUBJECT_REQUIRE_DIRECTORY_PATH
EnrollmentFlag : CT_FLAG_INCLUDE_SYMMETRIC_ALGORITHMS
CT_FLAG_PUBLISH_TO_DS
CT_FLAG_AUTO_ENROLLMENT
Private Key Exportable : True
Enrollment allowed for : SUB\Domänen-Benutzer
[*] +++++ Checking Template 'IIS_Webserver' +++++
[+] 'SUB\Domänencomputer' has Enrollment Rights for Template 'IIS_Webserver'
[+] 'Authenticated Users' has Enrollment Rights for Template 'IIS_Webserver'
[!] Template 'IIS_Webserver' has Flag 'ENROLLEE_SUPPLIES_SUBJECT'
Checking Certificate Template - Details for Template 'IIS_Webserver':
Template Name : IIS_Webserver
Template distinguishedname : CN=IIS_Webserver,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=sub,DC=pen,DC=local
Date of Creation : 11.10.2019 19:50:46
CertificateNameFlag : ENROLLEE_SUPPLIES_SUBJECT
EnrollmentFlag :
Private Key Exportable : True
Enrollment allowed for : SUB\Domänencomputer
Authenticated Users
[*] +++++ Searching for Credentials Exposure +++++
[*] +++++ Searching for ASREPRoast Users +++++
[*] https://book.hacktricks.xyz/windows/active-directory-methodology/asreproast
[!] Account Boody1946 does not require kerberos preauthentication to get a TGT
[*] Hashcat usage: hashcat -m 18200
Searching for ASREPRoast Users - Details for User 'Boody1946':
sAMAccountName : Boody1946
userPrincipalName : [email protected]
distinguishedName : CN=Kevin Ehrlichmann,OU=germany,OU=users,OU=corp,DC=sub,DC=pen,DC=local
description :
objectSid : S-1-5-21-575725702-4057784316-641645133-2289
userAccountControl : NORMAL_ACCOUNT, DONT_REQ_PREAUTH
memberOf :
pwdLastSet : 12.06.2019 13:18:36
lastLogonTimestamp : 13.11.2020 13:32:41
[email protected]:d38e4dcd90019ddda3ec04e535eb81b7$b3943db8194504c13e706358d9600a34c1269570c232f8dd
039f164ceed1bf15XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXaa084060f8b18db692b79749caf1e3149a
ad42059aeb56d39fc9862596a75f74ff414c476577a4b18f0b3a790ce642ac3f0096f6ab7e9b8ca20e1494a65d9e26b68e2952ed732a9eecea24c21
1b07314c69d0385ff42cd6180562a36035e9XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXff12ce17b66921
c91f35d66bdcf241f8fa821db4cf0db74247b508401fe17639c488f379d43043bfb3c99
[*] +++++ Searching for Kerberoastable Users +++++
[*] https://book.hacktricks.xyz/windows/active-directory-methodology/kerberoast#kerberoast
[!] Account svc_web has a SPN and is vulnerable to Kerberoasting
[*] Hashcat usage: hashcat -m 13100
Searching for Kerberoastable Users - Details for User 'svc_web':
sAMAccountName : svc_web
userPrincipalName : [email protected]
distinguishedName : CN=svc_web,OU=service accounts,OU=corp,DC=sub,DC=pen,DC=local
description :
objectSid : S-1-5-21-575725702-4057784316-641645133-3952
userAccountControl : NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD
memberOf :
pwdLastSet : 21.01.2020 17:40:15
lastLogonTimestamp :
$krb5tgs$23$*svc_web$sub.pen.local$http/web.server*$C2D4F2B64EC91A55A605229DBA5598FB$48B30F628AEE1917D1B401410937A633C2
4A586F186F6F8E5936EE2A375D21F226DF85AB2E29CE9866BBC985B2D12C57C3ADE298DC67293BDB5A258D092AAFC18415F60D925F69F4AC8832543
468D4371CB9464B18A1651A028D19273C7480421177ED589E0539265B63A833250964AB572451EE6589DD0041DBF06A3F5A63817594637D6CBA7A6D
D5B62281F6E29BD350F45F674F7C879A374284E95FB5344E100767F7BED97F609F6F2A2AFFE25135757F3119644B4ACFEC293E0709F4D7A139D322F
10910440302D6FA6XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX30E5C0587F4F1A9742B919ED1A9B2
41D812434FE9BAC01AA3688F885DC4EF58D6D1ADD664D4315636DD0537DDA058F68963DF413829C89A18265F0FF6966C55AFE14C642C46EA9BABFCB
E849F4ADE91E7E86F23E4DA78CC19AE93A676F42BAB1F3C9D34D3EED8CD35FCE43E69A3AF2996370249ACEFA92BB1DE6F3F2D00368FE03E2F39C32B
D8C49BF5B66065EDDFDF0A2436CD45F17557D68823909353F6AE75AA60DAB2752EC21497D79999A1C9FF47ECBE330A86924DCD4A7C97858D573244C
5D63863CA6D5AD4838CB4F0A1D78D579B063CAD8953FD56F002DC6CB5D2253CB7CAC0300D26ED5FF0379C8F1C409870FD53B3AFFE9FF7773229BC77
12E6A459F459828D334744AE1AE35A673C47A643FDD315B2414170FD4E9CA07B1C26F055AF42019FC36A68A8501FEB6B1C1424AA50415C2BBBA9E1E
647A4703096A2CF3563C404CE5E9F55D5A0A010C9140783B6956351ADD6C09B82F6D21B6810F3E08C67C68A547560F3589C18A5D44E26C76F078552
8EFEC05A13188058362F8800798BDDB21A67CFD79FA244740FEBB1A2736A24EC4C1E5FDEB5765C7E5E8905B4E8AB7B86FFD8A601EEAB0E9FD51E678
112B82BACCBA64C86XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXB133302F9E3A2D0070BA725E786852A9139ED12CC40B4
090DCD3579110C17DE189695B5F3D8EFDFC626A7E7713A073F3861CCA6929CFA1DB9CAA2063587870C733A52BE23DD92F048A9DC0049315FA116F73
A9112AE205F53251B1F1BAC51939951C2D96089E8022D3E780F46CB17B8B858CDBE3E8A292ED6E02F175171E10840623F0407ED1E5DB445DA7A6FCA
40F1BDFD0A310CA89328E98382C7FD1DC600897DDDEC71D65AA8C98AD70C0E223F0372740F36DC1CC1C66F2E61A9FBFCB3705478471DAE696BCE92F
91309ABAEEDB101B652CC7A8F2C28F5339765BA0E89C86611F5C17E45073AFED15ABF02F6E65DF2A7483BB8E0802E5891F30A9668BDC126F52ED9FA
169B3BE775BC87EA99521506AD48C93DB025XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXFB1BF977339341
AA40386C102807D5F33656BABEBAB8FE983CB9C2D1E56E28D9488671A56AE205686EF2324F9EBD9DACEFF9C7E8E3D10814444E00DEFB024C3DC856F
C326EC09C657BC09F6502A4058CA88258CCDAEB34E12A652D76C07C0D2547E52A8FFF50CA164E748B34CD6F8119DAB66A1B21043BBCD16C05F6
[*] +++++ Searching for Users with a set 'Linux/Unix Password' attribute +++++
[*] https://www.blackhillsinfosec.com/domain-goodness-learned-love-ad-explorer/
[!] User Tiledgets has a legacy cleartext Linux/Unix password set
Searching for Users with a set 'Linux/Unix Password' attribute - Details for User 'Tiledgets':
sAMAccountName : Tiledgets
userPrincipalName : [email protected]
distinguishedName : CN=Lucas Maier,OU=germany,OU=users,OU=corp,DC=sub,DC=pen,DC=local
description :
objectSid : S-1-5-21-575725702-4057784316-641645133-2115
userAccountControl : NORMAL_ACCOUNT
memberOf :
pwdLastSet : 12.06.2019 13:18:07
lastLogonTimestamp :
UnixUserPassword : ABCD!efgh12345$67890
[*] +++++ Searching for Computers with enabled and readable LAPS attribute +++++
[*] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#antivirus-and-detectors
[!] Computer SRVCLOUD$ has enabled LAPS - Found password 'SecretPW0815!'
Searching for Computers with enabled LAPS - Details for Computer 'SRVCLOUD$':
sAMAccountName : SRVCLOUD$
dNSHostName : srvcloud.sub.pen.local
distinguishedName : CN=SRVCLOUD,OU=corp,DC=sub,DC=pen,DC=local
IPv4Address : 192.168.46.31
operatingSystem : Windows Server 2019 Standard
description : Ask the administrator for the password
objectSid : S-1-5-21-575725702-4057784316-641645133-1715
userAccountControl : ACCOUNTDISABLE, WORKSTATION_TRUST_ACCOUNT
ms-Mcs-AdmPwd [Password] : SecretPW0815!
ms-mcs-AdmPwdExpirationTime [Password Expiration] : 01.12.2020 00:00:00
[*] +++++ Searching for Group Managed Service Accounts (gMSA) +++++
[*] https://book.hacktricks.xyz/windows/active-directory-methodology/privileged-accounts-and-token-privileges
[+] Account gMSA-Service$ is a Group Managed Service Account
Searching for gMSA - Details for Account 'gMSA-Service$':
sAMAccountName : gMSA-Service$
distinguishedName : CN=gMSA-Service,CN=Managed Service Accounts,DC=sub,DC=pen,DC=local
description :
objectSid : S-1-5-21-575725702-4057784316-641645133-36616
userAccountControl : WORKSTATION_TRUST_ACCOUNT
memberOf : CN=Testgroup,OU=test,OU=corp,DC=sub,DC=pen,DC=local
pwdLastSet : 26.09.2021 12:31:44
lastLogonTimestamp : 26.09.2021 12:38:07
PrincipalsAllowedToRetrieveManagedPassword : SUB\superadmin
SUB\SRV-DB01$
SUB\test
[*] +++++ Searching for Crypted Passwords in SYSVOL Group Policy Objects +++++
[*] https://www.andreafortuna.org/2019/02/13/abusing-group-policy-preference-files-for-password-discovery/
[!] Password 'P8ssw0rd#! for user local-admin-srv has been found
Searching for Crypted Passwords in SYSVOL Policies Directory - Details for File '\\sub.pen.local\SYSVOL\sub.pen.local\Policies\{6F6C332E-79D5-4C77-BF23-6FB5ED9381D4}\Machine\Preferences\Groups\Groups.xml':
Username : local-admin-srv
Password : 'P8ssw0rd#!
[*] +++++ Searching for Sensitive Information in NETLOGON Share +++++
[+] Possible sensitive information have been found
Searching for sensitive information in NETLOGON Share - Details for File '\\sub.pen.local\NETLOGON\login-script.cmd':
LineNumber : 5
LineContent : rem password: SuperS3cr3t!
[+] Possible sensitive information have been found
Searching for sensitive information in NETLOGON Share - Details for File '\\sub.pen.local\NETLOGON\login-script_test.cmd':
LineNumber : {5, 7}
LineContent : {rem password: TestPW0815!, net use l: \\srv-rfile.pen.local\Deparmentshare$ Passw0rd1!
/user:sub\%username%}
[*] +++++ Searching for Delegation Issues +++++
[*] +++++ Searching for Computers with Unconstrained Delegation Rights +++++
[*] https://book.hacktricks.xyz/windows/active-directory-methodology/unconstrained-delegation
[!] Computer PEN-SEXCH$ has unconstrained delegation rights
Searching for Computers with Unconstrained Delegation Rights - Details for Computer 'PEN-SEXCH$':
sAMAccountName : PEN-SEXCH$
dNSHostName : PEN-SEXCH.sub.pen.local
distinguishedName : CN=PEN-SEXCH,OU=servers,OU=corp,DC=sub,DC=pen,DC=local
IPv4Address : 192.168.46.22
operatingSystem : Windows Server 2016 Datacenter
description :
objectSid : S-1-5-21-575725702-4057784316-641645133-1106
userAccountControl : WORKSTATION_TRUST_ACCOUNT, TRUSTED_FOR_DELEGATION
[*] +++++ Searching for Computers with Constrained Delegation Rights +++++
[*] https://book.hacktricks.xyz/windows/active-directory-methodology/constrained-delegation
[!] Computer PEN-SCA$ has constrained delegation rights
Searching for Computers with Constrained Delegation Rights - Details for Computer 'PEN-SCA$':
sAMAccountName : PEN-SCA$
dNSHostName : PEN-SCA.sub.pen.local
distinguishedName : CN=PEN-SCA,OU=servers,OU=corp,DC=sub,DC=pen,DC=local
IPv4Address : 192.168.46.23
operatingSystem : Windows Server 2016 Datacenter
description :
objectSid : S-1-5-21-575725702-4057784316-641645133-1104
userAccountControl : WORKSTATION_TRUST_ACCOUNT, TRUSTED_TO_AUTH_FOR_DELEGATION
msDS-AllowedToDelegateTo : HOST/PEN-SDC01.sub.pen.local/sub.pen.local
HOST/PEN-SDC01.sub.pen.local
HOST/PEN-SDC01
HOST/PEN-SDC01.sub.pen.local/SUB
HOST/PEN-SDC01/SUB
[*] +++++ Searching for Computers with Resource-Based Constrained Delegation Rights +++++
[*] https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html
[!] Computer SRVVM$ has resource-based constrained delegation rights
Searching for Computers with Resource-Based Constrained Delegation Rights - Details for Computer 'SRVVM$':
sAMAccountName : SRVVM$
dNSHostName : srvvm.sub.pen.local
distinguishedName : CN=SRVVM,OU=corp,DC=sub,DC=pen,DC=local
IPv4Address : 192.168.46.56
operatingSystem : Windows Server 2016 Datacenter
description : vCenter
objectSid : S-1-5-21-575725702-4057784316-641645133-1187
userAccountControl : ACCOUNTDISABLE, WORKSTATION_TRUST_ACCOUNT, TRUSTED_FOR_DELEGATION
AllowedToActOnBehalfOfOtherIdentity : SUB\SRV-TEST$
[*] +++++ Searching for Users with Constrained Delegation Rights +++++
[*] https://book.hacktricks.xyz/windows/active-directory-methodology/constrained-delegation
[!] User test has constrained delegation rights
[+] The account test is or was member of a high privileged protected group
[+] https://book.hacktricks.xyz/windows/active-directory-methodology/privileged-accounts-and-token-privileges#adminsdholder-group
Searching for Users with Constrained Delegation Rights - Details for User 'test':
sAMAccountName : test
userPrincipalName : [email protected]
distinguishedName : CN=test,OU=test,OU=corp,DC=sub,DC=pen,DC=local
description :
objectSid : S-1-5-21-575725702-4057784316-641645133-2613
userAccountControl : PASSWD_NOTREQD, NORMAL_ACCOUNT, DONT_REQ_PREAUTH
memberOf : CN=Testgroup,OU=test,OU=corp,DC=sub,DC=pen,DC=local
pwdLastSet : 20.10.2020 13:48:35
lastLogonTimestamp : 19.11.2020 16:43:36
msDS-AllowedToDelegateTo : HOST/PEN-SDC01.sub.pen.local/sub.pen.local
HOST/PEN-SDC01.sub.pen.local
HOST/PEN-SDC01
HOST/PEN-SDC01.sub.pen.local/SUB
HOST/PEN-SDC01/SUB
[*] +++++ Searching for Users with Resource-Based Constrained Delegation Rights +++++
[*] https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html
[!] User test1 has resource-based constrained delegation rights
Searching for Users with Resource-Based Constrained Delegation Rights - Details for User 'test1':
sAMAccountName : test1
userPrincipalName : [email protected]
distinguishedName : CN=test1,OU=test,OU=corp,DC=sub,DC=pen,DC=local
description :
objectSid : S-1-5-21-575725702-4057784316-641645133-5165
userAccountControl : NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD, DONT_REQ_PREAUTH
memberOf :
pwdLastSet : 18.10.2020 17:45:20
lastLogonTimestamp : 02.12.2020 14:39:26
AllowedToActOnBehalfOfOtherIdentity : SUB\SRV-DB01$
[*] +++++ Starting Account Enumeration +++++
[*] +++++ Starting Domain User Enumeration +++++
[*] +++++ Searching for Searching for Azure AD Connect +++++
[*] https://www.synacktiv.com/en/publications/azure-ad-introduction-for-red-teamers.html
[+] Found Azure AD Connect user MSOL_31B43A257955
[*] https://www.hub.trimarcsecurity.com/post/securing-microsoft-azure-ad-connect
Searching for Azure AD Connect user - Details for User 'MSOL_31B43A257955':
sAMAccountName : MSOL_31B43A257955
userPrincipalName : [email protected]
distinguishedName : CN=MSOL_31B43A257955,CN=Users,DC=sub,DC=pen,DC=local
description : Account created by Microsoft Azure Active Directory Connect with installation
identifier 31B43A2579554f8affe815e99a07ab685 running on computer SRV-Azure
configured to synchronize to tenant penlab-test.onmicrosoft.com. This account must have
directory replication permissions in the local Active Directory and write permission
on certain attributes to enable Hybrid Deployment.
objectSid : S-1-5-21-575725702-4057784316-641645133-36622
pwdLastSet : 17.10.2021 13:25:01
lastLogonTimestamp : 17.10.2021 13:25:01
Running on Server : SRV-Azure
Used for AzureAD : penlab-test.onmicrosoft.com.
[*] +++++ Searching for Users in High Privileged Groups +++++
[*] https://book.hacktricks.xyz/windows/active-directory-methodology/privileged-accounts-and-token-privileges
Searching for Users in High Privileged Groups - Members of Group 'BUILTIN\Administrators':
GroupName : Domain Admins
distinguishedName : CN=Domain Admins,CN=Users,DC=sub,DC=pen,DC=local
description :
objectSid : S-1-5-21-575725702-4057784316-641645133-512
MemberDomain : sub.pen.local
GroupName : Enterprise Admins
distinguishedName : CN=Enterprise Admins,CN=Users,DC=pen,DC=local
description :
objectSid : S-1-5-21-2219892162-3422002451-1011183393-519
MemberDomain : pen.local
sAMAccountName : superadmin
userPrincipalName : [email protected]
distinguishedName : CN=Superadmin,CN=Users,DC=sub,DC=pen,DC=local
description :
objectSid : S-1-5-21-575725702-4057784316-641645133-3954
MemberDomain : sub.pen.local
pwdLastSet : 16.04.2020 11:28:31
lastLogonTimestamp : 16.04.2020 11:29:54
UserAccountControl : NORMAL_ACCOUNT
sAMAccountName : Andend
userPrincipalName : [email protected]
distinguishedName : CN=Alexander Baumgartner,OU=germany,OU=users,OU=corp,DC=sub,DC=pen,DC=local
description :
objectSid : S-1-5-21-575725702-4057784316-641645133-2273
MemberDomain : sub.pen.local
pwdLastSet : 12.06.2019 13:18:33
lastLogonTimestamp : 14.04.2020 15:12:20
UserAccountControl : NORMAL_ACCOUNT
sAMAccountName : Administrator
userPrincipalName : [email protected]
distinguishedName : CN=Administrator,CN=Users,DC=sub,DC=pen,DC=local
description : Built-in account for administering the computer/domain
objectSid : S-1-5-21-575725702-4057784316-641645133-500
MemberDomain : sub.pen.local
pwdLastSet : 28.10.2019 10:37:49
lastLogonTimestamp : 30.12.2020 14:10:15
UserAccountControl : NORMAL_ACCOUNT
Searching for Users in High Privileged Groups - Members of Group 'SUB\Domain Admins':
sAMAccountName : superadmin
userPrincipalName : [email protected]
distinguishedName : CN=Superadmin,CN=Users,DC=sub,DC=pen,DC=local
description :
objectSid : S-1-5-21-575725702-4057784316-641645133-3954
MemberDomain : sub.pen.local
pwdLastSet : 16.04.2020 11:28:31
lastLogonTimestamp : 16.04.2020 11:29:54
UserAccountControl : NORMAL_ACCOUNT
sAMAccountName : Administrator
userPrincipalName : [email protected]
distinguishedName : CN=Administrator,CN=Users,DC=sub,DC=pen,DC=local
description : Built-in account for administering the computer/domain
objectSid : S-1-5-21-575725702-4057784316-641645133-500
MemberDomain : sub.pen.local
pwdLastSet : 28.10.2019 10:37:49
lastLogonTimestamp : 30.12.2020 14:10:15
UserAccountControl : NORMAL_ACCOUNT
sAMAccountName : Andend
userPrincipalName : [email protected]
distinguishedName : CN=Alexander Baumgartner,OU=germany,OU=users,OU=corp,DC=sub,DC=pen,DC=local
description :
objectSid : S-1-5-21-575725702-4057784316-641645133-2273
MemberDomain : sub.pen.local
pwdLastSet : 12.06.2019 13:18:33
lastLogonTimestamp : 14.04.2020 15:12:20
UserAccountControl : NORMAL_ACCOUNT
Searching for Users in High Privileged Groups - Members of Group 'PEN\Enterprise Admins':
GroupName : Domain Admins
distinguishedName : CN=Domain Admins,CN=Users,DC=sub,DC=pen,DC=local
description :
objectSid : S-1-5-21-575725702-4057784316-641645133-512
MemberDomain : sub.pen.local
sAMAccountName : Administrator
userPrincipalName :
distinguishedName : CN=Administrator,CN=Users,DC=pen,DC=local
description : Built-in account for administering the computer/domain
objectSid : S-1-5-21-2219892162-3422002451-1011183393-500
MemberDomain : pen.local
pwdLastSet : 12.06.2019 11:04:17
lastLogonTimestamp : 30.12.2020 14:06:11
UserAccountControl : NORMAL_ACCOUNT
Searching for Users in High Privileged Groups - Members of Group 'SUB\Group Policy Creator Owners':
sAMAccountName : Administrator
userPrincipalName : [email protected]
distinguishedName : CN=Administrator,CN=Users,DC=sub,DC=pen,DC=local
description : Built-in account for administering the computer/domain
objectSid : S-1-5-21-575725702-4057784316-641645133-500
MemberDomain : sub.pen.local
pwdLastSet : 28.10.2019 10:37:49
lastLogonTimestamp : 30.12.2020 14:10:15
UserAccountControl : NORMAL_ACCOUNT
Searching for Users in High Privileged Groups - Members of Group 'SUB\DnsAdmins':
sAMAccountName : Andend
userPrincipalName : [email protected]
distinguishedName : CN=Alexander Baumgartner,OU=germany,OU=users,OU=corp,DC=sub,DC=pen,DC=local
description :
objectSid : S-1-5-21-575725702-4057784316-641645133-2273
MemberDomain : sub.pen.local
pwdLastSet : 12.06.2019 13:18:33
lastLogonTimestamp : 14.04.2020 15:12:20
UserAccountControl : NORMAL_ACCOUNT
Searching for Users in High Privileged Groups - Members of Group 'BUILTIN\Account Operators':
Searching for Users in High Privileged Groups - Members of Group 'BUILTIN\Server Operators':
Searching for Users in High Privileged Groups - Members of Group 'BUILTIN\Print Operators':
Searching for Users in High Privileged Groups - Members of Group 'BUILTIN\Backup Operators':
sAMAccountName : Andend
userPrincipalName : [email protected]
distinguishedName : CN=Alexander Baumgartner,OU=germany,OU=users,OU=corp,DC=sub,DC=pen,DC=local
description :
objectSid : S-1-5-21-575725702-4057784316-641645133-2273
MemberDomain : sub.pen.local
pwdLastSet : 12.06.2019 13:18:33
lastLogonTimestamp : 14.04.2020 15:12:20
UserAccountControl : NORMAL_ACCOUNT
Searching for Users in High Privileged Groups - Members of Group 'BUILTIN\Hyper-V Administrators':
Searching for Users in High Privileged Groups - Members of Group 'BUILTIN\Access Control Assistance Operators':
Searching for Users in High Privileged Groups - Members of Group 'SUB\Cert Publishers':
sAMAccountName : Andend
userPrincipalName : [email protected]
distinguishedName : CN=Alexander Baumgartner,OU=germany,OU=users,OU=corp,DC=sub,DC=pen,DC=local
description :
objectSid : S-1-5-21-575725702-4057784316-641645133-2273
MemberDomain : sub.pen.local
pwdLastSet : 12.06.2019 13:18:33
lastLogonTimestamp : 14.04.2020 15:12:20
UserAccountControl : NORMAL_ACCOUNT
[*] +++++ Searching for High Privileged Users where the Password does not expire +++++
[*] https://ldapwiki.com/wiki/DONT_EXPIRE_PASSWORD
[!] The password of account Andend does not expire
[+] The account Andend is or was member of a high privileged protected group
[*] https://book.hacktricks.xyz/windows/active-directory-methodology/privileged-accounts-and-token-privileges#adminsdholder-group
Searching for High Privileged Users where the Password does not expire - Details for User 'Andend':
sAMAccountName : Andend
userPrincipalName : [email protected]
distinguishedName : CN=Alexander Baumgartner,OU=germany,OU=users,OU=corp,DC=sub,DC=pen,DC=local
description :
objectSid : S-1-5-21-575725702-4057784316-641645133-2273
userAccountControl : NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD
memberOf : CN=Domain Admins,CN=Users,DC=sub,DC=pen,DC=local
pwdLastSet : 12.06.2019 13:18:33
lastLogonTimestamp : 14.04.2020 15:12:20
[*] +++++ Searching for High Privileged Users which may not require a Password +++++
[*] https://ldapwiki.com/wiki/PASSWD_NOTREQD
[!] The user test does not require to have a password
[+] The account test is or was member of a high privileged protected group
[*] https://book.hacktricks.xyz/windows/active-directory-methodology/privileged-accounts-and-token-privileges#adminsdholder-group
Searching for High Privileged Users which may not require a Password - Details for User 'test':
sAMAccountName : test
userPrincipalName : [email protected]
distinguishedName : CN=test,OU=test,OU=corp,DC=sub,DC=pen,DC=local
description :
objectSid : S-1-5-21-2861873120-3432765274-1178769123-2613
userAccountControl : PASSWD_NOTREQD, NORMAL_ACCOUNT, DONT_REQ_PREAUTH
memberOf : S-1-5-21-575725702-4057784316-641645133-2613
pwdLastSet : 20.10.2020 13:48:35
lastLogonTimestamp : 19.11.2020 16:43:36
[*] +++++ Starting Computer Enumeration +++++
[*] +++++ Searching Domain Controllers +++++
Searching for Domain Controllers - Details for Computer 'PEN-SDC01$':
sAMAccountName : PEN-SDC01$
dNSHostName : PEN-SDC01.sub.pen.local
distinguishedName : CN=PEN-SDC01,OU=Domain Controllers,DC=sub,DC=pen,DC=local
IPv4Address : 192.168.46.20
operatingSystem : Windows Server 2012 R2 Datacenter
description :
objectSid : S-1-5-21-575725702-4057784316-641645133-1001
userAccountControl : SERVER_TRUST_ACCOUNT, TRUSTED_FOR_DELEGATION
[*] +++++ Searching for Exchange Servers +++++
Searching for Exchange Servers - Details for Exchange Server PEN-SEXCH$:
sAMAccountName : PEN-SEXCH$
dNSHostName : PEN-SEXCH.sub.pen.local
distinguishedName : CN=PEN-SEXCH,OU=servers,OU=corp,DC=sub,DC=pen,DC=local
IPv4Address : 192.168.46.22
operatingSystem : Windows Server 2016 Datacenter
description :
objectSid : S-1-5-21-575725702-4057784316-641645133-1106
userAccountControl : WORKSTATION_TRUST_ACCOUNT, TRUSTED_FOR_DELEGATION
[*] +++++ Searching for Enterprise CA Servers +++++
Searching for Computers with Constrained Delegation Rights - Details for Computer 'PEN-SCA$':
sAMAccountName : PEN-SCA$
dNSHostName : PEN-SCA.sub.pen.local
distinguishedName : CN=PEN-SCA,OU=servers,OU=corp,DC=sub,DC=pen,DC=local
IPv4Address : 192.168.46.23
operatingSystem : Windows Server 2019 Datacenter
description :
objectSid : S-1-5-21-575725702-4057784316-641645133-1104
userAccountControl : WORKSTATION_TRUST_ACCOUNT, TRUSTED_TO_AUTH_FOR_DELEGATION
[*] +++++ Starting BloodHound Enumeration +++++
----------------------------------------------
Initializing SharpHound at 14:16 on 30.07.2021
----------------------------------------------
Resolved Collection Methods: Group, Trusts, ACL, ObjectProps, Container, GPOLocalGroup, DCOnly
[+] Creating Schema map for domain SUB.PEN.LOCAL using path CN=Schema,CN=Configuration,DC=SUB,DC=PEN,DC=LOCAL
PS > [+] Cache File Found! Loaded 143 Objects in cache
[+] Pre-populating Domain Controller SIDS
Status: 0 objects finished (+0) -- Using 146 MB RAM
Status: 2906 objects finished (+2906 484,3333)/s -- Using 164 MB RAM
Enumeration finished in 00:00:06.0289570
Compressing data to 20210730141650_sub.pen.local_Bloodhound.zip
You can upload this file directly to the UI
SharpHound Enumeration Completed at 14:16 on 30.07.2021! Happy Graphing!```