Domain Goodness – How I Learned to LOVE AD Explorer
OR How to Pentest with AD Explorer!
Mark Russinovich’s Sysinternals tools (Microsoft) are nothing new. They have been a favorite among system administrators for many, many years. Maybe a little less known is that they are super helpful for pentesters too! One of my favorites is AD Explorer. My colleague Dave Fletcher, who has worn many hats including that of sysadmin extraordinaire, reminded me of this tool on an engagement and I have been using it on internal assessments faithfully ever since. Of course for organizations that expose domain controllers on the Internet this could be useful on external tests as well (read on for more about that using Shodan).
All you need is a domain account – any domain account – and you can talk to a domain controller and ask it to enumerate the domain for you. It will layout the OU structure, the user accounts, computer accounts. It may offer some help on finding juicy targets like privileged users and database servers.
Like all the Sysinternals tools, they are standalone executables, no installation required. So as long as you have write access somewhere you can download it from http://live.sysinternals.com.
But what if you don’t have write access or are not allowed to download executables? No worries, you can also give it the following UNC path directly from the Run box or an Explorer window and execute it without downloading the file to disk.
Click on an executable to load it directly into memory from Microsoft’s site
Let’s look at a couple of examples of how awesome this tool is. First, you might find metadata giving you clues about an object like in the screenshot below. It looks like we found the CIO’s laptop. I don’t know about you but if I learn the machine name of the CIO’s computer I can’t resist finding a way to login there and grab their credentials from memory. That would typically be a pretty privileged account as well.
There may be other attributes with interesting information as well, such as the “info” attribute. In the example below, we show an AD record from a real test. The data is redacted but suffice it to say the data there is quite sensitive and presents some excellent social engineering opportunities (think password reset)!
If you need to find high-value target servers then more often than not the organization’s naming convention will help you with that. Servers are very frequently named according to their function, eg. with “SQL” or “Sharepoint” in the name.
The search feature in AD Explorer is also excellent and helps you slice and dice through the mountains of data to find just what you need. For example, do you need to identify the disabled accounts? Just select the userAccountControl attribute and search for values of 514. (Actually, the userAccountControl attribute is a value representing multiple flags, one of which is the “disabled” flag so there could be multiple values here that represent disabled accounts but the most common would be 514.)
If you have high enough privileges you can also add and modify objects and attributes. It doesn’t let you do as much as Active Directory Users and Computers but this feature still could be useful on a pentest. As a demo, I added the “Comment” attribute for user Grace in my test domain.
The tool also gives you the wonderful option of saving a snapshot…
…that you can copy off anywhere and open it back up in AD Explorer for your viewing pleasure.
Viewing a snapshot won’t let you make any changes but it is excellent for reconnaissance activities.
AD Explorer can also do a “diff” of two snapshots. How might this be useful on a pentest? Take a snapshot right away when you get access to the domain. Then after you have done some hacking and cracking and people start changing their passwords or disabling accounts you can take another snapshot and see who has changed their passwords or which are disabled. As far as I can tell, AD Explorer does not allow you to modify passwords or change the status from disabled to enabled (even as DA) but at least you can check and avoid disabled accounts to stay a bit stealthier using this method.
Now, about the external testing…..What if you do a Shodan search for DCs that are exposed on the Internet and log on to one that way? Of course, you’ll need to come up with a domain account if you want to connect to the server using AD Explorer. The search below is for two common LDAP ports and a hostname that contains the letters “DC”. There are plenty out there accessible from the Internet surprisingly enough.
Or take it a step further and add in port 445 to find Domain Controllers that may be vulnerable to some of the freshly leaked SMB exploits from Shadow Brokers. (Note: Not all these hits have all three ports open.)
A compromise of one of these servers could represent the compromise of an entire domain. Yikes. Make sure your organization is not on this list!
!!New Tips and Tricks Added May 2018!!
Use AD Explorer to Assist with Phishing Ruses.
If you want to send targeted phishing emails to a particular group from an external email address, you can query AD for distribution groups that allow mail from external sources. The attribute msExchRequireAuthToSendTo reveals this. When that attribute is False, anyone can send mail to the group.
You can also double-click a group from the search results and then examine the member attribute of the group to get a list of the members. Individual email addresses can be extracted that way but it is much more tedious. The ability to send to a group is much quicker and it just might make the email a bit more believable to the recipients.
Create a Snapshot from the Command Line
AD Explorer is a GUI tool but as you know, GUI access is often not available. But from shell access, you can create a snapshot too (Thanks Fletch!). Upload the executable to the host you have shell access on and use the following command:
adexplorer.exe -snapshot “” mysnap.dat
Or run it without uploading first with this command:
\\live.sysinternals.com\tools\adexplorer.exe -snapshot “” snap.dat
You can see the required syntax by typing “adexplorer /?” from the command prompt:
Hunting for Privileged Accounts
Also, if you are hunting for privileged accounts to don’t forget to check the Builtin Administrators group. This may contain accounts that are not necessarily Domain Admins but might have local admin access to domain controllers FTW!
Hunting for Passwords
There are 3-4 fields that seem to be common in most AD schemas, UserPassword, UnixUserPassword, unicodePwd, and msSFU30Password. On a surprising number of tests, we find one or more of these fields are populated with ACTUAL passwords. They are sometimes obfuscated by converting to the ASCII decimal equivalents but that is nothing that “man ascii” can’t help you with.
Here is an example from a recent snapshot we took.
These both have the same password, which decodes to A B C D ! e f g h 1 2 3 4 5 $ 6 7 8 9 0.
If you know of any other tips or tricks using AD Explorer please let us know and will add them on. Thanks!
Ready to learn more?
Level up your skills with affordable classes from Antisyphon!
Available live/virtual and on-demand
May 15, 2017 @ 6:07 pm
To create the snapshot from command line (one-liner):
reg add “HKCU\software\Sysinternals\Active Directory Explorer” /v EulaAccepted /t REG_DWORD /d 1 /f & ADexplorer.exe -snapshot “” ad_snapshot.dat
As this executable doesn’t have the option of -accepteula as procdump we have to create the reg key. Then we execute it with -snapshot option for (“”) current server and we set the output file name.