LDAP
A lot of information on an AD domain can be obtained through LDAP. Most of the information can only be obtained with an authenticated bind but metadata (naming contexts, DNS server name, Domain Functional Level (DFL)) can be obtainable anonymously, even with anonymous binding disabled.
The ldeep (Python) tool can be used to enumerate essential information like delegations, gpo, groups, machines, pso, trusts, users, and so on.
bash
# remotely dump information
ldeep ldap -u "$USER" -p "$PASSWORD" -d "$DOMAIN" -s ldap://"$DC_IP" all "ldeepdump/$DOMAIN"
# parse saved information (in this case, enumerate trusts)
ldeep cache -d "ldeepdump" -p "$DOMAIN" trustsNetExec (Python) also has useful modules that can be used to
- map information regarding AD-CS (Active Directory Certificate Services)
- show subnets listed in AD-SS (Active Directory Sites and Services)
- list the users description
- print the Machine Account Quota domain-level attribute's value
bash
# list PKIs/CAs
nxc ldap "domain_controller" -d "domain" -u "user" -p "password" -M adcs
# list subnets referenced in AD-SS
nxc ldap "domain_controller" -d "domain" -u "user" -p "password" -M subnets
# machine account quota
nxc ldap "domain_controller" -d "domain" -u "user" -p "password" -M maq
# users description
nxc ldap "domain_controller" -d "domain" -u "user" -p "password" -M get-desc-usersThe PowerShell equivalent to netexec's subnets modules is the following
powershell
[System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().Sites.SubnetsLDAP anonymous binding is usually disabled but it's worth checking. It could be handy to list the users and test for ASREProasting (since this attack needs no authentication).