Enumerating AD from Linux


This article describes two scenarios in which you have a foothold in an Active Directory environment from a Linux system. In the first, you have a limited user account on a Linux machine that is not joined to the domain. In the second, you are on a domain-joined Linux machine but do not have any user credentials. This was a scenario I encountered in a client environment and it turned out to be very useful to be able to make LDAP queries to the domain. Queries you can perform include finding account descriptions (which sometimes contain passwords), group memberships, server names, account names, group policy information, and plenty of other things.

Linux with AD credentials

LDAP Queries

Install ldap-utils

sudo apt install ldap-utils

Query all AD DCs

ldapsearch -x -h <DC IP Address> -b "dc=ad,dc=test,dc=local" -D "account@ad.test.local" -W -s sub "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))" | grep distinguishedname -i

Get all user descriptions from AD

ldapsearch -x -h <DC IP Address> -b "dc=ad,dc=test,dc=local" -D "account@ad.test.local" -W -s sub '(&(objectCategory=person)(objectClass=user))' | grep "cn:\|description:"

Get all members of Domain Admins group

ldapsearch -x -h <DC IP Address> -b "dc=ad,dc=test,dc=local" -D "account@ad.test.local" -W -s sub '(&(objectCategory=user)(memberOf=cn=Domain Admins,cn=Users,dc=ad,dc=test,dc=local))' | grep "distinguishedName:"

Get all machines with “server” in the DN

ldapsearch -x -h <DC IP Address> -b "dc=ad,dc=test,dc=local" -D "account@ad.test.local" -W -s sub "(objectCategory=computer)" | grep -E "distinguishedname.*server" -i
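
Piping ldapsearch into grep, as above, misses two things the tool does routinely: it folds long values onto continuation lines (one leading space) and it emits base64 for any value containing non-ASCII or leading spaces (`description::` instead of `description:`), so a grep for `description:` skips exactly the descriptions most likely to be unusual. The following Python script, added here as an example and not part of the original post, parses the LDIF properly and then applies two of the checks above client-side: listing account descriptions, and testing the SERVER_TRUST_ACCOUNT bit (8192) that the 1.2.840.113556.1.4.803 bitwise-AND rule in the domain controller query tests server-side. The LDIF sample is constructed, not captured from a real domain.

```python
import base64
import re
import sys
from typing import Dict, List, Tuple

# userAccountControl bit values, as documented by Microsoft.
UAC_ACCOUNTDISABLE = 0x0002
UAC_SERVER_TRUST_ACCOUNT = 0x2000   # 8192: set on domain controllers
UAC_DONT_EXPIRE_PASSWORD = 0x10000

# Constructed sample of what ldapsearch prints for the user query above.
# Note the folded description (continuation line starts with a space) and
# the base64 description ("::") in the second entry.
SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <dc=ad,dc=test,dc=local> with scope subtree
# filter: (&(objectCategory=person)(objectClass=user))

# svc_backup, Users, ad.test.local
dn: CN=svc_backup,CN=Users,DC=ad,DC=test,DC=local
objectClass: user
cn: svc_backup
description: Backup service account - see ticket 12345 for the temporary passw
 ord
sAMAccountName: svc_backup
userAccountControl: 66048

# Jane Doe, Users, ad.test.local
dn: CN=Jane Doe,CN=Users,DC=ad,DC=test,DC=local
objectClass: user
cn: Jane Doe
description:: SGVsbG8gw7xiZXIgc2VjcmV0
sAMAccountName: jdoe
userAccountControl: 512

# DC01, Domain Controllers, ad.test.local
dn: CN=DC01,OU=Domain Controllers,DC=ad,DC=test,DC=local
objectClass: computer
cn: DC01
sAMAccountName: DC01$
userAccountControl: 532480

# search result
search: 2
result: 0 Success

# numResponses: 4
# numEntries: 3
"""

# attribute name, ":" or "::", optional space, value
_ATTR_RE = re.compile(r"^([A-Za-z][A-Za-z0-9.;-]*)(::?) ?(.*)$")


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Parse ldapsearch output into entries: {lowercased attribute: [values]}.

    Unfolds continuation lines and decodes base64 ("::") values, which are the
    two cases a plain grep gets wrong. Entries without a dn (the trailing
    search/result block) are dropped.
    """
    unfolded: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]          # glue continuation onto previous line
        else:
            unfolded.append(line)

    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in unfolded + [""]:              # trailing "" flushes the last entry
        if not line.strip():
            if "dn" in current:
                entries.append(current)
            current = {}
            continue
        if line.startswith("#"):
            continue
        m = _ATTR_RE.match(line)
        if not m:
            continue
        name, sep, value = m.group(1).lower(), m.group(2), m.group(3)
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8", errors="replace")
        current.setdefault(name, []).append(value)
    return entries


def descriptions(entries: List[Dict[str, List[str]]]) -> List[Tuple[str, str]]:
    """(sAMAccountName, description) for every entry that carries a description."""
    return [(e.get("samaccountname", ["?"])[0], d)
            for e in entries for d in e.get("description", [])]


def domain_controllers(entries: List[Dict[str, List[str]]]) -> List[str]:
    """DNs whose userAccountControl has SERVER_TRUST_ACCOUNT set; the same test
    the 1.2.840.113556.1.4.803 matching rule performs on the server."""
    return [e["dn"][0] for e in entries
            if int(e.get("useraccountcontrol", ["0"])[0]) & UAC_SERVER_TRUST_ACCOUNT]


if __name__ == "__main__":
    # Usage: ldapsearch ... | python3 ldif_triage.py  (falls back to the sample on a tty)
    entries = parse_ldif(SAMPLE_LDIF if sys.stdin.isatty() else sys.stdin.read())
    for name, desc in descriptions(entries):
        print(f"{name}: {desc}")
    for dn in domain_controllers(entries):
        print(f"DC: {dn}")
```

Run without the `| grep` on the ldapsearch command so the script sees the full LDIF; the filter can stay as it is, since selecting attributes client-side is cheap and keeps one parser for all of the queries above.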

SMBClient - Finding GPP XML files

Search for XML files in the SYSVOL share

smbclient \\\\<DC IP Address>\\sysvol -E -U account -c "recurse ON; ls" 2> Desktop/test.txt
cat Desktop/test.txt | grep xml -i

Checking if you can add a machine to the domain

Another interesting default in Active Directory is the ability for a regular user to add a machine to the domain. In some cases doing so could grant you additional permissions in the domain, in addition to being able to then use other post-exploitation tools against the domain such as Empire or Metasploit. One possible scenario is startup scripts located in a share that only Domain Computers have permission to read. The following shows first how to determine whether this permission exists in the domain using your user credentials, then the process of actually adding a machine to the domain.

There are two ways this default functionality can be disabled. First, it can be disabled by changing the ms-DS-MachineAccountQuota attribute on the domain object from its default of 10 to 0.

Check if ms-DS-MachineAccountQuota is > 0

ldapsearch -x -h <DC IP Address> -b "dc=ad,dc=test,dc=local" -D "account@ad.test.local" -W -s sub "(objectclass=domain)" | grep "ms-ds-machineaccountquota" -i

ms-DS-MachineAccountQuota: 10

The second way this can be disabled is by altering the default User Rights Assignment for SeMachineAccountPrivilege ("Add workstations to domain") in the Default Domain Controllers Policy from Authenticated Users to another group. Checking this without a domain foothold will take a few steps.

Locate Default Domain Controllers Policy share location

ldapsearch -x -h <DC IP Address> -b "dc=ad,dc=test,dc=local" -D "account@ad.test.local" -W -s sub "(objectclass=groupPolicyContainer)" | grep -i "gpcfilesyspath\|displayname" -A 1

displayName: Default Domain Controllers Policy
uSNCreated: 7975
gPCFileSysPath: \\ad.test.local\sysvol\ad.test.local\Policies\{6AC1786C-016F-1

Download the group policy inf file, and check whether SeMachineAccountPrivilege is set to SID S-1-5-11 (Authenticated Users)

smbclient "\\\\<DC IP Address>\\sysvol" -U account
smb: \> cd "ad.test.local\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft\Windows NT\SecEdit"
smb: \ad.test.local\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft\Windows NT\SecEdit> get GptTmpl.inf
getting file \ad.test.local\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf of size 3722 as SecEdit\GptTmpl.inf (191.3 KiloBytes/sec) (average 191.3 KiloBytes/sec)
smb: \ad.test.local\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft\Windows NT\SecEdit> exit
ninjastyle@ninja:~$ cat GptTmpl.inf 
[Registry Values]
[Privilege Rights]
SeAssignPrimaryTokenPrivilege = *S-1-5-20,*S-1-5-19
SeAuditPrivilege = *S-1-5-20,*S-1-5-19
SeBackupPrivilege = *S-1-5-32-549,*S-1-5-32-551,*S-1-5-32-544
SeBatchLogonRight = *S-1-5-32-559,*S-1-5-32-551,*S-1-5-32-544
SeChangeNotifyPrivilege = *S-1-5-32-554,*S-1-5-11,*S-1-5-32-544,*S-1-5-20,*S-1-5-19,*S-1-1-0
SeCreatePagefilePrivilege = *S-1-5-32-544
SeDebugPrivilege = *S-1-5-32-544
SeIncreaseBasePriorityPrivilege = *S-1-5-32-544
SeIncreaseQuotaPrivilege = *S-1-5-32-544,*S-1-5-20,*S-1-5-19
SeInteractiveLogonRight = *S-1-5-32-550,*S-1-5-32-549,*S-1-5-32-548,*S-1-5-32-551,*S-1-5-32-544
SeLoadDriverPrivilege = *S-1-5-32-550,*S-1-5-32-544
SeMachineAccountPrivilege = *S-1-5-11
SeNetworkLogonRight = *S-1-5-32-554,*S-1-5-9,*S-1-5-11,*S-1-5-32-544,*S-1-1-0
SeProfileSingleProcessPrivilege = *S-1-5-32-544
SeRemoteShutdownPrivilege = *S-1-5-32-549,*S-1-5-32-544
SeRestorePrivilege = *S-1-5-32-549,*S-1-5-32-551,*S-1-5-32-544
SeSecurityPrivilege = *S-1-5-32-544
SeShutdownPrivilege = *S-1-5-32-550,*S-1-5-32-549,*S-1-5-32-551,*S-1-5-32-544
SeSystemEnvironmentPrivilege = *S-1-5-32-544
SeSystemProfilePrivilege = *S-1-5-80-3139157870-2983391045-3678747466-658725712-1809340420,*S-1-5-32-544
SeSystemTimePrivilege = *S-1-5-32-549,*S-1-5-32-544,*S-1-5-19
SeTakeOwnershipPrivilege = *S-1-5-32-544
SeUndockPrivilege = *S-1-5-32-544
SeEnableDelegationPrivilege = *S-1-5-32-544

With both settings as shown above (a non-zero quota and SeMachineAccountPrivilege granted to S-1-5-11), any authenticated account can be used to add a machine to the domain.
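
To turn the two checks above into a repeatable test, for example when auditing your own domain, here is an added Python script; it is not from the original post. It takes the grep'd ms-DS-MachineAccountQuota line and the raw bytes of GptTmpl.inf, parses the [Privilege Rights] section, and reports whether SeMachineAccountPrivilege is held by a broad principal (Authenticated Users, Everyone, Domain Users or BUILTIN\Users) while the quota is non-zero. The INF samples and the `-1105` group SID in the restricted sample are constructed; the file is assumed to be UTF-16 LE with a BOM, which is how Windows writes it to SYSVOL (the cat output above shows it already decoded).

```python
import re
from typing import Dict, List, Optional

# Well-known principals that make a user right effectively available to everyone.
BROAD_PRINCIPALS = {
    "S-1-5-11": "Authenticated Users",
    "S-1-1-0": "Everyone",
    "S-1-5-32-545": "BUILTIN\\Users",
}
DOMAIN_USERS_RID = "-513"   # Domain Users is S-1-5-21-<domain>-513

# Constructed: the line the ms-DS-MachineAccountQuota query prints on a default domain.
SAMPLE_QUOTA_LINE = "ms-DS-MachineAccountQuota: 10\n"


def _inf(privilege_line: str) -> bytes:
    """Build a constructed GptTmpl.inf as UTF-16 LE with BOM (assumed on-disk format)."""
    body = ("[Unicode]\r\nUnicode=yes\r\n"
            "[Version]\r\nsignature=\"$CHICAGO$\"\r\nRevision=1\r\n"
            "[Registry Values]\r\n"
            "[Privilege Rights]\r\n"
            f"{privilege_line}\r\n"
            "SeDebugPrivilege = *S-1-5-32-544\r\n")
    return ("\ufeff" + body).encode("utf-16-le")


SAMPLE_INF_DEFAULT = _inf("SeMachineAccountPrivilege = *S-1-5-11")
# Constructed SID of a dedicated "domain join" group; 1105 is a made-up RID.
SAMPLE_INF_RESTRICTED = _inf("SeMachineAccountPrivilege = *S-1-5-21-1000-2000-3000-1105")


def parse_privilege_rights(raw: bytes) -> Dict[str, List[str]]:
    """Return {right name: [SIDs]} from the [Privilege Rights] section of GptTmpl.inf."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        text = raw.decode("utf-16")          # BOM selects the byte order and is stripped
    else:
        text = raw.decode("utf-8", errors="replace")
    rights: Dict[str, List[str]] = {}
    section = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "privilege rights" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        # Each principal is written "*<SID>"; the leading * marks a SID rather than a name.
        rights[name.strip()] = [p.strip().lstrip("*") for p in value.split(",") if p.strip()]
    return rights


def machine_account_quota(ldap_output: str) -> Optional[int]:
    """Extract ms-DS-MachineAccountQuota from ldapsearch output; None if absent."""
    m = re.search(r"ms-DS-MachineAccountQuota:\s*(\d+)", ldap_output, re.IGNORECASE)
    return int(m.group(1)) if m else None


def assess_machine_join(ldap_output: str, gpttmpl: bytes) -> dict:
    """Combine both checks: the quota must be > 0 AND a broad principal must hold the right."""
    quota = machine_account_quota(ldap_output)
    holders = parse_privilege_rights(gpttmpl).get("SeMachineAccountPrivilege", [])
    broad = [BROAD_PRINCIPALS.get(s, "Domain Users") for s in holders
             if s in BROAD_PRINCIPALS or s.endswith(DOMAIN_USERS_RID)]
    return {
        "quota": quota,
        "privilege_holders": holders,
        "broad_principals": broad,
        "any_user_can_join": quota is not None and quota > 0 and bool(broad),
    }


def remediation(result: dict) -> List[str]:
    """Defender-side fixes implied by the two checks the post describes."""
    fixes = []
    if result["quota"] is None or result["quota"] > 0:
        fixes.append("Set ms-DS-MachineAccountQuota on the domain object to 0.")
    if result["broad_principals"]:
        fixes.append("Restrict SeMachineAccountPrivilege in the Default Domain Controllers "
                     "Policy to a dedicated join group instead of Authenticated Users.")
    return fixes


if __name__ == "__main__":
    for label, inf in (("default", SAMPLE_INF_DEFAULT), ("restricted", SAMPLE_INF_RESTRICTED)):
        r = assess_machine_join(SAMPLE_QUOTA_LINE, inf)
        print(label, r["any_user_can_join"], r["broad_principals"], remediation(r))
```

With a real domain, feed the script the output of the ms-DS-MachineAccountQuota query and the GptTmpl.inf fetched with smbclient; a result of `any_user_can_join: False` only means these two controls are in place, not that machine creation is otherwise locked down (delegated create rights on an OU are a separate check).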

More to come. This post is a work in progress.