
Tools

This section covers various tools that can be used to enumerate an Active Directory environment.

ActiveDirectory PowerShell Module

The Active Directory PowerShell Module is a collection of cmdlets designed for performing various Active Directory operations. This module is available by default on Windows Server 2012 and later. It is intended for those who manage Active Directory, but it is also very useful for penetration testers.

One of the key advantages of this module is that it is signed by Microsoft, making it less likely to be detected by antivirus software.

🔗 Download: GitHub - ADModule

Usage

Download the module from the link above and import it into your PowerShell session.

```powershell
Import-Module C:\ADModule\Microsoft.ActiveDirectory.Management.dll
Import-Module C:\ADModule\ActiveDirectory.psd1
```

The full list of commands can be found on Microsoft's documentation: Microsoft Docs: Active Directory PowerShell Module

BloodHound

BloodHound is a tool developed by SpecterOps that is used for analyzing and visualizing the relationships within an Active Directory environment. It is particularly useful for identifying attack paths that can be used to compromise an environment.

There are two versions of BloodHound:

  1. BloodHound Legacy - https://github.com/BloodHoundAD/BloodHound
  2. BloodHound CE (Community Edition) - https://github.com/SpecterOps/BloodHound

Ingesting Data

BloodHound requires data to be ingested from the target Active Directory environment. This can be done by running SharpHound on a domain-joined machine. It will collect data about the environment and save it to a file that can be imported into BloodHound.

🔗 Download: GitHub - SharpHound

```powershell
SharpHound.exe -c All
```

To make the collection more stealthy, use the --stealth option. This removes noisy collection methods like RDP, DCOM, PSRemote and LocalAdmin.
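
Why those collection methods are noisy, seen from the defender's side (an added example, not part of the original page or of SharpHound): local group collection reaches every computer over the network, so one source touching many hosts in a short time stands out. The code assumes such queries appear as Windows Security event 5145 records for the samr pipe on IPC$, exported as simple dictionaries; the field names, addresses, host names and thresholds are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def _ev(time, src, host, share=r"\\*\IPC$", target="samr"):
    """Build one simplified event 5145 record (field names are constructed)."""
    return {"time": time, "src": src, "host": host, "share": share, "target": target}


# Constructed sample data, not captured from a real network.
SAMPLE_EVENTS = (
    # One workstation reaches the samr pipe on 8 computers within 40 seconds.
    [_ev(f"2024-05-01T09:00:{i * 5:02d}", "10.0.0.50", f"WS{i:02d}") for i in range(1, 9)]
    # The same pattern spread over five hours (6 computers, one per hour).
    + [_ev(f"2024-05-01T{11 + i}:00:00", "10.0.0.60", f"WS{i:02d}") for i in range(6)]
    # Ordinary activity: an admin touching two hosts, and a normal file share read.
    + [_ev("2024-05-01T09:10:00", "10.0.0.7", "WS01"),
       _ev("2024-05-01T10:30:00", "10.0.0.7", "WS02"),
       _ev("2024-05-01T09:00:10", "10.0.0.9", "FS01", share=r"\\*\Finance", target="q1.xlsx")]
)


def find_fanout(events, pipes=("samr",), window=timedelta(minutes=5), min_hosts=5):
    """Return {source: most distinct hosts reached over IPC$ pipes in any window}."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["share"].upper().endswith("IPC$") and ev["target"].lower() in pipes:
            by_src[ev["src"]].append((datetime.fromisoformat(ev["time"]), ev["host"]))
    alerts = {}
    for src, hits in by_src.items():
        hits.sort()
        start = best = 0
        for end in range(len(hits)):
            # Shrink the window from the left until it spans at most `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            best = max(best, len({host for _, host in hits[start:end + 1]}))
        if best >= min_hosts:
            alerts[src] = best
    return alerts


if __name__ == "__main__":
    print(find_fanout(SAMPLE_EVENTS))                              # short window
    print(find_fanout(SAMPLE_EVENTS, window=timedelta(hours=12)))  # wider window
```

A sweep spread over hours only shows up with the wider window, so the window and host threshold need tuning against normal administrative activity.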

The gathered data can be uploaded to the BloodHound application (on both Legacy and Community Edition).

PowerView

PowerView is a PowerShell tool that is part of the PowerSploit project. It is used for querying and interacting with Active Directory. PowerView is particularly useful for enumeration and privilege escalation in Active Directory environments.

🔗 Download: GitHub - PowerSploit

Usage

Import the PowerView module into your PowerShell session.

```powershell
. C:\Tools\PowerView.ps1
```

See the Active Directory Enumeration section for a list of useful commands that can be used with PowerView.