
Sally Vandeven // OR How to Pentest with AD Explorer!

Mark Russinovich’s Sysinternals tools (Microsoft) are nothing new. They have been a favorite among system administrators for many, many years. Maybe a little less known is that they are super helpful for pentesters too! One of my favorites is AD Explorer. My colleague Dave Fletcher, who has worn many hats including that of sysadmin extraordinaire, reminded me of this tool on an engagement and I have been using it on internal assessments faithfully ever since.

All you need is a domain account – any domain account – and you can talk to a domain controller and ask it to enumerate the domain for you. It will lay out the OU structure, the user accounts and the computer accounts, and it may offer some help in finding juicy targets like privileged users and database servers. Of course, for organizations that expose domain controllers on the Internet this could be useful on external tests as well (read on for more about that using Shodan). Like all the Sysinternals tools, AD Explorer is a standalone executable with no installation required, so as long as you have write access somewhere you can download it to, you are good to go.

How might this be useful on a pentest? Take a snapshot right away when you get access to the domain. Viewing a snapshot won’t let you make any changes, but it is excellent for reconnaissance activities: all of the querying happens once, against your local copy, instead of repeatedly against the domain controller. Keep in mind that building the snapshot itself is a full read of the directory over LDAP from one account on one host, which is harmless to the DC but is a burst of queries a watchful defender can notice. AD Explorer can also do a “diff” of two snapshots.

Now, about the external testing… What if you do a Shodan search for DCs that are exposed on the Internet and log on to one that way? Of course, you’ll need to come up with a domain account if you want to connect to the server using AD Explorer. As far as I can tell, AD Explorer does not allow you to modify passwords or change the status from disabled to enabled (even as DA), but at least you can check for and avoid disabled accounts to stay a bit stealthier using this method (the disabled state is the 0x2 bit of the userAccountControl attribute, and pwdLastSet records when a password was last set). Then, after you have done some hacking and cracking and people start changing their passwords or disabling accounts, you can take another snapshot and diff it against the first to see who has changed their passwords or which accounts are now disabled.
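To make the snapshot-and-diff workflow concrete, here is an added example of the checks it rests on; this is my illustration, not code from the post and not part of AD Explorer or Sysinternals. From one snapshot it filters out disabled accounts, flags direct members of privileged groups and picks out accounts whose password never expires; from two snapshots it reports who reset a password, who got disabled or re-enabled, and which accounts appeared or vanished. The "snapshot" is a constructed list of user objects carrying only the attributes that matter (sAMAccountName, userAccountControl, pwdLastSet, memberOf); in practice you would fill it from the LDAP search any domain account can run (for instance with the ldap3 library) or from an exported snapshot. The account names, group DNs and timestamps are made up for the example.

```python
"""
Added example (not code from the original post or from Sysinternals):
the checks behind the snapshot-and-diff workflow, run on constructed data.

A "snapshot" here is a list of user objects carrying the LDAP attributes
the workflow depends on. In a live run you would fill these from an LDAP
search made as any domain account (e.g. with the ldap3 library) or from
an exported AD Explorer snapshot; the accounts and group DNs below are
made up for the example.
"""
from datetime import datetime, timedelta, timezone

# userAccountControl bit flags, as defined in the AD schema.
UF_ACCOUNTDISABLE = 0x0002
UF_DONT_EXPIRE_PASSWD = 0x10000

# Group DNs treated as "juicy" (assumption for this example; extend as needed).
PRIVILEGED_GROUPS = {
    "CN=Domain Admins,CN=Users,DC=corp,DC=local",
    "CN=Enterprise Admins,CN=Users,DC=corp,DC=local",
}

# pwdLastSet is a Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
_TICKS_PER_DAY = 86_400 * 10_000_000


def filetime_to_datetime(ticks):
    """Convert pwdLastSet to a datetime; 0 means never set / must change at next logon."""
    if ticks == 0:
        return None
    return _EPOCH_1601 + timedelta(microseconds=ticks // 10)


def is_disabled(user):
    return bool(user["userAccountControl"] & UF_ACCOUNTDISABLE)


def enabled_accounts(snapshot):
    """Accounts worth trying: skip disabled ones to avoid pointless failed logons."""
    return sorted(u["sAMAccountName"] for u in snapshot if not is_disabled(u))


def privileged_accounts(snapshot):
    """Direct members of the privileged groups (nested membership is not expanded here)."""
    return sorted(u["sAMAccountName"] for u in snapshot
                  if PRIVILEGED_GROUPS & set(u["memberOf"]))


def non_expiring_passwords(snapshot):
    """Typical service accounts: password never expires and is rarely rotated."""
    return sorted(u["sAMAccountName"] for u in snapshot
                  if u["userAccountControl"] & UF_DONT_EXPIRE_PASSWD)


def diff_snapshots(old, new):
    """What changed between two snapshots: password resets, disables, adds, removes."""
    old_by = {u["sAMAccountName"]: u for u in old}
    new_by = {u["sAMAccountName"]: u for u in new}
    result = {
        "added": sorted(set(new_by) - set(old_by)),
        "removed": sorted(set(old_by) - set(new_by)),
        "password_changed": [],
        "newly_disabled": [],
        "newly_enabled": [],
    }
    for name in sorted(set(old_by) & set(new_by)):
        o, n = old_by[name], new_by[name]
        # pwdLastSet moves on any reset, including an admin reset, not only a user change.
        if o["pwdLastSet"] != n["pwdLastSet"]:
            result["password_changed"].append(name)
        if is_disabled(n) and not is_disabled(o):
            result["newly_disabled"].append(name)
        elif is_disabled(o) and not is_disabled(n):
            result["newly_enabled"].append(name)
    return result


def _user(name, uac, pwd_last_set, member_of=()):
    return {"sAMAccountName": name, "userAccountControl": uac,
            "pwdLastSet": pwd_last_set, "memberOf": list(member_of)}


# Constructed snapshot taken at the start of the engagement.
_T0 = 132_223_104_000_000_000  # FILETIME for 2020-01-01 00:00:00 UTC
SNAPSHOT_1 = [
    _user("alice", 0x200, _T0, ["CN=Domain Admins,CN=Users,DC=corp,DC=local"]),
    _user("bob", 0x200, _T0),
    _user("carol", 0x200, 0),  # must change password at next logon
    _user("svc_sql", 0x200 | UF_DONT_EXPIRE_PASSWD, _T0),
    _user("olduser", 0x200 | UF_ACCOUNTDISABLE, _T0),
]

# Constructed snapshot taken 30 days later, after the blue team has reacted.
SNAPSHOT_2 = [
    _user("alice", 0x200, _T0 + 30 * _TICKS_PER_DAY, ["CN=Domain Admins,CN=Users,DC=corp,DC=local"]),
    _user("bob", 0x200 | UF_ACCOUNTDISABLE, _T0),
    _user("carol", 0x200, _T0 + 30 * _TICKS_PER_DAY),
    _user("svc_sql", 0x200 | UF_DONT_EXPIRE_PASSWD, _T0),
    _user("dave", 0x200, _T0 + 30 * _TICKS_PER_DAY),
]

if __name__ == "__main__":
    print("enabled:", enabled_accounts(SNAPSHOT_1))
    print("privileged:", privileged_accounts(SNAPSHOT_1))
    print("non-expiring:", non_expiring_passwords(SNAPSHOT_1))
    for key, names in diff_snapshots(SNAPSHOT_1, SNAPSHOT_2).items():
        print(f"{key}: {names}")
```

Two things to keep in mind when doing this for real: pwdLastSet and userAccountControl are replicated attributes, so compare snapshots taken from the same domain controller (or wait for replication to converge) or a fresh snapshot from a different DC can look stale; and a bumped pwdLastSet means the password was set, by the user or by an admin reset, so it tells you a credential you cracked is probably dead but not who noticed.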
