Ok, so the other day “we” as a community put out some guidance on post Active Directory compromise actions for when you can’t simply nuke the forest from orbit. Following on from that, a friend asked how to restore AdminSDHolder permissions. Read more “How to restore AdminSDHolder Object Permissions using ADSIedit”
Ever needed to test Active Directory in a hurry? Well, here are some common commands to test Active Directory Domain Services. In this post we are going to focus on DNS and username enumeration; there are, however, a range of weaknesses you want to look for:
- SMB Null Session/Guest Access
- LDAP Null Bind
- Sensitive Information Disclosure
- Weak Password Policies
- Unpatched Software Vulnerabilities
Port Scanning and Service Fingerprinting
nmap -p- -sC -sV -Pn -v -A -oA ecorp.local.txt 192.168.1.22
Domain Name and Domain Controller Enumeration
History of NULL bind
Back in the early Active Directory days NULL bind was actually enabled by default. These days you can get a rootDSE NULL bind out of the box, but on Windows Server 2019 you can even disable this!
So why would I want to enable NULL bind? Well, some legacy apps may need it, but generally speaking you don’t want NULL bind enabled.
The lesson here is DO NOT copy what I am doing here! Simples! Read more “How to enable NULL Bind on LDAP with Windows Server 2019”