Enum ✓ EXAM-SAFE orta :88 :135:139:389 :445 :636 :3268:3269

Kimlik Doğrulamalı Domain Enumeration (Authenticated Enum)

Gecerli bir domain kullanici kimligi (parola veya NT hash) ele gecirildikten sonra LDAP/SMB uzerinden kullanicilar, gruplar, parola politikasi, GPO ve ACL bilgilerini cikararak saldiri yuzeyini haritalandirma.

ÖN KOŞULLAR

Gecerli bir domain hesabi (USER + PASS veya NTHASH)
DC ile ag baglantisi (LDAP 389/636, SMB 445)
Kerberos icin saatler senkron (max 5 dk skew)

┌──

Komutlar

netexec ✓ EXAM-SAFE user

nxc smb {{DC_IP}} -u '{{USER}}' -p '{{PASS}}' --users

SMB uzerinden domain kullanici listesi (badPwdCount, lastLogon dahil) NetExec Wiki - SMB Enumeration

netexec ✓ EXAM-SAFE user

nxc smb {{DC_IP}} -u '{{USER}}' -p '{{PASS}}' --groups

Domain gruplarini ve uye sayilarini listeler NetExec Wiki - SMB Enumeration

netexec ✓ EXAM-SAFE user

nxc smb {{DC_IP}} -u '{{USER}}' -p '{{PASS}}' --pass-pol

Parola politikasi (lockout threshold, min length) — spray oncesi sart NetExec Wiki - SMB Enumeration

netexec ✓ EXAM-SAFE user

nxc ldap {{DC_IP}} -u '{{USER}}' -p '{{PASS}}' --users

LDAP uzerinden kullanici cekme (description alaninda parola olabilir) NetExec Wiki - LDAP Enumeration

netexec ✓ EXAM-SAFE user

nxc ldap {{DC_IP}} -u '{{USER}}' -p '{{PASS}}' --password-not-required

PASSWD_NOTREQD bayrakli hesaplari bulur NetExec Wiki - LDAP Enumeration

netexec ✓ EXAM-SAFE user

nxc ldap {{DC_IP}} -u '{{USER}}' -H {{NTHASH}} --trusted-for-delegation

Unconstrained delegation icin yapilandirilmis hesaplari listeler (Pass-the-Hash ile) NetExec Wiki - LDAP Enumeration

ldapsearch ✓ EXAM-SAFE user

ldapsearch -x -H ldap://{{DC_IP}} -D '{{USER}}@{{DOMAIN}}' -w '{{PASS}}' -b 'DC=corp,DC=local' '(objectClass=user)' sAMAccountName description memberOf

Authenticated LDAP sorgusu — kullanici nitelikleri ve description alanlari HackTricks - LDAP enumeration

ldapsearch ✓ EXAM-SAFE user

ldapsearch -x -H ldap://{{DC_IP}} -D '{{USER}}@{{DOMAIN}}' -w '{{PASS}}' -b 'DC=corp,DC=local' '(&(objectClass=user)(servicePrincipalName=*))' sAMAccountName servicePrincipalName

SPN'e sahip hesaplar (Kerberoast adaylari) icin filtreli sorgu HackTricks - Kerberoast (LDAP filter)

rpcclient ✓ EXAM-SAFE user

rpcclient -U '{{DOMAIN}}/{{USER}}%{{PASS}}' {{DC_IP}} -c 'enumdomusers'

RPC uzerinden kullanici RID/isim enumerasyonu HackTricks - rpcclient enumeration

rpcclient ✓ EXAM-SAFE user

rpcclient -U '{{DOMAIN}}/{{USER}}%{{PASS}}' {{DC_IP}} -c 'querygroupmem 0x200; queryuser 0x1f4'

Belirli grup uyeligi (Domain Admins RID 512) ve kullanici detayi HackTricks - rpcclient enumeration

enum4linux-ng ✓ EXAM-SAFE user

enum4linux-ng -u '{{USER}}' -p '{{PASS}}' -A {{DC_IP}}

Otomatik users/groups/shares/pass-pol toplayici (kimlikli mod) enum4linux-ng GitHub README

pywerview ✓ EXAM-SAFE user

pywerview get-netuser -u '{{USER}}' -p '{{PASS}}' -d {{DOMAIN}} --dc-ip {{DC_IP}}

Linux uzerinden PowerView esleniği — kullanici nesnelerini cekme pywerview GitHub - get-netuser

impacket-GetADUsers ✓ EXAM-SAFE user

impacket-GetADUsers -all -dc-ip {{DC_IP}} '{{DOMAIN}}/{{USER}}:{{PASS}}'

Tum domain kullanicilarini ve son giris tarihlerini listeler WADComs - Impacket GetADUsers

powerview ✓ EXAM-SAFE user

Get-DomainUser -SPN -Properties samaccountname,serviceprincipalname | fl

Windows uzerinden PowerView ile SPN'li hesaplar (Kerberoast adaylari) PowerView - Get-DomainUser

powerview ✓ EXAM-SAFE user

Get-DomainGroupMember -Identity 'Domain Admins' -Recurse

Domain Admins yinelemeli uyelik (nested groups dahil) PowerView - Get-DomainGroupMember

adsearch ✓ EXAM-SAFE user

ADSearch.exe --domain {{DOMAIN}} --search '(&(objectCategory=user)(servicePrincipalName=*))' --attributes samaccountname,serviceprincipalname

C# ADSearch ile in-memory LDAP sorgusu (BOF/edr-friendly) ADSearch GitHub README

AD Explorer ✓ EXAM-SAFE user

ADExplorer.exe -snapshot "" C:\Temp\snap.dat {{DC_HOST}}

Sysinternals AD Explorer ile offline analiz icin AD snapshot alma HackTricks - AD Explorer snapshot

Amac

Gecerli bir domain kimligi (parola veya NT hash) elde ettikten sonra amac, dizini icerden okuyarak hedef listesini ve istismar yollarini cikarmaktir. Kimliksiz enum’un aksine burada --users, --groups, --pass-pol ve tum LDAP nitelikleri gorunur hale gelir.

Neden Once Parola Politikasi?

Spray veya AS-REP/Kerberoast hash kirma denemelerinden ONCE --pass-pol ile lockout esigini ogrenmek zorunludur. Yanlis sayida deneme hesaplari kilitler (account lockout) ve hem testi bozar hem de IOC uretir.

Adimlar

SMB hizli tarama: nxc smb {{DC_IP}} -u {{USER}} -p {{PASS}} --users --groups --pass-pol ile temel listeyi al.
LDAP derinlestir: nxc ldap ... --password-not-required ve --trusted-for-delegation ile yanlis yapilandirmalari yakala. description alanlarinda sik sik duz metin parola bulunur.
SPN avi: LDAP filtresi (&(objectClass=user)(servicePrincipalName=*)) ile Kerberoast adaylarini cikar (bkz. ad-kerberoast).
rpcclient ile RID bazli dogrulama yap; querygroupmem 0x200 Domain Admins’i verir.
Windows ucu varsa PowerView (Get-DomainUser -SPN, Get-DomainGroupMember -Recurse) veya ADSearch ile in-memory sorgula; disk’e arac dusurmemek EDR icin avantaj.
Snapshot: AD Explorer ile .dat snapshot alip cevrimdisi analiz et — DC’ye tekrar tekrar sorgu atmaktan kacinir.

Hash ile Kimlik (Pass-the-Hash)

Parola yerine NT hash varsa netexec’te -H {{NTHASH}} kullanilir; ldapsearch dogrudan PtH desteklemez, bu durumda Kerberos bileti (KRB5CCNAME) veya impacket araclari tercih edilir.

Gotchalar

LDAP -b base DN’i domain’e gore ayarla: corp.local -> DC=corp,DC=local.
LDAPS (636) sertifika dogrulama hatasi verirse netexec/ldapsearch icin gerekli -x ve plaintext 389 dene; bazi DC’ler imzasiz LDAP’i reddeder (channel binding).
Bu cikti dogrudan BloodHound beslemesinin girdisidir — toplananlari ad-bloodhound’a aktar.

┌──

Kaynaklar

↗ HackTricks - Active Directory Methodology ↗ NetExec Wiki - LDAP & SMB Protocols ↗ The Hacker Recipes - AD Enumeration ↗ PowerView Cheat Sheet (HarmJ0y)