In the previous room, AD: Basic Enumeration, we covered various reconnaissance and enumeration activities that don’t require authentication. In this room, our focus will be on activities that are carried out once we have access to an authenticated account.
Learning Objectives
Upon completing this room, you will learn about:
- AS-REP Roasting
- Using the net command for enumeration, among others
- Enumeration using the ActiveDirectory PowerShell module
- Enumeration using PowerSploit’s PowerView module
- Enumeration with BloodHound
Learning Prerequisites
For maximum benefit, you should have a good understanding of networking concepts and protocols and knowledge of Linux, MS Windows, and Active Directory. You can learn about these topics or refresh your knowledge by going through the following, depending on your goals:
- The Windows and AD Fundamentals module, including its last room, the Active Directory Basics room
- The Linux Fundamentals module
- The Command Line module
- The Networking module
In addition to familiarity with the above topics, we recommend finishing the AD: Basic Enumeration room.
Starting the Network
Before moving to the next task, click the green Start button under the network diagram. Give the network enough time to launch.
You can connect to the network in two ways:
Option 1: Using the AttackBox
Click the Start AttackBox button at the top of this room (make sure you have started the network first). Once ready, your AttackBox will be available in split view. In case it's not showing up, you can click the Show Split View button at the top of the page.
It is worth noting that if you have started the AttackBox in another room before starting the network, you will have to terminate your AttackBox instance and start it again so that it gives you access to this room's network.
Option 2: Over a VPN Connection
Alternatively, you can connect to the network via the VPN. To establish a VPN connection to this network, you need to browse to the access page, click the Networks tab, select Jr-Pentester-AD-v01-BH, and hit the Download configuration file button. Note that if you don’t see this file available for download, please ensure you have started the network in the room and give it a few minutes.

Then run the following command from the same directory where your VPN configuration file is located:
sudo openvpn [your_configuration_file_name.ovpn]
Note: It is important that you do not use the AttackBox and the VPN connection simultaneously.
Verifying Connectivity to the Network
You can run the route command to verify that your attacker machine can communicate with the target network. The terminal below shows an example output. In particular, note the 10.211.12.0 line.
root@tryhackme:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         10.10.0.1       0.0.0.0         UG    100    0        0 ens5
10.10.0.0       0.0.0.0         255.255.0.0     U     100    0        0 ens5
10.10.0.1       0.0.0.0         255.255.255.255 UH    100    0        0 ens5
[...]
10.211.12.0     10.250.12.1     255.255.255.0   UG    1000   0        0 tun0
10.250.12.0     0.0.0.0         255.255.255.0   U     0      0        0 tun0
[...]
Alternatively, you can use the ip route command. In particular, note the 10.211.12.0 line.
root@tryhackme:~# ip route
default via 10.10.0.1 dev ens5 proto dhcp src 10.10.130.73 metric 100
10.10.0.0/16 dev ens5 proto kernel scope link src 10.10.130.73 metric 100
10.10.0.1 dev ens5 proto dhcp scope link src 10.10.130.73 metric 100
[...]
10.211.12.0/24 via 10.250.11.1 dev tun0 metric 1000
10.250.12.0/24 dev tun0 proto kernel scope link src 10.250.12.2
[...]
Confirm that you can see the 10.211.12.0 subnet in the command output. If it is in the output, your machine should be able to communicate with the target network. Moreover, we have enabled the target machines to respond to the ping command, so you can use it to verify connectivity.
Troubleshooting Connectivity Issues
If you cannot connect to the network from your AttackBox, please open the terminal and run the tryconnectme command. This will run a troubleshooting script:
root@tryhackme# tryconnectme
TryHackMe's network room connection debugger, at your service!
Before we dive deeper, please make sure that you are only using the AttackBox
and do not have your network VPN profile running anywhere!
The AttackBox uses the same VPN profile as you would use on your own machine
and you are only allowed to run the VPN profile once!
If you are running in two places, stop the other VPN and restart the AttackBox please!
If you confirm that you are only using the AttackBox, press [Y], otherwise, the debugger will quit: Y
Once you have made sure that you are only connecting to the network from the AttackBox, you can enter the following IP: 10.211.12.10
[...]
In the network room, look at the network diagram and please provide an IP address being shown to you there.
Format should be X.X.X.X: 10.211.12.10
Trying to ping the VPN server at 10.211.12.250...
From there, follow the instructions given by the script. When the script asks for your server, enter Jr-Pentester-AD-v01-BH.
If you encounter any issues, please reach out to us on Discord or via email at support@tryhackme.com.
I am ready to begin exploring authenticated enumeration.