Hackers of India

ADRecon: Active Directory Recon

 Prashant Mahajan 

2018/03/22


Presentation Material

Abstract

ADRecon is a tool which extracts various artifacts (as highlighted below) out of an AD environment in a specially formatted Microsoft Excel report that includes summary views with metrics to facilitate analysis. The report can provide a holistic picture of the current state of the target AD environment. The tool is useful to various classes of security professionals like auditors, DIFR, students, administrators, etc. It can also be an invaluable post-exploitation tool for a penetration tester. It can be run from any workstation that is connected to the environment, even hosts that are not domain members. Furthermore, the tool can be executed in the context of a non-privileged (i.e. standard domain user) accounts. Fine Grained Password Policy, LAPS and BitLocker may require Privileged user accounts. The tool will use Microsoft Remote Server Administration Tools (RSAT) if available, otherwise it will communicate with the Domain Controller using LDAP.

The following information is gathered by the tool: Forest; domains in the Forest and other attributes such as sites; domain password policy; domain controllers and their roles; users and their attributes; service principal names; groups and and their members; organizational units and their ACLs; group policy object details; DNS zones and records; printers; computers and their attributes; LAPS passwords (if implemented); and BitLocker Recovery Keys (if implemented).