Active Directory Enumeration After Gaining Shell Access via WMIexec (Step-by-Step)

 In this lab, I simulated a real-world post-exploitation scenario after compromising an Active Directory (AD) user account.

The goal was to gain shell access on a domain-joined Windows machine and perform Active Directory enumeration using PowerView and Bloodhound two powerful tools for discovering attack paths and privilege escalation opportunities.

Step 1: Gaining Domain Credentials

I previously captured NTLMv2 hashes using a responder attack during the network reconnaissance phase.
 After cracking the hash offline, I obtained valid domain credentials, With these credentials, I proceeded to attempt remote command execution and shell access. The image of the cracked NTLMv2 hash is in the first blog of the AD Journey.

Step 2: Attempting Remote Shell Access

My next objective was to use the compromised credentials to gain a shell on a domain-joined target machine.

I tested multiple approaches:

Attempt 1 – Metasploit smb/psexec 



 Result: Windows Defender flagged the payload even though Defender was shown as disabled as seen below.


 Attempt 2 – Impacket’s psexec.py


 Result: Connection was established but no interactive shell.

Attempt 3 – Impacket’s wmiexec.py

Result: Successfully obtained an interactive shell on the target system.

Step 3: Preparing for Enumeration

With shell access obtained, I began Active Directory enumeration to identify users, groups, permissions, trusts, and privilege escalation paths.

I planned to use:

ToolPurpose
PowerView.ps1                                   PowerShell-based AD enumeration
SharpHound.exe                                   Data collector for BloodHound visualization

 PowerView Enumeration

After gaining a shell and confirming Defender restrictions, I set up a local HTTP server to host PowerView and executed it directly in PowerShell.

Using PowerView, I performed initial domain enumeration as seen below, though there is a lot more that can be done with PowerView:


These commands helped me map out:

  • Domain Name & Controllers

  • Domain Users and Computers

  • Privileged Accounts

  • Active Sessions

 SharpHound Enumeration

After setting up the BloodHound server and confirming successful connectivity, I proceeded to enumerate the Active Directory (AD) environment using SharpHound, one of the key data collection tools included in the BloodHound toolkit.

1. Purpose

The goal of this enumeration was to gather comprehensive AD relationship data, including:

  • User and group memberships

  • Local administrator rights

  • Domain trust relationships

  • Session information

  • ACL permissions

This data is crucial for privilege escalation path analysis and attack path visualization in BloodHound.

2. Execution

To initiate enumeration, I launched the SharpHound executable directly from the Windows system:

SharpHound.exe

This triggered the data collection process, where SharpHound queried the domain and compiled the gathered data into a ZIP archive containing JSON files.
 Upon completion, the tool automatically generated an output file:
20251006082457_BloodHound.zip

This archive includes:

  • sessions.json

  • users.json

  • groups.json

  • computers.json

  • acls.json

Each file contains detailed information on AD relationships necessary for BloodHound analysis.

4. Data Upload

Once enumeration was completed, the generated .zip file was transferred to the Kali/BloodHound server and uploaded into the BloodHound web interface for visualization and analysis.

After uploading i was able to view Active Directory relationships and high-value targets such as ADMINISTRATOR@MARVEL.LOCAL, DOMAIN ADMINS@MARVEL.LOCAL, and your domain controller (BASKA-DC.MARVEL.LOCAL).





After upload, the dataset can be used to:

  • Analyze privilege escalation paths

  • Identify high-value targets (HVTs)

  • View group memberships and admin rights

  • Build a graph-based map of AD relationships

BloodHound Analysis

After uploading the SharpHound data into the BloodHound interface, the collected AD relationship data was successfully parsed and visualized.

BloodHound automatically categorized and displayed high-value targets (HVTs), including privileged accounts, domain controllers, and critical groups within the MARVEL.LOCAL domain.

Key Observations:

  • Domain Controller Identified: BASKA-DC.MARVEL.LOCAL

  • Tier Zero Assets: Administrator accounts and core AD groups

  • High-Value Groups: Domain Admins, Enterprise Admins, Backup Operators

  • Delegation Detected: The domain controller allows unconstrained delegation, which could be leveraged for privilege escalation.

The High Value tab provided an overview of critical objects that should be prioritized during post-exploitation and lateral movement planning.

BloodHound Pathfinding and Relationship Mapping

After uploading the collected SharpHound data to the BloodHound interface, I explored potential attack paths within the MARVEL.LOCAL domain.
Using the Pathfinding feature, I attempted to trace relationships between standard domain users and privileged accounts (e.g., Domain Admins or Administrators).
The screenshot below illustrates an example of path exploration from TSTARK@MARVEL.LOCAL to ADMINISTRATOR@MARVEL.LOCAL, showcasing possible group memberships and relationship chains BloodHound detected.


Conclusion

The BloodHound analysis provided a clear overview of the Active Directory environment, highlighting key assets, privileged groups, and potential attack surfaces within the MARVEL.LOCAL domain.

After importing the SharpHound data into BloodHound, I explored the relationships of my compromised user (SHASSAN@MARVEL.LOCAL). The user was found to be a Local Administrator on two domain-joined systems, confirming elevated privileges. However, BloodHound did not identify any direct or indirect path to Domain Admins.

Further queries showed no active sessions by privileged accounts and no delegation or ACL paths, suggesting this user account requires additional lateral movement techniques (such as credential dumping or exploitation of misconfigurations) for escalation.

That’s all for today’s post! In the next part of my AD lab journey, I’ll explore more stay tuned! πŸ”₯ 

 

Comments

Post a Comment

Popular posts from this blog

Using Hydra to Brute-Force SSH And WI-Fi Login Portal

Image
  Welcome back again to my cybersecurity blog! i'm Basit Hassan, a student penetration tester passionate about ethical hack ing. On this blog, i'll be sharing tutorials, walkthroughs, and real-world exploitation techniques  that i've personally tested and can get you started in the penetration testing field. Today's post, i'll demonstrate how to use Hydra , a powerful brute-forcing tool, to test login credentials on a SSH server and a WI-FI admin portal. This test was done on my own network and machine to show how attackers operate and how to protect against them. What is Hydra? Hydra is a powerful tool used by penetration testers to automate brute-force attacks on various protocols like SSH, FTP, HTTP, and more. In this blog, we’ll learn how to use Hydra to brute-force SSH logins and web-based login forms safely in a lab environment. πŸ”“ What is a Brute-Force Attack? A brute-force attack is a method use to gain unauthorized access to account and systems by trying co...
Read more

Discover AWS Organization ID Via S3 Bucket

Image
  Welcome to my cybersecurity blog! i'm Basit Hassan, a student penetration tester passionate about ethical hack ing. On this blog, i'll be sharing tutorials, walkthroughs, and real-world exploitation techniques  that i've personally tested and can get you started in the penetration testing field. Today's post is about AWS pentesting using an assume breached scenario, where the target  organization provide you with low level credentials,command line interface credentials that you can connect to the AWS CLI (Command Line Interface) with.  Let The Hacking Begin!!!! we will be using platform called CYBR click on the url and create a free account and do this lab along side with me  https://cybr.com/hands-on-labs/lab/discover-aws-organization-id-via-s3-bucket/  this is how the interface looks like below πŸ‘‡πŸ‘‡after creating  an account and starting the lab  once it's ready you are going to get an Access key ID and a Secret Access key. So now if you are n...
Read more

SMB Relay Attack in AD Lab (Step-by-Step)

Image
Welcome back again to my cybersecurity blog! I'm Basit Hassan, a Vulnerability Assessment and Penetration Tester passionate about ethical hacking. On this blog, I’ll be sharing tutorials, walkthroughs, and real-world exploitation techniques that I’ve personally tested all designed to help you get started and grow in the penetration testing field. Today’s post , I’ll demonstrate how I leveraged SMB Relay attacks in my Active Directory lab to understand how attackers exploit network misconfigurations and relay authentication requests. This simulation was done in my own isolated lab environment to show how these attacks work  and more importantly, how to secure your network against them.  What is an SMB Relay Attack? SMB Relay is a man-in-the-middle (MITM) attack technique where an attacker intercepts and relays authentication requests from one system to another, without cracking any password. Instead of capturing and brute-forcing hashes, SMB Relay forwards the authenticatio...
Read more