
ADRecon, a PowerShell tool to collect information about the Active Directory

I. Presentation

In this article, we will look at ADRecon, an Active Directory reconnaissance tool that collects a wide range of information from an Active Directory domain.

ADRecon will generate an Excel report which will contain a set of information about the Active Directory environment analyzed, including the following:

  • Domains, forests, sites, trust relationships, subnets
  • List of domain controllers (OS, IP address, FSMO roles, supported SMB versions, SMB signing, etc.)
  • Password policies (including fine-grained password policies)
  • List of organizational units
  • List of users, groups and group members
  • List of computers
  • List of service accounts
  • List of printers
  • Group Policy Object (GPO) information
  • Information about LAPS and BitLocker recovery keys
  • List of permissions (DACLs / SACLs)
  • DNS zones, DNS records
  • A set of statistics and indicators about users and computers

The ADRecon tool is useful for system administrators, auditors, pentesters, etc. It all depends on the context in which it is used and what we want to do with the collected data. In a few seconds, ADRecon creates an inventory of the configuration and objects of the Active Directory at a given point in time.

To learn more, visit the project’s GitHub:

II. The value of Active Directory information

By collecting this information from Active Directory, it becomes much easier to identify weak points in the domain: highly privileged accounts and configuration errors such as an overly permissive ACL, a GPO script with an embedded password, a weak password policy, etc.

III. Discovering an Active Directory with ADRecon

The first step is to download the ADRecon project ZIP archive from the official GitHub (or perform a git clone) in order to retrieve the project sources. Be aware that on a Windows machine (tested on Windows 11 and Windows Server 2022), Windows Defender immediately flags the tool as malicious. So if you are using it legitimately, you will have to add an exclusion and restore the file from quarantine.

Once your PowerShell prompt is in the “ADRecon-master” directory, you can run ADRecon. The local machine's execution policy may block the PowerShell script; in that case, run it through a PowerShell process started with the “Bypass” execution policy.

.\ADRecon.ps1
# or
powershell.exe -ExecutionPolicy Bypass -File .\ADRecon.ps1

Then, just wait a few seconds while the report is generated. In this case, ADRecon is run as a standard user, that is to say an account that is not a domain admin!

Note: if the RSAT tools are not detected (which will most likely be the case on a workstation), ADRecon falls back to LDAP queries.

Running the ADRecon script

Once the run completes, we obtain a folder containing an Excel report and a set of CSV files holding all the collected data.

Let us take a closer look at the Excel report. When we open it, we land on a summary sheet that contains links to the different tabs of the workbook, so we can easily navigate to the information about users, computers, groups, etc.

ADRecon report

If we take the example of the “User Stats” tab, it gives interesting figures about the accounts present in the Active Directory: the number of enabled accounts, the number of disabled accounts, but also the accounts with a SID History, dormant accounts, accounts whose password never expires, etc.

Another tab, simply named “Users”, contains the list of all users in the directory together with a set of attributes for each of them.
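To make the “User Stats” indicators concrete, here is an added example (not code from the article or from the ADRecon project) that recomputes the same kind of figures from user objects. The property names are the ones Get-ADUser returns, so real data can be fed in with `Get-ADUser -Filter * -Properties Enabled,PasswordNeverExpires,SIDHistory,LastLogonDate,PasswordLastSet`; the 90-day dormancy and password-age thresholds, the function names and the sample users are assumptions.

```powershell
# Added example: recompute "User Stats"-style indicators from user objects.
# Thresholds and sample data are constructed for illustration.

function Get-UserRiskFindings {
    param(
        [Parameter(Mandatory)] [object[]] $Users,
        [int] $DormantDays = 90,       # assumed threshold
        [int] $PassMaxAgeDays = 90,    # assumed threshold
        [datetime] $Now = (Get-Date)
    )
    $dormantCutoff = $Now.AddDays(-$DormantDays)
    $passCutoff    = $Now.AddDays(-$PassMaxAgeDays)

    foreach ($u in $Users) {
        $flags = @()
        if ($u.Enabled -ne $true) { $flags += 'Disabled' }
        else {
            # Never logged on, or no logon within the threshold
            if (-not $u.LastLogonDate -or $u.LastLogonDate -lt $dormantCutoff) { $flags += 'Dormant' }
            if ($u.PasswordNeverExpires -eq $true) { $flags += 'PasswordNeverExpires' }
            if ($u.PasswordLastSet -and $u.PasswordLastSet -lt $passCutoff) { $flags += 'PasswordOlderThanMaxAge' }
        }
        if ($u.SIDHistory -and @($u.SIDHistory).Count -gt 0) { $flags += 'SIDHistory' }

        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            Enabled        = ($u.Enabled -eq $true)
            Flags          = ($flags -join ',')
        }
    }
}

function Get-UserRiskStats {
    param([Parameter(Mandatory)] [object[]] $Findings)
    # Summary counts in the spirit of the "User Stats" tab
    [pscustomobject]@{
        Total                   = $Findings.Count
        Enabled                 = @($Findings | Where-Object Enabled).Count
        Disabled                = @($Findings | Where-Object { -not $_.Enabled }).Count
        Dormant                 = @($Findings | Where-Object { $_.Flags -match 'Dormant' }).Count
        PasswordNeverExpires    = @($Findings | Where-Object { $_.Flags -match 'PasswordNeverExpires' }).Count
        PasswordOlderThanMaxAge = @($Findings | Where-Object { $_.Flags -match 'PasswordOlderThanMaxAge' }).Count
        SIDHistory              = @($Findings | Where-Object { $_.Flags -match 'SIDHistory' }).Count
    }
}

# Constructed sample users (replace with Get-ADUser output in a real domain)
$now = Get-Date '2024-05-01'
$sampleUsers = @(
    [pscustomobject]@{ SamAccountName='alice';      Enabled=$true;  PasswordNeverExpires=$false; SIDHistory=@();                       LastLogonDate=$now.AddDays(-3);   PasswordLastSet=$now.AddDays(-20) }
    [pscustomobject]@{ SamAccountName='svc-backup'; Enabled=$true;  PasswordNeverExpires=$true;  SIDHistory=@();                       LastLogonDate=$now.AddDays(-1);   PasswordLastSet=$now.AddDays(-800) }
    [pscustomobject]@{ SamAccountName='bob';        Enabled=$true;  PasswordNeverExpires=$false; SIDHistory=@('S-1-5-21-1-2-3-1105'); LastLogonDate=$now.AddDays(-200); PasswordLastSet=$now.AddDays(-210) }
    [pscustomobject]@{ SamAccountName='olduser';    Enabled=$false; PasswordNeverExpires=$false; SIDHistory=@();                       LastLogonDate=$null;              PasswordLastSet=$now.AddDays(-900) }
)

$findings = Get-UserRiskFindings -Users $sampleUsers -Now $now
$findings | Format-Table -AutoSize
Get-UserRiskStats -Findings $findings | Format-List
```

With the sample above, svc-backup is flagged PasswordNeverExpires and PasswordOlderThanMaxAge, bob is flagged Dormant and SIDHistory, and olduser only Disabled; the per-user list is what you would actually work through when cleaning up, the summary is what ends up in a report.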

We have similar tabs for other objects, including computers. This tab groups workstations and servers together, since they share the same object class in Active Directory. A dedicated tab inventories the Windows versions in use.

Furthermore, and in a completely different register, the “LAPS” tab lists the local “Administrator” passwords stored in Active Directory. In other words, read permissions on the LAPS attributes had better be tightly managed, otherwise this can be a real problem!
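Because the LAPS tab only shows what the running account is allowed to read, the question for a defender is who holds that right. The following added example (not from the article or from ADRecon) lists the principals whose ACEs on an OU grant them the control-access right on the LAPS password attribute; the OU distinguished name is a placeholder, the attribute defaults to the legacy LAPS attribute ms-Mcs-AdmPwd, and the RSAT ActiveDirectory module is assumed to be installed.

```powershell
# Added example: audit who can read the LAPS password attribute under an OU.
# LAPS password attributes are marked confidential in the schema, so reading them
# requires CONTROL_ACCESS (ExtendedRight) on the attribute (or on all attributes),
# or a right that includes it such as GenericAll.

Import-Module ActiveDirectory   # also creates the AD: PSDrive used by Get-Acl

function Get-LapsPasswordReaders {
    param(
        [Parameter(Mandatory)] [string] $SearchBase,          # placeholder OU DN, see usage below
        [string] $AttributeName = 'ms-Mcs-AdmPwd'             # Windows LAPS uses 'msLAPS-Password'
    )
    # Resolve the attribute's schemaIDGUID: attribute-scoped ACEs carry it in ObjectType
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$AttributeName)" -Properties schemaIDGUID
    if (-not $attr) { throw "Attribute '$AttributeName' not found in the schema (LAPS schema extension missing?)" }
    $attrGuid = New-Object Guid (,[byte[]]$attr.schemaIDGUID)
    $allGuid  = [guid]::Empty    # all-zero ObjectType: the ACE applies to every attribute / extended right

    $genericAll   = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    $extendedRight = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

    $acl = Get-Acl -Path "AD:\$SearchBase"
    $acl.Access |
        Where-Object {
            $rights = [int]$_.ActiveDirectoryRights
            $_.AccessControlType -eq 'Allow' -and (
                (($rights -band $genericAll) -eq $genericAll) -or
                ((($rights -band $extendedRight) -ne 0) -and
                 ($_.ObjectType -eq $attrGuid -or $_.ObjectType -eq $allGuid))
            )
        } |
        Select-Object @{ n = 'Principal';   e = { $_.IdentityReference } },
                      @{ n = 'Rights';      e = { $_.ActiveDirectoryRights } },
                      @{ n = 'Scope';       e = { if ($_.ObjectType -eq $attrGuid) { $AttributeName } else { 'all attributes' } } },
                      @{ n = 'AppliesTo';   e = { $_.InheritanceType } },   # Descendents/All means child computers inherit it
                      IsInherited
}

# Placeholder OU: replace with the OU that holds your LAPS-managed computers
Get-LapsPasswordReaders -SearchBase 'OU=Workstations,DC=example,DC=local' | Format-Table -AutoSize
```

Anything listed beyond the Domain Admins / SYSTEM defaults and the helpdesk group you deliberately delegated is worth a second look; an ACE whose Scope is “all attributes” (the all-zero GUID) grants far more than LAPS reading, so check those first.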

Beyond the list of group policies, ADRecon also retrieves every link between your GPOs and your OUs! For each link, the configuration of the link and of the OU is included (inheritance state, Enforced/Applied option, link state, etc.).

In summary, the report generated by ADRecon contains a wealth of information about the Active Directory environment!

Note that you can target the domain controller of your choice and authenticate with a specific account, by running ADRecon this way:

.\ADRecon.ps1 -DomainController <IP address or FQDN> -Credential <domain\user>

In principle, you can also run ADRecon from a computer that is not joined to the Active Directory domain. In this case, authentication is mandatory (unless anonymous access is permitted…).

# ADRecon selects ADWS or LDAP with the -Method parameter
.\ADRecon.ps1 -Method LDAP -DomainController <IP address or FQDN> -Credential <domain\user>

Finally, ADRecon also supports the Kerberoasting attack technique (which aims at cracking a service account's password), through a specific mode in which it simply generates a CSV file listing the vulnerable accounts. This CSV file contains the hashes already formatted for Hashcat and John the Ripper.

.\ADRecon.ps1 -Collect Kerberoast -OutputType CSV
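From the blue-team side, this mode leaves a recognisable trace: a burst of TGS requests (Security event 4769) for many different service accounts from one user and one source address, typically with RC4 encryption. The following added example (not from the article or from ADRecon) flags that pattern; the event field names are those of event 4769, while the function names, the 5-minute window, the 3-service threshold and the sample records are constructed assumptions.

```powershell
# Added example: detect Kerberoast-style TGS request bursts in Security event 4769 data.

# Turn a Get-WinEvent record into a flat object with the 4769 EventData fields
function ConvertFrom-Event4769 {
    param([Parameter(Mandatory)] [System.Diagnostics.Eventing.Reader.EventRecord] $Event)
    $xml = [xml]$Event.ToXml()
    $props = @{ TimeCreated = $Event.TimeCreated }
    foreach ($d in $xml.Event.EventData.Data) { $props[$d.Name] = $d.'#text' }
    [pscustomobject]$props
}

function Find-KerberoastBursts {
    param(
        [Parameter(Mandatory)] [object[]] $Events,   # objects carrying TimeCreated + the 4769 fields
        [int] $WindowMinutes = 5,                    # assumed
        [int] $MinDistinctServices = 3               # assumed
    )
    # Successful TGS requests for user (non-machine, non-krbtgt) services with RC4 (0x17):
    # the classic Kerberoast signature in a domain that otherwise negotiates AES.
    $candidates = $Events | Where-Object {
        $_.Status -eq '0x0' -and
        $_.TicketEncryptionType -eq '0x17' -and
        $_.ServiceName -ne 'krbtgt' -and
        $_.ServiceName -notlike '*$'
    }
    $candidates | Group-Object TargetUserName, IpAddress | ForEach-Object {
        $sorted   = @($_.Group | Sort-Object TimeCreated)
        $services = @($sorted | ForEach-Object ServiceName | Sort-Object -Unique)
        $span     = ($sorted[-1].TimeCreated - $sorted[0].TimeCreated).TotalMinutes
        if ($services.Count -ge $MinDistinctServices -and $span -le $WindowMinutes) {
            [pscustomobject]@{
                Requester   = $sorted[0].TargetUserName
                SourceIp    = $sorted[0].IpAddress
                Services    = ($services -join ',')
                Requests    = $sorted.Count
                SpanMinutes = [math]::Round($span, 1)
            }
        }
    }
}

# Live use on a domain controller (requires the audit policy "Kerberos Service Ticket Operations"):
#   Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4769 } |
#       ForEach-Object { ConvertFrom-Event4769 $_ } | Find-KerberoastBursts
#
# Constructed sample: one account pulling RC4 tickets for four services in seconds,
# plus ordinary AES traffic that must not be flagged.
$t = Get-Date '2024-05-01 10:00:00'
$sample = @(
    [pscustomobject]@{ TimeCreated=$t.AddSeconds(1);  TargetUserName='jdoe@EXAMPLE.LOCAL';   ServiceName='svc-sql';    TicketEncryptionType='0x17'; IpAddress='::ffff:10.0.0.25'; Status='0x0' }
    [pscustomobject]@{ TimeCreated=$t.AddSeconds(2);  TargetUserName='jdoe@EXAMPLE.LOCAL';   ServiceName='svc-web';    TicketEncryptionType='0x17'; IpAddress='::ffff:10.0.0.25'; Status='0x0' }
    [pscustomobject]@{ TimeCreated=$t.AddSeconds(3);  TargetUserName='jdoe@EXAMPLE.LOCAL';   ServiceName='svc-backup'; TicketEncryptionType='0x17'; IpAddress='::ffff:10.0.0.25'; Status='0x0' }
    [pscustomobject]@{ TimeCreated=$t.AddSeconds(4);  TargetUserName='jdoe@EXAMPLE.LOCAL';   ServiceName='svc-print';  TicketEncryptionType='0x17'; IpAddress='::ffff:10.0.0.25'; Status='0x0' }
    [pscustomobject]@{ TimeCreated=$t.AddSeconds(5);  TargetUserName='jdoe@EXAMPLE.LOCAL';   ServiceName='FS01$';      TicketEncryptionType='0x12'; IpAddress='::ffff:10.0.0.25'; Status='0x0' }
    [pscustomobject]@{ TimeCreated=$t.AddMinutes(30); TargetUserName='asmith@EXAMPLE.LOCAL'; ServiceName='svc-sql';    TicketEncryptionType='0x12'; IpAddress='::ffff:10.0.0.40'; Status='0x0' }
)

Find-KerberoastBursts -Events $sample | Format-Table -AutoSize
```

On the sample, only jdoe from 10.0.0.25 is reported (four RC4 service tickets in a few seconds); the machine-account ticket and asmith's AES request are ignored. In a domain where legacy services still require RC4, widen the filter to AES types as well and rely on the burst condition alone, otherwise the RC4 filter keeps the noise down.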

IV. Conclusion

Although very noisy, ADRecon is a very interesting tool for collecting information from an Active Directory. As the report is very comprehensive, it will be useful in several scenarios: a penetration test, taking an inventory of your own Active Directory (perhaps ahead of some cleanup), etc.

For Microsoft Entra ID / Azure Active Directory users, be aware that there is a version dedicated to that environment: AzureADRecon.

Source: ADRecon Github, IT-Connect.fr