An authenticated enumeration using pywerview against ignite.local with low-privileged credentials (‘raj’) exposed extensive Active Directory information including users, computers, groups, delegation settings, and SPN-registered accounts. Critical misconfigurations include a Domain Admin account (‘aaru’), a Kerberoastable SPN account (‘kavish’) with constrained delegation to WIN-SQL, unconstrained delegation on multiple hosts, and a Backup Operators member (‘shivam’) who could be leveraged for credential extraction. #ignite.local #pywerview
Key points
- Authenticated enumeration with low-privileged user ‘raj’ revealed extensive AD objects and attributes.
- A Domain Admin account ‘aaru’ was identified and marked with adminCount=1.
- Service account ‘kavish’ is Kerberoastable with constrained delegation to WIN-SQL, enabling impersonation if its ticket is cracked.
- Multiple computers have unconstrained delegation, and Backup Operators member ‘shivam’ could be abused to extract NTDS.dit or registry hives.
- pywerview modules and flags (e.g., --spn, --admin-count, --unconstrained, --full-data) automated LDAP enumeration and privilege checks.
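
A defender-side check for the same attributes, as an added example that is not from the original article or from pywerview: it reads directory records already exported to dictionaries and reports the settings the key points call out. The sample records, the SPN and delegation strings, and the names HOST-A$, DC-EXAMPLE$ and old-svc are constructed; only the four user names and WIN-SQL come from the summary.

```python
UAC_DISABLED = 0x2            # ACCOUNTDISABLE
UAC_SERVER_TRUST = 0x2000     # SERVER_TRUST_ACCOUNT: domain controller
UAC_UNCONSTRAINED = 0x80000   # TRUSTED_FOR_DELEGATION
# Constructed records; attribute values are illustrative, not from the article.
SAMPLE = [
    {"sAMAccountName": "raj", "userAccountControl": 0x200},
    {"sAMAccountName": "aaru", "userAccountControl": 0x200, "adminCount": 1,
     "memberOf": ["CN=Domain Admins,CN=Users,DC=ignite,DC=local"]},
    {"sAMAccountName": "kavish", "userAccountControl": 0x200,
     "servicePrincipalName": ["EXAMPLE-SVC/placeholder.ignite.local"],
     "msDS-AllowedToDelegateTo": ["EXAMPLE-SVC/WIN-SQL"]},
    {"sAMAccountName": "shivam", "userAccountControl": 0x200,
     "memberOf": ["CN=Backup Operators,CN=Builtin,DC=ignite,DC=local"]},
    {"sAMAccountName": "HOST-A$", "userAccountControl": 0x81000,
     "servicePrincipalName": ["HOST/HOST-A"]},
    {"sAMAccountName": "DC-EXAMPLE$", "userAccountControl": 0x82000},
    {"sAMAccountName": "old-svc", "userAccountControl": 0x202,
     "servicePrincipalName": ["EXAMPLE-SVC/old"]},
]

def audit(records):
    """Map sAMAccountName -> list of risky delegation or privilege settings."""
    report = {}
    for rec in records:
        name = rec["sAMAccountName"]
        uac = int(rec.get("userAccountControl", 0))
        if uac & UAC_DISABLED:
            continue  # report live accounts only
        found = []
        # Machine accounts and krbtgt carry SPNs but have random passwords.
        if (rec.get("servicePrincipalName") and not name.endswith("$")
                and name.lower() != "krbtgt"):
            found.append("kerberoastable-spn")
        targets = rec.get("msDS-AllowedToDelegateTo", [])
        if targets:
            found.append("constrained-delegation:" + ",".join(targets))
        # Domain controllers are trusted for delegation by design; skip them.
        if (uac & UAC_UNCONSTRAINED) and not (uac & UAC_SERVER_TRUST):
            found.append("unconstrained-delegation")
        if int(rec.get("adminCount", 0)) == 1:
            found.append("adminCount=1")
        if any(dn.lower().startswith("cn=backup operators,") for dn in rec.get("memberOf", [])):
            found.append("backup-operators-member")
        if found:
            report[name] = found
    return report

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Running the same function on a scheduled export gives a baseline, so a new SPN on a user account or a newly set delegation flag shows up as a change in the report.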
Read More: https://www.hackingarticles.in/active-directory-enumeration-pywerview/