Enumeration
Enumerating Active Directory
Current domain information
Information such as the forest and the domain controllers.
Enumeration Tools
Powerview - https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1
Microsoft AD Module - https://github.com/samratashok/ADModule and https://docs.microsoft.com/en-us/powershell/module/addsadministration/?view=win10-ps (import Microsoft.ActiveDirectory.Management.dll and ActiveDirectory.psd1)
In each pair of commands below, the upper command is PowerView and the lower command is the AD module.
Domain
Get current domain
Get the domain object of another domain (if a trust exists)
Get domain SID for the current domain
Policy
Get domain policy for the current domain
Get domain policy for another domain
Get domain controllers for the current domain and their IP addresses
Get domain controllers for another domain
Users
Get a list of users in the current domain
Get a list of all properties for users in the current domain
The pwdlastset and badpwdcount properties help in judging whether an account is a honeypot or decoy account: decoy accounts tend to have a very old pwdlastset and accumulate bad-password counts.
Search for a particular string in a user's attributes:
Computers
Get a list of computers in the current domain
These could be physical computers or VMs. An ICMP ping request is used to detect whether a host is online; if ICMP is blocked by a firewall this produces false positives, i.e. a live machine appears to be offline.
Groups
Get all the groups in the current domain
Get all groups containing the word "admin" in group name
Get all the members of the Domain Admins group
RID 500 denotes the Administrator account
Get the group membership for a user:
RID 513 denotes a built-in group
List all the local groups on a machine (needs administrator privileges on non-DC machines)
Get members of all the local groups on a machine (needs administrator privileges on non-DC machines)
Get actively logged-on users on a computer (needs local admin rights on the target)
Get locally logged-on users on a computer (needs Remote Registry on the target, which is started by default on server OS)
Get the last logged-on user on a computer (needs administrative rights and Remote Registry on the target)
Shares
Find shares on hosts in current domain.
Find sensitive files on computers in the domain
Get all file servers of the domain
This enumerates high-value targets, since file servers hold sensitive data.
GPO
Get list of GPO in current domain
Commands to install and import the Group Policy module (RSAT / GPMC):
Get-WindowsOptionalFeature -Online -FeatureName
Enable-WindowsOptionalFeature -Online -FeatureName RSAT
Install-WindowsFeature -Name GPMC
Import-Module grouppolicy
Get GPO(s) which use Restricted Groups or groups.xml for interesting users
List the restricted groups; if we get access to one of these groups we may gain access on many machines, because the GPO might be pushed to all of them
Get users which are in a local group of a machine using GPO
Get machines where the given user is member of a specific group
Get OUs in a domain
Get the GPOs applied on an OU. Read the GPO name from the gplink attribute returned by Get-NetOU; that gplink value is what is passed as -GPOname.
Get the ACLs associated with the specified object
Get the ACLs associated with the specified prefix to be used for search
We can also enumerate ACLs using the ActiveDirectory module, but without resolving GUIDs
Get the ACLs associated with the specified LDAP path to be used for search
Search for interesting ACEs
Get the ACLs associated with the specified path
Trusts
Get a list of all domain trusts for the current domain
Get details about the current forest
Get all domains in the current forest
Get all global catalogs for the current forest
Map trusts of a forest
This maps trusts between forests, not domains or child entities, so it produces no output here.
Enumerating computers from the trustee domain
Map domain trust
Sessions
Find all machines on the current domain where the current user has local admin access
This function queries the DC of the current or provided domain for a list of computers (Get-NetComputer) and then uses multi-threaded Invoke-CheckLocalAdminAccess on each machine.
This can also be done with the help of remote administration tools like WMI and PowerShell remoting. This is pretty useful in cases where the ports (RPC and SMB) used by Find-LocalAdminAccess are blocked.
Find local admins on all machines of the domain (needs administrator privileges on non-DC machines).
This function queries the DC of the current or provided domain for a list of computers (Get-NetComputer) and then uses multi-threaded Get-NetLocalGroup on each machine.
Find computers where a domain admin (or specified user/group) has sessions
This function queries the DC of the current or provided domain for members of the given group (Domain Admins by default) using Get-NetGroupMember, gets a list of computers (Get-NetComputer) and lists sessions and logged-on users (Get-NetSession/Get-NetLoggedon) from each machine.
Find computers where a domain admin is logged-in.
This option checks only high-value targets.
It queries the DC of the current or provided domain for members of the given group (Domain Admins by default) using Get-NetGroupMember, gets a list of only high-traffic servers (DCs, file servers and distributed file servers) to generate less traffic, and lists sessions and logged-on users (Get-NetSession/Get-NetLoggedon) from each machine.
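The session-hunting functions described above leave a recognisable trace on every probed host: a network logon (Security event 4624, LogonType 3) for the hunting account. The following detection is an added example, not part of PowerView or the original page; Find-LogonFanOut is a hypothetical function name and the event records are constructed sample data.

```powershell
# Added example: flag one account reaching many distinct hosts inside a short
# window, the fan-out that Find-LocalAdminAccess / Invoke-UserHunter produce.
function Find-LogonFanOut {
    param(
        # Objects with Time (DateTime), Account, Computer and LogonType.
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $MinHosts = 10,
        [int] $WindowMinutes = 5
    )
    $window = [TimeSpan]::FromMinutes($WindowMinutes)
    # Only network logons matter; group them per account.
    $Events | Where-Object { $_.LogonType -eq 3 } | Group-Object Account | ForEach-Object {
        $sorted = @($_.Group | Sort-Object Time)
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            # Sliding window: collect distinct hosts reached within WindowMinutes of event i.
            $hosts = New-Object 'System.Collections.Generic.HashSet[string]'
            for ($j = $i; $j -lt $sorted.Count -and ($sorted[$j].Time - $sorted[$i].Time) -le $window; $j++) {
                [void]$hosts.Add($sorted[$j].Computer)
            }
            if ($hosts.Count -ge $MinHosts) {
                [pscustomobject]@{
                    Account   = $_.Name
                    Hosts     = $hosts.Count
                    FirstSeen = $sorted[$i].Time
                    LastSeen  = $sorted[$j - 1].Time
                }
                break   # one finding per account is enough to trigger triage
            }
        }
    }
}

# Constructed sample data: a service account touching 12 servers within two
# minutes (hunting pattern) and a user with ordinary access to two file servers.
$start  = [datetime]'2024-01-15T09:00:00'
$sample = @()
foreach ($n in 1..12) {
    $sample += [pscustomobject]@{ Time = $start.AddSeconds($n * 10); Account = 'CORP\svc_scan'; Computer = ('SRV{0:D2}' -f $n); LogonType = 3 }
}
$sample += [pscustomobject]@{ Time = $start.AddMinutes(1); Account = 'CORP\alice'; Computer = 'FS01'; LogonType = 3 }
$sample += [pscustomobject]@{ Time = $start.AddMinutes(3); Account = 'CORP\alice'; Computer = 'FS02'; LogonType = 3 }

# Expected: a single row for CORP\svc_scan with Hosts = 12; CORP\alice is not reported.
Find-LogonFanOut -Events $sample | Format-Table -AutoSize
```

On real hosts the input would come from centralised 4624 events (for example via Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624}, reading TargetUserName and LogonType from the event XML), since each target host logs its own logons.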
Defense
NetCease is a script which changes permissions on the NetSessionEnum method by removing the permission granted to the Authenticated Users group.
This breaks much of an attacker's session enumeration and hence their user-hunting capabilities.
Apply: .\NetCease.ps1
Revert: .\NetCease.ps1 -revert
Another interesting script from the same author is SAMRi10, which hardens Windows 10 and Server 2016 against enumeration that uses the SAMR protocol (like net.exe): https://gallery.technet.microsoft.com/SAMRi10-Hardening-Remote48d94b5b
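To verify that these two hardenings are actually in place on a server, the following added check (not part of NetCease or SAMRi10; Test-SessionEnumHardening is a hypothetical name) reads the registry values the scripts modify. It assumes it is run locally and elevated on the host being checked.

```powershell
# Added example: report whether NetCease and SAMRi10 style hardening is applied.
function Test-SessionEnumHardening {
    $findings = @()

    # NetCease: the Server service keeps the NetSessionEnum ACL as a binary
    # security descriptor in SrvsvcSessionInfo; stock Windows grants
    # Authenticated Users (S-1-5-11) access there, which NetCease removes.
    $srvKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity'
    $bytes  = (Get-ItemProperty -Path $srvKey -Name SrvsvcSessionInfo).SrvsvcSessionInfo
    $sd     = [System.Security.AccessControl.RawSecurityDescriptor]::new($bytes, 0)
    $allowed = @($sd.DiscretionaryAcl | Where-Object {
        $_.AceType -eq [System.Security.AccessControl.AceType]::AccessAllowed -and
        $_.SecurityIdentifier.Value -eq 'S-1-5-11'
    })
    if ($allowed.Count -gt 0) { $detail = 'Authenticated Users still allowed to enumerate sessions' }
    else                      { $detail = 'Authenticated Users removed from SrvsvcSessionInfo' }
    $findings += [pscustomobject]@{ Check = 'NetSessionEnum (NetCease)'; Hardened = ($allowed.Count -eq 0); Detail = $detail }

    # SAMRi10: restricts remote SAM calls through the RestrictRemoteSAM SDDL
    # string (the "Restrict clients allowed to make remote calls to SAM" setting).
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $sddl = (Get-ItemProperty -Path $lsaKey -Name RestrictRemoteSAM -ErrorAction SilentlyContinue).RestrictRemoteSAM
    if ($sddl) {
        $samSd = [System.Security.AccessControl.RawSecurityDescriptor]::new($sddl)
        $who   = ($samSd.DiscretionaryAcl | ForEach-Object { $_.SecurityIdentifier.Value }) -join ', '
        $detail = "RestrictRemoteSAM set; SIDs in DACL: $who"
    } else {
        $detail = 'RestrictRemoteSAM not set (OS default applies)'
    }
    $findings += [pscustomobject]@{ Check = 'Remote SAM (SAMRi10)'; Hardened = [bool]$sddl; Detail = $detail }

    $findings
}

Test-SessionEnumHardening | Format-Table -AutoSize
```

Run it across a fleet with Invoke-Command to find servers where the hardening was never applied or was reverted.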
Search for sensitive text like pass, password, etc. in all files
Also search files in the Recycle Bin on shares
There are various ways of locally escalating privileges on a Windows box:
– Missing patches
– Automated deployment and AutoLogon passwords in clear text
– AlwaysInstallElevated (any user can run MSI as SYSTEM)
– Misconfigured services
– DLL hijacking
– and more
We can use the tools below for complete coverage:
– PowerUp: https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc
– BeRoot: https://github.com/AlessandroZ/BeRoot (.\beRoot.exe)
– Privesc: https://github.com/enjoiz/Privesc (Invoke-PrivEsc)
– WinPEAS: https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS
Service issues using PowerUp
– Run all checks: Invoke-AllChecks
– Get services with unquoted paths and a space in their name: Get-ServiceUnquoted -Verbose
– Get services where the current user can write to the binary path or change arguments to the binary: Get-ModifiableServiceFile -Verbose
– Get the services whose configuration the current user can modify: Get-ModifiableService -Verbose
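For a hardening baseline, the same two misconfigurations can be audited read-only without PowerUp. The script below is an added example, not PowerUp's code; Get-PrivEscMisconfig is a hypothetical name and the exclusion of C:\Windows\ paths is an assumption made to cut noise from built-in services.

```powershell
# Added example: read-only audit of unquoted service paths and AlwaysInstallElevated.
function Get-PrivEscMisconfig {
    # Unquoted service binary paths with a space in the directory part: the
    # service control manager tries each prefix (C:\Program.exe, ...) before
    # the real binary, so a writable prefix directory is a problem.
    Get-CimInstance Win32_Service | ForEach-Object {
        $path = $_.PathName
        if ($path -and $path -notmatch '^"' -and $path -match '^(.*?\.exe)') {
            $exe = $Matches[1]   # part of the command line up to the executable
            if ($exe -match ' ' -and $exe -notmatch '^[A-Za-z]:\\Windows\\') {
                [pscustomobject]@{ Check = 'UnquotedServicePath'; Name = $_.Name; Detail = $path }
            }
        }
    }

    # AlwaysInstallElevated: only when the DWORD is 1 in BOTH hives does the
    # Windows Installer run any MSI with SYSTEM privileges.
    $installerKey = 'SOFTWARE\Policies\Microsoft\Windows\Installer'
    $hklm = (Get-ItemProperty -Path "HKLM:\$installerKey" -Name AlwaysInstallElevated -ErrorAction SilentlyContinue).AlwaysInstallElevated
    $hkcu = (Get-ItemProperty -Path "HKCU:\$installerKey" -Name AlwaysInstallElevated -ErrorAction SilentlyContinue).AlwaysInstallElevated
    if ($hklm -eq 1 -and $hkcu -eq 1) {
        [pscustomobject]@{ Check = 'AlwaysInstallElevated'; Name = 'Windows Installer'; Detail = 'enabled in HKLM and HKCU' }
    }
}

Get-PrivEscMisconfig | Format-Table -AutoSize
```

Remediation for a flagged service is to quote the ImagePath (sc.exe config or the registry) and to restrict write access on its directories; for the installer policy, set both values to 0 or remove them.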
Feature Abuse
Enterprise applications like Jenkins, which mostly run with admin privileges, can be misused to find a way to run commands.
Without logging in we can list users.
Bloodhound
BloodHound represents AD entities and their relationships in the form of a GUI.
BloodHound requires neo4j; use the matching version, since v3 and v2 are incompatible with each other.
Upload the collected zip files in BloodHound to start mapping. You can use the built-in queries, mark users as owned, find attack paths, etc.