# Active Directory

## Introduction

Once an attacker has obtained a foothold on a computer inside an Active Directory network, the next step is to understand how the domain is laid out: its users, groups, computers, OUs and ACLs, and the relationships between them.

In this phase the attacker focuses on enumerating information that can later be used to elevate privileges or move laterally.

## Domain

### General Information

* **Get current domain**

{% tabs %}
{% tab title="PowerView" %}

```powershell
Get-Domain [-Domain <DIFFERENT_DOMAIN>]
```

{% endtab %}

{% tab title="ADModule" %}

```powershell
Get-ADDomain [-Identity <DOMAIN>]
```

{% endtab %}
{% endtabs %}

* **Get current domain controller**

{% tabs %}
{% tab title="PowerView" %}

```powershell
Get-DomainController [-Domain <DIFFERENT_DOMAIN>] | select Forest, Name, OSVersion | fl 
```

{% endtab %}

{% tab title="ADModule" %}

```powershell
Get-ADDomainController [-DomainName <DOMAIN>] [-Discover]
```

{% endtab %}
{% endtabs %}

* **Get domain policy data**

{% tabs %}
{% tab title="PowerView" %}

```powershell
# Get-DomainPolicy is an alias of Get-DomainPolicyData; -Policy selects the Default Domain (Domain) or Default Domain Controllers (DC) policy
Get-DomainPolicyData [-Domain <DIFFERENT_DOMAIN>] [-Policy Domain|DC]
```

{% endtab %}
{% endtabs %}

### Forest

* **Return the forest object**

{% tabs %}
{% tab title="PowerView" %}

```powershell
Get-Forest [-Forest <FOREST>]
```

{% endtab %}

{% tab title="ADModule" %}

```powershell
Get-ADForest [-Identity <FOREST>]
```

{% endtab %}
{% endtabs %}

* **Get all domains from your current forest**

{% tabs %}
{% tab title="PowerView" %}

```powershell
Get-ForestDomain [-Forest <FOREST>]
```

{% endtab %}

{% tab title="ADModule" %}

```powershell
Get-ADForest [-Identity <FOREST>] | fl Domains
```

{% endtab %}
{% endtabs %}

* **Get the Global Catalogs of the forest**

{% tabs %}
{% tab title="PowerView" %}

```powershell
Get-ForestGlobalCatalog [-Forest <FOREST>]
```

{% endtab %}

{% tab title="ADModule" %}

```powershell
Get-ADForest | select -ExpandProperty GlobalCatalogs
```

{% endtab %}
{% endtabs %}

### Trust

* **Return all domain trusts for the current or specified domain**

{% tabs %}
{% tab title="PowerView" %}

```powershell
Get-DomainTrust [-Domain <DomainName>]
```

{% endtab %}

{% tab title="ADModule" %}

```powershell
Get-ADTrust {-Filter * | -Identity "<Domain>"}
```

{% endtab %}

{% tab title="CMD" %}

```bash
nltest /domain_trusts
```

{% endtab %}
{% endtabs %}

* **Enumerate all trusts for the current domain, then enumerate all trusts for each domain found.**

{% tabs %}
{% tab title="PowerView" %}

```powershell
Get-DomainTrustMapping
```

{% endtab %}
{% endtabs %}

* **Return all forest trusts for the current forest or a specified forest.**

{% tabs %}
{% tab title="PowerView" %}

```powershell
Get-ForestTrust [-Forest "<FOREST>"]
```

{% endtab %}

{% tab title="ADModule" %}

```powershell
Get-ADTrust -Filter 'msDS-TrustForestTrustInfo -ne "$null"'
```

{% endtab %}
{% endtabs %}
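The trust queries above return the raw `trustAttributes` bitmask, which is where the security-relevant facts live (transitivity, SID filtering, selective authentication). The following script is an added example, not part of the original page: `ConvertFrom-TrustAttributes` decodes the bitmask offline, and `Get-TrustReport` (which assumes the ADModule `Get-ADTrust` cmdlet and a domain-joined session) produces one row per trust with a short risk note. The flag values are the documented MS-ADTS `trustAttributes` bits.

```powershell
# Added example (not from the original page): decode trustAttributes and flag
# trusts whose SID filtering is absent or relaxed.

# Bit values documented in MS-ADTS for the trustAttributes attribute
$TrustAttributeFlags = [ordered]@{
    NON_TRANSITIVE      = 0x00000001
    UPLEVEL_ONLY        = 0x00000002
    QUARANTINED_DOMAIN  = 0x00000004   # SID filtering ("quarantine") enabled on an external trust
    FOREST_TRANSITIVE   = 0x00000008
    CROSS_ORGANIZATION  = 0x00000010   # selective authentication
    WITHIN_FOREST       = 0x00000020
    TREAT_AS_EXTERNAL   = 0x00000040   # forest trust treated as external: SID filtering relaxed
    USES_RC4_ENCRYPTION = 0x00000080
}

function ConvertFrom-TrustAttributes {
    # Return the name of every flag set in the bitmask, in table order
    param([Parameter(Mandatory)][int]$Value)
    $TrustAttributeFlags.GetEnumerator() |
        Where-Object { ($Value -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key }
}

function Get-TrustReport {
    # One row per trust: decoded flags plus a note a reviewer can act on
    Get-ADTrust -Filter * -Properties * | ForEach-Object {
        $flags = @(ConvertFrom-TrustAttributes -Value $_.TrustAttributes)
        $note  = if ($flags -contains 'WITHIN_FOREST') { 'intra-forest trust (no SID filtering by design)' }
                 elseif ($flags -contains 'FOREST_TRANSITIVE' -and $flags -contains 'TREAT_AS_EXTERNAL') { 'forest trust with SID filtering relaxed' }
                 elseif ($flags -contains 'FOREST_TRANSITIVE') { 'forest trust, SID filtering applies' }
                 elseif ($flags -contains 'QUARANTINED_DOMAIN') { 'external trust, SID filtering enabled' }
                 else { 'external trust WITHOUT SID filtering' }
        [pscustomobject]@{
            Name       = $_.Name
            Direction  = $_.Direction                     # Inbound / Outbound / BiDirectional
            Transitive = -not ($flags -contains 'NON_TRANSITIVE')
            Flags      = $flags -join ','
            Note       = $note
        }
    }
}

# Offline demonstration on a constructed value: 0x0C = QUARANTINED_DOMAIN + FOREST_TRANSITIVE
ConvertFrom-TrustAttributes -Value 0x0C

# Live report (needs the AD module on a domain-joined host)
# Get-TrustReport | Format-Table -AutoSize
```

The decoder is kept separate from the AD call so the bit logic can be checked against a value copied out of `nltest` or LDAP output without touching a domain controller.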

## Users

### General Information

* **Obtain users**

{% tabs %}
{% tab title="PowerView" %}

```powershell
Get-DomainUser -Identity <USERNAME> [-Properties DisplayName, MemberOf | fl]
Get-DomainUser -UACFilter NOT_ACCOUNTDISABLE | select samaccountname
```

{% endtab %}

{% tab title="ADModule" %}

```powershell
Get-ADUser -Filter * | ?{ $_.Enabled -eq $true } | Select SamAccountName
# Detailed information about a user
Get-ADUser -Identity <USERNAME> -Properties *
```

{% endtab %}

{% tab title="ADSearch" %}

```powershell
.\ADSearch.exe --search "objectCategory=user"
```

{% endtab %}
{% endtabs %}

* **Built-in accounts**

{% tabs %}
{% tab title="ADModule" %}

```powershell
Get-ADUser -Filter 'Description -like "*built*"' -Properties Description | select name, Description
```

{% endtab %}
{% endtabs %}

* **Get group memberships**

{% tabs %}
{% tab title="PowerView" %}

```powershell
Get-DomainGroup -UserName "<USERNAME>"
```

{% endtab %}

{% tab title="ADModule" %}

```powershell
Get-ADPrincipalGroupMembership -Identity "<USERNAME>"
```

{% endtab %}
{% endtabs %}

* **Obtain the last time each user's password was set**

{% tabs %}
{% tab title="ADModule" %}

```powershell
# pwdLastSet is a Windows FILETIME; 0 means "never set" or "must change at next logon" (shown as 1601-01-01)
Get-ADUser -Filter * -Properties pwdLastSet, logonCount | select Name, logonCount, @{Name='PwdLastSet'; Expression={[datetime]::FromFileTime($_.pwdLastSet)}}
```

{% endtab %}
{% endtabs %}

* **Find domain machines where specific users are logged in (by default, members of 'Domain Admins')**

{% tabs %}
{% tab title="PowerView" %}

```powershell
Find-DomainUserLocation -Verbose [-CheckAccess] [{-UserGroupIdentity|-UserIdentity} <Identity>]
```

{% endtab %}
{% endtabs %}

### Security

* **Kerberoast**

{% tabs %}
{% tab title="PowerView" %}

```powershell
Get-DomainUser -SPN | select serviceprincipalname
```

{% endtab %}

{% tab title="ADModule" %}

```powershell
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName
```

{% endtab %}

{% tab title="ADSearch" %}

```powershell
.\ADSearch.exe --search "(&(objectCategory=user)(servicePrincipalName=*))" --attributes cn,servicePrincipalName,samAccountName
```

{% endtab %}
{% endtabs %}

* **AS-REP roast**

{% tabs %}
{% tab title="PowerView" %}

```powershell
Get-DomainUser -PreauthNotRequired -Verbose
```

{% endtab %}

{% tab title="ADModule" %}

```powershell
Get-ADUser -Filter {DoesNotRequirePreAuth -eq $True} -Properties DoesNotRequirePreAuth | select UserPrincipalName
```

{% endtab %}
{% endtabs %}

* **Search passwords on the description attribute**

{% tabs %}
{% tab title="ADModule" %}

```powershell
Get-ADUser -Filter 'Description -like "*pass*"' -Properties Description | select name, Description
```

{% endtab %}
{% endtabs %}

* **Show the machines where the current user has local admin rights**

{% tabs %}
{% tab title="PowerView" %}

```powershell
Find-LocalAdminAccess
```

{% endtab %}
{% endtabs %}

* **Constrained delegation**

{% tabs %}
{% tab title="PowerView" %}

```powershell
Get-NetUser -TrustedToAuth
```

{% endtab %}

{% tab title="ADModule" %}

```powershell
Get-ADObject -Filter {msDS-AllowedToDelegateTo -ne "$null"} -Properties msDS-AllowedToDelegateTo
```

{% endtab %}

{% tab title="ADSearch" %}

```powershell
.\ADSearch.exe --search "(&(objectCategory=user)(msds-allowedtodelegateto=*))" --attributes dnshostname,samaccountname,msds-allowedtodelegateto --json
```

{% endtab %}
{% endtabs %}

## Groups

* **List all the groups in the current domain**

{% tabs %}
{% tab title="PowerView" %}

```powershell
Get-DomainGroup [| where Name -like "*Admins*" | select SamAccountName]
```

{% endtab %}

{% tab title="ADModule" %}

```powershell
Get-ADGroup -Filter * | select name
# More detailed version
Get-ADGroup -Filter * -Properties *
```

{% endtab %}

{% tab title="ADSearch" %}

```powershell
# Admin Groups
.\ADSearch.exe --search "(&(objectCategory=group)(cn=*Admins))" [--attributes cn,member]
# MSSQL Groups
.\ADSearch.exe --search "(&(objectCategory=group)(cn=MS SQL Admins))" --attributes cn,member
```

{% endtab %}
{% endtabs %}

* **List all the members in a specific group**:

{% tabs %}
{% tab title="PowerView" %}

```powershell
Get-DomainGroupMember -Identity "Domain Admins" [| select MemberDistinguishedName]
```

{% endtab %}

{% tab title="ADModule" %}

```powershell
Get-ADGroupMember -Identity "Domain Admins" -Recursive | Select-Object SamAccountName
```

{% endtab %}
{% endtabs %}

* **List groups of a user**

{% tabs %}
{% tab title="ADModule" %}

```powershell
Get-ADPrincipalGroupMembership <USER> 
```

{% endtab %}
{% endtabs %}

* **Get GPOs of a group**

> :information_source: To obtain the GPO name from a `GPOUid`, use `Get-GPO -Guid "{...}"`

{% tabs %}
{% tab title="PowerView" %}

```powershell
Get-DomainGPOUserLocalGroupMapping [-Identity "<GROUP_NAME>" | -LocalGroup Administrators] | select ObjectName, GPODisplayName, ContainerName, ComputerName | fl
```

{% endtab %}
{% endtabs %}

## Computers

### General information

* **List computers**

{% tabs %}
{% tab title="PowerView" %}

```powershell
Get-NetComputer [| select samaccountname, DnsHostName, operatingsystem]
Get-DomainComputer -OperatingSystem "*Server 2016*"

# Get Name, IP and Operating System
Get-NetComputer  -Properties name,dnshostname, OperatingSystem | ForEach-Object { $_ | Add-Member -NotePropertyName IPAddressV4 -NotePropertyValue (Resolve-DnsName -Type A -Name $_.dnshostname).IPAddress -Force; $_  } | Select-object -Property name,dnshostname,IPAddressV4, OperatingSystem | Format-Table -AutoSize
```

{% endtab %}

{% tab title="ADModule" %}

```powershell
Get-AdComputer -Filter * | select Name
```

{% endtab %}
{% endtabs %}

* **Return PCs that can be pinged**

{% tabs %}
{% tab title="PowerView" %}

```powershell
Get-NetComputer -Ping
# ADModule equivalent: ping every computer object once
Get-ADComputer -Filter * -Properties DNSHostName | %{Test-Connection -Count 1 -ComputerName $_.DNSHostName | fl Address,IPV4Address,IPV6Address,ResponseTime}
```

{% endtab %}
{% endtabs %}

* **Get users logged on** (Requires admin privileges)

{% tabs %}
{% tab title="PowerView" %}

```powershell
Get-NetLoggedon -ComputerName "<COMPUTER_NAME>" | Select Username
```

{% endtab %}
{% endtabs %}

* **Get locally logged on users**

{% tabs %}
{% tab title="PowerView" %}

```powershell
Get-LoggedonLocal -ComputerName "<HOSTNAME>"
```

{% endtab %}
{% endtabs %}

* **Enumerate local groups on a machine** (Requires admin privileges).

{% tabs %}
{% tab title="PowerView" %}

```powershell
Get-NetLocalGroup -ComputerName "<HOSTNAME>"
# Get the members of Local Groups
Get-NetLocalGroupMember -ComputerName "<HOSTNAME>" -GroupName "<GROUP_NAME>"
```

{% endtab %}
{% endtabs %}

* **Return the last user who logged onto a machine** (Requires administrative rights and remote registry enabled on the target)

{% tabs %}
{% tab title="PowerView" %}

```powershell
Get-LastLoggedOn -ComputerName <HOSTNAME>
```

{% endtab %}
{% endtabs %}

### Security

* **Enumerate all ACEs on domain computer objects whose trustee is the current user**.

```powershell
Get-DomainComputer | Get-ObjectAcl -ResolveGUIDs | Foreach-Object {$_ | Add-Member -NotePropertyName Identity -NotePropertyValue (ConvertFrom-SID $_.SecurityIdentifier.value) -Force; $_} | Foreach-Object {if ($_.Identity -eq $("$env:UserDomain\$env:Username")) {$_ | Select-object -Property ObjectDN,ActiveDirectoryRights, AceType,ObjectAceType, Identity |  Format-List}}
```

* **Computers with unconstrained delegation**: Exploitation at [Unconstrained Delegation](https://the-pentesting-guide.marmeus.com/active-directory/kerberos#unconstrained-delegation)

{% tabs %}
{% tab title="PowerView" %}

```powershell
Get-DomainComputer -UnConstrained | select samaccountname
```

{% endtab %}

{% tab title="ADModule" %}

```powershell
Get-ADComputer -Filter {TrustedForDelegation -eq $true -and primarygroupid -eq 515} -Properties trustedfordelegation,serviceprincipalname,description
```

{% endtab %}

{% tab title="ADSearch" %}

```powershell
.\ADSearch.exe --search "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=524288))" --attributes samaccountname,dnshostname
```

{% endtab %}
{% endtabs %}
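Both the AS-REP roast and the unconstrained delegation queries above are really tests on bits of `userAccountControl` (`4194304` = DONT_REQ_PREAUTH, `524288` = TRUSTED_FOR_DELEGATION), and the ADSearch tab uses the LDAP bitwise-AND matching rule `1.2.840.113556.1.4.803` to test them server-side. The script below is an added example (not code from the page): it decodes a `userAccountControl` value into flag names and builds the same kind of filter from flag names, so an auditor can reproduce the queries without remembering the numbers. Flag values are the documented `userAccountControl` bits; the commented `Get-ADUser` call assumes the ADModule.

```powershell
# Added example (not from the original page): decode userAccountControl and
# build the LDAP bitwise filters used by the ADSearch queries on this page.

# Documented userAccountControl bit values
$UacFlags = [ordered]@{
    ACCOUNTDISABLE                 = 0x00000002
    PASSWD_NOTREQD                 = 0x00000020
    NORMAL_ACCOUNT                 = 0x00000200
    WORKSTATION_TRUST_ACCOUNT      = 0x00001000
    SERVER_TRUST_ACCOUNT           = 0x00002000   # domain controller
    DONT_EXPIRE_PASSWORD           = 0x00010000
    TRUSTED_FOR_DELEGATION         = 0x00080000   # 524288: unconstrained delegation
    NOT_DELEGATED                  = 0x00100000   # "account is sensitive and cannot be delegated"
    DONT_REQ_PREAUTH               = 0x00400000   # 4194304: Kerberos pre-authentication disabled
    TRUSTED_TO_AUTH_FOR_DELEGATION = 0x01000000   # constrained delegation with protocol transition
}

function ConvertFrom-UserAccountControl {
    # Names of every flag set in the value, in table order
    param([Parameter(Mandatory)][int]$Value)
    $UacFlags.GetEnumerator() | Where-Object { ($Value -band $_.Value) -ne 0 } | ForEach-Object { $_.Key }
}

function New-UacLdapFilter {
    # 1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND: the object matches only if ALL bits in the mask are set
    param([Parameter(Mandatory)][string[]]$Flag, [string]$ObjectCategory = 'computer')
    $mask = 0
    foreach ($f in $Flag) { $mask = $mask -bor $UacFlags[$f] }
    "(&(objectCategory=$ObjectCategory)(userAccountControl:1.2.840.113556.1.4.803:=$mask))"
}

# Constructed value: an enabled workstation account with unconstrained delegation
ConvertFrom-UserAccountControl -Value (0x1000 -bor 0x80000)   # WORKSTATION_TRUST_ACCOUNT, TRUSTED_FOR_DELEGATION

# Reproduces the filter in the ADSearch tab above (mask 524288)
New-UacLdapFilter -Flag TRUSTED_FOR_DELEGATION

# Audit of accounts without Kerberos pre-authentication (mask 4194304), via the AD module
# Get-ADUser -LDAPFilter (New-UacLdapFilter -Flag DONT_REQ_PREAUTH -ObjectCategory user) -Properties userAccountControl |
#     Select-Object SamAccountName, @{n='Flags'; e={ (ConvertFrom-UserAccountControl $_.userAccountControl) -join ',' }}
```

Passing several flags to `New-UacLdapFilter` ORs the bits into one mask, and because the matching rule is AND, the resulting filter only returns objects that have all of them set.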

* **Computers with constrained delegation**: Exploitation at [Constrained Delegation](https://the-pentesting-guide.marmeus.com/active-directory/kerberos#constrained-delegation)

{% tabs %}
{% tab title="PowerView" %}

```powershell
Get-DomainComputer -TrustedToAuth | select name,msds-allowedtodelegateto,useraccountcontrol | fl

Get-NetComputer | where-object {$_."msds-allowedtodelegateto" -ne $null} | select name, msds-allowedtodelegateto, useraccountcontrol | fl

Get-NetComputer <COMPUTER_NAME> | Select-Object -ExpandProperty msds-allowedtodelegateto | fl
```

{% endtab %}

{% tab title="ADModule" %}

```powershell
Get-ADObject -Filter {msDS-AllowedToDelegateTo -ne "$null"} -Properties msDS-AllowedToDelegateTo
```

{% endtab %}
{% endtabs %}

* **Resource-Based Constrained Delegation**: Exploitation at [Resource-Based Constrained Delegation (GenericWrite to Computer)](https://the-pentesting-guide.marmeus.com/active-directory/kerberos#resource-based-constrained-delegation-genericwrite-to-computer)

> Need a privilege like **WriteProperty**, **GenericAll**, **GenericWrite** or **WriteDacl** on the **computer** object:

{% tabs %}
{% tab title="PowerView" %}

```powershell
# The SID regex limits results to non-built-in principals (RID >= 1000) of this lab domain; substitute your own domain SID
Get-DomainComputer | Get-DomainObjectAcl -ResolveGUIDs | ? { $_.ActiveDirectoryRights -match "WriteProperty|GenericWrite|GenericAll|WriteDacl" -and $_.SecurityIdentifier -match "S-1-5-21-569305411-121244042-2357301523-[\d]{4,10}" }
```

{% endtab %}

{% tab title="ADModule" %}

```powershell
# RBCD is stored on the resource in msDS-AllowedToActOnBehalfOfOtherIdentity (a binary security descriptor)
Get-ADObject -LDAPFilter "(msDS-AllowedToActOnBehalfOfOtherIdentity=*)" -Properties msDS-AllowedToActOnBehalfOfOtherIdentity
```

{% endtab %}

{% tab title="ADSearch" %}

```powershell
.\ADSearch.exe --search "(&(objectCategory=computer)(msDS-AllowedToActOnBehalfOfOtherIdentity=*))" --attributes dnshostname,samaccountname --json
```

{% endtab %}
{% endtabs %}
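The RBCD attribute `msDS-AllowedToActOnBehalfOfOtherIdentity` is a binary security descriptor, so a presence filter only tells you that something is configured, not who is allowed to act on behalf of the computer. The script below is an added example (not code from the page) that parses the descriptor with `System.DirectoryServices.ActiveDirectorySecurity` and resolves each ACE trustee; `Get-RbcdReport` assumes the ADModule `Get-ADComputer` cmdlet, while the offline demonstration builds a descriptor from SDDL with a constructed SID.

```powershell
# Added example (not from the original page): list computers with RBCD configured
# and resolve the principals allowed to delegate to them.

function ConvertFrom-RbcdDescriptor {
    # Each ACE trustee in the descriptor is a principal allowed to act on behalf of the resource
    param([Parameter(Mandatory)][byte[]]$Bytes)
    $sd = New-Object System.DirectoryServices.ActiveDirectorySecurity
    $sd.SetSecurityDescriptorBinaryForm($Bytes)
    foreach ($ace in $sd.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])) {
        $resolved = try { $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
                    catch { '<unresolved>' }   # SID from another domain, or a deleted principal
        [pscustomobject]@{
            Sid      = $ace.IdentityReference.Value
            Resolved = $resolved
            Type     = $ace.AccessControlType
        }
    }
}

function Get-RbcdReport {
    # Server-side presence filter, same idea as the ADSearch query above
    Get-ADComputer -LDAPFilter '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)' -Properties 'msDS-AllowedToActOnBehalfOfOtherIdentity' |
        ForEach-Object {
            $target = $_
            ConvertFrom-RbcdDescriptor -Bytes $target.'msDS-AllowedToActOnBehalfOfOtherIdentity' |
                Select-Object @{n='Resource'; e={ $target.SamAccountName }}, Sid, Resolved, Type
        }
}

# Offline demonstration on a constructed descriptor: one allow ACE for a made-up domain SID
$sddl = 'O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1000000000-2000000000-3000000000-1105)'
$demo = New-Object System.DirectoryServices.ActiveDirectorySecurity
$demo.SetSecurityDescriptorSddlForm($sddl)
ConvertFrom-RbcdDescriptor -Bytes $demo.GetSecurityDescriptorBinaryForm()

# Live report, one row per (resource, principal) pair
# Get-RbcdReport | Format-Table -AutoSize
```

A deleted or foreign principal shows up as `<unresolved>`; a stale RBCD entry pointing at a SID that no longer exists is worth cleaning up, since whoever later obtains that SID inherits the delegation right.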

## Group Policy Objects (GPOs)

### General information

* **Get list of GPO in current domain**.

{% tabs %}
{% tab title="PowerView" %}

```powershell
Get-DomainGPO [-ComputerIdentity <COMPUTER_NAME>] -Properties DisplayName | sort -Property DisplayName
```

{% endtab %}
{% endtabs %}

* **Returns all GPOs that modify local group membership through Restricted Groups or Group Policy Preferences**:

{% tabs %}
{% tab title="PowerView" %}

```powershell
Get-DomainGPOLocalGroup [-ComputerIdentity <COMPUTER_NAME>] | select GPODisplayName, GroupName
```

{% endtab %}
{% endtabs %}

* **Enumerates the machines where a specific domain user/group is a member of a specific local group** (Useful for finding where domain groups have local admin access):

{% tabs %}
{% tab title="PowerView" %}

```powershell
Get-DomainGPOUserLocalGroupMapping -LocalGroup Administrators | select ObjectName, GPODisplayName, ContainerName, ComputerName | fl
```

{% endtab %}
{% endtabs %}

* **Finds what users/groups are in the specified local group for a target machine through GPO correlation**

{% tabs %}
{% tab title="PowerView" %}

```powershell
Get-DomainGPOComputerLocalGroupMapping -ComputerIdentity "<HOSTNAME>"
```

{% endtab %}
{% endtabs %}

### Get Modifiable GPOs

{% tabs %}
{% tab title="PowerView" %}

```powershell
# The SID regex limits results to non-built-in principals (RID >= 1000) of this lab domain; substitute your own domain SID
Get-DomainGPO | Get-DomainObjectAcl -ResolveGUIDs | ? { $_.ActiveDirectoryRights -match "CreateChild|WriteProperty|GenericWrite" -and $_.SecurityIdentifier -match "S-1-5-21-569305411-121244042-2357301523-[\d]{4,10}" }
```

{% endtab %}
{% endtabs %}
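The "modifiable GPOs" query above, like the RBCD precondition query in the Computers section, hard-codes a lab domain SID in a regex. The following is an added example (not code from the page) that generalises both: it looks the domain SID up at run time, keeps only allow ACEs with write-capable rights held by non-built-in principals of that domain, and drops principals on an allow-list. It assumes PowerView (`Get-DomainGPO`, `Get-DomainComputer`, `Get-DomainObjectAcl`, `ConvertFrom-SID`) and the ADModule (`Get-ADDomain`); the allow-list contents are an assumption to adapt per environment.

```powershell
# Added example (not from the original page): report write-capable ACEs on GPOs or
# computer objects held by principals that are not expected to have them.

$WriteRights = 'GenericAll|GenericWrite|WriteProperty|WriteDacl|WriteOwner|CreateChild'
# Principals expected to hold write rights; extend for your environment (assumption)
$ExpectedPrincipals = @('Domain Admins', 'Enterprise Admins', 'Administrators', 'SYSTEM')

function Get-UnexpectedWriteAce {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Object,                 # output of Get-DomainGPO / Get-DomainComputer
        [string]$DomainSid = (Get-ADDomain).DomainSID.Value                 # looked up once per call
    )
    process {
        $Object | Get-DomainObjectAcl -ResolveGUIDs | Where-Object {
            $_.ActiveDirectoryRights -match $WriteRights -and
            $_.AceType -match '^AccessAllowed' -and
            # only principals from this domain with RID >= 1000 (created accounts, not built-ins)
            $_.SecurityIdentifier -match "^$([regex]::Escape($DomainSid))-\d{4,}$"
        } | ForEach-Object {
            $name = ConvertFrom-SID $_.SecurityIdentifier
            if ($ExpectedPrincipals -notcontains ($name -replace '^.*\\', '')) {
                [pscustomobject]@{
                    ObjectDN  = $_.ObjectDN
                    Principal = $name
                    Rights    = $_.ActiveDirectoryRights
                    AceType   = $_.ObjectAceType
                }
            }
        }
    }
}

# Usage: who can modify GPOs, and who can write to computer objects (the RBCD precondition)?
# Get-DomainGPO      | Get-UnexpectedWriteAce | Format-Table -AutoSize
# Get-DomainComputer | Get-UnexpectedWriteAce | Format-Table -AutoSize
```

The RID filter (`\d{4,}`) reproduces what the page's `[\d]{4,10}` does: well-known groups such as Domain Admins (RID 512) are excluded by construction, so the allow-list mainly catches custom administrative groups that the environment owner already knows about.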

* **Principals with "Create groupPolicyContainer objects" privilege**

{% tabs %}
{% tab title="PowerView" %}

```powershell
# -match rather than -contains: ActiveDirectoryRights is a flags value such as "CreateChild, DeleteChild"
Get-DomainObjectAcl -Identity "CN=Policies,CN=System,DC=dev,DC=cyberbotic,DC=io" -ResolveGUIDs | ? { $_.ObjectAceType -eq "Group-Policy-Container" -and $_.ActiveDirectoryRights -match "CreateChild" } | % { ConvertFrom-SID $_.SecurityIdentifier }
```

{% endtab %}
{% endtabs %}

## Organizational Units (OU)

* **Get Domain Organizational Units**:

{% tabs %}
{% tab title="PowerView" %}

```powershell
Get-DomainOU [-Properties Name | sort -Property Name]
```

{% endtab %}

{% tab title="ADModule" %}

```powershell
Get-ADOrganizationalUnit -Filter * -Properties *
```

{% endtab %}
{% endtabs %}

* **Get GPO applied to an OU**

{% tabs %}
{% tab title="PowerView" %}

```powershell
Get-DomainGPO -Identity "<GPLink_RelativeCN>"
```

{% endtab %}
{% endtabs %}

## Access Control Lists (ACLs)

* **Enumerate user rights**:

{% tabs %}
{% tab title="PowerView" %}

```powershell
Get-ObjectAcl -SamAccountName "<USER>" -ResolveGUIDs 
```

{% endtab %}
{% endtabs %}

* **Returns the ACLs associated with a specific active directory object**.

{% tabs %}
{% tab title="PowerView" %}

```powershell
Get-DomainObjectAcl -ResolveGUIDs -SamAccountName "<USERNAME>"
```

{% endtab %}

{% tab title="ADModule" %}

```powershell
(Get-Acl 'AD:\CN=Administrator,CN=Users,DC=cs,DC=org').Access
```

{% endtab %}
{% endtabs %}

* **Finds interesting object ACLS in the current domain**

{% tabs %}
{% tab title="PowerView" %}

```powershell
Find-InterestingDomainAcl -ResolveGUIDs
```

{% endtab %}
{% endtabs %}

* **Enumerate RDP Users permissions**

{% tabs %}
{% tab title="PowerView" %}

```powershell
Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReferenceName -match "RDPUsers"}
```

{% endtab %}
{% endtabs %}

## Shares

* **Enumerate shares**:

{% tabs %}
{% tab title="PowerView" %}

```powershell
Find-DomainShare
# Enumerate the Domain Shares the current user has access
Find-DomainShare -CheckShareAccess
```

{% endtab %}
{% endtabs %}

* **Find shares on hosts in current domain**.

{% tabs %}
{% tab title="PowerView" %}

```powershell
Invoke-ShareFinder -Verbose
```

{% endtab %}
{% endtabs %}

* **Get all fileservers of the domain**

{% tabs %}
{% tab title="PowerView" %}

```powershell
Get-NetFileServer
```

{% endtab %}
{% endtabs %}

* **Searches for files matching specific criteria on readable shares in the domain**

{% tabs %}
{% tab title="PowerView" %}

```powershell
Invoke-FileFinder -Verbose
```

{% endtab %}
{% endtabs %}

## MSSQL

### General information

* **Discover Active Directory Domain SQL Server Instances**

{% tabs %}
{% tab title="PowerUpSQL" %}

```powershell
Get-SQLInstanceDomain
```

{% endtab %}
{% endtabs %}

* **Tests if the current Windows account or provided SQL Server login can log into an SQL Server.**

{% tabs %}
{% tab title="PowerUpSQL" %}

```powershell
Get-SQLConnectionTest -Instance "<HOSTNAME,PORT>" | fl
# If there are several instances, use the following one-liner
Get-SQLInstanceDomain | Get-SQLConnectionTest | ? { $_.Status -eq "Accessible" } | Get-SQLServerInfo
```

{% endtab %}
{% endtabs %}

* **Returns basic server and user information from target SQL Servers.**

{% tabs %}
{% tab title="PowerUpSQL" %}

```powershell
Get-SQLServerInfo -Instance "<HOSTNAME,PORT>"
```

{% endtab %}
{% endtabs %}

### Links

* **Look for links to remote servers**

{% tabs %}
{% tab title="PowerUpSQL" %}

```powershell
Get-SQLServerLink -Verbose -Instance "<HOSTNAME,PORT>" 
```

{% endtab %}

{% tab title="MSSQL" %}

```sql
select * from master..sysservers
```

{% endtab %}
{% endtabs %}

* **Enumerate and follow MSSQL database links**

{% tabs %}
{% tab title="PowerUpSQL" %}

```powershell
Get-SQLServerLinkCrawl -Verbose -Instance "<HOSTNAME,PORT>" 
```

{% endtab %}
{% endtabs %}

### Perform Queries

* **Perform queries**

{% tabs %}
{% tab title="PowerUpSQL" %}

```powershell
Get-SQLQuery -Instance "<HOSTNAME,PORT>" -Query "select @@servername"
```

{% endtab %}
{% endtabs %}

* **Perform queries using the linked database**

{% tabs %}
{% tab title="MSSQL" %}

```sql
SELECT * FROM OPENQUERY("sql-1.cyberbotic.io", 'select @@servername');
```

{% endtab %}
{% endtabs %}

### CMDShell

* **Check if xp\_cmdshell module is enabled**

{% tabs %}
{% tab title="MSSQL" %}

```sql
SELECT * FROM sys.configurations WHERE name = 'xp_cmdshell'
```

{% endtab %}
{% endtabs %}

* **Enable xp\_cmdshell**

{% tabs %}
{% tab title="MSSQL" %}

```sql
sp_configure 'Show Advanced Options', 1;
RECONFIGURE;
sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
```

{% endtab %}
{% endtabs %}

* **Execute commands**

{% tabs %}
{% tab title="MSSQL" %}

```sql
EXEC xp_cmdshell 'powershell -w hidden -enc <ENCODED_COMMAND>';
```

{% endtab %}
{% endtabs %}
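The MSSQL section checks `sys.configurations` for `xp_cmdshell` and `sys.servers` for links one instance at a time. The script below is an added example (not code from the page or from PowerUpSQL) that runs the same checks across every instance `Get-SQLInstanceDomain` discovers, using plain `System.Data.SqlClient` under the current Windows identity, so a defender can see at a glance which instances have command execution enabled and which links allow RPC out. It assumes PowerUpSQL's `Get-SQLInstanceDomain` output (its `Instance` property) and read access to the catalog views.

```powershell
# Added example (not from the original page): audit xp_cmdshell, OLE automation,
# CLR and linked servers across discovered instances.

function Invoke-SqlRead {
    # Run a read-only query with integrated authentication and return a DataTable
    param([Parameter(Mandatory)][string]$Instance, [Parameter(Mandatory)][string]$Query)
    $conn = New-Object System.Data.SqlClient.SqlConnection(
        "Server=$Instance;Integrated Security=True;Encrypt=True;TrustServerCertificate=True;Connect Timeout=5")
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $Query
        $table = New-Object System.Data.DataTable
        $table.Load($cmd.ExecuteReader())
        return ,$table
    } finally { $conn.Close() }
}

function Get-SqlRiskyConfig {
    param([Parameter(Mandatory, ValueFromPipelineByPropertyName)][string]$Instance)
    process {
        try {
            # value_in_use is the running value; 1 means the feature is enabled
            $cfg = Invoke-SqlRead -Instance $Instance -Query "SELECT name, CONVERT(int, value_in_use) AS value_in_use FROM sys.configurations WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures', 'clr enabled')"
            # Linked servers; is_rpc_out_enabled is what lets a link execute procedures remotely
            $links = Invoke-SqlRead -Instance $Instance -Query "SELECT name, data_source, is_rpc_out_enabled FROM sys.servers WHERE is_linked = 1"
            [pscustomobject]@{
                Instance      = $Instance
                XpCmdShell    = [bool]($cfg | Where-Object name -eq 'xp_cmdshell').value_in_use
                OleAutomation = [bool]($cfg | Where-Object name -eq 'Ole Automation Procedures').value_in_use
                ClrEnabled    = [bool]($cfg | Where-Object name -eq 'clr enabled').value_in_use
                LinkedServers = ($links | ForEach-Object { "$($_.name)$(if ($_.is_rpc_out_enabled) { ' (rpc out)' })" }) -join '; '
            }
        } catch {
            # Unreachable instance or no login: report it rather than silently skipping
            [pscustomobject]@{ Instance = $Instance; XpCmdShell = $null; OleAutomation = $null; ClrEnabled = $null; LinkedServers = "error: $($_.Exception.Message)" }
        }
    }
}

# Usage: Get-SQLInstanceDomain (PowerUpSQL) emits objects with an Instance property
# Get-SQLInstanceDomain | Get-SqlRiskyConfig | Format-Table -AutoSize
```

Instances that report `XpCmdShell = True` or links marked `(rpc out)` are the ones the "Enable xp_cmdshell" and link-crawling steps above would reach; they deserve a review of why the setting is on and who holds `sysadmin` on them.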

## Tools

* [LinWinPwn](https://github.com/lefayjey/linWinPwn): Automates a number of Active Directory Enumeration and Vulnerability checks.
* [PowerView](https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1): PowerShell tool to gain network situational awareness on Windows domains.
* [ADSearch](https://github.com/tomcarver16/ADSearch): Perform LDAP queries.
* [PowerUpSQL](https://github.com/NetSPI/PowerUpSQL): Module that includes functions that support SQL Server discovery, weak configuration auditing, privilege escalation at scale, and post-exploitation actions such as OS command execution.
* [ADModule](https://learn.microsoft.com/en-us/powershell/module/activedirectory/?view=windowsserver2022-ps): The Active Directory module for Windows PowerShell.

## References

* [AD Enumeration Toolkit](https://academy.hackthebox.com/course/preview/active-directory-powerview/ad-enumeration-toolkit)
* [Bloodhound docs](https://bloodhound.readthedocs.io/en/latest/index.html)
* [PowerView (HackTricks)](https://book.hacktricks.xyz/windows/basic-powershell-for-pentesters/powerview)
* [Red Team Ops](https://training.zeropointsecurity.co.uk/courses/red-team-ops)
