Introduction
Once the attacker has obtained a foothold on a computer inside an Active Directory network, its design must be understood, including the number of users, groups, computers, OUs, ACLs, and their relationships.
In this phase, the attacker should be focused on enumerating information that can be further used to elevate privileges or perform lateral movements.
Domain
General Information
PowerView ADModule
Copy Get-Domain [ -Domain <DIFFERENT _ DOMAIN> ]
Copy Get-ADDomain [ -Identity <DOMAIN> ]
Get current domain controller
PowerView ADModule
Copy Get-DomainController [ -Domain <DIFFERENT _ DOMAIN> ] | select Forest , Name , OSVersion | fl
Copy Get-ADDomainController [ -DomainName <DOMAIN> ] [ -Discover ]
PowerView
Copy Get-DomainController [ -Domain <DIFFERENT _ DOMAIN> ] | select Forest , Name , OSVersion | fl
Forest
PowerView ADModule
Copy Get-Forest [ -Forest <FOREST> ]
Copy Get-ADForest [ -Identity <FOREST> ]
Get all domains from your current forest
PowerView ADModule
Copy Get-ForestDomain [ -Forest <FOREST> ]
Copy Get-ADForest [ -Identity <FOREST> ] | fl Domains
Get the Global Catalogs of the forest
PowerView ADModule
Copy Get-ForestGlobalCatalog [ -Forest <FOREST> ]
Copy Get-ADForest | select - ExpandProperty GlobalCatalogs
Trust
Return all domain trusts for the current or specified domain
PowerView ADModule
Copy Get-DomainTrust [ -Domain <DomainName> ]
Copy Get-ADTrust { - Filter * | - Identity "<Domain>" }
Enumerate all trusts for the current domain and then enumerates all trusts for each domain it finds.
PowerView
Copy Get-DomainTrustMapping
Return all forest trusts for the current forest or a specified forest.
PowerView ADModule
Copy Get-ForestTrust [ -Forest < "FOREST>" ]
Copy Get-ADTrust - Filter 'msDS-TrustForestTrustInfo -ne "$null"'
Users
General Information
PowerView ADModule ADSearch
Copy Get-DomainUser - Identity < USERNAME > [ -Properties DisplayName, MemberOf | fl ]
Get-DomainUser - UACFilter NOT_ACCOUNTDISABLE | select samaccountname
Copy Get-ADUser - Filter * | ? { $_.Enabled -eq "true" } Select SamAccountName
# Detailed information about a user
Get-ADUser - Identity < USERNAME > - Properties *
Copy .\ ADSearch.exe -- search "objectCategory=user"
PowerView
Copy Get-ADUser - Filter 'Description -like "*built*"' - Properties Description | select name , Description
PowerView ADModule
Copy Get-DomainGroup - UserName "<USERNAME>"
Copy Get-ADPrincipalGroupMembership - Identity "<USERNAME>"
Obtain the Last time a password was set of each user
PowerView
Copy Get-ADUser - Filter * - Properties * | select name , logoncount ,@ {expression = {[ datetime ]::fromFileTime($_pwdlastset)}}
Finds domain machines where specific users are logged into. By default 'Domain Admins'
PowerView
Copy Find-DomainUserLocation - Verbose [ -CheckAccess ] [{ - UserGroupIdentity |- UserIdentity} <Identity> ]
Security
PowerView ADModule ADSearch
Copy Get-DomainUser - SPN | select serviceprincipalname
Copy Get-ADUser - Filter {ServicePrincipalName -ne " $null " } - Properties ServicePrincipalName
Copy .\ ADSearch.exe -- search "(&(objectCategory=user)(servicePrincipalName=*))" -- attributes cn , servicePrincipalName , samAccountName
PowerView ADModule ADSearch
Copy Get-DomainUser - PreauthNotRequired - Verbose
Copy Get-ADUser - Filter {DoesNotRequirePreAuth -eq $True } - Properties DoesNotRequirePreAuth | select UserPrincipalName
Search passwords on the description attribute
PowerView
Copy Get-ADUser - Filter 'Description -like "*pass*"' - Properties Description | select name , Description
Show in which machine you are admin (based on your current privileges)
PowerView
Copy Find-LocalAdminAccess
PowerView ADModule ADSearch
Copy Get-NetUser - TrustedToAuth
Copy Get-ADObject - Filter {msDS - AllowedToDelegateTo -ne " $null " } - Properties msDS - AllowedToDelegateTo
Copy .\ ADSearch.exe -- search "(&(objectCategory=user)(msds-allowedtodelegateto=*))" -- attributes dnshostname , samaccountname , msds - allowedtodelegateto -- json
Groups
List all the groups in the current domain
PowerView ADModule ADSearch
Copy Get-DomainGroup [ | where Name -like "*Admins*" | select SamAccountName ]
Copy Get-ADGroup - Filter * | select name
# More detailed version
Get-ADGroup - Filter * - Properties *
Copy # Admin Groups
.\ ADSearch.exe -- search "(&(objectCategory=group)(cn=*Admins))" [ --attributes cn,member ]
# MSSQL Groups
.\ ADSearch.exe -- search "(&(objectCategory=group)(cn=MS SQL Admins))" -- attributes cn , member
List all the members in a specific group :
PowerView ADModule
Copy Get-DomainGroupMember - Identity "Domain Admins" [ | select MemberDistinguishedName ]
Copy Get-ADGroupMember - Identity "Domain Admins" - Recursive | Select-Object SamAccountName
ADModule
Copy Get-ADPrincipalGroupMembership < USER >
PowerView
Copy Get-DomainGPOUserLocalGroupMapping [ -Identity "<GROUP_NAME>" | -LocalGroup Administrators ] | select ObjectName , GPODisplayName , ContainerName , ComputerName | fl
Computers
General information
PowerView ADModule
Copy Get-NetComputer [ | select samaccountname, DnsHostName, operatingsystem ]
Get-DomainComputer - OperatingSystem "*Server 2016*"
# Get Name, IP and Operating System
Get-NetComputer - Properties name , dnshostname , OperatingSystem | ForEach-Object { $_ | Add-Member - NotePropertyName IPAddressV4 - NotePropertyValue ( Resolve-DnsName - Type A - Name $_.dnshostname ).IPAddress - Force; $_ } | Select-object - Property name , dnshostname , IPAddressV4 , OperatingSystem | Format-Table - AutoSize
Copy Get-AdComputer - Filter * | select Name
Return PCs that can be pinged
PowerView
Copy Get-NetComputer - Ping
Get-ADComputer - Filter * - Properties DNSHostName | % { Test-Connection - Count 1 - ComputerName $_.DNSHostName | fl Address , IPV4Address , IPV6Address , ResponseTime}
Get users logged on (Requires admin privileges)
PowerView
Copy Get-NetLoggedon - ComputerName "<COMPUTER_NAME>" | Select Username
Get locally logged on users
PowerView
Copy Get-LoggedonLocal - ComputerName "<HOSTNAME>"
Enumerates local or groups on a machine (Requires admin privileges).
PowerView
Copy Get-NetLocalGroup - ComputerName "<HOSTNAME>"
# Get the members of Local Groups
Get-NetLocalGroupMember - ComputerName "<HOSTNAME>" - GroupName "<GROUP_NAME>"
Returns the last user who logged onto the local machine (Requires administrative rights and remote registry enabled on the target)
PowerView
Copy Get-LastLoggedOn - ComputerName < HOSTNAME >
Security
Enumerate all ACES for all domain computers that matches our current computer .
Copy Get-DomainComputer | Get-ObjectAcl - ResolveGUIDs | Foreach-Object { $_ | Add-Member - NotePropertyName Identity - NotePropertyValue ( ConvertFrom-SID $_.SecurityIdentifier.value ) - Force; $_ } | Foreach-Object { if ( $_.Identity -eq $ ( "$ env: UserDomain\$ env: Username" )) { $_ | Select-object - Property ObjectDN , ActiveDirectoryRights , AceType , ObjectAceType , Identity | Format-List }}
PowerView ADModule ADSearch
Copy Get-DomainComputer - UnConstrained | select samaccountname
Copy Get-ADComputer - Filter {TrustedForDelegation -eq $true -and primarygroupid -eq 515 } - Properties trustedfordelegation , serviceprincipalname , description
Copy .\ ADSearch.exe -- search "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=524288))" -- attributes samaccountname , dnshostname
PowerView ADModule
Copy Get-DomainComputer - TrustedToAuth | select name , msds - allowedtodelegateto , useraccountcontrol | fl
Get-NetComputer | where-object { $_ . "msds-allowedtodelegateto" -ne $null } | select name , msds - allowedtodelegateto , useraccountcontrol | fl
Get-NetComputer < COMPUTER_NAME > | Select-Object - ExpandProperty msds - allowedtodelegateto | fl
Copy Get-ADObject - Filter {msDS - AllowedToDelegateTo -ne " $null " } - Properties msDS - AllowedToDelegateTo
Need a privilege like WriteProperty , GenericAll , GenericWrite or WriteDacl on the computer object:
PowerView ADModule ADSearch
Copy Get-DomainComputer | Get-DomainObjectAcl - ResolveGUIDs | ? { $_.ActiveDirectoryRights -match "WriteProperty|GenericWrite|GenericAll|WriteDacl" -and $_.SecurityIdentifier -match "S-1-5-21-569305411-121244042-2357301523-[\d]{4,10}" }
Copy Get-ADObject - Filter {msDS - AllowedToDelegateTo -ne " $null " } - Properties msDS - AllowedToDelegateTo
Copy .\ ADSearch.exe -- search "(&(objectCategory=computer)(msds-allowedtodelegateto=*))" -- attributes dnshostname , samaccountname , msds - allowedtodelegateto -- json
Group Policies Objects (GPO)s
General information
Get list of GPO in current domain .
PowerView
Copy Get-DomainGPO [ -ComputerIdentity <COMPUTER _ NAME> ] - Properties DisplayName | sort - Property DisplayName
Returns all GPOs that modify local group membership through Restricted Groups or Group Policy Preferences :
PowerView
Copy Get-DomainGPOLocalGroup [ -ComputerIdentity <COMPUTER _ NAME> ] | select GPODisplayName , GroupName
Enumerates the machines where a specific domain user/group is a member of a specific local group (Useful for finding where domain groups have local admin access):
PowerView
Copy Get-DomainGPOUserLocalGroupMapping - LocalGroup Administrators | select ObjectName , GPODisplayName , ContainerName , ComputerName | fl
Finds what users/groups are in the specified local group for a target machine through GPO correlation
PowerView
Copy Get-DomainGPOComputerLocalGroupMapping - ComputerIdentity "<HOSTNAME>"
Get Modifiable GPOs
PowerView
Copy Get-DomainGPO | Get-DomainObjectAcl - ResolveGUIDs | ? { $_.ActiveDirectoryRights -match "CreateChild|WriteProperty|GenericWrite" -and $_.SecurityIdentifier -match "S-1-5-21-569305411-121244042-2357301523-[\d]{4,10}" }
Principals with "Create groupPolicyContainer objects" privilege
PowerView
Copy Get-DomainObjectAcl - Identity "CN=Policies,CN=System,DC=dev,DC=cyberbotic,DC=io" - ResolveGUIDs | ? { $_.ObjectAceType -eq "Group-Policy-Container" -and $_.ActiveDirectoryRights -contains "CreateChild" } | % { ConvertFrom-SID $_.SecurityIdentifier }
Organizational Units (OU)
Get Domain Organizational Units :
PowerView ADModule
Copy Get-DomainOU [ -Properties Name | sort -Property Name ]
Copy Get-ADOrganizationalUnit - Filter * - Properties *
PowerView
Copy Get-DomainGPO - Identity "<GPLink_RelativeCN>"
Access Control Lists (ACL)s
PowerView
Copy Get-ObjectAcl - SamAccountName "<USER>" - ResolveGUIDs
Returns the ACLs associated with a specific active directory object .
PowerView ADModule
Copy Get-DomainObjectAcl - ResolveGUIDs - SamAccountName "<USERNAME>"
Copy ( Get-Acl 'AD:\CN=Administrator,CN=Users,DC=cs,DC=org' ).Access
Finds interesting object ACLS in the current domain
PowerView
Copy Find-InterestingDomainAcl - ResolveGUIDs
Enumerate RDP Users permissions
PowerView
Copy Find-InterestingDomainAcl - ResolveGUIDs | ? { $_.IdentityReferenceName -match "RDPUsers" }
Shares
PowerView
Copy Find-DomainShare
# Enumerate the Domain Shares the current user has access
Find-DomainShare - CheckShareAccess
Enumerates the shares you have access
PowerView
Copy Find-DomainShare - CheckShareAccess
Find shares on hosts in current domain .
PowerView
Copy Invoke-ShareFinder - Verbose
Get all fileservers of the domain
Searches for files matching specific criteria on readable shares in the domain
PowerView
Copy Invoke-FileFinder - Verbose
MSSQL
General information
Discover Active Directory Domain SQL Server Instances
PowerUpSQL
Copy Get-SQLInstanceDomain
Tests if the current Windows account or provided SQL Server login can log into an SQL Server.
PowerUpSQL
Copy Get-SQLConnectionTest - Instance "<HOSTNAME,PORT>" | fl
# If there are several instances use the following oneline
Get-SQLInstanceDomain | Get-SQLConnectionTest | ? { $_.Status -eq "Accessible" } | Get-SQLServerInfo
Returns basic server and user information from target SQL Servers.
PowerUpSQL
Copy Get-SQLServerInfo - Instance "<HOSTNAME,PORT>"
Links
Look for links to remote servers
PowerUpSQL MSSQL
Copy Get-SQLServerLink - Verbose - Instance "<HOSTNAME,PORT>"
Copy select * from master ..sysservers
Enumerate and follow MSSQL database links
PowerUpSQL
Copy Get-SQLServerLinkCrawl - Verbose - Instance "<HOSTNAME,PORT>"
Perform Queries
PowerUpSQL
Copy Get-SQLQuery - Instance "<HOSTNAME,PORT>" - Query "select @@servername"
Perform queries using the linked database
MSSQL
Copy SELECT * FROM OPENQUERY( "sql-1.cyberbotic.io" , 'select @@servername' );
CMDShell
Check if xp_cmdshell module is enabled
MSSQL
Copy SELECT * FROM sys.configurations WHERE name = 'xp_cmdshell'
MSSQL
Copy sp_configure 'Show Advanced Options' , 1 ; RECONFIGURE ;sp_configure 'xp_cmdshell' , 1 ; RECONFIGURE ;
MSSQL
Copy "EXEC xp_cmdshell 'powershell -w hidden -enc <ENCODED_COMMAND>';
Tools
LinWinPwn : Automates a number of Active Directory Enumeration and Vulnerability checks.
PowerView : PowerShell tool to gain network situational awareness on Windows domains.
PowerUPSQL : Module that includes functions that support SQL Server discovery, weak configuration auditing, privilege escalation on scale, and post-exploitation actions such as OS command execution.
ADModule : The Active Directory module for Windows PowerShell.
References
Last updated 10 months ago