Active Directory

Introduction

Once the attacker has obtained a foothold on a computer inside an Active Directory network, its design must be understood, including the number of users, groups, computers, OUs, ACLs, and their relationships.

In this phase, the attacker should be focused on enumerating information that can be further used to elevate privileges or perform lateral movements.

Domain

General Information

Get current domain

Get-Domain [-Domain <DIFFERENT_DOMAIN>]

Get current domain controller

Get-DomainController [-Domain <DIFFERENT_DOMAIN>] | select Forest, Name, OSVersion | fl

Get domain policy data

Get-DomainController [-Domain <DIFFERENT_DOMAIN>] | select Forest, Name, OSVersion | fl

Forest

Return the forest object

Get-Forest [-Forest <FOREST>]

Get all domains from your current forest

Get-ForestDomain [-Forest <FOREST>]

Get the Global Catalogs of the forest

Get-ForestGlobalCatalog [-Forest <FOREST>]

Trust

Return all domain trusts for the current or specified domain

Get-DomainTrust [-Domain <DomainName>]

Enumerate all trusts for the current domain and then enumerates all trusts for each domain it finds.

Get-DomainTrustMapping

Return all forest trusts for the current forest or a specified forest.

Get-ForestTrust [-Forest <"FOREST>"]

Users

General Information

Obtain users

Get-DomainUser -Identity <USERNAME> [-Properties DisplayName, MemberOf | fl]
Get-DomainUser -UACFilter NOT_ACCOUNTDISABLE | select samaccountname

Built-in accounts

Get-ADUser -Filter 'Description -like "*built*"' -Properties Description | select name, Description

Get group memberships

Get-DomainGroup -UserName "<USERNAME>"

Obtain the Last time a password was set of each user

Get-ADUser -Filter * -Properties * | select name ,logoncount ,@{expression={[datetime]::fromFileTime($_pwdlastset)}}

Finds domain machines where specific users are logged into. By default 'Domain Admins'

Find-DomainUserLocation -Verbose [-CheckAccess] [{-UserGroupIdentity|-UserIdentity} <Identity>]

Security

Kerberoast

Get-DomainUser -SPN | select serviceprincipalname

AS-Reporoast

Get-DomainUser -PreauthNotRequired -Verbose

Search passwords on the description attribute

Get-ADUser -Filter 'Description -like "*pass*"' -Properties Description | select name, Description

Show in which machine you are admin (based on your current privileges)

Find-LocalAdminAccess

Constrained delegation

Get-NetUser -TrustedToAuth

Groups

List all the groups in the current domain

Get-DomainGroup [| where Name -like "*Admins*" | select SamAccountName]

# Admin Groups
.\ADSearch.exe --search "(&(objectCategory=group)(cn=*Admins))" [--attributes cn,member]
# MSSQL Groups
.\ADSearch.exe --search "(&(objectCategory=group)(cn=MS SQL Admins))" --attributes cn,member

List all the members in a specific group:

Get-DomainGroupMember -Identity "Domain Admins" [| select MemberDistinguishedName]

List groups of a user

Get-ADPrincipalGroupMembership <USER>

Get GPOs of a group

ℹ️To obtain GPO name from GPOUid use Get-GPO -Guid "{...}"

Get-DomainGPOUserLocalGroupMapping [-Identity "<GROUP_NAME>" | -LocalGroup Administrators] | select ObjectName, GPODisplayName, ContainerName, ComputerName | fl

Computers

General information

List computers

Get-NetComputer [| select samaccountname, DnsHostName, operatingsystem]
Get-DomainComputer -OperatingSystem "*Server 2016*"

# Get Name, IP and Operating System
Get-NetComputer  -Properties name,dnshostname, OperatingSystem | ForEach-Object { $_ | Add-Member -NotePropertyName IPAddressV4 -NotePropertyValue (Resolve-DnsName -Type A -Name $_.dnshostname).IPAddress -Force; $_  } | Select-object -Property name,dnshostname,IPAddressV4, OperatingSystem | Format-Table -AutoSize

Return PCs that can be pinged

Get-NetComputer -Ping
Get-ADComputer -Filter * -Properties DNSHostName | %{Test-Connection -Count 1 -ComputerName $_.DNSHostName | fl Address,IPV4Address,IPV6Address,ResponseTime}

Get users logged on (Requires admin privileges)

Get-NetLoggedon -ComputerName "<COMPUTER_NAME>" | Select Username

Get locally logged on users

Get-LoggedonLocal -ComputerName "<HOSTNAME>"

Enumerates local or groups on a machine (Requires admin privileges).

Get-NetLocalGroup -ComputerName "<HOSTNAME>"
# Get the members of Local Groups
Get-NetLocalGroupMember -ComputerName "<HOSTNAME>" -GroupName "<GROUP_NAME>"

Returns the last user who logged onto the local machine (Requires administrative rights and remote registry enabled on the target)

Get-LastLoggedOn -ComputerName <HOSTNAME>

Security

Enumerate all ACES for all domain computers that matches our current computer.

Get-DomainComputer | Get-ObjectAcl -ResolveGUIDs | Foreach-Object {$_ | Add-Member -NotePropertyName Identity -NotePropertyValue (ConvertFrom-SID $_.SecurityIdentifier.value) -Force; $_} | Foreach-Object {if ($_.Identity -eq $("$env:UserDomain\$env:Username")) {$_ | Select-object -Property ObjectDN,ActiveDirectoryRights, AceType,ObjectAceType, Identity |  Format-List}}

Computers with unconstrained delegation: Exploitation at Unconstrained Delegation

Get-DomainComputer -UnConstrained | select samaccountname

Computers with constrained delegation: Exploitation at Constrained Delegation

Get-DomainComputer -TrustedToAuth | select name,msds-allowedtodelegateto,useraccountcontrol | fl

Get-NetComputer | where-object {$_."msds-allowedtodelegateto" -ne $null} | select name, msds-allowedtodelegateto, useraccountcontrol | fl

Get-NetComputer <COMPUTER_NAME> | Select-Object -ExpandProperty msds-allowedtodelegateto | fl

Resource-Based Constrained Delegation: Exploitation at Resource-Based Constrained Delegation (GenericWrite to Computer)

Need a privilege like WriteProperty, GenericAll, GenericWrite or WriteDacl on the computer object:

Get-DomainComputer | Get-DomainObjectAcl -ResolveGUIDs | ? { $_.ActiveDirectoryRights -match "WriteProperty|GenericWrite|GenericAll|WriteDacl" -and $_.SecurityIdentifier -match "S-1-5-21-569305411-121244042-2357301523-[\d]{4,10}" }

Group Policies Objects (GPO)s

General information

Get list of GPO in current domain.

Get-DomainGPO [-ComputerIdentity <COMPUTER_NAME>] -Properties DisplayName | sort -Property DisplayName

Returns all GPOs that modify local group membership through Restricted Groups or Group Policy Preferences:

Get-DomainGPOLocalGroup [-ComputerIdentity <COMPUTER_NAME>] | select GPODisplayName, GroupName

Enumerates the machines where a specific domain user/group is a member of a specific local group (Useful for finding where domain groups have local admin access):

Get-DomainGPOUserLocalGroupMapping -LocalGroup Administrators | select ObjectName, GPODisplayName, ContainerName, ComputerName | fl

Finds what users/groups are in the specified local group for a target machine through GPO correlation

Get-DomainGPOComputerLocalGroupMapping -ComputerIdentity "<HOSTNAME>"

Get Modifiable GPOs

Get-DomainGPO | Get-DomainObjectAcl -ResolveGUIDs | ? { $_.ActiveDirectoryRights -match "CreateChild|WriteProperty|GenericWrite" -and $_.SecurityIdentifier -match "S-1-5-21-569305411-121244042-2357301523-[\d]{4,10}" }

Principals with "Create groupPolicyContainer objects" privilege

Get-DomainObjectAcl -Identity "CN=Policies,CN=System,DC=dev,DC=cyberbotic,DC=io" -ResolveGUIDs | ? { $_.ObjectAceType -eq "Group-Policy-Container" -and $_.ActiveDirectoryRights -contains "CreateChild" } | % { ConvertFrom-SID $_.SecurityIdentifier }

Organizational Units (OU)

Get Domain Organizational Units:

Get-DomainOU [-Properties Name | sort -Property Name]

Get GPO applied to an OU

Get-DomainGPO -Identity "<GPLink_RelativeCN>"

Access Control Lists (ACL)s

Enumerate user rights:

Get-ObjectAcl -SamAccountName "<USER>" -ResolveGUIDs

Returns the ACLs associated with a specific active directory object.

Get-DomainObjectAcl -ResolveGUIDs -SamAccountName "<USERNAME>"

Finds interesting object ACLS in the current domain

Find-InterestingDomainAcl -ResolveGUIDs

Enumerate RDP Users permissions

Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReferenceName -match "RDPUsers"}

Enumerate shares:

Find-DomainShare
# Enumerate the Domain Shares the current user has access
Find-DomainShare -CheckShareAccess

Enumerates the shares you have access

Find-DomainShare -CheckShareAccess

Find shares on hosts in current domain.

Invoke-ShareFinder -Verbose

Get all fileservers of the domain

Get-NetFileServer

Searches for files matching specific criteria on readable shares in the domain

Invoke-FileFinder -Verbose

MSSQL

General information

Discover Active Directory Domain SQL Server Instances

Get-SQLInstanceDomain

Tests if the current Windows account or provided SQL Server login can log into an SQL Server.

Get-SQLConnectionTest -Instance "<HOSTNAME,PORT>" | fl
# If there are several instances use the following oneline
Get-SQLInstanceDomain | Get-SQLConnectionTest | ? { $_.Status -eq "Accessible" } | Get-SQLServerInfo

Returns basic server and user information from target SQL Servers.

Get-SQLServerInfo -Instance "<HOSTNAME,PORT>"

Links

Look for links to remote servers

Get-SQLServerLink -Verbose -Instance "<HOSTNAME,PORT>"

Enumerate and follow MSSQL database links

Get-SQLServerLinkCrawl -Verbose -Instance "<HOSTNAME,PORT>"

Perform Queries

Perform queries

Get-SQLQuery -Instance "<HOSTNAME,PORT>" -Query "select @@servername"

Perform queries using the linked database

SELECT * FROM OPENQUERY("sql-1.cyberbotic.io", 'select @@servername');

CMDShell

Check if xp_cmdshell module is enabled

SELECT * FROM sys.configurations WHERE name = 'xp_cmdshell'

Enable xp_cmdshell

sp_configure 'Show Advanced Options', 1; RECONFIGURE;sp_configure 'xp_cmdshell', 1; RECONFIGURE;

Execute commands

"EXEC xp_cmdshell 'powershell -w hidden -enc <ENCODED_COMMAND>';

Tools

LinWinPwn: Automates a number of Active Directory Enumeration and Vulnerability checks.
PowerView: PowerShell tool to gain network situational awareness on Windows domains.
ADSearch: Perform LDAP queries.
PowerUPSQL: Module that includes functions that support SQL Server discovery, weak configuration auditing, privilege escalation on scale, and post-exploitation actions such as OS command execution.
ADModule: The Active Directory module for Windows PowerShell.

References

Last updated 8 months ago