Enumeration
NOTE: The goal is to escalate privileges to Domain Administrator
Initial Access
RDP
xfreerdp3 /u:'<Username>' /d:'<Domain Name>' /p:'<Password>' /v:<Target IP Address> /dynamic-resolution +clipboard /drive:/home/kali/offsec/downloads,/shared
Enumeration
Manual
NOTE: Make sure to run the following!
powershell -ep bypass
Get users in the domain
net user /domain
Get info on a particular user
net user <Username> /domain
Get groups in the domain
net group /domain
Get info on a particular (custom) group
net group "<Group Name>" /domain
PowerView
NOTE: Remember to run the following
powershell -ep bypass
Import-Module .\PowerView.ps1
Enumerate Users in the Domain
Get-NetUser
To get a filtered result
Get-NetUser | select <Field Name> ...
EXAMPLE:
Get-NetUser | select samaccountname, cn, pwdlastset, lastlogon
To get specific information about a particular user
Get-NetUser <Username>
Enumerate Groups in the Domain
Get-NetGroup
To get a filtered result
Get-NetGroup | select <Field name> ...
EXAMPLE:
Get-NetGroup | select cn
To get specific information about a particular group
Get-NetGroup <Group Name>
Enumerate Computers in the Domain
Get-NetComputer
To get a filtered result
Get-NetComputer | select <Field name> ...
EXAMPLE:
Get-NetComputer | select operatingsystem, dnshostname
To get specific information about a particular computer
Get-NetComputer <DNS Host Name>
To find computers on which the current user has local administrative rights
Find-LocalAdminAccess
To look for logged-on users on the target machine
Get-NetSession -ComputerName <Computer Name> -Verbose
NOTE: If the result is empty or looks wrong, check permissions.
Permissions for NetSessionEnum are defined by the SrvsvcSessionInfo value under the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity
Alternatives
C:\Tools\PSTools\PsLoggedon.exe \\<Host Name>
NOTE: Remote machine must have Remote Registry service enabled
To check the permissions
Get-Acl -Path <Registry Hive>:<Registry Path> | fl
EXAMPLE:
Get-Acl -Path HKLM:SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity\ | fl
To enumerate Service Principal Names
Get-NetUser -SPN | select samaccountname, serviceprincipalname
To enumerate ACEs
Get-ObjectAcl -Identity "<Username | Group Name>"
NOTE: Look out for ActiveDirectoryRights and SecurityIdentifier
To enumerate interesting ACLs
Find-InterestingDomainAcl | select identityreferencename,activedirectoryrights,acetype,objectdn | ?{$_.IdentityReferenceName -NotContains "DnsAdmins"} | ft
To enumerate all principals that have ActiveDirectoryRights = GenericAll on a group
Get-ObjectAcl -Identity "<Group Name>" | ? {$_.ActiveDirectoryRights -eq "GenericAll"} | select SecurityIdentifier, ActiveDirectoryRights
To enumerate all ACEs with ActiveDirectoryRights = GenericWrite on a group
Get-ObjectAcl -Identity "<Group Name>" | ?{$_.ActiveDirectoryRights -eq "GenericWrite"} | select SecurityIdentifier, ActiveDirectoryRights
To convert SID to Name in bulk
"<SID>", "<SID>", "<SID>", "<SID>", "<SID>" | Convert-SidToName
To convert SID to Name individually
Convert-SidToName "<SID>"
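The three ACE steps above (pull ACEs for a group, keep the write-level rights, resolve the SIDs) combined into one audit pass over several groups. This is an added example, not part of the original notes; it assumes PowerView.ps1 is already imported (Get-ObjectAcl and Convert-SidToName come from it) and the group names in $Groups are placeholders to adjust for the target domain.

```powershell
# Added example (not from the original notes): audit a list of groups for
# principals holding write-level rights and resolve each SID to a name.
# Assumes PowerView.ps1 has been imported with: Import-Module .\PowerView.ps1

# Placeholder group names; replace with the groups of interest in your domain.
$Groups = @('Domain Admins', 'Enterprise Admins', '<Custom Group Name>')

# Rights that allow changing membership, the ACL or the owner of the group.
$WriteRights = 'GenericAll', 'GenericWrite', 'WriteDacl', 'WriteOwner'

$Findings = foreach ($Group in $Groups) {
    Get-ObjectAcl -Identity $Group |
        Where-Object {
            $ace = $_
            # ActiveDirectoryRights is a flag set, so -match also catches
            # combined values such as "WriteDacl, WriteOwner"
            ($WriteRights | Where-Object { "$($ace.ActiveDirectoryRights)" -match $_ }).Count -gt 0
        } |
        ForEach-Object {
            $sid = "$($_.SecurityIdentifier)"
            [PSCustomObject]@{
                Group     = $Group
                Principal = Convert-SidToName $sid
                SID       = $sid
                Rights    = $_.ActiveDirectoryRights
            }
        }
}

# Well-known holders of these rights that are expected on any group:
# RID 512 (Domain Admins), RID 519 (Enterprise Admins), S-1-5-32-544
# (Administrators), S-1-5-18 (SYSTEM). Anything else should be justified.
$Expected = 'S-1-5-32-544', 'S-1-5-18'
$Findings |
    Where-Object { $_.SID -notmatch '-(512|519)$' -and $Expected -notcontains $_.SID } |
    Sort-Object Group, Principal |
    Format-Table -AutoSize
```

Every row left in the output is a principal outside the built-in administrative set that can modify the group, which is exactly what the GenericAll/GenericWrite one-liners above surface one group at a time.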
Add a user to a group in the domain
net group "<Group Name>" <Username> /add /domain
To enumerate all shares in the domain
Find-DomainShare
To enumerate shares available to current user
Find-DomainShare -CheckShareAccess
To enumerate a Group Policy Object (Get-GPO and Get-GPPermission come from the GroupPolicy module, not PowerView)
Get-GPO -Name "<Group Policy Name>"
EXAMPLE:
Get-GPO -Name "Default Domain Policy"
To enumerate a user's permissions on the group policy
Get-GPPermission -Guid <GPO GUID> -TargetType User -TargetName <Username>
NOTE: Only of interest if the returned permission contains "ModifySecurity" or "FullControl"
BloodHound
To import the BloodHound collector
Import-Module C:\Tools\Bloodhound.ps1
To begin enumerating with BloodHound
Invoke-BloodHound -CollectionMethod All -OutputDirectory <Path> -OutputPrefix "corp audit"
On kali:
sudo neo4j start
NOTE: Head over to http://localhost:7474
Username: neo4j
Password: arctic-iris-zipper-prism-courage-7161