🔑 Credentialed Enumeration with Windows

ActiveDirectory PowerShell Module

The AD PowerShell Module is a group of PowerShell cmdlets for administering an AD environment from the command line.

We first have to make sure the module is imported.

First, check whether the module is already loaded; if it is not, run Import-Module.

Get-Module

Import-Module ActiveDirectory

Once the module is loaded, we can enumerate basic information about the domain.

Get Domain Info

Prints information such as the domain SID, the domain functional level, child domains and much more.

Get-ADDomain

Get-ADUser

Lists accounts that have a ServicePrincipalName set, which may be susceptible to Kerberoasting.

Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName

Checking For Trust Relationships

Prints any trust relationships the domain has; from this we can determine whether the trusts stay within our forest or reach into other forests.

Get-ADTrust -Filter *

Group Enumeration

Gather group information

Get-ADGroup -Filter * | select name

Detailed Group Info

Pass a group name in to get more detailed information about a certain group

Get-ADGroup -Identity "Backup Operators"

Group Membership

Get a member listing from a certain group

Get-ADGroupMember -Identity "Backup Operators"

PowerView

PowerView is a tool written in PowerShell to help us gain situational awareness within an AD environment. Similar to BloodHound it provides a way to identify where users are logged on in a network, and enumerate domain information such as users, groups, computers, etc.

Command - Description

Export-PowerViewCSV - Append results to a CSV file
ConvertTo-SID - Convert a user or group name to its SID value
Get-DomainSPNTicket - Requests the Kerberos ticket for a specified Service Principal Name (SPN) account

Domain/LDAP Functions:

Get-Domain - Will return the AD object for the current (or specified) domain
Get-DomainController - Return a list of the Domain Controllers for the specified domain
Get-DomainUser - Will return all users or specific user objects in AD
Get-DomainComputer - Will return all computers or specific computer objects in AD
Get-DomainGroup - Will return all groups or specific group objects in AD
Get-DomainOU - Search for all or specific OU objects in AD
Find-InterestingDomainAcl - Finds object ACLs in the domain with modification rights set to non-built-in objects
Get-DomainGroupMember - Will return the members of a specific domain group
Get-DomainFileServer - Returns a list of servers likely functioning as file servers
Get-DomainDFSShare - Returns a list of all distributed file systems for the current (or specified) domain

GPO Functions:

Get-DomainGPO - Will return all GPOs or specific GPO objects in AD
Get-DomainPolicy - Returns the default domain policy or the domain controller policy for the current domain

Computer Enumeration Functions:

Get-NetLocalGroup - Enumerates local groups on the local or a remote machine
Get-NetLocalGroupMember - Enumerates members of a specific local group
Get-NetShare - Returns open shares on the local (or a remote) machine
Get-NetSession - Will return session information for the local (or a remote) machine
Test-AdminAccess - Tests if the current user has administrative access to the local (or a remote) machine

Threaded 'Meta'-Functions:

Find-DomainUserLocation - Finds machines where specific users are logged in
Find-DomainShare - Finds reachable shares on domain machines
Find-InterestingDomainShareFile - Searches for files matching specific criteria on readable shares in the domain
Find-LocalAdminAccess - Finds machines on the local domain where the current user has local administrator access

Domain Trust Functions:

Get-DomainTrust - Returns domain trusts for the current domain or a specified domain
Get-ForestTrust - Returns all forest trusts for the current forest or a specified forest
Get-DomainForeignUser - Enumerates users who are in groups outside of the user's domain
Get-DomainForeignGroupMember - Enumerates groups with users outside of the group's domain and returns each foreign member
Get-DomainTrustMapping - Will enumerate all trusts for the current domain and any others seen

Domain User Information

Provides us with information for all users or a specific user.

Get-DomainUser -Identity mmorgan -Domain inlanefreight.local | Select-Object -Property name,samaccountname,description,memberof,whencreated,pwdlastset,lastlogontimestamp,accountexpires,admincount,userprincipalname,serviceprincipalname,useraccountcontrol

Recursive Group Membership

Retrieves group-specific information; the -Recurse option also lists the members of any nested groups found inside the target group.

Get-DomainGroupMember -Identity "Domain Admins" -Recurse

Trust Enumeration

Enumerate domain trust mappings

Get-DomainTrustMapping
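Get-ADTrust -Filter * and Get-DomainTrustMapping list the trusts; what a reviewer needs next is each trust's direction, whether it crosses the forest boundary, and whether SID filtering and selective authentication are in place. The script below is an added example, not from the original notes or from PowerView, and uses only the ActiveDirectory module. The note labels are this example's own; the property meanings follow the documented ADTrust properties.

```powershell
# Added example, not from the original notes: summarise the trusts that
# Get-ADTrust / Get-DomainTrustMapping list and flag the settings a reviewer
# cares about. Note labels are this example's own.
Import-Module ActiveDirectory

$trustReview = foreach ($t in (Get-ADTrust -Filter *)) {
    $notes = @()

    # Inbound or bidirectional: principals from the other side can authenticate here.
    if ($t.Direction -in 'Inbound', 'BiDirectional') { $notes += 'accepts-foreign-principals' }

    # SID filtering stops SIDs from the trusted side being honoured here; it is
    # expected on any trust that crosses the forest boundary.
    $sidFiltering = $t.SIDFilteringForestAware -or $t.SIDFilteringQuarantined
    if (-not $t.IntraForest -and -not $sidFiltering) { $notes += 'sid-filtering-off' }

    # Without selective authentication every user from the other side is
    # "Authenticated Users" on every resource in this forest.
    if (-not $t.IntraForest -and -not $t.SelectiveAuthentication) { $notes += 'forest-wide-auth' }

    if ($t.TGTDelegation) { $notes += 'tgt-delegation-allowed' }

    [PSCustomObject]@{
        Trust            = $t.Name
        Direction        = $t.Direction
        IntraForest      = $t.IntraForest
        ForestTransitive = $t.ForestTransitive
        SIDFiltering     = $sidFiltering
        SelectiveAuth    = $t.SelectiveAuthentication
        Notes            = ($notes -join ',')
    }
}

$trustReview | Format-Table -AutoSize
```

Run it from a domain-joined host with the RSAT AD module installed; an intra-forest trust will never be flagged for SID filtering or selective authentication, because those settings only apply across forest boundaries.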

Testing For Local Admin Access

Test for local admin access on either the current machine or a remote one

Test-AdminAccess -ComputerName ACADEMY-EA-MS01

Finding Users with SPN Set

Checks for users with the SPN attribute set, which indicates that the account may be vulnerable to a Kerberoasting attack.

Get-DomainUser -SPN -Properties samaccountname,ServicePrincipalName
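The two SPN queries in these notes (Get-ADUser with the ServicePrincipalName filter and Get-DomainUser -SPN) return the list of Kerberoastable accounts; the defender's follow-up is which of those accounts actually carry risk and should be fixed first. The script below is an added example, not from the original notes or from PowerView, and uses only the ActiveDirectory module. The 365-day password-age threshold, the use of adminCount as the privilege indicator and the output file name are assumptions for this example.

```powershell
# Added example, not from the original notes or from PowerView: review the
# Kerberoastable accounts the SPN queries return and rank them for remediation
# (gMSA migration, AES-only tickets, long rotated passwords).
# Assumptions: adminCount = 1 is treated as "privileged" and a password older
# than $MaxPasswordAgeDays is treated as stale.
Import-Module ActiveDirectory

$MaxPasswordAgeDays = 365
$props = 'ServicePrincipalName', 'PasswordLastSet', 'adminCount', 'Enabled', 'msDS-SupportedEncryptionTypes'

# Every user object carrying at least one SPN can be asked for a service ticket.
$spnAccounts = Get-ADUser -Filter 'ServicePrincipalName -like "*"' -Properties $props

$report = foreach ($acct in $spnAccounts) {
    # krbtgt always has an SPN and is rotated through its own process.
    if ($acct.SamAccountName -eq 'krbtgt') { continue }

    $pwdAgeDays = $null
    if ($acct.PasswordLastSet) {
        $pwdAgeDays = (New-TimeSpan -Start $acct.PasswordLastSet -End (Get-Date)).Days
    }

    # msDS-SupportedEncryptionTypes bits: 0x8 = AES128, 0x10 = AES256.
    # Unset (null or 0) means service tickets for this account fall back to RC4.
    $encTypes   = [int]$acct.'msDS-SupportedEncryptionTypes'
    $aesEnabled = ($encTypes -band 0x18) -ne 0

    $findings = @()
    if ($acct.adminCount -eq 1) { $findings += 'privileged' }
    if (-not $aesEnabled)       { $findings += 'rc4-only' }
    if ($null -eq $pwdAgeDays -or $pwdAgeDays -gt $MaxPasswordAgeDays) { $findings += 'stale-password' }

    [PSCustomObject]@{
        SamAccountName  = $acct.SamAccountName
        Enabled         = $acct.Enabled
        SPNCount        = @($acct.ServicePrincipalName).Count
        PasswordAgeDays = $pwdAgeDays
        AESEnabled      = $aesEnabled
        Findings        = ($findings -join ',')
        Priority        = $findings.Count   # more findings sorts first
    }
}

$report | Sort-Object Priority -Descending |
    Format-Table SamAccountName, Enabled, SPNCount, PasswordAgeDays, AESEnabled, Findings -AutoSize

# Hand the list to the account owners; the output path is an assumption.
$report | Export-Csv -Path .\kerberoastable-review.csv -NoTypeInformation
```

A privileged account with an RC4-only configuration and a years-old password is the combination to remediate first; a gMSA removes the password-management problem entirely for services that support it.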

SharpView

A .NET port of PowerView that supports many of the same functions.

.\SharpView.exe Get-DomainUser -Help

Enumerate Domain Users

.\SharpView.exe Get-DomainUser -Identity forend

Shares

Shares allow users on the domain to quickly access information relevant to their daily roles and to share content easily within their organization. When set up correctly, domain shares require a user to be domain-joined and authenticated before they can access them.

If permissions are too relaxed, this can cause accidental disclosure of sensitive information.

PowerView can be useful for hunting shares and digging through them for common strings, such as files with "pass" in the name. Snaffler can help with this.

Snaffler

A tool that can help us acquire credentials and other sensitive data in an AD environment. It works by getting a list of hosts within the domain and then enumerating them looking for shares and readable directories. It can then dig further into a readable directory and look for files that could be of interest.

Snaffler Execution

  • -s Prints the results to the console

  • -d Specifies the domain to search within

  • -o Writes the results to a file

  • -v Sets the verbosity level; data prints results only

Snaffler.exe -s -d inlanefreight.local -o snaffler.log -v data

Snaffler in Action

PS C:\htb> .\Snaffler.exe  -d INLANEFREIGHT.LOCAL -s -v data

If nothing useful is returned, try changing to a different user and searching again:

runas /netonly /user:DOMAIN\other_user powershell
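The share and Snaffler sections above describe what an authenticated domain user can find on file shares; the same question, asked from the file server side, is which shares a broad group can read or write and what sensitive-looking files sit in them. The script below is an added example, not from the original notes or from Snaffler, and uses the built-in SmbShare cmdlets. The list of broad principals, the filename patterns and the recursion depth are assumptions for this example.

```powershell
# Added example, not from the original notes or from Snaffler: run on a file
# server to see which shares a broad group can read or write and which
# sensitive-looking files sit in them. Principal list, name patterns and
# depth are assumptions for this example.
$BroadPrincipals = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')
$SensitiveNames  = @('*pass*', '*cred*', '*.kdbx', '*.pfx', '*unattend*.xml', 'web.config')
$MaxDepth        = 4

function Test-BroadPrincipal([string]$AccountName) {
    ($BroadPrincipals -contains $AccountName) -or ($AccountName -like '*\Domain Users')
}

# Skip admin shares (C$, ADMIN$, IPC$) and shares without a filesystem path.
$shares = Get-SmbShare | Where-Object { -not $_.Special -and $_.Path }

foreach ($share in $shares) {
    $allow = Get-SmbShareAccess -Name $share.Name |
        Where-Object { $_.AccessControlType -eq 'Allow' -and (Test-BroadPrincipal $_.AccountName) }

    $broadRead  = @($allow).Count -gt 0
    $broadWrite = @($allow | Where-Object { $_.AccessRight -in 'Full', 'Change' }).Count -gt 0

    # The share ACL is only the first gate; NTFS ACLs can still narrow access,
    # so treat BroadWrite as "needs a look", not as a confirmed finding.
    [PSCustomObject]@{
        Share      = $share.Name
        Path       = $share.Path
        BroadRead  = $broadRead
        BroadWrite = $broadWrite
    }

    if ($broadRead) {
        # Only walk what a broad group can read; that is where accidental disclosure happens.
        Get-ChildItem -Path $share.Path -Recurse -Depth $MaxDepth -File -Include $SensitiveNames -ErrorAction SilentlyContinue |
            Select-Object FullName, Length, LastWriteTime
    }
}
```

Run it locally on each file server (or wrap it in Invoke-Command); a share that is broadly writable deserves attention even when no sensitive file names are found, because anyone on the domain can then plant content in it.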

Bloodhound

As discussed in the Linux section, BloodHound is an incredibly powerful tool.

First, we must authenticate as a domain user from a Windows attack host positioned within the network, or transfer the tool to a domain-joined host. We can achieve this with multiple methods, but we will use SharpHound for now.

SharpHound in Action

.\SharpHound.exe

Running SharpHound collector from our attack host

.\SharpHound.exe -c All --zipfilename name

With our data gathered, we can now import it into BloodHound. To do so, open BloodHound on the Windows host.

bloodhound

Then input our credentials (they should be pre-saved) and click the Upload Data button.

Once the data has been imported we can see the information below; we can use the Analytics tab to run queries against the database.

We can start by typing the domain into the search bar and selecting our domain from the results.

The queries can be custom and specific, but we can also use the built-in Path Finding queries.

For example, we could choose the option Find Shortest Paths To Domain Admins, which shows any logical path it finds through users and groups that likely leads to escalation to Domain Admin privileges.

We can also try the query Find Computers with Unsupported Operating Systems, which is great for finding outdated OSs running legacy software.

We will often see users with local admin rights on their hosts. We can run the query Find Computers where Domain Users are Local Admin to quickly look for any hosts where all domain users have local admin rights.
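The two BloodHound queries just mentioned (unsupported operating systems, and Domain Users as local admins) can also be checked host by host without a collector, which is how a defender confirms and tracks the finding. The function below is an added example, not from the original notes or from BloodHound, and uses the built-in LocalAccounts and CIM cmdlets. The list of broad group names and the hosts.txt input file are assumptions for this example; only direct members of Administrators are inspected, so a broad group nested inside another domain group would still be missed.

```powershell
# Added example, not from the original notes or from BloodHound: check a host's
# local Administrators group for broad domain groups and record its OS build.
# The broad-name list is an assumption; only direct members are inspected.
function Get-LocalAdminReview {
    param(
        [string[]]$BroadNames = @('Domain Users', 'Domain Computers', 'Authenticated Users', 'Everyone', 'Users')
    )
    $os = Get-CimInstance -ClassName Win32_OperatingSystem

    # Get-LocalGroupMember ships with the Microsoft.PowerShell.LocalAccounts module.
    Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue | ForEach-Object {
        # Strip the DOMAIN\ or HOST\ prefix so the name can be matched against $BroadNames.
        $shortName = ($_.Name -split '\\')[-1]
        [PSCustomObject]@{
            Computer    = $env:COMPUTERNAME
            OS          = $os.Caption
            Build       = $os.Version
            Member      = $_.Name
            ObjectClass = $_.ObjectClass
            Source      = $_.PrincipalSource
            Broad       = ($BroadNames -contains $shortName)
        }
    }
}

# Locally:
Get-LocalAdminReview | Format-Table -AutoSize

# Across many hosts over WinRM (hosts.txt is an assumed input file):
# Invoke-Command -ComputerName (Get-Content .\hosts.txt) -ScriptBlock ${function:Get-LocalAdminReview} |
#     Where-Object Broad | Format-Table Computer, OS, Member -AutoSize
```

Any row with Broad set to True is the host-side equivalent of a hit on the BloodHound query, and the OS column lets the same sweep pick out builds that are no longer supported.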

We need to remember to document every file transferred to and from hosts in the domain, and where it was placed on disk, so that we can cover our tracks and clean up anything we put in the environment at the end of the engagement.
