Credentialed Enumeration with Windows
ActiveDirectory PowerShell Module
The ActiveDirectory PowerShell module is a set of cmdlets for administering an AD environment from the command line.
Before using it, check with Get-Module whether it is already loaded; if it is not, load it with Import-Module.
Get-Module
Import-Module ActiveDirectory
Once the module is loaded we can enumerate basic information about the domain.
Get Domain Info
Prints information such as the domain SID, the domain functional level, child domains and much more.
Get-ADDomain
Get-ADUser
Lists accounts that have a ServicePrincipalName set and may therefore be susceptible to Kerberoasting.
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName
Checking For Trust Relationships
Prints any trust relationships the domain has; from this we can determine whether they are trusts within our own forest or with other forests.
Get-ADTrust -Filter *
Group Enumeration
Gather group information
Get-ADGroup -Filter * | select name
Detailed Group Info
Pass a group name to get more detailed information about a specific group.
Get-ADGroup -Identity "Backup Operators"
Group Membership
Get a listing of the members of a specific group.
Get-ADGroupMember -Identity "Backup Operators"
PowerView
PowerView is a tool written in PowerShell that helps us gain situational awareness within an AD environment. Similar to BloodHound, it provides a way to identify where users are logged on in a network and to enumerate domain information such as users, groups, computers, etc.
Command: Description
Export-PowerViewCSV: Append results to a CSV file
ConvertTo-SID: Convert a user or group name to its SID value
Get-DomainSPNTicket: Requests the Kerberos ticket for a specified Service Principal Name (SPN) account
Domain/LDAP Functions:
Get-Domain: Returns the AD object for the current (or specified) domain
Get-DomainController: Returns a list of the Domain Controllers for the specified domain
Get-DomainUser: Returns all users or specific user objects in AD
Get-DomainComputer: Returns all computers or specific computer objects in AD
Get-DomainGroup: Returns all groups or specific group objects in AD
Get-DomainOU: Searches for all or specific OU objects in AD
Find-InterestingDomainAcl: Finds object ACLs in the domain with modification rights set to non-built-in objects
Get-DomainGroupMember: Returns the members of a specific domain group
Get-DomainFileServer: Returns a list of servers likely functioning as file servers
Get-DomainDFSShare: Returns a list of all distributed file systems for the current (or specified) domain
GPO Functions:
Get-DomainGPO: Returns all GPOs or specific GPO objects in AD
Get-DomainPolicy: Returns the default domain policy or the domain controller policy for the current domain
Computer Enumeration Functions:
Get-NetLocalGroup: Enumerates local groups on the local or a remote machine
Get-NetLocalGroupMember: Enumerates members of a specific local group
Get-NetShare: Returns open shares on the local (or a remote) machine
Get-NetSession: Returns session information for the local (or a remote) machine
Test-AdminAccess: Tests whether the current user has administrative access to the local (or a remote) machine
Threaded 'Meta'-Functions:
Find-DomainUserLocation: Finds machines where specific users are logged in
Find-DomainShare: Finds reachable shares on domain machines
Find-InterestingDomainShareFile: Searches for files matching specific criteria on readable shares in the domain
Find-LocalAdminAccess: Finds machines in the local domain where the current user has local administrator access
Domain Trust Functions:
Get-DomainTrust: Returns domain trusts for the current domain or a specified domain
Get-ForestTrust: Returns all forest trusts for the current forest or a specified forest
Get-DomainForeignUser: Enumerates users who are in groups outside of the user's domain
Get-DomainForeignGroupMember: Enumerates groups with users outside of the group's domain and returns each foreign member
Get-DomainTrustMapping: Enumerates all trusts for the current domain and any others seen
Domain User Information
Provides us with information for all users or a specific user.
Get-DomainUser -Identity mmorgan -Domain inlanefreight.local | Select-Object -Property name,samaccountname,description,memberof,whencreated,pwdlastset,lastlogontimestamp,accountexpires,admincount,userprincipalname,serviceprincipalname,useraccountcontrol
Recursive Group Membership
Retrieves the members of a specific group; the -Recurse option additionally lists the members of any nested groups found inside the target group.
Get-DomainGroupMember -Identity "Domain Admins" -Recurse
Trust Enumeration
Enumerate domain trust mappings
Get-DomainTrustMapping
Testing For Local Admin Access
Tests for local admin access on either the current machine or a remote one.
Test-AdminAccess -ComputerName ACADEMY-EA-MS01
Finding Users with SPN Set
Checks for users with the SPN attribute set, which indicates that the account may be vulnerable to a Kerberoasting attack.
Get-DomainUser -SPN -Properties samaccountname,ServicePrincipalName
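The two SPN checks above (Get-ADUser with the ServicePrincipalName filter and Get-DomainUser -SPN) only list the Kerberoastable accounts. The following added audit script, which is not part of the original notes or of any of the tools they cover, uses the ActiveDirectory module to rank that same population by exposure: whether the account is enabled, privileged (adminCount), how old its password is, and whether RC4 is still permitted through msDS-SupportedEncryptionTypes. The domain name is the one used elsewhere on this page; the risk thresholds are an assumption of this example.

```powershell
# Added audit example, not part of the original notes: rank user accounts that carry an
# SPN (the Kerberoastable population) by exposure. Needs only the ActiveDirectory module
# and ordinary domain-user read access.
Import-Module ActiveDirectory

# Bit flags of the msDS-SupportedEncryptionTypes attribute
$RC4_HMAC = 0x4
$AES128   = 0x8
$AES256   = 0x10

function Get-KerberoastExposure {
    param([string]$Domain)   # optional; defaults to the current domain

    $params = @{
        Filter     = 'ServicePrincipalName -like "*"'
        Properties = 'ServicePrincipalName', 'PasswordLastSet', 'adminCount',
                     'msDS-SupportedEncryptionTypes', 'Enabled'
    }
    if ($Domain) { $params.Server = $Domain }

    foreach ($u in Get-ADUser @params) {
        if ($u.SamAccountName -eq 'krbtgt') { continue }   # always has an SPN; managed separately

        $enc = $u.'msDS-SupportedEncryptionTypes'
        # Unset or 0 means the domain default applies, which historically allows RC4 for user accounts
        $aesOnly = ($enc) -and (($enc -band $RC4_HMAC) -eq 0) -and (($enc -band ($AES128 -bor $AES256)) -ne 0)

        $pwdAgeDays = if ($u.PasswordLastSet) { [int]((Get-Date) - $u.PasswordLastSet).TotalDays } else { -1 }
        $privileged = ($u.adminCount -eq 1)

        # Assumed scale: enabled + RC4 allowed + (privileged or password older than a year) is the worst case
        $risk = 'Low'
        if ($u.Enabled -and -not $aesOnly) {
            $risk = if ($privileged -or $pwdAgeDays -gt 365) { 'High' } else { 'Medium' }
        }

        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            Enabled        = $u.Enabled
            Privileged     = $privileged
            PwdAgeDays     = $pwdAgeDays
            AESOnly        = [bool]$aesOnly
            SPNs           = @($u.ServicePrincipalName).Count
            Risk           = $risk
        }
    }
}

# Usage against the same domain as the notes above
Get-KerberoastExposure -Domain inlanefreight.local |
    Sort-Object @{Expression = { @{High = 0; Medium = 1; Low = 2}[$_.Risk] }}, @{Expression = 'PwdAgeDays'; Descending = $true} |
    Format-Table -AutoSize
```

Accounts reported as High are the ones to move to a group Managed Service Account, rotate to a long random password, or restrict to AES, in that order of preference.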
SharpView
SharpView is a .NET port of PowerView and supports many of the same functions.
.\SharpView.exe Get-DomainUser -Help
Enumerate Domain Users
.\SharpView.exe Get-DomainUser -Identity forend
Shares
Shares allow users on the domain to quickly access information relevant to their daily roles and to share content easily within their organization. When set up correctly, domain shares require a user to be domain-joined and authenticated before they can access them.
If permissions are too relaxed, shares can cause accidental disclosure of sensitive information.
PowerView can be useful for hunting shares and digging through them for common strings, such as files with "pass" in the name. Snaffler can help with this.
Snaffler
Snaffler is a tool that can help us acquire credentials and other sensitive data in an AD environment. It works by getting a list of hosts within the domain and then enumerating through them looking for shares and readable directories. It can then enumerate further through a readable directory and look for files that could be of interest.
Snaffler Execution
-s: Prints the results to the console
-d: Specifies the domain to search within
-o: Writes the results to a file
-v: Sets the verbosity level (data prints results only)
Snaffler.exe -s -d inlanefreight.local -o snaffler.log -v data
Snaffler in Action
PS C:\htb> .\Snaffler.exe -d INLANEFREIGHT.LOCAL -s -v data
Bloodhound
As discussed in the Linux section, BloodHound is an incredibly powerful tool.
First, we must authenticate as a domain user from a Windows attack host positioned within the network, or transfer the tool to a domain-joined host. We can achieve this with multiple methods, but we will use SharpHound for now.
SharpHound in Action
.\SharpHound.exe
Running the SharpHound collector from our attack host, with all collection methods and a named zip file:
.\SharpHound.exe -c All --zipfilename name
With our data gathered, we can now import it into BloodHound. To do so, we open BloodHound on the Windows host.
bloodhound
Then we enter our credentials (they should be pre-saved) and click the Upload Data button.
Once the data has been imported we can see the information below, and we can use the analytics tab to run queries against the database.
We can start by typing the domain into the search bar and selecting our domain from the results.

The queries can be custom and specific, but we can also use the built-in Path Finding queries.
For example, we could choose the option Find Shortest Paths To Domain Admins, which returns any logical path through users and groups that would likely lead to Domain Admin privileges.
We can also try the query Find Computers with Unsupported Operating Systems, which is great for finding outdated OSs running legacy software.
We will often see users with local admin rights on their hosts. The query Find Computers where Domain Users are Local Admin quickly finds any hosts where all domain users have local admin rights.