3. Enumerating Active Directory

Once you have established a foothold on a machine, you can enumerate the domain for more valid accounts and credentials.

Microsoft Management Console (MMC) + RSAT

RSAT (Remote Server Administration Tools) adds the AD snap-ins to the MMC application and lets you view and administer AD objects from a GUI.

On Windows, Start->Run->mmc

In mmc, File->Add/Remove Snap-in and add in these 3 Snap-ins

With the snap-ins loaded, we can now enumerate AD objects in the domain.

Command line

Getting users in a domain

C:\> net user /domain
The request will be processed at a domain controller for domain za.tryhackme.com

User accounts for \\THMDC

-------------------------------------------------------------------------------
aaron.conway             aaron.hancock            aaron.harris
aaron.johnson            aaron.lewis              aaron.moore

Inspecting a single user

C:\> net user zoe.marshall /domain
The request will be processed at a domain controller for domain za.tryhackme.com

User name                    zoe.marshall
Full Name                    Zoe Marshall
Comment

Getting all groups in a domain

C:\> net group /domain
The request will be processed at a domain controller for domain za.tryhackme.com

Group Accounts for \\THMDC

-------------------------------------------------------------------------------
*Cloneable Domain Controllers

*Domain Users
[...]
*Schema Admins

Getting users in a group

C:\> net group "Tier 1 Admins" /domain
The request will be processed at a domain controller for domain za.tryhackme.com

Group name     Tier 1 Admins
Comment

Members

-------------------------------------------------------------------------------
t1_arthur.tyler          t1_gary.moss             t1_henry.miller

Getting the password and lockout policy for a domain (needed before any brute-forcing)

C:\> net accounts /domain
The request will be processed at a domain controller for domain za.tryhackme.com

Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          Unlimited
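As an added example (not part of the original notes), the following Python parses a captured net accounts /domain dump and, as a generalisation, the Get-DomainPolicyData SystemAccess form as well, then flags the settings that matter for a password-guessing risk assessment: no lockout threshold, short minimum length, weak history and non-expiring passwords. The sample dumps are constructed for this example and the baseline thresholds are assumptions, not values from the page.

```python
"""Assess a domain password/lockout policy dump for guessing exposure.

Added example, not from the original notes. Parses the key: value layout of
'net accounts /domain' and the 'Get-DomainPolicyData | select -expand
SystemAccess' layout; the sample dumps below are constructed."""
import re

# net accounts wording and PowerView SystemAccess names both map to one key
ALIASES = {
    "minimumpasswordlength": "min_length",
    "minimumpasswordage": "min_age_days",
    "maximumpasswordage": "max_age_days",
    "lengthofpasswordhistorymaintained": "history_size",
    "passwordhistorysize": "history_size",
    "lockoutthreshold": "lockout_threshold",
    "lockoutbadcount": "lockout_threshold",
    "lockoutduration": "lockout_duration_min",
    "lockoutobservationwindow": "lockout_window_min",
    "passwordcomplexity": "complexity",
}

# Baseline thresholds are assumptions for this example, not from the page.
BASELINE = {"min_length": 14, "history_size": 24, "max_lockout_threshold": 10}

# Constructed sample in the net accounts layout ("Never"/"Unlimited" = no limit)
NET_ACCOUNTS_SAMPLE = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          Unlimited
Minimum password length:                              7
Length of password history maintained:                24
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
"""

# Constructed sample in the PowerView SystemAccess layout
POWERVIEW_SAMPLE = """\
MinimumPasswordAge           : 1
MaximumPasswordAge           : 42
MinimumPasswordLength        : 7
PasswordComplexity           : 1
PasswordHistorySize          : 24
LockoutBadCount              : 5
"""


def _normalise_key(raw):
    """Drop unit hints like '(days)' and punctuation, keep lowercase letters."""
    return re.sub(r"[^a-z]", "", re.sub(r"\(.*?\)", "", raw).lower())


def _parse_value(raw):
    """'Never'/'Unlimited' become None (no limit); numbers become int."""
    raw = raw.strip()
    if raw.lower() in ("never", "unlimited", "none"):
        return None
    return int(raw) if raw.isdigit() else raw


def parse_policy(text):
    """Return {canonical_key: value} for the recognised policy fields."""
    policy = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.rpartition(":")
        canon = ALIASES.get(_normalise_key(key))
        if canon:
            policy[canon] = _parse_value(value)
    return policy


def assess_policy(policy):
    """Return (key, finding) pairs for settings weaker than the baseline."""
    findings = []
    if "lockout_threshold" in policy:
        thr = policy["lockout_threshold"]
        if thr is None:
            findings.append(("lockout_threshold", "no lockout: online guessing is unbounded"))
        elif thr > BASELINE["max_lockout_threshold"]:
            findings.append(("lockout_threshold", f"lockout only after {thr} failures"))
    length = policy.get("min_length")
    if length is not None and length < BASELINE["min_length"]:
        findings.append(("min_length", f"minimum length {length} below {BASELINE['min_length']}"))
    if policy.get("complexity") == 0:
        findings.append(("complexity", "complexity requirement disabled"))
    hist = policy.get("history_size")
    if hist is not None and hist < BASELINE["history_size"]:
        findings.append(("history_size", f"history of {hist} below {BASELINE['history_size']}"))
    if "max_age_days" in policy and policy["max_age_days"] is None:
        findings.append(("max_age_days", "passwords never expire: leaked credentials stay valid"))
    return findings


if __name__ == "__main__":
    for name, dump in (("net accounts", NET_ACCOUNTS_SAMPLE), ("PowerView", POWERVIEW_SAMPLE)):
        for key, finding in assess_policy(parse_policy(dump)):
            print(f"[{name}] {key}: {finding}")
```

Running it reports three findings for the net accounts sample (no lockout, minimum length 7, passwords never expire) and one for the PowerView sample (minimum length 7). The lockout threshold is the field to read first: with it set to Never, nothing on the domain side limits guesses per account, which is exactly why the policy is pulled before any password attack and why a defender wants it fixed.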

PowerView

Import PowerView before running the commands below (powershell-import and the powershell> prompt are Cobalt Strike Beacon syntax)

powershell-import C:\Tools\PowerSploit\Recon\PowerView.ps1
# Gets domain name, the forest name and the domain controllers.
powershell> Get-Domain

Forest                  : cyberbotic.io
DomainControllers       : {dc-2.dev.cyberbotic.io}
Children                : {}
DomainMode              : Unknown
DomainModeLevel         : 7
Parent                  : cyberbotic.io
PdcRoleOwner            : dc-2.dev.cyberbotic.io

# Returns the domain controllers for the current or specified domain.
powershell> Get-DomainController | select Forest, Name, OSVersion | fl

Forest    : cyberbotic.io
Name      : dc-2.dev.cyberbotic.io
OSVersion : Windows Server 2022 Datacenter

# Returns all domains for the current forest or the forest specified by -Forest.
powershell> Get-ForestDomain

Forest                  : cyberbotic.io
DomainControllers       : {dc-1.cyberbotic.io}
Children                : {dev.cyberbotic.io}

# Useful for finding domain password policy for password cracking
powershell> Get-DomainPolicyData | select -expand SystemAccess

MinimumPasswordAge           : 1
MaximumPasswordAge           : 42
MinimumPasswordLength        : 7
PasswordComplexity           : 1
PasswordHistorySize          : 24


# Return all users in the Domain.
# To only return specific properties, use -Properties.
# use -Identity to return a specific user.
powershell> Get-DomainUser -Identity jking -Properties DisplayName, MemberOf | fl

displayname : John King
memberof    : {CN=Internet Users,CN=Users,DC=dev,DC=cyberbotic,DC=io, CN=Support 
              Engineers,CN=Users,DC=dev,DC=cyberbotic,DC=io}


# Return all computers or specific computer objects in the domain
powershell> Get-DomainComputer -Properties DnsHostName | sort -Property DnsHostName

dnshostname              
-----------              
dc-2.dev.cyberbotic.io
fs.dev.cyberbotic.io


# Search for all organization units (OUs) or specific OU objects.
powershell> Get-DomainOU -Properties Name | sort -Property Name

name              
----              
Domain Controllers
File Servers
Servers


# Return all domain groups or specific domain group objects.
powershell> Get-DomainGroup | where Name -like "*Admins*" | select SamAccountName

samaccountname
--------------
Domain Admins 
Key Admins    
DnsAdmins


# Return the members of a specific domain group.
powershell> Get-DomainGroupMember -Identity "Domain Admins" | select MemberDistinguishedName

MemberDistinguishedName                             
-----------------------                             
CN=Nina Lamb,CN=Users,DC=dev,DC=cyberbotic,DC=io    
CN=Administrator,CN=Users,DC=dev,DC=cyberbotic,DC=io


# Return all Group Policy Objects (GPOs) or specific GPO objects.
# To enumerate all GPOs that are applied to a particular machine, use -ComputerIdentity.
powershell> Get-DomainGPO -Properties DisplayName | sort -Property DisplayName

displayname                      
-----------                      
Computer Certificates
Default Domain Controllers Policy
Default Domain Policy


# Returns all GPOs that modify local group membership through Restricted Groups or Group Policy Preferences.
powershell> Get-DomainGPOLocalGroup | select GPODisplayName, GroupName

GPODisplayName     GroupName
--------------     ---------
Workstation Admins DEV\Support Engineers
Server Admins      DEV\Support Engineers


# Returns machines in a specific local group.
# This is useful for finding where domain groups have local admin access
powershell> Get-DomainGPOUserLocalGroupMapping -LocalGroup Administrators | select ObjectName, GPODisplayName, ContainerName, ComputerName | fl

ObjectName     : Support Engineers
GPODisplayName : Server Admins
ContainerName  : {OU=Servers,DC=dev,DC=cyberbotic,DC=io}
ComputerName   : {web.dev.cyberbotic.io, sql-2.dev.cyberbotic.io, fs.dev.cyberbotic.io}

# Return all domain trusts for the current or specified domain.
# Refer to the Active Directory page for how to exploit this
powershell> Get-DomainTrust

SourceName      : dev.cyberbotic.io
TargetName      : cyberbotic.io
TrustType       : WINDOWS_ACTIVE_DIRECTORY
TrustAttributes : WITHIN_FOREST
TrustDirection  : Bidirectional
WhenCreated     : 8/15/2022 4:00:00 PM
WhenChanged     : 8/15/2022 4:00:00 PM
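The Get-DomainGPOUserLocalGroupMapping output above answers "which domain group is a local admin where" one record at a time. As an added example (not PowerView code and not from the original notes), the following Python parses that Format-List layout into records and turns it into an audit view: hosts reachable per group, hosts reachable per user once group membership from Get-DomainUser memberof is folded in, and groups that receive admin rights from more than one GPO. The first record reuses the values shown above; the Workstations OU, the wkstn-* hosts, the Helpdesk group and the user hdesk1 are constructed for this example.

```python
"""Audit where GPOs grant local Administrators rights, from the Format-List
output of Get-DomainGPOUserLocalGroupMapping.

Added example, not PowerView code. The first record reuses the values shown
on the page; the Workstations OU, wkstn-* hosts, the Helpdesk group and the
user 'hdesk1' are constructed for this example."""

MAPPING_SAMPLE = """\
ObjectName     : Support Engineers
GPODisplayName : Server Admins
ContainerName  : {OU=Servers,DC=dev,DC=cyberbotic,DC=io}
ComputerName   : {web.dev.cyberbotic.io, sql-2.dev.cyberbotic.io, fs.dev.cyberbotic.io}

ObjectName     : Support Engineers
GPODisplayName : Workstation Admins
ContainerName  : {OU=Workstations,DC=dev,DC=cyberbotic,DC=io}
ComputerName   : {wkstn-1.dev.cyberbotic.io, wkstn-2.dev.cyberbotic.io}

ObjectName     : Helpdesk
GPODisplayName : Workstation Admins
ContainerName  : {OU=Workstations,DC=dev,DC=cyberbotic,DC=io}
ComputerName   : {wkstn-1.dev.cyberbotic.io, wkstn-2.dev.cyberbotic.io}
"""

# user -> group CNs, as taken from the memberof attribute of Get-DomainUser
USER_GROUPS = {
    "jking": ["Internet Users", "Support Engineers"],
    "hdesk1": ["Helpdesk"],
}


def _split_value(raw):
    """PowerShell prints arrays as '{a, b}'; DN commas have no space after them,
    so splitting on ', ' keeps a distinguished name in one piece."""
    raw = raw.strip()
    if raw.startswith("{") and raw.endswith("}"):
        return [item.strip() for item in raw[1:-1].split(", ") if item.strip()]
    return raw


def parse_fl_records(text):
    """Parse Format-List output (blank line between records) into dicts."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = _split_value(value)
    if current:
        records.append(current)
    return records


def admin_reach(records):
    """{group or user: sorted hosts} where it is a local admin through a GPO."""
    reach = {}
    for rec in records:
        hosts = rec.get("ComputerName", [])
        hosts = [hosts] if isinstance(hosts, str) else hosts
        reach.setdefault(rec["ObjectName"], set()).update(hosts)
    return {name: sorted(hosts) for name, hosts in reach.items()}


def user_admin_hosts(records, user_groups):
    """Resolve group membership to the hosts each user can administer."""
    reach = admin_reach(records)
    return {
        user: sorted({h for g in groups for h in reach.get(g, [])})
        for user, groups in user_groups.items()
    }


def cross_tier_groups(records):
    """Principals granted admin by more than one GPO, e.g. both the server and
    the workstation policy: one group then bridges what tiering should separate."""
    gpos = {}
    for rec in records:
        gpos.setdefault(rec["ObjectName"], set()).add(rec["GPODisplayName"])
    return {name: sorted(p) for name, p in gpos.items() if len(p) > 1}


if __name__ == "__main__":
    recs = parse_fl_records(MAPPING_SAMPLE)
    for user, hosts in user_admin_hosts(recs, USER_GROUPS).items():
        print(user, "-> local admin on", len(hosts), "hosts:", ", ".join(hosts))
    print("granted by multiple GPOs:", cross_tier_groups(recs))
```

On the sample, jking ends up a local admin on all five hosts because Support Engineers is granted Administrators by both the Server Admins and the Workstation Admins GPOs; cross_tier_groups surfaces exactly that group. For a defender, that is the finding to act on: a single support group that spans the workstation and server tiers lets a workstation compromise become a server compromise, and the fix is separate groups per GPO scope.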

BloodHound + SharpHound

SharpHound is the data collector for BloodHound.

Collecting domain data from the host machine using SharpHound

SharpHound.exe --CollectionMethods All --Domain za.tryhackme.com --ExcludeDCs

Once collection finishes, move the output files to the attacker machine and import them into BloodHound.
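Every technique on this page, from net group /domain through the PowerView group cmdlets to a SharpHound run with --CollectionMethods All, asks the domain controller for group memberships in bulk, and the DC records each of those look-ups as Security event 4799 ("A security-enabled local group membership was enumerated") when the account-management auditing subcategory is enabled. As an added detection example (not part of the original notes), the following Python runs a simple rule over such events: alert once per principal that enumerates many distinct groups inside a short window, and alert on any look-up of a sensitive group unless the principal is an approved collector. The pipe-delimited extract, the account names and the sensitive-group list are constructed for this example, not a real export format.

```python
"""Detect bulk group-membership enumeration on a domain controller from
Windows Security events.

Added detection example, not from the original notes. The log lines below are
a constructed pipe-delimited extract (time|EventID|subject|target group), not
a real export format; account names are constructed too."""
from collections import defaultdict
from datetime import datetime, timedelta

# 4799: "A security-enabled local group membership was enumerated". On a DC it
# records the SAMR group look-ups that net group /domain, PowerView group
# cmdlets and SharpHound collection produce in volume.
GROUP_ENUM_EVENT = 4799

# Groups whose membership is rarely queried in normal operation (assumption)
SENSITIVE_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins",
                    "Administrators", "Tier 1 Admins"}

# Constructed extract: one principal sweeps 12 groups in seconds, a monitoring
# account looks up two groups an hour apart, and one unrelated 4624 logon.
SAMPLE_EVENTS = r"""
2024-05-01T09:00:01Z|4799|DEV\jking|Domain Users
2024-05-01T09:00:02Z|4799|DEV\jking|Domain Computers
2024-05-01T09:00:02Z|4799|DEV\jking|Domain Controllers
2024-05-01T09:00:03Z|4799|DEV\jking|Cloneable Domain Controllers
2024-05-01T09:00:03Z|4799|DEV\jking|Schema Admins
2024-05-01T09:00:04Z|4799|DEV\jking|Domain Admins
2024-05-01T09:00:04Z|4799|DEV\jking|Key Admins
2024-05-01T09:00:05Z|4799|DEV\jking|DnsAdmins
2024-05-01T09:00:05Z|4799|DEV\jking|Internet Users
2024-05-01T09:00:06Z|4799|DEV\jking|Support Engineers
2024-05-01T09:00:06Z|4799|DEV\jking|Account Operators
2024-05-01T09:00:07Z|4799|DEV\jking|Tier 1 Admins
2024-05-01T10:15:00Z|4799|DEV\svc_monitor|Domain Users
2024-05-01T11:15:00Z|4799|DEV\svc_monitor|Domain Computers
2024-05-01T11:20:00Z|4624|DEV\svc_monitor|-
"""


def parse_events(text):
    """Parse the constructed extract into dicts with a datetime and int id."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, subject, group = line.split("|")
        events.append({"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "id": int(event_id), "subject": subject, "group": group})
    return events


def detect_enumeration(events, window=timedelta(minutes=5), min_groups=10,
                       allowlist=frozenset()):
    """Return alert tuples. 'sensitive_group' fires on any look-up of a
    sensitive group; 'bulk_enumeration' fires once per subject that queried at
    least min_groups distinct groups inside one sliding window. Subjects in
    allowlist (approved audit or collector accounts) are skipped entirely."""
    alerts = []
    by_subject = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["id"] != GROUP_ENUM_EVENT or ev["subject"] in allowlist:
            continue
        by_subject[ev["subject"]].append(ev)
        if ev["group"] in SENSITIVE_GROUPS:
            alerts.append(("sensitive_group", ev["subject"], ev["group"]))
    for subject, evs in by_subject.items():
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until it covers at most `window`
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            distinct = {e["group"] for e in evs[start:end + 1]}
            if len(distinct) >= min_groups:
                alerts.append(("bulk_enumeration", subject, len(distinct)))
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_enumeration(parse_events(SAMPLE_EVENTS)):
        print(*alert)
```

On the sample the rule raises three sensitive-group alerts for DEV\jking (Schema Admins, Domain Admins, Tier 1 Admins) and one bulk-enumeration alert when the tenth distinct group is queried within the window, while the monitoring account's slow, narrow look-ups stay quiet. The distinct-group count is deliberately the signal rather than the raw event count, because a legitimate helpdesk script that re-queries one group repeatedly should not trip it; tune min_groups and the allowlist against a week of your own DC logs before relying on it.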
