3. Enumerating Active Directory
Once we have established a foothold on a machine, we can enumerate the domain for more valid accounts and credentials.
RSAT (Remote Server Administration Tools) is an AD "add-on" for the MMC application that provides snap-ins for administering AD objects.
On Windows, Start->Run->mmc
In mmc, File->Add/Remove Snap-in
and add these three snap-ins
We can now start to enumerate AD objects.
Getting users in a domain
C:\> net user /domain
The request will be processed at a domain controller for domain za.tryhackme.com
User accounts for \\THMDC
-------------------------------------------------------------------------------
aaron.conway aaron.hancock aaron.harris
aaron.johnson aaron.lewis aaron.moore
Inspecting a single user
C:\> net user zoe.marshall /domain
The request will be processed at a domain controller for domain za.tryhackme.com
User name zoe.marshall
Full Name Zoe Marshall
Comment
Getting all groups in a domain
C:\> net group /domain
The request will be processed at a domain controller for domain za.tryhackme.com
Group Accounts for \\THMDC
-------------------------------------------------------------------------------
*Cloneable Domain Controllers
*Domain Users
[...]
*Schema Admins
Getting users in a group
C:\> net group "Tier 1 Admins" /domain
The request will be processed at a domain controller for domain za.tryhackme.com
Group name Tier 1 Admins
Comment
Members
-------------------------------------------------------------------------------
t1_arthur.tyler t1_gary.moss t1_henry.miller
Getting the password policy for a domain before any brute-forcing
C:\> net accounts /domain
The request will be processed at a domain controller for domain za.tryhackme.com
Force user logoff how long after time expires?: Never
Minimum password age (days): 0
Maximum password age (days): Unlimited
Import PowerView to run the subsequent commands (the powershell-import and powershell commands below are Cobalt Strike Beacon syntax)
powershell-import C:\Tools\PowerSploit\Recon\PowerView.ps1
# Gets domain name, the forest name and the domain controllers.
powershell> Get-Domain
Forest : cyberbotic.io
DomainControllers : {dc-2.dev.cyberbotic.io}
Children : {}
DomainMode : Unknown
DomainModeLevel : 7
Parent : cyberbotic.io
PdcRoleOwner : dc-2.dev.cyberbotic.io
# Returns the domain controllers for the current or specified domain.
powershell> Get-DomainController | select Forest, Name, OSVersion | fl
Forest : cyberbotic.io
Name : dc-2.dev.cyberbotic.io
OSVersion : Windows Server 2022 Datacenter
# Returns all domains for the current forest or the forest specified by -Forest.
powershell> Get-ForestDomain
Forest : cyberbotic.io
DomainControllers : {dc-1.cyberbotic.io}
Children : {dev.cyberbotic.io}
# Useful for retrieving the domain password policy before any password attacks
powershell> Get-DomainPolicyData | select -expand SystemAccess
MinimumPasswordAge : 1
MaximumPasswordAge : 42
MinimumPasswordLength : 7
PasswordComplexity : 1
PasswordHistorySize : 24
# Return all users in the domain.
# To only return specific properties, use -Properties.
# Use -Identity to return a specific user.
powershell> Get-DomainUser -Identity jking -Properties DisplayName, MemberOf | fl
displayname : John King
memberof : {CN=Internet Users,CN=Users,DC=dev,DC=cyberbotic,DC=io, CN=Support Engineers,CN=Users,DC=dev,DC=cyberbotic,DC=io}
# Return all computers or specific computer objects in the domain
powershell> Get-DomainComputer -Properties DnsHostName | sort -Property DnsHostName
dnshostname
-----------
dc-2.dev.cyberbotic.io
fs.dev.cyberbotic.io
# Search for all organizational units (OUs) or specific OU objects.
powershell> Get-DomainOU -Properties Name | sort -Property Name
name
----
Domain Controllers
File Servers
Servers
# Return all domain groups or specific domain group objects.
powershell> Get-DomainGroup | where Name -like "*Admins*" | select SamAccountName
samaccountname
--------------
Domain Admins
Key Admins
DnsAdmins
# Return the members of a specific domain group.
powershell> Get-DomainGroupMember -Identity "Domain Admins" | select MemberDistinguishedName
MemberDistinguishedName
-----------------------
CN=Nina Lamb,CN=Users,DC=dev,DC=cyberbotic,DC=io
CN=Administrator,CN=Users,DC=dev,DC=cyberbotic,DC=io
# Return all Group Policy Objects (GPOs) or specific GPO objects.
# To enumerate all GPOs that are applied to a particular machine, use -ComputerIdentity.
powershell> Get-DomainGPO -Properties DisplayName | sort -Property DisplayName
displayname
-----------
Computer Certificates
Default Domain Controllers Policy
Default Domain Policy
# Returns all GPOs that modify local group membership through Restricted Groups or Group Policy Preferences.
powershell> Get-DomainGPOLocalGroup | select GPODisplayName, GroupName
GPODisplayName GroupName
-------------- ---------
Workstation Admins DEV\Support Engineers
Server Admins DEV\Support Engineers
# Returns the machines on which a domain principal is placed into a specific local group via GPO.
# This is useful for finding where domain groups have local admin access.
powershell> Get-DomainGPOUserLocalGroupMapping -LocalGroup Administrators | select ObjectName, GPODisplayName, ContainerName, ComputerName | fl
ObjectName : Support Engineers
GPODisplayName : Server Admins
ContainerName : {OU=Servers,DC=dev,DC=cyberbotic,DC=io}
ComputerName : {web.dev.cyberbotic.io, sql-2.dev.cyberbotic.io, fs.dev.cyberbotic.io}
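The two outputs above that matter most to a defender are the password policy (net accounts / Get-DomainPolicyData) and the GPO local group mapping. The following Python is an added example, not part of the original notes or of PowerView: it parses Format-List style "Key : Value" output into records, compares the [System Access] policy keys against an illustrative baseline (the thresholds are assumptions, not taken from the page), and summarises which principals end up in local Administrators on which hosts. All sample output is constructed; the Helpdesk group, the wkstn-* hosts and the Workstations OU are hypothetical.

```python
"""Structure PowerView Format-List output and run two defensive checks over it:
a password-policy baseline comparison and a local-admin reach summary.
All sample output is constructed for this example."""

import re
from collections import defaultdict

# Constructed sample in the shape of `Get-DomainPolicyData | select -expand SystemAccess`.
# LockoutBadCount is the [System Access] key for the lockout threshold; 0 means never lock out.
POLICY_OUTPUT = """
MinimumPasswordAge : 1
MaximumPasswordAge : 42
MinimumPasswordLength : 7
PasswordComplexity : 1
PasswordHistorySize : 24
LockoutBadCount : 0
"""

# Constructed sample in the shape of `Get-DomainGPOUserLocalGroupMapping ... | fl`.
# The Helpdesk group, wkstn-* hosts and Workstations OU are hypothetical.
MAPPING_OUTPUT = """
ObjectName : Support Engineers
GPODisplayName : Server Admins
ContainerName : {OU=Servers,DC=dev,DC=cyberbotic,DC=io}
ComputerName : {web.dev.cyberbotic.io, sql-2.dev.cyberbotic.io, fs.dev.cyberbotic.io}

ObjectName : Support Engineers
GPODisplayName : Workstation Admins
ContainerName : {OU=Workstations,DC=dev,DC=cyberbotic,DC=io}
ComputerName : {wkstn-1.dev.cyberbotic.io, wkstn-2.dev.cyberbotic.io}

ObjectName : Helpdesk
GPODisplayName : Workstation Admins
ContainerName : {OU=Workstations,DC=dev,DC=cyberbotic,DC=io}
ComputerName : {wkstn-1.dev.cyberbotic.io}
"""

KEY_VALUE = re.compile(r"^\s*(.+?)\s*:\s*(.*?)\s*$")


def parse_format_list(text):
    """Split blank-line separated 'Key : Value' blocks into a list of dicts."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        match = KEY_VALUE.match(line)
        if match:
            current[match.group(1)] = match.group(2)
    if current:
        records.append(current)
    return records


def parse_braced_list(value):
    """PowerShell prints collections as '{a, b}'; return the items, [] for '{}'."""
    inner = value.strip().strip("{}")
    return [item.strip() for item in inner.split(",") if item.strip()]


# Illustrative thresholds, assumed for this example and not taken from the page:
# ("min", n) means the value must be at least n, ("max", n) at most n.
BASELINE = {
    "MinimumPasswordLength": ("min", 14),
    "PasswordComplexity": ("min", 1),
    "PasswordHistorySize": ("min", 24),
    "MaximumPasswordAge": ("max", 60),
    "LockoutBadCount": ("min", 1),
}


def check_password_policy(policy):
    """Return human-readable findings where the policy misses the baseline."""
    findings = []
    for key, (kind, threshold) in BASELINE.items():
        raw = policy.get(key)
        if raw is None:
            findings.append(f"{key}: missing from policy output")
            continue
        value = int(raw)
        # In [System Access], MaximumPasswordAge = -1 means passwords never expire.
        if key == "MaximumPasswordAge" and value == -1:
            findings.append("MaximumPasswordAge=-1: passwords never expire")
        elif kind == "min" and value < threshold:
            findings.append(f"{key}={value} is below baseline {threshold}")
        elif kind == "max" and value > threshold:
            findings.append(f"{key}={value} exceeds baseline {threshold}")
    return findings


def local_admin_reach(records):
    """Map each principal granted local admin through GPO to the sorted hosts it reaches."""
    reach = defaultdict(set)
    for rec in records:
        for host in parse_braced_list(rec.get("ComputerName", "{}")):
            reach[rec["ObjectName"]].add(host)
    return {name: sorted(hosts) for name, hosts in reach.items()}


def wide_reach(reach, limit):
    """Principals whose GPO-granted local admin spans more than `limit` hosts."""
    return sorted(name for name, hosts in reach.items() if len(hosts) > limit)


if __name__ == "__main__":
    for finding in check_password_policy(parse_format_list(POLICY_OUTPUT)[0]):
        print("policy:", finding)
    reach = local_admin_reach(parse_format_list(MAPPING_OUTPUT))
    for name, hosts in reach.items():
        print(f"{name} is local admin on {len(hosts)} host(s): {', '.join(hosts)}")
    print("wide reach:", wide_reach(reach, 2))
```

On the constructed sample the policy check reports the 7-character minimum length and the lockout threshold of 0, and the reach summary shows one group holding local admin across both the server and workstation OUs, which is exactly the kind of over-broad delegation the mapping command is meant to surface.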
# Return all domain trusts for the current or specified domain.
# Refer to the Active Directory page for how this can be exploited
powershell> Get-DomainTrust
SourceName : dev.cyberbotic.io
TargetName : cyberbotic.io
TrustType : WINDOWS_ACTIVE_DIRECTORY
TrustAttributes : WITHIN_FOREST
TrustDirection : Bidirectional
WhenCreated : 8/15/2022 4:00:00 PM
WhenChanged : 8/15/2022 4:00:00 PM
SharpHound is the data collector for BloodHound.
Collecting domain information from the compromised host using SharpHound
Sharphound.exe --CollectionMethods All --Domain za.tryhackme.com --ExcludeDCs
Once the collection finishes, transfer the resulting output archive to the attacker machine and import it into BloodHound.