1 - Manual Enumeration

Low Hanging Fruits

List local and domain users

net user
net user /domain

Basically /domain queries the DC while w/o it queries the local machine

Check specific user:

net user jeffadmin
net user jeffadmin /domain

List local and domain groups:

net localgroup
net group /domain

Check specifc group:

net localgroup "Sales Department"
net group "Sales Department" /domain

Bypass Script Execution Policy Scope

Set-ExecutionPolicy Bypass -Scope Process

Powerview

Download here => https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1

Import module:

Import-Module .\PowerView.ps1

Get domain information:

Get-NetDomain

Get all users:

Get-NetUser
Get-NetUser | select cn
Get-NetUser | select cn,pwdlastset,lastlogon

Get all groups:

Get-NetGroup
Get-NetGroup | select cn

Get group members:

Get-NetGroup "Sales Department" | select member

Get computers joined to the domain:

Get-NetComputer
Get-NetComputer | select operatingsystem,dnshostname

List domain joined computers where we have local admin access

Find-LocalAdminAccess

List users connected to a specific machine:

Get-NetSession -ComputerName <NAME> -Verbose
.\PsLoggedon.exe \\<NAME>

Services Instances (SPNs)

SPN is a unique identifier for Kerberos that links a service account (unique) to a service instance (0,1 or more. E.g. a IIS webserver running on SERVER01)

List all SPNs for IIS

> setspn -L iis_service

Registered ServicePrincipalNames for CN=iis_service,CN=Users,DC=corp,DC=com:
        HTTP/web04.corp.com
        HTTP/web04
        HTTP/web04.corp.com:80

We can see a webserver running on the web04 machine.

List all SPN for all service accounts (requires powerview)

Get-NetUser -SPN | select samaccountname,serviceprincipalname

Get the IP of the machine the service instance is running on:

nslookup.exe web04.corp.com

Objects ACL

What to look for:

GenericAll: Full permissions on object
GenericWrite: Edit certain attributes on the object
WriteOwner: Change ownership of the object
WriteDACL: Edit ACE's applied to object
AllExtendedRights: Change password, reset password, etc.
ForceChangePassword: Password change for object
Self (Self-Membership): Add ourselves to for example a group

Check our own user object ACL:

Get-ObjectAcl -Identity stephanie

ObjectDN               : CN=stephanie,CN=Users,DC=corp,DC=com
ObjectSID              : S-1-5-21-1987370270-658905905-1781884369-1104
ActiveDirectoryRights  : ReadProperty
ObjectAceFlags         : ObjectAceTypePresent
ObjectAceType          : 4c164200-20c0-11d0-a768-00aa006e0529
InheritedObjectAceType : 00000000-0000-0000-0000-000000000000
BinaryLength           : 56
AceQualifier           : AccessAllowed
IsCallback             : False
OpaqueLength           : 0
AccessMask             : 16
SecurityIdentifier     : S-1-5-21-1987370270-658905905-1781884369-553
AceType                : AccessAllowedObject
AceFlags               : None
IsInherited            : False
InheritanceFlags       : None
PropagationFlags       : None
AuditFlags             : None

One ACL returned:

ActiveDirectoryRights: ReadProperty means a security principal has read access to our user object
SecurityIdentifier is the SID of the security principal that has the read permission on our object

We can translate the SID to something readable like that:

Convert-SidToName <SID>

To get the ACL of a file for example:

Get-Acl -Path C:\path\to\your\file.txt

List all security principa' SIDs that have full permission on the group specified:

Get-ObjectAcl -Identity "Management Department" | ? {$_.ActiveDirectoryRights -eq "GenericAll"} | select SecurityIdentifier,ActiveDirectoryRights

We can bulk translate the SIDs to readable names:

"S-1-5-21-1987370270-658905905-1781884369-512","S-1-5-21-1987370270-658905905-1781884369-1104","S-1-5-32-548","S-1-5-18","S-1-5-21-1987370270-658905905-1781884369-519" | Convert-SidToName

Domain Shares

We find domain shares with Powerview:

Find-DomainShare

This will return machine names and share names:

Name           Type Remark                 ComputerName
----           ---- ------                 ------------
ADMIN$   2147483648 Remote Admin           DC1.corp.com
C$       2147483648 Default share          DC1.corp.com
IPC$     2147483651 Remote IPC             DC1.corp.com
NETLOGON          0 Logon server share     DC1.corp.com
SYSVOL            0 Logon server share     DC1.corp.com
ADMIN$   2147483648 Remote Admin           web04.corp.com
backup            0                        web04.corp.com
C$       2147483648 Default share          web04.corp.com
IPC$     2147483651 Remote IPC             web04.corp.com
ADMIN$   2147483648 Remote Admin           FILES04.corp.com
C                 0                        FILES04.corp.com
C$       2147483648 Default share          FILES04.corp.com
docshare          0 Documentation purposes FILES04.corp.com
IPC$     2147483651 Remote IPC             FILES04.corp.com
Tools             0                        FILES04.corp.com
Users             0                        FILES04.corp.com
Windows           0                        FILES04.corp.com
ADMIN$   2147483648 Remote Admin           client74.corp.com
C$       2147483648 Default share          client74.corp.com
IPC$     2147483651 Remote IPC             client74.corp.com
ADMIN$   2147483648 Remote Admin           client75.corp.com
C$       2147483648 Default share          client75.corp.com
IPC$     2147483651 Remote IPC             client75.corp.com
sharing           0                        client75.corp.com

This is how we list the content of a share (we can cat, cd...):

ls \\dc1.corp.com\sysvol\
ls \\dc1.corp.com\sysvol\corp.com\

PreviousHacking AD Next2 - Sharphound + BloodHound

Last updated 2 years ago

hashtagLow Hanging Fruits

hashtagBypass Script Execution Policy Scope

hashtagPowerview

hashtagServices Instances (SPNs)

hashtagObjects ACL

hashtagDomain Shares