RoadToOSCP: Active Directory CORPORATIVE.domain.local Series[VII] : Active Directory Enumeration process

Hi everyone!,

So far so good, right now in this post we are going to review enumeration over Domain Controller, from the attacker computer side and from the host client that belong to CORPORATIVE.DOMAIN.local environment:

1. OUTSIDE OF DOMAIN

From the attacker side using a valid user and credentials without admin rights, it's possible perform the followings enumerations:

1.1 RPCCLIENT:

rpcclient -U "worker2%Passw0rd1" 10.0.2.17
rpcclient $> enumdomusers
user:[Administrador] rid:[0x1f4]
user:[Invitado] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[worker1] rid:[0x452]
user:[worker2] rid:[0x453]
rpcclient $> enumdomgroups
group:[Enterprise Domain Controllers de sólo lectura] rid:[0x1f2]
group:[Admins. del dominio] rid:[0x200]
group:[Usuarios del dominio] rid:[0x201]
group:[Invitados del dominio] rid:[0x202]
group:[Equipos del dominio] rid:[0x203]
group:[Controladores de dominio] rid:[0x204]
group:[Administradores de esquema] rid:[0x206]
group:[Administradores de empresas] rid:[0x207]
group:[Propietarios del creador de directivas de grupo] rid:[0x208]
group:[Controladores de dominio de sólo lectura] rid:[0x209]
group:[Controladores de dominio clonables] rid:[0x20a]
group:[Protected Users] rid:[0x20d]
group:[Administradores clave] rid:[0x20e]
group:[Administradores clave de la organización] rid:[0x20f]
group:[DnsUpdateProxy] rid:[0x44e]
group:[RDP] rid:[0x454]

queryusers / querygroups / querygroupsmem:

Obtain the groups that an specific user belong:

rpcclient $> enumdomusers
user:[Administrador] rid:[0x1f4]
user:[Invitado] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[worker1] rid:[0x452]
user:[worker2] rid:[0x453]
rpcclient $> queryusergroups 0x1f4
group rid:[0x200] attr:[0x7]
group rid:[0x201] attr:[0x7]
group rid:[0x208] attr:[0x7]
group rid:[0x206] attr:[0x7]
group rid:[0x207] attr:[0x7]
rpcclient $> querygroup 0x200
Group Name: Admins. del dominio
Description: Administradores designados del dominio
Group Attribute:7
Num Members:1
rpcclient $> querygroup 0x201
Group Name: Usuarios del dominio
Description: Todos los usuarios del dominio
Group Attribute:7
Num Members:5
rpcclient $> querygroup 0x208
Group Name: Propietarios del creador de directivas de grupo
Description: Los miembros de este grupo pueden modificar la directiva de grupo del dominio
Group Attribute:7
Num Members:1
rpcclient $> querygroup 0x206
Group Name: Administradores de esquema
Description: Administradores designados del esquema
Group Attribute:7
Num Members:1
rpcclient $> querygroup 0x207
Group Name: Administradores de empresas
Description: Administradores designados de la empresa
Group Attribute:7
Num Members:1
rpcclient $>

Full automation recon process: users-memberof-groups

for i in `rpcclient -U "worker2%Passw0rd1" 10.0.2.17 -c "enumdomusers" | awk -F "rid:" '{ print $2}' | tr -d "[]"`; do echo "User rid: $i";echo "User data : ";rpcclient -U "worker2%Passw0rd1" 10.0.2.17 -c "queryuser $i";echo " User groups: " ;rpcclient -U "worker2%Passw0rd1" 10.0.2.17 -c "queryusergroups $i"; for j in `rpcclient -U "worker2%Passw0rd1" 10.0.2.17 -c "queryusergroups $i" | awk '{print $2}' | awk -F ":" '{print $2}' |tr -d "[]"`; do echo $j; rpcclient -U "worker2%Passw0rd1" 10.0.2.17 -c "querygroup $j" ;done done
User rid: 0x1f4
User data :
User Name : Administrador
Full Name :
Home Drive :
Dir Drive :
Profile Path:
Logon Script:
Description : Cuenta integrada para la administración del equipo o dominio
Workstations:
Comment :
Remote Dial :
Logon Time : sáb, 18 sep 2021 19:44:09 CEST
Logoff Time : jue, 01 ene 1970 01:00:00 CET
Kickoff Time : jue, 14 sep 30828 04:48:05 CEST
Password last set Time : sáb, 11 sep 2021 23:18:53 CEST
Password can change Time : dom, 12 sep 2021 23:18:53 CEST
Password must change Time: jue, 14 sep 30828 04:48:05 CEST
unknown_2[0..31]...
user_rid : 0x1f4
group_rid: 0x201
acb_info : 0x00000210
fields_present: 0x00ffffff
logon_divs: 168
bad_password_count: 0x00000000
logon_count: 0x0000001a
padding1[0..7]...
logon_hrs[0..21]...
User groups:
group rid:[0x200] attr:[0x7]
group rid:[0x201] attr:[0x7]
group rid:[0x208] attr:[0x7]
group rid:[0x206] attr:[0x7]
group rid:[0x207] attr:[0x7]
0x200
Group Name: Admins. del dominio
Description: Administradores designados del dominio
Group Attribute:7
Num Members:1
0x201
Group Name: Usuarios del dominio
Description: Todos los usuarios del dominio
Group Attribute:7
Num Members:5
0x208
Group Name: Propietarios del creador de directivas de grupo
Description: Los miembros de este grupo pueden modificar la directiva de grupo del dominio
Group Attribute:7
Num Members:1
0x206
Group Name: Administradores de esquema
Description: Administradores designados del esquema
Group Attribute:7
Num Members:1
0x207
Group Name: Administradores de empresas
Description: Administradores designados de la empresa
Group Attribute:7
Num Members:1
User rid: 0x1f5
User data :
User Name : Invitado
Full Name :
Home Drive :
Dir Drive :
Profile Path:
Logon Script:
Description : Cuenta integrada para el acceso como invitado al equipo o dominio
Workstations:
Comment :
Remote Dial :
Logon Time : jue, 01 ene 1970 01:00:00 CET
Logoff Time : jue, 01 ene 1970 01:00:00 CET
Kickoff Time : jue, 14 sep 30828 04:48:05 CEST
Password last set Time : jue, 01 ene 1970 01:00:00 CET
Password can change Time : jue, 01 ene 1970 01:00:00 CET
Password must change Time: jue, 14 sep 30828 04:48:05 CEST
unknown_2[0..31]...
user_rid : 0x1f5
group_rid: 0x202
acb_info : 0x00000215
fields_present: 0x00ffffff
logon_divs: 168
bad_password_count: 0x00000000
logon_count: 0x00000000
padding1[0..7]...
logon_hrs[0..21]...
User groups:
group rid:[0x202] attr:[0x7]
0x202
Group Name: Invitados del dominio
Description: Todos los invitados del dominio
Group Attribute:7
Num Members:1
User rid: 0x1f6
User data :
User Name : krbtgt
Full Name :
Home Drive :
Dir Drive :
Profile Path:
Logon Script:
Description : Cuenta de servicio de centro de distribución de claves
Workstations:
Comment :
Remote Dial :
Logon Time : jue, 01 ene 1970 01:00:00 CET
Logoff Time : jue, 01 ene 1970 01:00:00 CET
Kickoff Time : jue, 14 sep 30828 04:48:05 CEST
Password last set Time : dom, 12 sep 2021 00:29:47 CEST
Password can change Time : lun, 13 sep 2021 00:29:47 CEST
Password must change Time: dom, 24 oct 2021 00:29:47 CEST
unknown_2[0..31]...
user_rid : 0x1f6
group_rid: 0x201
acb_info : 0x00000011
fields_present: 0x00ffffff
logon_divs: 168
bad_password_count: 0x00000000
logon_count: 0x00000000
padding1[0..7]...
logon_hrs[0..21]...
User groups:
group rid:[0x201] attr:[0x7]
0x201
Group Name: Usuarios del dominio
Description: Todos los usuarios del dominio
Group Attribute:7
Num Members:5
User rid: 0x1f7
User data :
User Name : DefaultAccount
Full Name :
Home Drive :
Dir Drive :
Profile Path:
Logon Script:
Description : Cuenta de usuario administrada por el sistema.
Workstations:
Comment :
Remote Dial :
Logon Time : jue, 01 ene 1970 01:00:00 CET
Logoff Time : jue, 01 ene 1970 01:00:00 CET
Kickoff Time : jue, 14 sep 30828 04:48:05 CEST
Password last set Time : jue, 01 ene 1970 01:00:00 CET
Password can change Time : jue, 01 ene 1970 01:00:00 CET
Password must change Time: jue, 14 sep 30828 04:48:05 CEST
unknown_2[0..31]...
user_rid : 0x1f7
group_rid: 0x201
acb_info : 0x00000215
fields_present: 0x00ffffff
logon_divs: 168
bad_password_count: 0x00000000
logon_count: 0x00000000
padding1[0..7]...
logon_hrs[0..21]...
User groups:
group rid:[0x201] attr:[0x7]
0x201
Group Name: Usuarios del dominio
Description: Todos los usuarios del dominio
Group Attribute:7
Num Members:5
User rid: 0x452
User data :
User Name : worker1
Full Name : trabajador1
Home Drive :
Dir Drive :
Profile Path:
Logon Script:
Description :
Workstations:
Comment :
Remote Dial :
Logon Time : dom, 12 sep 2021 19:57:13 CEST
Logoff Time : jue, 01 ene 1970 01:00:00 CET
Kickoff Time : jue, 14 sep 30828 04:48:05 CEST
Password last set Time : dom, 12 sep 2021 13:14:04 CEST
Password can change Time : lun, 13 sep 2021 13:14:04 CEST
Password must change Time: jue, 14 sep 30828 04:48:05 CEST
unknown_2[0..31]...
user_rid : 0x452
group_rid: 0x201
acb_info : 0x00000210
fields_present: 0x00ffffff
logon_divs: 168
bad_password_count: 0x00000000
logon_count: 0x00000009
padding1[0..7]...
logon_hrs[0..21]...
User groups:
group rid:[0x201] attr:[0x7]
0x201
Group Name: Usuarios del dominio
Description: Todos los usuarios del dominio
Group Attribute:7
Num Members:5
User rid: 0x453
User data :
User Name : worker2
Full Name : trabajador2
Home Drive :
Dir Drive :
Profile Path:
Logon Script:
Description :
Workstations:
Comment :
Remote Dial :
Logon Time : sáb, 18 sep 2021 20:33:46 CEST
Logoff Time : jue, 01 ene 1970 01:00:00 CET
Kickoff Time : jue, 14 sep 30828 04:48:05 CEST
Password last set Time : dom, 12 sep 2021 13:14:39 CEST
Password can change Time : lun, 13 sep 2021 13:14:39 CEST
Password must change Time: jue, 14 sep 30828 04:48:05 CEST
unknown_2[0..31]...
user_rid : 0x453
group_rid: 0x201
acb_info : 0x00000210
fields_present: 0x00ffffff
logon_divs: 168
bad_password_count: 0x00000000
logon_count: 0x0000004b
padding1[0..7]...
logon_hrs[0..21]...
User groups:
group rid:[0x201] attr:[0x7]
0x201
Group Name: Usuarios del dominio
Description: Todos los usuarios del dominio
Group Attribute:7
Num Members:5

1.2 ad-ldap-enum

You'll follow tool installation from github: https://github.com/CroweCybersecurity/ad-ldap-enum

Tool execution over domain:

kali@kali:/opt/ad-ldap-enum$ python ad-ldap-enum.py -l 10.0.2.17 -d CORPORATIVE.DOMAIN.local -u worker2 -p Passw0rd1
2021-09-18 21:02:39 INFO Querying users
2021-09-18 21:02:39 INFO Querying groups
2021-09-18 21:02:39 INFO Querying computers
2021-09-18 21:02:39 INFO Building users dictionary
2021-09-18 21:02:39 INFO Building groups dictionary
2021-09-18 21:02:39 INFO Building computers dictionary
2021-09-18 21:02:39 INFO Exploding large groups
2021-09-18 21:02:39 INFO Building group membership
2021-09-18 21:02:39 INFO There is a total of [50] groups
2021-09-18 21:02:39 INFO Elapsed Time [0:00:00.028534]

1.3 ldapdomaindump

I include this tool because it permits one of the better recognition enumeration output that i've never seen:

Tool execution process:

ldapdomaindump -u "CORPORATIVE\worker2" -p Passw0rd1 10.0.2.17
[*] Connecting to host...
[*] Binding to host
[+] Bind OK
[*] Starting domain dump
[+] Domain dump finished

Launching a local python3 http server:

kali@kali:/tmp$ python3 -m http.server 8989
Serving HTTP on 0.0.0.0 port 8989 (http://0.0.0.0:8989/) ...
127.0.0.1 - - [18/Sep/2021 21:11:50] "GET / HTTP/1.1" 200 -
127.0.0.1 - - [18/Sep/2021 21:11:55] "GET /domain_computers.html HTTP/1.1" 200 -
127.0.0.1 - - [18/Sep/2021 21:11:58] "GET /domain_computers_by_os.html HTTP/1.1" 200 -
127.0.0.1 - - [18/Sep/2021 21:11:59] "GET /domain_groups.html HTTP/1.1" 200 -
127.0.0.1 - - [18/Sep/2021 21:12:01] "GET /domain_policy.html HTTP/1.1" 200 -
127.0.0.1 - - [18/Sep/2021 21:12:01] code 404, message File not found
127.0.0.1 - - [18/Sep/2021 21:12:01] "GET /favicon.ico HTTP/1.1" 404 -
----------------------------------------

Access to the html content from your browser:

Domain computers by operative system:

Doamain groups:

Domain policy:

Domain users:

Domain groups:

Domain computer accounts:

2. INSIDE OF DOMAIN

On that part of enumeration we perform the recognition of domain controller inside of corporate domain, using the tools from windows 10 computer client:

2.1 Windows CMD enumeration commands

Domain users:

C:\Users\worker2>net users /domain
Se procesará la solicitud en un controlador de dominio del dominio CORPORATIVE.DOMAIN.local.

Cuentas de usuario de \\CORPORATIVE-DOMAIN.CORPORATIVE.DOMAIN.local

-------------------------------------------------------------------------------
Administrador DefaultAccount Invitado
krbtgt worker1 worker2
Se ha completado el comando correctamente.

Domain groups:

C:\Users\worker2>net groups /domain
Se procesará la solicitud en un controlador de dominio del dominio CORPORATIVE.DOMAIN.local.

Cuentas de grupo de \\CORPORATIVE-DOMAIN.CORPORATIVE.DOMAIN.local

-------------------------------------------------------------------------------
*Administradores clave
*Administradores clave de la organización
*Administradores de empresas
*Administradores de esquema
*Admins. del dominio
*Controladores de dominio
*Controladores de dominio clonables
*Controladores de dominio de sólo lectura
*DnsUpdateProxy
*Enterprise Domain Controllers de sólo lectura
*Equipos del dominio
*Invitados del dominio
*Propietarios del creador de directivas de grupo
*Protected Users
*RDP
*Usuarios del dominio
Se ha completado el comando correctamente.

Groups membership:

C:\Users\worker2>net group "Usuarios del dominio" /domain
Se procesará la solicitud en un controlador de dominio del dominio CORPORATIVE.DOMAIN.local.

Nombre de grupo Usuarios del dominio
Comentario Todos los usuarios del dominio

Miembros

-------------------------------------------------------------------------------
Administrador DefaultAccount krbtgt
worker1 worker2
Se ha completado el comando correctamente.

Using wmic for domain enumeration:

Using wmic for domain groups enumeration:

2.2 Powershell: Active directory Module:

All suported functions:

PS C:\Users\worker2\Documents> Get-command -Module activedirectory

CommandType Name Version Source
----------- ---- ------- ------
Cmdlet Add-ADCentralAccessPolicyMember 1.0.0.0 ActiveDirectory
Cmdlet Add-ADComputerServiceAccount 1.0.0.0 ActiveDirectory
Cmdlet Add-ADDomainControllerPasswordReplicationPolicy 1.0.0.0 ActiveDirectory
Cmdlet Add-ADFineGrainedPasswordPolicySubject 1.0.0.0 ActiveDirectory
Cmdlet Add-ADGroupMember 1.0.0.0 ActiveDirectory
Cmdlet Add-ADPrincipalGroupMembership 1.0.0.0 ActiveDirectory
Cmdlet Add-ADResourcePropertyListMember 1.0.0.0 ActiveDirectory
Cmdlet Clear-ADAccountExpiration 1.0.0.0 ActiveDirectory
Cmdlet Clear-ADClaimTransformLink 1.0.0.0 ActiveDirectory
Cmdlet Disable-ADAccount 1.0.0.0 ActiveDirectory
Cmdlet Disable-ADOptionalFeature 1.0.0.0 ActiveDirectory
Cmdlet Enable-ADAccount 1.0.0.0 ActiveDirectory
Cmdlet Enable-ADOptionalFeature 1.0.0.0 ActiveDirectory
Cmdlet Get-ADAccountAuthorizationGroup 1.0.0.0 ActiveDirectory
Cmdlet Get-ADAccountResultantPasswordReplicationPolicy 1.0.0.0 ActiveDirectory
Cmdlet Get-ADAuthenticationPolicy 1.0.0.0 ActiveDirectory
Cmdlet Get-ADAuthenticationPolicySilo 1.0.0.0 ActiveDirectory
Cmdlet Get-ADCentralAccessPolicy 1.0.0.0 ActiveDirectory
Cmdlet Get-ADCentralAccessRule 1.0.0.0 ActiveDirectory
Cmdlet Get-ADClaimTransformPolicy 1.0.0.0 ActiveDirectory
Cmdlet Get-ADClaimType 1.0.0.0 ActiveDirectory
Cmdlet Get-ADComputer 1.0.0.0 ActiveDirectory
Cmdlet Get-ADComputerServiceAccount 1.0.0.0 ActiveDirectory
Cmdlet Get-ADDCCloningExcludedApplicationList 1.0.0.0 ActiveDirectory
Cmdlet Get-ADDefaultDomainPasswordPolicy 1.0.0.0 ActiveDirectory
Cmdlet Get-ADDomain 1.0.0.0 ActiveDirectory
Cmdlet Get-ADDomainController 1.0.0.0 ActiveDirectory
Cmdlet Get-ADDomainControllerPasswordReplicationPolicy 1.0.0.0 ActiveDirectory
Cmdlet Get-ADDomainControllerPasswordReplicationPolicy... 1.0.0.0 ActiveDirectory
Cmdlet Get-ADFineGrainedPasswordPolicy 1.0.0.0 ActiveDirectory
Cmdlet Get-ADFineGrainedPasswordPolicySubject 1.0.0.0 ActiveDirectory
Cmdlet Get-ADForest 1.0.0.0 ActiveDirectory
Cmdlet Get-ADGroup 1.0.0.0 ActiveDirectory
Cmdlet Get-ADGroupMember 1.0.0.0 ActiveDirectory
Cmdlet Get-ADObject 1.0.0.0 ActiveDirectory
Cmdlet Get-ADOptionalFeature 1.0.0.0 ActiveDirectory
Cmdlet Get-ADOrganizationalUnit 1.0.0.0 ActiveDirectory
Cmdlet Get-ADPrincipalGroupMembership 1.0.0.0 ActiveDirectory
Cmdlet Get-ADReplicationAttributeMetadata 1.0.0.0 ActiveDirectory
Cmdlet Get-ADReplicationConnection 1.0.0.0 ActiveDirectory
Cmdlet Get-ADReplicationFailure 1.0.0.0 ActiveDirectory
Cmdlet Get-ADReplicationPartnerMetadata 1.0.0.0 ActiveDirectory
Cmdlet Get-ADReplicationQueueOperation 1.0.0.0 ActiveDirectory
Cmdlet Get-ADReplicationSite 1.0.0.0 ActiveDirectory
Cmdlet Get-ADReplicationSiteLink 1.0.0.0 ActiveDirectory
Cmdlet Get-ADReplicationSiteLinkBridge 1.0.0.0 ActiveDirectory
Cmdlet Get-ADReplicationSubnet 1.0.0.0 ActiveDirectory
Cmdlet Get-ADReplicationUpToDatenessVectorTable 1.0.0.0 ActiveDirectory
Cmdlet Get-ADResourceProperty 1.0.0.0 ActiveDirectory
Cmdlet Get-ADResourcePropertyList 1.0.0.0 ActiveDirectory
Cmdlet Get-ADResourcePropertyValueType 1.0.0.0 ActiveDirectory
Cmdlet Get-ADRootDSE 1.0.0.0 ActiveDirectory
Cmdlet Get-ADServiceAccount 1.0.0.0 ActiveDirectory
Cmdlet Get-ADTrust 1.0.0.0 ActiveDirectory
Cmdlet Get-ADUser 1.0.0.0 ActiveDirectory
Cmdlet Get-ADUserResultantPasswordPolicy 1.0.0.0 ActiveDirectory
Cmdlet Grant-ADAuthenticationPolicySiloAccess 1.0.0.0 ActiveDirectory
Cmdlet Install-ADServiceAccount 1.0.0.0 ActiveDirectory
Cmdlet Move-ADDirectoryServer 1.0.0.0 ActiveDirectory
Cmdlet Move-ADDirectoryServerOperationMasterRole 1.0.0.0 ActiveDirectory
Cmdlet Move-ADObject 1.0.0.0 ActiveDirectory
Cmdlet New-ADAuthenticationPolicy 1.0.0.0 ActiveDirectory
Cmdlet New-ADAuthenticationPolicySilo 1.0.0.0 ActiveDirectory
Cmdlet New-ADCentralAccessPolicy 1.0.0.0 ActiveDirectory
Cmdlet New-ADCentralAccessRule 1.0.0.0 ActiveDirectory
Cmdlet New-ADClaimTransformPolicy 1.0.0.0 ActiveDirectory
Cmdlet New-ADClaimType 1.0.0.0 ActiveDirectory
Cmdlet New-ADComputer 1.0.0.0 ActiveDirectory
Cmdlet New-ADDCCloneConfigFile 1.0.0.0 ActiveDirectory
Cmdlet New-ADFineGrainedPasswordPolicy 1.0.0.0 ActiveDirectory
Cmdlet New-ADGroup 1.0.0.0 ActiveDirectory
Cmdlet New-ADObject 1.0.0.0 ActiveDirectory
Cmdlet New-ADOrganizationalUnit 1.0.0.0 ActiveDirectory
Cmdlet New-ADReplicationSite 1.0.0.0 ActiveDirectory
Cmdlet New-ADReplicationSiteLink 1.0.0.0 ActiveDirectory
Cmdlet New-ADReplicationSiteLinkBridge 1.0.0.0 ActiveDirectory
Cmdlet New-ADReplicationSubnet 1.0.0.0 ActiveDirectory
Cmdlet New-ADResourceProperty 1.0.0.0 ActiveDirectory
Cmdlet New-ADResourcePropertyList 1.0.0.0 ActiveDirectory
Cmdlet New-ADServiceAccount 1.0.0.0 ActiveDirectory
Cmdlet New-ADUser 1.0.0.0 ActiveDirectory
Cmdlet Remove-ADAuthenticationPolicy 1.0.0.0 ActiveDirectory
Cmdlet Remove-ADAuthenticationPolicySilo 1.0.0.0 ActiveDirectory
Cmdlet Remove-ADCentralAccessPolicy 1.0.0.0 ActiveDirectory
Cmdlet Remove-ADCentralAccessPolicyMember 1.0.0.0 ActiveDirectory
Cmdlet Remove-ADCentralAccessRule 1.0.0.0 ActiveDirectory
Cmdlet Remove-ADClaimTransformPolicy 1.0.0.0 ActiveDirectory
Cmdlet Remove-ADClaimType 1.0.0.0 ActiveDirectory
Cmdlet Remove-ADComputer 1.0.0.0 ActiveDirectory
Cmdlet Remove-ADComputerServiceAccount 1.0.0.0 ActiveDirectory
Cmdlet Remove-ADDomainControllerPasswordReplicationPolicy 1.0.0.0 ActiveDirectory
Cmdlet Remove-ADFineGrainedPasswordPolicy 1.0.0.0 ActiveDirectory
Cmdlet Remove-ADFineGrainedPasswordPolicySubject 1.0.0.0 ActiveDirectory
Cmdlet Remove-ADGroup 1.0.0.0 ActiveDirectory
Cmdlet Remove-ADGroupMember 1.0.0.0 ActiveDirectory
Cmdlet Remove-ADObject 1.0.0.0 ActiveDirectory
Cmdlet Remove-ADOrganizationalUnit 1.0.0.0 ActiveDirectory
Cmdlet Remove-ADPrincipalGroupMembership 1.0.0.0 ActiveDirectory
Cmdlet Remove-ADReplicationSite 1.0.0.0 ActiveDirectory
Cmdlet Remove-ADReplicationSiteLink 1.0.0.0 ActiveDirectory
Cmdlet Remove-ADReplicationSiteLinkBridge 1.0.0.0 ActiveDirectory
Cmdlet Remove-ADReplicationSubnet 1.0.0.0 ActiveDirectory
Cmdlet Remove-ADResourceProperty 1.0.0.0 ActiveDirectory
Cmdlet Remove-ADResourcePropertyList 1.0.0.0 ActiveDirectory
Cmdlet Remove-ADResourcePropertyListMember 1.0.0.0 ActiveDirectory
Cmdlet Remove-ADServiceAccount 1.0.0.0 ActiveDirectory
Cmdlet Remove-ADUser 1.0.0.0 ActiveDirectory
Cmdlet Rename-ADObject 1.0.0.0 ActiveDirectory
Cmdlet Reset-ADServiceAccountPassword 1.0.0.0 ActiveDirectory
Cmdlet Restore-ADObject 1.0.0.0 ActiveDirectory
Cmdlet Revoke-ADAuthenticationPolicySiloAccess 1.0.0.0 ActiveDirectory
Cmdlet Search-ADAccount 1.0.0.0 ActiveDirectory
Cmdlet Set-ADAccountAuthenticationPolicySilo 1.0.0.0 ActiveDirectory
Cmdlet Set-ADAccountControl 1.0.0.0 ActiveDirectory
Cmdlet Set-ADAccountExpiration 1.0.0.0 ActiveDirectory
Cmdlet Set-ADAccountPassword 1.0.0.0 ActiveDirectory
Cmdlet Set-ADAuthenticationPolicy 1.0.0.0 ActiveDirectory
Cmdlet Set-ADAuthenticationPolicySilo 1.0.0.0 ActiveDirectory
Cmdlet Set-ADCentralAccessPolicy 1.0.0.0 ActiveDirectory
Cmdlet Set-ADCentralAccessRule 1.0.0.0 ActiveDirectory
Cmdlet Set-ADClaimTransformLink 1.0.0.0 ActiveDirectory
Cmdlet Set-ADClaimTransformPolicy 1.0.0.0 ActiveDirectory
Cmdlet Set-ADClaimType 1.0.0.0 ActiveDirectory
Cmdlet Set-ADComputer 1.0.0.0 ActiveDirectory
Cmdlet Set-ADDefaultDomainPasswordPolicy 1.0.0.0 ActiveDirectory
Cmdlet Set-ADDomain 1.0.0.0 ActiveDirectory
Cmdlet Set-ADDomainMode 1.0.0.0 ActiveDirectory
Cmdlet Set-ADFineGrainedPasswordPolicy 1.0.0.0 ActiveDirectory
Cmdlet Set-ADForest 1.0.0.0 ActiveDirectory
Cmdlet Set-ADForestMode 1.0.0.0 ActiveDirectory
Cmdlet Set-ADGroup 1.0.0.0 ActiveDirectory
Cmdlet Set-ADObject 1.0.0.0 ActiveDirectory
Cmdlet Set-ADOrganizationalUnit 1.0.0.0 ActiveDirectory
Cmdlet Set-ADReplicationConnection 1.0.0.0 ActiveDirectory
Cmdlet Set-ADReplicationSite 1.0.0.0 ActiveDirectory
Cmdlet Set-ADReplicationSiteLink 1.0.0.0 ActiveDirectory
Cmdlet Set-ADReplicationSiteLinkBridge 1.0.0.0 ActiveDirectory
Cmdlet Set-ADReplicationSubnet 1.0.0.0 ActiveDirectory
Cmdlet Set-ADResourceProperty 1.0.0.0 ActiveDirectory
Cmdlet Set-ADResourcePropertyList 1.0.0.0 ActiveDirectory
Cmdlet Set-ADServiceAccount 1.0.0.0 ActiveDirectory
Cmdlet Set-ADUser 1.0.0.0 ActiveDirectory
Cmdlet Show-ADAuthenticationPolicyExpression 1.0.0.0 ActiveDirectory
Cmdlet Sync-ADObject 1.0.0.0 ActiveDirectory
Cmdlet Test-ADServiceAccount 1.0.0.0 ActiveDirectory
Cmdlet Uninstall-ADServiceAccount 1.0.0.0 ActiveDirectory
Cmdlet Unlock-ADAccount 1.0.0.0 ActiveDirectory

Execution examples:

- Get domain users:

PS C:\Users\worker2\Documents> Get-ADUser

cmdlet Get-ADUser en la posición 1 de la canalización de comandos
Proporcione valores para los parámetros siguientes:
(Escriba !? para obtener Ayuda).
Filter: *

DistinguishedName : CN=Administrador,CN=Users,DC=CORPORATIVE,DC=DOMAIN,DC=local
Enabled : True
GivenName :
Name : Administrador
ObjectClass : user
ObjectGUID : fac68faf-e080-4edc-8c0d-e9074b6b245e
SamAccountName : Administrador
SID : S-1-5-21-2048228633-4105951457-1013245227-500
Surname :
UserPrincipalName :

DistinguishedName : CN=Invitado,CN=Users,DC=CORPORATIVE,DC=DOMAIN,DC=local
Enabled : False
GivenName :
Name : Invitado
ObjectClass : user
ObjectGUID : e97cfc2c-0d03-47e6-8da7-9196cb028e2f
SamAccountName : Invitado
SID : S-1-5-21-2048228633-4105951457-1013245227-501
Surname :
UserPrincipalName :

DistinguishedName : CN=DefaultAccount,CN=Users,DC=CORPORATIVE,DC=DOMAIN,DC=local
Enabled : False
GivenName :
Name : DefaultAccount
ObjectClass : user
ObjectGUID : 34b807f2-66a4-47cd-b140-20f32341c678
SamAccountName : DefaultAccount
SID : S-1-5-21-2048228633-4105951457-1013245227-503
Surname :
UserPrincipalName :

DistinguishedName : CN=krbtgt,CN=Users,DC=CORPORATIVE,DC=DOMAIN,DC=local
Enabled : False
GivenName :
Name : krbtgt
ObjectClass : user
ObjectGUID : 32daa5cd-711e-4054-9dba-e718739a7c0f
SamAccountName : krbtgt
SID : S-1-5-21-2048228633-4105951457-1013245227-502
Surname :
UserPrincipalName :

DistinguishedName : CN=trabajador1,CN=Users,DC=CORPORATIVE,DC=DOMAIN,DC=local
Enabled : True
GivenName : trabajador1
Name : trabajador1
ObjectClass : user
ObjectGUID : 1c1959f2-3042-48a0-8127-2266b90fc647
SamAccountName : worker1
SID : S-1-5-21-2048228633-4105951457-1013245227-1106
Surname :
UserPrincipalName : worker1@CORPORATIVE.DOMAIN.local

DistinguishedName : CN=trabajador2,CN=Users,DC=CORPORATIVE,DC=DOMAIN,DC=local
Enabled : True
GivenName : trabajador2
Name : trabajador2
ObjectClass : user
ObjectGUID : 29a63c66-b44a-48cf-93bc-b1acdd9ca77a
SamAccountName : worker2
SID : S-1-5-21-2048228633-4105951457-1013245227-1107
Surname :
UserPrincipalName : worker2@CORPORATIVE.DOMAIN.local

- Obtaining domain groups:

PS C:\Users\worker2\Documents> Get-ADGroup

cmdlet Get-ADGroup en la posición 1 de la canalización de comandos
Proporcione valores para los parámetros siguientes:
(Escriba !? para obtener Ayuda).
Filter: *

DistinguishedName : CN=Administradores,CN=Builtin,DC=CORPORATIVE,DC=DOMAIN,DC=local
GroupCategory : Security
GroupScope : DomainLocal
Name : Administradores
ObjectClass : group
ObjectGUID : b8cbfc78-0068-4e59-8de0-bd29995f88f2
SamAccountName : Administradores
SID : S-1-5-32-544

DistinguishedName : CN=Usuarios,CN=Builtin,DC=CORPORATIVE,DC=DOMAIN,DC=local
GroupCategory : Security
GroupScope : DomainLocal
Name : Usuarios
ObjectClass : group
ObjectGUID : b4da0565-18ab-405c-8236-052cc188f9cd
SamAccountName : Usuarios
SID : S-1-5-32-545

DistinguishedName : CN=Invitados,CN=Builtin,DC=CORPORATIVE,DC=DOMAIN,DC=local
GroupCategory : Security
GroupScope : DomainLocal
Name : Invitados
ObjectClass : group
ObjectGUID : 4ff00d11-fd45-418e-833f-ce1775122be3
SamAccountName : Invitados
SID : S-1-5-32-546

DistinguishedName : CN=Opers. de impresión,CN=Builtin,DC=CORPORATIVE,DC=DOMAIN,DC=local
GroupCategory : Security
GroupScope : DomainLocal
Name : Opers. de impresión
ObjectClass : group
ObjectGUID : f0082985-9e5b-4968-9517-7007bc0048eb
SamAccountName : Opers. de impresión
SID : S-1-5-32-550

.....

etc

- Obtaining Domain Computers:

PS C:\Users\worker2\Documents> Get-ADComputer

cmdlet Get-ADComputer en la posición 1 de la canalización de comandos
Proporcione valores para los parámetros siguientes:
(Escriba !? para obtener Ayuda).
Filter: *
DistinguishedName : CN=CORPORATIVE-DOM,OU=Domain Controllers,DC=CORPORATIVE,DC=DOMAIN,DC=local
DNSHostName : CORPORATIVE-DOMAIN.CORPORATIVE.DOMAIN.local
Enabled : True
Name : CORPORATIVE-DOM
ObjectClass : computer
ObjectGUID : cda5f480-f490-4cbf-bf0f-354e232a603d
SamAccountName : CORPORATIVE-DOM$
SID : S-1-5-21-2048228633-4105951457-1013245227-1000
UserPrincipalName :

DistinguishedName : CN=WKS-002,CN=Computers,DC=CORPORATIVE,DC=DOMAIN,DC=local
DNSHostName : WKS-002.CORPORATIVE.DOMAIN.local
Enabled : True
Name : WKS-002
ObjectClass : computer
ObjectGUID : fb8e2755-be32-43bd-90e1-3c259e1df104
SamAccountName : WKS-002$
SID : S-1-5-21-2048228633-4105951457-1013245227-1103
UserPrincipalName :

DistinguishedName : CN=WKS-001,CN=Computers,DC=CORPORATIVE,DC=DOMAIN,DC=local
DNSHostName : WKS-001.CORPORATIVE.DOMAIN.local
Enabled : True
Name : WKS-001
ObjectClass : computer
ObjectGUID : e5c3910e-a9f2-403d-922a-35d41451308f
SamAccountName : WKS-001$
SID : S-1-5-21-2048228633-4105951457-1013245227-1104
UserPrincipalName :

- Obtaining Default domain Access policy:

PS C:\Users\worker2\Documents> Get-ADDefaultDomainPasswordPolicy

ComplexityEnabled : True
DistinguishedName : DC=CORPORATIVE,DC=DOMAIN,DC=local
LockoutDuration : 00:30:00
LockoutObservationWindow : 00:30:00
LockoutThreshold : 0
MaxPasswordAge : 42.00:00:00
MinPasswordAge : 1.00:00:00
MinPasswordLength : 7
objectClass : {domainDNS}
objectGuid : 2628752b-488d-4d56-83c1-6a3088415297
PasswordHistoryCount : 24
ReversibleEncryptionEnabled : False

2.3 Powershell: Powerview Module

Interesting functions for enumeration:

Domain/LDAP Functions:

Get-DomainDNSZone               -   enumerates the Active Directory DNS zones for a given domain
Get-DomainDNSRecord             -   enumerates the Active Directory DNS records for a given zone
Get-Domain                      -   returns the domain object for the current (or specified) domain
Get-DomainController            -   return the domain controllers for the current (or specified) domain
Get-Forest                      -   returns the forest object for the current (or specified) forest
Get-ForestDomain                -   return all domains for the current (or specified) forest
Get-ForestGlobalCatalog         -   return all global catalogs for the current (or specified) forest
Find-DomainObjectPropertyOutlier-   inds user/group/computer objects in AD that have 'outlier' properties set
Get-DomainUser                  -   return all users or specific user objects in AD
New-DomainUser                  -   creates a new domain user (assuming appropriate permissions) and returns the user object
Get-DomainUserEvent             -   enumerates account logon events (ID 4624) and Logon with explicit credential events
Get-DomainComputer              -   returns all computers or specific computer objects in AD
Get-DomainObject                -   returns all (or specified) domain objects in AD
Set-DomainObject                -   modifies a gven property for a specified active directory object
Get-DomainObjectAcl             -   returns the ACLs associated with a specific active directory object
Add-DomainObjectAcl             -   adds an ACL for a specific active directory object
Find-InterestingDomainAcl       -   finds object ACLs in the current (or specified) domain with modification rights set to non-built in objects
Get-DomainOU                    -   search for all organization units (OUs) or specific OU objects in AD
Get-DomainSite                  -   search for all sites or specific site objects in AD
Get-DomainSubnet                -   search for all subnets or specific subnets objects in AD
Get-DomainSID                   -   returns the SID for the current domain or the specified domain
Get-DomainGroup                 -   return all groups or specific group objects in AD
New-DomainGroup                 -   creates a new domain group (assuming appropriate permissions) and returns the group object
Get-DomainManagedSecurityGroup  -   returns all security groups in the current (or target) domain that have a manager set
Get-DomainGroupMember           -   return the members of a specific domain group
Add-DomainGroupMember           -   adds a domain user (or group) to an existing domain group, assuming appropriate permissions to do so
Get-DomainFileServer            -   returns a list of servers likely functioning as file servers
Get-DomainDFSShare              -   returns a list of all fault-tolerant distributed file systems for the current (or specified) domain

GPO functions

Get-DomainGPO                           -   returns all GPOs or specific GPO objects in AD
Get-DomainGPOLocalGroup                 -   returns all GPOs in a domain that modify local group memberships through 'Restricted Groups' or Group Policy preferences
Get-DomainGPOUserLocalGroupMapping      -   enumerates the machines where a specific domain user/group is a member of a specific local group, all through GPO correlation
Get-DomainGPOComputerLocalGroupMapping  -   takes a computer (or GPO) object and determines what users/groups are in the specified local group for the machine through GPO correlation
Get-DomainPolicy                        -   returns the default domain policy or the domain controller policy for the current domain or a specified domain/domain controller

Computer Enumeration Functions

Get-NetLocalGroup                   -   enumerates the local groups on the local (or remote) machine
Get-NetLocalGroupMember             -   enumerates members of a specific local group on the local (or remote) machine
Get-NetShare                        -   returns open shares on the local (or a remote) machine
Get-NetLoggedon                     -   returns users logged on the local (or a remote) machine
Get-NetSession                      -   returns session information for the local (or a remote) machine
Get-RegLoggedOn                     -   returns who is logged onto the local (or a remote) machine through enumeration of remote registry keys
Get-NetRDPSession                   -   returns remote desktop/session information for the local (or a remote) machine
Test-AdminAccess                    -   rests if the current user has administrative access to the local (or a remote) machine
Get-NetComputerSiteName             -   returns the AD site where the local (or a remote) machine resides
Get-WMIRegProxy                     -   enumerates the proxy server and WPAD conents for the current user
Get-WMIRegLastLoggedOn              -   returns the last user who logged onto the local (or a remote) machine
Get-WMIRegCachedRDPConnection       -   returns information about RDP connections outgoing from the local (or remote) machine
Get-WMIRegMountedDrive              -   returns information about saved network mounted drives for the local (or remote) machine
Get-WMIProcess                      -   returns a list of processes and their owners on the local or remote machine
Find-InterestingFile                -   searches for files on the given path that match a series of specified criteria


Execution examples:

PS C:\Users\worker2\Documents\PowerSploit-3.0.0\Recon> Get-DomainSID

S-1-5-21-2048228633-4105951457-1013245227

PS C:\Users\worker2\Documents\PowerSploit-3.0.0\Recon> Get-DomainPolicy

RegistryValues : @{MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=System.String[]}

SystemAccess   : @{MinimumPasswordAge=1; MaximumPasswordAge=42; LockoutBadCount=0; PasswordComplexity=1;

                 RequireLogonToChangePassword=0; LSAAnonymousNameLookup=0; ForceLogoffWhenHourExpire=0;

                 PasswordHistorySize=24; ClearTextPassword=0; MinimumPasswordLength=7}

Version        : @{Revision=1; signature="$CHICAGO$"}

KerberosPolicy : @{MaxTicketAge=10; MaxServiceAge=600; MaxClockSkew=5; MaxRenewAge=7;

                 TicketValidateClient=1}

Unicode        : @{Unicode=yes}

PS C:\Users\worker2\Documents\PowerSploit-3.0.0\Recon> Get-UserProperty

Name

----

accountexpires

admincount

adspath

badpasswordtime

badpwdcount

cn

codepage

countrycode

description

distinguishedname

dscorepropagationdata

instancetype

iscriticalsystemobject

lastlogoff

lastlogon

lastlogontimestamp

logoncount

memberof

name

objectcategory

objectclass

objectguid

objectsid

primarygroupid

pwdlastset

samaccountname

samaccounttype

useraccountcontrol

usnchanged

usncreated

whenchanged

whencreated

 And this is all, for this Active directory recognition, I hope that you enjoy with my seventh windows entry and you'll follow my blog [https://roadtooscp-f0ns1.blogspot.com/]. We'll keep in touch.

with kind regards, f0ns1

RoadToOSCP

Total Pageviews

Saturday, September 18, 2021

Active Directory CORPORATIVE.domain.local Series[VII] : Active Directory Enumeration process

1. OUTSIDE OF DOMAIN

1.1 RPCCLIENT:

1.2 ad-ldap-enum

1.3 ldapdomaindump

2. INSIDE OF DOMAIN

2.1 Windows CMD enumeration commands

2.2 Powershell: Active directory Module:

2.3 Powershell: Powerview Module

Domain/LDAP Functions:

GPO functions

Computer Enumeration Functions

with kind regards, f0ns1

No comments:

Post a Comment

Mi primera experiencia en una conferencia:

Report Abuse