Credentialed Enumeration - from Windows
Active Directory PowerShell Module
The ActiveDirectory PowerShell module is a group of PowerShell cmdlets for administering an Active Directory environment from the command line. It consists of 147 different cmdlets at the time of writing. We can check the modules that are already loaded in PowerShell using the command:
Get-Module
If the ActiveDirectory module is not loaded, we can load it using:
Import-Module ActiveDirectory
Let's look at the cmdlets.
Get-ADDomain
This will give us some valuable information about the domain such as the domain SID, domain functional level, any child domains, etc.
Next, to get user information we can use the Get-ADUser cmdlet filtered on the ServicePrincipalName property:
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName
Next, we can determine whether there are trusts within our forest or with domains in other forests, the type of trust, the direction of the trust, and the name of the domain the relationship is with:
Get-ADTrust -Filter *
Next, we can gather AD group information:
Get-ADGroup -Filter * | select name
# To get detailed info on a specific group
Get-ADGroup -Identity "Backup Operators"
Next, we can get the members of a group:
Get-ADGroupMember -Identity "Backup Operators"
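As an added example (not part of the original notes), the same module cmdlets can be turned into a quick hygiene audit of the privileged groups just queried: it expands nested membership with Get-ADGroupMember -Recursive and flags members that are disabled, have non-expiring or stale passwords, or have not logged on recently. The group list and the day thresholds are assumed defaults.

```powershell
# Added example (not from the original page): audit nested membership of
# high-privilege groups with the ActiveDirectory module and flag hygiene
# issues a defender should clean up. Group list and thresholds are assumptions.
Import-Module ActiveDirectory

function Get-PrivilegedMemberReport {
    param(
        [string[]]$Groups = @('Domain Admins', 'Enterprise Admins', 'Administrators', 'Backup Operators'),
        [int]$StalePasswordDays = 180,
        [int]$StaleLogonDays = 90
    )
    $now = Get-Date
    foreach ($group in $Groups) {
        # -Recursive expands nested groups, so indirect members are reported too
        $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
            Where-Object { $_.objectClass -eq 'user' }
        foreach ($m in $members) {
            # Members from trusted domains (foreign security principals) cannot be resolved here; skip them
            $u = Get-ADUser -Identity $m.DistinguishedName -Properties PasswordLastSet, LastLogonDate, PasswordNeverExpires -ErrorAction SilentlyContinue
            if (-not $u) { continue }
            $findings = @()
            if (-not $u.Enabled) { $findings += 'disabled-but-still-member' }
            if ($u.PasswordNeverExpires) { $findings += 'password-never-expires' }
            if ($u.PasswordLastSet -and ($now - $u.PasswordLastSet).Days -gt $StalePasswordDays) {
                $findings += "password-older-than-${StalePasswordDays}d"
            }
            # LastLogonDate derives from lastLogonTimestamp, which replicates lazily (up to ~14 days behind)
            if ($u.LastLogonDate -and ($now - $u.LastLogonDate).Days -gt $StaleLogonDays) {
                $findings += "no-logon-in-${StaleLogonDays}d"
            }
            [pscustomobject]@{
                Group           = $group
                SamAccountName  = $u.SamAccountName
                Enabled         = $u.Enabled
                PasswordLastSet = $u.PasswordLastSet
                Findings        = ($findings -join ', ')
            }
        }
    }
}

# Usage: show only members that have at least one finding
Get-PrivilegedMemberReport | Where-Object Findings | Sort-Object Group, SamAccountName | Format-Table -AutoSize
```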
PowerView
PowerView is a tool written in PowerShell to help us gain situational awareness within an AD environment. Much like BloodHound, it provides a way to identify where users are logged in on a network, enumerate domain information such as users, computers, groups, ACLs, and trusts, hunt for file shares and passwords, perform Kerberoasting, and more.
Here are some useful functions that PowerView offers:
Export-PowerViewCSV - Append results to a CSV file
ConvertTo-SID - Convert a user or group name to its SID value
Get-DomainSPNTicket - Requests the Kerberos ticket for a specified Service Principal Name (SPN) account
Domain/LDAP Functions:
Get-Domain - Will return the AD object for the current (or specified) domain
Get-DomainController - Return a list of the Domain Controllers for the specified domain
Get-DomainUser - Will return all users or specific user objects in AD
Get-DomainComputer - Will return all computers or specific computer objects in AD
Get-DomainGroup - Will return all groups or specific group objects in AD
Get-DomainOU - Search for all or specific OU objects in AD
Find-InterestingDomainAcl - Finds object ACLs in the domain with modification rights set to non-built-in objects
Get-DomainGroupMember - Will return the members of a specific domain group
Get-DomainFileServer - Returns a list of servers likely functioning as file servers
Get-DomainDFSShare - Returns a list of all distributed file systems for the current (or specified) domain
GPO Functions:
Get-DomainGPO - Will return all GPOs or specific GPO objects in AD
Get-DomainPolicy - Returns the default domain policy or the domain controller policy for the current domain
Computer Enumeration Functions:
Get-NetLocalGroup - Enumerates local groups on the local or a remote machine
Get-NetLocalGroupMember - Enumerates members of a specific local group
Get-NetShare - Returns open shares on the local (or a remote) machine
Get-NetSession - Will return session information for the local (or a remote) machine
Test-AdminAccess - Tests if the current user has administrative access to the local (or a remote) machine
Threaded 'Meta'-Functions:
Find-DomainUserLocation - Finds machines where specific users are logged in
Find-DomainShare - Finds reachable shares on domain machines
Find-InterestingDomainShareFile - Searches for files matching specific criteria on readable shares in the domain
Find-LocalAdminAccess - Find machines on the local domain where the current user has local administrator access
Domain Trust Functions:
Get-DomainTrust - Returns domain trusts for the current domain or a specified domain
Get-ForestTrust - Returns all forest trusts for the current forest or a specified forest
Get-DomainForeignUser - Enumerates users who are in groups outside of the user's domain
Get-DomainForeignGroupMember - Enumerates groups with users outside of the group's domain and returns each foreign member
Get-DomainTrustMapping - Will enumerate all trusts for the current domain and any others seen
Let's look at user information for the user mmorgan:
Get-DomainUser -Identity mmorgan -Domain inlanefreight.local | Select-Object -Property name,samaccountname,description,memberof,whencreated,pwdlastset,lastlogontimestamp,accountexpires,admincount,userprincipalname,serviceprincipalname,useraccountcontrol
Next, looking at group information, including nested groups, with -Recurse:
Get-DomainGroupMember -Identity "Domain Admins" -Recurse
Next, enumerating trust information:
Get-DomainTrustMapping
Next, we can check whether the current user has admin access to a host:
Test-AdminAccess -ComputerName ACADEMY-EA-MS01
Next, we can check for users with the SPN property set, which indicates they might be susceptible to a Kerberoasting attack:
Get-DomainUser -SPN -Properties samaccountname,ServicePrincipalName
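The SPN check here and the Get-ADUser SPN filter in the ActiveDirectory module section return the same set of accounts. The following added example (not from the original page) uses the module cmdlets to rank those accounts by Kerberoasting exposure, so a defender knows which service accounts to move to a gMSA or a long random password first. The password-age threshold and the scoring weights are assumptions; the msDS-SupportedEncryptionTypes bit values are the documented ones.

```powershell
# Added example (not from the original page): list every user account that
# carries an SPN and score its Kerberoasting exposure. Thresholds and weights
# are assumptions; encryption-type bits follow the documented attribute layout.
Import-Module ActiveDirectory

function Get-KerberoastExposure {
    param([int]$MaxPasswordAgeDays = 365)
    $now = Get-Date
    $props = 'ServicePrincipalName', 'PasswordLastSet', 'AdminCount', 'Enabled', 'msDS-SupportedEncryptionTypes'
    # krbtgt always has an SPN and is governed by other controls, so it is excluded
    Get-ADUser -Filter 'ServicePrincipalName -like "*" -and SamAccountName -ne "krbtgt"' -Properties $props |
        ForEach-Object {
            $enc = $_.'msDS-SupportedEncryptionTypes'
            # 0x4 = RC4, 0x8 = AES128, 0x10 = AES256. Unset/0 means the KDC may fall
            # back to RC4 on most domains, so treat it as RC4-capable.
            $rc4     = (-not $enc) -or (($enc -band 0x4) -ne 0)
            $aesOnly = [bool]$enc -and (($enc -band 0x18) -ne 0) -and (($enc -band 0x4) -eq 0)
            $age = if ($_.PasswordLastSet) { ($now - $_.PasswordLastSet).Days } else { $null }
            $score = 0
            if ($_.Enabled) { $score += 1 }
            if ($rc4) { $score += 2 }                   # RC4 tickets crack far faster than AES
            if ($_.AdminCount -eq 1) { $score += 3 }    # privileged (AdminSDHolder-protected) account
            if ($null -eq $age -or $age -gt $MaxPasswordAgeDays) { $score += 2 }
            [pscustomobject]@{
                SamAccountName  = $_.SamAccountName
                Enabled         = $_.Enabled
                Privileged      = ($_.AdminCount -eq 1)
                PasswordAgeDays = $age
                AESOnly         = $aesOnly
                SPNCount        = @($_.ServicePrincipalName).Count
                RiskScore       = $score
            }
        } | Sort-Object RiskScore -Descending
}

# Usage: highest-risk service accounts first; candidates for a gMSA or a long random password
Get-KerberoastExposure | Format-Table -AutoSize
```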
Snaffler
Snaffler is a tool that can help us find credentials or other sensitive data in an Active Directory environment. Snaffler works by obtaining a list of hosts within the domain and then enumerating those hosts for shares and readable directories.
# -s outputs results to the terminal; for -v, data is the best option
Snaffler.exe -s -d inlanefreight.local -o snaffler.log -v data
BloodHound
BloodHound is an exceptional open-source tool that can identify attack paths within an AD environment by analyzing the relationships between objects.
First, we run SharpHound while on the same network as the domain:
.\SharpHound.exe -c All --zipfilename ILFREIGHT
Next, we upload the resulting zip into the BloodHound GUI, where we can run queries such as Find Computers with Unsupported Operating Systems to find legacy systems that might be a good attack surface. We can also run the query Find Computers where Domain Users are Local Admin to quickly see if there are any hosts where all users have local admin rights.