My OSCP Journey: Tips, Tricks, and Cheat Sheets
AD Manual Enumeration

Users / Groups / Computers

  • Look for users with high privileges across the domain, e.g. members of Domain Admins or derivative local admins (users who reach admin on a host through group nesting).

  • Look for custom groups.

# get a list of all users in the domain
cmd> net user /domain
PS> Get-NetUser | select cn # Using PowerView.ps1

# get details about a specific user
cmd> net user [username] /domain # fails for accounts with more than 10 group memberships
PS> Get-ADUser -Identity <username> -Server asd.domain.com -Properties * # PowerShell AD module
PS> Get-ADUser -Filter 'Name -like "*lorenzo"' -Server asd.domain.com | Format-Table Name,SamAccountName -A # filter users by name

# get a list of all groups in the domain
cmd> net group /domain
PS> Get-NetGroup -GroupName * # Using PowerView.ps1

# enumerate a specific AD group
PS> Get-ADGroup -Identity Administrators -Server asd.domain.com

# get details such as the membership of a group
cmd> net group [groupname] /domain
PS> Get-ADGroupMember -Identity Administrators -Server domain.com # PowerShell AD module

# get the password policy of the domain
cmd> net accounts /domain

# get all AD objects that were changed after a specific date
PS> $ChangeDate = New-Object DateTime(2022, 02, 28, 12, 00, 00)
PS> Get-ADObject -Filter 'whenChanged -gt $ChangeDate' -IncludeDeletedObjects -Server asd.domain.com

# enumerate accounts whose badPwdCount is greater than 0
# useful to avoid these accounts in our brute-force attacks
PS> Get-ADObject -Filter 'badPwdCount -gt 0' -Server domain.com

# get additional information about the specific domain
PS> Get-ADDomain -Server asd.domain.com

# get all computers in the domain
cmd> net view
cmd> net view /domain

# get resources/shares of a specified computer
cmd> net view \\[computer_name] /domain

# get a list of all operating systems on the domain
PS> Get-NetComputer -fulldata | select operatingsystem # Using PowerView.ps1

Domain Controller hostname (PdcRoleOwner)

PS> [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

This PowerShell script collects all users along with their attributes by querying the primary DC over LDAP:

$domainObj = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$PDC = ($domainObj.PdcRoleOwner).Name                               # hostname of the primary DC
$SearchString = "LDAP://"
$SearchString += $PDC + "/"
$DistinguishedName = "DC=$($domainObj.Name.Replace('.', ',DC='))"   # asd.domain.com -> DC=asd,DC=domain,DC=com
$SearchString += $DistinguishedName                                 # LDAP://<PDC>/DC=asd,DC=domain,DC=com
$Searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$SearchString)
$objDomain = New-Object System.DirectoryServices.DirectoryEntry
$Searcher.SearchRoot = $objDomain
$Searcher.filter="samAccountType=805306368"                         # 805306368 = normal user accounts
$Result = $Searcher.FindAll()
Foreach($obj in $Result)
{
    Foreach($prop in $obj.Properties)                               # dump every attribute of the user
    {
        $prop
    }
    Write-Host "------------------------"
}

In the filter property, we can set any attribute of the object type we desire. For example, we can use the name property to create a filter for the Jeff_Admin user as shown below:

$Searcher.filter="name=Jeff_Admin"

Nested Groups

Locate all groups in the domain and print their names:

$domainObj = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$PDC = ($domainObj.PdcRoleOwner).Name
$SearchString = "LDAP://"
$SearchString += $PDC + "/"
$DistinguishedName = "DC=$($domainObj.Name.Replace('.', ',DC='))"
$SearchString += $DistinguishedName
$Searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$SearchString)
$objDomain = New-Object System.DirectoryServices.DirectoryEntry
$Searcher.SearchRoot = $objDomain
$Searcher.filter="(objectClass=group)"   # match every group object in the domain
$Result = $Searcher.FindAll()
Foreach($obj in $Result)
{
    $obj.Properties.name                 # print only the group name
}

List the members of a group by setting an appropriate filter on the name property. In addition, we will only display the member attribute to obtain the group members. Note that the member attribute holds direct members only; a user that belongs to a nested group is not listed here, so nested groups must be resolved one by one (or with a recursive query).

$domainObj = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$PDC = ($domainObj.PdcRoleOwner).Name
$SearchString = "LDAP://"
$SearchString += $PDC + "/"
$DistinguishedName = "DC=$($domainObj.Name.Replace('.', ',DC='))"
$SearchString += $DistinguishedName
$Searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$SearchString)
$objDomain = New-Object System.DirectoryServices.DirectoryEntry
$Searcher.SearchRoot = $objDomain
$Searcher.filter="(name=[group_name])"   # replace [group_name] with the group to inspect
$Result = $Searcher.FindAll()
Foreach($obj in $Result)
{
    $obj.Properties.member               # distinguished names of the direct members
}
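The script above only returns direct members. The following is an added example (not code from the original page) that resolves membership transitively with the LDAP matching rule in chain operator (OID 1.2.840.113556.1.4.1941), so users reached only through nested groups appear in a single query; it assumes a domain-joined host, and the function names are my own.

```powershell
# Added example, not from the original page. Assumes a domain-joined host.
# Group DNs are inserted into the filter verbatim; escape ( ) * \ per RFC 4515
# if a DN in your domain contains them.
function New-DomainSearcher {
    param([string]$Filter, [string[]]$Properties)
    $domainObj = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $pdc = $domainObj.PdcRoleOwner.Name
    $dn  = "DC=$($domainObj.Name.Replace('.', ',DC='))"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$pdc/$dn")
    $searcher.Filter   = $Filter
    $searcher.PageSize = 1000      # page results; otherwise the server caps a query at 1000 objects
    foreach ($p in $Properties) { [void]$searcher.PropertiesToLoad.Add($p) }
    return $searcher
}

function Get-GroupMembersRecursive {
    param([Parameter(Mandatory)][string]$GroupName)
    # 1. the chain operator needs the group's distinguishedName, not its name
    $grp = (New-DomainSearcher "(&(objectClass=group)(name=$GroupName))" @('distinguishedname','member')).FindOne()
    if (-not $grp) { throw "Group '$GroupName' not found" }
    $grpDn  = $grp.Properties['distinguishedname'][0]
    $direct = @($grp.Properties['member'])            # direct members only, as in the script above

    # 2. memberOf:1.2.840.113556.1.4.1941:= makes the DC walk memberOf transitively
    $filter = "(&(objectCategory=person)(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=$grpDn))"
    $users  = (New-DomainSearcher $filter @('samaccountname','distinguishedname')).FindAll()

    foreach ($u in $users) {
        $udn = $u.Properties['distinguishedname'][0]
        [pscustomobject]@{
            SamAccountName    = $u.Properties['samaccountname'][0]
            Nested            = ($direct -notcontains $udn)   # True = reached only via a nested group
            DistinguishedName = $udn
        }
    }
}

# Members that reach Domain Admins only through a nested group show Nested = True;
# those are the entries a privilege review most often misses.
Get-GroupMembersRecursive -GroupName 'Domain Admins' | Format-Table -AutoSize
```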

Logged-in users and active user sessions

PS> Set-ExecutionPolicy Unrestricted
PS> Import-Module .\PowerView.ps1
PS> Get-NetLoggedon -ComputerName [computer_name]    # enum logged-in users
PS> Get-NetSession -ComputerName [domain_controller] # enum active user sessions

Service Principal Names (AD Service Accounts)

  • An SPN is a unique name for a service on a host, used to associate that service with an Active Directory service account.

  • Enumerate SPNs to obtain the IP address and port number of applications running on servers integrated with Active Directory.

  • Query the Domain Controller in search of SPNs.

  • SPN examples (format: serviceclass/host[:port]):

    • CIFS/MYCOMPUTER$ - file share access.

    • LDAP/MYCOMPUTER$ - querying AD information via LDAP.

    • HTTP/MYCOMPUTER$ - web services such as IIS.

    • MSSQLSvc/MYCOMPUTER$ - MSSQL.

For example, let's update our PowerShell enumeration script to filter the serviceprincipalname property for the string *http*, indicating the presence of a registered web server:

$domainObj = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$PDC = ($domainObj.PdcRoleOwner).Name
$SearchString = "LDAP://"
$SearchString += $PDC + "/"
$DistinguishedName = "DC=$($domainObj.Name.Replace('.', ',DC='))"
$SearchString += $DistinguishedName
$Searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$SearchString)
$objDomain = New-Object System.DirectoryServices.DirectoryEntry
$Searcher.SearchRoot = $objDomain
$Searcher.filter="serviceprincipalname=*http*"
$Result = $Searcher.FindAll()
Foreach($obj in $Result)
{
    Foreach($prop in $obj.Properties)
    {
        $prop
    }
}
  • Perform an nslookup of the service hostname -> see if there is an entry point here.

  • Automated SPN enum scripts:

# Kerberoast: https://github.com/nidem/kerberoast/blob/master/GetUserSPNs.ps1
PS> .\GetUserSPNs.ps1

# Powershell Empire: https://github.com/compwiz32/PowerShell/blob/master/Get-SPN.ps1
PS> .\Get-SPN.ps1
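As an added example (not code from the original page or from the linked scripts), the following inventories user accounts that carry an SPN, splits each SPN into service class, host and port, and resolves the host in one pass, which is the nslookup step above done in-script; it assumes a domain-joined host, and the function name is my own.

```powershell
# Added example, not from the original page. Assumes a domain-joined host.
function Get-UserSpnInventory {
    $domainObj = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $pdc = $domainObj.PdcRoleOwner.Name
    $dn  = "DC=$($domainObj.Name.Replace('.', ',DC='))"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$pdc/$dn")
    # samAccountType 805306368 = user accounts; computer accounts (805306369)
    # always hold SPNs such as CIFS/HOST$ and would only add noise here
    $searcher.Filter   = "(&(samAccountType=805306368)(servicePrincipalName=*))"
    $searcher.PageSize = 1000
    foreach ($p in 'samaccountname', 'serviceprincipalname', 'pwdlastset') {
        [void]$searcher.PropertiesToLoad.Add($p)
    }
    foreach ($r in $searcher.FindAll()) {
        $sam    = $r.Properties['samaccountname'][0]
        $pwdSet = [DateTime]::FromFileTime([int64]$r.Properties['pwdlastset'][0])
        foreach ($spn in $r.Properties['serviceprincipalname']) {
            # SPN format: serviceclass/host[:port][/servicename]
            $class, $rest    = $spn.Split('/', 2)
            $hostName, $port = ($rest -split '/')[0].Split(':', 2)
            $portOut = if ($port) { $port } else { '-' }
            try   { $ip = ([System.Net.Dns]::GetHostAddresses($hostName) | Select-Object -First 1).IPAddressToString }
            catch { $ip = 'unresolved' }     # stale SPN: host no longer exists in DNS
            [pscustomobject]@{
                Account         = $sam
                Class           = $class
                Host            = $hostName
                Port            = $portOut
                IP              = $ip
                PasswordLastSet = $pwdSet
            }
        }
    }
}

# A service account whose SPN host no longer resolves, or whose password is years
# old, is the first thing to clean up after reviewing this listing.
Get-UserSpnInventory | Sort-Object Account, Class | Format-Table -AutoSize
```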
More powerview commands

https://book.hacktricks.xyz/windows/basic-powershell-for-pentesters/powerview