Practice
  • 🛤️TryHackMe Rooms
    • HackersVsHackers
    • Vulnnet - The End Game
    • Surfer
    • Corridor
    • Mustacchio
    • Wordpress: CVE-2021-29447
    • Bounty Hacker
    • Simple CTF
    • Agent Sudo
    • Lazy Admin
    • Ignite
    • Brooklynn 99
    • c4ptur3th3fl4g
    • Lian_Yu
    • Rabbit
    • Gallery
    • Overpass
    • Team
    • Easy Peasy
    • CmesS
    • Ultratech
    • Wonderland
    • Anonymous
    • GamingServer
    • Tomghost
    • ConvertMyVideo
    • DogCat
    • Blog
    • Git Happens
    • 0day
    • Road
    • Inferno
    • Opacity
    • Market Place
    • Valley CTF
    • Weasel
    • SafeZone
    • Blueprint
    • Fusion Corp
    • Quotient
    • Unbaked Pie
    • Kenobi
    • Steel Mountain
    • Alfred
    • Hack Park
    • Game Zone
    • Daily Bugle
    • Retro
    • Corp
    • Attacktive Directory
    • Vulnnet - Roasted
    • Vulnnet - Active
    • Vulnnet - Internal
    • Enterprise - Hard
    • Iron Corp - Hard
    • Ra - Hard
    • For Business Reasons
  • 📦HackTheBox
    • Linux Boxes
      • Lame
      • Shocker
      • Nibbles
      • Beep
      • Cronos
      • Nineveh
      • Sense
      • Solidstate
      • Node
      • Valentine
      • Poison
      • Sunday
      • Irked
      • FriendZone
      • Networked
      • Jarvis
      • Tabby
      • Mirai
      • Popcorn
    • Windows Boxes
      • Active
      • Forest
      • ChatterBox
      • Resolute
      • Intelligence
  • 🤖CTF's
    • CloudSEK CTFs
    • ACM Cyber - UCLA
  • ¯\_(ツ)_/¯
    • Interview Topics
  • 🪣BOF - OSCP
    • Basics
    • Spiking
    • FUZZing
    • Finding the Offset
    • Overwriting the EIP
    • Finding BAD Characters
    • Finding RIGHT Module
    • Generating Shellcode
  • 📛Active Directory
    • Basics
      • Managing AD Users
      • Managing AD Computers
      • Group Policies
      • Authentication Methods
      • Trees, Forests and Trusts
    • Enumeration Techniques
    • Initial Attack Vectors
    • Post Compromise Enumeration
    • Post Compromise Attacks
      • Token Impersonation - LM
      • Kerberoasting
      • cPassword / GPP Attack
      • URL File Attacks
      • PrintNightmare
      • Golden Ticket Attacks
      • ZeroLogon Attacks
    • Lateral Movement and Pivoting
      • File Transfers
      • Spawning Processes Remotely
      • Moving Laterally with WMI
      • Alternate Authentication Material
      • Abusing User's Behaviour
      • Port Forwarding
      • Maintaing Access
      • Pivoting
      • Cleaning Up
    • Other Resources
  • 🛡️Powershell Basics
    • Getting Started
      • Functions
  • 😁Others
    • API Security
    • Cloud Security
  • Enumeration
    • Local PrivEsc
    • Remoting
    • Persistence
    • Kerberos
Powered by GitBook
On this page
  • Basic Enumeration
  • GPO Enumeration
  • ACL Enumeration
  • Trusts Enumeration
  • Trust Types
  • User Hunting
  • BloodHound Enumeration

Enumeration

Basic Enumeration

Get-NetDomain
Get-NetDomain -Domain <domain>

Get-DomainSID

Get-DomainPolicy
(Get-DomainPolicy)."systemaccess","kerberospolicy"

Get-NetDomainController

Get-NetUser
Get-NetUser -Username akash


Get-UserProperty
Get-UserProperty -Properties pwdlastset,logoncount,badpwdcount
Get-UserProperty -Properties logoncount
Get-UserProperty -Properties badpwdcount

Find-UserField -SearchField Description -SearchTerm "built"

Get-NetComputer
Get-NetComputer -OperatingSystem "*Server 2016*"
Get-NetComputer -Ping
Get-NetComputer -FullData

Get-NetGroup
Get-NetGroup -Domain <domain>
Get-NetGroup -FullData
Get-NetComputer -Domain
Get-NetGroup *admin*
Get-NetGroup -GroupName *admin*
Get-NetGroup *admin* -FullData
Get-NetGroup -GroupName *admin* -Doamin akash.local
Get-NetGroup -UserName "akash"

Get-NetGroupMember -GroupName "Domain Admins" -Recurse

Get-NetLocalGroup -ComputerName <servername> -ListGroups
Get-NetLocalGroup -ComputerName <servername> -Recurse

Get-NetLoggedon -ComputerName <servername> 

Get-LoggedonLocal -ComputerName <servername> 

Get-LastLoggedon -ComputerName <servername>

Invoke-ShareFinder -Verbose     // Finds shares
Invoke-FileFinder -Verbose     // Finds sensitive files
Get-NetFileServer             // Gets all the file-servers

GPO Enumeration

GPO's are specific settings applied to the OU's, they can differ within them

Allows configurations of

  • security settings

  • Registry-based policy settings

  • GPP - like startup, shutdown, log-on/off

  • Software installation

Get-NetGPO
Get-NetGPO -ComputerName <servername>
Get-GPO -All (GroupPolicy module)
Get-GPResultantSetOfPolicy -ReportType Html -Path C:\Users\Administrator\report.html (Provides RSoP)
gpresult /R /V (GroupPolicy Results of current machine)

Get-NetGPOGroup        # groups.xml

Find-GPOComputerAdmin -ComputerName <servername>

Get-NetOU -FullData

Get-NetGPO -GPOname "{AB306569-220D-43FF-BO3B-83E8F4EF8081}"
Get-GPO -Guid AB306569-220D-43FF-B03B-83E8F4EF8081 (GroupPolicy module) 

Get-DomainObjectAcl -LDAPFilter '(objectCategory=groupPolicyContainer)' | ? { ($_.SecurityIdentifier -match '^S-1-5-.*-[1-9]\d{3,}$') -and ($_.ActiveDirectoryRights -match 'WriteProperty|GenericAll|GenericWrite|WriteDacl|WriteOwner')}
Get-NetGPO -GPOName '{3E04167E-C2B6-4A9A-8FB7-C811158DC97C}'

ACL Enumeration

ACLs help control who can access different parts of the network, like files or folders, and what they can do with them

  • Access Tokens - Identity and Privs

  • Security Descriptors - SID owner, DACL and SACL

DACL tells who has the permission to access, and SACL contains the audit log, loggin and logging off - when a sysadmin monitors

Get-ObjectAcl -SamAccountName akash -ResolveGUIDs
Get-ObjectAcl -ADSprefix 'CN=Administrator,CN=Users' -Verbose
Get-ObjectAcl -ADSpath "LDAP://CN=Domain Admins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local" -ResolveGUIDs -Verbose

Invoke-ACLScanner -ResolveGUIDs
Get-PathAcl -Path "\\dc.hydra.local\sysvol"

Trusts Enumeration

  • allows user of a domain or forest to access resources in another domain or forest

  • two-way trust exists between domains, even in forests too

  • trust relationships need to be created between forests

One-Way Trust

A => B

  • if A is the printer we are trying to access, then the trust relationship will be from A to B

Two-Way Trust

A <=> B

  • users in both domains can access each other’s resources

Transitive Trust

A <=> B <=> C

  • relationships that are extended with other domains, parent-child

Trust Types

Domain Trusts

Parent-child trust is created automatically between new domain and existing domain

Forest Trusts

Established between root domains of forests, can be one-way or two-way

Get-NetDomainTrust
Get-NetDomainTrust -Domain <domain>

Get-NetForest
Get-NetForest -Forest <forest>

Get-NetForestDomain
Get-NetForestDomain -Forest <forest>

Get-NetForestCatalog
Get-NetForestCatalog -Forest <forest>

User Hunting

Find-LocalAdminAccess -Verbose

Invoke-UserHunter
Invoke-UserHunter -GroupName "RDPUsers"
Invoke-UserHunter -CheckAccess
Invoke-UserHunter -Stealth

Get-DomainForeingUser 
Get-DomainForeignGroupMember

BloodHound Enumeration

. .\SharpHound.ps1

Invoke-BloodHound -CollectionMethod All,LoggedOn
Invoke-Bloodhound -CollectionMethod All -Domain CONTROLLER.local -ZipFileName loot.zip
Invoke-BloodHound -CollectionMethod All -ExcludeDC    # To avoid ATA detection
PreviousCloud SecurityNextLocal PrivEsc

Last updated 1 year ago