Manual Information Gathering
User information (cmd)
net user /domain # list all domain users
net user <USER> /domain # get information about a specific user in the domain
net group /domain # list all groups in the domain
net group <GROUP> /domain # get information about a specific group in the domain
net accounts /domain # obtain the domain account policy (password length/age, lockout threshold); without /domain you get the local policy of this host
User / Object information
See more PowerView commands: https://book.hacktricks.xyz/windows-hardening/basic-powershell-for-pentesters/powerview
Import PowerView:
powershell -ep bypass
Import-Module .\PowerView.ps1
Basic Info
Get-NetDomain # get basic info about the domain
Get-NetUser # get AD user list
Get-NetUser | select cn # get only names of AD users
Get-NetGroup | select cn # get only names of AD groups
Get-DomainGroupMember <GROUP> | select MemberName # list users in group
Operating systems information
Get-NetComputer # enumerate computer objects in the domain
Get-NetComputer | select operatingsystem,dnshostname # basic info
OS, User combination
In some cases you can enumerate which users are logged on to other hosts, which is how you locate where privileged accounts have live sessions.
Find-LocalAdminAccess # find computers in the domain on which the current user has local admin rights
Get-NetSession -ComputerName <COMPUTER_NAME> -Verbose # list sessions (logged-on user and the host they came from); since Windows 10 1709 / Server 2019 the SrvsvcSessionInfo registry ACL only lets administrators query this remotely
PsLoggedon.exe \\<MACHINE> # logged-on users via the Remote Registry service; works on older Windows where that service is running on the target
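The commands above are one host at a time. The following is an added example, not code from the original page or from the PowerView project: it walks every computer object, queries sessions, and reports only sessions belonging to members of a chosen group. It assumes PowerView (dev branch) is already imported and that its cmdlets return the property names used here (MemberName, dnshostname, UserName, CName, IdleTime); the group name 'Domain Admins' is a placeholder assumption.

```powershell
# Added example (not from the original page). Assumes PowerView dev branch is loaded:
# Get-DomainGroupMember, Get-NetComputer and Get-NetSession with the property names below.
function Find-GroupSessions {
    param([string] $TargetGroup = 'Domain Admins')   # assumption: group to hunt for

    # samAccountNames we want to locate; -Recurse expands nested groups
    $targets = Get-DomainGroupMember -Identity $TargetGroup -Recurse |
               Select-Object -ExpandProperty MemberName

    foreach ($comp in (Get-NetComputer | Select-Object -ExpandProperty dnshostname)) {
        # NetSessionEnum goes over SMB; skip hosts that are down or filtered on 445
        if (-not (Test-NetConnection -ComputerName $comp -Port 445 -InformationLevel Quiet -WarningAction SilentlyContinue)) { continue }

        # On hosts where SrvsvcSessionInfo denies non-admins this simply returns nothing
        $sessions = Get-NetSession -ComputerName $comp -ErrorAction SilentlyContinue
        foreach ($s in $sessions) {
            $user = ($s.UserName -split '\\')[-1]          # strip DOMAIN\ if present
            if ($user -and ($targets -contains $user)) {
                [pscustomobject]@{
                    Server = $comp
                    User   = $user
                    From   = $s.CName.TrimStart('\')      # source host of the session
                    Idle   = $s.IdleTime
                }
            }
        }
    }
}

Find-GroupSessions -TargetGroup 'Domain Admins' | Format-Table -AutoSize
```

Run it as a plain domain user first: the hosts that return nothing are either down, filtered, or already hardened by the SrvsvcSessionInfo change, and the ones that do answer are where session enumeration still leaks privileged logons.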
Service Accounts
Programs run by the system are launched in the context of a service account (LocalSystem, LocalService, NetworkService, or a dedicated domain account).
Applications such as Exchange, MS SQL, or IIS register an SPN (Service Principal Name) that ties a service instance to the AD account it runs as, so accounts running services can be found by searching for user objects that have an SPN set.
List the SPN in the domain:
Get-NetUser -SPN | select samaccountname,serviceprincipalname # PowerView
setspn -L <service_user> # setspn.exe
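PowerView is convenient but is also widely signatured. The block below is an added example, not code from the original page or from PowerView, that reproduces the user, group, computer/OS and SPN enumeration from the sections above with only the built-in .NET DirectorySearcher ([adsisearcher]). It assumes the session runs as a domain user on a domain-joined host, where LDAP read on the default naming context is granted to Authenticated Users; the helper name Search-DomainLdap is mine.

```powershell
# Added example (not from the original page). Plain LDAP enumeration without PowerView.
# Assumes: domain-joined host, current user is a domain user (default LDAP read rights).
function Search-DomainLdap {
    param(
        [Parameter(Mandatory)] [string]   $Filter,                 # LDAP filter
        [Parameter(Mandatory)] [string[]] $Properties              # attributes to return
    )
    # [adsisearcher] with no search root binds to the current domain's default naming context
    $searcher = [adsisearcher]$Filter
    $searcher.PageSize = 1000                                      # page so large domains return everything
    $searcher.PropertiesToLoad.AddRange([string[]]$Properties)

    foreach ($r in $searcher.FindAll()) {
        $obj = [ordered]@{}
        foreach ($p in $Properties) {
            $vals = @($r.Properties[$p.ToLower()])                 # result keys are lowercase
            $obj[$p] = if ($vals.Count -le 1) { $vals[0] } else { $vals }   # keep multi-valued attrs as arrays
        }
        [pscustomobject]$obj
    }
}

# Domain users with a description (descriptions are a classic place for leaked passwords)
Search-DomainLdap '(&(objectCategory=person)(objectClass=user))' samaccountname,cn,description

# Domain groups and their direct members
Search-DomainLdap '(objectCategory=group)' cn,member

# Computers with their OS (same as Get-NetComputer | select operatingsystem,dnshostname)
Search-DomainLdap '(objectCategory=computer)' dnshostname,operatingsystem

# Service accounts: user objects with an SPN, excluding krbtgt (same as Get-NetUser -SPN)
Search-DomainLdap '(&(objectCategory=person)(objectClass=user)(servicePrincipalName=*)(!(samaccountname=krbtgt)))' samaccountname,serviceprincipalname

# Members of a specific group (replace the cn as needed)
Search-DomainLdap '(&(objectCategory=group)(cn=Domain Admins))' cn,member
```

The `objectCategory=person` clause matters: `objectClass=user` alone also matches computer accounts, which all carry SPNs and would flood the service-account query.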
Object Permissions enumeration
Every AD object has a DACL (Discretionary Access Control List) made up of ACEs (Access Control Entries); each ACE grants or denies a set of rights to a trustee identified by its SID.
Key AD Permissions:
GenericAll # Full control over the object
GenericWrite # Write all non-protected attributes of the object
WriteOwner # Change ownership of the object (the owner can then rewrite its DACL)
WriteDacl # Edit the ACEs applied to the object (can grant yourself GenericAll)
AllExtendedRights # All extended rights on the object, e.g. change password, reset password
ForceChangePassword # Reset the object's password without knowing the current one
Self (Self-Membership) # Add ourselves to, for example, a group
ACE enumeration with PowerView:
Get-ObjectAcl -Identity <user> -ResolveGUIDs # see ActiveDirectoryRights, SecurityIdentifier (trustee SID); -ResolveGUIDs turns extended-right GUIDs into names
We can convert the SID we got into a readable name:
Convert-SidToName <SID>
Search for GenericAll permission (ActiveDirectoryRights is a flags value, so -match also catches ACEs that combine several rights):
Get-ObjectAcl -Identity "<GROUP>" | ? {$_.ActiveDirectoryRights -match "GenericAll"} | select SecurityIdentifier,ActiveDirectoryRights
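Filtering one object at a time does not answer the question you actually have, which is "what can my current principal modify?". The block below is an added example, not code from the original page or from PowerView: it collects the SIDs of the current user and every group in its token, enumerates the ACEs of all domain objects, and keeps the allow ACEs where one of those SIDs holds a right from the list above. It assumes PowerView is imported and that Get-ObjectAcl supports -ResolveGUIDs and returns objects with ObjectDN, AceType, ActiveDirectoryRights, ObjectAceType and SecurityIdentifier properties (PowerView dev-branch shape); the function name Find-MyObjectRights is mine.

```powershell
# Added example (not from the original page). Assumes PowerView is loaded and that
# Get-ObjectAcl / Convert-SidToName behave as on this page (dev-branch property names).
function Find-MyObjectRights {
    param(
        # .NET enum names; 'ExtendedRight' with ObjectAceType 'All' is the page's AllExtendedRights
        [string[]] $InterestingRights = @('GenericAll','GenericWrite','WriteOwner','WriteDacl','ExtendedRight','Self','WriteProperty')
    )
    # SIDs of the current user plus every group present in its token (nesting already expanded)
    $id     = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $mySids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })

    # Whole-domain ACL dump; slow on large domains, but it is done once
    foreach ($ace in (Get-ObjectAcl -ResolveGUIDs)) {
        if ($ace.AceType -notin 'AccessAllowed','AccessAllowedObject') { continue }   # ignore deny ACEs
        if ($mySids -notcontains "$($ace.SecurityIdentifier)") { continue }          # not our trustee

        $rights = "$($ace.ActiveDirectoryRights)" -split ',\s*'                       # flags value -> names
        $hits   = $rights | Where-Object { $InterestingRights -contains $_ }
        if (-not $hits) { continue }

        [pscustomobject]@{
            Object    = $ace.ObjectDN
            Rights    = ($hits -join ',')
            ObjectAce = $ace.ObjectAceType      # e.g. User-Force-Change-Password, Member, or All
            Trustee   = Convert-SidToName "$($ace.SecurityIdentifier)"
        }
    }
}

# Drop the noise every user gets on their own object, then review what is left
Find-MyObjectRights | Where-Object { $_.Object -notmatch "CN=$env:USERNAME," } | Format-Table -AutoSize
```

Read the ObjectAce column carefully: WriteProperty or ExtendedRight scoped to a single attribute or right is much narrower than the same flag with ObjectAce 'All', and Self is only interesting on a group when the scoped attribute is Member.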
Domain shares enumeration
Find domain shares with PowerView:
Find-DomainShare # add -CheckShareAccess for available shares only
Interesting shares:
SYSVOL # replicated share present on every DC, readable by all domain users; holds GPOs and logon scripts, so check it for credentials in scripts and GPO XML
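Find-DomainShare tells you which shares exist; the next step is checking what you can read and searching the always-readable one. The block below is an added example, not code from the original page or from PowerView, built only on built-in tooling so it runs without PowerView. It assumes a domain-joined host whose $env:USERDNSDOMAIN is set, that the current user can read SYSVOL (default for Authenticated Users), and that `net view` is available; the host names dc01.corp.local and fs01.corp.local and the search patterns are constructed placeholders.

```powershell
# Added example (not from the original page). Built-in tooling only, no PowerView needed.
function Find-SysvolSecrets {
    param(
        [string]   $Domain   = $env:USERDNSDOMAIN,                         # assumption: domain-joined host
        [string[]] $Patterns = @('cpassword','password','passwd','pwd=')   # constructed search terms
    )
    $sysvol = "\\$Domain\SYSVOL\$Domain"
    # Logon scripts and Group Policy Preference XML are the usual places credentials end up
    Get-ChildItem -Path $sysvol -Recurse -File -Include *.xml,*.ps1,*.bat,*.cmd,*.vbs,*.ini,*.txt -ErrorAction SilentlyContinue |
        Select-String -Pattern $Patterns -SimpleMatch -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{ File = $_.Path; Line = $_.LineNumber; Match = $_.Line.Trim() }
        }
}

function Test-ShareAccess {
    param([Parameter(Mandatory)] [string[]] $ComputerName)
    foreach ($c in $ComputerName) {
        # /all also lists hidden shares such as ADMIN$ and C$
        $out = net view "\\$c" /all 2>$null
        if ($LASTEXITCODE -ne 0) { continue }                   # host down, no SMB, or access denied
        foreach ($line in $out) {
            if ($line -match '^(\S+)\s+Disk') {                 # "ShareName   Disk   Remark" rows
                $unc = "\\$c\$($Matches[1])"
                # Test-Path returns $false when we lack read access, so this doubles as the access check
                [pscustomobject]@{ Share = $unc; Readable = (Test-Path -Path $unc -ErrorAction SilentlyContinue) }
            }
        }
    }
}

Find-SysvolSecrets | Format-Table -AutoSize
Test-ShareAccess -ComputerName 'dc01.corp.local','fs01.corp.local' | Where-Object Readable
```

A hit on `cpassword` in a Groups.xml under Policies is a Group Policy Preferences password and is worth reporting on its own, whatever else the share contains.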