Active Directory Domain Enumeration Part 2


This post covers Active Directory domain enumeration without leveraging PowerView or the Active Directory PowerShell module; it will be continuously added to.

adsisearcher

[adsisearcher] is a Windows PowerShell type accelerator for searching Active Directory Domain Services; it gives PowerShell access to the System.DirectoryServices.DirectorySearcher .NET class with minimal ceremony.

The DirectorySearcher class as described in the Microsoft documentation:

Use a DirectorySearcher object to search and perform queries against an Active Directory Domain Services hierarchy using Lightweight Directory Access Protocol (LDAP). LDAP is the only system-supplied Active Directory Service Interfaces (ADSI) provider that supports directory searching. An administrator can make, alter, and delete objects that are found in the hierarchy.

List All Users


([adsisearcher]"(&(objectClass=User)(samaccountname=*))").FindAll().Properties.samaccountname

List Admins


([adsisearcher]"(&(objectClass=User)(admincount=1))").FindAll().Properties.samaccountname

List Info of Specific User


([adsisearcher]"(&(objectClass=User)(samaccountname=<username>))").FindAll().Properties

View Users with Description Field


([adsisearcher]"(&(objectClass=user)(samaccountname=*))").FindAll().Properties | % { Write-Host "$($_.samaccountname) : $($_.description)" }

Get Users


$ADSISearcher = [ADSISearcher]'(objectclass=user)'
$ADSISearcher.SearchRoot = [ADSI]"LDAP://OU=,OU=,DC=,DC="   # restrict the search to one OU; fill in its distinguished name
$ADSISearcher.FindAll()

Search Single User

([adsisearcher]'samaccountname=nigel').FindOne()

Bind directly to a known object by its distinguished name:

[adsi]'LDAP://CN=nigel,OU=Users,DC=domain,DC=local'

Search for Keyword


([adsisearcher]"(info=*pass*)").FindAll()
([adsisearcher]"(info=*pass*)").FindAll() | %{ $_.GetDirectoryEntry() } | Select-Object sAMAccountName, info

The same keyword search against a specific server with explicit credentials (the DirectoryEntry constructor takes the path, username and password):

(New-Object adsisearcher((New-Object adsi("LDAP://example.com","domain\username","password")),"(info=*pass*)")).FindAll()


DNS

Get DC Info

nslookup can be used to get basic information from a DC like the hostname and IP address:

C:\>nslookup
DNS request timed out.
    timeout was 2 seconds.
Default Server:  UnKnown
Address:  172.16.249.200

> set type=all
> _ldap._tcp.dc._msdcs.htb.local
Server:  UnKnown
Address:  172.16.249.200

_ldap._tcp.dc._msdcs.htb.local  SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = DC.htb.local
DC.htb.local    internet address = 172.16.249.200

The domain name is appended to the _ldap._tcp.dc._msdcs. prefix. Here the domain is htb.local, so the following single command returns the same output as the interactive session above:

C:\> nslookup -querytype=all _ldap._tcp.dc._msdcs.htb.local
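As an added example (not part of the original post), the same DC discovery can be done from PowerShell with the DnsClient module's Resolve-DnsName, which returns the SRV records together with any glue A/AAAA records for the targets. The function name and the domain value are my choices; the SRV names are the standard ones every domain controller registers under _msdcs.

```powershell
# Added example, not from the original post: PowerShell equivalent of the nslookup
# session above (Resolve-DnsName ships with Windows 8 / Server 2012 and later).
function Get-DomainControllerSrv {
    param([Parameter(Mandatory)][string]$Domain)

    $services = '_ldap._tcp.dc._msdcs', '_kerberos._tcp.dc._msdcs'
    foreach ($svc in $services) {
        # The answer contains the SRV records plus glue A/AAAA records for the target hosts
        $answer = Resolve-DnsName -Name "$svc.$Domain" -Type SRV -ErrorAction Stop

        # Map host name -> address from the glue records so each row can carry the IP
        $glue = @{}
        foreach ($rec in $answer) {
            if ($rec.Type -eq 'A' -or $rec.Type -eq 'AAAA') { $glue[$rec.Name] = $rec.IPAddress }
        }

        foreach ($rec in $answer) {
            if ($rec.Type -ne 'SRV') { continue }
            [pscustomobject]@{
                Service  = $svc
                Host     = $rec.NameTarget
                Address  = $glue[$rec.NameTarget]   # $null when no glue record was returned
                Port     = $rec.Port
                Priority = $rec.Priority            # lower value is preferred by clients
                Weight   = $rec.Weight              # relative load share among equal priorities
            }
        }
    }
}

# Usage (domain taken from the nslookup session above)
Get-DomainControllerSrv -Domain 'htb.local' | Sort-Object Service, Priority | Format-Table -AutoSize
```

Because both the LDAP and Kerberos SRV names are resolved, a DC that is registered for one service but not the other shows up as a mismatch between the two result sets, which is the kind of stale or incomplete DNS registration worth chasing down in an environment review.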


dsquery

Queries the directory by using search criteria that you specify. Each of the dsquery commands finds objects of a specific object type, with the exception of dsquery *, which can query for any type of object.

For more information, see the Microsoft documentation for dsquery.

Get Users


> dsquery user -name *
"CN=Administrator,CN=Users,DC=MEGACORP,DC=LOCAL"
"CN=Guest,CN=Users,DC=MEGACORP,DC=LOCAL"
"CN=DefaultAccount,CN=Users,DC=MEGACORP,DC=LOCAL"
...

Get User Group Memberships


> dsquery user -samid "nigel" | dsget user -memberof -expand
"CN=Remote Management Users,CN=Builtin,DC=MEGACORP,DC=LOCAL"
"CN=Domain Users,CN=Users,DC=MEGACORP,DC=LOCAL"
"CN=Users,CN=Builtin,DC=MEGACORP,DC=LOCAL"

Get Trusted Domains


> dsquery * -filter "(objectClass=trustedDomain)" -attr *
objectClass: top
objectClass: leaf
objectClass: trustedDomain
cn: <REDACTED>
distinguishedName: <REDACTED>
instanceType: 4
whenCreated: 01/05/2020 16:27:58
whenChanged: 03/06/2020 13:34:11
uSNCreated: 21252
uSNChanged: 131946
showInAdvancedViewOnly: TRUE
name: <REDACTED>
objectGUID: <REDACTED>
securityIdentifier: <REDACTED> 
trustDirection: 2
trustPartner: <REDACTED>
trustPosixOffset: -2147483648
trustType: 2
trustAttributes: 8
flatName: <REDACTED>
objectCategory: CN=Trusted-Domain,CN=Schema,CN=Configuration,<REDACTED>
isCriticalSystemObject: TRUE
dSCorePropagationData: 01/01/1601 00:00:00
msDS-TrustForestTrustInfo: <REDACTED>
ADsPath: <REDACTED>
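The numeric trust fields in the output above (trustDirection, trustType, trustAttributes) are bit values and codes defined in MS-ADTS. The following added example, which is my code rather than anything from the original post, decodes them and runs the same trustedDomain query through [adsisearcher] so the result reads like the nltest output further down. Applied to the values shown above, trustDirection 2 / trustType 2 / trustAttributes 8 decode to Outbound, Uplevel, FOREST_TRANSITIVE. The function names are my choices; the query assumes it runs in the current domain's naming context.

```powershell
# Added example, not from the original post: decode trustedDomain attribute values.
function ConvertFrom-TrustValues {
    param([int]$Direction, [int]$Type, [int]$Attributes)

    # trustDirection is relative to this domain: Outbound = this domain trusts the partner
    $directions = @{ 0 = 'Disabled'; 1 = 'Inbound'; 2 = 'Outbound'; 3 = 'Bidirectional' }
    $types      = @{ 1 = 'Downlevel (NT 4)'; 2 = 'Uplevel (Active Directory)'; 3 = 'MIT Kerberos realm'; 4 = 'DCE' }
    # trustAttributes bit flags (MS-ADTS TRUST_ATTRIBUTE_* constants)
    $flags = [ordered]@{
        0x001 = 'NON_TRANSITIVE'
        0x002 = 'UPLEVEL_ONLY'
        0x004 = 'QUARANTINED_DOMAIN'        # SID filtering enforced
        0x008 = 'FOREST_TRANSITIVE'         # shown by nltest as "foresttrans"
        0x010 = 'CROSS_ORGANIZATION'
        0x020 = 'WITHIN_FOREST'
        0x040 = 'TREAT_AS_EXTERNAL'
        0x080 = 'USES_RC4_ENCRYPTION'
        0x200 = 'CROSS_ORGANIZATION_NO_TGT_DELEGATION'
        0x400 = 'PIM_TRUST'
        0x800 = 'CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION'
    }
    # Enumerate entries rather than indexing: an ordered dictionary indexed with an int
    # would return by position, not by key
    $set = foreach ($entry in $flags.GetEnumerator()) {
        if ($Attributes -band $entry.Key) { $entry.Value }
    }

    [pscustomobject]@{
        Direction  = if ($directions.ContainsKey($Direction)) { $directions[$Direction] } else { "Unknown ($Direction)" }
        Type       = if ($types.ContainsKey($Type)) { $types[$Type] } else { "Unknown ($Type)" }
        Attributes = if ($set) { $set -join ', ' } else { 'None' }
    }
}

function Get-DomainTrustInfo {
    $searcher = [adsisearcher]'(objectClass=trustedDomain)'
    $searcher.PropertiesToLoad.AddRange([string[]]('name', 'trustpartner', 'trustdirection', 'trusttype', 'trustattributes'))
    foreach ($result in $searcher.FindAll()) {
        $p = $result.Properties    # keys are lower-case LDAP display names
        $decoded = ConvertFrom-TrustValues -Direction $p['trustdirection'][0] -Type $p['trusttype'][0] -Attributes $p['trustattributes'][0]
        [pscustomobject]@{
            Name       = [string]$p['name'][0]
            Partner    = [string]$p['trustpartner'][0]
            Direction  = $decoded.Direction
            Type       = $decoded.Type
            Attributes = $decoded.Attributes
        }
    }
}

# The values from the dsquery output above decode to Outbound / Uplevel / FOREST_TRANSITIVE
ConvertFrom-TrustValues -Direction 2 -Type 2 -Attributes 8
Get-DomainTrustInfo | Format-Table -AutoSize
```

When reviewing trusts, the attributes column is the one to read first: a forest-transitive or external trust without QUARANTINED_DOMAIN set means SID filtering is not enforced on that trust.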

Find DCs in Forest


> dsquery server -Forest

Find Users with Sensitive Descriptions


This is an interesting parameter to play with: some users and administrators put the account's password in its description because, as far as they are aware, the description is not visible to anyone.

By leveraging wildcards you can build search queries that may turn up some low-hanging fruit:

> dsquery user -desc *pass*
> dsquery user -desc *cred*
> dsquery user -desc *key*

Worth noting that the dsquery computer and dsquery server commands also support the -desc parameter.
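The wildcard searches in this section, together with "View Users with Description Field" and "Search for Keyword" in the adsisearcher section, all come down to the same audit: find objects whose free-text attributes contain credential-like strings so the entries can be cleaned up. The following added example (my code, not the post's) performs that audit in one paged [adsisearcher] query per object type, covering description, info and comment on both user and computer objects, and reports only the attribute that actually matched. The keyword list, function name and output shape are my choices; it runs as the current user against the current domain.

```powershell
# Added example, not from the original post: audit free-text attributes for credential-like keywords.
function Find-SensitiveDescription {
    param(
        [string[]]$Keywords = @('pass', 'pwd', 'cred', 'key', 'secret'),   # heuristic; 'key' also matches "keyboard"
        [ValidateSet('user', 'computer')][string[]]$ObjectType = @('user', 'computer')
    )
    $attributes = 'description', 'info', 'comment'
    # objectCategory tells the two apart: computer objects are also objectClass=user
    $categoryFilter = @{
        user     = '(&(objectCategory=person)(objectClass=user))'
        computer = '(objectCategory=computer)'
    }
    # Regex used client-side to report which attribute matched (case-insensitive by default)
    $pattern = ($Keywords | ForEach-Object { [regex]::Escape($_) }) -join '|'

    foreach ($type in $ObjectType) {
        # One (attr=*kw*) clause per attribute/keyword pair, OR-ed together server-side
        $clauses = foreach ($attr in $attributes) { foreach ($kw in $Keywords) { "($attr=*$kw*)" } }
        $searcher = [adsisearcher]"(&$($categoryFilter[$type])(|$($clauses -join '')))"
        $searcher.PageSize = 1000   # request paged results; otherwise the DC caps output at MaxPageSize (1000 objects)
        $searcher.PropertiesToLoad.AddRange([string[]]($attributes + @('samaccountname', 'distinguishedname')))

        foreach ($result in $searcher.FindAll()) {
            $p = $result.Properties
            foreach ($attr in $attributes) {
                # Multi-valued attributes are joined; an absent attribute yields an empty string
                $text = ($p[$attr] | ForEach-Object { [string]$_ }) -join ' '
                if ($text -and $text -match $pattern) {
                    [pscustomobject]@{
                        Type              = $type
                        SamAccountName    = [string]$p['samaccountname'][0]
                        Attribute         = $attr
                        Value             = $text
                        DistinguishedName = [string]$p['distinguishedname'][0]
                    }
                }
            }
        }
    }
}

# Usage: default keywords, both object types
Find-SensitiveDescription | Format-Table -AutoSize
```

The PageSize setting is the part most cheat-sheet one-liners omit: without it a domain with more than 1000 matching objects silently returns a truncated result set, so an audit that relies on the unpaged form can report a clean bill of health for objects it never saw.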


nltest

You can use nltest to:

  • Get a list of domain controllers
  • Force remote shutdown
  • Query the status of a trust
  • Test trust relationships and the state of domain controller replication in a Windows domain
  • Force a user-account database to synchronize on Windows NT version 4.0 or earlier domain controllers

For the full list of parameters, see the Microsoft documentation for nltest.

Get Trusted Domains


> nltest /trusted_domains
List of domain trusts:
    0: <REDACTED> (NT 5) (Direct Outbound) ( Attr: foresttrans )
    1: <REDACTED> (NT 5) (Forest Tree Root) (Primary Domain) (Native)

Get Parent Domain

> nltest /parentdomain


PowerShell and .NET

Get Domain Controllers


[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers

Get Current Domain


[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

Get Domain Trusts


([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).GetAllTrustRelationships() 

Get Forest


[System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

Get Forest Trusts


([System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()).GetAllTrustRelationships() 

Get Local SQL Server


[System.Data.Sql.SqlDataSourceEnumerator]::Instance.GetDataSources()


WMI Cmdlets

Get Local Route Table


Get-WmiObject -Class Win32_IP4RouteTable
Get-WmiObject -Class Win32_IP4RouteTable | select description, nexthop

Get Local Users


Get-WmiObject -Class Win32_UserAccount
Get-WmiObject -Class Win32_UserAccount | select caption,SID,name

Get Local Groups


Get-WmiObject -Class Win32_Group

Get Current Domain


Get-WmiObject -Namespace root\directory\ldap -Class ds_domain | select -ExpandProperty ds_dc
(Get-WmiObject -Class Win32_ComputerSystem).Domain

Get Current Domain Policy


Get-WmiObject -Namespace root\directory\ldap -Class ds_domain | select DS_lockoutDuration, DS_lockoutObservationWindow, DS_lockoutThreshold, DS_maxPwdAge, DS_minPwdAge, DS_minPwdLength, DS_pwdHistoryLength, DS_pwdProperties
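The policy attributes above come back raw: the age and lockout values are negative counts of 100-nanosecond intervals, and pwdProperties is a bit field. The following added example (my code, not the post's) reads the same attributes from the domain head through [adsisearcher], where large integers arrive as Int64, and converts them into readable values. The function names are my choices; the pwdProperties flag names are the DOMAIN_PASSWORD_* constants from MS-SAMR.

```powershell
# Added example, not from the original post: decode the domain password and lockout policy.
function ConvertFrom-AdInterval {
    # AD stores durations as negative 100-ns intervals; Int64.MinValue means "no limit"
    param([long]$Value, [string]$NoLimitText = 'No limit')
    if ($Value -eq [long]::MinValue) { return $NoLimitText }
    [timespan]::FromTicks([math]::Abs($Value))   # a .NET tick is also 100 ns
}

function ConvertFrom-PwdProperties {
    param([int]$Value)
    $flags = @{
        1  = 'DOMAIN_PASSWORD_COMPLEX'
        2  = 'DOMAIN_PASSWORD_NO_ANON_CHANGE'
        4  = 'DOMAIN_PASSWORD_NO_CLEAR_CHANGE'
        8  = 'DOMAIN_LOCKOUT_ADMINS'
        16 = 'DOMAIN_PASSWORD_STORE_CLEARTEXT'   # reversible encryption enabled domain-wide
        32 = 'DOMAIN_REFUSE_PASSWORD_CHANGE'
    }
    foreach ($bit in ($flags.Keys | Sort-Object)) { if ($Value -band $bit) { $flags[$bit] } }
}

function Get-DomainPasswordPolicy {
    $searcher = [adsisearcher]'(objectClass=domainDNS)'
    $searcher.SearchScope = 'Base'   # the default SearchRoot is the domain head, so Base returns just that object
    $searcher.PropertiesToLoad.AddRange([string[]]('maxpwdage', 'minpwdage', 'minpwdlength', 'pwdhistorylength',
        'pwdproperties', 'lockoutthreshold', 'lockoutduration', 'lockoutobservationwindow'))
    $p = $searcher.FindOne().Properties

    [pscustomobject]@{
        MaxPasswordAge           = ConvertFrom-AdInterval $p['maxpwdage'][0] 'Never expires'
        MinPasswordAge           = ConvertFrom-AdInterval $p['minpwdage'][0]
        MinPasswordLength        = [int]$p['minpwdlength'][0]
        PasswordHistoryLength    = [int]$p['pwdhistorylength'][0]
        LockoutThreshold         = [int]$p['lockoutthreshold'][0]   # 0 = accounts never lock out
        LockoutDuration          = ConvertFrom-AdInterval $p['lockoutduration'][0] 'No automatic unlock'
        LockoutObservationWindow = ConvertFrom-AdInterval $p['lockoutobservationwindow'][0]
        PasswordProperties       = (ConvertFrom-PwdProperties $p['pwdproperties'][0]) -join ', '
    }
}

Get-DomainPasswordPolicy | Format-List
```

Note that this reads the default domain policy only; fine-grained password policies (msDS-PasswordSettings objects) can override it for specific users and groups and are not covered by this query.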

Get Domain Controller


# 532480 = SERVER_TRUST_ACCOUNT (8192) + TRUSTED_FOR_DELEGATION (524288), the userAccountControl of a writable DC
Get-WmiObject -Namespace root\directory\ldap -Class ds_computer | where-object {$_.ds_userAccountControl -eq 532480}
Get-WmiObject -Namespace root\directory\ldap -Class ds_computer | where-object {$_.ds_userAccountControl -eq 532480} | select ds_cn
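The literal 532480 above is a combination of userAccountControl bits, and matching it exactly finds only writable domain controllers with the default flag set. The following added example (my code, not the post's) decodes any userAccountControl value into its flag names and finds DCs with an LDAP bitwise-AND filter instead, so read-only DCs (which carry PARTIAL_SECRETS_ACCOUNT rather than SERVER_TRUST_ACCOUNT) are included. Function names are my choices; the flag constants are the standard ADS_USER_FLAG values.

```powershell
# Added example, not from the original post: decode userAccountControl and enumerate DCs by flag bits.
function ConvertFrom-UserAccountControl {
    param([int]$Value)
    $flags = @{
        0x00000002 = 'ACCOUNTDISABLE'
        0x00000020 = 'PASSWD_NOTREQD'
        0x00000200 = 'NORMAL_ACCOUNT'
        0x00000800 = 'INTERDOMAIN_TRUST_ACCOUNT'
        0x00001000 = 'WORKSTATION_TRUST_ACCOUNT'
        0x00002000 = 'SERVER_TRUST_ACCOUNT'           # writable domain controller
        0x00010000 = 'DONT_EXPIRE_PASSWORD'
        0x00040000 = 'SMARTCARD_REQUIRED'
        0x00080000 = 'TRUSTED_FOR_DELEGATION'         # unconstrained delegation; set on DCs by default
        0x00100000 = 'NOT_DELEGATED'
        0x00200000 = 'USE_DES_KEY_ONLY'
        0x00400000 = 'DONT_REQ_PREAUTH'
        0x01000000 = 'TRUSTED_TO_AUTH_FOR_DELEGATION'
        0x04000000 = 'PARTIAL_SECRETS_ACCOUNT'        # read-only domain controller
    }
    foreach ($bit in ($flags.Keys | Sort-Object)) { if ($Value -band $bit) { $flags[$bit] } }
}

function Get-DomainControllerAccount {
    # 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule: match if the given bit is set.
    # OR the writable-DC bit (8192) with the RODC bit (67108864); an exact -eq 532480 would miss RODCs.
    $filter = '(&(objectCategory=computer)(|(userAccountControl:1.2.840.113556.1.4.803:=8192)(userAccountControl:1.2.840.113556.1.4.803:=67108864)))'
    $searcher = [adsisearcher]$filter
    $searcher.PropertiesToLoad.AddRange([string[]]('cn', 'dnshostname', 'useraccountcontrol'))
    foreach ($result in $searcher.FindAll()) {
        $p = $result.Properties
        $uac = [int]$p['useraccountcontrol'][0]
        [pscustomobject]@{
            Name               = [string]$p['cn'][0]
            DnsHostName        = [string]$p['dnshostname'][0]
            UserAccountControl = $uac
            Flags              = (ConvertFrom-UserAccountControl $uac) -join ', '
        }
    }
}

# The value used in the WMI query above decodes to SERVER_TRUST_ACCOUNT, TRUSTED_FOR_DELEGATION
ConvertFrom-UserAccountControl 532480
Get-DomainControllerAccount | Format-Table -AutoSize
```

The same decoder is useful on ordinary accounts: PASSWD_NOTREQD, DONT_REQ_PREAUTH and TRUSTED_FOR_DELEGATION on a non-DC account are each a configuration finding in their own right.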

Get Domain Users


Get-WmiObject -Class Win32_UserAccount
Get-WmiObject -Class Win32_UserAccount | select name
Get-WmiObject -Class Win32_UserAccount -Filter "Domain = 'targetdomain'"

Get Domain Groups


Get-WmiObject -Class Win32_Group
Get-WmiObject -Class Win32_GroupInDomain | fl *
Get-WmiObject -Class Win32_GroupInDomain | Foreach-Object {[wmi]$_.PartComponent}
Get-WmiObject -Class Win32_GroupInDomain | where-object {$_.GroupComponent -match "domain"} | foreach-object {[wmi]$_.PartComponent}

Get Domain Admins Group Members


Get-WmiObject -Class Win32_GroupUser | where-object {$_.GroupComponent -match "Domain Admins"} | foreach-object {[wmi]$_.PartComponent} 
Get-WmiObject -Class Win32_GroupUser | where-object {$_.GroupComponent -match "domain" -and $_.GroupComponent -match "Domain Admins"} | foreach-object {[wmi]$_.PartComponent}

Get User Group Memberships


Get-WmiObject -Class Win32_GroupUser | where-object {$_.PartComponent -match "nigel"} | foreach-object {[wmi]$_.GroupComponent} 

Get Domain Computers


Get-WmiObject -Namespace root\directory\ldap -Class ds_computer
Get-WmiObject -Namespace root\directory\ldap -Class ds_computer | select -ExpandProperty ds_cn
(Get-WmiObject -Namespace root\directory\ldap -Class ds_computer | where-object {$_.ds_cn -eq "DC-Name"}).Properties | foreach-object {If($_.value -AND $_.name -notmatch "__"){@{$($_.name) = $($_.value)}}}