In the initial attack vectors, we were able to compromise a user (Frank Castle): first by capturing their hash through LLMNR poisoning and cracking it to recover a plaintext password, then by using an SMB relay attack to gain access to a machine and dump the SAM hashes, and finally through an IPv6 attack with mitm6 and ntlmrelayx, taking over DNS and capturing almost all information about the domain. Now, what can we do once we have a compromise? How can we enumerate the network using it? In this article, we will talk about post-compromise AD enumeration. For that, we will be using 2 tools.
PowerView is a PowerShell tool to gain network situational awareness on Windows domains. It contains a set of pure-PowerShell replacements for various Windows net * commands, which use PowerShell AD hooks and underlying Win32 API functions to perform useful Windows domain functionality. In short, it helps us enumerate domain controllers, policies, users, groups, and much more.
First, we need to get PowerView. We have access to one account (Frank Castle), and through the SMB relay attack we can also get an interactive shell on that machine. Taking advantage of this, we can run PowerView from the Windows machine. For easier demonstration, I will work directly on the Windows machine instead of running commands from the shell.
So, go to the Windows machine and download PowerView from GitHub.
If dropping it through the shell, an attacker would download the script to their own host and then transfer it through the shell. I am running it directly on the machine because that gives me tab completion, which makes things smoother.
Go to the Windows machine where you downloaded PowerView, open the command prompt, and change the directory to Downloads.
Since this is a PowerShell script, we need to run it from PowerShell. But before running it, we need to change the execution policy.
An execution policy is part of PowerShell's security strategy. Execution policies determine whether you can load configuration files, such as your PowerShell profile, or run scripts, and whether scripts must be digitally signed before they are run.
So, to run the script, we need to bypass the execution policy. For this, run either one of the following commands in the command prompt:
powershell -ep bypass OR powershell -ExecutionPolicy bypass
Now that everything is set up, we can load the script using the following command:
AD Enumeration using PowerView
With the script loaded, we can perform AD enumeration through its commands.
Of course, there are many things one can do with this tool, but we will go through only some of them.
AD Enumeration Domain Info
- To get information about the domain, run the following command
It will give information about the domain.
- To get information about the Domain Controllers, run the following command
It will not only list which domain controllers are available but also their name, IP, OS, and other information. This can be useful in targeting domain controllers specifically.
- To get the domain policy, use the following command
- To view the specific policy, use the following command
Checking the system access policy shows that the minimum password length is 7. This can be useful when brute forcing and so on.
AD Enumeration User Info
- To get information on all users, we can use the following command
This command gives a lot of output, depending on the number of users.
To cut through this noisy output and query only the fields of choice, it helps to know what the user properties are.
So, we can use select (Select-Object), which, somewhat like grep on Linux, narrows the output down to the property we ask for.
Get-NetUser | select cn
This command will show only the user names, as below.
- To view users and the time their password was last set, we can use the following
Get-UserProperty -Properties pwdlastset
This can be useful in determining which accounts are new or old.
- To view bad password attempts, which can highlight an account being attacked
Get-UserProperty -Properties badpwdcount
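The two attributes above come back as raw LDAP values: pwdlastset is a Windows FILETIME (a 64-bit count of 100-nanosecond ticks since 1601), and a value of 0 means the password was never set or must be changed at next logon. The following is an added example, not code from the original post, that converts those raw values into password age and flags stale accounts and accounts with a high bad-password count, which is the same data a defender would review when deciding which accounts look neglected or under attack. The function name, the thresholds and the sample records are my own.

```powershell
# Added example (not from the original post). Turns raw pwdlastset / badpwdcount
# values into password age and simple hygiene flags.
# Test-UserPasswordHygiene, $StaleDays and $BadPwdThreshold are names chosen here.

function Test-UserPasswordHygiene {
    param(
        # Objects carrying cn, pwdlastset (FILETIME as int64) and badpwdcount
        [Parameter(Mandatory)] [object[]] $Users,
        [int] $StaleDays = 180,      # flag passwords older than this
        [int] $BadPwdThreshold = 5   # flag accounts with this many recent bad attempts
    )

    $now = [DateTime]::UtcNow
    foreach ($u in $Users) {
        $raw = [int64]$u.pwdlastset

        # pwdLastSet of 0 means the password must be changed at next logon
        if ($raw -eq 0) {
            $lastSet = $null
            $ageDays = $null
        } else {
            $lastSet = [DateTime]::FromFileTimeUtc($raw)
            $ageDays = [int]($now - $lastSet).TotalDays
        }

        $bad = [int]$u.badpwdcount
        [pscustomobject]@{
            cn            = $u.cn
            PwdLastSet    = $lastSet
            PwdAgeDays    = $ageDays
            BadPwdCount   = $bad
            NeverSet      = ($raw -eq 0)
            Stale         = (($null -ne $ageDays) -and ($ageDays -gt $StaleDays))
            PossibleSpray = ($bad -ge $BadPwdThreshold)
        }
    }
}

# Constructed sample records (not real domain data). The pwdlastset values are
# built from UtcNow so the example is valid whenever it is run.
$sample = @(
    [pscustomobject]@{ cn = 'user-a'; pwdlastset = [DateTime]::UtcNow.AddDays(-400).ToFileTimeUtc(); badpwdcount = 0 },
    [pscustomobject]@{ cn = 'user-b'; pwdlastset = [DateTime]::UtcNow.AddDays(-10).ToFileTimeUtc();  badpwdcount = 12 },
    [pscustomobject]@{ cn = 'user-c'; pwdlastset = 0;                                                   badpwdcount = 0 }
)

# Expected: user-a flagged Stale, user-b flagged PossibleSpray, user-c flagged NeverSet
Test-UserPasswordHygiene -Users $sample | Format-Table -AutoSize

# On a domain-joined host with the ActiveDirectory module, the same function can
# be fed live data (property access in PowerShell is case-insensitive):
#   $live = Get-ADUser -Filter * -Properties cn, pwdLastSet, badPwdCount
#   Test-UserPasswordHygiene -Users $live | Where-Object { $_.Stale -or $_.PossibleSpray }
```

Note that badPwdCount is tracked per domain controller and is reset after the lockout observation window, so a low value on one DC does not rule out a spray against another; treat the flag as a prompt to look at the logon failure events rather than as a verdict.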
AD Enumeration Computer Info
- To get information about all computers
AD Enumeration Group Info
- In order to find the groups, we can use the following command
To narrow this down to admin groups, we can use a wildcard around admin in the command
Get-NetGroup -GroupName *admin*
To get the members of a specific group, we can use the following command
Get-NetGroupMember -GroupName "Domain Admins"
AD Enumeration File Share
There is a module for finding the file shares in the network.
This lists which shares are exposed and where. For example, in the above image, some shares are on the local machine while others are on the domain.
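The shares that show up in that list are only interesting to an attacker if the share permissions let a low-privileged account in. As an added example (not code from the original post), the following audits the local SMB shares from the defender's side and reports every Allow entry granted to a broad principal such as Everyone or Authenticated Users. It uses the built-in SmbShare cmdlets, assumes an elevated prompt, and the function name and principal list are my own.

```powershell
# Added example (not from the original post). Lists share-level permissions that
# grant access to broad groups. Get-BroadShareAccess is a name chosen here.
# Assumes an elevated PowerShell session on the host whose shares are audited.

function Get-BroadShareAccess {
    param(
        # Principals considered "broad"; extend for your environment
        [string[]] $BroadPrincipals = @(
            'Everyone',
            'NT AUTHORITY\Authenticated Users',
            'BUILTIN\Users'
        )
    )

    foreach ($share in Get-SmbShare) {
        # Share-level ACL only; NTFS permissions on $share.Path still apply on top
        $acl = Get-SmbShareAccess -Name $share.Name
        foreach ($ace in $acl) {
            if ($ace.AccessControlType -eq 'Allow' -and $BroadPrincipals -contains $ace.AccountName) {
                [pscustomobject]@{
                    Share     = $share.Name
                    Path      = $share.Path
                    Principal = $ace.AccountName
                    Right     = $ace.AccessRight   # Read, Change or Full
                }
            }
        }
    }
}

# Anything listed here is readable (or worse) by any domain account that can reach the host
Get-BroadShareAccess | Sort-Object Share, Principal | Format-Table -AutoSize
```

Because the effective permission is the intersection of the share ACL and the NTFS ACL on the underlying folder, a share that appears here is worth checking with Get-Acl on its path before deciding it is actually over-exposed.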
AD Enumeration Group Policy
- To view the Group Policies, we can use the following command
To view only specified fields, we can again use select. For example, to list only the policy name and when it was last changed, we can use the following command
Get-NetGPO | select displayname, whenchanged
This can be helpful in determining when a policy was changed and then thinking about the next attack vector.
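Everything in this walkthrough leaves two kinds of trace on the host: the PowerShell launch with -ep bypass or -ExecutionPolicy bypass (visible in process-creation events, Security 4688 or Sysmon event 1, when command-line auditing is enabled) and the PowerView function names themselves (visible in PowerShell Script Block Logging, event 4104, once that logging is turned on). Microsoft documents the execution policy as a safety feature rather than a security boundary, and the one-flag bypass shown earlier is exactly why detection and application control, not the policy itself, are what a defender should rely on. The following is an added example, not code from the original post or from PowerView: it runs that detection logic over constructed sample records. The function names and sample lines are my own; the cmdlet list is taken from the commands shown in this post.

```powershell
# Added example (not from the original post). Detection logic for the two
# host-side artifacts of this walkthrough. Function names are chosen here.

# PowerView cmdlet names as they appear in this post
$PowerViewCmdlets = @('Get-NetUser', 'Get-UserProperty', 'Get-NetGroup', 'Get-NetGroupMember', 'Get-NetGPO')

function Test-ExecutionPolicyBypass {
    param([Parameter(Mandatory)] [string] $CommandLine)
    # -ep is PowerShell's abbreviation of -ExecutionPolicy; both forms appear above.
    # -match is case-insensitive by default.
    return [bool]($CommandLine -match 'powershell.*-(?:ep|executionpolicy)\s+bypass')
}

function Find-PowerViewIndicator {
    param([Parameter(Mandatory)] [string] $ScriptBlockText)
    # Returns the PowerView cmdlet names present in a logged script block.
    # \b keeps Get-NetGroup from matching inside Get-NetGroupMember.
    $PowerViewCmdlets | Where-Object { $ScriptBlockText -match "\b$([regex]::Escape($_))\b" }
}

# Constructed sample records (not real logs)
$commandLines = @(
    'powershell -ep bypass',
    'powershell -ExecutionPolicy bypass',
    'powershell.exe -NoProfile -Command Get-Date'
)
$scriptBlocks = @(
    'Get-NetUser | select cn',
    'Get-NetGroupMember -GroupName "Domain Admins"',
    'Get-ChildItem C:\Windows\Temp'
)

# Expected: first two command lines flagged, third not
foreach ($cl in $commandLines) {
    [pscustomobject]@{ CommandLine = $cl; ExecPolicyBypass = (Test-ExecutionPolicyBypass -CommandLine $cl) }
}

# Expected: Get-NetUser for the first block, Get-NetGroupMember for the second, nothing for the third
foreach ($sb in $scriptBlocks) {
    [pscustomobject]@{ ScriptBlock = $sb; PowerViewCmdlets = ((Find-PowerViewIndicator -ScriptBlockText $sb) -join ',') }
}

# Against real logs. Script block logging is enabled by the GPO
# "Turn on PowerShell Script Block Logging" (registry value EnableScriptBlockLogging=1
# under HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging).
# For event 4104 the script text is the third property (index 2) of the event:
#   Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } |
#       ForEach-Object {
#           $hits = Find-PowerViewIndicator -ScriptBlockText $_.Properties[2].Value
#           if ($hits) { [pscustomobject]@{ Time = $_.TimeCreated; Cmdlets = ($hits -join ',') } }
#       }
```

Matching on function names is a cheap first signal rather than a complete detection: renaming the functions defeats it, so pair it with the LDAP-level view (unusual volumes of directory queries from a workstation) and with application control that blocks unsigned scripts outright.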
Not the END
There is much more that can be gathered with this tool. I have shown the common surface-level gathering, but you can dig deeper and see what you find. In a real AD environment, there will be many more, and more complex, things to gather information about.
Enumeration is the Key
Since this is enumeration, we are gathering every possible piece of data about the AD environment to get a better understanding of it, then using the information gathered to prioritize the users, computers, groups, or services we want to attack. The purpose is to enumerate as much as we can so it can be used in the actual attacking phase and for lateral movement.
Following are some useful resources for PowerView: