Secondary Categories: 02 - Information Gathering Links: Search Tag:π
Domain Reconnaissance
Basic
If you already have a host on the network, you can also run the host command with the domain name, or the nslookup command, to find the domain controllers.
PowerView
PowerView is the de facto tool for domain enumeration, and it uses only PowerShell to query the domain. The benefit is that you can build very powerful queries and chain them to get exactly the information you need. Also, once the module is imported into PowerShell, tab auto-completion works for its cmdlets.
To import the powershell module you need to run the following command:
Import-Module C:\Tools\PowerSploit\Recon\Powerview.ps1
Or if you are using Cobalt Strike you can use a similar command:
powershell-import C:\Tools\PowerSploit\Recon\Powerview.ps1
Get-Domain
beacon> powershell Get-Domain
Forest : cyberbotic.io
DomainControllers : {dc-2.dev.cyberbotic.io}
Children : {}
DomainMode : Unknown
DomainModeLevel : 7
Parent : cyberbotic.io
PdcRoleOwner : dc-2.dev.cyberbotic.io
RidRoleOwner : dc-2.dev.cyberbotic.io
InfrastructureRoleOwner : dc-2.dev.cyberbotic.io
Name : dev.cyberbotic.io
Get-DomainController
beacon> powershell Get-DomainController | select Forest, Name, OSVersion | fl
Forest : cyberbotic.io
Name : dc-2.dev.cyberbotic.io
OSVersion : Windows Server 2022 Datacenter
Get-ForestDomain
beacon> powershell Get-ForestDomain
Forest : cyberbotic.io
DomainControllers : {dc-1.cyberbotic.io}
Children : {dev.cyberbotic.io}
DomainMode : Unknown
DomainModeLevel : 7
Parent :
PdcRoleOwner : dc-1.cyberbotic.io
RidRoleOwner : dc-1.cyberbotic.io
InfrastructureRoleOwner : dc-1.cyberbotic.io
Name : cyberbotic.io
Forest : cyberbotic.io
DomainControllers : {dc-2.dev.cyberbotic.io}
Children : {}
DomainMode : Unknown
DomainModeLevel : 7
Parent : cyberbotic.io
PdcRoleOwner : dc-2.dev.cyberbotic.io
RidRoleOwner : dc-2.dev.cyberbotic.io
InfrastructureRoleOwner : dc-2.dev.cyberbotic.io
Get-DomainPolicyData
beacon> powershell Get-DomainPolicyData | select -expand SystemAccess
MinimumPasswordAge : 1
MaximumPasswordAge : 42
MinimumPasswordLength : 7
PasswordComplexity : 1
PasswordHistorySize : 24
LockoutBadCount : 0
RequireLogonToChangePassword : 0
ForceLogoffWhenHourExpire : 0
ClearTextPassword : 0
LSAAnonymousNameLookup : 0
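The SystemAccess block above is plain Format-List style "Key : Value" text, which is easy to parse and compare against a policy baseline. The following Python is an added example, not PowerView code: it parses that output format (including PowerView's habit of printing several objects back to back, as under Get-ForestDomain, and wrapped continuation lines like the memberof value under Get-DomainUser) and then flags policy fields that fall below a baseline. The thresholds in BASELINE are illustrative assumptions, not values the page gives; the sample text is constructed from the output shown on this page.

```python
"""Parse Format-List style 'Key : Value' output (as printed by PowerView) and
audit the password-policy fields returned by Get-DomainPolicyData.

Added example, not PowerView code. BASELINE holds assumed illustrative
thresholds, not values taken from the page.
"""
import re
from typing import Dict, List, Optional

# Constructed sample: the SystemAccess block shown on this page.
SAMPLE_POLICY = """\
MinimumPasswordAge : 1
MaximumPasswordAge : 42
MinimumPasswordLength : 7
PasswordComplexity : 1
PasswordHistorySize : 24
LockoutBadCount : 0
RequireLogonToChangePassword : 0
ForceLogoffWhenHourExpire : 0
ClearTextPassword : 0
LSAAnonymousNameLookup : 0
"""

# Constructed sample in the style of Get-ForestDomain: two objects back to back.
SAMPLE_FOREST = """\
Forest : cyberbotic.io
Name : cyberbotic.io
Forest : cyberbotic.io
Name : dev.cyberbotic.io
"""

_KV = re.compile(r"^(?P<key>[A-Za-z0-9_]+)\s*:\s?(?P<value>.*)$")


def parse_format_list(text: str) -> List[Dict[str, str]]:
    """Split Format-List output into one dict per object.

    A new object starts after a blank line or when a key repeats (PowerView
    prints several objects back to back). Lines without a 'Key :' prefix are
    wrapped continuations and are appended to the previous value.
    """
    records: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    last_key: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                records.append(current)
            current, last_key = {}, None
            continue
        m = _KV.match(line)
        if m:
            key, value = m.group("key"), m.group("value").strip()
            if key in current:            # repeated key: next object begins
                records.append(current)
                current = {}
            current[key] = value
            last_key = key
        elif last_key is not None:        # wrapped continuation line
            current[last_key] += " " + line
    if current:
        records.append(current)
    return records


# Assumed baseline for the audit (illustrative thresholds, not from the page).
BASELINE = {
    "MinimumPasswordLength": ("min", 14),
    "PasswordHistorySize": ("min", 24),
    "PasswordComplexity": ("eq", 1),
    "ClearTextPassword": ("eq", 0),
    "LSAAnonymousNameLookup": ("eq", 0),
    "LockoutBadCount": ("range", (1, 10)),   # 0 means accounts never lock out
}


def audit_password_policy(policy: Dict[str, str]) -> List[str]:
    """Return one finding string per field that fails BASELINE."""
    findings: List[str] = []
    for field, (kind, want) in BASELINE.items():
        if field not in policy:
            findings.append(f"{field}: missing from output")
            continue
        have = int(policy[field])
        if kind == "min" and have < want:
            findings.append(f"{field}={have} (expected >= {want})")
        elif kind == "eq" and have != want:
            findings.append(f"{field}={have} (expected {want})")
        elif kind == "range" and not (want[0] <= have <= want[1]):
            findings.append(f"{field}={have} (expected {want[0]}..{want[1]})")
    return findings


if __name__ == "__main__":
    policy = parse_format_list(SAMPLE_POLICY)[0]
    for finding in audit_password_policy(policy):
        print("FINDING:", finding)
    print(len(parse_format_list(SAMPLE_FOREST)), "objects in forest sample")
```

Run against the sample above it reports two findings: the seven-character minimum length and a lockout threshold of 0. The same parser works on the Get-Domain, Get-DomainTrust and Get-DomainGPOUserLocalGroupMapping output on this page, so the records can be diffed between assessments or fed into whatever tracking a blue team uses.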
Get-DomainUser
Return all (or specific) user(s). To only return specific properties, use -Properties. By default, all user objects for the current domain are returned; use -Identity to return a specific user.
beacon> powershell Get-DomainUser -Identity jking -Properties DisplayName, MemberOf | fl
displayname : John King
memberof : {CN=Internet Users,CN=Users,DC=dev,DC=cyberbotic,DC=io, CN=Support
Engineers,CN=Users,DC=dev,DC=cyberbotic,DC=io}
Get-DomainComputer
beacon> powershell Get-DomainComputer -Properties DnsHostName | sort -Property DnsHostName
dnshostname
-----------
dc-2.dev.cyberbotic.io
fs.dev.cyberbotic.io
sql-2.dev.cyberbotic.io
web.dev.cyberbotic.io
wkstn-1.dev.cyberbotic.io
wkstn-2.dev.cyberbotic.io
Get-DomainOU
beacon> powershell Get-DomainOU -Properties Name | sort -Property Name
name
----
Domain Controllers
File Servers
Servers
SQL Servers
Web Servers
Workstations
Get-DomainGroup
beacon> powershell Get-DomainGroup | where Name -like "*Admins*" | select SamAccountName
samaccountname
--------------
Domain Admins
Key Admins
DnsAdmins
MS SQL Admins
Studio Admins
Get-DomainGPO
beacon> powershell Get-DomainGPO -Properties DisplayName | sort -Property DisplayName
displayname
-----------
Computer Certificates
Default Domain Controllers Policy
Default Domain Policy
LAPS
Proxy Settings
Server Admins
Vulnerable GPO
Windows Defender
Windows Firewall
Workstation Admins
Get-DomainGPOLocalGroup
beacon> powershell Get-DomainGPOLocalGroup | select GPODisplayName, GroupName
GPODisplayName GroupName
-------------- ---------
Workstation Admins DEV\Support Engineers
Server Admins DEV\Support Engineers
Get-DomainGPOUserLocalGroupMapping
beacon> powershell Get-DomainGPOUserLocalGroupMapping -LocalGroup Administrators | select ObjectName, GPODisplayName, ContainerName, ComputerName | fl
ObjectName : Support Engineers
GPODisplayName : Server Admins
ContainerName : {OU=Servers,DC=dev,DC=cyberbotic,DC=io}
ComputerName : {web.dev.cyberbotic.io, sql-2.dev.cyberbotic.io, fs.dev.cyberbotic.io}
ObjectName : Support Engineers
GPODisplayName : Workstation Admins
ContainerName : {OU=Workstations,DC=dev,DC=cyberbotic,DC=io}
ComputerName : {wkstn-1.dev.cyberbotic.io, wkstn-2.dev.cyberbotic.io}
Get-DomainTrust
beacon> powershell Get-DomainTrust
SourceName : dev.cyberbotic.io
TargetName : cyberbotic.io
TrustType : WINDOWS_ACTIVE_DIRECTORY
TrustAttributes : WITHIN_FOREST
TrustDirection : Bidirectional
WhenCreated : 8/15/2022 4:00:00 PM
WhenChanged : 8/15/2022 4:00:00 PM
SourceName : dev.cyberbotic.io
TargetName : dev-studio.com
TrustType : WINDOWS_ACTIVE_DIRECTORY
TrustAttributes :
TrustDirection : Inbound
WhenCreated : 8/16/2022 9:52:37 AM
WhenChanged : 8/16/2022 9:52:37 AM
SharpView
SharpView was designed to be a C# port of PowerView and therefore has much the same functionality. However, one downside is that it doesn't have the same piping ability as PowerShell.
beacon> execute-assembly C:\Tools\SharpView\SharpView\bin\Release\SharpView.exe Get-Domain
Forest : cyberbotic.io
DomainControllers : {dc-2.dev.cyberbotic.io}
Children : {}
DomainMode : Unknown
DomainModeLevel : 7
Parent : cyberbotic.io
PdcRoleOwner : dc-2.dev.cyberbotic.io
RidRoleOwner : dc-2.dev.cyberbotic.io
InfrastructureRoleOwner : dc-2.dev.cyberbotic.io
Name : dev.cyberbotic.io
ADSearch
ADSearch lets you perform many of the same actions as SharpView and PowerView, but you can also hand it raw LDAP search filters.
beacon> execute-assembly C:\Tools\ADSearch\ADSearch\bin\Release\ADSearch.exe --search "objectCategory=user"
[*] No domain supplied. This PC's domain will be used instead
[*] LDAP://DC=dev,DC=cyberbotic,DC=io
[*] CUSTOM SEARCH:
[*] TOTAL NUMBER OF SEARCH RESULTS: 10
[+] cn : Administrator
[+] cn : Guest
[+] cn : krbtgt
[+] cn : CYBER$
[+] cn : Bob Farmer
[+] cn : John King
[+] cn : Nina Lamb
[+] cn : MS SQL Service
[+] cn : Squid Proxy
[+] cn : STUDIO$
You can also use filters to narrow the search results further. For instance, searching for all domain groups whose name ends with the word "Admins":
beacon> execute-assembly C:\Tools\ADSearch\ADSearch\bin\Release\ADSearch.exe --search "(&(objectCategory=group)(cn=*Admins))"
[*] No domain supplied. This PC's domain will be used instead
[*] LDAP://DC=dev,DC=cyberbotic,DC=io
[*] CUSTOM SEARCH:
[*] TOTAL NUMBER OF SEARCH RESULTS: 5
[+] cn : Domain Admins
[+] cn : Key Admins
[+] cn : DnsAdmins
[+] cn : MS SQL Admins
[+] cn : Studio Admins
You can also use the --attributes parameter to return only the specific values you need, or the --full flag to return every attribute of each result:
beacon> execute-assembly C:\Tools\ADSearch\ADSearch\bin\Release\ADSearch.exe --search "(&(objectCategory=group)(cn=MS SQL Admins))" --attributes cn,member
[*] TOTAL NUMBER OF SEARCH RESULTS: 1
[+] cn : MS SQL Admins
[+] member : CN=Developers,CN=Users,DC=dev,DC=cyberbotic,DC=io
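ADSearch passes the --search string through as an LDAP search filter, so it helps to understand how those filters are structured: a parenthesised item, or a prefix operator (&, |, !) applied to a list of nested filters, with * acting as a wildcard inside a value. The following Python is an added example, not ADSearch code: a small RFC 4515 filter parser that evaluates filters like the ones above against a constructed in-memory directory (a subset of the objects listed in the output), plus the value escaping an application needs when it builds a filter from untrusted input so that a supplied name cannot change the filter's structure. It supports &, |, ! and equality items with * wildcards only; the directory contents are constructed for the example.

```python
"""Minimal RFC 4515 LDAP search-filter parser and matcher (added example,
not ADSearch code). Supports &, |, ! and equality items with '*' wildcards;
attribute names and values are compared case-insensitively."""
from typing import Callable, Dict, List

Entry = Dict[str, str]
Matcher = Callable[[Entry], bool]

# Constructed directory: a subset of the objects listed in this page's output.
DIRECTORY: List[Entry] = [
    {"objectCategory": "user", "cn": "Administrator"},
    {"objectCategory": "user", "cn": "John King"},
    {"objectCategory": "group", "cn": "Domain Admins"},
    {"objectCategory": "group", "cn": "Key Admins"},
    {"objectCategory": "group", "cn": "DnsAdmins"},
    {"objectCategory": "group", "cn": "MS SQL Admins"},
    {"objectCategory": "group", "cn": "Studio Admins"},
    {"objectCategory": "group", "cn": "Developers"},
]

def escape_filter_value(value: str) -> str:
    """Escape the characters RFC 4515 reserves inside a filter value."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def _unescape(s: str) -> str:
    """Turn \\XX hex escapes back into literal characters."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\":
            out.append(chr(int(s[i + 1:i + 3], 16)))
            i += 3
        else:
            out.append(s[i])
            i += 1
    return "".join(out)

def _glob_match(parts: List[str], value: str) -> bool:
    """Match value against the substrings between '*' wildcards, in order."""
    v, parts = value.lower(), [p.lower() for p in parts]
    if len(parts) == 1:                       # no wildcard: exact match
        return v == parts[0]
    if not v.startswith(parts[0]):
        return False
    v = v[len(parts[0]):]
    for middle in parts[1:-1]:
        idx = v.find(middle)
        if idx < 0:
            return False
        v = v[idx + len(middle):]
    return v.endswith(parts[-1])

class FilterParser:
    """Recursive-descent parser producing a predicate over directory entries."""
    def __init__(self, text: str) -> None:
        self.text, self.pos = text, 0

    def parse(self) -> Matcher:
        matcher = self._filter()
        if self.pos != len(self.text):
            raise ValueError(f"trailing data at offset {self.pos}")
        return matcher

    def _expect(self, ch: str) -> None:
        if self.text[self.pos:self.pos + 1] != ch:
            raise ValueError(f"expected {ch!r} at offset {self.pos}")
        self.pos += 1

    def _filter(self) -> Matcher:
        self._expect("(")
        op = self.text[self.pos:self.pos + 1]
        if op in ("&", "|"):                  # filterlist: (&(...)(...))
            self.pos += 1
            subs = []
            while self.text[self.pos:self.pos + 1] == "(":
                subs.append(self._filter())
            self._expect(")")
            combine = all if op == "&" else any
            return lambda e: combine(s(e) for s in subs)
        if op == "!":                         # negation: (!(...))
            self.pos += 1
            sub = self._filter()
            self._expect(")")
            return lambda e: not sub(e)
        return self._item()                   # simple item, consumes its ')'

    def _item(self) -> Matcher:
        eq, close = self.text.find("=", self.pos), self.text.find(")", self.pos)
        if eq < 0 or close < 0 or eq > close:
            raise ValueError(f"malformed item at offset {self.pos}")
        attr = self.text[self.pos:eq].strip().lower()
        # Split on unescaped '*' first, then decode \XX escapes in each piece,
        # so an escaped \2a stays a literal asterisk rather than a wildcard.
        parts = [_unescape(p) for p in self.text[eq + 1:close].split("*")]
        self.pos = close + 1
        return lambda e: any(k.lower() == attr and _glob_match(parts, v)
                             for k, v in e.items())

def search(filter_text: str, entries: List[Entry] = DIRECTORY) -> List[str]:
    """Return the cn of every entry matching the filter, in directory order."""
    matcher = FilterParser(filter_text).parse()
    return [e["cn"] for e in entries if matcher(e)]

def group_lookup_filter(name: str) -> str:
    """Build an exact-match group filter from an untrusted name, with escaping."""
    return f"(&(objectCategory=group)(cn={escape_filter_value(name)}))"
```

search("(&(objectCategory=group)(cn=*Admins))") returns the five *Admins groups, matching the ADSearch result above. The escaping matters for any code that builds a filter from input it does not control: group_lookup_filter("*") produces (cn=\2a), an exact match for a group literally named "*" that returns nothing, whereas splicing the raw "*" in would turn the lookup into a wildcard that returns every group.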
Resources:
| Title | URL |
|---|---|
| PowerView | https://github.com/PowerShellMafia/PowerSploit |
| ADSearch | https://github.com/tomcarver16/ADSearch |
| SharpView | https://github.com/tevora-threat/SharpView |
Created Date: November 8th 2022 20:21
Last Modified Date: November 8th 2022 20:21