Living off the Land Enumeration
This section covers how to perform AD enumeration when it is not possible to import or upload tools onto a domain-joined host (for example when there is no Internet access) or when no attack box is available within the domain. In these cases the tester has to rely on the native Windows tools. The advantage of this approach is that it is far stealthier than pulling tools onto a domain-joined host.
Basic enumeration - CMD Prompt
Some commands to perform basic enumeration. All of this information can also be retrieved with the single command systeminfo.
| Commands | Description |
|---|---|
| | Print PC name |
| | Patches and hotfixes |
| | OS version |
| | Check for the domain controller |
| | Display the domain name |
Basic Enumeration - PowerShell
| Commands | Description |
|---|---|
| | List all available modules |
| | Get the execution policy for all scopes |
| | Change the execution policy for the current process only, so as not to make permanent changes on the victim host |
| | Check PowerShell history for a specified user |
| | List environment variables |
| | Check if we are the only one connected on the host |
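The two tables above describe the commands without showing them. The following is an added example, not code from the original page, that performs the same basic host and PowerShell enumeration with nothing but what ships with Windows. All cmdlet and executable names are real; the only state it changes is the process-scoped execution policy, which disappears when the PowerShell process exits.

```powershell
# Added example (not from the original page): basic host and PowerShell
# enumeration using only built-in commands. Read-only, apart from the
# process-scoped execution policy change, which dies with this process.

Add-Type -AssemblyName System.DirectoryServices

# The same facts systeminfo prints, picked out of its output
$hostName = hostname
$sysinfo  = systeminfo
$sysinfo | Select-String -Pattern '^(OS Name|OS Version|Domain|Logon Server)'

# Patches and hotfixes (the "Hotfix(s)" block of systeminfo, as objects)
Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object HotFixID, Description, InstalledOn

# Domain and domain controller: environment first, then the .NET API
$env:LOGONSERVER            # DC that authenticated this logon session
$env:USERDNSDOMAIN          # DNS name of the domain (empty on a non-joined host)
try   { [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain() | Select-Object Name, PdcRoleOwner, DomainControllers }
catch { 'host is not domain-joined' }

# PowerShell environment
$PSVersionTable.PSVersion   # engine version; logging features depend on it
Get-Module -ListAvailable | Select-Object Name, Version
Get-ExecutionPolicy -List   # one policy per scope; the first scope from the top that is set wins
# Process scope only: nothing is written to the registry, so no persistent change on the host
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass -Force

# PSReadLine keeps the console history as plain text under each user's profile;
# other users' files are readable only with rights to their profile folder
$history = "$env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt"
if (Test-Path $history) { Get-Content $history -Tail 20 }
Get-ChildItem -Path 'C:\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt' -ErrorAction SilentlyContinue |
    Select-Object FullName, LastWriteTime

Get-ChildItem Env: | Sort-Object Name    # environment variables
query user                                # interactive sessions on this host: are we alone?
```

Everything here runs as a standard user; the history files of other profiles simply fail to list when the account lacks rights to them.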
It is possible to downgrade PowerShell to a version prior to 3.0 in order to avoid event logging, since Script Block Logging is a feature of PowerShell 3.0 and above. However, downgrading to PowerShell v2 can look suspicious from the defender's perspective.
PowerShell events are logged in the following section of Event Viewer: Applications and Services Logs > Microsoft > Windows > PowerShell > Operational.
Checking Defenses
Firewall check
Windows Defender Check
To check if Windows Defender is enabled.
Check for security settings and configurations
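The logging note and the three checks above are given without their commands. The following is an added example, not from the original page, that reads the PowerShell logging configuration, looks at the Operational channel named above, and reports the Defender and firewall state. It assumes Windows 10 / Server 2016 or later, where the Defender and NetSecurity modules are present; the v2 engine check is the one line that needs an elevated prompt.

```powershell
# Added example (not from the original page): what this host logs about
# PowerShell and which defences are on. Built-in cmdlets only; read-only.

# Script Block Logging (the 4104 events) and Module Logging are policy settings
$sbl = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' -ErrorAction SilentlyContinue
'ScriptBlockLogging enabled: {0}' -f [bool]($sbl.EnableScriptBlockLogging -eq 1)
$ml  = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging' -ErrorAction SilentlyContinue
'ModuleLogging enabled:      {0}' -f [bool]($ml.EnableModuleLogging -eq 1)

# Is the v2 engine (the downgrade target) installed at all? Needs an elevated prompt.
Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2 -ErrorAction SilentlyContinue |
    Select-Object FeatureName, State

# The channel from the text: Applications and Services Logs > Microsoft > Windows > PowerShell > Operational.
# Event 4104 = script block executed; Properties[2] carries the script text.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{ n = 'Script'; e = { $_.Properties[2].Value } }

# A downgrade leaves a trace in the classic "Windows PowerShell" log: event 400
# (engine start) records EngineVersion=2.0 even though no 4104 events follow.
Get-WinEvent -FilterHashtable @{ LogName = 'Windows PowerShell'; Id = 400 } -MaxEvents 100 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'EngineVersion=2\.' } |
    Select-Object TimeCreated, MachineName

# Windows Defender: engine state, exclusions, and any other registered AV product
Get-MpComputerStatus | Select-Object AntivirusEnabled, RealTimeProtectionEnabled, AntivirusSignatureLastUpdated
Get-MpPreference | Select-Object -ExpandProperty ExclusionPath
Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct -ErrorAction SilentlyContinue |
    Select-Object displayName, productState      # SecurityCenter2 exists on client SKUs only

# Host firewall, per profile (classic equivalent: netsh advfirewall show allprofiles)
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction, LogAllowed, LogBlocked
```

The two Get-WinEvent queries are the defender's view of the downgrade trick described above: a v2 session is silent in the Operational channel but still announces itself in event 400.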
Network Enumeration
In a black-box test, the ARP table, the routing table and the Windows network interfaces can give valuable information about the subnets that exist in the environment. The routing and ARP tables are particularly useful when it is time to see to which other parts of the network (segments) we may be able to pivot.
| Commands | Description |
|---|---|
| | Display all network interfaces |
| | ARP table: maps physical MAC addresses to IP addresses. Useful to discover the machines our host has communicated with. |
| | Print the routing table, to discover new networks within the domain. |
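As an added example (not from the original page), the following collects the interface, ARP and routing information described above with the NetTCPIP cmdlets and then summarises which subnets the host already knows about, which is the pivoting question the paragraph raises. The cmdlet names are real; the filtering of multicast, link-local and host routes is this example's own choice.

```powershell
# Added example (not from the original page): interface, neighbour (ARP) and
# routing information via the NetTCPIP cmdlets, then a subnet summary. Read-only.

# Interfaces with their IPv4 configuration (equivalent of ipconfig /all)
Get-NetIPConfiguration | Select-Object InterfaceAlias, IPv4Address, IPv4DefaultGateway, DNSServer

# Neighbour cache: addresses this host has recently exchanged frames with (equivalent of arp -a).
# Drop multicast/broadcast entries and anything not actually resolved.
$neighbours = Get-NetNeighbor -AddressFamily IPv4 |
    Where-Object { "$($_.State)" -in 'Reachable', 'Stale', 'Permanent' -and $_.IPAddress -notmatch '^(224\.|239\.|255\.)' }
$neighbours | Select-Object IPAddress, LinkLayerAddress, State, InterfaceAlias

# Routing table (equivalent of route print). Entries other than the default route,
# loopback, link-local, multicast and /32 host routes point at reachable segments.
$routes = Get-NetRoute -AddressFamily IPv4 |
    Where-Object { $_.DestinationPrefix -notmatch '^(0\.0\.0\.0/0|127\.|169\.254\.|224\.|255\.)' -and $_.DestinationPrefix -notmatch '/32$' }
$routes | Select-Object DestinationPrefix, NextHop, InterfaceAlias, RouteMetric

# Which /24s appear in the neighbour cache, and which hosts were seen in each
$neighbours |
    Group-Object { (($_.IPAddress -split '\.')[0..2] -join '.') + '.0/24' } |
    Sort-Object Count -Descending |
    Select-Object @{ n = 'Subnet'; e = { $_.Name } }, Count, @{ n = 'Hosts'; e = { $_.Group.IPAddress -join ', ' } }
```

A /24 grouping is an approximation; the real prefix length comes from the interface's PrefixLength in Get-NetIPAddress, and the routing table entries show the segments beyond it.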
Windows Management Instrumentation
WMI stands for Windows Management Instrumentation. It can be used to perform administrative tasks on a local or remote Windows host via scripting or applications. Also check this WMI cheatsheet.
| Commands | Description |
|---|---|
| | Print patches and hotfixes |
| | Perform basic host enumeration |
| | List all processes on the host |
| | Provide information about the domain and DC |
| | Information about local users and domain users that have logged into the device |
| | Information about local groups |
| | Dump information about any system accounts that are being used as service accounts |
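The following is an added example, not from the original page or the cheatsheet it links, showing the WMI queries the table refers to through Get-CimInstance, the supported replacement for wmic.exe (which is deprecated on recent Windows). All class names are real WMI classes; the LocalAccount filters are there to keep the user and group queries from walking the whole domain.

```powershell
# Added example (not from the original page): the WMI enumeration from the
# table, via Get-CimInstance. Read-only; every class is a standard CIMv2 class.

# Patches and hotfixes
Get-CimInstance Win32_QuickFixEngineering | Select-Object HotFixID, Description, InstalledOn

# Basic host facts
Get-CimInstance Win32_OperatingSystem | Select-Object Caption, Version, OSArchitecture, LastBootUpTime
Get-CimInstance Win32_ComputerSystem  | Select-Object Name, Domain, PartOfDomain, Manufacturer, Model

# Processes, with the account each one runs as (GetOwner is a method on each instance)
Get-CimInstance Win32_Process | ForEach-Object {
    $owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
    [pscustomobject]@{ Pid = $_.ProcessId; Name = $_.Name; Owner = "$($owner.Domain)\$($owner.User)" }
} | Sort-Object Owner, Name

# Domain and domain controller
Get-CimInstance Win32_NTDomain | Select-Object DomainName, DnsForestName, DomainControllerName, DomainControllerAddress

# Local users, then every account (local or domain) that has a profile on this device
Get-CimInstance Win32_UserAccount -Filter "LocalAccount=True" | Select-Object Name, Disabled, PasswordRequired, SID
Get-CimInstance Win32_UserProfile |
    Where-Object { -not $_.Special } |
    Select-Object LocalPath, LastUseTime, SID

# Local groups
Get-CimInstance Win32_Group -Filter "LocalAccount=True" | Select-Object Name, SID

# Services running under something other than the built-in service identities:
# these StartName values are the accounts the table calls service accounts
Get-CimInstance Win32_Service |
    Where-Object { $_.StartName -and $_.StartName -notmatch '^(LocalSystem|NT AUTHORITY\\|NT Service\\)' } |
    Select-Object Name, StartName, State, PathName
```

The same queries work against a remote host by adding -ComputerName, which goes over WinRM and shows up in the target's WinRM and Security logs rather than as a local process.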
Net commands
The net commands can be used to retrieve a lot of information about the local host or the domain. Using net commands is easily detected by EDR solutions; using net1 instead of net can be used to evade detection.
| Commands | Description |
|---|---|
| | Information about password requirements |
| | Password and lockout policy |
| | Information about domain groups |
| | List users with domain admin privileges |
| | List of PCs connected to the domain |
| | List PC accounts of domain controllers |
| | Users that belong to the group |
| | List of domain groups |
| | All available groups |
| | List users that belong to the administrators group inside the domain (the group |
| | Information about a group (admins) |
| | Add user to administrators |
| | Check current shares |
| | Get information about a user within the domain |
| | List all users of the domain |
| | Information about the current user |
| | Mount the share locally |
| | Get a list of computers |
| | Shares on the domain |
| | List shares of a computer |
| | List of PCs of the domain |
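As an added example (not from the original page), the following runs the read-only net commands from the table and wraps the two whose fixed-width output is worth parsing, net accounts and net group/localgroup, in small helpers that return objects. The group names are the built-in ones. The note on detection is a fact about how the binaries run, not something the page states: net.exe and net1.exe both produce a process-creation record (Security 4688, Sysmon event 1), so the substitution changes only the image name a rule has to match.

```powershell
# Added example (not from the original page): net command enumeration with
# helpers that parse the text output. Read-only commands only.

function Get-NetAccountPolicy {
    # net accounts [/domain] prints "Key:   value" lines -> one object
    param([switch]$Domain)
    $netArgs = @('accounts'); if ($Domain) { $netArgs += '/domain' }
    $policy = [ordered]@{}
    foreach ($line in (& net.exe @netArgs 2>$null)) {
        if ($line -match '^(?<k>.+?):\s+(?<v>.+)$') { $policy[$matches.k.Trim()] = $matches.v.Trim() }
    }
    [pscustomobject]$policy
}

function Get-NetGroupMembers {
    # net group "<name>" [/domain] and net localgroup "<name>": member names follow a
    # line of dashes, up to three per line in 25-character columns
    param([string]$Group, [switch]$Domain, [switch]$Local)
    $netArgs = @($(if ($Local) { 'localgroup' } else { 'group' }), $Group)
    if ($Domain) { $netArgs += '/domain' }
    $members = New-Object System.Collections.Generic.List[string]
    $inBody  = $false
    foreach ($line in (& net.exe @netArgs 2>$null)) {
        if ($line -match '^-{5,}$') { $inBody = $true; continue }
        if (-not $inBody -or [string]::IsNullOrWhiteSpace($line) -or $line -match 'completed successfully') { continue }
        foreach ($name in ($line -split '\s{2,}')) { if ($name) { $members.Add($name.Trim()) } }
    }
    $members
}

Get-NetAccountPolicy -Domain                              # password and lockout policy of the domain
Get-NetGroupMembers -Group 'Domain Admins' -Domain        # accounts with domain admin privileges
Get-NetGroupMembers -Group 'Domain Controllers' -Domain   # computer accounts of the DCs
Get-NetGroupMembers -Group 'Administrators' -Local        # local administrators group
net user /domain                                          # every user of the domain
net user $env:USERNAME /domain                            # details of one user (here: the current one)
net view /domain                                          # computers in the domain
net share                                                 # shares on this host
```

Replacing net.exe with net1.exe in the two helpers is the substitution the text mentions; the parsing is identical because net.exe hands the same arguments to net1.exe.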
DSQuery
dsquery is another tool that we can use to retrieve information from Active Directory. Many recent hosts with Active Directory have dsquery.dll by default. dsquery can be combined with an LDAP search filter.
An example of dsQuery:
dsquery requires an elevated user, or a PowerShell/CMD prompt running in the SYSTEM context.
The command below matches every domain controller within the domain but limits the number of results to 5. Only the sAMAccountName is displayed.
See this post from Hope Walker about DSQuery domain enumeration: here.
LDAP filtering explained
This section gives a brief summary of how LDAP filtering works.
The following LDAP query is used as an example and can be split into three sections.
The first part of the query is the attribute of the object we are looking for. In the current context, we are looking for the userAccountControl attribute of an object.
The second part is the OID matching rule. It is used to match bit values against the attribute. Three main matching rules exist in LDAP and AD:
- 1.2.840.113556.1.4.803: the bit value must match the attribute exactly (logical AND).
- 1.2.840.113556.1.4.804: matches if any of the bit values match the attribute (logical OR).
- 1.2.840.113556.1.4.1941: applies to the Distinguished Name of an object and searches through all ownership and membership entries.
The third part of the LDAP query (=8192) is the value the attribute must take. The decimal number represents an attribute flag. The image below shows some of the values the userAccountControl attribute can take.
LDAP Logical operators
LDAP supports the logical operators ! (NOT), & (AND) and | (OR).
An example of an LDAP query with logical operators in the filter:
The LDAP query above corresponds to searching for user objects that do not have the Password Can't Change attribute set.
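The DSQuery section and the LDAP filtering section above describe two queries whose text was not preserved. The following is an added example, not from the original page or Hope Walker's post, that reconstructs them from the descriptions: the domain-controller query (bit 8192 = SERVER_TRUST_ACCOUNT, limited to 5 results, sAMAccountName only) and the negated query for user objects without the PASSWD_CANT_CHANGE bit (64). It also runs the same filters through System.DirectoryServices, which any domain-joined Windows host has even when dsquery.exe is absent, and decodes userAccountControl using the documented ADS_USER_FLAG constants.

```powershell
# Added example (not from the original page): dsquery filters from the text,
# the same search via DirectorySearcher, and a userAccountControl bit decoder.
# Read-only LDAP queries.

# dsquery: every domain controller, at most 5 results, sAMAccountName only.
# 1.4.803 is the bitwise-AND rule; 8192 = 0x2000 = SERVER_TRUST_ACCOUNT.
dsquery * -filter "(userAccountControl:1.2.840.113556.1.4.803:=8192)" -limit 5 -attr sAMAccountName

# Logical operators: user objects whose PASSWD_CANT_CHANGE bit (64 = 0x40) is NOT set. -limit 0 = no limit.
dsquery * -filter "(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=64)))" -limit 0 -attr sAMAccountName userAccountControl

# Same filters without dsquery.exe, through the .NET DirectorySearcher
Add-Type -AssemblyName System.DirectoryServices
function Search-Ldap {
    param([string]$Filter, [string[]]$Attributes, [int]$Limit = 0)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher   # binds to the current domain's default naming context
    $searcher.Filter   = $Filter
    $searcher.PageSize = 1000                                            # paged results, avoids the server-side 1000-object cap
    if ($Limit -gt 0) { $searcher.SizeLimit = $Limit }
    $Attributes | ForEach-Object { [void]$searcher.PropertiesToLoad.Add($_) }
    foreach ($r in $searcher.FindAll()) {
        $o = [ordered]@{}
        foreach ($a in $Attributes) { $o[$a] = $r.Properties[$a.ToLower()] | Select-Object -First 1 }
        [pscustomobject]$o
    }
}

# userAccountControl flags (documented ADS_USER_FLAG values)
$UacFlags = [ordered]@{
    SCRIPT = 0x0001; ACCOUNTDISABLE = 0x0002; HOMEDIR_REQUIRED = 0x0008; LOCKOUT = 0x0010
    PASSWD_NOTREQD = 0x0020; PASSWD_CANT_CHANGE = 0x0040; ENCRYPTED_TEXT_PWD_ALLOWED = 0x0080
    TEMP_DUPLICATE_ACCOUNT = 0x0100; NORMAL_ACCOUNT = 0x0200; INTERDOMAIN_TRUST_ACCOUNT = 0x0800
    WORKSTATION_TRUST_ACCOUNT = 0x1000; SERVER_TRUST_ACCOUNT = 0x2000; DONT_EXPIRE_PASSWORD = 0x10000
    MNS_LOGON_ACCOUNT = 0x20000; SMARTCARD_REQUIRED = 0x40000; TRUSTED_FOR_DELEGATION = 0x80000
    NOT_DELEGATED = 0x100000; USE_DES_KEY_ONLY = 0x200000; DONT_REQ_PREAUTH = 0x400000
    PASSWORD_EXPIRED = 0x800000; TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000; PARTIAL_SECRETS_ACCOUNT = 0x4000000
}
function ConvertFrom-Uac {
    # Same test the 1.4.803 rule applies: a flag is set when (value AND flag) equals the flag
    param([int]$Value)
    $UacFlags.GetEnumerator() | Where-Object { ($Value -band $_.Value) -eq $_.Value } | ForEach-Object { $_.Key }
}

# Domain controllers with their decoded flags; the 1.4.804 rule would instead match any of several bits
Search-Ldap -Filter '(userAccountControl:1.2.840.113556.1.4.803:=8192)' -Attributes sAMAccountName, userAccountControl -Limit 5 |
    ForEach-Object { '{0}: {1}' -f $_.sAMAccountName, ((ConvertFrom-Uac $_.userAccountControl) -join ',') }
```

The decoder is what makes the third part of the query readable: 8192 is SERVER_TRUST_ACCOUNT and 64 is PASSWD_CANT_CHANGE, and any other decimal value in a userAccountControl filter can be turned back into flag names the same way.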