more info and cleanup
This commit is contained in:
parent
d69f8dc1bb
commit
57f80bd460
|
|
@ -29,57 +29,111 @@ dir \\%HOSTNAME%\SYSVOL\
|
|||
* `Win` + `r` -> `MMC` -> File -> Add/Remove Snap-in -> add 3 AD feature snap-ins -> right click `Active Directory Sites and Services` -> `Change Forest` -> Add root domain -> right click `Active Directory Users and Computers` -> Change Domain -> enter root domain -> right click `Active Directory Users and Computers ` -> View -> Advanced Features
|
||||
* Start enumerating via click on the domain object in the tree on the left
|
||||
* Take a look at `People` directory -> right click on them to see properties
|
||||
* Change or create user or change groups
|
||||
* Also use `MMC` to enumerate
|
||||
* Change or create user or change groups
|
||||
* Also use `MMC` to enumerate
|
||||
|
||||
## CMD enumeration
|
||||
|
||||
Execute from domain joined machine
|
||||
Execute the following commands from any domain joined machine after inital access has been done.
|
||||
|
||||
Specific user
|
||||
|
||||
* Users
|
||||
```sh
|
||||
net user /domain
|
||||
```
|
||||
* Specific user
|
||||
```sh
|
||||
net user <username> /domain
|
||||
```
|
||||
* Groups
|
||||
|
||||
Accounts & Groups
|
||||
|
||||
```sh
|
||||
net user /domain
|
||||
net group /domain
|
||||
```
|
||||
* Specific group
|
||||
|
||||
Specific groups like admins
|
||||
|
||||
```sh
|
||||
net group <groupname> /domain
|
||||
net group "Domain Admins" /domain
|
||||
net group "Enterprise Admins" /domain
|
||||
```
|
||||
* Password Policy via accounts
|
||||
|
||||
For local admin accounts:
|
||||
|
||||
```sh
|
||||
net localgroup administrators
|
||||
```
|
||||
|
||||
Password Policy via accounts
|
||||
|
||||
```sh
|
||||
net accounts /domain
|
||||
```
|
||||
|
||||
Machines on the network:
|
||||
|
||||
```sh
|
||||
net view
|
||||
```
|
||||
|
||||
Shares on specific remote systems:
|
||||
|
||||
```sh
|
||||
net view \$SERVER_NAME /all
|
||||
```
|
||||
|
||||
Domain/Trust, which is domain controllers in the current env first and further
|
||||
trusted domains:
|
||||
|
||||
```sh
|
||||
nltest /dclist:domain
|
||||
nltest /domain_trust
|
||||
```
|
||||
|
||||
## Powershell Cmdlets
|
||||
|
||||
* User details via
|
||||
User details via:
|
||||
|
||||
```sh
|
||||
Get-ADUser -Identity <username> -Server <fqdn/or/DCdomain> -Properties *
|
||||
Get-ADUser -Filter *
|
||||
Get-ADUser -Identity <username> -Server <fqdn/or/DCdomain> -Properties *
|
||||
```
|
||||
* Groups
|
||||
|
||||
Groups:
|
||||
|
||||
```sh
|
||||
Get-ADGroup -Identity Administrators -Server exampleDC.com -Properties *
|
||||
Get-ADGroup -Identity Administrators -Server exampleDC.com -Properties *
|
||||
```
|
||||
* Group membership
|
||||
|
||||
Group membership:
|
||||
|
||||
```sh
|
||||
Get-ADGroupMember -Identity Administrators -Server exampleDC.com
|
||||
```
|
||||
* Generic AD objects
|
||||
|
||||
Admin group members:
|
||||
|
||||
```sh
|
||||
Get-ADObject -Filter <filterstuff> -includeDeletedObjects -Server exampleDC.com
|
||||
Get-ADGroupMember "Domain Admins"
|
||||
```
|
||||
|
||||
Generic AD objects:
|
||||
|
||||
```sh
|
||||
Get-ADObject -Filter <filterstuff> -includeDeletedObjects -Server exampleDC.com
|
||||
Get-ADObject -Filter 'badPwdCount -gt 0' -Server exampleDC.com
|
||||
```
|
||||
* Domains
|
||||
|
||||
Domains:
|
||||
|
||||
```sh
|
||||
Get-ADDomain -Server exampleDC.com
|
||||
```
|
||||
```
|
||||
|
||||
All Computer accounts which joined the domain:
|
||||
|
||||
```sh
|
||||
Get-ADComputer -Filter *
|
||||
```
|
||||
|
||||
## Sharphound and Bloodhound
|
||||
|
||||
|
|
@ -89,7 +143,7 @@ Get-ADObject -Filter 'badPwdCount -gt 0' -Server exampleDC.com
|
|||
* Sharphound.ps1
|
||||
* sharphound.exe
|
||||
* Azurehound.ps1
|
||||
|
||||
|
||||
* For example
|
||||
```sh
|
||||
Sharphound.exe --CollectionMethods <Default/Session/All> --Domain example.com --ExcludeDCs
|
||||
|
|
@ -112,7 +166,7 @@ bloodhound --no-sandbox
|
|||
|
||||
## LDAP
|
||||
|
||||
## PowerView
|
||||
## PowerView
|
||||
|
||||
Registered Machines in the domain
|
||||
|
||||
|
|
|
|||
|
|
@ -80,6 +80,8 @@ The `Logon ID` is the session identifier.
|
|||
* **4624**: Successful logon/login, Session created on target resource
|
||||
* **4625**: Failed logon/login
|
||||
* **4634** and **4647**: Logoff
|
||||
* **4648**: Login Using Explicit Credentials (e.g. from another user through
|
||||
`net use /user:`)
|
||||
* **4779**: Session disconnect
|
||||
|
||||
### Active Directory Objects
|
||||
|
|
@ -92,10 +94,10 @@ The `Logon ID` is the session identifier.
|
|||
### Logon Types
|
||||
|
||||
* **2**: Interactive
|
||||
* **3**: Network
|
||||
* **3**: Network (e.g. SMB, PsExec)
|
||||
* **4**: Batch
|
||||
* **5**: Service
|
||||
* **7**: Unlock
|
||||
* **7**: Unlock, when Session is already established in some other way
|
||||
* **10**: RDP
|
||||
|
||||
### Scheduled Tasks
|
||||
|
|
@ -111,6 +113,7 @@ The `Logon ID` is the session identifier.
|
|||
### System
|
||||
|
||||
* **7045**: Service installation
|
||||
* **17**: Service creates named pipes for stdin, stdout and stderr
|
||||
|
||||
### Security
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue