Active Directory Enumeration
Consists of
- Domain Controller
- Organizational Units
- Users
- Groups
- Trusts
- AD Domains
- AD Forest
- Policies
Administrative accounts are
- Domain Admin
- Enterprise Admin
- Schema Admin
- Server Operator
- Account Operator
Domain Controller
- AD Domain Services data store
- Authentication and authorization
- Update replication / sync with other domain controllers in the forest
- Administration of domain resources
AD DS Store
- Database of directory info such as users, groups and services
ntds.dit
located in %SystemRoot%\NTDS, contains the directory information, including password hashes
Forest
- Trees, hierarchy of domains in the AD Domain Services
- Domains, groups of objects
- Organizational Units (OU), containers of objects such as groups, users, printers and other resources
- Trusts, allows users to access resources in a different domain
- Objects users, groups, printers, computers or shares
- Domain Services, DNS, LLMNR, SMB
- Domain Schema, Rules for object creation
Users
- Domain Admin, DC access
- Server Accounts, service maintenance, may have admin permissions
- Local Admin, administrative permission on an object but not the DC
- Domain Users, average user account on a local machine which may have admin permissions
Policies
- Rule sets
- Apply to a domain
- Enable or disable services on a domain basis, like antivirus and malware scanning
- Disable Windows Defender
- Communication signing, e.g. SMB
Domain Services
- LDAP
- Certificates handling for services, CRL
- DNS, LLMNR, NBT-NS
Authentication
- NTLM, ticket granting service
- Kerberos, challenge/response via hashes
Usage
Cmdlets on Domain Controller
Get some help: Get-Help Get-Command -Examples, and list available cmdlets with Get-Command Get-*
From the ActiveDirectory module
Import-Module ActiveDirectory
Get-ADDomain | Select-Object NetBIOSName,DNSRoot,InfrastructureMaster
Get-ADForest | Select-Object Domains
Get-ADTrust -Filter * | Select-Object Direction,Source,Target
systeminfo | findstr Domain
Get-ADUser -filter *
- Use the found CN and DC to narrow the search base, e.g.
Get-ADUser -filter * -searchBase "CN=Users,DC=<foundDC>,DC=<domainEnding>"
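An added example (not part of these notes) that combines the ActiveDirectory cmdlets above with the administrative groups listed at the top of the page: an audit of who actually sits in each privileged group, nested membership included. It assumes the ActiveDirectory module is installed, the caller can read the domain, and group members live in the domain being queried.

```powershell
# Added example: audit membership of the privileged groups named in these notes.
# Assumes the ActiveDirectory module is available and read access to the domain.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$forest = Get-ADForest
$privilegedGroups = @(
    'Domain Admins', 'Enterprise Admins', 'Schema Admins',
    'Server Operators', 'Account Operators'
)

foreach ($groupName in $privilegedGroups) {
    # Enterprise Admins and Schema Admins exist only in the forest root domain,
    # so query them there; the rest are looked up in the current domain.
    $server = if ($groupName -in 'Enterprise Admins', 'Schema Admins') {
        $forest.RootDomain
    } else {
        $domain.DNSRoot
    }

    try {
        $group = Get-ADGroup -Identity $groupName -Server $server -ErrorAction Stop
    } catch {
        Write-Warning "Group '$groupName' not found on $server"
        continue
    }

    # -Recursive expands nested groups, which is where stale or unexpected
    # members usually hide. Assumption: members belong to $server's domain.
    $members = Get-ADGroupMember -Identity $group -Server $server -Recursive |
        Where-Object objectClass -eq 'user' |
        Get-ADUser -Server $server -Properties Enabled, LastLogonDate, PasswordLastSet

    [PSCustomObject]@{
        Group         = $groupName
        MemberCount   = @($members).Count
        Disabled      = @($members | Where-Object { -not $_.Enabled }).Count
        StalePassword = @($members | Where-Object {
                            $_.PasswordLastSet -lt (Get-Date).AddDays(-365) }).Count
        Members       = (@($members.SamAccountName) | Sort-Object) -join ', '
    }
}
```

Disabled accounts or year-old passwords inside these groups are the findings worth chasing first; pipe the output to Export-Csv to keep a baseline for comparison on later runs.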
Powerview Module
Import-Module .\PowerView.ps1
Get-NetDomain
Get-NetDomainController
Get-NetForest
Get-NetDomainTrust
DNS
- Check the local IP via ipconfig
- Start nslookup, then run server <LocalIP> to point it at the local DNS server
- Attempt a zone transfer via ls -d <Domain>