12.Credentialed Enumeration - from Windows

1. Active Directory PowerShell Module

Function: Administers Active Directory from the command line.

Key Cmdlets:

  • Get-Module: Lists available modules.

  • Import-Module ActiveDirectory: Loads the module.

  • Get-ADDomain: Retrieves domain information.

  • Get-ADUser: Retrieves user information.

  • Get-ADTrust: Retrieves domain trust relationships.

  • Get-ADGroup: Retrieves group information.

  • Get-ADGroupMember: Retrieves group membership.

Commands:

Get-Module
Import-Module ActiveDirectory
Get-ADDomain
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName
Get-ADTrust -Filter *
Get-ADGroup -Filter * | select name
Get-ADGroup -Identity "Backup Operators"
Get-ADGroupMember -Identity "Backup Operators"

Significance: Built-in and stealthy enumeration.

2. PowerView/SharpView

Function: Gains situational awareness within an AD environment.

Key Functions (PowerView):

  • Get-DomainUser: Retrieves user information.

  • Get-DomainGroupMember: Retrieves group membership.

  • Get-DomainTrustMapping: Retrieves domain trust mappings.

  • Test-AdminAccess: Tests for local admin access.

  • Get-DomainUser -SPN -Properties samaccountname,ServicePrincipalName: Finds users with SPN.

  • Get-DomainGPO: Enumerates Group Policy Objects.

  • Get-DomainUser -TrustedToAuth: Finds users with unconstrained delegation.

Key Functions (SharpView):

  • Get-DomainUser: Retrieves user information.

PowerView Commands:

Get-DomainUser -Identity mmorgan -Domain inlanefreight.local | Select-Object -Property name,samaccountname,description,memberof,whencreated,pwdlastset,lastlogontimestamp,accountexpires,admincount,userprincipalname,serviceprincipalname,useraccountcontrol
Get-DomainGroupMember -Identity "Domain Admins" -Recurse
Get-DomainTrustMapping
Test-AdminAccess -ComputerName ACADEMY-EA-MS01
Get-DomainUser -SPN -Properties samaccountname,ServicePrincipalName
Get-DomainGPO
Get-DomainUser -TrustedToAuth

SharpView Commands:

.\SharpView.exe Get-DomainUser -Identity forend
.\SharpView.exe Get-DomainUser -Help

Significance: Comprehensive enumeration and relationship mapping.

3. Snaffler

Function: Acquires credentials and sensitive data from file shares.

Commands:

Snaffler.exe -s -d inlanefreight.local -o snaffler.log -v data
Snaffler.exe -s \\fileserver\shared -o snaffler.log -v data

Significance: Efficient sensitive data discovery.

Key Takeaways:

  • Windows-based enumeration provides access to powerful tools.

  • The ActiveDirectory PowerShell module offers stealthy built-in capabilities.

  • PowerView/SharpView excels at relationship mapping and situational awareness.

  • Snaffler quickly finds sensitive data within file shares.

  • Always use the -help flag to learn available options.

Additional Considerations:

  1. PowerShell's Get-Help:

    Get-Help Get-ADUser -Full

    • Similar to Linux man pages, PowerShell has built-in help.

  2. PowerShell Module Discovery:

    Get-Command -Module ActiveDirectory

    • This helps in discovering available cmdlets.

  3. PowerView Loading:

    Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process
Import-Module .\PowerView.ps1

    • Required since PowerView is not a built-in module and may need an execution policy bypass.

  4. Snaffler Output Handling:

    Select-String -Path snaffler.log -Pattern "password|creds|admin"

    • Filters results for sensitive keywords.

  5. Checking Active Directory Replication Metadata:

    Get-ADReplicationMetadata -Object "CN=Administrator,CN=Users,DC=domain,DC=com" -Server DC01

    • Useful for investigating AD replication.

Previous11. Credentialed Enumeration - from LinuxNext13. Living Off the Land

Last updated