Other tools
- Remote Server Administration Tools (RSAT) Tools
With GUI (RDP or physical) access we can use the following RSAT tools to map the domain:
dsa.msc (Active Directory Users and Computers); to launch it under alternate domain credentials, start a shell with runas /netonly first:
runas /netonly /user:<DOMAIN>\<user> cmd.exe
dsa.msc
AD Explorer
dssite.msc (Active Directory Sites and Services)
domain.msc (Active Directory Domains and Trusts)
dsac.exe (Active Directory Administrative Center)
gpmc.msc (Group Policy Management)
dnsmgmt.msc (DNS Manager)
Server Manager
- Seatbelt (https://github.com/GhostPack/Seatbelt)
To collect enumeration data for a host (note whether a web proxy is in place):
Seatbelt.exe -group=system
To enumerate the configurations and defences of a target before jumping to it:
execute-assembly C:\Tools\Seatbelt\Seatbelt\bin\Release\Seatbelt.exe OSInfo -ComputerName=web
To enumerate privileges for privesc:
Seatbelt.exe TokenPrivileges
To enumerate a user's vaults (Credential Manager):
run vaultcmd /list
run vaultcmd /listcreds:"Windows Credentials" /all
Get-ChildItem C:\Users\User\AppData\Local\Microsoft\Credentials\ -force
execute-assembly C:\Tools\Seatbelt\Seatbelt\bin\Release\Seatbelt.exe WindowsVault
execute-assembly C:\Tools\Seatbelt\Seatbelt\bin\Release\Seatbelt.exe WindowsCredentialFiles
To enumerate certificates on a machine:
execute-assembly C:\Tools\Seatbelt\Seatbelt\bin\Release\Seatbelt.exe Certificates
- ADSearch (https://github.com/tomcarver16/ADSearch)
ADSearch allows us to specify custom Lightweight Directory Access Protocol (LDAP) searches. These can be used to identify entries in the directory that match given criteria. The --json parameter can be used to format the output in JSON.
To search for all objects whose category is "user" (i.e. domain users):
execute-assembly C:\Tools\ADSearch\ADSearch\bin\Release\ADSearch.exe --search "objectCategory=user"
To search for groups whose name ends in the word "Admins":
execute-assembly C:\Tools\ADSearch\ADSearch\bin\Release\ADSearch.exe --search "(&(objectCategory=group)(cn=*Admins))"
To find users who have an SPN set (Kerberoasting):
execute-assembly C:\Tools\ADSearch\ADSearch\bin\Release\ADSearch.exe --search "(&(objectCategory=user)(servicePrincipalName=*))" --attributes cn,servicePrincipalName,samAccountName
To find users who do not have Kerberos pre-authentication enabled (AS-REP Roasting):
execute-assembly C:\Tools\ADSearch\ADSearch\bin\Release\ADSearch.exe --search "(&(objectCategory=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))" --attributes cn,distinguishedname,samaccountname
To identify all computers that are permitted for unconstrained delegation:
execute-assembly C:\Tools\ADSearch\ADSearch\bin\Release\ADSearch.exe --search "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=524288))" --attributes samaccountname,dnshostname
To identify all computers and users configured for constrained delegation:
execute-assembly C:\Tools\ADSearch\ADSearch\bin\Release\ADSearch.exe --search "(&(objectCategory=computer)(msds-allowedtodelegateto=*))" --attributes dnshostname,samaccountname,msds-allowedtodelegateto --json
To see trust attributes between our current domain and a target domain:
execute-assembly C:\Tools\ADSearch\ADSearch\bin\Release\ADSearch.exe --search "(objectCategory=trustedDomain)" --domain {target domain} --attributes distinguishedName,name,flatName,trustDirection
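Added example (not part of the original notes or of ADSearch itself): a minimal offline evaluator for the filter forms used above (conjunction, equality, presence `=*`, trailing-wildcard, and the bitwise-AND matching rule 1.2.840.113556.1.4.803 on userAccountControl), run against a constructed directory export. Handy for checking what a filter will match before running it, or for auditing an export of user and computer objects for risky settings such as disabled pre-authentication or unconstrained delegation.

```python
import re

DONT_REQ_PREAUTH = 4194304        # userAccountControl bit 0x400000
TRUSTED_FOR_DELEGATION = 524288   # userAccountControl bit 0x80000
BITAND_RULE = "1.2.840.113556.1.4.803"

def parse(s, i=0):
    """Recursive-descent parse of the RFC 4515 subset: (&...), (a=v), (a=*), (a:rule:=v)."""
    assert s[i] == "("
    if s[i + 1] == "&":
        items, i = [], i + 2
        while s[i] != ")":
            node, i = parse(s, i)
            items.append(node)
        return ("and", items), i + 1
    j = s.index(")", i)
    m = re.fullmatch(r"([\w-]+)(?::([\d.]+):)?=(.*)", s[i + 1:j])
    return ("cmp", m.group(1).lower(), m.group(2), m.group(3)), j + 1

def matches(node, entry):
    if node[0] == "and":
        return all(matches(n, entry) for n in node[1])
    _, attr, rule, val = node
    actual = entry.get(attr)            # entry keys are stored lower-case
    if actual is None:                  # attribute absent: no match, even for =*
        return False
    if rule == BITAND_RULE:             # LDAP_MATCHING_RULE_BIT_AND
        return (int(actual) & int(val)) == int(val)
    if val == "*":
        return True
    if val.startswith("*"):             # trailing-substring form, e.g. *Admins
        return str(actual).lower().endswith(val[1:].lower())
    return str(actual).lower() == val.lower()

def search(filter_str, entries):
    """Return the samAccountName of every entry matching the LDAP filter."""
    tree, _ = parse(filter_str)
    return [e["samaccountname"] for e in entries if matches(tree, e)]

# Constructed sample export (fictional accounts). objectCategory is kept in
# the short form that AD resolves for you; UAC values are composed from bits.
ENTRIES = [
    {"objectcategory": "user", "samaccountname": "svc_sql",
     "serviceprincipalname": "MSSQLSvc/sql01:1433", "useraccountcontrol": 512 | 65536},
    {"objectcategory": "user", "samaccountname": "legacyapp",
     "useraccountcontrol": 512 | 65536 | DONT_REQ_PREAUTH},
    {"objectcategory": "computer", "samaccountname": "WEB$",
     "useraccountcontrol": 4096 | TRUSTED_FOR_DELEGATION},
    {"objectcategory": "group", "samaccountname": "Domain Admins", "cn": "Domain Admins"},
]
```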
- o365recon
https://github.com/nyxgeek/o365recon/blob/master/o365recon.ps1
Script to retrieve information via O365 and Azure AD with valid credentials.
- ms-exchange-version-nse
To identify the version of a discovered OWA/Exchange server (Nmap NSE script):
https://github.com/righel/ms-exchange-version-nse/tree/main
Add --script-args=showcves to also list known CVEs for the detected version.
- Wadcoms (command checklist)
- Commands for Network Level Recon
To discover other networks:
route print
Discover server’s range. Nslookup on the domain will return DCs:
nslookup DOMAIN
Return all the DCs:
nslookup %USERDOMAIN%
List DCs including RODC and PDC. PDC may be in a more critical subnet:
nltest /dclist:DOMAIN
List currently established connections:
netstat -an (or: netstat -a)
Gather information about the networking interface. You may find a VPN tunnel already established to their sensitive network:
ipconfig /all
To locate printers:
Get-WmiObject -Class Win32_Printer | ft Name,Location
wmic printer get name,location
- Browser Homepage and Bookmark Dump