Other tools

- Remote Server Administration Tools (RSAT) Tools

With GUI (RDP or physical) Access we can use the following RSAT Tools to map the domain:

dsa.msc (Active Directory Users and Computers)
- runas /netonly /user:<DOMAIN>\<user> cmd.exe
- dsa.msc
AD Explorer
dssite.msc (Active Directory Sites and Services)
domain.msc (Active Directory Domains and Trusts)
dsac.exe (Active Directory Administrative Center)
gpmc.msc (Group Policy Management)
dnsmgmt.msc (DNS Manager)
Server Manager

- Seatbelt (https://github.com/GhostPack/Seatbelt)

To collect enumeration data for a host (Notice if there's a web proxy in place):

Seatbelt.exe -group=system

To enumerate the configurations and defences of a target before jumping to it:

execute-assembly C:\Tools\Seatbelt\Seatbelt\bin\Release\Seatbelt.exe OSInfo -ComputerName=web

To enumerate privileges for privesc:

Seatbelt.exe TokenPrivileges

To enumerate a user's vaults (Credential Manager):

run vaultcmd /list

run vaultcmd /listcreds:"Windows Credentials" /all

Get-ChildItem C:\Users\User\AppData\Local\Microsoft\Credentials\ -force

execute-assembly C:\Tools\Seatbelt\Seatbelt\bin\Release\Seatbelt.exe WindowsVault

execute-assembly C:\Tools\Seatbelt\Seatbelt\bin\Release\Seatbelt.exe WindowsCredentialFiles

To enumerate certificates on a machine:

execute-assembly C:\Tools\Seatbelt\Seatbelt\bin\Release\Seatbelt.exe Certificates

- ADSearch (https://github.com/tomcarver16/ADSearch)

ADSearch allow us to specify custom Lightweight Directory Access Protocol (LDAP) searches. These can be used to identify entries in the directory that match a given criteria.

--json parameter can be used to format the output in JSON.

To search for all objects whose category is "user" (i.e. domain users):

execute-assembly C:\Tools\ADSearch\ADSearch\bin\Release\ADSearch.exe --search "objectCategory=user"

To search for groups which end in the word "admins".

execute-assembly C:\Tools\ADSearch\ADSearch\bin\Release\ADSearch.exe --search "(&(objectCategory=group)(cn=*Admins))"

To find users who have an SPN set (Kerberoasting):

execute-assembly C:\Tools\ADSearch\ADSearch\bin\Release\ADSearch.exe --search "(&(objectCategory=user)(servicePrincipalName=*))" --attributes cn,servicePrincipalName,samAccountName

To find users who does not have Kerberos pre-authentication enabled (ASREP Roasting):

execute-assembly C:\Tools\ADSearch\ADSearch\bin\Release\ADSearch.exe --search "(&(objectCategory=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))" --attributes cn,distinguishedname,samaccountname

To identify all computers that are permitted for unconstrained delegation:

execute-assembly C:\Tools\ADSearch\ADSearch\bin\Release\ADSearch.exe --search "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=524288))" --attributes samaccountname,dnshostname

To identify all computers and users configured for constrained delegation:

execute-assembly C:\Tools\ADSearch\ADSearch\bin\Release\ADSearch.exe --search "(&(objectCategory=computer)(msds-allowedtodelegateto=*))" --attributes dnshostname,samaccountname,msds-allowedtodelegateto --json

To see trust attributes beteween our current domain and a target domain:

execute-assembly C:\Tools\ADSearch\ADSearch\bin\Release\ADSearch.exe --search "(objectCategory=trustedDomain)" --domain {target domain} --attributes distinguishedName,name,flatName,trustDirection