Other tools / Commands

- Remote Server Administration Tools (RSAT) Tools

With GUI (RDP or physical) access we can use the following RSAT tools to map the domain:

  • dsa.msc (Active Directory Users and Computers)

    • runas /netonly /user:<DOMAIN>\<user> cmd.exe

    • dsa.msc

  • AD Explorer (Sysinternals, not part of RSAT, but fills the same role)

  • dssite.msc (Active Directory Sites and Services)

  • domain.msc (Active Directory Domains and Trusts)

  • dsac.exe (Active Directory Administrative Center)

  • gpmc.msc (Group Policy Management)

  • dnsmgmt.msc (DNS Manager)

  • Server Manager

To collect enumeration data for a host with Seatbelt's "system" group of checks (note whether a web proxy is in place, since that affects how traffic leaves the host):

Seatbelt.exe -group=system

To enumerate the configuration and defences of a target before moving laterally to it (the check is run remotely via -ComputerName):

execute-assembly C:\Tools\Seatbelt\Seatbelt\bin\Release\Seatbelt.exe OSInfo -ComputerName=web

To enumerate privileges for privesc:

Seatbelt.exe TokenPrivileges

To enumerate a user's vaults (Credential Manager):

run vaultcmd /list

run vaultcmd /listcreds:"Windows Credentials" /all

Get-ChildItem C:\Users\User\AppData\Local\Microsoft\Credentials\ -force

execute-assembly C:\Tools\Seatbelt\Seatbelt\bin\Release\Seatbelt.exe WindowsVault

execute-assembly C:\Tools\Seatbelt\Seatbelt\bin\Release\Seatbelt.exe WindowsCredentialFiles

To enumerate certificates on a machine:

execute-assembly C:\Tools\Seatbelt\Seatbelt\bin\Release\Seatbelt.exe Certificates

ADSearch allows us to specify custom Lightweight Directory Access Protocol (LDAP) searches. These can be used to identify entries in the directory that match given criteria.

The --json parameter can be used to format the output as JSON.

To search for all objects whose category is "user" (i.e. domain users):

execute-assembly C:\Tools\ADSearch\ADSearch\bin\Release\ADSearch.exe --search "objectCategory=user"

To search for groups whose name ends in the word "Admins" (LDAP matching on cn is case-insensitive):

execute-assembly C:\Tools\ADSearch\ADSearch\bin\Release\ADSearch.exe --search "(&(objectCategory=group)(cn=*Admins))"

To find users who have an SPN set (Kerberoasting):

execute-assembly C:\Tools\ADSearch\ADSearch\bin\Release\ADSearch.exe --search "(&(objectCategory=user)(servicePrincipalName=*))" --attributes cn,servicePrincipalName,samAccountName

To find users who do not have Kerberos pre-authentication enabled (AS-REP Roasting); 4194304 is the DONT_REQ_PREAUTH bit of userAccountControl:

execute-assembly C:\Tools\ADSearch\ADSearch\bin\Release\ADSearch.exe --search "(&(objectCategory=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))" --attributes cn,distinguishedname,samaccountname

To identify all computers that are permitted for unconstrained delegation (524288 is the TRUSTED_FOR_DELEGATION bit):

execute-assembly C:\Tools\ADSearch\ADSearch\bin\Release\ADSearch.exe --search "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=524288))" --attributes samaccountname,dnshostname

To identify computers configured for constrained delegation. The same attribute (msDS-AllowedToDelegateTo) is set on user accounts too, so repeat the query with objectCategory=user to cover those:

execute-assembly C:\Tools\ADSearch\ADSearch\bin\Release\ADSearch.exe --search "(&(objectCategory=computer)(msds-allowedtodelegateto=*))" --attributes dnshostname,samaccountname,msds-allowedtodelegateto --json

To see trust attributes between our current domain and a target domain:

execute-assembly C:\Tools\ADSearch\ADSearch\bin\Release\ADSearch.exe --search "(objectCategory=trustedDomain)" --domain {target domain} --attributes distinguishedName,name,flatName,trustDirection
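The same LDAP filters can be run without dropping ADSearch on the host, using the .NET DirectorySearcher that ships with Windows. This is an added example, not code from the page or from ADSearch; it assumes a domain-joined context whose token can bind to LDAP, and the helper name Invoke-LdapSearch is ours. The last query goes one step beyond the ADSearch command above by covering constrained delegation on both computers and users in a single filter.

```powershell
# Added example (not from the original page or ADSearch): run LDAP filters
# with System.DirectoryServices, which is present on every Windows host.
# Assumes a domain-joined session; Invoke-LdapSearch is a hypothetical helper name.
function Invoke-LdapSearch {
    param(
        [Parameter(Mandatory)][string]$Filter,
        [string[]]$Attributes = @('samAccountName', 'distinguishedName'),
        [string]$SearchBase    # e.g. 'LDAP://DC=corp,DC=local'; default is the current domain
    )
    $root = if ($SearchBase) { [ADSI]$SearchBase } else { [ADSI]'' }
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $Filter)
    $searcher.PageSize = 1000            # without paging a large domain silently stops at 1000 results
    $searcher.PropertiesToLoad.AddRange($Attributes)
    foreach ($result in $searcher.FindAll()) {
        $obj = [ordered]@{}
        foreach ($attr in $Attributes) {
            # result property keys are lowercase; multi-valued attributes
            # (servicePrincipalName, msDS-AllowedToDelegateTo) come back as collections
            $obj[$attr] = ($result.Properties[$attr.ToLower()] | ForEach-Object { $_ }) -join '; '
        }
        [PSCustomObject]$obj
    }
}

# Kerberoastable users (SPN set)
Invoke-LdapSearch -Filter '(&(objectCategory=user)(servicePrincipalName=*))' -Attributes samAccountName, servicePrincipalName

# AS-REP roastable users (DONT_REQ_PREAUTH = 0x400000 = 4194304)
Invoke-LdapSearch -Filter '(&(objectCategory=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))'

# Constrained delegation on computers AND users in one query
Invoke-LdapSearch -Filter '(&(|(objectCategory=computer)(objectCategory=person))(msDS-AllowedToDelegateTo=*))' -Attributes samAccountName, msDS-AllowedToDelegateTo
```

Pass -SearchBase pointing at another domain's DC (LDAP://dc01.child.corp.local/DC=child,DC=corp,DC=local) to query across a trust the way the --domain option does.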

- Wadcoms (command checklist)

https://wadcoms.github.io/#

- Active Network Connections and Port Monitoring

List current connections and listening ports:

netstat -an

or

netstat -a

- Network interface and routing table

To gather information about the networking interface (we may find a VPN tunnel already established to a sensitive network):

ipconfig /all

netsh interface ip show addresses

To discover other networks by printing the routing table:

route print

- ARP Cache

To list ARP Cache and potentially discover new hosts:

arp -a

- DNS Enumeration

To query the current DNS Domain:

echo %userdnsdomain%

Write-Output $env:userdnsdomain

Discover the DC address range. An A-record lookup on the DNS domain name returns the DCs, because every DC registers an A record for the bare domain name:

nslookup DOMAIN

The same query using the environment variable that holds the DNS domain name (%USERDOMAIN% is the NetBIOS name and does not resolve reliably, so use %USERDNSDOMAIN%):

nslookup %USERDNSDOMAIN%

To query all hosts within a subnet, first get the local IP addresses using ipconfig or netsh:

ipconfig /all

netsh interface ip show addresses

Then, perform a reverse lookup for each address in the range 1 to 255:

1..255 | ForEach-Object { nslookup "192.168.4.$_" }
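The nslookup loop prints a lot of text for every miss. The following added example (not from the original page) does the same reverse sweep with Resolve-DnsName, returns only the addresses that have a PTR record as objects, and keeps the queries on DNS so nothing falls back to LLMNR or NetBIOS broadcasts, which are noisy on the wire and easy to detect. The network prefix and the optional DNS server are assumptions; take them from ipconfig /all.

```powershell
# Added example (not from the original page): reverse-resolve a /24 and keep
# only hosts that have a PTR record. Prefix and server are assumed inputs.
function Get-PtrSweep {
    param(
        [Parameter(Mandatory)][string]$NetworkPrefix,   # e.g. '192.168.4'
        [string]$Server                                 # DNS server to ask, e.g. a DC; default = resolver config
    )
    1..254 | ForEach-Object {
        $ip = "$NetworkPrefix.$_"
        $params = @{ Name = $ip; Type = 'PTR'; DnsOnly = $true; ErrorAction = 'Stop' }
        if ($Server) { $params.Server = $Server }
        try {
            # -DnsOnly: no LLMNR/NetBIOS fallback, so a miss produces no broadcast traffic
            Resolve-DnsName @params |
                Where-Object { $_.Type -eq 'PTR' } |
                ForEach-Object { [PSCustomObject]@{ IPAddress = $ip; HostName = $_.NameHost } }
        } catch {
            # NXDOMAIN or timeout: no PTR for this address, skip it
        }
    }
}

Get-PtrSweep -NetworkPrefix '192.168.4' | Tee-Object -FilePath ptr-sweep.txt
```

Resolve-DnsName requires the DnsClient module (Windows 8 / Server 2012 and later); on older hosts fall back to the nslookup loop above.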

- Computer Enumeration via net

net group "Domain Computers" /domain | Tee-Object domain-computers.txt

Then, in bash:

iconv -f UTF-16LE -t UTF-8 domain-computers.txt > domain-computers_utf8.txt

tr -s ' \t\r\n' '\n' < domain-computers_utf8.txt | grep '\$$' | sort | uniq > domain-computers-ordered.txt

The grep keeps only tokens ending in "$", i.e. computer accounts, and drops the header and footer words net group prints ("Group", "Members", "completed", ...). Then strip the trailing "$":

sed 's/\$$//' domain-computers-ordered.txt > domain-computers-ordered-no-dollar.txt
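The round trip through bash exists only because Tee-Object writes UTF-16 and net group pads names into three columns. As an added example (not code from the original page), the whole clean-up can be done in PowerShell on the host, producing the same domain-computers-ordered-no-dollar.txt the resolution commands below read. The sample output is constructed to show the format; in practice pipe the live command in.

```powershell
# Added example (not from the original page): turn net group output into a
# clean, de-duplicated list of computer names without the iconv/tr/sed steps.
function ConvertFrom-NetGroupComputers {
    param([Parameter(Mandatory, ValueFromPipeline)][string[]]$Lines)
    begin { $names = New-Object 'System.Collections.Generic.HashSet[string]' }
    process {
        foreach ($line in $Lines) {
            # names are padded into columns, so split on any whitespace and
            # keep only tokens that end in '$' (computer accounts); this also
            # drops the "Group name", "Members" and "completed successfully" lines
            foreach ($token in ($line -split '\s+')) {
                if ($token -match '^(?<name>[^\s$]+)\$$') { [void]$names.Add($Matches.name) }
            }
        }
    }
    end { $names | Sort-Object }
}

# constructed sample of what "net group "Domain Computers" /domain" prints
$sample = @'
Group name     Domain Computers
Comment        All workstations and servers joined to the domain

Members

-------------------------------------------------------------------------------
FILE01$                  SQL01$                   WEB01$
WKS-0042$
The command completed successfully.
'@ -split "`r?`n"

$sample | ConvertFrom-NetGroupComputers |
    Set-Content -Encoding ASCII domain-computers-ordered-no-dollar.txt

# live version:
# net group "Domain Computers" /domain | ConvertFrom-NetGroupComputers |
#     Set-Content -Encoding ASCII domain-computers-ordered-no-dollar.txt
```

Set-Content -Encoding ASCII avoids the UTF-16 file that Tee-Object produces, so the list is also directly usable from a Linux attacker box.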

Then, to get their IPs:

Get-Content .\domain-computers-ordered-no-dollar.txt | ForEach-Object { [PSCustomObject]@{ ComputerName = $_; IPAddress = ([System.Net.Dns]::GetHostAddresses($_) | Where-Object { $_.AddressFamily -eq "InterNetwork" }).IPAddressToString } } | Tee-Object computers-ips.txt

or

Get-Content .\domain-computers-ordered-no-dollar.txt | ForEach-Object { $ip="Timeout"; try { $ip = ([System.Net.Dns]::GetHostAddresses($_) | Where-Object { $_.AddressFamily -eq "InterNetwork" } | Select-Object -First 1).IPAddressToString } catch { $ip = "Unresponsive" } ; [PSCustomObject]@{ComputerName=$_; IPAddress=$ip} } | Tee-Object computers-ips.txt

or

Get-Content .\domain-computers-ordered-no-dollar.txt | ForEach-Object { $ip="Timeout"; try { $ip = ([System.Net.Dns]::GetHostAddresses($_) | Where-Object { $_.AddressFamily -eq "InterNetwork" } | Select-Object -First 1).IPAddressToString } catch { $ip = "Unresponsive" } ; [PSCustomObject]@{ComputerName=$_; IPAddress=$ip} } | Export-Csv -Path computers-ips.csv -NoTypeInformation

or

./GetIPs.ps1:

# Load the list of computer names
$computerList = Get-Content .\domain-computers-ordered-no-dollar.txt
$totalComputers = $computerList.Count
$currentCount = 0
$timeoutSeconds = 5

# Process each computer and track progress
$computerList | ForEach-Object {
    $ComputerName = $_
    $currentCount++

    # Display progress
    Write-Progress -Activity "Resolving IP Addresses" `
                   -Status "Processing $ComputerName" `
                   -PercentComplete (($currentCount / $totalComputers) * 100)

    # Resolve in a background job so one hung lookup cannot stall the whole run
    $job = Start-Job -ScriptBlock {
        param($CompName)
        try {
            $IPs = [System.Net.Dns]::GetHostAddresses($CompName) |
                   Where-Object { $_.AddressFamily -eq "InterNetwork" } |
                   ForEach-Object { $_.IPAddressToString }
            if (-not $IPs) { throw "No IPv4 address found" }
            # join multi-homed hosts into one string; an array would be exported as System.Object[]
            return ($IPs -join ",")
        } catch {
            return $null
        }
    } -ArgumentList $ComputerName

    Wait-Job -Job $job -Timeout $timeoutSeconds | Out-Null
    if ($job.State -eq "Running") {
        # still running after the timeout: record it and stop the job,
        # since Remove-Job refuses a running job unless it is stopped or -Force is used
        $ipAddress = "Timeout"
        Stop-Job -Job $job
    } else {
        $ipAddress = Receive-Job -Job $job
        if ($null -eq $ipAddress) { $ipAddress = "Unresponsive" }   # lookup failed (e.g. NXDOMAIN)
    }
    Remove-Job -Job $job -Force

    # Save each result immediately
    [PSCustomObject]@{
        ComputerName = $ComputerName
        IPAddress = $ipAddress
    } | Export-Csv -Path .\computers-ips.csv -Append -NoTypeInformation -Force
}

# Optional: Confirm completion
Write-Output "IP resolution completed and saved to computers-ips.csv."

- DC Enumeration via nltest and net

To enumerate all Domain Controllers (DCs) in the domain, including Read-Only Domain Controllers (RODCs) and the Primary Domain Controller (PDC) emulator, which may sit in more tightly controlled subnets, use nltest. /dclist asks the Netlogon service over RPC for the full DC list; /dsgetdc runs the DC locator and returns only the single DC it selects, together with its site and role flags (PDC, GC, etc.):

nltest.exe /dclist:<EXAMPLE.DOMAIN.COM>

nltest.exe /dsgetdc:<domain>

To query the Active Directory "Domain Controllers" group and list all domain controllers within the domain, use the following command:

net group /domain "Domain Controllers"

- DC Enumeration via nslookup

To enumerate the DCs via nslookup, using the SRV records every DC registers (the Kerberos UDP record lives directly under the domain name, not under dc._msdcs):

nslookup -type=SRV _ldap._tcp.dc._msdcs.<domain>

nslookup -type=SRV _kerberos._tcp.dc._msdcs.<domain>

nslookup -type=SRV _kerberos._udp.<domain>
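The SRV records also carry role information (PDC emulator, global catalog) that a flat nslookup list hides. The following added example (not from the original page) queries the DC locator records in one go, reduces them to a unique DC list with the roles each one advertises, and resolves each to an IPv4 address. The domain name defaults to the environment variable; the optional DNS server is an assumption.

```powershell
# Added example (not from the original page): collect DC locator SRV records
# into one table of DC -> IP -> roles. Resolve-DnsName needs the DnsClient module.
function Get-DcFromSrv {
    param(
        [string]$Domain = $env:USERDNSDOMAIN,
        [string]$Server                     # optional DNS server to query directly
    )
    # record -> role label; the gc record only exists under the forest-root domain name
    $records = [ordered]@{
        "_ldap._tcp.dc._msdcs.$Domain"     = 'DC'
        "_ldap._tcp.pdc._msdcs.$Domain"    = 'PDC'
        "_ldap._tcp.gc._msdcs.$Domain"     = 'GC'
        "_kerberos._tcp.dc._msdcs.$Domain" = 'KDC'
        "_kpasswd._tcp.$Domain"            = 'KPASSWD'
    }
    $found = @{}
    foreach ($rec in $records.Keys) {
        $p = @{ Name = $rec; Type = 'SRV'; DnsOnly = $true; ErrorAction = 'SilentlyContinue' }
        if ($Server) { $p.Server = $Server }
        Resolve-DnsName @p | Where-Object { $_.Type -eq 'SRV' } | ForEach-Object {
            $dc = $_.NameTarget.TrimEnd('.')
            if (-not $found.ContainsKey($dc)) { $found[$dc] = New-Object System.Collections.ArrayList }
            if ($found[$dc] -notcontains $records[$rec]) { [void]$found[$dc].Add($records[$rec]) }
        }
    }
    foreach ($dc in ($found.Keys | Sort-Object)) {
        $ip = try {
            ([System.Net.Dns]::GetHostAddresses($dc) |
                Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
                Select-Object -First 1).IPAddressToString
        } catch { 'unresolved' }
        [PSCustomObject]@{ DomainController = $dc; IPAddress = $ip; Roles = ($found[$dc] -join ',') }
    }
}

Get-DcFromSrv | Format-Table -AutoSize
```

A DC that shows PDC is the one to prioritise for password-change and lockout telemetry; GC entries are the DCs that answer forest-wide queries on 3268/3269.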

- Printer Enumeration

To locate printers:

Get-WmiObject -Class Win32_Printer | ft Name,Location

wmic printer get name,location

- Browser Homepage and Bookmark Dump

https://github.com/MrUn1k0d3r/RedTeamPowershellScripts/blob/master/scripts/GetBrowserHomepage.ps1

https://github.com/MrUn1k0d3r/RedTeamPowershellScripts/blob/master/scripts/GetIEBookmarks.ps1
