Other tools / Commands
With GUI (RDP or physical) Access we can use the following RSAT Tools to map the domain:
dsa.msc (Active Directory Users and Computers)
runas /netonly /user:<DOMAIN>\<user> cmd.exe
dsa.msc
AD Explorer
dssite.msc (Active Directory Sites and Services)
domain.msc (Active Directory Domains and Trusts)
dsac.exe (Active Directory Administrative Center)
gpmc.msc (Group Policy Management)
dnsmgmt.msc (DNS Manager)
Server Manager
To collect enumeration data for a host (note whether a web proxy is in place):
Seatbelt.exe -group=system
To enumerate the configuration and defences of a target before moving laterally to it:
execute-assembly C:\Tools\Seatbelt\Seatbelt\bin\Release\Seatbelt.exe OSInfo -ComputerName=web
To enumerate privileges for privesc:
Seatbelt.exe TokenPrivileges
To enumerate a user's vaults (Credential Manager):
run vaultcmd /list
run vaultcmd /listcreds:"Windows Credentials" /all
Get-ChildItem C:\Users\User\AppData\Local\Microsoft\Credentials\ -force
execute-assembly C:\Tools\Seatbelt\Seatbelt\bin\Release\Seatbelt.exe WindowsVault
execute-assembly C:\Tools\Seatbelt\Seatbelt\bin\Release\Seatbelt.exe WindowsCredentialFiles
To enumerate certificates on a machine:
execute-assembly C:\Tools\Seatbelt\Seatbelt\bin\Release\Seatbelt.exe Certificates
ADSearch allows us to specify custom Lightweight Directory Access Protocol (LDAP) searches. These can be used to identify entries in the directory that match given criteria. The --json parameter can be used to format the output in JSON.
To search for all objects whose category is "user" (i.e. domain users):
execute-assembly C:\Tools\ADSearch\ADSearch\bin\Release\ADSearch.exe --search "objectCategory=user"
To search for groups whose name ends in the word "admins":
execute-assembly C:\Tools\ADSearch\ADSearch\bin\Release\ADSearch.exe --search "(&(objectCategory=group)(cn=*Admins))"
To find users who have an SPN set (Kerberoasting):
execute-assembly C:\Tools\ADSearch\ADSearch\bin\Release\ADSearch.exe --search "(&(objectCategory=user)(servicePrincipalName=*))" --attributes cn,servicePrincipalName,samAccountName
To find users who do not have Kerberos pre-authentication enabled (ASREP Roasting):
execute-assembly C:\Tools\ADSearch\ADSearch\bin\Release\ADSearch.exe --search "(&(objectCategory=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))" --attributes cn,distinguishedname,samaccountname
To identify all computers that are permitted for unconstrained delegation:
execute-assembly C:\Tools\ADSearch\ADSearch\bin\Release\ADSearch.exe --search "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=524288))" --attributes samaccountname,dnshostname
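The two filters above use the LDAP_MATCHING_RULE_BIT_AND rule (1.2.840.113556.1.4.803) against the userAccountControl bitmask. The following is an added example (not part of the original page or of ADSearch) that decodes such bitmasks, rebuilds the same filters for any flag, and audits an exported account list for the two risky flags; the account records are constructed sample data.

```python
"""Decode userAccountControl bitmasks and build the bit-AND LDAP filters
used above. Added example; the sample records are constructed, not real."""
from typing import Dict, List

# Subset of userAccountControl flags (values from the Microsoft documentation).
UAC_FLAGS: Dict[int, str] = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",            # 524288: unconstrained delegation
    0x400000: "DONT_REQ_PREAUTH",                 # 4194304: no Kerberos pre-auth (AS-REP roastable)
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",  # constrained delegation with protocol transition
}
BIT_AND = "1.2.840.113556.1.4.803"  # LDAP_MATCHING_RULE_BIT_AND

def decode_uac(uac: int) -> List[str]:
    """Return the names of all known flags set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if uac & bit]

def bit_and_filter(category: str, flag: int) -> str:
    """Build the same filter ADSearch is given above for one flag, e.g.
    (&(objectCategory=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))."""
    return f"(&(objectCategory={category})(userAccountControl:{BIT_AND}:={flag}))"

def risky_accounts(records: List[dict]) -> Dict[str, List[str]]:
    """Audit exported records (sAMAccountName + userAccountControl) and report
    which of the two risky flags each enabled account carries."""
    watch = {0x400000: "DONT_REQ_PREAUTH", 0x80000: "TRUSTED_FOR_DELEGATION"}
    findings: Dict[str, List[str]] = {}
    for rec in records:
        uac = rec["userAccountControl"]
        if uac & 0x0002:  # disabled accounts are lower priority; skip them
            continue
        hits = [name for bit, name in watch.items() if uac & bit]
        if hits:
            findings[rec["sAMAccountName"]] = hits
    return findings

# Constructed sample export (not real directory data).
SAMPLE = [
    {"sAMAccountName": "svc_backup", "userAccountControl": 0x410200},  # normal, pwd never expires, no pre-auth
    {"sAMAccountName": "DC01$", "userAccountControl": 0x82000},        # server trust + unconstrained (expected on a DC)
    {"sAMAccountName": "WEB01$", "userAccountControl": 0x81000},       # workstation trust + unconstrained: review
    {"sAMAccountName": "old_user", "userAccountControl": 0x400202},    # disabled, no pre-auth: skipped
    {"sAMAccountName": "jdoe", "userAccountControl": 0x10200},
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(rec["sAMAccountName"], decode_uac(rec["userAccountControl"]))
    print(risky_accounts(SAMPLE))
```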
To identify all computers and users configured for constrained delegation:
execute-assembly C:\Tools\ADSearch\ADSearch\bin\Release\ADSearch.exe --search "(&(objectCategory=computer)(msds-allowedtodelegateto=*))" --attributes dnshostname,samaccountname,msds-allowedtodelegateto --json
To see trust attributes between our current domain and a target domain:
execute-assembly C:\Tools\ADSearch\ADSearch\bin\Release\ADSearch.exe --search "(objectCategory=trustedDomain)" --domain {target domain} --attributes distinguishedName,name,flatName,trustDirection
To list currently established connections:
netstat -an
netstat -a
To gather information about the networking interface (we may find a VPN tunnel already established to a sensitive network):
ipconfig /all
netsh interface ip show addresses
To discover other networks by printing the routing table:
route print
To list ARP Cache and potentially discover new hosts:
arp -a
To query the current DNS Domain:
echo %userdnsdomain%
Write-Output $env:userdnsdomain
To discover the servers' range (nslookup on the domain name returns the DCs):
nslookup DOMAIN
To return all the DCs:
nslookup %USERDOMAIN%
To query all hosts within a subnet, first get all IP addresses using ipconfig or netsh:
ipconfig /all
netsh interface ip show addresses
Then, perform nslookup for the range 1 to 255:
1..255 | ForEach-Object { nslookup "192.168.4.$_" }
To list the members of the "Domain Computers" group and save them to a file (PowerShell):
net group "Domain Computers" /domain | Tee-Object domain-computers.txt
Then, in bash:
iconv -f UTF-16LE -t UTF-8 domain-computers.txt > domain-computers_utf8.txt
tr -s ' \t\r\n' '\n' < domain-computers_utf8.txt | grep -v '^\s*$' | sort | uniq > domain-computers-ordered.txt
sed 's/\$$//' domain-computers-ordered.txt > domain-computers-ordered-no-dollar.txt
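The iconv/tr/sed pipeline above turns the whole file into one token per line, so header words such as "Group", "Comment" and "Members" also end up in the host list. The following is an added example (not part of the original page) that does the same clean-up in Python but keeps only the member block; the net.exe output it parses is a constructed sample.

```python
"""Parse the saved output of `net group "Domain Computers" /domain` into a
clean, sorted host list. Added example, not from the original page; the
sample output below is constructed."""
import re
from typing import List

END_MARKER = "The command completed successfully."

def decode_net_output(raw: bytes) -> str:
    """Tee-Object in Windows PowerShell writes UTF-16LE with a BOM (hence the
    iconv step above); fall back to UTF-8 when the BOM is absent."""
    if raw.startswith(b"\xff\xfe"):
        return raw.decode("utf-16")  # the utf-16 codec consumes the BOM
    return raw.decode("utf-8")

def parse_domain_computers(text: str) -> List[str]:
    """Keep only the member block (between the dashed rule and the end marker),
    split the fixed-width columns, strip the trailing '$' of machine accounts,
    and return unique names sorted for diffing against a host inventory."""
    lines = text.splitlines()
    rule = [i for i, line in enumerate(lines) if re.fullmatch(r"-{10,}", line.strip())]
    if not rule:
        raise ValueError("member section not found; is this net group output?")
    names = set()
    for line in lines[rule[0] + 1:]:
        if line.startswith(END_MARKER):
            break
        for token in line.split():
            names.add(token.rstrip("$"))
    return sorted(names, key=str.lower)

# Constructed sample shaped like net.exe output (header, dashed rule, 3 columns).
SAMPLE_TEXT = "\n".join([
    "Group name     Domain Computers",
    "Comment        All workstations and servers joined to the domain",
    "",
    "Members",
    "",
    "-" * 79,
    "DC01$                    FILE01$                  WEB01$",
    "WS001$                   WS002$",
    END_MARKER,
    "",
])
SAMPLE_BYTES = b"\xff\xfe" + SAMPLE_TEXT.encode("utf-16-le")  # what Tee-Object writes

if __name__ == "__main__":
    for host in parse_domain_computers(decode_net_output(SAMPLE_BYTES)):
        print(host)
```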
Then, to get their IPs:
Get-Content .\domain-computers-ordered-no-dollar.txt | ForEach-Object { [PSCustomObject]@{ ComputerName = $_; IPAddress = ([System.Net.Dns]::GetHostAddresses($_) | Where-Object { $_.AddressFamily -eq "InterNetwork" }).IPAddressToString } } | Tee-Object computers-ips.txt
or
Get-Content .\domain-computers-ordered-no-dollar.txt | ForEach-Object { $ip="Timeout"; try { $ip = ([System.Net.Dns]::GetHostAddresses($_) | Where-Object { $_.AddressFamily -eq "InterNetwork" } | Select-Object -First 1).IPAddressToString } catch { $ip = "Unresponsive" } ; [PSCustomObject]@{ComputerName=$_; IPAddress=$ip} } | Tee-Object computers-ips.txt
or
Get-Content .\domain-computers-ordered-no-dollar.txt | ForEach-Object { $ip="Timeout"; try { $ip = ([System.Net.Dns]::GetHostAddresses($_) | Where-Object { $_.AddressFamily -eq "InterNetwork" } | Select-Object -First 1).IPAddressToString } catch { $ip = "Unresponsive" } ; [PSCustomObject]@{ComputerName=$_; IPAddress=$ip} } | Export-Csv -Path computers-ips.csv -NoTypeInformation
or
./GetIPs.ps1:
To enumerate all Domain Controllers (DCs) within the domain, including Read-Only Domain Controllers (RODC) and the Primary Domain Controller (PDC), which may reside in more critical subnets, use the following command. This query is performed through RPC (Remote Procedure Call) via the NetLogon service:
nltest.exe /dclist:<EXAMPLE.DOMAIN.COM>
nltest.exe /dsgetdc:<domain>
To query the Active Directory "Domain Controllers" group and list all domain controllers within the domain, use the following command:
net group /domain "Domain Controllers"
To enumerate the DCs via nslookup:
nslookup -type=SRV _ldap._tcp.dc._msdcs.<domain>
nslookup -type=SRV _kerberos._tcp.dc._msdcs.<domain>
nslookup -type=SRV _kerberos._udp.dc._msdcs.<domain>
To locate printers:
Get-WmiObject -class Win32_printer | ft name,location
wmic printer get name, location