Active Directory PowerView
As discussed in the Active Directory LDAP module, in-depth enumeration is arguably the
most important phase of any security assessment. Attackers are continuing to find new (and
old) techniques and methodologies for abusing and attacking AD. In AD, this phase helps us
to get a "lay of the land" and understand the design of the internal network, including the
number of OUs, users, groups, computers, ACLs, and other AD objects and the hundreds
and thousands of relationships that make up an AD environment. Our job is to untangle
these often very complex relationships by gathering relevant data in various formats and
organizing in a way that helps us uncover the flaws and misconfigurations hiding inside the
network.
The Active Directory LDAP module provided an overview of Active Directory, introduced a
variety of built-in tools that can be extremely useful when performing AD enumeration, and
perhaps the most important, covered LDAP and AD search filters which, when combined
with these built-in tools, provide us with a powerful arsenal to drill down into the intricacies of
AD and discover nuanced, but serious, misconfigurations before the attackers do. While it is
important for us to be able to "live off the land" when performing assessments, it is equally
important to understand the wide variety of third-party open-source tools available to us for
enumerating and attacking AD. Each of the tools that we will cover in this module performs
AD enumeration in slightly different ways. We often need to gather, analyze, and interpret
data from many of them iteratively throughout an assessment. The knowledge of and ability
to use built-in tools and third-party tools effectively is what can set us apart from other
assessors.
https://t.me/offenciveSec
Tool - Description

BloodHound - Used to visually map out AD relationships and help plan attack paths that may otherwise go unnoticed. Uses the SharpHound PowerShell or C# ingestor to gather data to later be imported into the BloodHound JavaScript (Electron) application with a Neo4j database for graphical analysis of the AD environment.

BloodHound.py - A Python-based BloodHound ingestor based on the Impacket toolkit. It supports most BloodHound collection methods and can be run from a non-domain joined attack box. The output can be ingested into BloodHound 3.0 for analysis.

PowerView/SharpView - A PowerShell tool and a .NET port of the same used to gain situational awareness in AD. These tools can be used as replacements for various Windows net* commands and more. PowerView and SharpView can help us gather much of the data that BloodHound does, but it requires more work to make meaningful relationships among all of the data points. These tools are great for checking what additional access we may have with a new set of credentials, targeting specific users or computers, or finding some "quick wins" such as users that can be attacked via Kerberoasting or ASREPRoasting.

CrackMapExec (CME) - CME is an enumeration, attack, and post-exploitation toolkit which can help us greatly in enumeration and performing attacks with the data we gather. CME attempts to "live off the land" and abuse built-in AD features and protocols such as SMB, WMI, WinRM, and more.

PingCastle - Used for auditing the security level of an AD environment based on a risk assessment and maturity framework (based on CMMI adapted to AD security).

PowerUpSQL - This tool is used for SQL Server discovery, configuration auditing, privilege escalation, and post-exploitation.

Snaffler - Useful for finding information (such as credentials) in Active Directory on computers with accessible file shares.

Group3r - Group3r is useful for auditing and finding security misconfigurations in AD Group Policy Objects (GPO).

MailSniper - A tool for searching through email inboxes in a Microsoft Exchange environment for specific keywords/terms that may be used to enumerate sensitive data (such as credentials) which could be used for lateral movement and privilege escalation. It can search a user's individual mailbox or, as a user with Exchange Administrator privileges, enumerate all mailboxes in a domain. It can also be used for password spraying, enumerating domain users/domains, checking mailbox permissions, and gathering the Global Address List (GAL) from Outlook Web Access (OWA) and Exchange Web Services (EWS).

windapsearch - A Python script used to enumerate AD users, groups, and computers using LDAP queries. Useful for automating custom LDAP queries.

ADRecon - A tool used to extract various data from a target AD environment. The data can be output in Microsoft Excel format with summary views and analysis to assist with analysis and paint a picture of the environment's overall security state.

Active Directory Explorer - Active Directory Explorer (AD Explorer) is an AD viewer and editor. It can be used to navigate an AD database and view object properties and attributes. It can also be used to save a snapshot of an AD database for off-line analysis. When an AD snapshot is loaded, it can be explored as a live version of the database. It can also be used to compare two AD database snapshots to see changes in objects, attributes, and security permissions.
This module will focus on the PowerView and SharpView tools to cover various AD
enumeration techniques. As penetration testers, it is important to have a wide range of tools
available to us and understand how they work to troubleshoot if we are not getting expected
results. While we may not use every one of these tools on an engagement, it is important to
understand how they work, complement each other, and can be combined to provide the
deepest possible coverage of the target AD environment, based on the goals of the
assessment. The tools listed above will be covered in other modules.
Next Steps
During this module, we will target a fictional company called INLANEFREIGHT with the
internal domain INLANEFREIGHT.LOCAL . The module sections will build on each other,
culminating in a mock penetration testing skills assessment to showcase our skills before
moving on to the next module in this series. For all exercises, we will assume that the target
company Inlanefreight has hired us to perform an in-depth penetration test with a heavy
focus on AD security, where stealth and bypassing stringent security controls are not a
requirement.
Module Exercises
Throughout this module, you will connect to various target hosts via the Remote Desktop
Protocol (RDP) to complete the exercises. Any necessary credentials will be provided with
each exercise, and the RDP connection can be made via xfreerdp from the Pwnbox as
follows:
Any necessary tools can be found in the c:\tools directory after logging in to the target
host.
SharpView is a .NET port of PowerView, one of many tools contained within the now
deprecated PowerSploit offensive PowerShell toolkit. This Read the Docs page explains the
function naming schema and provides information about the various parameters that can be
passed to each function.
Note: Since writing this module, we noticed that BC-Security has started pushing updates to
PowerView as part of their Empire project. This course still uses the Development
PowerView module out of PowerSploit's GitHub, but by the end of the year, we plan to
migrate this to the version that Empire uses.
In the past, PowerShell was the scripting language of choice for offensive tools, but it has
become more security transparent, with better detection optics available for both consumer
and enterprise-level endpoint protection products. For this reason, offensive security
practitioners have adapted their tradecraft to this improved security monitoring and have
ported much of their tooling to C#, which is currently less security transparent.
While PowerView is no longer officially maintained, it is still an extremely powerful AD
enumeration tool and can be useful when performing engagements where stealth is not a
requirement. It also remains useful for defenders who are looking to gain a better
understanding of their AD environment. We will cover the history and general usage of
PowerView , but this module (and related modules) will focus on SharpView in line with
current .NET tradecraft to be more applicable to real-life, modern engagements. We will
cover general PowerView and SharpView usage in this module because both still have their
uses, depending on the situation.
Both tools can perform enumeration, gain situational awareness, and perform attacks within
a Windows domain. PowerView utilizes PowerShell AD hooks and Win32 API functions and,
among other things, replaces a variety of net commands provided by the built-in Windows
tools. SharpView is a .NET port that provides all of the PowerView functions and arguments
in a .NET assembly. One major difference between PowerView and SharpView is pipelining:
PowerView returns PowerShell objects that can be piped into Select-Object, Where-Object,
and similar cmdlets, whereas SharpView returns strings. Therefore, with SharpView we
cannot specify properties using Select or Select-Object to parse the output or pick out
specific AD objects as easily.
Minimum password length: 7
Length of password history maintained: 24
Lockout threshold: Never
Lockout duration (minutes): 30
Lockout observation window (minutes): 30
Computer role: PRIMARY
The command completed successfully.
Here we can see that a command similar to net accounts can be performed with the
PowerView or SharpView command Get-DomainPolicy .
PS C:\htb> Get-DomainPolicy
Unicode : @{Unicode=yes}
SystemAccess : @{MinimumPasswordAge=1; MaximumPasswordAge=-1;
MinimumPasswordLength=7; PasswordComplexity=0;
PasswordHistorySize=24; LockoutBadCount=0;
RequireLogonToChangePassword=0;
ForceLogoffWhenHourExpire=0; ClearTextPassword=0;
LSAAnonymousNameLookup=0}
KerberosPolicy : @{MaxTicketAge=10; MaxRenewAge=7; MaxServiceAge=600;
MaxClockSkew=5; TicketValidateClient=1}
Version : @{signature="$CHICAGO$"; Revision=1}
RegistryValues : @{MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=System.Object[]}
Path : \\INLANEFREIGHT.LOCAL\sysvol\INLANEFREIGHT.LOCAL\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf
GPOName : {31B2F340-016D-11D2-945F-00C04FB984F9}
GPODisplayName : Default Domain Policy
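The SystemAccess block above is what decides how aggressively we can guess passwords later in the engagement. As an added example (not code from this page or from the PowerView/SharpView projects), the following PowerShell turns that block into a lockout-safe guessing budget and filters candidate passwords against the length and complexity rules. The $SystemAccess object is constructed to mirror the values shown above; in the lab it would be replaced with (Get-DomainPolicy).SystemAccess. ResetLockoutCount and LockoutDuration are the GptTmpl.inf key names, and are absent (as here) when no lockout threshold is configured.

```powershell
# Added example, not from the page or the PowerView project. Constructed to match the
# Get-DomainPolicy output shown above (no lockout, length 7, no complexity).
$SystemAccess = [pscustomobject]@{
    MinimumPasswordAge    = 1
    MaximumPasswordAge    = -1
    MinimumPasswordLength = 7
    PasswordComplexity    = 0
    PasswordHistorySize   = 24
    LockoutBadCount       = 0
}

function Get-SprayBudget {
    # Turns the lockout settings into "how many guesses per account per observation window".
    param([Parameter(Mandatory)]$SystemAccess)

    $threshold = [int]$SystemAccess.LockoutBadCount          # 0 == "Lockout threshold: Never"
    # ResetLockoutCount only exists in GptTmpl.inf when a threshold is set (assumed key name)
    $window = if ($null -ne $SystemAccess.ResetLockoutCount) { [int]$SystemAccess.ResetLockoutCount } else { 0 }

    if ($threshold -eq 0) {
        $perWindow = -1   # not limited by policy; throttle anyway to stay under detection thresholds
    } else {
        # Stay two below the threshold: a user's own typos also count toward badPwdCount.
        $perWindow = [Math]::Max($threshold - 2, 1)
    }
    [pscustomobject]@{
        LockoutThreshold     = $threshold
        ObservationWindowMin = $window
        SafeGuessesPerWindow = $perWindow
    }
}

function Test-PasswordPolicy {
    # Returns only the candidates the domain policy would accept. A guess the policy forbids
    # can never be a real password and only burns lockout budget.
    param(
        [Parameter(Mandatory)]$SystemAccess,
        [Parameter(Mandatory)][string[]]$Candidates
    )
    $minLen  = [int]$SystemAccess.MinimumPasswordLength
    $complex = ([int]$SystemAccess.PasswordComplexity) -eq 1
    foreach ($pw in $Candidates) {
        if ($pw.Length -lt $minLen) { continue }
        if ($complex) {
            # Simplified Windows complexity rule: at least three of upper, lower, digit, symbol
            $classes = @( @(($pw -cmatch '[A-Z]'), ($pw -cmatch '[a-z]'),
                           ($pw -match '\d'), ($pw -match '[^A-Za-z0-9]')) | Where-Object { $_ } )
            if ($classes.Count -lt 3) { continue }
        }
        $pw
    }
}

Get-SprayBudget -SystemAccess $SystemAccess
Test-PasswordPolicy -SystemAccess $SystemAccess -Candidates 'Pass1', 'Welcome1', 'Freight2020!'
```

With the policy shown on this page, Get-SprayBudget reports no lockout threshold, and Test-PasswordPolicy drops only 'Pass1' (shorter than seven characters). A threshold of zero is a finding in itself: it means a spray is limited only by detection, not by policy.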
The functionality of both tools can be grouped into different "buckets". While we will not
cover every single function in this section, we will cover some of the most important ones
under each. Both tools use the same functions and arguments, but the output can differ. This
Read the Docs documentation provides an in-depth description of each function and
command syntax and various examples for how the functions can be used.
Misc Functions
The misc functions offer various useful tools such as converting UAC values, SID
conversion, user impersonation, Kerberoasting, and more. The entire list of functions with
explanations from the tool documentation is as follows:
Export-PowerViewCSV - thread-safe CSV append
Resolve-IPAddress - resolves a hostname to an IP
ConvertTo-SID - converts a given user/group name to a security identifier (SID)
Convert-ADName - converts object names between a variety of formats
ConvertFrom-UACValue - converts a UAC int value to human readable form
Add-RemoteConnection - pseudo "mounts" a connection to a remote path using the specified credential object
Remove-RemoteConnection - destroys a connection created by Add-RemoteConnection
Invoke-UserImpersonation - creates a new "runas /netonly" type logon and impersonates the token
Invoke-RevertToSelf - reverts any token impersonation
Get-DomainSPNTicket - request the kerberos ticket for a specified service principal name (SPN)
Invoke-Kerberoast - requests service tickets for kerberoast-able accounts and returns extracted ticket hashes
Get-PathAcl - get the ACLs for a local/remote file path with optional group recursion
S-1-5-21-2974783224-3764228556-2640795941-1724
And vice-versa:
INLANEFREIGHT\sally.jones
When we query the useraccountcontrol attribute, the value comes back as an integer rather
than in a human-readable form. We can decode it with the ConvertFrom-UACValue function. If
we add the -ShowAll switch, all common UAC values are shown, and the ones that are set for
the user are marked with a + . This table can be saved as a reference on a cheat sheet for
future engagements.
Name Value
---- -----
SCRIPT 1
ACCOUNTDISABLE 2
HOMEDIR_REQUIRED 8
LOCKOUT 16
PASSWD_NOTREQD 32+
PASSWD_CANT_CHANGE 64
ENCRYPTED_TEXT_PWD_ALLOWED 128
TEMP_DUPLICATE_ACCOUNT 256
NORMAL_ACCOUNT 512+
INTERDOMAIN_TRUST_ACCOUNT 2048
WORKSTATION_TRUST_ACCOUNT 4096
SERVER_TRUST_ACCOUNT 8192
DONT_EXPIRE_PASSWORD 65536+
MNS_LOGON_ACCOUNT 131072
SMARTCARD_REQUIRED 262144
TRUSTED_FOR_DELEGATION 524288
NOT_DELEGATED 1048576
USE_DES_KEY_ONLY 2097152
DONT_REQ_PREAUTH 4194304
PASSWORD_EXPIRED 8388608
TRUSTED_TO_AUTH_FOR_DELEGATION 16777216
PARTIAL_SECRETS_ACCOUNT 67108864
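The table above is a bitmask: each flag is a single bit, and the integer on an account is the sum of the bits that are set. As an added example (not code from this page or from the PowerView project), the following PowerShell decodes the raw integer the same way ConvertFrom-UACValue does, builds the LDAP bitwise-AND filter (matching rule 1.2.840.113556.1.4.803) that PowerView switches such as -PreauthNotRequired generate behind the scenes, and triages a few accounts for the "quick wins" mentioned earlier. The sample accounts and their values are constructed, not taken from the lab; 66080 is the value that produces the + marks in the table above.

```powershell
# Added example, not from the page or the PowerView project. Flag values are the
# userAccountControl bits listed in the table above.
$UacFlags = [ordered]@{
    SCRIPT                         = 1
    ACCOUNTDISABLE                 = 2
    HOMEDIR_REQUIRED               = 8
    LOCKOUT                        = 16
    PASSWD_NOTREQD                 = 32
    PASSWD_CANT_CHANGE             = 64
    ENCRYPTED_TEXT_PWD_ALLOWED     = 128
    TEMP_DUPLICATE_ACCOUNT         = 256
    NORMAL_ACCOUNT                 = 512
    INTERDOMAIN_TRUST_ACCOUNT      = 2048
    WORKSTATION_TRUST_ACCOUNT      = 4096
    SERVER_TRUST_ACCOUNT           = 8192
    DONT_EXPIRE_PASSWORD           = 65536
    MNS_LOGON_ACCOUNT              = 131072
    SMARTCARD_REQUIRED             = 262144
    TRUSTED_FOR_DELEGATION         = 524288
    NOT_DELEGATED                  = 1048576
    USE_DES_KEY_ONLY               = 2097152
    DONT_REQ_PREAUTH               = 4194304
    PASSWORD_EXPIRED               = 8388608
    TRUSTED_TO_AUTH_FOR_DELEGATION = 16777216
    PARTIAL_SECRETS_ACCOUNT        = 67108864
}

function ConvertFrom-Uac {
    # Bitwise AND the integer against every flag; emit the names of the bits that are set.
    param([Parameter(Mandatory)][int]$Value)
    $UacFlags.GetEnumerator() | Where-Object { ($Value -band $_.Value) -ne 0 } | ForEach-Object { $_.Key }
}

function New-UacLdapFilter {
    # LDAP_MATCHING_RULE_BIT_AND: matches objects where every bit in the value is set.
    # PowerView's -PreauthNotRequired emits exactly this filter with 4194304.
    param([Parameter(Mandatory)][string]$Flag, [switch]$Not)
    $filter = "(userAccountControl:1.2.840.113556.1.4.803:=$($UacFlags[$Flag]))"
    if ($Not) { "(!$filter)" } else { $filter }
}

# Constructed sample rows in the shape of Get-DomainUser/Get-DomainComputer output.
$Sample = @(
    [pscustomobject]@{ samaccountname = 'harry.jones'; useraccountcontrol = 66080    } # 512+32+65536
    [pscustomobject]@{ samaccountname = 'svc-legacy';  useraccountcontrol = 4260352  } # 512+65536+4194304
    [pscustomobject]@{ samaccountname = 'sql01$';      useraccountcontrol = 16781312 } # 4096+16777216
)

function Find-UacQuickWins {
    # Maps decoded flags to the attacks they enable.
    param([Parameter(Mandatory)][object[]]$Accounts)
    foreach ($a in $Accounts) {
        $flags  = @(ConvertFrom-Uac -Value $a.useraccountcontrol)
        $issues = @()
        if ($flags -contains 'DONT_REQ_PREAUTH')               { $issues += 'ASREPRoast candidate' }
        if ($flags -contains 'PASSWD_NOTREQD')                 { $issues += 'blank password permitted' }
        if ($flags -contains 'TRUSTED_FOR_DELEGATION')         { $issues += 'unconstrained delegation' }
        if ($flags -contains 'TRUSTED_TO_AUTH_FOR_DELEGATION') { $issues += 'constrained delegation with protocol transition' }
        if ($flags -contains 'DONT_EXPIRE_PASSWORD')           { $issues += 'password never expires' }
        [pscustomobject]@{
            Account = $a.samaccountname
            Flags   = ($flags -join ',')
            Issues  = ($issues -join '; ')
        }
    }
}

Find-UacQuickWins -Accounts $Sample | Format-Table -AutoSize
New-UacLdapFilter -Flag DONT_REQ_PREAUTH
New-UacLdapFilter -Flag NOT_DELEGATED -Not
```

Decoding locally rather than in the LDAP query is useful when you already have a raw export (for example from a CSV or another tool's output) and do not want to touch the domain controller again; the filter builder is the reverse direction, for when you want the DC to do the selection in a single query.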
Domain/LDAP Functions
Get-DomainDNSZone - enumerates the Active Directory DNS zones for a given domain
Get-DomainDNSRecord - enumerates the Active Directory DNS records for a given zone
Get-Domain - returns the domain object for the current (or specified) domain
Get-DomainController - return the domain controllers for the current (or specified) domain
Get-Forest - returns the forest object for the current (or specified) forest
Get-ForestDomain - return all domains for the current (or specified) forest
Get-ForestGlobalCatalog - return all global catalogs for the current (or specified) forest
Find-DomainObjectPropertyOutlier - finds user/group/computer objects in AD that have 'outlier' properties set
Get-DomainUser - return all users or specific user objects in AD
New-DomainUser - creates a new domain user (assuming appropriate permissions) and returns the user object
Set-DomainUserPassword - sets the password for a given user identity and returns the user object
Get-DomainUserEvent - enumerates account logon events (ID 4624) and Logon with explicit credential events
Get-DomainComputer - returns all computers or specific computer objects in AD
Get-DomainObject - returns all (or specified) domain objects in AD
Set-DomainObject - modifies a given property for a specified active directory object
Get-DomainObjectAcl - returns the ACLs associated with a specific active directory object
Add-DomainObjectAcl - adds an ACL for a specific active directory object
Find-InterestingDomainAcl - finds object ACLs in the current (or specified) domain with modification rights set to non-built in objects
Get-DomainOU - search for all organization units (OUs) or specific OU objects in AD
Get-DomainSite - search for all sites or specific site objects in AD
Get-DomainSubnet - search for all subnets or specific subnets objects in AD
Get-DomainSID - returns the SID for the current domain or the specified domain
Get-DomainGroup - return all groups or specific group objects in AD
New-DomainGroup - creates a new domain group (assuming appropriate permissions) and returns the group object
Get-DomainManagedSecurityGroup - returns all security groups in the current (or target) domain that have a manager set
Get-DomainGroupMember - return the members of a specific domain group
Add-DomainGroupMember - adds a domain user (or group) to an existing domain group, assuming appropriate permissions to do so
Get-DomainFileServer - returns a list of servers likely functioning as file servers
Get-DomainDFSShare - returns a list of all fault-tolerant distributed file systems for the current (or specified) domain
The LDAP functions provide us with a wealth of useful commands. The Get-Domain
function will provide us with information about the domain, such as the name, any child
domains, a list of domain controllers, domain controller roles, and more.
Forest : INLANEFREIGHT.LOCAL
DomainControllers : {DC01.INLANEFREIGHT.LOCAL}
Children : {LOGISTICS.INLANEFREIGHT.LOCAL}
DomainMode : Unknown
DomainModeLevel : 7
PdcRoleOwner : DC01.INLANEFREIGHT.LOCAL
RidRoleOwner : DC01.INLANEFREIGHT.LOCAL
InfrastructureRoleOwner : DC01.INLANEFREIGHT.LOCAL
Name : INLANEFREIGHT.LOCAL
We can begin to get the lay of the land with the Get-DomainOU function and return the
names of all Organizational Units (OUs), which can help us map out the domain structure.
We can enumerate these names with SharpView .
name : Privileged Access
name : Mail Room
name : Freight
name : Finance
name : Contractors
name : Vendors
name : Microsoft Exchange Security Groups
We can gather information about domain users with the Get-DomainUser function and use
switches such as -PreauthNotRequired to find accounts suited to specific attacks.
<SNIP>
We can also begin gathering information about individual hosts using the Get-DomainComputer
function.
dnshostname                  useraccountcontrol
-----------                  ------------------
DC01.INLANEFREIGHT.LOCAL     SERVER_TRUST_ACCOUNT, TRUSTED_FOR_DELEGATION
EXCHG01.INLANEFREIGHT.LOCAL  WORKSTATION_TRUST_ACCOUNT
SQL01.INLANEFREIGHT.LOCAL    WORKSTATION_TRUST_ACCOUNT, TRUSTED_TO_AUTH_FOR_DELEGATION
WS01.INLANEFREIGHT.LOCAL     WORKSTATION_TRUST_ACCOUNT
DC02.INLANEFREIGHT.LOCAL     ACCOUNTDISABLE, WORKSTATION_TRUST_ACCOUNT
GPO functions
Get-DomainGPO - returns all GPOs or specific GPO objects in AD
Get-DomainGPOLocalGroup - returns all GPOs in a domain that modify local group memberships through 'Restricted Groups' or Group Policy preferences
Get-DomainGPOUserLocalGroupMapping - enumerates the machines where a specific domain user/group is a member of a specific local group, all through GPO correlation
Get-DomainGPOComputerLocalGroupMapping - takes a computer (or GPO) object and determines what users/groups are in the specified local group for the machine through GPO correlation
Get-DomainPolicy - returns the default domain policy or the domain controller policy for the current domain or a specified domain/domain controller
Moving on to GPO functions, we can use Get-DomainGPO to return the names of all Group
Policy Objects (GPOs) in the domain.
displayname
-----------
LAPS
Default Domain Policy
Computer Enumeration Functions
Get-NetLocalGroup - enumerates the local groups on the local (or remote) machine
Get-NetLocalGroupMember - enumerates members of a specific local group on the local (or remote) machine
Get-NetShare - returns open shares on the local (or a remote) machine
Get-NetLoggedon - returns users logged on the local (or a remote) machine
Get-NetSession - returns session information for the local (or a remote) machine
Get-RegLoggedOn - returns who is logged onto the local (or a remote) machine through enumeration of remote registry keys
Get-NetRDPSession - returns remote desktop/session information for the local (or a remote) machine
Test-AdminAccess - tests if the current user has administrative access to the local (or a remote) machine
Get-NetComputerSiteName - returns the AD site where the local (or a remote) machine resides
Get-WMIRegProxy - enumerates the proxy server and WPAD contents for the current user
Get-WMIRegLastLoggedOn - returns the last user who logged onto the local (or a remote) machine
Get-WMIRegCachedRDPConnection - returns information about RDP connections outgoing from the local (or remote) machine
Get-WMIRegMountedDrive - returns information about saved network mounted drives for the local (or remote) machine
Get-WMIProcess - returns a list of processes and their owners on the local or remote machine
Find-InterestingFile - searches for files on the given path that match a series of specified criteria
The computer enumeration functions can gather information about user sessions, test for
local admin access, search for file shares and interesting files, and more. The
Test-AdminAccess function can check if our current user has local admin rights on any
remote hosts.
ComputerName IsAdmin
------------ -------
SQL01 True
We can use the Get-NetShare function to enumerate open shares on a remote computer.
Shares can hold a wealth of information, and the importance of enumerating file shares
should not be overlooked.
Name : ADMIN$
Type : 2147483648
Remark : Remote Admin
ComputerName : DC01
Name : C$
Type : 2147483648
Remark : Default share
ComputerName : DC01
Threaded 'Meta'-Functions
Find-DomainUserLocation - finds domain machines where specific users are logged into
Find-DomainProcess - finds domain machines where specific processes are currently running
Find-DomainUserEvent - finds logon events on the current (or remote domain) for the specified users
Find-DomainShare - finds reachable shares on domain machines
Find-InterestingDomainShareFile - searches for files matching specific criteria on readable shares in the domain
Find-LocalAdminAccess - finds machines on the local domain where the current user has local administrator access
Find-DomainLocalGroupMember - enumerates the members of specified local group on machines in the domain
The 'meta' functions can be used to find where domain users are logged in, look for specific
processes on remote hosts, find domain shares, find files on domain shares, and test where
our current user has local admin rights. We can use the Find-DomainUserLocation
function to find domain machines that users are logged into.
PS C:\htb> Find-DomainUserLocation
UserDomain : INLANEFREIGHT
UserName : Administrator
ComputerName : DC01.INLANEFREIGHT.LOCAL
IPAddress : 172.16.1.3
SessionFrom :
SessionFromName :
LocalAdmin :
UserDomain : INLANEFREIGHT
UserName : harry.jones
ComputerName : SQL01.INLANEFREIGHT.LOCAL
IPAddress : 172.16.1.30
SessionFrom :
SessionFromName :
LocalAdmin :
UserDomain : INLANEFREIGHT
UserName : cliff.moore
ComputerName : WS01.INLANEFREIGHT.LOCAL
IPAddress : 172.16.1.40
SessionFrom :
SessionFromName :
LocalAdmin :
The domain trust functions provide us with the tools we need to enumerate information that
can be used to mount cross-trust attacks. The most basic of these commands,
Get-DomainTrust , will return all domain trusts for our current domain.
PS C:\htb> Get-DomainTrust
SourceName : INLANEFREIGHT.LOCAL
TargetName : LOGISTICS.INLANEFREIGHT.LOCAL
TrustType : WINDOWS_ACTIVE_DIRECTORY
TrustAttributes : WITHIN_FOREST
TrustDirection : Bidirectional
WhenCreated : 7/27/2020 2:06:07 AM
WhenChanged : 7/27/2020 2:06:07 AM
SourceName : INLANEFREIGHT.LOCAL
TargetName : freightlogistics.local
TrustType : WINDOWS_ACTIVE_DIRECTORY
TrustAttributes : FOREST_TRANSITIVE
TrustDirection : Bidirectional
WhenCreated : 7/28/2020 4:46:40 PM
WhenChanged : 7/28/2020 4:46:40 PM
Closing Thoughts
PowerView / SharpView can also be used to perform Kerberoasting and ASREPRoasting
attacks and abuse Kerberos delegation, which will be covered in later modules.
Note: If trying to remain stealthy, keep in mind that Invoke-UserImpersonation creates a new
"runas /netonly" style logon, which generates a logon event on the host. That event could
trigger an alert if the account used is a sensitive one with administrative or equivalent
privileges.
Note: When spawning your target, we ask you to wait for 3-5 minutes until the whole Active
Directory lab spawns and all services start before attempting to connect via RDP.
Enumerating AD Users
When starting enumeration in an AD environment, arguably, the most important objects are
domain users. Users have access to computers and are assigned permissions to perform a
variety of functions throughout the domain. We need to control user accounts to move
laterally and vertically within a network to reach the assessment goal.
PS C:\htb> (Get-DomainUser).count
1038
Next, let's explore the Get-DomainUser function. If we provide the -Help flag to any
SharpView function, we can see all of the parameters that the function accepts.
ReturnOne <Boolean> -Credential <NetworkCredential> -Raw <Boolean> -
UACFilter <UACEnum>
Below are some of the most important properties to gather about domain users. Let's take a
look at the harry.jones user.
It is useful to enumerate these properties for ALL domain users and export them to a CSV
file for offline processing.
Once we have gathered information on all users, we can begin to perform more specific user
enumeration by obtaining a list of users that do not require Kerberos pre-authentication and
can be subjected to an ASREPRoast attack.
Let's also gather information about users with Kerberos constrained delegation.
While we're at it, we can look for users that allow unconstrained delegation.
We can also check for any domain users with sensitive data such as a password stored in
the description field.
samaccountname description
-------------- -----------
Administrator Built-in account for administering the computer/domain
Guest Built-in account for guest access to the computer/domain
DefaultAccount A user account managed by the system.
krbtgt Key Distribution Center Service Account
svc-sccm **Do not change password** 03/04/2015 N3ssu$_svc2014!
Next, let's enumerate any users with Service Principal Names (SPNs) that could be
subjected to a Kerberoasting attack.
samaccountname : adam.jones
ServicePrincipalName : IIS_dev/inlanefreight.local:80
samaccountname : krbtgt
memberof : {CN=Denied RODC Password Replication Group,CN=Users,DC=INLANEFREIGHT,DC=LOCAL}
ServicePrincipalName : kadmin/changepw
samaccountname : sqlqa
memberof : {CN=Domain Admins,CN=Users,DC=INLANEFREIGHT,DC=LOCAL}
ServicePrincipalName : MSSQL_svc_qa/inlanefreight.local:1443
samaccountname : sql-test
ServicePrincipalName : MSSQL_svc_test/inlanefreight.local:1443
samaccountname : sqlprod
memberof : {CN=Protected Users,CN=Users,DC=INLANEFREIGHT,DC=LOCAL}
ServicePrincipalName : MSSQLSvc/sql01:1433
Finally, we can enumerate any users from other (foreign) domains that are members of
groups in our current domain. Here the user harry.jones from the FREIGHTLOGISTICS.LOCAL
domain is in our current domain's Administrators group. Note that this account's password
hash is not in our domain's NTDS database: foreign users appear here only as foreign
security principals, and their secrets live in their home domain. The account is still a
high-value target, because it holds administrative rights in our domain. If it logs on to a
host we control, we may capture its credentials or token and use them to authenticate into
the FREIGHTLOGISTICS.LOCAL domain.
PS C:\htb> Find-ForeignGroup
GroupDomain : INLANEFREIGHT.LOCAL
GroupName : Administrators
GroupDistinguishedName : CN=Administrators,CN=Builtin,DC=INLANEFREIGHT,DC=LOCAL
MemberDomain : INLANEFREIGHT.LOCAL
MemberName : S-1-5-21-888139820-103978830-333442103-1602
MemberDistinguishedName : CN=S-1-5-21-888139820-103978830-333442103-1602,CN=ForeignSecurityPrincipals,DC=INLANEFREIGHT,DC=LOCAL
FREIGHTLOGISTIC\harry.jones
Another useful check is for users with Service Principal Names (SPNs) set in other domains
that we can reach over an inbound or bidirectional trust. Whether we can actually
authenticate across the trust depends on how it is configured: forest-wide authentication
allows all users in the trusted forest to authenticate, while selective authentication
restricts access to explicitly permitted users. Here we can see one account in the
FREIGHTLOGISTICS.LOCAL domain (svc_azure) which could be leveraged to Kerberoast across the
forest trust.
samaccountname : krbtgt
memberof : CN=Denied RODC Password Replication Group,CN=Users,DC=freightlogistics,DC=local
serviceprincipalname : kadmin/changepw
samaccountname : svc_azure
memberof : CN=Account Operators,CN=Builtin,DC=freightlogistics,DC=local
serviceprincipalname : freightlogistics/azureconnect:443
If you see several passwords set at the same time, this indicates they were set by the
Help Desk and may be the same. Because of password lockout policies, you may not be able
to exceed four failed passwords in fifteen minutes. However, if you suspect the same
password was set across 20 accounts, you can spread your guesses across those accounts
instead of burning all of your attempts on one: try a guess along the lines of
"Password2020" against one user and a company-themed guess such as "Freight2020!" against
a different user.
Additionally, if you see the password was set in July of 2019, you can normally exclude
"2020" from your password guessing and probably shouldn't guess variations that wouldn't
make sense, such as "Winter2019".
If you see an old password that was set 2 years ago, chances are this password is weak;
it is also one of the first accounts I would recommend guessing the password for before
launching a large password spray.
In most organizations, administrators have multiple accounts. If you see an administrator
changing their "user account" around the same time as their "Administrator account", they
are highly likely to use the same password for both accounts.
Blue team tip: Whenever you deal with a compromise or complete a penetration test, it is
always a good idea to use the above command to verify that all passwords have been rotated.
You should never have passwords older than a year in your Active Directory.
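The export-to-CSV workflow described earlier and the password-age heuristics just listed are easy to automate once the data is offline. The following PowerShell is an added example, not code from this page or from the PowerView project. The CSV text is constructed sample data in the shape of a Get-DomainUser export (column names are the LDAP attribute names PowerView returns, timestamps assumed to be in ISO format), the adm_ prefix for secondary admin accounts is an assumed naming convention, and the "as of" date is fixed so the results are reproducible.

```powershell
# Added example, not from the page or the PowerView project. Offline triage of a
# Get-DomainUser export, e.g.
#   Get-DomainUser -Properties samaccountname,pwdlastset,lastlogon,description |
#       Export-Csv users.csv -NoTypeInformation
# The rows below are constructed; the svc-sccm description mirrors the finding shown above.
$csv = @'
samaccountname,pwdlastset,lastlogon,description
harry.jones,2020-03-02 09:15:04,2020-08-20 07:55:00,Network Ops
adm_harry.jones,2020-03-02 09:17:41,2020-08-19 18:02:00,Admin account
amber.smith,2020-07-14 13:00:12,2020-08-21 08:10:00,Contractor
cliff.moore,2020-07-14 13:00:12,2020-08-21 08:12:00,Finance
sally.jones,2020-07-14 13:00:12,2020-08-21 08:15:00,Freight
svc-sccm,2015-03-04 10:22:00,2020-08-21 02:00:00,**Do not change password** 03/04/2015 N3ssu$_svc2014!
adam.jones,2018-05-01 11:30:00,2020-08-18 16:40:00,IIS dev
'@
$users = $csv | ConvertFrom-Csv | ForEach-Object {
    $_.pwdlastset = [datetime]::ParseExact($_.pwdlastset, 'yyyy-MM-dd HH:mm:ss', $null); $_
}
$asOf = [datetime]'2020-08-23'   # fixed "today" so the example is reproducible

function Find-BulkResets {
    # Several passwords set within the same minute usually means a help-desk script;
    # the passwords are likely identical, so one good guess may fit them all.
    param([Parameter(Mandatory)][object[]]$Users)
    $Users | Group-Object { $_.pwdlastset.ToString('yyyy-MM-dd HH:mm') } |
        Where-Object Count -ge 2 |
        ForEach-Object { [pscustomobject]@{ SetAt = $_.Name; Accounts = ($_.Group.samaccountname -join ', ') } }
}

function Find-StalePasswords {
    # Anything older than a year is a weak-password candidate and a finding for the report.
    param([Parameter(Mandatory)][object[]]$Users, [datetime]$AsOf, [int]$MaxAgeDays = 365)
    $Users | Where-Object { ($AsOf - $_.pwdlastset).TotalDays -gt $MaxAgeDays } |
        Select-Object samaccountname, pwdlastset, @{ n = 'AgeDays'; e = { [int]($AsOf - $_.pwdlastset).TotalDays } }
}

function Find-PairedAdminResets {
    # An admin who resets adm_<user> and <user> within the same hour often reuses the password.
    param([Parameter(Mandatory)][object[]]$Users, [int]$WindowMinutes = 60)
    foreach ($admin in ($Users | Where-Object samaccountname -like 'adm_*')) {
        $baseName = $admin.samaccountname.Substring(4)
        $base = $Users | Where-Object samaccountname -eq $baseName
        if (-not $base) { continue }
        $apart = [math]::Abs(($admin.pwdlastset - $base.pwdlastset).TotalMinutes)
        if ($apart -le $WindowMinutes) {
            [pscustomobject]@{ Admin = $admin.samaccountname; User = $base.samaccountname; MinutesApart = [int]$apart }
        }
    }
}

function Find-DescriptionSecrets {
    # Crude but effective: password-related words, or a token mixing digits and symbols.
    param([Parameter(Mandatory)][object[]]$Users)
    $Users | Where-Object { $_.description -match '(?i)pass|pwd|\S*\d\S*[!@#$%^&*]\S*' } |
        Select-Object samaccountname, description
}

Find-BulkResets -Users $users
Find-StalePasswords -Users $users -AsOf $asOf
Find-PairedAdminResets -Users $users
Find-DescriptionSecrets -Users $users
```

On the constructed data this flags the three accounts reset at 2020-07-14 13:00 as a bulk reset, svc-sccm and adam.jones as stale, the harry.jones/adm_harry.jones pair as reset minutes apart, and the svc-sccm description. The same four checks are exactly what a defender would run after an incident to confirm that rotations actually happened.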
Next Steps
Now that we have gathered a wealth of information about domain users let's look at group
memberships to map out the domain further.
Enumerating AD Groups
Armed with the domain user information, it is next important to gather AD group information
to see what privileges members of a group may have and even find nested groups or issues
with group membership that could lead to unintended rights.
Domain Groups
A quick check shows that our target domain, INLANEFREIGHT.LOCAL has 72 groups.
name
----
Administrators
Users
Guests
Print Operators
Backup Operators
Replicator
Remote Desktop Users
Network Configuration Operators
Performance Monitor Users
Performance Log Users
Distributed COM Users
IIS_IUSRS
Cryptographic Operators
Event Log Readers
Certificate Service DCOM Access
RDS Remote Access Servers
RDS Endpoint Servers
RDS Management Servers
Hyper-V Administrators
Access Control Assistance Operators
Remote Management Users
System Managed Accounts Group
Storage Replica Administrators
Domain Computers
Domain Controllers
Schema Admins
Enterprise Admins
Cert Publishers
Domain Admins
Domain Users
Domain Guests
Group Policy Creator Owners
RAS and IAS Servers
Server Operators
Account Operators
Pre-Windows 2000 Compatible Access
Incoming Forest Trust Builders
Windows Authorization Access Group
Terminal Server License Servers
Allowed RODC Password Replication Group
Denied RODC Password Replication Group
Read-only Domain Controllers
Enterprise Read-only Domain Controllers
Cloneable Domain Controllers
Protected Users
Key Admins
Enterprise Key Admins
DnsAdmins
DnsUpdateProxy
LAPS Admins
Security Operations
Organization Management
Recipient Management
View-Only Organization Management
Public Folder Management
UM Management
Help Desk
Records Management
Discovery Management
Server Management
Delegated Setup
Hygiene Management
Compliance Management
Security Reader
Security Administrator
Exchange Servers
Exchange Trusted Subsystem
Managed Availability Servers
Exchange Windows Permissions
ExchangeLegacyInterop
Exchange Install Domain Servers
Network Team
The listing above shows the full set of group names. Many of these are built-in, standard
AD groups. The presence of some of these groups shows us that Microsoft Exchange is present
in the environment. An Exchange installation adds several groups to AD, some of which, such
as Exchange Trusted Subsystem and Exchange Windows Permissions , are considered high-value
targets due to the permissions that membership in these groups grants a user or computer.
Other groups such as Protected Users , LAPS Admins , Help Desk , and Security Operations
should be noted down for review.
A quick examination of the Help Desk group shows us that there are two members.
LDAP://DC01.INLANEFREIGHT.LOCAL/DC=INLANEFREIGHT,DC=LOCAL
[Get-DomainObject] Extracted domain 'INLANEFREIGHT.LOCAL' from 'CN=Amber Smith,OU=Contractors,OU=Employees,DC=INLANEFREIGHT,DC=LOCAL'
[Get-DomainSearcher] search base: LDAP://DC01.INLANEFREIGHT.LOCAL/DC=INLANEFREIGHT,DC=LOCAL
[Get-DomainObject] Get-DomainComputer filter string: (&(|(distinguishedname=CN=Amber Smith,OU=Contractors,OU=Employees,DC=INLANEFREIGHT,DC=LOCAL)))
GroupDomain : INLANEFREIGHT,LOCAL
GroupName : Help Desk
GroupDistinguishedName : CN=Help Desk,OU=Microsoft Exchange Security Groups,DC=INLANEFREIGHT,DC=LOCAL
MemberDomain : INLANEFREIGHT.LOCAL
MemberName : harry.jones
MemberDistinguishedName : CN=Harry Jones,OU=Network Ops,OU=IT,OU=Employees,DC=INLANEFREIGHT,DC=LOCAL
MemberObjectClass : user
MemberSID : S-1-5-21-2974783224-3764228556-2640795941-2040

GroupDomain : INLANEFREIGHT,LOCAL
GroupName : Help Desk
GroupDistinguishedName : CN=Help Desk,OU=Microsoft Exchange Security Groups,DC=INLANEFREIGHT,DC=LOCAL
MemberDomain : INLANEFREIGHT.LOCAL
MemberName : amber.smith
MemberDistinguishedName : CN=Amber Smith,OU=Contractors,OU=Employees,DC=INLANEFREIGHT,DC=LOCAL
MemberObjectClass : user
MemberSID : S-1-5-21-2974783224-3764228556-2640795941-1859
Protected Groups
Next, we can look for all AD groups with the AdminCount attribute set to 1, signifying that
this is a protected group.
grouptype : CREATED_BY_SYSTEM, DOMAIN_LOCAL_SCOPE, SECURITY
samaccounttype : ALIAS_OBJECT
objectguid : 4f86f787-7173-4a34-a317-3f69e2263f0d
name : Administrators
distinguishedname : CN=Administrators,CN=Builtin,DC=INLANEFREIGHT,DC=LOCAL
whencreated : 7/26/2020 8:13:52 PM
whenchanged : 8/23/2020 4:28:44 AM
samaccountname : Administrators
member : {CN=S-1-5-21-888139820-103978830-333442103-1602,CN=ForeignSecurityPrincipals,D
REIGHT,DC=LOCAL, CN=Domain Admins,CN=Users,DC=INLANEFREIGHT,DC=LOCAL, CN=Enterprise Admins,CN=Users,DC=INLANEFR
LOCAL, CN=Administrator,CN=Users,DC=INLANEFREIGHT,DC=LOCAL}
cn : {Administrators}
objectclass : {top, group}
objectcategory : CN=Group,CN=Schema,CN=Configuration,DC=INLANEFREIGHT,DC=LOCAL
usnchanged : 124889
description : Administrators have complete and unrestricted access to the computer/domain
instancetype : 4
usncreated : 8200
admincount : 1
iscriticalsystemobject : True
systemflags : -1946157056
dscorepropagationdata : {7/30/2020 3:52:30 AM, 7/30/2020 3:09:16 AM, 7/30/2020 3:09:16 AM, 7/28/2020 1
, 1/1/1601 12:00:00 AM}
objectsid : {S-1-5-32-550}

grouptype : CREATED_BY_SYSTEM, DOMAIN_LOCAL_SCOPE, SECURITY
samaccounttype : ALIAS_OBJECT
objectguid : ae974502-7850-44ab-9518-f909f9526daa
name : Print Operators
distinguishedname : CN=Print Operators,CN=Builtin,DC=INLANEFREIGHT,DC=LOCAL
whencreated : 7/26/2020 8:13:52 PM
whenchanged : 7/30/2020 3:52:30 AM
samaccountname : Print Operators
cn : {Print Operators}
objectclass : {top, group}
iscriticalsystemobject : True
usnchanged : 61476
instancetype : 4
usncreated : 8212
objectcategory : CN=Group,CN=Schema,CN=Configuration,DC=INLANEFREIGHT,DC=LOCAL
admincount : 1
description : Members can administer printers installed on domain controllers
systemflags : -1946157056
dscorepropagationdata : {7/30/2020 3:52:30 AM, 7/30/2020 3:09:16 AM, 7/30/2020 3:09:16 AM, 7/28/2020 1
, 1/1/1601 12:00:00 AM}
<...SNIP...>
Another important check is to look for any managed security groups. These are groups whose managedBy attribute has been set, which delegates to a non-administrator the right to add members to AD security groups and distribution groups. This check looks to see if a group has a manager set and whether that manager can add users to the group. This could be useful for lateral movement by gaining us access to additional resources. First, let's take a look at the list of managed security groups.
GroupName
---------
Security Operations
Organization Management
Recipient Management
View-Only Organization Management
Public Folder Management
UM Management
Help Desk
Records Management
Discovery Management
Server Management
Delegated Setup
Hygiene Management
Compliance Management
Security Reader
Security Administrator
Next, let's look at the Security Operations group and see if the group has a manager set. We can see that the user joe.evans is set as the group manager.
PS C:\htb> Get-DomainManagedSecurityGroup
ManagerName : joe.evans
ManagerDistinguishedName : CN=Joe Evans,OU=Security,OU=IT,OU=Employees,DC=INLANEFREIGHT,DC=LOCAL
ManagerType : User
ManagerCanWrite : UNKNOWN
<...SNIP...>
Enumerating the ACLs set on this group, we can see that this user has GenericWrite privileges, meaning that this user can modify group membership (add or remove users). If we gain control of this user account, we can add this account, or any other account that we control, to the group and inherit any privileges that it has in the domain.
S-1-5-21-2974783224-3764228556-2640795941-1238
PS C:\htb> $sid = ConvertTo-SID joe.evans
PS C:\htb> Get-DomainObjectAcl -Identity 'Security Operations' | ?{ $_.SecurityIdentifier -eq $sid}
ObjectDN : CN=Security Operations,CN=Users,DC=INLANEFREIGHT,DC=LOCAL
ObjectSID : S-1-5-21-2974783224-3764228556-2640795941-2127
ActiveDirectoryRights : ListChildren, ReadProperty, GenericWrite
BinaryLength : 36
AceQualifier : AccessAllowed
IsCallback : False
OpaqueLength : 0
AccessMask : 131132
SecurityIdentifier : S-1-5-21-2974783224-3764228556-2640795941-1238
AceType : AccessAllowed
AceFlags : ContainerInherit
IsInherited : False
InheritanceFlags : ContainerInherit
PropagationFlags : None
AuditFlags : None
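The AccessMask value 131132 in the output above is the raw form of the ActiveDirectoryRights line. The following is an added example, not code from the module or from PowerView, that decodes such masks with .NET and turns the manual check above into a sweep over every group: which non-administrative principals hold write-type rights (WriteProperty, WriteDacl, WriteOwner, and therefore GenericWrite and GenericAll, which contain WriteProperty) over a group object. The live query assumes PowerView is loaded (Get-DomainGroup, Get-DomainObjectAcl, ConvertFrom-SID); the decode and test functions are plain .NET and the sample ACEs at the end are constructed from the output on this page.

```powershell
# Added example, not code from the module or from PowerView.
# WriteProperty (covers the member attribute), WriteDacl and WriteOwner are the bits that
# let a principal alter a group. GenericWrite and GenericAll both contain WriteProperty,
# so testing these three bits catches them without using GenericAll as the mask
# (GenericAll overlaps ReadProperty, ListChildren, etc. and would match every ACE).
$GroupWriteMask = [int]([System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, WriteDacl, WriteOwner')

function ConvertFrom-AccessMask {
    # Turn the integer AccessMask of an ACE into named rights. .NET decomposes the value
    # exactly as PowerView prints it: 131132 -> ListChildren, ReadProperty, GenericWrite.
    param([Parameter(Mandatory)][int]$AccessMask)
    [System.DirectoryServices.ActiveDirectoryRights]$AccessMask
}

function Test-GroupWriteAce {
    # True when an allow ACE (shaped like Get-DomainObjectAcl output) grants write-type rights.
    param([Parameter(Mandatory)]$Ace)
    if ($Ace.AceQualifier -ne 'AccessAllowed') { return $false }
    $rights = [int][System.DirectoryServices.ActiveDirectoryRights]$Ace.ActiveDirectoryRights
    return (($rights -band $GroupWriteMask) -ne 0)
}

function Find-GroupWriteAccess {
    # Live PowerView query: every ACE on every domain group that grants write rights to a
    # principal outside the usual administrative set. Large domains return many rows;
    # pipe the result to Export-Csv for offline review.
    param([string]$Domain)
    $groupArgs = @{}
    if ($Domain) { $groupArgs['Domain'] = $Domain }
    Get-DomainGroup @groupArgs | Get-DomainObjectAcl -ResolveGUIDs | ForEach-Object {
        $ace = $_
        $sid = [string]$ace.SecurityIdentifier
        # SYSTEM, BUILTIN\Administrators, Domain Admins (-512), Domain Controllers (-516), Enterprise Admins (-519)
        $isAdmin = ($sid -in @('S-1-5-18', 'S-1-5-32-544')) -or ($sid -match '-(512|516|519)$')
        if (-not $isAdmin -and (Test-GroupWriteAce -Ace $ace)) {
            [pscustomobject]@{
                Group     = $ace.ObjectDN
                Principal = ConvertFrom-SID -ObjectSid $sid
                Rights    = $ace.ActiveDirectoryRights
                Scope     = $ace.ObjectAceType   # 'Member' or 'All' (or empty) means membership can be changed; another property name is narrower
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Constructed sample ACEs shaped like the Get-DomainObjectAcl output above: the joe.evans
# entry from this page, and a read-only entry (constructed SID) for contrast.
$sampleAces = @(
    [pscustomobject]@{ ObjectDN = 'CN=Security Operations,CN=Users,DC=INLANEFREIGHT,DC=LOCAL'
                       ActiveDirectoryRights = 'ListChildren, ReadProperty, GenericWrite'; AccessMask = 131132
                       AceQualifier = 'AccessAllowed'; SecurityIdentifier = 'S-1-5-21-2974783224-3764228556-2640795941-1238' },
    [pscustomobject]@{ ObjectDN = 'CN=Security Operations,CN=Users,DC=INLANEFREIGHT,DC=LOCAL'
                       ActiveDirectoryRights = 'ListChildren, ReadProperty'; AccessMask = 20
                       AceQualifier = 'AccessAllowed'; SecurityIdentifier = 'S-1-5-21-2974783224-3764228556-2640795941-9999' }
)
ConvertFrom-AccessMask 131132   # ListChildren, ReadProperty, GenericWrite
ConvertFrom-AccessMask 131127   # CreateChild, DeleteChild, ReadProperty, WriteProperty, GenericExecute
foreach ($a in $sampleAces) { '{0} write={1}' -f $a.SecurityIdentifier, (Test-GroupWriteAce -Ace $a) }   # True, then False
# Live: Find-GroupWriteAccess | Sort-Object Group | Format-Table -AutoSize
```

The Scope column matters for triage: an ACE whose ObjectAceType resolves to a single property other than Member (for example an Exchange attribute) grants WriteProperty on that property only, not the ability to add members.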
Local Groups
It is also important to check local group membership. Is our current user a local admin or a member of local groups on any hosts? We can get a list of the local groups on a host using Get-NetLocalGroup.
GroupName
---------
Access Control Assistance Operators
Administrators
Backup Operators
Certificate Service DCOM Access
Cryptographic Operators
Distributed COM Users
Event Log Readers
Guests
Hyper-V Administrators
IIS_IUSRS
Network Configuration Operators
Performance Log Users
Performance Monitor Users
Power Users
Print Operators
RDS Endpoint Servers
RDS Management Servers
RDS Remote Access Servers
Remote Desktop Users
Remote Management Users
Replicator
Storage Replica Administrators
System Managed Accounts Group
Users
We can also enumerate the local group members on any given host using the Get-NetLocalGroupMember function.
ComputerName : WS01
GroupName : Administrators
MemberName : WS01\Administrator
SID : S-1-5-21-3098764391-2955872655-3533479253-500
IsGroup : False
IsDomain : false

ComputerName : WS01
GroupName : Administrators
MemberName : INLANEFREIGHT\
SID : S-1-5-21-2974783224-3764228556-2640795941-512
IsGroup : False
IsDomain : true

ComputerName : WS01
GroupName : Administrators
MemberName : INLANEFREIGHT\
SID : S-1-5-21-2974783224-3764228556-2640795941-2040
IsGroup : False
IsDomain : true

ComputerName : WS01
GroupName : Administrators
MemberName : INLANEFREIGHT\
SID : S-1-5-21-2974783224-3764228556-2640795941-513
IsGroup : False
IsDomain : true
We see one non-RID 500 user in the local administrators group and use the Convert-SidToName function to convert the SID and reveal the harry.jones user.
INLANEFREIGHT\harry.jones
We can use this same function to check all the hosts on which a given user has local admin access, though this can be done much more quickly with another PowerView / SharpView function that we will cover later in this module.
ComputerName : WS01.INLANEFREIGHT.LOCAL
GroupName : Administrators
MemberName : INLANEFREIGHT\harry.jones
SID : S-1-5-21-2974783224-3764228556-2640795941-2040
IsGroup : False
IsDomain : True
The module we generally use to pull this information is called Get-ADGroupMemberDate and can be downloaded here. Load this module up the same way you would PowerView.
Then run Get-ADGroupMemberDate -Group "Help Desk" -DomainController DC01.INLANEFREIGHT.LOCAL. If there is a specific user you want to pull, we recommend running Get-ADGroupMemberDate -Group "Help Desk" -DomainController DC01.INLANEFREIGHT.LOCAL | ? { ($_.Username -match 'harry.jones') -And ($_.State -NotMatch 'ABSENT') }
Continuing on
We have now covered AD users and groups. Let's start piecing things together and take a
look at some key enumeration techniques around domain computers.
Enumerating AD Computers
Now that we have gathered user and group information, we need to find out information
about the various hosts our target users can log in to, and if gaining SYSTEM access on any
given host will open up different attack paths.
Some of the most useful information we can gather is the hostname, operating system, and
User Account Control (UAC) attributes.
PS C:\htb> .\SharpView.exe Get-DomainComputer -Properties dnshostname,operatingsystem,lastlogontimestamp,useraccountcontrol
useraccountcontrol : WORKSTATION_TRUST_ACCOUNT
lastlogontimestamp : 8/15/2020 9:49:12 PM
dnshostname : EXCHG01.INLANEFREIGHT.LOCAL
operatingsystem : Windows Server 2016 Standard
useraccountcontrol : WORKSTATION_TRUST_ACCOUNT,
TRUSTED_TO_AUTH_FOR_DELEGATION
lastlogontimestamp : 8/15/2020 7:42:00 PM
dnshostname : SQL01.INLANEFREIGHT.LOCAL
operatingsystem : Windows Server 2016 Standard
useraccountcontrol : WORKSTATION_TRUST_ACCOUNT
lastlogontimestamp : 8/15/2020 5:55:24 PM
dnshostname : WS01.INLANEFREIGHT.LOCAL
operatingsystem : Windows Server 2016 Standard
Let's save this data to a CSV for our records using PowerView .
out, and it may become uncommon to find in organizations that have regular penetration
tests performed. The following flags can be combined to help come up with attacks:
LastLogonTimeStamp : This field exists to let administrators find stale machines. If this
field is 90 days old for a machine, it has not been turned on and is missing both
operating system and application patches. Due to this, administrators may want to
automatically disable machines upon this field hitting 90 days of age. Attackers can use
this field in combination with other fields such as Operating System or When Created
to identify targets.
OperatingSystem : This lists the operating system. The obvious attack path is to find a Windows 7 box that is still active (LastLogonTimeStamp) and try attacks like EternalBlue. Even if EternalBlue is not applicable, older versions of Windows are ideal spots to work from as there are fewer logging/antivirus capabilities on older Windows. It's also important to know the differences between flavors of Windows. For example, Windows 10 Enterprise is the only version that comes with "Credential Guard" (which prevents Mimikatz from stealing passwords) enabled by default. If you see Administrators logging into Windows 10 Professional and Windows 10 Enterprise, the Professional box should be targeted.
WhenCreated : This field is created when a machine joins Active Directory. The older
the box is, the more likely it is to deviate from the "Standard Build." Old workstations
could have weaker local administration passwords, more local admins, vulnerable
software, more data, etc.
Computer Attacks
We can see if any computers in the domain are configured to allow unconstrained delegation
and find one, the domain controller, which is standard.
Finally, we can check for any hosts set up to allow for constrained delegation.
dnshostname                  useraccountcontrol
-----------                  ------------------
EXCHG01.INLANEFREIGHT.LOCAL  WORKSTATION_TRUST_ACCOUNT
SQL01.INLANEFREIGHT.LOCAL    WORKSTATION_TRUST_ACCOUNT, TRUSTED_TO_AUTH_FOR_DELEGATION
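The three computer fields discussed above (LastLogonTimeStamp, OperatingSystem, WhenCreated) and the delegation flags in the last two listings can be pulled and decoded in one pass. The following is an added example, not code from the module: it queries computer objects with the built-in [adsisearcher] (so it needs no PowerView), classifies each machine's delegation setting from the useraccountcontrol bits together with msDS-AllowedToDelegateTo, and flags machines whose lastlogontimestamp is older than the 90-day threshold the text mentions. The bit values are from the userAccountControl definition; the sample calls at the end use constructed values, not a real query.

```powershell
# Added example, not code from the module.
$UAC_TRUSTED_FOR_DELEGATION         = 0x80000    # unconstrained delegation
$UAC_NOT_DELEGATED                  = 0x100000   # "account is sensitive and cannot be delegated"
$UAC_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition

function Get-DelegationType {
    # Classify a computer's delegation setting from its UAC value and its target SPN list.
    param([Parameter(Mandatory)][int]$UserAccountControl, [string[]]$AllowedToDelegateTo = @())
    if ($UserAccountControl -band $UAC_TRUSTED_FOR_DELEGATION)         { return 'Unconstrained' }
    if ($UserAccountControl -band $UAC_TRUSTED_TO_AUTH_FOR_DELEGATION) { return 'Constrained (protocol transition)' }
    if ($AllowedToDelegateTo.Count -gt 0)                              { return 'Constrained (Kerberos only)' }
    return 'None'
}

function Test-StaleComputer {
    # True when the machine has not authenticated within $Days, or never has.
    # lastlogontimestamp is only replicated roughly every 14 days, so treat it as a coarse signal.
    param([Nullable[DateTime]]$LastLogon, [int]$Days = 90, [DateTime]$Now = [DateTime]::UtcNow)
    if ($null -eq $LastLogon) { return $true }
    return (($Now - $LastLogon).TotalDays -gt $Days)
}

function Get-ComputerDelegationReport {
    # Live LDAP query against the current domain (domain-joined session assumed).
    param([int]$StaleDays = 90)
    $searcher = [adsisearcher]'(objectCategory=computer)'
    $searcher.PageSize = 1000
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('dnshostname', 'operatingsystem', 'lastlogontimestamp',
        'useraccountcontrol', 'msds-allowedtodelegateto', 'whencreated'))
    foreach ($result in $searcher.FindAll()) {
        $p = $result.Properties
        $uac      = [int]($p['useraccountcontrol'] | Select-Object -First 1)
        $fileTime = [long]($p['lastlogontimestamp'] | Select-Object -First 1)   # 0 when the attribute was never set
        $lastLogon = if ($fileTime -gt 0) { [DateTime]::FromFileTimeUtc($fileTime) } else { $null }
        $targets   = @($p['msds-allowedtodelegateto'] | ForEach-Object { [string]$_ })
        [pscustomobject]@{
            DnsHostName       = [string]($p['dnshostname'] | Select-Object -First 1)
            OperatingSystem   = [string]($p['operatingsystem'] | Select-Object -First 1)
            WhenCreated       = ($p['whencreated'] | Select-Object -First 1)
            LastLogon         = $lastLogon
            Stale             = Test-StaleComputer -LastLogon $lastLogon -Days $StaleDays
            Delegation        = Get-DelegationType -UserAccountControl $uac -AllowedToDelegateTo $targets
            NotDelegated      = [bool]($uac -band $UAC_NOT_DELEGATED)
            DelegationTargets = ($targets -join '; ')
        }
    }
}

# Constructed sample values (not from a real query):
#   0x2000 SERVER_TRUST_ACCOUNT | 0x80000      -> a domain controller with unconstrained delegation
#   0x1000 WORKSTATION_TRUST_ACCOUNT | 0x1000000 -> the SQL01-style protocol-transition case above
Get-DelegationType -UserAccountControl 0x82000                                                           # Unconstrained
Get-DelegationType -UserAccountControl 0x1001000 -AllowedToDelegateTo @('CIFS/WS01.INLANEFREIGHT.LOCAL') # Constrained (protocol transition)
Get-DelegationType -UserAccountControl 0x1000 -AllowedToDelegateTo @('CIFS/WS01.INLANEFREIGHT.LOCAL')    # Constrained (Kerberos only)
Test-StaleComputer -LastLogon ([DateTime]'2020-08-15T21:49:12Z').ToUniversalTime() `
                   -Now ([DateTime]'2021-01-01T00:00:00Z').ToUniversalTime()                              # True (about 138 days)
# Live: Get-ComputerDelegationReport | Where-Object { $_.Delegation -ne 'None' -or $_.Stale } | Format-Table
```

The "Kerberos only" branch is why the EXCHG01 entry above shows plain WORKSTATION_TRUST_ACCOUNT under a constrained-delegation query: constrained delegation without protocol transition sets no UAC bit, it only populates msDS-AllowedToDelegateTo, so a search that keys on the flag alone misses it.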
ACL                                        Description
Discretionary Access Control List (DACL)   This defines which security principals are granted or denied access to an object.
System Access Control Lists (SACL)         These allow administrators to log access attempts made to secured objects.
ACL (mis)configurations may allow for chained object-to-object control. We can visualize the unrolled membership of target groups, the so-called derivative admins, who can derive admin rights by exploiting an AD attack chain.
AD Attack chains may include the following components:
Below is an example of just some of the ACLs that can be set on a user object.
ACL Abuse
Why do we care about ACLs? ACL abuse is a powerful attack vector for us as penetration
testers. These types of misconfigurations often go unnoticed in corporate environments
because they can be difficult to monitor and control. An organization may be unaware of
overly permissive ACL settings for years before (hopefully) we discover them. Below are
some of the example Active Directory object security permissions (supported by
BloodHound and abusable with SharpView / PowerView ):
AllExtendedRights abused with Set-DomainUserPassword or Add-DomainGroupMember
ActiveDirectoryRights : ExtendedRight
InheritanceType : All
ObjectType : ab721a53-1e2f-11d0-9819-00aa0040529b
InheritedObjectType : 00000000-0000-0000-0000-000000000000
ObjectFlags : ObjectAceTypePresent
AccessControlType : Allow
IdentityReference : INLANEFREIGHT\cliff.moore
IsInherited : False
InheritanceFlags : ContainerInherit
PropagationFlags : None
We can drill down further on this user to find all users with WriteProperty or GenericAll
rights over the target user.
IdentityReference                          ActiveDirectoryRights
-----------------                          ---------------------
BUILTIN\Administrators                     CreateChild, DeleteChild, Self, WriteProperty, ExtendedRight, Delete, GenericRead, WriteDacl, WriteOwner
INLANEFREIGHT\Domain Admins                CreateChild, DeleteChild, Self, WriteProperty, ExtendedRight, GenericRead, WriteDacl, WriteOwner
INLANEFREIGHT\Enterprise Admins            CreateChild, DeleteChild, Self, WriteProperty, ExtendedRight, GenericRead, WriteDacl, WriteOwner
INLANEFREIGHT\cliff.moore                  ReadProperty, WriteProperty, GenericExecute
NT AUTHORITY\SELF                          ReadProperty, WriteProperty, ExtendedRight
BUILTIN\Terminal Server License Servers    ReadProperty, WriteProperty
INLANEFREIGHT\Cert Publishers              ReadProperty, WriteProperty
INLANEFREIGHT\Organization Management      WriteProperty
INLANEFREIGHT\Exchange Servers             WriteProperty
INLANEFREIGHT\Exchange Servers             CreateChild, DeleteChild, ListChildren, ReadProperty, WriteProperty, ListObject
INLANEFREIGHT\Exchange Servers             ReadProperty, WriteProperty, ListObject, Delete
INLANEFREIGHT\Exchange Trusted Subsystem   CreateChild, DeleteChild, ListChildren, ReadProperty, WriteProperty, ListObject
INLANEFREIGHT\Exchange Trusted Subsystem   WriteProperty
AceQualifier : AccessAllowed
ObjectDN : CN=Harry Jones,OU=Network Ops,OU=IT,OU=Employees,DC=INLANEFREIGHT,DC=LOCAL
ActiveDirectoryRights : CreateChild, DeleteChild, ListChildren
ObjectAceType : ms-Exch-Active-Sync-Devices
ObjectSID : S-1-5-21-2974783224-3764228556-2640795941-2040
InheritanceFlags : ContainerInherit
BinaryLength : 72
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent, InheritedObjectAceTypePresent
IsCallback : False
PropagationFlags : InheritOnly
SecurityIdentifier : S-1-5-21-2974783224-3764228556-2640795941-2615
AccessMask : 7
AuditFlags : None
IsInherited : False
AceFlags : ContainerInherit, InheritOnly
InheritedObjectAceType : inetOrgPerson
OpaqueLength : 0

AceQualifier : AccessAllowed
ObjectDN : CN=Harry Jones,OU=Network Ops,OU=IT,OU=Employees,DC=INLANEFREIGHT,DC=LOCAL
ActiveDirectoryRights : CreateChild, DeleteChild, ListChildren
ObjectAceType : ms-Exch-Active-Sync-Devices
ObjectSID : S-1-5-21-2974783224-3764228556-2640795941-2040
InheritanceFlags : ContainerInherit
BinaryLength : 72
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent, InheritedObjectAceTypePresent
IsCallback : False
PropagationFlags : InheritOnly
SecurityIdentifier : S-1-5-21-2974783224-3764228556-2640795941-2615
AccessMask : 7
AuditFlags : None
IsInherited : False
AceFlags : ContainerInherit, InheritOnly
InheritedObjectAceType : User
OpaqueLength : 0
<...SNIP...>
We can seek out ACLs on specific users and filter the results using the various AD filters covered in the Active Directory LDAP module. We can use Find-InterestingDomainAcl to search for objects in the domain with modification rights over non-built-in objects. This command, too, produces a large amount of data and can either be filtered for information about specific objects or saved to be examined offline.
PS C:\htb> Find-InterestingDomainAcl -Domain inlanefreight.local -ResolveGUIDs
ObjectDN : DC=INLANEFREIGHT,DC=LOCAL
AceQualifier : AccessAllowed
ActiveDirectoryRights : ExtendedRight
ObjectAceType : User-Change-Password
AceFlags : ContainerInherit
AceType : AccessAllowedObject
InheritanceFlags : ContainerInherit
SecurityIdentifier : S-1-5-21-2974783224-3764228556-2640795941-2618
IdentityReferenceName : Exchange Windows Permissions
IdentityReferenceDomain : INLANEFREIGHT.LOCAL
IdentityReferenceDN : CN=Exchange Windows Permissions,OU=Microsoft Exchange Security Groups,DC=INLANEFREIGHT,DC=LOCAL
IdentityReferenceClass : group
ObjectDN : DC=INLANEFREIGHT,DC=LOCAL
AceQualifier : AccessAllowed
ActiveDirectoryRights : ExtendedRight
ObjectAceType : User-Force-Change-Password
AceFlags : ContainerInherit
AceType : AccessAllowedObject
InheritanceFlags : ContainerInherit
SecurityIdentifier : S-1-5-21-2974783224-3764228556-2640795941-2618
IdentityReferenceName : Exchange Windows Permissions
IdentityReferenceDomain : INLANEFREIGHT.LOCAL
IdentityReferenceDN : CN=Exchange Windows Permissions,OU=Microsoft Exchange Security Groups,DC=INLANEFREIGHT,DC=LOCAL
IdentityReferenceClass : group
ObjectDN : DC=INLANEFREIGHT,DC=LOCAL
AceQualifier : AccessAllowed
ActiveDirectoryRights : CreateChild, DeleteChild, ListChildren
ObjectAceType : ms-Exch-Active-Sync-Devices
AceFlags : ContainerInherit, InheritOnly
AceType : AccessAllowedObject
InheritanceFlags : ContainerInherit
SecurityIdentifier : S-1-5-21-2974783224-3764228556-2640795941-2615
IdentityReferenceName : Exchange Servers
IdentityReferenceDomain : INLANEFREIGHT.LOCAL
IdentityReferenceDN : CN=Exchange Servers,OU=Microsoft Exchange Security Groups,DC=INLANEFREIGHT,DC=LOCAL
IdentityReferenceClass : group
<...SNIP...>
Aside from users and computers, we should also look at the ACLs set on file shares. This could tell us which users can access a specific share, or whether permissions are set too loosely on a share, which could lead to sensitive data disclosure or other attacks.
Path : \\SQL01\DB_backups
FileSystemRights : Read
IdentityReference : Local System
IdentitySID : S-1-5-18
AccessControlType : Allow
Path : \\SQL01\DB_backups
FileSystemRights : Read
IdentityReference : BUILTIN\Administrators
IdentitySID : S-1-5-32-544
AccessControlType : Allow
Path : \\SQL01\DB_backups
FileSystemRights : Read
IdentityReference : BUILTIN\Users
IdentitySID : S-1-5-32-545
AccessControlType : Allow
Path : \\SQL01\DB_backups
FileSystemRights : AppendData/AddSubdirectory
IdentityReference : BUILTIN\Users
IdentitySID : S-1-5-32-545
AccessControlType : Allow
Path : \\SQL01\DB_backups
FileSystemRights : WriteData/AddFile
IdentityReference : BUILTIN\Users
IdentitySID : S-1-5-32-545
AccessControlType : Allow
Path : \\SQL01\DB_backups
FileSystemRights : GenericAll
IdentityReference : Creator Owner
IdentitySID : S-1-3-0
AccessControlType : Allow
Aside from ACLs of specific users and computers that may allow us to fully control or grant
us other permissions, we should also check the ACL of the domain object. A common attack
called DCSync requires a user to be delegated a combination of the following three rights:
We can use the Get-ObjectACL function to search for all users that have these rights.
SecurityIdentifier
------------------
S-1-5-18
S-1-5-21-2974783224-3764228556-2640795941-1883
S-1-5-21-2974783224-3764228556-2640795941-2601
S-1-5-21-2974783224-3764228556-2640795941-2616
S-1-5-21-2974783224-3764228556-2640795941-498
S-1-5-21-2974783224-3764228556-2640795941-516
S-1-5-21-2974783224-3764228556-2640795941-519
S-1-5-32-544
S-1-5-9
Once we have the SIDs we can convert the SID back to the user to see which accounts
have these rights and determine whether or not this is intended and/or if we can abuse these
rights.
INLANEFREIGHT\frederick.walton
This can be done quickly to enumerate all users with this right.
INLANEFREIGHT\frederick.walton
INLANEFREIGHT\Enterprise Read-only Domain Controllers
INLANEFREIGHT\Domain Controllers
INLANEFREIGHT\Organization Management
INLANEFREIGHT\Exchange Trusted Subsystem
BUILTIN\Administrators
Enterprise Domain Controllers
INLANEFREIGHT\Enterprise Admins
Local System
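The SID listing above mixes principals that hold only one of the replication rights with those that hold the pair DCSync actually needs. The following is an added example, not code from the module: given ACE objects shaped like the output of Get-DomainObjectAcl -ResolveGUIDs on the domain object, it groups the replication extended rights by SID and reports which SIDs hold both DS-Replication-Get-Changes and DS-Replication-Get-Changes-All (GenericAll or an unscoped ExtendedRight ACE implies all of them). The GUIDs are the schema's controlAccessRight identifiers for those rights; the sample ACEs are constructed (they reuse SIDs from the listing above, but which account each SID maps to is not asserted), and the live usage line assumes PowerView is loaded.

```powershell
# Added example, not code from the module.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}
$RIGHT_EXTENDED   = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight   # 256
$RIGHT_GENERICALL = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericAll      # 983551

function Get-ReplicationRightHolders {
    # Collapse the domain object's ACEs into one row per SID with the replication rights it holds.
    param([Parameter(Mandatory)][object[]]$Ace)
    $bySid = @{}
    foreach ($a in $Ace) {
        if ($a.AceQualifier -ne 'AccessAllowed') { continue }   # deny ACEs do not grant anything
        $rights = [int][System.DirectoryServices.ActiveDirectoryRights]$a.ActiveDirectoryRights
        $sid = [string]$a.SecurityIdentifier
        $granted = @()
        if (($rights -band $RIGHT_GENERICALL) -eq $RIGHT_GENERICALL) {
            $granted = @($ReplicationRights.Values)                      # GenericAll implies every extended right
        }
        elseif ($rights -band $RIGHT_EXTENDED) {
            $type = [string]$a.ObjectAceType
            if (-not $type -or $type -eq 'All' -or $type -eq '00000000-0000-0000-0000-000000000000') {
                $granted = @($ReplicationRights.Values)                  # unscoped ExtendedRight = all extended rights
            }
            elseif ($ReplicationRights.ContainsKey($type))   { $granted = @($ReplicationRights[$type]) }   # raw GUID
            elseif ($ReplicationRights.ContainsValue($type)) { $granted = @($type) }                       # name from -ResolveGUIDs
        }
        if ($granted.Count -eq 0) { continue }
        if (-not $bySid.ContainsKey($sid)) { $bySid[$sid] = @() }
        $bySid[$sid] += $granted
    }
    foreach ($sid in $bySid.Keys) {
        $set = @($bySid[$sid] | Sort-Object -Unique)
        [pscustomobject]@{
            SecurityIdentifier = $sid
            Rights             = ($set -join ', ')
            CanDCSync          = ($set -contains 'DS-Replication-Get-Changes') -and ($set -contains 'DS-Replication-Get-Changes-All')
        }
    }
}

# Constructed sample ACEs (shape of Get-DomainObjectAcl -ResolveGUIDs output; one uses the raw GUID form).
$sampleAces = @(
    [pscustomobject]@{ AceQualifier = 'AccessAllowed'; ActiveDirectoryRights = 'ExtendedRight'; ObjectAceType = 'DS-Replication-Get-Changes';           SecurityIdentifier = 'S-1-5-21-2974783224-3764228556-2640795941-1883' },
    [pscustomobject]@{ AceQualifier = 'AccessAllowed'; ActiveDirectoryRights = 'ExtendedRight'; ObjectAceType = 'DS-Replication-Get-Changes-All';       SecurityIdentifier = 'S-1-5-21-2974783224-3764228556-2640795941-1883' },
    [pscustomobject]@{ AceQualifier = 'AccessAllowed'; ActiveDirectoryRights = 'ExtendedRight'; ObjectAceType = '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'; SecurityIdentifier = 'S-1-5-21-2974783224-3764228556-2640795941-2601' },
    [pscustomobject]@{ AceQualifier = 'AccessAllowed'; ActiveDirectoryRights = 'GenericAll';    ObjectAceType = $null;                                  SecurityIdentifier = 'S-1-5-21-2974783224-3764228556-2640795941-519' }
)
Get-ReplicationRightHolders -Ace $sampleAces | Format-Table -AutoSize
# -1883: both Get-Changes rights -> CanDCSync True; -2601: Get-Changes only -> False; -519 (Enterprise Admins RID): GenericAll -> True
# Live (PowerView loaded), resolving SIDs to names as the text does:
# Get-ReplicationRightHolders -Ace (Get-DomainObjectAcl -Identity 'DC=INLANEFREIGHT,DC=LOCAL' -ResolveGUIDs) |
#     Where-Object CanDCSync | ForEach-Object { ConvertFrom-SID -ObjectSid $_.SecurityIdentifier }
```

Group SIDs in the result (Domain Controllers, Enterprise Domain Controllers, Administrators, Enterprise Admins, plus any Exchange group) are expected; an individual user SID with CanDCSync set to True is the finding to record, and the same grouping is what a detection query over directory-service audit events (object access on the domain NC) should key on.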
Leveraging ACLs
As seen in this section, various ACE entries can be set within AD. Administrators may set some on purpose to grant fine-grained privileges over an object or set of objects. In contrast, others may result from misconfigurations or installation of a service such as Exchange, which makes many changes to ACLs within the domain by default.
We may compromise a user with GenericWrite over a user or group and can leverage this to force-change a user's password or add our account to a specific group to further our access. Any modifications such as these should be carefully noted down and mentioned in the final report so the client can make sure changes are reverted if we cannot revert them during the assessment period. Also, a "destructive" action, such as changing a user's password, should be used sparingly and coordinated with the client to avoid disruptions.
If we find a user, group, or computer with WriteDacl privileges over an object, we can leverage this in several ways. For example, if we can compromise a member of an Exchange-related group such as Exchange Trusted Subsystem, we will likely have WriteDacl privileges over the domain object itself and be able to grant Replicating Directory Changes and Replicating Directory Change permissions to an account that we control, then perform a DCSync attack to fully compromise the domain by mimicking a Domain Controller to retrieve user NTLM password hashes for any account we choose.
If we find ourselves with GenericAll / GenericWrite privileges over a target user, a less destructive attack would be to set a fake SPN on the account and perform a targeted Kerberoasting attack, or modify the account's userAccountControl not to require Kerberos pre-authentication and perform a targeted ASREPRoasting attack. These examples require the account to be using a weak password that can be cracked offline using a tool such as Hashcat with minimal effort, but they are much less destructive than changing a user's password and have a higher likelihood of going unnoticed.
If you perform a destructive action such as changing a user's password and can compromise the domain, you can DCSync, obtain the account's password history, and use Mimikatz to reset the account to the previous password using LSADUMP::ChangeNTLM or LSADUMP::SetNTLM.
Sometimes we will find that a user or even the entire Domain Users group has been
granted write permissions over a specific group policy object. If we find this type of
misconfiguration, and the GPO is linked to one or more users or computers, we can use a
tool such as SharpGPOAbuse to modify the target GPO to perform actions such as
provisioning additional privileges to a user (such as SeDebugPrivilege to be able to
perform targeted credential theft, or SeTakeOwnershipPrivilege to gain control over a
sensitive file or file share), add a user we control as a local admin to a target host, add a
computer startup script, and more. As discussed above, these modifications should be
performed carefully in coordination with the client and noted in the final report to minimize
disruptions.
This is a summary of the many options we have for abusing ACLs. This topic will be covered
more in-depth in later modules.
Wrap Up
ACLs are an often overlooked area of AD security, but they can provide powerful intended
and unintended rights over objects in the domain environment, as we have seen here. Even
a small AD network has thousands of ACLs, so we must be targeted with our searches to
uncover useful data. Next, we will take a look at Group Policy Objects (GPOs).
Windows environment. A Group Policy Object (GPO) is a collection of policy settings. GPOs include policies such as screen lock timeout, disabling USB ports, domain password policy, pushing out software, managing applications, and more. GPOs can be applied to individual users and hosts or groups by being applied directly to an Organizational Unit (OU). Gaining rights over a GPO can lead to lateral or vertical movement up to full domain compromise and can also be used as a persistence mechanism. Like ACLs, GPOs are often overlooked, and one misconfigured GPO can have catastrophic results.
We can use PowerView / SharpView, BloodHound, and Group3r to enumerate Group Policy security misconfigurations. This section will show some of the enumeration techniques we can perform on the command line using PowerView and SharpView.
GPO Abuse
GPOs can be abused to perform attacks such as adding additional rights to a user, adding a
local admin, or creating an immediate scheduled task. There are several ways to gain
persistence via GPOs:
displayname
-----------
Default Domain Policy
Default Domain Controllers Policy
LAPS Install
LAPS
Disable LM Hash
Disable CMD.exe
Disallow removable media
Prevent software installs
Disable guest account
Disable SMBv1
Map home drive
Disable Forced Restarts
Screensaver
Applocker
Fine-grained password policy
Restrict Control Panel
User - MS Office
User - Browser Settings
Audit Policy
PowerShell logging
displayname
-----------
LAPS
Restrict Control Panel
Applocker
Disable Forced Restarts
Prevent software installs
Disallow removable media
Disable CMD.exe
Disable LM Hash
Disable Defender
PowerShell logging
Audit Policy
User - Browser Settings
User - MS Office
Fine-grained password policy
Screensaver
Map home drive
Disable SMBv1
Disable guest account
Default Domain Policy
Analyzing the GPO names can give us an idea of some of the security configurations in the
target domain, such as LAPS, AppLocker, PowerShell Logging, cmd.exe disabled for
workstations, etc. We can check for hosts/users that these GPOs are not applied to and plan
out our attack paths for circumventing these controls.
If we do not have tools available to us, we can use gpresult, which is a built-in tool that
determines GPOs that have been applied to a given user or computer and their settings. We
can use specific commands to see the GPOs applied to a specific user and computer,
respectively, such as:
The tool can output in HTML format with a command such as gpresult /h gpo_report.html.
Let's use gpresult to see what GPOs are applied to a workstation in the domain.
Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
© 2016 Microsoft Corporation. All rights reserved.
COMPUTER SETTINGS
------------------
Prevent software installs
Default Domain Policy
LAPS
Disable LM Hash
Prevent software installs
Disable guest account
The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Local Group Policy
Filtering: Not Applied (Empty)
USER SETTINGS
--------------
CN=Administrator,CN=Users,DC=INLANEFREIGHT,DC=LOCAL
Last time Group Policy was applied: 7/30/2020 at 3:10:28 PM
Group Policy was applied from: N/A
Group Policy slow link threshold: 500 kbps
Domain Name: INLANEFREIGHT
Domain Type: Windows 2008 or later
The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Local Group Policy
Filtering: Not Applied (Empty)
GPO Permissions
After reviewing all of the GPOs applied throughout the domain, it is always good to look at GPO permissions. We can use Get-DomainGPO and Get-ObjectAcl with the SID of the Domain Users group to see if this group has any permissions assigned to any GPOs.
ObjectDN : CN={831DE3ED-40B1-4703-ABA7-8EA13B2EB118},CN=Policies,CN=System,DC=INLANEFREIGHT,DC=LOCAL
ObjectSID :
ActiveDirectoryRights : CreateChild, DeleteChild, ReadProperty,
WriteProperty, GenericExecute
BinaryLength : 36
AceQualifier : AccessAllowed
IsCallback : False
OpaqueLength : 0
AccessMask : 131127
SecurityIdentifier : S-1-5-21-2974783224-3764228556-2640795941-513
AceType : AccessAllowed
AceFlags : ContainerInherit
IsInherited : False
InheritanceFlags : ContainerInherit
PropagationFlags : None
AuditFlags : None
From the result, we can see that one GPO allows all Domain Users full write access. We can
then confirm the name of the GPO using the built-in cmdlet Get-GPO .
DisplayName : Screensaver
DomainName : INLANEFREIGHT.LOCAL
Owner : INLANEFREIGHT\Domain Admins
Id : 831de3ed-40b1-4703-aba7-8ea13b2eb118
GpoStatus : AllSettingsEnabled
Description :
CreationTime : 8/26/2020 10:46:46 PM
ModificationTime : 8/26/2020 11:11:01 PM
UserVersion : AD Version: 0, SysVol Version: 0
ComputerVersion : AD Version: 0, SysVol Version: 0
WmiFilter :
This misconfigured GPO could be exploited using a tool such as SharpGPOAbuse and its --AddUserRights attack to give a user unintended rights, or the --AddLocalAdmin attack to add a user as a local admin on a machine where the GPO is applied and use it to move laterally towards our target.
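The manual check above looked up one SID against the ACL of each GPO. The following is an added example, not code from the module or from PowerView, that sweeps every GPO for write-type rights (WriteProperty, WriteDacl, WriteOwner, and so GenericWrite and GenericAll as well) held by broad principals: Everyone, Authenticated Users, Domain Users and Domain Computers. It assumes PowerView is loaded (Get-DomainGPO, Get-DomainObjectAcl, ConvertFrom-SID); the domain SID is the one shown in the output on this page, and the sample ACE at the end is constructed from the Get-ObjectAcl result above.

```powershell
# Added example, not code from the module or from PowerView.
$GpoWriteMask = [int]([System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, WriteDacl, WriteOwner')  # bits also present inside GenericWrite/GenericAll

function Get-BroadSidList {
    # Well-known SIDs plus the domain-relative RIDs for Domain Users (513) and Domain Computers (515).
    param([Parameter(Mandatory)][string]$DomainSid)
    @('S-1-1-0', 'S-1-5-11', "$DomainSid-513", "$DomainSid-515")
}

function Test-BroadGpoWriteAce {
    # True when an allow ACE grants one of the broad principals a write-type right on the GPO object.
    param([Parameter(Mandatory)]$Ace, [Parameter(Mandatory)][string[]]$BroadSid)
    if ($Ace.AceQualifier -ne 'AccessAllowed') { return $false }
    if (([string]$Ace.SecurityIdentifier) -notin $BroadSid) { return $false }
    $rights = [int][System.DirectoryServices.ActiveDirectoryRights]$Ace.ActiveDirectoryRights
    return (($rights -band $GpoWriteMask) -ne 0)
}

function Find-GpoBroadWriteAccess {
    # Live PowerView query: one row per (GPO, broad principal, write ACE).
    param([Parameter(Mandatory)][string]$DomainSid)
    $broad = Get-BroadSidList -DomainSid $DomainSid
    foreach ($gpo in (Get-DomainGPO)) {
        foreach ($ace in (Get-DomainObjectAcl -Identity $gpo.distinguishedname -ResolveGUIDs)) {
            if (-not (Test-BroadGpoWriteAce -Ace $ace -BroadSid $broad)) { continue }
            [pscustomobject]@{
                GpoName    = $gpo.displayname
                GpoDN      = $gpo.distinguishedname
                Principal  = ConvertFrom-SID -ObjectSid ([string]$ace.SecurityIdentifier)
                Rights     = $ace.ActiveDirectoryRights
                Scope      = $ace.ObjectAceType     # 'All' or empty: whole object, including gPCFileSysPath and versionNumber
                SysvolPath = $gpo.gpcfilesyspath    # the policy files themselves; their NTFS ACL is a separate check
            }
        }
    }
}

# Constructed sample: the Domain Users (RID 513) ACE from the Get-ObjectAcl output above.
$domainSid = 'S-1-5-21-2974783224-3764228556-2640795941'
$sampleAce = [pscustomobject]@{
    ObjectDN              = 'CN={831DE3ED-40B1-4703-ABA7-8EA13B2EB118},CN=Policies,CN=System,DC=INLANEFREIGHT,DC=LOCAL'
    ActiveDirectoryRights = 'CreateChild, DeleteChild, ReadProperty, WriteProperty, GenericExecute'
    AceQualifier          = 'AccessAllowed'
    SecurityIdentifier    = "$domainSid-513"
}
Test-BroadGpoWriteAce -Ace $sampleAce -BroadSid (Get-BroadSidList -DomainSid $domainSid)   # True
# Live: Find-GpoBroadWriteAccess -DomainSid $domainSid | Format-Table GpoName, Principal, Rights, Scope
```

Any row this returns should be cross-checked against the GPO's links (the gPLink attribute on the OUs it applies to) to see which users and computers would actually receive a modified policy, and the SysvolPath column feeds directly into the file-permission check on the policy files.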
However, each one of these applications is non-default, and when an Administrator googles for a solution, their answer probably won't include the technology they use. Often, you may find one-off configurations an administrator did to accomplish a task quickly. For example, on multiple occasions, I have run across a "Machine/User Startup" script to collect inventory and write it to a domain share. I have seen this policy execute both BAT and VBScript files that were either write-able by the machine account or domain users. Whenever I dig into file shares and see files write-able by Everyone, Authenticated Users, Domain Users, Domain Computers, etc., containing what looks like log files, I dig into Group Policy, specifically looking for Startup Scripts.
That is just one way Administrators use "Code Execution via GP" legitimately. Here is a list of the paths I know about:
If any one of these paths points to a file on a share, enumerate the permissions to check whether non-administrators can edit the file. Your tools will often miss this because they only look at whether the Group Policy itself is write-able, not whether the executables/scripts the group policy references are writeable.
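The check just described, and the share ACL review earlier in this section, come down to one question per path: does a broad principal hold a write-type right? The following is an added example, not code from the module, that answers it for local or UNC paths with Get-Acl. The principal list is an assumption to tune per environment; the write mask covers the specific NTFS write rights plus the generic write/all bits that inherit-only ACEs sometimes carry instead; the sample ACEs are constructed from the \\SQL01\DB_backups listing above, and the script path in the live usage line is hypothetical.

```powershell
# Added example, not code from the module.
$BroadPrincipals = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users', 'Domain Users', 'Domain Computers')

# Rights that let content or the ACL itself be changed, plus GENERIC_WRITE (0x40000000)
# and GENERIC_ALL (0x10000000), which show up on some inherit-only ACEs in raw form.
$FileWriteMask = [int]([System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, WriteAttributes, WriteExtendedAttributes, Delete, ChangePermissions, TakeOwnership') -bor 0x40000000 -bor 0x10000000

function Test-BroadWriteAce {
    # True when an allow ACE gives one of the broad principals a write-type right.
    param([Parameter(Mandatory)][System.Security.AccessControl.FileSystemAccessRule]$Ace)
    if ($Ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { return $false }
    $who = $Ace.IdentityReference.Value
    $isBroad = $false
    foreach ($p in $BroadPrincipals) { if ($who -like "*$p") { $isBroad = $true } }
    if (-not $isBroad) { return $false }
    return ((([int]$Ace.FileSystemRights) -band $FileWriteMask) -ne 0)
}

function Find-BroadWriteAccess {
    # Read the ACL of each path (local or UNC) and emit the offending ACEs.
    param([Parameter(Mandatory)][string[]]$Path)
    foreach ($p in $Path) {
        try { $acl = Get-Acl -LiteralPath $p -ErrorAction Stop }
        catch { Write-Warning "Cannot read ACL of ${p}: $($_.Exception.Message)"; continue }
        foreach ($ace in $acl.Access) {
            if (Test-BroadWriteAce -Ace $ace) {
                [pscustomobject]@{ Path = $p; Identity = $ace.IdentityReference.Value; Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited }
            }
        }
    }
}

# Constructed sample ACEs mirroring the DB_backups listing above (real FileSystemAccessRule objects).
$sample = @(
    [System.Security.AccessControl.FileSystemAccessRule]::new('BUILTIN\Users', 'Read', 'Allow'),
    [System.Security.AccessControl.FileSystemAccessRule]::new('BUILTIN\Users', 'WriteData', 'Allow'),
    [System.Security.AccessControl.FileSystemAccessRule]::new('BUILTIN\Administrators', 'FullControl', 'Allow'),
    [System.Security.AccessControl.FileSystemAccessRule]::new('CREATOR OWNER', 'FullControl', 'Allow')
)
foreach ($ace in $sample) { '{0,-25} {1,-30} flagged={2}' -f $ace.IdentityReference.Value, $ace.FileSystemRights, (Test-BroadWriteAce -Ace $ace) }
# BUILTIN\Users Read -> False; BUILTIN\Users WriteData -> True; Administrators and CREATOR OWNER -> False (not broad principals)
# Live: Find-BroadWriteAccess -Path '\\SQL01\DB_backups', '\\INLANEFREIGHT.LOCAL\SYSVOL\INLANEFREIGHT.LOCAL\scripts\inventory.bat'   # second path is hypothetical
```

The same function applied to the gPCFileSysPath of each GPO and to every script or executable those policies reference closes the gap the text describes: a GPO whose object ACL is clean but whose startup script sits in a share writable by Domain Computers is still modifiable by any machine account.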
Next Steps
At this point, we have enumerated users, groups, computers, ACLs, and GPOs within the
target domain and uncovered many misconfigurations that we could use to move through the
domain towards our target. Now that we have seen a few ways to take over the
INLANEFREIGHT.LOCAL domain, we can look at domain trusts and see what partner
domains/forests exist and the relationships. This will help us plan our attacks to move from
our current domain and potentially compromise any trusting domains.
Enumerating AD Trusts
A transitive trust means that trust is extended to objects which the child domain trusts.
In a non-transitive trust, only the child domain itself is trusted.
In bidirectional trusts, users from both trusting domains can access resources.
In a one-way trust, only users in a trusted domain can access resources in a trusting
domain, not vice-versa. The direction of trust is opposite to the direction
of access.
Trust Type     Description
Parent-child   Domains within the same forest. The child domain has a two-way transitive trust with the parent domain.
Cross-link     A trust between child domains to speed up authentication.
External       A non-transitive trust between two separate domains in separate forests that are not already joined by a forest trust. This type of trust utilizes SID filtering.
Tree-root      A two-way transitive trust between a forest root domain and a new tree root domain. They are created by design when you set up a new tree root domain within a forest.
Forest         A transitive trust between two forest root domains.
Often, domain trusts are set up improperly and provide unintended attack paths. Also, trusts
set up for ease of use may not be reviewed later for potential security implications. M&A can
result in bidirectional trusts with acquired companies, unknowingly introducing risk into the
acquiring company’s environment. It is not uncommon to perform an attack such as
Kerberoasting against a domain outside the principal domain and obtain a user with
administrative access within the principal domain.
BloodHound creates a graphical view of trust relationships, which helps both attackers and
defenders understand potential trust-related vectors.
PowerView can be used to perform a domain trust mapping and provide information such as
the type of trust (parent/child, external, forest), as well as the direction of the trust (one-way
or bidirectional). All of this information is extremely useful once a foothold is obtained, and
you are planning to compromise the environment further.
We can use the function Get-DomainTrust to quickly check which trusts exist, the type, and
the direction of the trusts.
PS C:\htb> Get-DomainTrust
SourceName : INLANEFREIGHT.LOCAL
TargetName : LOGISTICS.INLANEFREIGHT.LOCAL
TrustType : WINDOWS_ACTIVE_DIRECTORY
TrustAttributes : WITHIN_FOREST
TrustDirection : Bidirectional
WhenCreated : 7/27/2020 2:06:07 AM
WhenChanged : 7/27/2020 2:06:07 AM
SourceName : INLANEFREIGHT.LOCAL
TargetName : freightlogistics.local
TrustType : WINDOWS_ACTIVE_DIRECTORY
TrustAttributes : FOREST_TRANSITIVE
TrustDirection : Bidirectional
WhenCreated : 7/28/2020 4:46:40 PM
WhenChanged : 7/28/2020 4:46:40 PM
We can use the function Get-DomainTrustMapping to enumerate all trusts for our current
domain and other reachable domains.
PS C:\htb> Get-DomainTrustMapping
SourceName : INLANEFREIGHT.LOCAL
TargetName : LOGISTICS.INLANEFREIGHT.LOCAL
TrustType : WINDOWS_ACTIVE_DIRECTORY
TrustAttributes : WITHIN_FOREST
TrustDirection : Bidirectional
WhenCreated : 7/27/2020 2:06:07 AM
WhenChanged : 7/27/2020 2:06:07 AM
SourceName : INLANEFREIGHT.LOCAL
TargetName : freightlogistics.local
TrustType : WINDOWS_ACTIVE_DIRECTORY
TrustAttributes : FOREST_TRANSITIVE
TrustDirection : Bidirectional
WhenCreated : 7/28/2020 4:46:40 PM
WhenChanged : 7/28/2020 4:46:40 PM
SourceName : freightlogistics.local
TargetName : INLANEFREIGHT.LOCAL
TrustType : WINDOWS_ACTIVE_DIRECTORY
TrustAttributes : FOREST_TRANSITIVE
TrustDirection : Bidirectional
WhenCreated : 7/28/2020 4:46:41 PM
WhenChanged : 7/28/2020 4:46:41 PM
SourceName : LOGISTICS.INLANEFREIGHT.LOCAL
TargetName : INLANEFREIGHT.LOCAL
TrustType : WINDOWS_ACTIVE_DIRECTORY
TrustAttributes : WITHIN_FOREST
TrustDirection : Bidirectional
WhenCreated : 7/27/2020 2:06:07 AM
WhenChanged : 7/27/2020 2:06:07 AM
Depending on the trust type, there are several attacks that we may be able to perform, such
as the ExtraSids attack to compromise a parent domain once the child domain has been
compromised, or cross-forest trust attacks such as Kerberoasting, ASREPRoasting,
and SID History abuse. Each of these attacks will be covered in depth in later modules.
Attacking Trusts
Organizations set up a trust for various reasons, e.g., ease of management, quickly "plugging
in" a new forest obtained through a merger & acquisition, enabling communications between
multiple branches of a company, etc. Managed service providers often set up trusts between
their domain and those of their clients to facilitate administration.
In all of these cases, Domain Trusts are set up to minimize the number of accounts required.
It is much easier to manage multiple domains when you can reference adjacent domains'
groups/users. If configured wrong, with lax permissions, etc., a trust relationship can be
attacked to further our access, compromising one or many domains in the process.
Furthermore, if we can compromise the child domain LOGISTICS.INLANEFREIGHT.LOCAL we
will be able to compromise the parent domain using the ExtraSids attack. This is possible
because the sidHistory property is respected due to a lack of "SID Filtering" protection.
Therefore, a user in a child domain with their sidHistory set to the Enterprise Admins
group (which only exists in the parent domain) is treated as a member of this group, which
allows for administrative access to the entire forest.
Our lab environment also shows a bidirectional forest trust between the
INLANEFREIGHT.LOCAL and freightlogistics.local forests, meaning that users from
either forest can authenticate across the trust and query any AD object within the partner
forest. Aside from attacks such as Kerberoasting and ASREPRoasting, we may also be
able to abuse SID History to compromise the trusting forest.
The SID history attribute is used in migration scenarios. If a user in one domain is
migrated to another domain, a new account is created in the second domain. The original
user's SID will be added to the new user's SID history attribute, ensuring that they can still
access resources in the original domain.
SID history is intended to work across domains but can actually work in the same domain.
Using Mimikatz, it is possible to perform SID history injection and add an administrator
account to the SID History attribute of an account that the attacker controls. When logging in with this
account, all of the SIDs associated with the account are added to the user's token.
This token is used to determine what resources the account can access. If the SID of a
Domain Admin account is added to the SID History attribute of this account, this account will
be able to perform DCSync and create golden tickets for further persistence.
This can also be abused across a forest trust. If a user is migrated from one forest to another
and SID Filtering is not enabled, it becomes possible to add a SID from the other forest, and
this SID will be added to the user's token when authenticating across the trust. If the SID of
an account having administrative privileges in Forest A is added to the SID history attribute
of an account in Forest B, assuming they can authenticate across the forest, this account will
have administrative privileges when accessing resources in the partner forest.
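A small defender-side audit of the trust properties discussed in this section (trust class per the table above, direction, SID filtering, selective authentication), written here as an added example rather than code from the module or from PowerView. It assumes input objects shaped like the built-in ActiveDirectory module's Get-ADTrust output and uses a constructed sample so it runs without a domain.

```powershell
# Added example, not part of this module or of PowerView. Input objects are assumed to be
# shaped like the ActiveDirectory module's Get-ADTrust output (Source, Target, IntraForest,
# ForestTransitive, Direction, SIDFilteringForestAware, SIDFilteringQuarantined,
# SelectiveAuthentication); the trust classes follow the table above.
function Get-TrustRiskReport {
    param([Parameter(Mandatory, ValueFromPipeline)] [object[]]$Trust)
    process {
        foreach ($t in $Trust) {
            $findings = @()
            if ($t.IntraForest)          { $kind = 'Within forest (parent-child / tree-root)' }
            elseif ($t.ForestTransitive) { $kind = 'Forest' }
            else                         { $kind = 'External' }
            # Forest trusts filter SIDs through "forest-aware" filtering; it is off once SID
            # history has been enabled on the trust, and cross-forest sidHistory is then honored.
            if ($t.ForestTransitive -and -not $t.SIDFilteringForestAware) {
                $findings += 'SID filtering disabled on forest trust: SID History abuse possible'
            }
            # External trusts are expected to carry the quarantine flag (TRUST_ATTRIBUTE_QUARANTINED_DOMAIN).
            if (-not $t.IntraForest -and -not $t.ForestTransitive -and -not $t.SIDFilteringQuarantined) {
                $findings += 'SID filtering (quarantine) disabled on external trust'
            }
            if ($t.Direction -eq 'BiDirectional' -and -not $t.IntraForest) {
                $findings += 'Bidirectional: partner-forest users can authenticate and enumerate here'
            }
            if (-not $t.IntraForest -and -not $t.SelectiveAuthentication) {
                $findings += 'Selective authentication not enforced'
            }
            [pscustomobject]@{
                Source = $t.Source; Target = $t.Target; Kind = $kind
                Direction = $t.Direction; Findings = ($findings -join '; ')
            }
        }
    }
}

# Constructed sample mirroring the two lab trusts shown above; the forest trust is given
# SIDFilteringForestAware = $false purely to illustrate that finding.
$sample = @(
    [pscustomobject]@{ Source = 'INLANEFREIGHT.LOCAL'; Target = 'LOGISTICS.INLANEFREIGHT.LOCAL'
        IntraForest = $true;  ForestTransitive = $false; Direction = 'BiDirectional'
        SIDFilteringForestAware = $true;  SIDFilteringQuarantined = $false; SelectiveAuthentication = $false }
    [pscustomobject]@{ Source = 'INLANEFREIGHT.LOCAL'; Target = 'freightlogistics.local'
        IntraForest = $false; ForestTransitive = $true;  Direction = 'BiDirectional'
        SIDFilteringForestAware = $false; SIDFilteringQuarantined = $false; SelectiveAuthentication = $false }
)
$sample | Get-TrustRiskReport | Format-List
# Against a live domain (RSAT ActiveDirectory module): Get-ADTrust -Filter * | Get-TrustRiskReport
```

Compare the findings with the TrustAttributes and TrustDirection columns from Get-DomainTrustMapping; the two views should agree on direction and trust class, and any SID filtering finding is what makes the SID History scenario above possible.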
Another common way to cross trust boundaries is by leveraging password re-use. Let's say
we compromise the INLANEFREIGHT.LOCAL forest and find a user account named
BSIMMONS_ADM that also exists in the freightlogistics.local forest. There is a good
chance that this administrator re-uses their password across environments. Also, it is always
worth checking for foreign users/foreign group membership. We may find accounts
belonging to administrative (or non-administrative) groups in Forest A that are actually part of
Forest B and can be used to gain a foothold in the partner forest.
Wrapping Up
We have now seen how PowerView and SharpView can be used to enumerate standard
AD objects such as users, computers, and groups, as well as more complex relationships
such as ACLs. The tools can be used to inform a variety of AD attacks, enumerate
accessible file shares, find local admin access, find logged-in users, and more. The skills
assessment that follows will test the application of the skills taught throughout this module.
The INLANEFREIGHT organization has contracted your firm to perform an Active Directory
security assessment. Use the PowerView and SharpView tools to perform targeted
enumeration of the client's domain environment.
Connect to the target host and perform the enumeration tasks listed below to complete this
module.