Methodology
  • 😃Welcome
    • Bullet Proof Strategy
    • 👁️Enumeration
      • 👁️‍🗨️👁🗨 Enumeration Cheatsheet
      • SNMP Enumeration
      • IRC Enumeration
      • LDAP Enumeration
      • RPC Enumeration
      • DNS Enumeration
      • Rsync Enumeration
      • IDENT Enumeration
      • SMB Enumeration
        • Copy of SMBPass Change
      • Web Enumeration
        • Methodology
        • Enumerating Patterns Trick
      • Kerberos Enumeration
    • 👺Exploitation
      • Passwords Attacks
        • Decrypting VNC passwords
        • Decrypting Jenkins passwords
        • MongoDB Decryption
      • Web Applications
        • My little cheatsheet
        • Login Portal Strat
        • SQL injection
        • Local File Inclusion
        • WebDav
        • Wordpress
        • phpmyadmin
        • Bypassing Proxies
        • Node.Js Command Injection
        • Weak Cookies and Parameters
        • PHP Web Shells
        • Code Injection
        • Werkzeug
        • Collection of Vulnerable Apps
          • RaspAP 2.5 Authenticated RCE
          • ZenPhoto 1.4.1.4 RCE
          • Sonatype Nexus 3.21.1
          • Argus Surveillance DVR 4.0
          • SmarterMail + .Net Remote
          • H2 Web Console
          • Exhibitor for Zookeper (Exhibitor Web)
          • Subrion 4.2.1
          • RestStack API 3100
          • Kibana 5.6.15 < 6.6.1
          • Authenticated NodeBB Plugin Emoji 3.2.1
        • Discovering Hidden Parameters
        • 🕴️Jenkins
      • Vulnerable Services
        • Authenticated MSSQL Shell
        • Authenticated PostgresSQL
        • Authenticated MongoDB
        • ClamAV - Milter 0.91.2
        • Unreal Tournament 99
        • MS17-10 Eternal Blue
        • REDIS Exploitation
        • OpenSMTPD < 6.6.2
        • James Adminitrator Remoting 2.3.2
      • Client Side Attacks
        • .ODT File Macros
      • Evil-WinRM
      • Methodology
      • Reversing
        • .net binaries
      • Enumerating Firewall
    • 👽Privilege Escalation
      • Windows
        • Enumeration
        • Enumerate Permissions on Folders and Binaries
          • Insecure File Permissions
          • Modifiable Binary Path
          • Unquoted Service Path
        • Meterpreter Session Injection /Migration
        • ⏲️Scheduled Apps (CronJobs)
        • 🥔Impersonation Attacks
        • 🗒️DLL Hijacking
        • Passwords
          • Runas
            • Runas but Powershell
          • Autologon Credentials
        • AlwaysInstallElevated
        • Windows XP SP0/SP1
        • W10 Version 1803
        • Windows Vista x86 SP1
        • 👻SMB Ghost
        • Local Service / Network Service Users
        • Dangerous Privileges
          • SeLoadDriver Privilege
          • SeRestore Privilege
          • 🥔SeImpersonatePrivilege
          • SeBackUp Privilege
        • Bypassing AV
        • Port Forwarding to access Internal services
        • Start Up Apps
        • Other Users
        • Resources
        • M16-032
        • Upgrading Powershell to Meterpreter
      • Linux
        • Enumerating SUID binaries
          • Find SUID
          • CP SUID
          • dosbox SUID
          • start-stop-daemon SUID
          • gcore SUID
        • Fail2Ban Group
        • Upgrading TTY Shells
        • Git Repository
        • Escaping RBASH
        • Docker
        • Init, Init.d , systemd
        • Shared Objects .so Hijacking
        • Sudo Version - CVE 2021-4034
        • Tar Wilcard Injection
        • Tips to become root
        • Python based applications escalation
        • Internal Services
          • mySQL
            • MySQL User Defined Function
        • Writable Passwd
        • Exiftool Priv Esc
        • Glusterd + Docker Container Breakout
        • choom
        • Slack
      • File Transfer Methods
        • Windows
        • Linux
      • Pivoting
    • 💀Elevated Post Exploitation
    • 🟦Active Directory
      • Attack Vectors
        • LLMNR Poisoning
        • ASREPRoast
        • Spraying
          • SMBPass Change
        • Building Userbase
        • NTLM Relay Attack
        • IPv6 Takeover
      • Post Exploitation - Enumeration
        • Bloodhound
        • Enumeration - Powerview
      • Exploitation
        • Kerberoasting
        • GMSA Password Read
        • Account Operators
        • WriteDACL over DCSync
        • GenericWrite GPO
        • PS-Remoting
        • LAPS Password Read
        • Abusing ACLs
          • GenericWrite/GenericAll/AllExtendedRights over Users
        • Groups.xml
        • Azure AD Sync Dump
        • AD Recycle Bin Group
        • Get-ChangesAll
        • WriteOwner Over Domain Admins
        • Allowed to Delegate To:
        • Force Change Password
      • Resources
    • 😎Walkthroughs
      • 🪨Proving Grounds
      • 📗Hack The Box
        • Windows
        • Linux
    • Cert Pictures :)
    • 🐍Python Lessons
      • Jenkins Script Groovy Console Exploit in Python
      • Kerbrute Automation
    • 🐚Bash Lessons
    • C# Programming
      • Process Injection Code
Powered by GitBook
On this page
  • User Enumeration
  • Enumerating Groups
  • Enumerating Group Policy Objects
  • Enumerating ACLs
  • Enumerating Computers
  1. Welcome
  2. Active Directory
  3. Post Exploitation - Enumeration

Enumeration - Powerview

This is after loading Poweview into the machine.

Some terms so you dont forget:

GPO: A Group Policy Object (GPO) is a group of settings that are created using the Microsoft Management Console (MMC) Group Policy Editor. GPOs can be associated with a single or numerous Active Directory containers, including sites, domains, or organizational units (OUs). The MMC allows users to create GPOs that define registry-based policies, security options, software installation and much more.

OU: organizational units so basically groups that belong to an organization.

ACLs: In Active Directory, access control lists are tables, or simple lists, that define the trustees who have access to the object in question, and also what type of access they have.

User Enumeration

get-netuser
commands | select <parameter>

Enumerating samaccount names 

get-netuser | select -expandproperty samaccountname

Enumerating Descriptions

find-userfield -SearchField description "password"
find-userfield -SearchField description "pass"

This could be passwords or tasks.

Enumerating Groups

net-group

Look for weird ones in the bottom.

If we want to look specifically for a certain user and what part of a group that person is in.

get-netgroup -UserName "<user we want to enumerate>"

Enumerating Group Itself

get-netgroup -GroupName "Group Name" -FullData

Enumerating Group Policy Objects

get-netgpo

Look to see exploitable ones.

Enumerating ACLs

get-objectacl -SamAccountName "group name" -ResolveGUIDs

Look for GENERIC WRITE and Generic ALL for weird ones.

Take a look at this, you see how the mayorsec\Sales group has complete GenericALL on the ACL that affects the Engineering group. This means that if we are indeed part of the sales group, we could do multiple things to abuse those ACLs.

net group sales /domain

We see the memners of this said group who has write access to the Engineering Group.

Now notice that this user was able to add and delete users from that group.

So we could possibly abuse this to add ourselves to groups who have higher access than ours.

Enumerating Computers

get-netcomputer
PreviousBloodhoundNextExploitation

Last updated 2 years ago

😃
🟦