Enumeration through Command Prompt
Command Prompt
There are times when you just need to perform a quick and dirty AD lookup, and Command Prompt has your back. Good ol' reliable CMD is handy when you perhaps don't have RDP access to a system, defenders are monitoring for PowerShell use, and you need to perform your AD Enumeration through a Remote Access Trojan (RAT). It can even be helpful to embed a couple of simple AD enumeration commands in your phishing payload to help you gain the vital information that can help you stage the final attack.
CMD has a built-in command that we can use to enumerate information about AD, namely net. The net command is a handy tool to enumerate information about the local system and AD. We will look at a couple of interesting things we can enumerate from this position, but this is not an exhaustive list.
Note: For this task you will have to use THMJMP1 and won't be able to use your own Windows VM. This will be explained in the drawbacks.
Users
We can use the net command to list all users in the AD domain by using the user sub-option:
C:\>net user /domain
The request will be processed at a domain controller for domain za.tryhackme.com
User accounts for \\THMDC
-------------------------------------------------------------------------------
aaron.conway aaron.hancock aaron.harris
aaron.johnson aaron.lewis aaron.moore
aaron.patel aaron.smith abbie.joyce
abbie.robertson abbie.taylor abbie.walker
abdul.akhtar abdul.bates abdul.holt
abdul.jones abdul.wall abdul.west
abdul.wilson abigail.cox abigail.cox1
abigail.smith abigail.ward abigail.wheeler
[....]
The command completed successfully.This will return all AD users for us and can be helpful in determining the size of the domain to stage further attacks. We can also use this sub-option to enumerate more detailed information about a single user account:
C:\>net user zoe.marshall /domain
The request will be processed at a domain controller for domain za.tryhackme.com
User name zoe.marshall
Full Name Zoe Marshall
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 2/24/2022 10:06:06 PM
Password expires Never
Password changeable 2/24/2022 10:06:06 PM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon Never
Logon hours allowed All
Local Group Memberships
Global Group memberships *Domain Users *Internet Access
The command completed successfully.Note: If the user is only part of a small number of AD groups, this command will be able to show us group memberships. However, usually, after more than ten group memberships, the command will fail to list them all.
Groups
We can use the net command to enumerate the groups of the domain by using the group sub-option:
C:\>net group /domain
The request will be processed at a domain controller for domain za.tryhackme.com
Group Accounts for \\THMDC
-------------------------------------------------------------------------------
*Cloneable Domain Controllers
*DnsUpdateProxy
*Domain Admins
*Domain Computers
*Domain Controllers
*Domain Guests
*Domain Users
[...]
*Schema Admins
*Server Admins
*Tier 0 Admins
*Tier 1 Admins
*Tier 2 Admins
The command completed successfully.This information can help us find specific groups to target for goal execution. We could also enumerate more details such as membership to a group by specifying the group in the same command:
C:\>net group "Tier 1 Admins" /domain
The request will be processed at a domain controller for domain za.tryhackme.com
Group name Tier 1 Admins
Comment
Members
-------------------------------------------------------------------------------
t1_arthur.tyler t1_gary.moss t1_henry.miller
t1_jill.wallis t1_joel.stephenson t1_marian.yates
t1_rosie.bryant
The command completed successfully.Password Policy
We can use the net command to enumerate the password policy of the domain by using the accounts sub-option:
C:\>net accounts /domain
The request will be processed at a domain controller for domain za.tryhackme.com
Force user logoff how long after time expires?: Never
Minimum password age (days): 0
Maximum password age (days): Unlimited
Minimum password length: 0
Length of password history maintained: None
Lockout threshold: Never
Lockout duration (minutes): 30
Lockout observation window (minutes): 30
Computer role: PRIMARY
The command completed successfully.
This will provide us with helpful information such as:
- Length of password history kept. Meaning how many unique passwords must the user provide before they can reuse an old password.
- The lockout threshold for incorrect password attempts and for how long the account will be locked.
- The minimum length of the password.
- The maximum age that passwords are allowed to reach indicating if passwords have to be rotated at a regular interval.
This information can benefit us if we want to stage additional password spraying attacks against the other user accounts that we have now enumerated. It can help us better guess what single passwords we should use in the attack and how many attacks can we run before we risk locking accounts. However, it should be noted that if we perform a blind password spraying attack, we may lock out accounts anyway since we did not check to determine how many attempts that specific account had left before being locked.
You can find the full range of options associated with the net command here. Play around with these net commands to gather information about specific users and groups.
Benefits
- No additional or external tooling is required, and these simple commands are often not monitored for by the Blue team.
- We do not need a GUI to do this enumeration.
- VBScript and other macro languages that are often used for phishing payloads support these commands natively so they can be used to enumerate initial information regarding the AD domain before more specific payloads are crafted.
Drawbacks
- The
netcommands must be executed from a domain-joined machine. If the machine is not domain-joined, it will default to the WORKGROUP domain. - The
netcommands may not show all information. For example, if a user is a member of more than ten groups, not all of these groups will be shown in the output.