Enumeration through PowerShell
PowerShell
PowerShell is Microsoft's successor to Command Prompt, first released in 2006. While PowerShell can do everything Command Prompt can, it also provides access to cmdlets (pronounced command-lets), which are .NET classes that perform specific functions. We can write our own, much as the creators of PowerView did, but we can already get very far with the built-in ones.
Since we installed the AD-RSAT tooling in Task 3, the ActiveDirectory PowerShell module and its cmdlets were installed along with it. The module contains 50+ cmdlets. We will be looking at some of these, but refer to Microsoft's documentation for the ActiveDirectory module for the complete list.
Using our SSH terminal, we can upgrade it to a PowerShell terminal using the following command: powershell
Users
We can use the Get-ADUser cmdlet to enumerate AD users:
PS C:\> Get-ADUser -Identity gordon.stevens -Server za.tryhackme.com -Properties *
AccountExpirationDate :
accountExpires : 9223372036854775807
AccountLockoutTime :
[...]
Deleted :
Department : Consulting
Description :
DisplayName : Gordon Stevens
DistinguishedName : CN=gordon.stevens,OU=Consulting,OU=People,DC=za,DC=tryhackme,DC=com
[...]
The parameters are used for the following:
- -Identity - The account name that we are enumerating
- -Properties - Which properties associated with the account will be shown, * will show all properties
- -Server - Since we are not domain-joined, we have to use this parameter to point it to our domain controller
For most of these cmdlets, we can also use the -Filter parameter for finer control over what is enumerated, and pipe the results to the Format-Table cmdlet to display them neatly, as in the following example:
PS C:\> Get-ADUser -Filter 'Name -like "*stevens"' -Server za.tryhackme.com | Format-Table Name,SamAccountName -A
Name SamAccountName
---- --------------
chloe.stevens chloe.stevens
samantha.stevens samantha.stevens
[...]
janice.stevens janice.stevens
gordon.stevens gordon.stevens
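The queries above look up one user at a time. In practice we want to pull out the accounts that matter for the next phase of the engagement in a single pass. The script below is an added example and not part of the original room: it keeps the same domain and -Server convention, and the filters and calculated columns are assumptions chosen for illustration (the lab may return different accounts than the ones described in the comments).

```powershell
# Added example (not from the original room): targeted user enumeration with the
# ActiveDirectory (AD-RSAT) module from a non-domain-joined host, so every call
# passes -Server explicitly. Filters below are assumptions chosen for illustration.
$Server = 'za.tryhackme.com'

# Confirm the module is loaded and see what is available locally.
Get-Command -Module ActiveDirectory | Measure-Object | Select-Object Count

# 1. Enabled accounts whose password never expires: long-lived credentials worth noting.
Get-ADUser -Server $Server -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $true } `
    -Properties PasswordLastSet, PasswordNeverExpires |
    Select-Object SamAccountName, PasswordLastSet |
    Sort-Object PasswordLastSet |
    Format-Table -AutoSize

# 2. Accounts with a ServicePrincipalName set: the Kerberoasting candidates.
#    MemberOf is shown as group CNs so that privileged service accounts stand out.
Get-ADUser -Server $Server -Filter { ServicePrincipalName -like '*' } `
    -Properties ServicePrincipalName, MemberOf |
    Select-Object SamAccountName,
        @{ Name = 'SPNs';   Expression = { $_.ServicePrincipalName -join '; ' } },
        @{ Name = 'Groups'; Expression = { ($_.MemberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ', ' } } |
    Format-Table -Wrap -AutoSize

# 3. The Description attribute is a classic place to find passwords left by admins.
Get-ADUser -Server $Server -Filter { Description -like '*pass*' } -Properties Description |
    Select-Object SamAccountName, Description |
    Format-Table -Wrap

# 4. The same kind of query expressed as raw LDAP instead of the PowerShell filter
#    language. The matching rule 1.2.840.113556.1.4.803 is a bitwise AND, and
#    userAccountControl bit 0x400000 (4194304) is DONT_REQ_PREAUTH, i.e. the
#    AS-REP roasting candidates.
Get-ADUser -Server $Server -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=4194304)' |
    Select-Object SamAccountName, DistinguishedName |
    Format-Table -AutoSize
```

-Filter uses the AD module's own filter syntax (it is not a PowerShell expression, even when written as a script block), so only the comparison operators the module supports will work; -LDAPFilter takes a standard LDAP search filter and is the better choice for bit-flag attributes such as userAccountControl. Both run as LDAP queries against the domain controller, so each of these is visible in the DC's LDAP logs if the blue team collects them.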
Groups
We can use the Get-ADGroup cmdlet to enumerate AD groups:
PS C:\> Get-ADGroup -Identity Administrators -Server za.tryhackme.com
DistinguishedName : CN=Administrators,CN=Builtin,DC=za,DC=tryhackme,DC=com
GroupCategory : Security
GroupScope : DomainLocal
Name : Administrators
ObjectClass : group
ObjectGUID : f4d1cbcd-4a6f-4531-8550-0394c3273c4f
SamAccountName : Administrators
SID : S-1-5-32-544
We can also enumerate group membership using the Get-ADGroupMember cmdlet:
PS C:\> Get-ADGroupMember -Identity Administrators -Server za.tryhackme.com
distinguishedName : CN=Domain Admins,CN=Users,DC=za,DC=tryhackme,DC=com
name : Domain Admins
objectClass : group
objectGUID : 8a6186e5-e20f-4f13-b1b0-067f3326f67c
SamAccountName : Domain Admins
SID : S-1-5-21-3330634377-1326264276-632209373-512
[...]
distinguishedName : CN=Administrator,CN=Users,DC=za,DC=tryhackme,DC=com
name : Administrator
objectClass : user
objectGUID : b10fe384-bcce-450b-85c8-218e3c79b30f
SamAccountName : Administrator
SID : S-1-5-21-3330634377-1326264276-632209373-500
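The output above shows that Domain Admins is itself a member of Administrators, so listing direct members only tells part of the story: the accounts that actually hold the privilege sit inside nested groups. The following script is an added example that is not part of the original room. It assumes the same lab domain, that the current credentials can read group membership (any authenticated user can by default), and it uses gordon.stevens from the earlier example as the user to check; the group list is the author's choice.

```powershell
# Added example (not from the original room): flatten nested membership of the
# sensitive groups and answer the reverse question for a single user.
$Server = 'za.tryhackme.com'

# Identity accepts a SID, DN or SamAccountName. Using SIDs for the well-known RIDs
# keeps this working on a localised domain where group names differ.
$DomainSid = (Get-ADDomain -Server $Server).DomainSID.Value
$Targets = @(
    'S-1-5-32-544',        # BUILTIN\Administrators
    "$DomainSid-512",      # Domain Admins
    "$DomainSid-519",      # Enterprise Admins (exists only in the forest root domain)
    'Account Operators',
    'Server Operators',
    'Backup Operators'
)

foreach ($Target in $Targets) {
    $Group = Get-ADGroup -Server $Server -Identity $Target -ErrorAction SilentlyContinue
    if (-not $Group) { continue }   # e.g. Enterprise Admins is absent in a child domain

    # -Recursive expands nested groups and returns only the leaf principals
    # (users and computers), which is the set that effectively holds the privilege.
    $Members = Get-ADGroupMember -Server $Server -Identity $Group -Recursive

    "{0} ({1}): {2} effective member(s)" -f $Group.Name, $Group.SID, @($Members).Count
    $Members |
        Select-Object objectClass, SamAccountName, distinguishedName |
        Sort-Object objectClass, SamAccountName |
        Format-Table -AutoSize
}

# Reverse question: which groups is this user effectively in, nested ones included?
# Get-ADPrincipalGroupMembership only returns direct membership, so instead read the
# constructed tokenGroups attribute, which the DC has already flattened for us.
$User = Get-ADUser -Server $Server -Identity 'gordon.stevens' -Properties tokenGroups
$User.tokenGroups |
    ForEach-Object { Get-ADGroup -Server $Server -Identity $_.Value -ErrorAction SilentlyContinue } |
    Select-Object Name, GroupScope, SID |
    Sort-Object Name |
    Format-Table -AutoSize
```

Get-ADGroupMember -Recursive asks the domain controller to do the expansion, so on very large groups it can fail with a size-limit error; in that case walk the nested groups yourself with repeated Get-ADGroupMember calls. The tokenGroups route avoids that problem for the per-user view because the DC computes the flattened SID list for the object directly.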
AD Objects
A more generic search for any AD objects can be performed using the Get-ADObject cmdlet. For example, if we are looking for all AD objects that were changed after a specific date:
PS C:\> $ChangeDate = New-Object DateTime(2022, 02, 28, 12, 00, 00)
PS C:\> Get-ADObject -Filter 'whenChanged -gt $ChangeDate' -includeDeletedObjects -Server za.tryhackme.com
Deleted :
DistinguishedName : DC=za,DC=tryhackme,DC=com
Name : za
ObjectClass : domainDNS
ObjectGUID : 518ee1e7-f427-4e91-a081-bb75e655ce7a
Deleted :
DistinguishedName : CN=Administrator,CN=Users,DC=za,DC=tryhackme,DC=com
Name : Administrator
ObjectClass : user
ObjectGUID : b10fe384-bcce-450b-85c8-218e3c79b30f
If we wanted to, for example, perform a password spraying attack without locking out accounts, we can use Get-ADObject to enumerate accounts whose badPwdCount is already greater than 0 and leave those out of the attack:
PS C:\> Get-ADObject -Filter 'badPwdCount -gt 0' -Server za.tryhackme.com
PS C:\>
This only returns results if one of the users in the network has recently mistyped their password. Two caveats matter when relying on it: badPwdCount is not replicated, so each domain controller keeps its own counter (bad attempts are forwarded to the PDC emulator, which is therefore the only DC with a domain-wide view), and the counter resets to 0 once the lockout observation window has elapsed since the last bad attempt. Query the PDC emulator and compare the value against the domain's lockout threshold rather than only excluding accounts above 0.
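The script below is an added example, not part of the original room, that turns the badPwdCount idea into a spray-safe target list: it reads the lockout policy, queries the PDC emulator rather than an arbitrary DC, and keeps a margin below the threshold. It assumes the same lab domain; the one-attempt safety margin and the column names are the author's assumptions.

```powershell
# Added example (not from the original room): build a password-spray candidate list
# that respects the domain lockout policy. Thresholds are assumptions for illustration.
$Server = 'za.tryhackme.com'

# badPwdCount is not replicated: every DC keeps its own counter and forwards failures
# to the PDC emulator, so that is the only DC with a domain-wide view.
$Pdc = (Get-ADDomain -Server $Server).PDCEmulator

# Lockout settings live in the default domain password policy. A threshold of 0 means
# lockout is disabled; otherwise badPwdCount resets after LockoutObservationWindow.
$Policy    = Get-ADDefaultDomainPasswordPolicy -Server $Pdc
$Threshold = $Policy.LockoutThreshold
"Lockout threshold: {0}, observation window: {1}, lockout duration: {2}" -f `
    $Threshold, $Policy.LockoutObservationWindow, $Policy.LockoutDuration

# Fine-grained password policies (PSOs) override the domain policy per user or group.
# By default only administrators can read PSOs, so an empty result does not prove
# there are none; Get-ADUserResultantPasswordPolicy shows the effective policy per user.
$Psos = Get-ADFineGrainedPasswordPolicy -Server $Pdc -Filter *
if ($Psos) { "Fine-grained policies present: " + (($Psos | ForEach-Object Name) -join ', ') }

# Keep a safety margin of one attempt below the lockout threshold (assumption).
$SafeAttempts = if ($Threshold -eq 0) { [int]::MaxValue } else { $Threshold - 1 }

$Candidates = Get-ADUser -Server $Pdc -Filter { Enabled -eq $true } `
        -Properties badPwdCount, badPasswordTime, LockedOut, PasswordExpired |
    Where-Object {
        -not $_.LockedOut -and
        -not $_.PasswordExpired -and
        $_.badPwdCount -lt $SafeAttempts
    } |
    Select-Object SamAccountName, badPwdCount,
        @{ Name = 'LastBadPassword'; Expression = { if ($_.badPasswordTime) { [DateTime]::FromFileTime($_.badPasswordTime) } } },
        @{ Name = 'AttemptsLeft';    Expression = { $SafeAttempts - $_.badPwdCount } }

$Candidates | Sort-Object AttemptsLeft | Format-Table -AutoSize
"{0} spray candidate(s)" -f @($Candidates).Count

# Accounts to leave alone this round: anything with one attempt or fewer remaining.
$Candidates | Where-Object AttemptsLeft -le 1 | ForEach-Object { "SKIP: " + $_.SamAccountName }
```

Re-run the query between spray rounds: badPasswordTime tells you when the observation window started for each account, so you can tell which counters have already reset and which are still live. With a threshold of 0 the list contains every enabled account, but that should be confirmed against any PSO before assuming lockout is genuinely off.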
Domains
We can use Get-ADDomain to retrieve additional information about the specific domain:
PS C:\> Get-ADDomain -Server za.tryhackme.com
AllowedDNSSuffixes : {}
ChildDomains : {}
ComputersContainer : CN=Computers,DC=za,DC=tryhackme,DC=com
DeletedObjectsContainer : CN=Deleted Objects,DC=za,DC=tryhackme,DC=com
DistinguishedName : DC=za,DC=tryhackme,DC=com
DNSRoot : za.tryhackme.com
DomainControllersContainer : OU=Domain Controllers,DC=za,DC=tryhackme,DC=com
[...]
UsersContainer : CN=Users,DC=za,DC=tryhackme,DC=com
Altering AD Objects
The great thing about the AD-RSAT cmdlets is that some of them also allow you to create new AD objects or alter existing ones. However, our focus for this network is enumeration. Creating or altering objects is AD exploitation, which is covered later in the AD module.
We will nevertheless show one example: changing the password of our own AD user with the Set-ADAccountPassword cmdlet. Because we supply -OldPassword, this is an ordinary password change rather than an administrative reset (the -Reset parameter), so it requires nothing beyond knowing the account's current password:
PS C:\> Set-ADAccountPassword -Identity gordon.stevens -Server za.tryhackme.com -OldPassword (ConvertTo-SecureString -AsPlaintext "old" -force) -NewPassword (ConvertTo-SecureString -AsPlainText "new" -Force)
Remember to change the identity value and password for the account you were provided with for enumeration on the distributor webpage in Task 1.
Benefits
- The PowerShell cmdlets can enumerate significantly more information than the net commands from Command Prompt.
- Because the cmdlets accept a -Server parameter, we can run them from a non-domain-joined machine, supplying domain credentials with runas.
- We can create our own cmdlets to enumerate specific information.
- We can use the AD-RSAT cmdlets to directly change AD objects, such as resetting passwords or adding a user to a specific group.
Drawbacks
- PowerShell is usually monitored far more closely by blue teams than Command Prompt: script block logging, module logging, transcription and AMSI can all capture what we run.
- We have to install the AD-RSAT tooling or use other, potentially detectable, scripts for PowerShell enumeration.