mirror of
https://github.com/AbdullahRizwan101/CTF-Writeups
synced 2024-11-24 21:03:07 +00:00
Add files via upload
This commit is contained in:
parent
6844389cc2
commit
394a6629aa
7 changed files with 437 additions and 0 deletions
21
Active Directory/Domain Enumeration/Domain enumeration.md
Normal file
@ -0,0 +1,21 @@
# Domain Enumeration - Bloodhound

Bloodhound is useful for gathering AD entities , relationships , it uses graph theory for providing the capability of mapping shortest path for interesting thing , it can find interesting things like `Domain Admins` , it has built-in queries.

https://github.com/BloodHoundAD/BloodHound

## Sharphound

https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/SharpHound.ps1

### Generate archive

```
Invoke-BloodHound -CollectionMethod All
```

### Avoiding detection form Advanced Threat Analytics (ATA)
```
Invoke-BloodHound -CollectionMethod All -ExcludeDC
```

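Review bot: the last heading reads "form" where "from" is meant, and the section overstates what `-ExcludeDC` buys you. In the SharpHound.ps1 collector that switch only skips domain controllers during session and local-group enumeration (the host-to-host traffic ATA tends to flag); the LDAP collection that `-CollectionMethod All` performs still goes to a DC, so it is not "avoiding detection" in general. Suggest a heading like "Reducing ATA noise" plus one sentence on what is and is not excluded. The "Generate archive" section would also read better with the two steps it skips: `Invoke-BloodHound` only exists after the script is loaded (`. .\SharpHound.ps1`), and the zip it writes is what gets imported into the BloodHound GUI.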
180
Active Directory/Enumeration/1-Doman,Group,Users.md
Normal file
@ -0,0 +1,180 @@
# Domain Enumeration

`$ADClass=[System.DirectoryServices.ActiveDirectoy.Domain]`

`$ADClass::GetCurrentDomain()`

We can use modules like `PowerView` or `ADModule`

https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1

https://github.com/samratashok/ADModule


## PowerView Commands

### Get current domain

`Get-NetDomain`

### Get Object of another domain

`Get-NetDomain -Domain <domainname>`

### Get Domain SID for current domain

`Get-DomainSID`

### Get Domain Controller for current domain
`Get-NetDomainController`

### Get Domain Controllers for another domain

`Get=NetDomainController -Domain <domain_name>`

### Get Domain Policy for current domain

```
Get-DomainPolicy`
(Get-DomainPolicy)."system access"
(Get-DomainPolicy)."Kerberos Policy"
```

### Get Domain Policy for another domain

`(Get-DomainPolicy -domain <domainname>). "system access"`

### Get a list of users in the current domain

```
Get-NetUser
Get-NetUser -Username <user>
Get-NetUser | select cn
```

### Get list of all properites for users in current domain

```
Get-UserProperty
Get-UserProperty -Properties pwdlastset
Get-UserProperty -Properties logoncount (user is either not active or it's just a decoy user so we should avoid enumerating these users)
```

### Search for a particular string in a user's attribute

`Find-UserField -SearchField Description -SearchTerm "built"`

### Get list of computers in current domain

```
Get-NetComputer
Get-NetComputer -OperatingSystem "*Server 2016"
Get-NetComputer -Ping
Get-NetComputer -FullData
```

### Get all groups in current domain

```
Get-NetGroup
Get-NetGroup -Domain <targetdomain>
Get-NetGroup -FullData

```

### Get all group containing the word "admin"
```
Get-NetGroup "admin"
Get-NetGroup "admin" -Domain <domainname>
```

### Get all members of Domain Admins group for current domain

```
Get-NetGroupMember -GroupName "Enterprise Admins"
Get-NetGroupMember -GroupName "Domain Admins"
Get-NetGroupMember -GroupName "Administartors"
```

### Get all members of Domain Admins group for all domains
```
Get-NetGroupMember -GroupName "Administartors" -Recurse
```


### Get the group membership of a user

```
Get-NetGroup -Username "<username>"
```


## AD Module

Use the psd1 file for AD module

### Get current domain

`Get-ADDomain`

### Get Object of another domain

`Get-ADDomain -Identity <domainname>`

### Get Domain SID for current domain

`(Get-ADDomain).DomainSID`

### Get Domain Controller for current domain
`Get-ADDomainController`

### Get Domain Controllers for another domain

`Get-ADDomainController -DomainName <domainname> -Discover`

### Get a list of users in the current domain
`Get-ADUser -Filter * -Properties *`
`Get-ADUser -Identity <user> -Properties *`

### Get list of all properties for users in the current domain
`Get-ADUser -Filter * -Properties * | select -First 1 | Get-Member -MemberType * Property | select Name`

`Get-ADUser -Filter * -Properties * | select name ,@(expression*`

### Search for a particular string in a user's attribute

`Get-ADUser-Filter 'Description' -like "*built"' -Properties Description | select name,Description`

### Get list of computers in current domain

`Get-ADComputer -Filter * | select Name`

`Get-ADComputer -Filter 'OperatingSystem -like "*Server 2016*"' -Properties OperatingSystem | select Name,OperatingSystem`

`Get-ADComputer -Filter * -Properties DNSHostName | %{Test - Connection -Count 1 -ComputerNmae $_ DNSHostName)`

`Get-ADComputer -Filter * -Properties *`

### Get all groups in current domain

```
Get-ADGroup -Filter * | select Name
Get-ADGroup -Filter * -Properties
```

### Get all groups containing word "admin" in group name
```
Get-ADGroup -Filter 'Name -like "*admin" | select Name
```

### Get all members of Domain Admins group

```
Get-ADGroupMember - Identity "Domain Admins" -Recursive
```

### Get the group membership of a user

```
Get-ADPrincipalGroupMembership -Identity <username>
```
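Review bot: a good share of the commands in this hunk fail as typed, so please fix them before this is used as a cheat sheet. In the PowerView half: the type literal `[System.DirectoryServices.ActiveDirectoy.Domain]` misspells the namespace (`ActiveDirectory`); `Get=NetDomainController -Domain <domain_name>` has `=` for `-`; the fenced block under "Get Domain Policy for current domain" carries a stray backtick after `Get-DomainPolicy`; `"Administartors"` appears twice for `"Administrators"`; and the heading "Get all members of Domain Admins group for all domains" describes `-Recurse`, which expands nested group membership and has nothing to do with other domains. In the AD-module half: `Get-Member -MemberType * Property` needs `*Property` without the space; `Get-ADUser-Filter 'Description' -like "*built"'` should be `Get-ADUser -Filter 'Description -like "*built*"'`; `%{Test - Connection -Count 1 -ComputerNmae $_ DNSHostName)` should be `%{Test-Connection -Count 1 -ComputerName $_.DNSHostName}`; `Get-ADGroup -Filter * -Properties` is missing the `*` argument; `'Name -like "*admin"` is missing its closing single quote; and `Get-ADGroupMember - Identity` has a space inside the parameter name. `select name ,@(expression*` is cut off mid-expression and should either be completed or dropped. Finally, "Use the psd1 file for AD module" gives no command; the ADModule README imports `Microsoft.ActiveDirectory.Management.dll` and then `ActiveDirectory\ActiveDirectory.psd1`, and one line showing that would make the section usable on a host without RSAT.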
21
Active Directory/Enumeration/2- File servers , shares.md
Normal file
@ -0,0 +1,21 @@
# Domain Enumeration finding file servers and shares on hosts

## PowerView commands

### Find shares on hosts in current domain

```
Invoke-ShareFinder -verbose
```

### Find sensitive files on computers in the domain

```
Invoke-FileFinder -Verbose
```

### Get all fileservers of the domain
```
Get-NetFileServer
```

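Review bot: the three commands are listed without saying what they touch. `Invoke-ShareFinder` and `Invoke-FileFinder` both take the host list from the DC via `Get-NetComputer` and then connect to every host in it, which is exactly the pattern the user-hunting file in this commit warns about; a sentence noting that, and that `Invoke-ShareFinder -CheckShareAccess` limits output to shares the current user can actually read, would help a reader decide when to run them. `Get-NetFileServer`, by contrast, only reads user attributes (home/profile/script paths) from the DC and is the quiet option, which is worth stating. Cosmetic: `-verbose` and `-Verbose` are both used; pick one.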
63
Active Directory/Enumeration/3-GPO.md
Normal file
@ -0,0 +1,63 @@
# Domain Enumeration Group Policy Objects

## PowerView commands

### Get list of GPO in current domain

```
Get-NetGPO
Get-NetGPO -ComputerName computername.domainname

```
### Get GPO(s) which use restricted groups or groups.xml for interesting users

```
Get-NetGPOGroup
```

### Get users which are in a local group of a machine using GPO

```
Find-GPOComputerAdmin -Computername computername.domainname
```

### Get machines where the given user is member of a specific group

```
Find-GPOLocation -Username username -Verbose
```

### Get OUs in a domain
```
Get-NetOU -FullData
```

### Get GPO applied on an OU . Read GPOname from gplink attribute

```
Get-NetGPO -GPOname "{guid_string}"
```

## Group Policy Module commands

### Get list of GPO in current domain

```
Get-GPO -All

Get-GPResultantSetOfPolicy -ReportType Html -Path C:\Users\Administrator\report.html
```

### Get GPO applied on an OU . Read GPOname from gplink attribute
```
Get-GPO -Guid guid_string
```


## AD Module

### Get OUs in a domain
```
Get-ADOrganizationalUnit -Filter * -Properties *
```

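Review bot: the "Group Policy Module commands" section never says the module must be loaded (`Import-Module GroupPolicy`, which needs the RSAT Group Policy tools on the box), so `Get-GPO -All` will be "not recognized" for anyone trying it on a plain workstation. In the same block, `Get-GPResultantSetOfPolicy -ReportType Html -Path C:\Users\Administrator\report.html` hard-codes an Administrator profile path; mark it as an example output location. Under both "Get GPO applied on an OU" headings the text says to read the GPO name from `gplink` but never shows where that comes from; `Get-NetOU -FullData` two sections earlier returns the `gplink` attribute, which contains the GPO's distinguished name with its `{GUID}`, and one sentence tying the two together would complete the procedure. Minor: the first fenced block has a trailing blank line before its closing fence, and "Computername" is written with a lowercase `n` unlike the `-ComputerName` above it.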
3
Active Directory/Enumeration/4-ACL.md
Normal file
@ -0,0 +1,3 @@
# Domain Enumeration - Access Control List

##
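Review bot: this file is a placeholder, a title followed by an empty `##` heading that renders as a dangling section. Either add the ACL enumeration content it is meant to hold or leave the file out of the commit until it does; an empty heading in a reference repo reads as a broken page rather than a work in progress.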
102
Active Directory/Enumeration/5-Trusts.md
Normal file
@ -0,0 +1,102 @@
# Domain Enumeration - Trusts

In AD , trust is a relationship b/w domains or forest that allows user of one domain or forest to access resources in other domain or forest, trust can be automatic (parent-child).
TDOs (Trusted Domain Objects) represent the trust relationship in a domain

## One way trust
It's an undirectional trust in which users in trusted domain can access resources in trusting domain (resource) but cannot be done in reverse

## Two way trust (bi directional)
Users of both domains can access resources in the other domain

## Trust Transitivity
Trust can be extended to establish trust relationships with othe domains

### Transitive
All default intra-forest trust relationships (tree-root, parent-child) between domains within a same forest are transitive two-way trust

### Non-transitive
Cannot be extended to other domains in forest , can be two-way or one-way, this is the default trust (called external trust) between two domains in different forest do not have a trust realtionship.

## Domain Trusts

### Default/Automatic Trusts

- Parent-child trust , it's created automatically b/w new domain and domain that preceeds it in the namespace hierarrchy , whenever a new domain is added in a tree , for example `dollarcorp.moenycorp.local` is a child of `moneycorp.local`, trust will always be bi-directional
- Tree-root trust , it's created automatically whenever a new domain tree is added to a forest root , this trust is bi-directional as well

### Shortcut Trusts
Used to reduce access time in complex trust scenarios , can be one way or two way transitive

### External Trust
External trust b/w two domains in different forests when forests do not have a trust relationship , can be one way or two way

# Domain Trust mapping

## Powerview commands

### Get list of all domain trusts for current domain

```
Get-NetDomainTrust
Get-NetDomainTrust -Domain domain_name
```

## AD Module

### Get list of all domain trusts for current domain

```
Get-ADTrust
Get-ADTrust- Identity domain_name
```

# Forest Mapping
## Power View

### Get details about current forest

```
Get-NetForest
Get-NetForest -Forest name
```

### Get all domains in current forest

```
Get-NetForestDomain
Get-NetForestDomain -Forest name
```

### Get all global catalogs for current forest
```
Get-NetForestCatalog
Get-NetForestCatalog -Forest name
```
### Map trusts of a forest
```
Get-NetForestTrust
Get-NetForestTrust -Forest name
```

## AD Module

### Get details about current forest
```
Get-ADForest
Get-ADForest -Identity name
```

### Get all domains in current forest
```
(Get-ADForest).Domain
```

### Get all global catalogs for current forest
```
Get-ADForest | select -ExpandPropery GlobalCatalogs
```
### Map trusts of a forest
```
Get-ADTrust -Filter 'msDS0TrustForestTrustInfo -ne "$null$"'
```
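Review bot: four of the AD-module commands in this hunk do not run as written. `Get-ADTrust- Identity domain_name` has the hyphen on the wrong side (`Get-ADTrust -Identity domain_name`); `(Get-ADForest).Domain` should be `(Get-ADForest).Domains`, the property is plural; `-ExpandPropery` is missing a `t`; and in `Get-ADTrust -Filter 'msDS0TrustForestTrustInfo -ne "$null$"'` the attribute is `msDS-TrustForestTrustInfo` and the comparison value is `"$null"`. In the prose, the Non-transitive paragraph runs two thoughts together ("this is the default trust (called external trust) between two domains in different forest do not have a trust realtionship"); it should say that an external trust is what gets created by default between two domains whose forests have no forest trust, and that it is non-transitive. The parent-child example writes `dollarcorp.moenycorp.local` against `moneycorp.local` in the same sentence. Spelling: "undirectional" (unidirectional), "othe", "preceeds", "hierarrchy", "realtionship".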
47
Active Directory/Enumeration/6-User Hunting.md
Normal file
@ -0,0 +1,47 @@
# Domain Enumeration - User Hunting

## Power View commands

### Find all machines on current domain where the current user has local admin access

```
Find-LocalAdminAccess -verbose
Invoke-CheckLocalAdminAccess
```

If `find-localadminaccess` is blocked because it sends `Get-NetComputer` to DC , so we can try to use `Find-WMILocalAdminAccess.ps1`

Save the results of `Get-NetComputer` in a text file then run

```
. .\Find-WMILocalAdminAccess.ps1 -ComputerFile computer.txt -verbose
```

### Find local admins on all machines of the domain (needs administrator on non-dc machines )
```
Invoke-EnumerateLocalAdmin -Verbose
```

this function queries DC of current or provided domain for a list of compters (`Get-NetComputer`) and then use multi-threaded `Get-NetLocalGroup` on each machine.

### Find computers where a domain admin (or specified user/group) has sessions
```
Invoke-UserHunter
Invoke-UserHunter -GroupName "RDPUsers"
```

this function queries DC of current or provided domain for members of the given group (Domain Admins bt default) using `Get-NetGroupMember` , gets a list of computers (`Get-NetComputer`) and list sessions and logged on users (`Get-NetSession/Get-NetLoggedon`)

### To confirm admin access

```
Invoke-UserHunter -CheckAccess
```

### Find computers where a domain admin is logged in

```
Invoke-UserHunter -Stealth
```

This option queries DC of current or provided domain for members of given group (Domain Admins by default) using `Get-NetGroupMember` , gets a list_only of high traffic servers (DC , file servers and Distributed file servers ) for less traffic generation and list sessions and logged on users (`Get-NetSession/Get-NetLoggedon`) from each machine
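Review bot: the fallback paragraph does not explain what the fallback changes. "If `find-localadminaccess` is blocked because it sends `Get-NetComputer` to DC , so we can try to use `Find-WMILocalAdminAccess.ps1`" is not a sentence (drop "so"), and the reason the script is quieter is that it takes the host list from `computer.txt` instead of querying the DC on every run and checks admin rights over WMI, so the DC sees one `Get-NetComputer` rather than one per hunt; say that. The heading "Find computers where a domain admin is logged in" for `-Stealth` repeats the earlier session-hunting heading; the paragraph under it makes clear it is the same hunt restricted to DCs, file servers and DFS servers, so the heading should say "stealth" or "high-traffic servers only". Typos: "list_only" (list only), "compters" (computers), "bt default" (by default), and "Power View" is written as one word everywhere else in the commit.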