πͺCredentialed Enumeration from Windows
π Overview
After gaining valid domain credentials, enumeration from a Windows attack host provides access to powerful native tools and specialized AD enumeration frameworks. Windows-based enumeration offers deeper integration with AD infrastructure, access to PowerShell modules, and the ability to leverage tools that can provide comprehensive domain intelligence and attack path visualization.
π― Strategic Context
πͺ Windows vs Linux Enumeration Advantages
Native Integration: Direct access to AD PowerShell modules and cmdlets
Stealth Operations: Blend in with legitimate administrative activities
Comprehensive Data: More detailed attribute and permission enumeration
Visual Analysis: Advanced attack path visualization with BloodHound GUI
π οΈ Key Tools & Techniques
ActiveDirectory PowerShell Module: Native Microsoft AD administration cmdlets
PowerView: Advanced AD reconnaissance and analysis framework
SharpView: .NET port of PowerView for modern environments
Snaffler: Automated sensitive file discovery across domain shares
BloodHound: Attack path visualization and relationship analysis
π§ ActiveDirectory PowerShell Module
π Overview
The ActiveDirectory PowerShell module contains 147+ cmdlets for comprehensive AD administration and enumeration. When available on domain-joined hosts (especially admin workstations), it provides native, stealth-friendly enumeration capabilities.
π Module Discovery and Loading
# Check available modules
Get-Module
# Import ActiveDirectory module
Import-Module ActiveDirectory
# Verify module is loaded
Get-Module | Where-Object {$_.Name -eq "ActiveDirectory"}Example Discovery Output:
PS C:\htb> Get-Module
ModuleType Version Name ExportedCommands
---------- ------- ---- ----------------
Manifest 3.1.0.0 Microsoft.PowerShell.Utility {Add-Member, Add-Type, Clear-Variable...}
Script 2.0.0 PSReadline {Get-PSReadLineKeyHandler, Get-PSReadLineOption...}
PS C:\htb> Import-Module ActiveDirectory
PS C:\htb> Get-Module
ModuleType Version Name ExportedCommands
---------- ------- ---- ----------------
Manifest 1.0.1.0 ActiveDirectory {Add-ADCentralAccessPolicyMember, Add-ADComputerServiceAcc...}
Manifest 3.1.0.0 Microsoft.PowerShell.Utility {Add-Member, Add-Type, Clear-Variable...}
Script 2.0.0 PSReadline {Get-PSReadLineKeyHandler, Get-PSReadLineOption...}π° Domain Information Gathering
# Get comprehensive domain information
Get-ADDomainKey Information Retrieved:
PS C:\htb> Get-ADDomain
AllowedDNSSuffixes : {}
ChildDomains : {LOGISTICS.INLANEFREIGHT.LOCAL}
ComputersContainer : CN=Computers,DC=INLANEFREIGHT,DC=LOCAL
DeletedObjectsContainer : CN=Deleted Objects,DC=INLANEFREIGHT,DC=LOCAL
DistinguishedName : DC=INLANEFREIGHT,DC=LOCAL
DNSRoot : INLANEFREIGHT.LOCAL
DomainControllersContainer : OU=Domain Controllers,DC=INLANEFREIGHT,DC=LOCAL
DomainMode : Windows2016Domain
DomainSID : S-1-5-21-3842939050-3880317879-2865463114
ForeignSecurityPrincipalsContainer : CN=ForeignSecurityPrincipals,DC=INLANEFREIGHT,DC=LOCAL
Forest : INLANEFREIGHT.LOCAL
InfrastructureMaster : ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL
PDCEmulator : ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL
RIDMaster : ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL
SubordinateReferences : {DC=LOGISTICS,DC=INLANEFREIGHT,DC=LOCAL,
DC=ForestDnsZones,DC=INLANEFREIGHT,DC=LOCAL,
DC=DomainDnsZones,DC=INLANEFREIGHT,DC=LOCAL}π₯ User Enumeration
# Find users with Service Principal Names (Kerberoastable)
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName
# Get specific user details
Get-ADUser -Identity username -Properties *
# Find users with specific attributes
Get-ADUser -Filter {AdminCount -eq 1} -Properties AdminCountExample Kerberoastable User Output:
DistinguishedName : CN=adfs,OU=Service Accounts,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL
Enabled : True
GivenName : Sharepoint
Name : adfs
ObjectClass : user
ObjectGUID : 49b53bea-4bc4-4a68-b694-b806d9809e95
SamAccountName : adfs
ServicePrincipalName : {adfsconnect/azure01.inlanefreight.local}
SID : S-1-5-21-3842939050-3880317879-2865463114-5244
Surname : Admin
UserPrincipalName :
DistinguishedName : CN=BACKUPAGENT,OU=Service Accounts,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL
Enabled : True
GivenName : Jessica
Name : BACKUPAGENT
ObjectClass : user
ObjectGUID : 2ec53e98-3a64-4706-be23-1d824ff61bed
SamAccountName : backupagent
ServicePrincipalName : {backupjob/veam001.inlanefreight.local}
SID : S-1-5-21-3842939050-3880317879-2865463114-5220π Trust Relationship Enumeration
# Enumerate all domain trusts
Get-ADTrust -Filter *Example Trust Output:
Direction : BiDirectional
DisallowTransivity : False
DistinguishedName : CN=LOGISTICS.INLANEFREIGHT.LOCAL,CN=System,DC=INLANEFREIGHT,DC=LOCAL
ForestTransitive : False
IntraForest : True
IsTreeParent : False
IsTreeRoot : False
Name : LOGISTICS.INLANEFREIGHT.LOCAL
ObjectClass : trustedDomain
SelectiveAuthentication : False
SIDFilteringForestAware : False
SIDFilteringQuarantined : False
Source : DC=INLANEFREIGHT,DC=LOCAL
Target : LOGISTICS.INLANEFREIGHT.LOCAL
TGTDelegation : False
TrustAttributes : 32
TrustType : Uplevel
Direction : BiDirectional
ForestTransitive : True
IntraForest : False
Name : FREIGHTLOGISTICS.LOCAL
TrustAttributes : 8
TrustType : Uplevelπ·οΈ Group Management
# Enumerate all groups
Get-ADGroup -Filter * | Select-Object name
# Get detailed group information
Get-ADGroup -Identity "Backup Operators"
# Get group membership
Get-ADGroupMember -Identity "Backup Operators"Example Group Analysis:
PS C:\htb> Get-ADGroup -Identity "Backup Operators"
DistinguishedName : CN=Backup Operators,CN=Builtin,DC=INLANEFREIGHT,DC=LOCAL
GroupCategory : Security
GroupScope : DomainLocal
Name : Backup Operators
ObjectClass : group
ObjectGUID : 6276d85d-9c39-4b7c-8449-cad37e8abc38
SamAccountName : Backup Operators
SID : S-1-5-32-551
PS C:\htb> Get-ADGroupMember -Identity "Backup Operators"
distinguishedName : CN=BACKUPAGENT,OU=Service Accounts,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL
name : BACKUPAGENT
objectClass : user
objectGUID : 2ec53e98-3a64-4706-be23-1d824ff61bed
SamAccountName : backupagent
SID : S-1-5-21-3842939050-3880317879-2865463114-5220β‘ PowerView
π Overview
PowerView is an advanced PowerShell framework for AD reconnaissance and situational awareness. It provides comprehensive enumeration capabilities, relationship analysis, and attack path identification through extensive cmdlet collections.
π Core PowerView Functions
Category
Key Functions
Purpose
Domain/LDAP
Get-Domain, Get-DomainController, Get-DomainUser
Core domain enumeration
Groups
Get-DomainGroup, Get-DomainGroupMember
Group and membership analysis
Computers
Get-DomainComputer, Get-NetShare, Get-NetSession
Host and share enumeration
GPO
Get-DomainGPO, Get-DomainPolicy
Group Policy analysis
ACL
Find-InterestingDomainAcl
Permission and ACL enumeration
Trust
Get-DomainTrust, Get-ForestTrust
Trust relationship mapping
Meta
Find-DomainUserLocation, Find-LocalAdminAccess
Advanced discovery functions
π€ User Enumeration and Analysis
# Get detailed user information
Get-DomainUser -Identity mmorgan -Domain inlanefreight.local | Select-Object -Property name,samaccountname,description,memberof,whencreated,pwdlastset,lastlogontimestamp,accountexpires,admincount,userprincipalname,serviceprincipalname,useraccountcontrolExample Detailed User Output:
name : Matthew Morgan
samaccountname : mmorgan
description :
memberof : {CN=VPN Users,OU=Security Groups,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL,
CN=Shared Calendar Read,OU=Security Groups,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL,
CN=Printer Access,OU=Security Groups,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL}
whencreated : 10/27/2021 5:37:06 PM
pwdlastset : 11/18/2021 10:02:57 AM
lastlogontimestamp : 2/27/2022 6:34:25 PM
accountexpires : NEVER
admincount : 1
userprincipalname : mmorgan@inlanefreight.local
serviceprincipalname :
useraccountcontrol : NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD, DONT_REQ_PREAUTHπ Recursive Group Membership Analysis
# Analyze nested group memberships
Get-DomainGroupMember -Identity "Domain Admins" -RecurseExample Recursive Output:
GroupDomain : INLANEFREIGHT.LOCAL
GroupName : Domain Admins
GroupDistinguishedName : CN=Domain Admins,CN=Users,DC=INLANEFREIGHT,DC=LOCAL
MemberDomain : INLANEFREIGHT.LOCAL
MemberName : svc_qualys
MemberDistinguishedName : CN=svc_qualys,OU=Service Accounts,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL
MemberObjectClass : user
MemberSID : S-1-5-21-3842939050-3880317879-2865463114-5613
GroupDomain : INLANEFREIGHT.LOCAL
GroupName : Secadmins
GroupDistinguishedName : CN=Secadmins,OU=Security Groups,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL
MemberDomain : INLANEFREIGHT.LOCAL
MemberName : spong1990
MemberDistinguishedName : CN=Maggie Jablonski,OU=Operations,OU=Logistics-HK,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL
MemberObjectClass : user
MemberSID : S-1-5-21-3842939050-3880317879-2865463114-1965π Trust Relationship Mapping
# Map all domain trusts
Get-DomainTrustMappingExample Trust Mapping:
SourceName : INLANEFREIGHT.LOCAL
TargetName : LOGISTICS.INLANEFREIGHT.LOCAL
TrustType : WINDOWS_ACTIVE_DIRECTORY
TrustAttributes : WITHIN_FOREST
TrustDirection : Bidirectional
WhenCreated : 11/1/2021 6:20:22 PM
WhenChanged : 2/26/2022 11:55:55 PM
SourceName : INLANEFREIGHT.LOCAL
TargetName : FREIGHTLOGISTICS.LOCAL
TrustType : WINDOWS_ACTIVE_DIRECTORY
TrustAttributes : FOREST_TRANSITIVE
TrustDirection : Bidirectional
WhenCreated : 11/1/2021 8:07:09 PM
WhenChanged : 2/27/2022 12:02:39 AMπ Administrative Access Testing
# Test local admin access on specific hosts
Test-AdminAccess -ComputerName ACADEMY-EA-MS01
# Find hosts where current user has local admin
Find-LocalAdminAccessExample Admin Access Output:
PS C:\htb> Test-AdminAccess -ComputerName ACADEMY-EA-MS01
ComputerName IsAdmin
------------ -------
ACADEMY-EA-MS01 Trueπ« Kerberoastable Account Discovery
# Find users with SPNs set (Kerberoastable)
Get-DomainUser -SPN -Properties samaccountname,ServicePrincipalNameExample SPN Output:
serviceprincipalname samaccountname
-------------------- --------------
adfsconnect/azure01.inlanefreight.local adfs
backupjob/veam001.inlanefreight.local backupagent
d0wngrade/kerberoast.inlanefreight.local d0wngrade
kadmin/changepw krbtgt
MSSQLSvc/DEV-PRE-SQL.inlanefreight.local:1433 sqldev
MSSQLSvc/SPSJDB.inlanefreight.local:1433 sqlprod
MSSQLSvc/SQL-CL01-01inlanefreight.local:49351 sqlqa
sts/inlanefreight.local solarwindsmonitor
testspn/kerberoast.inlanefreight.local testspn
testspn2/kerberoast.inlanefreight.local testspn2π¨ SharpView
π Overview
SharpView is a .NET port of PowerView, providing similar functionality while avoiding PowerShell detection mechanisms. It's particularly useful in environments with PowerShell restrictions or advanced monitoring.
π Basic Usage
# Get help for specific functions
.\SharpView.exe Get-DomainUser -Help
# Enumerate specific user
.\SharpView.exe Get-DomainUser -Identity forendExample SharpView Help Output:
PS C:\htb> .\SharpView.exe Get-DomainUser -Help
Get_DomainUser -Identity <String[]> -DistinguishedName <String[]> -SamAccountName <String[]> -Name <String[]> -MemberDistinguishedName <String[]> -MemberName <String[]> -SPN <Boolean> -AdminCount <Boolean> -AllowDelegation <Boolean> -DisallowDelegation <Boolean> -TrustedToAuth <Boolean> -PreauthNotRequired <Boolean> -KerberosPreauthNotRequired <Boolean> -NoPreauth <Boolean> -Domain <String> -LDAPFilter <String> -Filter <String> -Properties <String[]> -SearchBase <String> -ADSPath <String> -Server <String> -DomainController <String> -SearchScope <SearchScope> -ResultPageSize <Int32> -ServerTimeLimit <Nullable`1> -SecurityMasks <Nullable`1> -Tombstone <Boolean> -FindOne <Boolean> -ReturnOne <Boolean> -Credential <NetworkCredential> -Raw <Boolean> -UACFilter <UACEnum>Example User Enumeration:
PS C:\htb> .\SharpView.exe Get-DomainUser -Identity forend
[Get-DomainSearcher] search base: LDAP://ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL/DC=INLANEFREIGHT,DC=LOCAL
[Get-DomainUser] filter string: (&(samAccountType=805306368)(|(samAccountName=forend)))
objectsid : {S-1-5-21-3842939050-3880317879-2865463114-5614}
samaccounttype : USER_OBJECT
objectguid : 53264142-082a-4cb8-8714-8158b4974f3b
useraccountcontrol : NORMAL_ACCOUNT
accountexpires : 12/31/1600 4:00:00 PM
lastlogon : 4/18/2022 1:01:21 PM
lastlogontimestamp : 4/9/2022 1:33:21 PM
pwdlastset : 2/28/2022 12:03:45 PM
name : forend
distinguishedname : CN=forend,OU=IT Admins,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL
samaccountname : forend
memberof : {CN=VPN Users,OU=Security Groups,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL,
CN=Shared Calendar Read,OU=Security Groups,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL}π Snaffler
π Overview
Snaffler automates the discovery of sensitive files across domain shares by enumerating hosts, shares, and readable directories, then hunting for files that could enhance our position in the assessment.
π Basic Execution
# Basic Snaffler execution with output to console and log
Snaffler.exe -s -d inlanefreight.local -o snaffler.log -v dataCommand Breakdown:
-s: Print results to console-d: Specify domain to search-o: Write results to log file-v data: Verbosity level (data = only display results)
π Example Snaffler Output
PS C:\htb> .\Snaffler.exe -d INLANEFREIGHT.LOCAL -s -v data
.::::::.:::. :::. :::. .-:::::'.-:::::'::: .,:::::: :::::::..
;;;` ``;;;;, `;;; ;;`;; ;;;'''' ;;;'''' ;;; ;;;;'''' ;;;;``;;;;
'[==/[[[[, [[[[[. '[[ ,[[ '[[, [[[,,== [[[,,== [[[ [[cccc [[[,/[[['
''' $ $$$ 'Y$c$$c$$$cc$$$c`$$$'`` `$$$'`` $$' $$"" $$$$$$c
88b dP 888 Y88 888 888,888 888 o88oo,.__888oo,__ 888b '88bo,
'YMmMY' MMM YM YMM ''` 'MM, 'MM, ''''YUMMM''''YUMMMMMMM 'W'
by l0ss and Sh3r4 - github.com/SnaffCon/Snaffler
2022-03-31 12:16:54 -07:00 [Share] {Black}(\\ACADEMY-EA-MS01.INLANEFREIGHT.LOCAL\ADMIN$)
2022-03-31 12:16:54 -07:00 [Share] {Black}(\\ACADEMY-EA-MS01.INLANEFREIGHT.LOCAL\C$)
2022-03-31 12:16:54 -07:00 [Share] {Green}(\\ACADEMY-EA-MX01.INLANEFREIGHT.LOCAL\address)
2022-03-31 12:16:54 -07:00 [Share] {Green}(\\ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL\Department Shares)
2022-03-31 12:16:54 -07:00 [Share] {Green}(\\ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL\User Shares)
2022-03-31 12:16:54 -07:00 [Share] {Green}(\\ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL\ZZZ_archive)
2022-03-31 12:17:18 -07:00 [Share] {Green}(\\ACADEMY-EA-CA01.INLANEFREIGHT.LOCAL\CertEnroll)
2022-03-31 12:17:19 -07:00 [File] {Black}<KeepExtExactBlack|R|^\.kdb$|289B|3/31/2022 12:09:22 PM>(\\ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL\Department Shares\IT\Infosec\GroupBackup.kdb) .kdb
2022-03-31 12:17:19 -07:00 [File] {Red}<KeepExtExactRed|R|^\.key$|299B|3/31/2022 12:05:33 PM>(\\ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL\Department Shares\IT\Infosec\ShowReset.key) .key
2022-03-31 12:17:19 -07:00 [File] {Red}<KeepExtExactRed|R|^\.key$|298B|3/31/2022 12:05:10 PM>(\\ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL\Department Shares\IT\Infosec\ProtectStep.key) .key
2022-03-31 12:17:19 -07:00 [File] {Black}<KeepExtExactBlack|R|^\.ppk$|275B|3/31/2022 12:04:40 PM>(\\ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL\Department Shares\IT\Infosec\StopTrace.ppk) .ppk
2022-03-31 12:17:19 -07:00 [File] {Red}<KeepExtExactRed|R|^\.sqldump$|312B|3/31/2022 12:05:30 PM>(\\ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL\Department Shares\IT\Development\DenyRedo.sqldump) .sqldump
2022-03-31 12:17:19 -07:00 [File] {Red}<KeepExtExactRed|R|^\.keychain$|295B|3/31/2022 12:08:42 PM>(\\ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL\Department Shares\IT\Infosec\SetStep.keychain) .keychainπ― Sensitive File Categories
Color Code
Risk Level
File Types
Examples
Red
High
Keys, configs, dumps
.key, .config, .sqldump, .mdf
Black
Medium
Encrypted stores
.kdb, .kwallet, .ppk, .psafe3
Green
Low
Shares discovered
Available network shares
π©Έ BloodHound
π Overview
BloodHound provides visual analysis of AD attack paths by mapping relationships between users, computers, groups, and permissions. The SharpHound collector gathers comprehensive data for upload to the BloodHound GUI.
π§ SharpHound Data Collection
# Basic collection with all methods
.\SharpHound.exe -c All --zipfilename ILFREIGHT
# Stealth collection (DCOnly when possible)
.\SharpHound.exe --stealth --zipfilename STEALTH_COLLECT
# Specific collection methods
.\SharpHound.exe -c Session,LoggedOn,Trusts,ACL --zipfilename TARGETEDExample SharpHound Execution:
PS C:\htb> .\SharpHound.exe -c All --zipfilename ILFREIGHT
2022-04-18T13:58:22.1163680-07:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2022-04-18T13:58:22.1163680-07:00|INFORMATION|Initializing SharpHound at 1:58 PM on 4/18/2022
2022-04-18T13:58:22.6788709-07:00|INFORMATION|Flags: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2022-04-18T13:58:23.0851206-07:00|INFORMATION|Beginning LDAP search for INLANEFREIGHT.LOCAL
2022-04-18T13:58:53.9132950-07:00|INFORMATION|Status: 0 objects finished (+0 0)/s -- Using 67 MB RAM
2022-04-18T13:59:15.7882419-07:00|INFORMATION|Producer has finished, closing LDAP channel
2022-04-18T13:59:45.8663528-07:00|INFORMATION|Status: 3809 objects finished (+16 46.45122)/s -- Using 110 MB RAM
2022-04-18T13:59:45.8663528-07:00|INFORMATION|Enumeration finished in 00:01:22.7919186
2022-04-18T13:59:46.3663660-07:00|INFORMATION|SharpHound Enumeration Completed at 1:59 PM on 4/18/2022! Happy Graphingπ BloodHound GUI Analysis
# Start BloodHound GUI (Windows)
bloodhound
# Default credentials if prompted:
# Username: neo4j
# Password: HTB_@cademy_stdnt!π Key BloodHound Queries
π― High-Impact Pre-built Queries
-- Find Computers with Unsupported Operating Systems
MATCH (c:Computer) WHERE c.operatingsystem =~ "(?i).*(2000|2003|2008|xp|vista|7|me).*" RETURN c
-- Find Computers where Domain Users are Local Admin
MATCH p=(m:Group)-[:AdminTo]->(c:Computer) WHERE m.name =~ "DOMAIN USERS@.*" RETURN p
-- Find Shortest Paths to Domain Admins
MATCH (m:User) WHERE NOT m.name = "ANONYMOUS LOGON" AND NOT m.name ENDS WITH "$"
MATCH (n:Group) WHERE n.name = "DOMAIN ADMINS@INLANEFREIGHT.LOCAL"
MATCH p = shortestPath((m)-[*1..]->(n)) RETURN p
-- Find All Kerberoastable Users
MATCH (u:User) WHERE u.hasspn=true RETURN uπ Advanced Custom Queries
-- Find users with DCSync rights
MATCH p=()-[:DCSync|AllExtendedRights|GenericAll]->(:Domain) RETURN p
-- Find computers with LAPS enabled
MATCH (c:Computer) WHERE c.haslaps = true RETURN c
-- Find sessions for high-value targets
MATCH p=(c:Computer)-[:HasSession]->(u:User) WHERE u.highvalue = true RETURN p
-- Find constrained delegation opportunities
MATCH p=(u:User)-[:AllowedToDelegate]->(c:Computer) RETURN pπ― HTB Academy Lab Solutions
π Lab Questions & Solutions
π Question 1: "Using Bloodhound, determine how many Kerberoastable accounts exist within the INLANEFREIGHT domain. (Submit the number as the answer)"
Solution Process:
# Method 1: BloodHound Raw Query
MATCH (u:User) WHERE u.hasspn=true RETURN count(u)
# Method 2: Pre-built Query Analysis
# Go to Analysis tab -> "Find All Kerberoastable Users"
# Count the returned nodes
# Method 3: PowerView verification
Get-DomainUser -SPN | Measure-Object | Select-Object Count
# Method 4: ActiveDirectory module verification
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} | Measure-Object | Select-Object CountExpected Answer Format: [number] (e.g., 13)
β‘ Question 2: "What PowerView function allows us to test if a user has administrative access to a local or remote host?"
Solution:
# The function is: Test-AdminAccess
Test-AdminAccess -ComputerName HOSTNAME
# Alternative verification:
Get-Help Test-AdminAccessExpected Answer: Test-AdminAccess
π Question 3: "Run Snaffler and hunt for a readable web config file. What is the name of the user in the connection string within the file?"
Solution Process:
# Step 1: Run Snaffler to find web.config files
.\Snaffler.exe -d INLANEFREIGHT.LOCAL -s -v data | findstr -i "web.config"
# Step 2: Look for web.config files in the output
# Example output might show:
# [File] {Red}<KeepExtExactRed|R|^\.config$|1024B|...>(\\HOST\Share\path\web.config) .config
# Step 3: Access the file and examine connection strings
type "\\HOSTNAME\Share\path\web.config"
# Step 4: Look for connection string patterns like:
# <connectionStrings>
# <add name="DefaultConnection" connectionString="Server=...;User ID=USERNAME;Password=..." />
# </connectionStrings>
# Step 5: Extract the username from the connection stringExpected Answer Format: [username] (e.g., sqlservice)
π Question 4: "What is the password for the database user?"
Solution Process:
# Continue from Question 3 - examine the same web.config file
# Look for the password in the connection string:
# connectionString="Server=server;User ID=username;Password=PASSWORD_HERE;"
# Extract the password value from the connection stringExpected Answer Format: [password] (e.g., MyV3ryStr0ngP@ssw0rd!)
π§ Advanced Enumeration Techniques
π― Comprehensive User Analysis
# Find high-value user accounts
Get-DomainUser -Properties admincount,serviceprincipalname,memberof | Where-Object {$_.admincount -eq 1 -or $_.serviceprincipalname -ne $null}
# Analyze password policies and account settings
Get-DomainUser -Properties pwdlastset,lastlogontimestamp,useraccountcontrol | Where-Object {$_.useraccountcontrol -match "DONT_EXPIRE_PASSWORD"}
# Find users with constrained delegation
Get-DomainUser -TrustedToAuth -Properties trustedtodelegated,serviceprincipalnameπ₯οΈ Computer and Service Analysis
# Find computers with specific services
Get-DomainComputer -Properties operatingsystem,serviceprincipalname | Where-Object {$_.serviceprincipalname -match "MSSQL|HTTP|CIFS"}
# Identify file servers and shares
Get-DomainFileServer
Get-DomainDFSShare
# Find computers with sessions from high-value users
Find-DomainUserLocation -UserGroupIdentity "Domain Admins"π Permission and ACL Analysis
# Find interesting ACLs
Find-InterestingDomainAcl -ResolveGUIDs
# Find modifiable GPOs
Get-DomainGPO | Where-Object {$_.gpcfilesyspath -like "*SYSVOL*"}
# Analyze dangerous privileges
Get-DomainUser -AdminCount | Get-DomainObjectAcl -ResolveGUIDs | Where-Object {$_.ActiveDirectoryRights -match "GenericAll|WriteDacl|WriteOwner"}β‘ Quick Reference Commands
π§ Essential One-Liners
# Quick Kerberoastable account count
(Get-ADUser -Filter {ServicePrincipalName -ne "$null"}).Count
# Find Domain Admins with PowerView
Get-DomainGroupMember -Identity "Domain Admins" | Select-Object MemberName
# Quick admin access test
Test-AdminAccess -ComputerName (Get-Content hosts.txt)
# Fast SPN enumeration
Get-DomainUser -SPN | Select-Object samaccountname,serviceprincipalname
# Trust relationship summary
Get-DomainTrust | Select-Object SourceName,TargetName,TrustDirection,TrustTypeπ Data Analysis and Correlation
# Cross-reference users and groups
$users = Get-DomainUser -Properties memberof
$groups = Get-DomainGroup
$users | ForEach-Object {
$_.memberof | ForEach-Object {
if($_ -match "Domain Admins|Enterprise Admins|Backup Operators") {
Write-Host "High-value group membership: $($_.samaccountname) -> $_"
}
}
}
# Correlate sessions with admin rights
$admins = Get-DomainGroupMember -Identity "Domain Admins"
$sessions = Get-NetSession
$admins | ForEach-Object {
$sessions | Where-Object {$_.UserName -eq $_.MemberName}
}π Key Takeaways
β
Windows Enumeration Advantages
Native Tool Integration: Access to ActiveDirectory PowerShell module and built-in cmdlets
Stealth Operations: Blend in with legitimate administrative activities
Comprehensive Analysis: Deep attribute and relationship enumeration
Visual Intelligence: BloodHound provides unmatched attack path visualization
π― Strategic Priorities
Kerberoastable Accounts: Identify service accounts with SPNs for credential extraction
Administrative Rights: Map local admin access across domain systems
Sensitive File Discovery: Use Snaffler to find configuration files and credentials
Attack Path Analysis: Leverage BloodHound for relationship mapping and privilege escalation paths
Trust Relationships: Understand cross-domain attack opportunities
β οΈ Operational Considerations
Tool Placement: Document all tools transferred to domain systems
Artifact Cleanup: Remove tools and logs at engagement conclusion
Stealth vs Speed: Balance comprehensive enumeration with detection avoidance
Data Correlation: Cross-reference findings from multiple tools for accuracy
π Next Steps After Enumeration
Kerberoasting: Extract and crack service account credentials
ASREPRoasting: Target accounts without Kerberos pre-authentication
Privilege Escalation: Exploit identified admin rights and permissions
Lateral Movement: Use discovered credentials and access rights for network traversal
Windows-based credentialed enumeration provides the deepest insight into Active Directory environments - leveraging native tools and comprehensive frameworks to map the entire domain landscape and identify critical attack paths.
Last updated