# WMI domain enumeration through root\directory\ldap

## Domain enumeration using WMI

The Active Directory provider uses the ***`root\directory\ldap`*** namespace. Within that namespace, every Active Directory schema class and attribute is mapped to corresponding WMI classes or properties.

```powershell
Get-WmiObject -Namespace root\directory\ldap -Class ds_* -List
```

### Finding the domain name

After gaining access to a box on a domain, one of the first steps in basic reconnaissance is to figure out which domain we are on:

```powershell
Get-WmiObject -Namespace root\directory\ldap -Class ds_domain | select ds_dc, 
ds_distinguishedname, pscomputername
```

### Getting the domain policy

This information can be important to avoid detections and lockouts.

```powershell
Get-WmiObject -Namespace root\directory\ldap -Class ds_domain | select ds_lockoutduration,
ds_lockoutobservationwindow, ds_lockoutthreshold, ds_maxpwdage,
ds_minpwdage, ds_minpwdlength, ds_pwdhistorylength, ds_pwdproperties
```
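As an added example (not part of the original post), the same `ds_domain` query can be turned into a small policy audit. The flag values for `ds_pwdproperties` are the documented `pwdProperties` bits (`DOMAIN_PASSWORD_COMPLEX` = 1, `DOMAIN_PASSWORD_STORE_CLEARTEXT` = 16); the thresholds passed as parameters are this example's own choices, not values from the page.

```powershell
# Added example: read the domain's password and lockout policy through
# root\directory\ldap and flag settings that weaken protection against
# password guessing. Threshold defaults are this example's assumptions.
function Test-DomainPasswordPolicy {
    param(
        [int]$MaxLockoutThreshold = 10,   # more than this many bad attempts before lockout is considered weak
        [int]$MinPasswordLength   = 14,
        [int]$MinHistoryLength    = 24
    )

    $domain = Get-WmiObject -Namespace root\directory\ldap -Class ds_domain |
        Select-Object -First 1

    # pwdProperties is a bitmask; bit values from the pwdProperties attribute documentation
    $props      = [int]$domain.ds_pwdproperties
    $complexity = ($props -band 1)  -ne 0   # DOMAIN_PASSWORD_COMPLEX
    $storeClear = ($props -band 16) -ne 0   # DOMAIN_PASSWORD_STORE_CLEARTEXT (reversible encryption)

    $threshold = [int]$domain.ds_lockoutthreshold
    $minLength = [int]$domain.ds_minpwdlength
    $history   = [int]$domain.ds_pwdhistorylength

    $findings = @()
    if ($threshold -eq 0) {
        $findings += 'Lockout threshold is 0: unlimited bad-password attempts'
    } elseif ($threshold -gt $MaxLockoutThreshold) {
        $findings += "Lockout threshold $threshold exceeds $MaxLockoutThreshold"
    }
    if ($minLength -lt $MinPasswordLength) { $findings += "Minimum password length $minLength is below $MinPasswordLength" }
    if ($history   -lt $MinHistoryLength)  { $findings += "Password history $history is below $MinHistoryLength" }
    if (-not $complexity) { $findings += 'Password complexity is not enforced' }
    if ($storeClear)      { $findings += 'Passwords are stored with reversible encryption' }

    [pscustomobject]@{
        Domain               = $domain.ds_distinguishedname
        LockoutThreshold     = $threshold
        LockoutDuration      = $domain.ds_lockoutduration
        MinPasswordLength    = $minLength
        PasswordHistory      = $history
        ComplexityRequired   = $complexity
        ReversibleEncryption = $storeClear
        Findings             = $findings
    }
}

Test-DomainPasswordPolicy | Format-List
```

The raw `ds_lockoutduration` and `ds_maxpwdage` values are passed through unconverted here; they are stored as 100-nanosecond intervals in the directory, so compare them to the domain's own Group Policy rather than reading them as seconds.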

### Finding the domain controller

Domain controllers can be identified by their UserAccountControl value. Here are the default UserAccountControl values for the common object types:

```
Typical user: 0x200 (512)
Domain controller: 0x82000 (532480)
Workstation/server: 0x1000 (4096)
```

Filtering on UserAccountControl equal to 532480:

```powershell
Get-WmiObject -Namespace root\directory\ldap -Class ds_computer | where {
    $_.ds_useraccountcontrol -eq 532480   # compare the value, not a regex substring
} | select ds_cn, ds_dnshostname, ds_operatingsystem, ds_lastlogon, ds_pwdlastset
```
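UserAccountControl is a bitmask, and 532480 (0x82000) is just `SERVER_TRUST_ACCOUNT` (0x2000) combined with `TRUSTED_FOR_DELEGATION` (0x80000). The added example below (not part of the original post) decodes the mask with the standard `ADS_USER_FLAG` constants, finds domain controllers by testing the relevant bit rather than the whole number, and reuses the decoder for a hygiene check over `ds_user` objects. The function names and the choice of flags to audit are this example's own.

```powershell
# Added example: decode userAccountControl as a bitmask. Flag names and values
# are the standard ADS_USER_FLAG constants; the audit selection is an assumption.
$UacFlags = [ordered]@{
    ACCOUNTDISABLE                 = 0x0002
    PASSWD_NOTREQD                 = 0x0020
    NORMAL_ACCOUNT                 = 0x0200
    WORKSTATION_TRUST_ACCOUNT      = 0x1000
    SERVER_TRUST_ACCOUNT           = 0x2000
    DONT_EXPIRE_PASSWORD           = 0x10000
    TRUSTED_FOR_DELEGATION         = 0x80000
    NOT_DELEGATED                  = 0x100000
    DONT_REQUIRE_PREAUTH           = 0x400000
    TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000
}

# Return the names of every flag set in a userAccountControl value.
function ConvertFrom-UserAccountControl {
    param([Parameter(Mandatory)][int]$Value)
    $UacFlags.GetEnumerator() |
        Where-Object { ($Value -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key }
}

# Domain controllers carry SERVER_TRUST_ACCOUNT. Testing the bit instead of
# comparing against 532480 keeps a DC visible even if extra flags are set on it.
function Get-DomainControllerAccount {
    Get-WmiObject -Namespace root\directory\ldap -Class ds_computer |
        Where-Object { ([int]$_.ds_useraccountcontrol -band $UacFlags.SERVER_TRUST_ACCOUNT) -ne 0 } |
        Select-Object ds_cn, ds_dnshostname, ds_operatingsystem
}

# Hygiene view: enabled user objects whose password is either not required or
# never expires, with the full flag list decoded for the reviewer.
function Get-UserAccountHygieneFinding {
    $watch = $UacFlags.PASSWD_NOTREQD -bor $UacFlags.DONT_EXPIRE_PASSWORD
    Get-WmiObject -Namespace root\directory\ldap -Class ds_user |
        Where-Object {
            $uac = [int]$_.ds_useraccountcontrol
            (($uac -band $UacFlags.ACCOUNTDISABLE) -eq 0) -and (($uac -band $watch) -ne 0)
        } |
        ForEach-Object {
            [pscustomobject]@{
                SamAccountName = $_.ds_samaccountname
                UAC            = $_.ds_useraccountcontrol
                Flags          = (ConvertFrom-UserAccountControl ([int]$_.ds_useraccountcontrol)) -join ','
            }
        }
}

ConvertFrom-UserAccountControl 532480   # SERVER_TRUST_ACCOUNT, TRUSTED_FOR_DELEGATION
Get-DomainControllerAccount
Get-UserAccountHygieneFinding | Format-Table -AutoSize
```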

### Searching user accounts

Query all users in trusted domains:

```powershell
Get-WmiObject -Class win32_useraccount | select name, domain, accounttype
```

| Account Type                | Identifier                      | Constant |
| --------------------------- | ------------------------------- | -------- |
| Temporary Duplicate Account | UF\_TEMP\_DUPLICATE\_ACCOUNT    | 256      |
| Normal Account              | UF\_NORMAL\_ACCOUNT             | 512      |
| Interdomain Trust Account   | UF\_INTERDOMAIN\_TRUST\_ACCOUNT | 2048     |
| Workstation Trust Account   | UF\_WORKSTATION\_TRUST\_ACCOUNT | 4096     |
| Server Trust Account        | UF\_SERVER\_TRUST\_ACCOUNT      | 8192     |

#### Adding filtering

```powershell
Get-WmiObject -Class win32_useraccount -Filter 'domain="infected"' | select caption
```

### Enumerating currently logged-on users

The Win32\_LoggedOnUser class provides information about the users logged on to the system, including their domain. To keep only domain users (here the domain is named `infected`) and drop local accounts, we can use the following command:

```powershell
Get-WmiObject -Class win32_loggedonuser | where {
    $_ -match 'infected'
} | foreach {[wmi]$_.antecedent}
```

### Fetching groups

```powershell
Get-WmiObject -Class win32_groupindomain | foreach {[wmi]$_.partcomponent}
```

> The same could be done with the Win32\_Group class, but the output would include the local groups as well.

### Query group membership

```powershell
Get-WmiObject -Class win32_groupuser | where {
    $_.groupcomponent -match 'domain admins'
} | foreach {[wmi]$_.partcomponent}
```

This is equally applicable for the reverse use case. If we want to enumerate the groups that a particular user is in (Administrator in this case), then we can do something like:

```powershell
Get-WmiObject -Class win32_groupuser | where {
    $_.partcomponent -match 'Administrator'   # $_ is the current pipeline object
} | foreach {[wmi]$_.groupcomponent}
```

### Finding machines in the domain

```powershell
Get-WmiObject -Namespace root\directory\ldap -Class ds_computer | select ds_cn
```

### Enumerating admin privileges across AD

An important thing to remember is that, by default, WMI provides remote access only to local administrators, so the loop below effectively lists the machines on which the current account holds local admin rights.

```powershell
$pcs = Get-WmiObject -Namespace root\directory\ldap -Class ds_computer | select -ExpandProperty ds_cn
foreach ($pc in $pcs) {
    (Get-WmiObject -Class win32_computersystem -ComputerName $pc -ErrorAction silentlycontinue).name
}
```
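The loop above only prints the names of hosts that answered, so a failed host is indistinguishable from one where the account simply lacks admin rights. The added example below (not part of the original post) keeps one record per host and separates "access denied" (host reachable, no admin rights) from "unreachable" (DCOM/RPC blocked or host offline), which is what you want when auditing an account's admin footprint. It uses `ds_dnshostname` instead of `ds_cn` so that name resolution goes through DNS; the function name and the exception-to-status mapping are this example's assumptions.

```powershell
# Added example: per-host audit of remote WMI (local admin) access for the
# current account. Exception-type mapping is an assumption; the final catch
# keeps the function correct for anything not matched earlier.
function Get-RemoteWmiAccess {
    param(
        [string[]]$ComputerName = (Get-WmiObject -Namespace root\directory\ldap -Class ds_computer |
                                   Select-Object -ExpandProperty ds_dnshostname)
    )

    foreach ($pc in $ComputerName) {
        if (-not $pc) { continue }   # computer objects without a DNS name

        $result = [pscustomobject]@{ Host = $pc; AdminAccess = $false; Status = '' }
        try {
            $cs = Get-WmiObject -Class win32_computersystem -ComputerName $pc -ErrorAction Stop
            $result.AdminAccess = $true
            $result.Status      = "ok ($($cs.Name))"
        } catch [System.UnauthorizedAccessException] {
            # E_ACCESSDENIED: the host is up but the account is not a local admin there
            $result.Status = 'access denied'
        } catch [System.Runtime.InteropServices.COMException] {
            # typically "RPC server is unavailable": firewall, DCOM disabled, or host offline
            $result.Status = "unreachable: $($_.Exception.Message.Trim())"
        } catch {
            $result.Status = "error: $($_.Exception.Message.Trim())"
        }
        $result
    }
}

$report = Get-RemoteWmiAccess
$report | Where-Object AdminAccess | Select-Object Host          # where the account is local admin
$report | Group-Object Status | Select-Object Count, Name         # summary of the whole sweep
```

Note that every attempt is a network logon on the target, so a sweep like this is visible to the targets' own logon auditing; run it from a designated audit account so those events are expected rather than alarming.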

## References

- <https://0xinfection.github.io/posts/wmi-ad-enum>


