WMI domain enumeration through root\directory\ldap
Domain enumeration using WMI
The Active Directory provider uses the root\directory\ldap
namespace. Within that namespace, every Active Directory schema class and attribute is mapped to corresponding WMI classes or properties.
Finding the domain name
After gaining access to a box on a domain, one of the first steps in basic reconnaissance would be to try to figure out the domain name on which we are on:
Getting the domain policy
This information can be important to avoid detections and lockouts
Finding the domain controller
UserAccountControl values
Here are the default UserAccountControl values for the certain objects:
Filtering on UserAccountControl equal to 532480
Searching user accounts
Query all user in trusted domains
Account Type
Identifier
Constant
Temporary Duplicate Account
UF_TEMP_DUPLICATE_ACCOUNT
256
Normal Account
UF_NORMAL_ACCOUNT
512
Interdomain Trust Account
UF_INTERDOMAIN_TRUST_ACCOUNT
2048
Workstation Trust Account
UF_WORKSTATION_TRUST_ACCOUNT
4096
Server Trust Account
UF_SERVER_TRUST_ACCOUNT
8192
Adding filtering
Enumerating currently logged-on users
The Win32_LoggedOnUser classes provide information about the logged-on users in that system as well as the domain. To filter out logged-on local users, we can use the following command:
Fetching groups
The same could be done with the Win32_Group class, but the output would include the local groups as well.
Query group membership
This is equally applicable for the reverse use case. If we want to enumerate the groups that a particular user is in (Administrator in this case), then we can do something like:
Finding machines in the domain
Enumerating admin privileges across AD
An important thing to remember is, by default WMI provides remote access only to local administrators.
References
Last updated