WMI domain enumeration through root\directory\ldap
Domain enumeration using WMI
The Active Directory provider uses the root\directory\ldap namespace. Within that namespace, every Active Directory schema class and attribute is mapped to a corresponding WMI class or property.
Get-WmiObject -Namespace root\directory\ldap -Class ds_* -List
Finding the domain name
After gaining access to a box on a domain, one of the first steps in basic reconnaissance is to figure out which domain we are on:
Get-WmiObject -Namespace root\directory\ldap -Class ds_domain | select ds_dc, ds_distinguishedname, pscomputername
Getting the domain policy
This information can be important to avoid detection and lockouts.
Get-WmiObject -Namespace root\directory\ldap -Class ds_domain | select ds_lockoutduration, ds_lockoutobservationwindow, ds_lockoutthreshold, ds_maxpwdage, ds_minpwdage, ds_minpwdlength, ds_pwdhistorylength, ds_pwdproperties
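The raw values returned by the query above are hard to read: the age and lockout intervals are negative 64-bit counts of 100-nanosecond ticks, and ds_pwdproperties is a bit field. The following is an added example (not code from the original page) that decodes those fields and audits them against a baseline. The thresholds used for the baseline are assumptions chosen for this example, not a published standard, and the sample domain object is constructed so the script runs offline.

```powershell
# Added example, not from the original page: decode and audit the ds_domain policy
# values. AD stores lockoutDuration, lockoutObservationWindow, maxPwdAge and minPwdAge
# as negative int64 counts of 100-ns intervals (the same unit as .NET ticks);
# pwdProperties carries the DOMAIN_PASSWORD_* bits. Baseline thresholds are assumptions.

function ConvertFrom-AdInterval {
    # Convert an AD LargeInteger interval to a TimeSpan; int64 MinValue means "never".
    param([Parameter(Mandatory)]$Value)
    $ticks = [int64]$Value
    if ($ticks -eq [int64]::MinValue) { return $null }
    [TimeSpan]::FromTicks([Math]::Abs($ticks))
}

# DOMAIN_PASSWORD_* bits of pwdProperties
$PwdPropertyFlags = [ordered]@{
    DOMAIN_PASSWORD_COMPLEX         = 0x01
    DOMAIN_PASSWORD_NO_ANON_CHANGE  = 0x02
    DOMAIN_PASSWORD_NO_CLEAR_CHANGE = 0x04
    DOMAIN_LOCKOUT_ADMINS           = 0x08
    DOMAIN_PASSWORD_STORE_CLEARTEXT = 0x10
    DOMAIN_REFUSE_PASSWORD_CHANGE   = 0x20
}

function Test-DomainPasswordPolicy {
    param(
        # Any object carrying the ds_* properties returned by the ds_domain class
        [Parameter(Mandatory)]$Domain,
        [int]$MinLength = 14,
        [int]$MinHistory = 24,
        [int]$MaxLockoutThreshold = 10,
        [int]$MaxPwdAgeDays = 365
    )
    $props    = [int]$Domain.ds_pwdproperties
    $flags    = @($PwdPropertyFlags.Keys | Where-Object { $props -band $PwdPropertyFlags[$_] })
    $maxAge   = ConvertFrom-AdInterval $Domain.ds_maxpwdage
    $findings = [System.Collections.Generic.List[string]]::new()

    if (-not ($props -band 0x01)) { $findings.Add('password complexity is not enforced') }
    if ($props -band 0x10)        { $findings.Add('reversible (cleartext) password storage is enabled') }
    if ([int]$Domain.ds_minpwdlength -lt $MinLength) {
        $findings.Add("minimum password length $($Domain.ds_minpwdlength) is below $MinLength")
    }
    if ([int]$Domain.ds_pwdhistorylength -lt $MinHistory) {
        $findings.Add("password history $($Domain.ds_pwdhistorylength) is below $MinHistory")
    }
    $threshold = [int]$Domain.ds_lockoutthreshold
    if ($threshold -eq 0) {
        $findings.Add('lockout threshold is 0: accounts never lock out')
    } elseif ($threshold -gt $MaxLockoutThreshold) {
        $findings.Add("lockout threshold $threshold is above $MaxLockoutThreshold")
    }
    if ($null -eq $maxAge) {
        $findings.Add('maximum password age is set to never expire')
    } elseif ($maxAge.TotalDays -gt $MaxPwdAgeDays) {
        $findings.Add("maximum password age $([int]$maxAge.TotalDays) days is above $MaxPwdAgeDays")
    }

    [pscustomobject]@{
        Domain            = $Domain.ds_dc
        PwdProperties     = $flags -join ','
        MinPwdLength      = [int]$Domain.ds_minpwdlength
        PwdHistoryLength  = [int]$Domain.ds_pwdhistorylength
        MaxPwdAge         = $maxAge
        LockoutThreshold  = $threshold
        LockoutDuration   = ConvertFrom-AdInterval $Domain.ds_lockoutduration
        ObservationWindow = ConvertFrom-AdInterval $Domain.ds_lockoutobservationwindow
        Findings          = $findings
    }
}

# Constructed sample resembling a ds_domain instance so the audit runs offline:
# 42-day max age, 30-minute lockout window, no complexity bit, no lockout threshold.
$sampleDomain = [pscustomobject]@{
    ds_dc                       = 'corp'
    ds_pwdproperties            = 0
    ds_minpwdlength             = 7
    ds_pwdhistorylength         = 24
    ds_maxpwdage                = -36288000000000   # 42 days in 100-ns ticks
    ds_minpwdage                = -864000000000     # 1 day
    ds_lockoutthreshold         = 0
    ds_lockoutduration          = -18000000000      # 30 minutes
    ds_lockoutobservationwindow = -18000000000
}
Test-DomainPasswordPolicy -Domain $sampleDomain | Format-List

# Against the live domain, reuse the page's query as input:
# Get-WmiObject -Namespace root\directory\ldap -Class ds_domain |
#     ForEach-Object { Test-DomainPasswordPolicy -Domain $_ }
```

The sample produces three findings (no complexity, length 7 below 14, threshold 0). Casting through [int64] works whether the provider hands back the intervals as numbers or as strings.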
Finding the domain controller
UserAccountControl values
Here are the default UserAccountControl values for certain object types:
Typical user: 0x200 (512)
Domain controller: 0x82000 (532480)
Workstation/server: 0x1000 (4096)
Filtering on UserAccountControl equal to 532480
Get-WmiObject -Namespace root\directory\ldap -Class ds_computer | where {
$_.ds_useraccountcontrol -eq 532480
} | select ds_cn, ds_dnshostname, ds_operatingsystem, ds_lastlogon, ds_pwdlastset
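The value 532480 is 0x82000, which is SERVER_TRUST_ACCOUNT (0x2000) plus TRUSTED_FOR_DELEGATION (0x80000); comparing the whole number only finds domain controllers whose attribute has exactly those two bits set, and misses read-only domain controllers or any DC with an extra flag. The following added example (not code from the original page) decodes a userAccountControl value into its flag names and locates domain controllers by testing the SERVER_TRUST_ACCOUNT bit. The flag table is the standard UF_* bit layout; the sample computer objects are constructed.

```powershell
# Added example, not from the original page: decode userAccountControl bit flags and
# select domain controllers by the SERVER_TRUST_ACCOUNT bit rather than by exact value.
$UacFlags = [ordered]@{
    SCRIPT                         = 0x00000001
    ACCOUNTDISABLE                 = 0x00000002
    HOMEDIR_REQUIRED               = 0x00000008
    LOCKOUT                        = 0x00000010
    PASSWD_NOTREQD                 = 0x00000020
    PASSWD_CANT_CHANGE             = 0x00000040
    ENCRYPTED_TEXT_PWD_ALLOWED     = 0x00000080
    TEMP_DUPLICATE_ACCOUNT         = 0x00000100
    NORMAL_ACCOUNT                 = 0x00000200
    INTERDOMAIN_TRUST_ACCOUNT      = 0x00000800
    WORKSTATION_TRUST_ACCOUNT      = 0x00001000
    SERVER_TRUST_ACCOUNT           = 0x00002000
    DONT_EXPIRE_PASSWORD           = 0x00010000
    MNS_LOGON_ACCOUNT              = 0x00020000
    SMARTCARD_REQUIRED             = 0x00040000
    TRUSTED_FOR_DELEGATION         = 0x00080000
    NOT_DELEGATED                  = 0x00100000
    USE_DES_KEY_ONLY               = 0x00200000
    DONT_REQ_PREAUTH               = 0x00400000
    PASSWORD_EXPIRED               = 0x00800000
    TRUSTED_TO_AUTH_FOR_DELEGATION = 0x01000000
    PARTIAL_SECRETS_ACCOUNT        = 0x04000000
}

function ConvertFrom-UserAccountControl {
    # Return the names of every flag set in the value.
    param([Parameter(Mandatory)][int64]$Value)
    foreach ($name in $UacFlags.Keys) {
        if ($Value -band $UacFlags[$name]) { $name }
    }
}

function Get-DomainControllerByUac {
    # Any object with ds_cn, ds_dnshostname, ds_operatingsystem and ds_useraccountcontrol
    param([Parameter(Mandatory)]$Computers)
    $Computers | Where-Object {
        ([int64]$_.ds_useraccountcontrol) -band $UacFlags.SERVER_TRUST_ACCOUNT
    } | Select-Object ds_cn, ds_dnshostname, ds_operatingsystem,
        @{ n = 'Flags'; e = { (ConvertFrom-UserAccountControl $_.ds_useraccountcontrol) -join ',' } }
}

# 532480 -> SERVER_TRUST_ACCOUNT, TRUSTED_FOR_DELEGATION
ConvertFrom-UserAccountControl 532480

# Constructed sample objects (not real query output): a writable DC, an RODC and a workstation.
$sampleComputers = @(
    [pscustomobject]@{ ds_cn = 'DC01'; ds_dnshostname = 'dc01.corp.example'; ds_operatingsystem = 'Windows Server'; ds_useraccountcontrol = 532480 }
    [pscustomobject]@{ ds_cn = 'RODC1'; ds_dnshostname = 'rodc1.corp.example'; ds_operatingsystem = 'Windows Server'; ds_useraccountcontrol = 0x05001000 }
    [pscustomobject]@{ ds_cn = 'WS01'; ds_dnshostname = 'ws01.corp.example'; ds_operatingsystem = 'Windows 10'; ds_useraccountcontrol = 4096 }
)
Get-DomainControllerByUac -Computers $sampleComputers

# Live query, same shape as the page's command:
# Get-DomainControllerByUac -Computers (Get-WmiObject -Namespace root\directory\ldap -Class ds_computer)
```

Note that the RODC in the sample (WORKSTATION_TRUST_ACCOUNT plus PARTIAL_SECRETS_ACCOUNT plus TRUSTED_TO_AUTH_FOR_DELEGATION) is not matched by the SERVER_TRUST_ACCOUNT test either; if read-only controllers matter for an inventory, test the PARTIAL_SECRETS_ACCOUNT bit as well. The decoder is equally useful when reviewing user objects, since flags such as PASSWD_NOTREQD or DONT_EXPIRE_PASSWORD are easy to overlook in a raw integer.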
Searching user accounts
Query all users in trusted domains
Get-WmiObject -Class win32_useraccount | select name, domain, accounttype
Account Type                 Identifier                      Constant
Temporary Duplicate Account  UF_TEMP_DUPLICATE_ACCOUNT       256
Normal Account               UF_NORMAL_ACCOUNT               512
Interdomain Trust Account    UF_INTERDOMAIN_TRUST_ACCOUNT    2048
Workstation Trust Account    UF_WORKSTATION_TRUST_ACCOUNT    4096
Server Trust Account         UF_SERVER_TRUST_ACCOUNT         8192
Adding filtering
Get-WmiObject -Class win32_useraccount -Filter 'domain="infected"' | select caption
Enumerating currently logged-on users
The Win32_LoggedOnUser class provides information about the users logged on to that system, both local and domain accounts. To filter out local logged-on users and keep only domain users (the domain is named infected in this example), we can use the following command:
Get-WmiObject -Class win32_loggedonuser | where {
$_ -match 'infected'
} | foreach {[wmi]$_.antecedent}
Fetching groups
Get-WmiObject -Class win32_groupindomain | foreach {[wmi]$_.partcomponent}
The same could be done with the Win32_Group class, but the output would include the local groups as well.
Query group membership
Get-WmiObject -Class win32_groupuser | where {
$_.groupcomponent -match 'domain admins'
} | foreach {[wmi]$_.partcomponent}
This is equally applicable for the reverse use case. If we want to enumerate the groups that a particular user is in (Administrator in this case), then we can do something like:
Get-WmiObject -Class win32_groupuser | where {
$_.partcomponent -match 'Administrator'
} | foreach {[wmi]$_.groupcomponent}
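Both Win32_GroupUser queries above, and the Win32_LoggedOnUser query earlier, match a substring against a WMI object path such as \\DC01\root\cimv2:Win32_Group.Domain="CORP",Name="Domain Admins". A substring match on 'Administrator' also hits the Administrators group and any account whose name contains that word. The following is an added example (not code from the original page) that parses the object path into Domain, Class and Name so that group membership can be resolved in either direction with an exact, case-insensitive name comparison. The function names and the sample association objects are constructed for this example.

```powershell
# Added example, not from the original page: parse WMI object paths from association
# classes (Win32_GroupUser, Win32_LoggedOnUser) and resolve membership exactly.

function ConvertFrom-WmiObjectPath {
    # \\SERVER\root\cimv2:Win32_Group.Domain="CORP",Name="Domain Admins"
    #   server  namespace  class       key=value pairs
    param([Parameter(Mandatory)][string]$Path)
    if ($Path -notmatch '^(?:\\\\(?<server>[^\\]+)\\)?(?<ns>[^:]+):(?<class>[^.]+)\.(?<rest>.+)$') {
        throw "Not a WMI object path: $Path"
    }
    $keys = @{}
    foreach ($m in [regex]::Matches($Matches['rest'], '(?<k>\w+)="(?<v>[^"]*)"')) {
        $keys[$m.Groups['k'].Value] = $m.Groups['v'].Value
    }
    [pscustomobject]@{
        Server    = $Matches['server']
        Namespace = $Matches['ns']
        Class     = $Matches['class']
        Domain    = $keys['Domain']
        Name      = $keys['Name']
    }
}

function Get-GroupMembership {
    # -Group: list members of that group; -Member: list groups containing that account.
    # -Associations: Win32_GroupUser instances (live query by default, or constructed).
    param(
        [string]$Group,
        [string]$Member,
        $Associations = (Get-WmiObject -Class win32_groupuser)
    )
    foreach ($a in $Associations) {
        $g = ConvertFrom-WmiObjectPath $a.groupcomponent
        $m = ConvertFrom-WmiObjectPath $a.partcomponent
        # -ne is case-insensitive in PowerShell, and compares the full name, not a substring
        if ($Group  -and $g.Name -ne $Group)  { continue }
        if ($Member -and $m.Name -ne $Member) { continue }
        [pscustomobject]@{
            Group       = "$($g.Domain)\$($g.Name)"
            Member      = "$($m.Domain)\$($m.Name)"
            MemberClass = $m.Class
        }
    }
}

# Constructed sample associations (not real query output).
$sampleAssociations = @(
    [pscustomobject]@{
        groupcomponent = '\\DC01\root\cimv2:Win32_Group.Domain="CORP",Name="Domain Admins"'
        partcomponent  = '\\DC01\root\cimv2:Win32_UserAccount.Domain="CORP",Name="Administrator"'
    }
    [pscustomobject]@{
        groupcomponent = '\\DC01\root\cimv2:Win32_Group.Domain="CORP",Name="Domain Admins"'
        partcomponent  = '\\DC01\root\cimv2:Win32_Group.Domain="CORP",Name="Enterprise Admins"'
    }
    [pscustomobject]@{
        groupcomponent = '\\DC01\root\cimv2:Win32_Group.Domain="DC01",Name="Administrators"'
        partcomponent  = '\\DC01\root\cimv2:Win32_UserAccount.Domain="CORP",Name="Administrators Helpdesk"'
    }
)

# Members of Domain Admins: Administrator (user) and Enterprise Admins (nested group)
Get-GroupMembership -Group 'Domain Admins' -Associations $sampleAssociations
# Groups containing exactly "Administrator": only Domain Admins; the helpdesk account is excluded
Get-GroupMembership -Member 'Administrator' -Associations $sampleAssociations
```

The MemberClass column shows whether a member is a Win32_UserAccount or a nested Win32_Group, which a substring match never reveals. The same parser applies to the antecedent property of Win32_LoggedOnUser, whose value is a Win32_Account path in the same format.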
Finding machines in the domain
Get-WmiObject -Namespace root\directory\ldap -Class ds_computer | select ds_cn
Enumerating admin privileges across AD
An important thing to remember is that, by default, WMI provides remote access only to local administrators.
$pcs = Get-WmiObject -Namespace root\directory\ldap -Class ds_computer | select -ExpandProperty ds_cn
foreach ($pc in $pcs) {
(Get-WmiObject -Class win32_computersystem -ComputerName $pc -ErrorAction silentlycontinue).name
}