RFC - Offensive Security Notes

WMI domain enumeration through root\directory\ldap

Domain enumeration using WMI

The Active Directory provider uses the root\directory\ldap namespace. Within that namespace, every Active Directory schema class and attribute is mapped to corresponding WMI classes or properties.

Get-WmiObject -Namespace root\directory\ldap -Class ds_* -List

Finding the domain name

After gaining access to a box on a domain, one of the first steps in basic reconnaissance is to figure out the name of the domain we are in:

Get-WmiObject -Namespace root\directory\ldap -Class ds_domain | select ds_dc, 
ds_distinguishedname, pscomputername

Getting the domain policy

This information is important for avoiding detections and account lockouts:

Get-WmiObject -Namespace root\directory\ldap -Class ds_domain | select ds_lockoutduration,
ds_lockoutobservationwindow, ds_lockoutthreshold, ds_maxpwdage,
ds_minpwdage, ds_minpwdlength, ds_pwdhistorylength, ds_pwdproperties
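
The raw ds_domain values are hard to read as returned (time values are negative counts of 100-nanosecond intervals and ds_pwdproperties is a bit mask). The following is an added example, not code from the original notes, that turns them into a readable policy summary. It assumes the LDAP provider exposes the Integer8 attributes (lockoutDuration, lockoutObservationWindow, maxPwdAge, minPwdAge) as 64-bit integers carrying the directory's own encoding; the sample domain object is constructed.

```powershell
# Added example (not from the original notes): interpret raw ds_domain policy
# values. Assumption: Integer8 attributes arrive as 64-bit integers holding
# negative 100-nanosecond intervals, as stored in the directory.

# pwdProperties bit flags (DOMAIN_PASSWORD_* constants from the Windows SDK)
$PwdPropertyFlags = [ordered]@{
    DOMAIN_PASSWORD_COMPLEX         = 0x1
    DOMAIN_PASSWORD_NO_ANON_CHANGE  = 0x2
    DOMAIN_PASSWORD_NO_CLEAR_CHANGE = 0x4
    DOMAIN_LOCKOUT_ADMINS           = 0x8
    DOMAIN_PASSWORD_STORE_CLEARTEXT = 0x10
    DOMAIN_REFUSE_PASSWORD_CHANGE   = 0x20
}

function ConvertFrom-AdInterval {
    # Negative 100 ns ticks -> TimeSpan. Int64.MinValue is the directory's
    # encoding for "never" (e.g. maxPwdAge when passwords do not expire).
    param([long]$Value)
    if ($Value -eq [long]::MinValue) { return 'never' }
    return [TimeSpan]::FromTicks(-$Value)
}

function Get-DomainPolicySummary {
    # $Domain: a ds_domain instance, or any object with the same properties
    param([Parameter(Mandatory)]$Domain)

    $flags = foreach ($f in $PwdPropertyFlags.GetEnumerator()) {
        if (($Domain.ds_pwdproperties -band $f.Value) -ne 0) { $f.Key }
    }
    # A threshold of 0 means accounts are never locked out
    $threshold = if ($Domain.ds_lockoutthreshold -eq 0) { 'disabled (no lockout)' } else { $Domain.ds_lockoutthreshold }

    [pscustomobject]@{
        Domain             = $Domain.ds_dc
        LockoutThreshold   = $threshold
        LockoutDuration    = ConvertFrom-AdInterval $Domain.ds_lockoutduration
        LockoutWindow      = ConvertFrom-AdInterval $Domain.ds_lockoutobservationwindow
        MaxPasswordAge     = ConvertFrom-AdInterval $Domain.ds_maxpwdage
        MinPasswordAge     = ConvertFrom-AdInterval $Domain.ds_minpwdage
        MinPasswordLength  = $Domain.ds_minpwdlength
        PasswordHistory    = $Domain.ds_pwdhistorylength
        PasswordProperties = ($flags -join ', ')
    }
}

# Constructed sample (not a real domain): lockout for 30 minutes after 5 bad
# attempts, 42-day maximum password age, 1-day minimum, complexity enforced.
$sample = [pscustomobject]@{
    ds_dc                       = 'example'
    ds_lockoutthreshold         = 5
    ds_lockoutduration          = -18000000000      # 30 minutes in 100 ns ticks
    ds_lockoutobservationwindow = -18000000000
    ds_maxpwdage                = -36288000000000   # 42 days
    ds_minpwdage                = -864000000000     # 1 day
    ds_minpwdlength             = 7
    ds_pwdhistorylength         = 24
    ds_pwdproperties            = 1                 # DOMAIN_PASSWORD_COMPLEX
}
Get-DomainPolicySummary $sample

# Live query (Windows PowerShell 5.1; Get-WmiObject is not present in PowerShell 7,
# where Get-CimInstance -Namespace root\directory\ldap -ClassName ds_domain is the equivalent):
# Get-WmiObject -Namespace root\directory\ldap -Class ds_domain | ForEach-Object { Get-DomainPolicySummary $_ }
```

A threshold of 0 and a maxPwdAge of Int64.MinValue are the two values that read wrong if taken literally, so both are handled explicitly rather than converted.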

Finding the domain controller

UserAccountControl values

Here are the default UserAccountControl values for common object types:

Typical user:        0x200   (512)
Domain controller:   0x82000 (532480)
Workstation/server:  0x1000  (4096)

Filtering on UserAccountControl equal to 532480 (an exact comparison; -match would treat the number as a regular expression and also accept longer values containing it):

Get-WmiObject -Namespace root\directory\ldap -Class ds_computer | where {
    $_.ds_useraccountcontrol -eq 532480
} | select ds_cn, ds_dnshostname, ds_operatingsystem, ds_lastlogon, ds_pwdlastset
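
The default values above are bit masks rather than opaque numbers: 532480 (0x82000) is SERVER_TRUST_ACCOUNT (0x2000) combined with TRUSTED_FOR_DELEGATION (0x80000), so a domain controller whose object has any additional flag set would be missed by a whole-value comparison. The added example below, which is not code from the original notes, decodes a userAccountControl value into its named flags and classifies the object from the trust-account bits; the flag constants are the UF_* values documented by Microsoft and the sample values are constructed.

```powershell
# Added example (not from the original notes): decode userAccountControl into
# named flags. Flag values are the documented UF_* constants; samples are constructed.

$UacFlags = [ordered]@{
    SCRIPT                         = 0x00000001
    ACCOUNTDISABLE                 = 0x00000002
    HOMEDIR_REQUIRED               = 0x00000008
    LOCKOUT                        = 0x00000010
    PASSWD_NOTREQD                 = 0x00000020
    PASSWD_CANT_CHANGE             = 0x00000040
    ENCRYPTED_TEXT_PWD_ALLOWED     = 0x00000080
    TEMP_DUPLICATE_ACCOUNT         = 0x00000100
    NORMAL_ACCOUNT                 = 0x00000200
    INTERDOMAIN_TRUST_ACCOUNT      = 0x00000800
    WORKSTATION_TRUST_ACCOUNT      = 0x00001000
    SERVER_TRUST_ACCOUNT           = 0x00002000
    DONT_EXPIRE_PASSWORD           = 0x00010000
    MNS_LOGON_ACCOUNT              = 0x00020000
    SMARTCARD_REQUIRED             = 0x00040000
    TRUSTED_FOR_DELEGATION         = 0x00080000
    NOT_DELEGATED                  = 0x00100000
    USE_DES_KEY_ONLY               = 0x00200000
    DONT_REQ_PREAUTH               = 0x00400000
    PASSWORD_EXPIRED               = 0x00800000
    TRUSTED_TO_AUTH_FOR_DELEGATION = 0x01000000
    PARTIAL_SECRETS_ACCOUNT        = 0x04000000
}

function ConvertFrom-UserAccountControl {
    # Returns the names of every flag set in $Value
    param([Parameter(Mandatory)][int64]$Value)
    foreach ($f in $UacFlags.GetEnumerator()) {
        if (($Value -band $f.Value) -ne 0) { $f.Key }
    }
}

function Get-AccountKind {
    # Classify by individual bits, so additional flags do not hide an object.
    param([Parameter(Mandatory)][int64]$Value)
    if     ($Value -band 0x4000000) { 'Read-only domain controller (PARTIAL_SECRETS_ACCOUNT)' }
    elseif ($Value -band 0x2000)    { 'Domain controller (SERVER_TRUST_ACCOUNT)' }
    elseif ($Value -band 0x1000)    { 'Workstation/member server (WORKSTATION_TRUST_ACCOUNT)' }
    elseif ($Value -band 0x800)     { 'Inter-domain trust (INTERDOMAIN_TRUST_ACCOUNT)' }
    elseif ($Value -band 0x200)     { 'User (NORMAL_ACCOUNT)' }
    else                            { 'Unknown' }
}

# Constructed samples: the three defaults from the notes, a disabled user whose
# password never expires (0x10202), and a read-only DC (0x05001000).
foreach ($v in 512, 532480, 4096, 66050, 83890176) {
    '{0,10} (0x{0:X}): {1} -> {2}' -f $v, (Get-AccountKind $v), ((ConvertFrom-UserAccountControl $v) -join ' | ')
}

# Bit-tested form of the domain controller filter for the live query:
# Get-WmiObject -Namespace root\directory\ldap -Class ds_computer |
#     Where-Object { ($_.ds_useraccountcontrol -band 0x2000) -ne 0 } |
#     Select-Object ds_cn, ds_dnshostname, ds_operatingsystem
```

The same decoder is useful when reviewing user objects, since flags such as PASSWD_NOTREQD, DONT_REQ_PREAUTH and DONT_EXPIRE_PASSWORD only show up as a changed number in the raw output.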

Searching user accounts

Query all user accounts, including those from trusted domains:

Get-WmiObject -Class win32_useraccount | select name, domain, accounttype

Account Type                 Constant                      Value
Temporary Duplicate Account  UF_TEMP_DUPLICATE_ACCOUNT     256
Normal Account               UF_NORMAL_ACCOUNT             512
Interdomain Trust Account    UF_INTERDOMAIN_TRUST_ACCOUNT  2048
Workstation Trust Account    UF_WORKSTATION_TRUST_ACCOUNT  4096
Server Trust Account         UF_SERVER_TRUST_ACCOUNT       8192

Adding a filter on the domain name:

Get-WmiObject -Class win32_useraccount -Filter 'domain="infected"' | select caption

Enumerating currently logged-on users

The Win32_LoggedOnUser class provides information about the users logged on to the system, both local and domain accounts. To filter out logged-on local users and keep only the domain accounts, we can use the following command:

Get-WmiObject -Class win32_loggedonuser | where {
    $_ -match 'infected'
} | foreach {[wmi]$_.antecedent}

Fetching groups

Get-WmiObject -Class win32_groupindomain | foreach {[wmi]$_.partcomponent}

The same could be done with the Win32_Group class, but the output would include the local groups as well.

Query group membership

Get-WmiObject -Class win32_groupuser | where {
    $_.groupcomponent -match 'domain admins'
} | foreach {[wmi]$_.partcomponent}

The same works for the reverse use case. If we want to enumerate the groups that a particular user is in (Administrator in this case), we can do something like:

Get-WmiObject -Class win32_groupuser | where {
    $_.partcomponent -match 'Administrator'
} | foreach {[wmi]$_.groupcomponent}
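
Both membership queries above match a name against the whole association path string, so 'Administrator' also matches the Administrators group and 'domain admins' would match any group name containing it. The following is an added example, not code from the original notes, that parses the GroupComponent and PartComponent paths into their fields and filters on exact group or member names; the sample association paths, the host name WS01 and the domain name CORP are constructed placeholders.

```powershell
# Added example (not from the original notes): parse Win32_GroupUser association
# paths and filter on exact names. Sample paths, "WS01" and "CORP" are constructed.

function ConvertFrom-WmiPath {
    # '\\HOST\root\cimv2:Win32_UserAccount.Domain="CORP",Name="Administrator"'
    # -> object with Host, Namespace, Class, Domain, Name
    param([Parameter(Mandatory)][string]$Path)

    if ($Path -notmatch '^(?:\\\\(?<Host>[^\\]+)\\)?(?<Namespace>[^:]+):(?<Class>\w+)\.(?<KeyList>.+)$') {
        throw "Not a WMI object path: $Path"
    }
    $obj = [ordered]@{
        Host      = $Matches.Host
        Namespace = $Matches.Namespace
        Class     = $Matches.Class
    }
    # The key list is comma-separated Key="Value" pairs, in any order
    foreach ($m in [regex]::Matches($Matches.KeyList, '(\w+)="([^"]*)"')) {
        $obj[$m.Groups[1].Value] = $m.Groups[2].Value
    }
    [pscustomobject]$obj
}

function Select-GroupMembership {
    # $Associations: Win32_GroupUser instances, or objects carrying the same two
    # string properties. Exact comparisons replace the substring -match.
    param(
        [Parameter(Mandatory)]$Associations,
        [string]$GroupName,
        [string]$MemberName
    )
    foreach ($a in $Associations) {
        $group  = ConvertFrom-WmiPath $a.GroupComponent
        $member = ConvertFrom-WmiPath $a.PartComponent
        if ($GroupName  -and $group.Name  -ne $GroupName)  { continue }
        if ($MemberName -and $member.Name -ne $MemberName) { continue }
        [pscustomobject]@{
            Group       = "$($group.Domain)\$($group.Name)"
            Member      = "$($member.Domain)\$($member.Name)"
            MemberClass = $member.Class   # Win32_UserAccount, or Win32_Group for a nested group
        }
    }
}

# Constructed sample associations
$sample = @(
    [pscustomobject]@{ GroupComponent = '\\WS01\root\cimv2:Win32_Group.Domain="CORP",Name="Domain Admins"'
                       PartComponent  = '\\WS01\root\cimv2:Win32_UserAccount.Domain="CORP",Name="Administrator"' }
    [pscustomobject]@{ GroupComponent = '\\WS01\root\cimv2:Win32_Group.Domain="WS01",Name="Administrators"'
                       PartComponent  = '\\WS01\root\cimv2:Win32_Group.Domain="CORP",Name="Domain Admins"' }
    [pscustomobject]@{ GroupComponent = '\\WS01\root\cimv2:Win32_Group.Domain="WS01",Name="Remote Desktop Users"'
                       PartComponent  = '\\WS01\root\cimv2:Win32_UserAccount.Domain="WS01",Name="Administrator"' }
)

# Members of exactly "Domain Admins": one row
Select-GroupMembership $sample -GroupName 'Domain Admins'

# Groups containing an account named exactly "Administrator": two rows in two
# domains; the nested "Domain Admins" group row is not matched
Select-GroupMembership $sample -MemberName 'Administrator'

# Live data: Select-GroupMembership (Get-WmiObject -Class Win32_GroupUser) -GroupName 'Domain Admins'
```

Keeping Domain in the output matters because a local account and a domain account can share a name, which the path string alone does not make obvious.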

Finding machines in the domain

Get-WmiObject -Namespace root\directory\ldap -Class ds_computer | select ds_cn

Enumerating admin privileges across AD

An important thing to remember is that, by default, WMI grants remote access only to members of the local Administrators group on the target machine.

$pcs = Get-WmiObject -Namespace root\directory\ldap -Class ds_computer | select -ExpandProperty ds_cn
foreach ($pc in $pcs) {
    (Get-WmiObject -Class win32_computersystem -ComputerName $pc -ErrorAction silentlycontinue).name
}

References

Offensive WMI - Active Directory Enumeration (Part 5), 0xInfection's Blog