WMI domain enumeration through root\directory\ldap

Domain enumeration using WMI

The Active Directory provider uses the root\directory\ldap namespace. Within that namespace, every Active Directory schema class and attribute is mapped to corresponding WMI classes or properties.

Get-WmiObject -Namespace root\directory\ldap -Class ds_* -List

Finding the domain name

After gaining access to a box on a domain, one of the first steps in basic reconnaissance would be to try to figure out the domain name on which we are on:

Get-WmiObject -Namespace root\directory\ldap -Class ds_domain | select ds_dc, 
ds_distinguishedname, pscomputername

Getting the domain policy

This information can be important to avoid detections and lockouts

Get-WmiObject -Namespace root\directory\ldap -Class ds_domain | select ds_lockoutduration,
ds_lockoutobservationwindow, ds_lockoutthreshold, ds_maxpwdage,
ds_minpwdage, ds_minpwdlength, ds_pwdhistorylength, ds_pwdproperties

Finding the domain controller

UserAccountControl values

Here are the default UserAccountControl values for the certain objects:

Typical user: 0x200 (512)
Domain controller: 0x82000 (532480)
Workstation/server: 0x1000 (4096)

Filtering on UserAccountControl equal to 532480

Get-WmiObject -Namespace root\directory\ldap -Class ds_computer | where {
    $_.ds_useraccountcontrol -match 532480
} | select ds_cn, ds_dnshostname, ds_operatingsystem, ds_lastlogon, ds_pwdlastset

Searching user accounts

Query all user in trusted domains

Get-WmiObject -Class win32_useraccount | select name, domain, accounttype

Account Type

Identifier

Constant

Temporary Duplicate Account

UF_TEMP_DUPLICATE_ACCOUNT

256

Normal Account

UF_NORMAL_ACCOUNT

512

Interdomain Trust Account

UF_INTERDOMAIN_TRUST_ACCOUNT

2048

Workstation Trust Account

UF_WORKSTATION_TRUST_ACCOUNT

4096

Server Trust Account

UF_SERVER_TRUST_ACCOUNT

8192

Adding filtering

Get-WmiObject -Class win32_useraccount -Filter 'domain="infected"' | select caption

Enumerating currently logged-on users

The Win32_LoggedOnUser classes provide information about the logged-on users in that system as well as the domain. To filter out logged-on local users, we can use the following command:

Get-WmiObject -Class win32_loggedonuser | where {
    $_ -match 'infected'
} | foreach {[wmi]$_.antecedent}

Fetching groups

Get-WmiObject -Class win32_groupindomain | foreach {[wmi]$_.partcomponent}

The same could be done with the Win32_Group class, but the output would include the local groups as well.

Query group membership

Get-WmiObject -Class win32_groupuser | where {
    $_.groupcomponent -match 'domain admins'
} | foreach {[wmi]$_.partcomponent}

This is equally applicable for the reverse use case. If we want to enumerate the groups that a particular user is in (Administrator in this case), then we can do something like:

Get-WmiObject -Class win32_groupuser | where { 
    $.partcomponent -match 'Administrator' 
} | foreach {[wmi]$.groupcomponent}

Finding machines in the domain

Get-WmiObject -Namespace root\directory\ldap -Class ds_computer | select ds_cn

Enumerating admin privileges across AD

An important thing to remember is, by default WMI provides remote access only to local administrators.

$pcs = Get-WmiObject -Namespace root\directory\ldap -Class ds_computer | select -ExpandProperty ds_cn
foreach ($pc in $pcs) {
    (Get-WmiObject -Class win32_computersystem -ComputerName $pc -ErrorAction silentlycontinue).name
}

References

https://0xinfection.github.io/posts/wmi-ad-enum0xinfection.github.io

PreviousVerify connectivity to domain controller NextPAM Trust

Last updated 3 years ago

hashtagDomain enumeration using WMI

hashtagFinding the domain name

hashtagGetting the domain policy

hashtagFinding the domain controller

hashtagSearching user accounts

hashtagAdding filtering

hashtagEnumerating currently logged-on users

hashtagFetching groups

hashtagQuery group membership

hashtagFinding machines in the domain

hashtagEnumerating admin privileges across AD

hashtagReferences