Domain enumeration
PowerView
Import PowerView
beacon> powershell-import C:\Tools\PowerSploit\Recon\PowerView.ps1
Get-Domain
Get the current domain
beacon> powershell Get-Domain
Get-DomainController
Get the domain controllers
beacon> powershell Get-DomainController | select Forest, Name, OSVersion | fl
Get-ForestDomain
Get the current forest
beacon> powershell Get-ForestDomain
Get-DomainPolicyData
Returns the default domain policy or the domain controller policy for the current domain or for a specified domain/domain controller. Useful for finding information such as the domain password policy.
beacon> powershell Get-DomainPolicyData | select -ExpandProperty SystemAccess
MinimumPasswordAge : 1
MaximumPasswordAge : 42
MinimumPasswordLength : 7
PasswordComplexity : 1
PasswordHistorySize : 24
LockoutBadCount : 0
RequireLogonToChangePassword : 0
ForceLogoffWhenHourExpire : 0
ClearTextPassword : 0
LSAAnonymousNameLookup : 0
Get-DomainUser
Returns all (or specified) users.
Use -Properties to return specific attributes.
Use -Identity to return a specific user.
beacon> powershell Get-DomainUser -Identity nlamb -Properties DisplayName, MemberOf | fl
displayname : Nina Lamb
memberof : {CN=Roaming Users,CN=Users,DC=dev,DC=cyberbotic,DC=io, CN=Group Policy Creator
Owners,CN=Users,DC=dev,DC=cyberbotic,DC=io, CN=Domain Admins,CN=Users,DC=dev,DC=cyberbotic,DC=io,
CN=Administrators,CN=Builtin,DC=dev,DC=cyberbotic,DC=io}
Get-DomainComputer
Get all computers in the domain
beacon> powershell Get-DomainComputer -Properties DnsHostName | sort -Property DnsHostName
Get-DomainOU
Search for all organizational units (OUs) or for a specific OU object
beacon> powershell Get-DomainOU -Properties Name | sort -Property Name
name
----
Domain Controllers
Servers
Tier 1
Tier 2
Workstations
Get-DomainGroup
Get all groups in the domain
beacon> powershell Get-DomainGroup
Get all groups whose name contains "Admins"
beacon> powershell Get-DomainGroup | where Name -like "*Admins*" | select SamAccountName
samaccountname
--------------
Domain Admins
Key Admins
DnsAdmins
Oracle Admins
Get-DomainGroupMember
Returns the members of a specific group; here, the Domain Admins (DA) group
beacon> powershell Get-DomainGroupMember -Identity "Domain Admins" | select MemberDistinguishedName
MemberDistinguishedName
-----------------------
CN=Nina Lamb,CN=Users,DC=dev,DC=cyberbotic,DC=io
CN=Administrator,CN=Users,DC=dev,DC=cyberbotic,DC=io
Get-DomainGPO
Returns all Group Policy Objects (GPOs) or a specific GPO object. To enumerate all GPOs applied to a particular machine, use -ComputerIdentity
beacon> powershell Get-DomainGPO -Properties DisplayName | sort -Property DisplayName
displayname
-----------
Default Domain Controllers Policy
Default Domain Policy
Roaming Users
Tier 1 Admins
Tier 2 Admins
Windows Defender
Windows Firewall
beacon> powershell Get-DomainGPO -ComputerIdentity wkstn-1 -Properties DisplayName | sort -Property DisplayName
displayname
-----------
Default Domain Policy
LAPS
PowerShell Logging
Roaming Users
Windows Defender
Windows Firewall
Get-DomainGPOLocalGroup
Returns all GPOs that modify local group membership through Restricted Groups or Group Policy Preferences.
beacon> powershell Get-DomainGPOLocalGroup | select GPODisplayName, GroupName
GPODisplayName GroupName
-------------- ---------
Tier 1 Admins DEV\Developers
Tier 2 Admins DEV\1st Line Support
Get-DomainGPOUserLocalGroupMapping
Enumerates the machines on which a specific domain user/group is a member of a specific local group.
beacon> powershell Get-DomainGPOUserLocalGroupMapping -LocalGroup Administrators | select ObjectName, GPODisplayName, ContainerName, ComputerName
ObjectName GPODisplayName ContainerName ComputerName
---------- -------------- ------------- ------------
1st Line Support Tier 2 Admins {OU=Tier 2,OU=Servers,DC=dev,DC=cyberbotic,DC=io} {srv-2.dev.cyberbotic.io}
Developers Tier 1 Admins {OU=Tier 1,OU=Servers,DC=dev,DC=cyberbotic,DC=io} {srv-1.dev.cyberbotic.io}
Find-DomainUserLocation
Finds the machines on which domain users (Domain Admins by default) are logged in
beacon> powershell Find-DomainUserLocation | select UserName, SessionFromName
UserName SessionFromName
-------- ---------------
nlamb wkstn-2.dev.cyberbotic.io
Get-NetSession
Returns session information for the local (or a remote) machine (CName is the source IP)
beacon> powershell Get-NetSession -ComputerName dc-2 | select CName, UserName
CName UserName
----- --------
\\10.10.17.231 bfarmer
\\10.10.17.132 nlamb
Get-DomainTrust
Enumerate domain trusts
beacon> powershell Get-DomainTrust
ADSearch
Has fewer features than PowerView and SharpView, but offers powerful LDAP query capability.
Find all domain groups whose name ends with "Admins"
beacon> execute-assembly C:\Tools\ADSearch\ADSearch\bin\Debug\ADSearch.exe --search "(&(objectCategory=group)(cn=*Admins))"
[*] No domain supplied. This PC's domain will be used instead
[*] LDAP://DC=dev,DC=cyberbotic,DC=io
[*] CUSTOM SEARCH:
[*] TOTAL NUMBER OF SEARCH RESULTS: 6
[+] cn : Domain Admins
[+] cn : Key Admins
[+] cn : DnsAdmins
[+] cn : Oracle Admins
[+] cn : Subsidiary Admins
[+] cn : MS SQL Admins
ASREP Roasting
beacon> execute-assembly C:\Tools\ADSearch\ADSearch\bin\Release\ADSearch.exe --search "(&(objectCategory=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))" --attributes cn,distinguishedname,samaccountname
Constrained delegation
execute-assembly C:\Tools\ADSearch\ADSearch\bin\Release\ADSearch.exe --search "(&(objectCategory=computer)(msds-allowedtodelegateto=*))" --attributes dnshostname,samaccountname,msds-allowedtodelegateto --json
Unconstrained delegation
execute-assembly C:\Tools\ADSearch\ADSearch\bin\Release\ADSearch.exe --search "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=524288))" --attributes samaccountname,dnshostname
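The numbers in the three filters above are userAccountControl bits (4194304 = DONT_REQ_PREAUTH, 524288 = TRUSTED_FOR_DELEGATION), and 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule. The following Python is an added example, not code from this page or from ADSearch/PowerView; it applies the same tests to constructed sample records so the filters can be read and reviewed offline against a directory export, and it also separates domain controllers (which carry TRUSTED_FOR_DELEGATION by design) from other hosts with unconstrained delegation. The record values and the helper names are assumptions.

```python
# Added example, not code from the page or from ADSearch/PowerView.
# userAccountControl is a bit field; the page's filters test single bits with the
# LDAP bitwise-AND matching rule, and this models that test for an offline audit.

# Documented userAccountControl flag values (subset)
UAC_FLAGS = {
    "NORMAL_ACCOUNT": 0x200,
    "WORKSTATION_TRUST_ACCOUNT": 0x1000,
    "SERVER_TRUST_ACCOUNT": 0x2000,          # set on domain controllers
    "DONT_EXPIRE_PASSWORD": 0x10000,
    "TRUSTED_FOR_DELEGATION": 0x80000,       # 524288: unconstrained delegation
    "DONT_REQ_PREAUTH": 0x400000,            # 4194304: AS-REP roastable
}

def bit_and_match(uac, mask):
    """Semantics of 'userAccountControl:1.2.840.113556.1.4.803:=mask':
    every bit set in mask must also be set in the attribute value."""
    return (uac & mask) == mask

def decode_uac(uac):
    """Names of the known flags set in a userAccountControl value."""
    return [name for name, bit in UAC_FLAGS.items() if uac & bit]

# Constructed sample records (assumed values, not a real directory export)
RECORDS = [
    {"sam": "svc_legacy", "cat": "user", "uac": 0x200 | 0x10000 | 0x400000},
    {"sam": "nlamb", "cat": "user", "uac": 0x200},
    {"sam": "DC-2$", "cat": "computer", "uac": 0x2000 | 0x80000},
    {"sam": "SRV-2$", "cat": "computer", "uac": 0x1000 | 0x80000},
    {"sam": "SRV-1$", "cat": "computer", "uac": 0x1000,
     "msds-allowedtodelegateto": ["cifs/dc-2.dev.cyberbotic.io"]},
]

def audit(records, category, mask):
    """Accounts of objectCategory 'category' matching the page's bit filter."""
    return [r["sam"] for r in records
            if r["cat"] == category and bit_and_match(r["uac"], mask)]

def audit_constrained(records):
    """Constrained delegation: msds-allowedtodelegateto is populated (the '=*' filter)."""
    return [r["sam"] for r in records if r.get("msds-allowedtodelegateto")]

def audit_unconstrained_non_dc(records):
    """Unconstrained delegation on hosts that are not domain controllers, which is
    the finding worth acting on: DCs carry TRUSTED_FOR_DELEGATION by design."""
    return [r["sam"] for r in records
            if r["cat"] == "computer"
            and bit_and_match(r["uac"], UAC_FLAGS["TRUSTED_FOR_DELEGATION"])
            and not bit_and_match(r["uac"], UAC_FLAGS["SERVER_TRUST_ACCOUNT"])]
```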