PowerShell Reconnaissance
Posted by Spoonman1091 in Uncategorized on January 22, 2014
This post is a simple introduction to PowerShell and a demonstration of a couple of useful ways it can be utilized during the information gathering stages of a pentest. All of the examples are demonstrated using PowerShell version 3.0, so unless you are running Windows 8/2012 or above, you will most likely need to download the latest version from Microsoft. To check what version you are currently running, simply run the following command.
PS C:\Users\TrustedSec> $PSVersionTable

Name                           Value
----                           -----
PSVersion                      3.0
WSManStackVersion              3.0
SerializationVersion           1.1.0.1
CLRVersion                     4.0.30319.18408
BuildVersion                   6.2.9200.16398
PSCompatibleVersions           {1.0, 2.0, 3.0}
PSRemotingProtocolVersion      2.2
Edit: @obscuresec pointed out that you must also have the “Active Directory Module for Windows PowerShell” installed/enabled to utilize the following cmdlets. You can find this module in the “Remote Server Administration Tools”, which is a separate download from Microsoft. The module is enabled through the “Programs and Features” Control Panel item.
Assuming that you will be running these commands from a local machine that isn’t joined to the domain, the first requirement for enumerating Active Directory is a set of valid domain credentials, because any valid domain user has full “read” access to Active Directory. If you’re lucky, these are usually attained via brute force or possibly a compromised host on the domain. This is often the first step towards the fall of the “Domain Admin”. However you attain these credentials, use them to connect to the Active Directory service.
PS C:\Users\TrustedSec> $cred = Get-Credential
When prompted, enter the credentials, which will be saved in the “$cred” variable.
Now we can simply call the “$cred” variable when we want to query the domain service. The first command that I like to run is a query for the list of “Domain Admins”.
PS C:\Users\TrustedSec> Get-ADGroupMember -Credential $cred -server pwnt.com "Domain Admins"

distinguishedName : CN=Administrator,CN=Users,DC=pwnt,DC=com
name              : Administrator
objectClass       : user
objectGUID        : 1fd60ff8-07a4-4c6e-9a1e-7cd0d7bb97db
SamAccountName    : Administrator
SID               : S-1-5-21-2027135834-1792351174-2509185371-500

distinguishedName : CN=Larry Spohn,CN=Users,DC=pwnt,DC=com
name              : Larry Spohn
objectClass       : user
objectGUID        : 73cf7cc6-121a-42dd-b3db-1d4ed99a081b
SamAccountName    : Spoonman
SID               : S-1-5-21-2027135834-1792351174-2509185371-1105

distinguishedName : CN=Scott White,CN=Users,DC=pwnt,DC=com
name              : Scott White
objectClass       : user
objectGUID        : 3e28c37b-3c2d-44da-97aa-1a2dc49d10fc
SamAccountName    : s4squatch
SID               : S-1-5-21-2027135834-1792351174-2509185371-1106

distinguishedName : CN=Paul Koblitz,CN=Users,DC=pwnt,DC=com
name              : Paul Koblitz
objectClass       : user
objectGUID        : a064e92b-3f4b-4b99-ba4e-37bdb4c52378
SamAccountName    : ph4que
SID               : S-1-5-21-2027135834-1792351174-2509185371-1107

distinguishedName : CN=Nick Hitchcock,CN=Users,DC=pwnt,DC=com
name              : Nick Hitchcock
objectClass       : user
objectGUID        : 47ce17ad-6f10-4ba1-9a3a-1e23ebe0d308
SamAccountName    : nich8ch
SID               : S-1-5-21-2027135834-1792351174-2509185371-1108

distinguishedName : CN=David Kennedy,CN=Users,DC=pwnt,DC=com
name              : David Kennedy
objectClass       : user
objectGUID        : ba51b393-2ea7-424f-9bd9-f114dcf25b4d
SamAccountName    : rel1k
SID               : S-1-5-21-2027135834-1792351174-2509185371-1109

distinguishedName : CN=Tristan Jones,CN=Users,DC=pwnt,DC=com
name              : Tristan Jones
objectClass       : user
objectGUID        : f5799e28-d357-4ecd-b225-7ff9305d3549
SamAccountName    : AIM_9X
SID               : S-1-5-21-2027135834-1792351174-2509185371-1110
Now, the only field important to us is the “SamAccountName”, so let’s filter the rest out.
PS C:\Users\TrustedSec> Get-ADGroupMember -Credential $cred -server pwnt.com "Domain Admins" | select samaccountname

samaccountname
--------------
Administrator
Spoonman
s4squatch
ph4que
nich8ch
rel1k
AIM_9X
Another useful query might be to enumerate all servers on the domain.
PS C:\Users\TrustedSec> Get-ADComputer -Credential $cred -server pwnt.com -LDAPFilter "(&(objectCategory=computer)(operatingSystem=*Server*))" | select name

name
----
PWNT-DC
Exchange1
SharePoint1
What if we want to search for any computers that are named according to users, such as specific “Domain Admins”?
PS C:\Users\TrustedSec> Get-ADComputer -Credential $cred -server pwnt.com -LDAPFilter "(name=*Spoonman*)" | select name

name
----
Spoonman-Win7
Or maybe we want to search for Unix or database admin users by the job title stored on their account…
PS C:\Users\TrustedSec> Get-ADUser -Credential $cred -server pwnt.com -Properties Title -LDAPFilter "(title=*database*)" | select SamAccountName,Title

SamAccountName Title
-------------- -----
s4squatch      Database Admin
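The same three lookups above (group members, computers named after a user, and the readable Title attribute) fit together as a single review script that a domain owner can run to see exactly what any authenticated user can learn about the privileged accounts. This is an added example, not code from the original post; it assumes the ActiveDirectory module is loaded, uses corp.example as a placeholder for the post’s pwnt.com, and expects the credentials to already be in $cred as shown earlier. It also escapes the account name before interpolating it into the LDAP filter, which the one-liners in the post skip.

```powershell
# Added example, not code from the original post. Assumes the ActiveDirectory
# module, the domain name corp.example (placeholder for the post's pwnt.com),
# and credentials already stored in $cred as the post shows.
Import-Module ActiveDirectory
$server = 'corp.example'   # placeholder domain name

# Escape the characters that carry meaning in an LDAP filter (RFC 4515) so a
# value read back out of the directory cannot change the shape of the filter.
function ConvertTo-LdapFilterValue {
    param([string]$Value)
    $sb = New-Object System.Text.StringBuilder
    foreach ($ch in $Value.ToCharArray()) {
        switch ($ch) {
            '\'  { [void]$sb.Append('\5c') }
            '*'  { [void]$sb.Append('\2a') }
            '('  { [void]$sb.Append('\28') }
            ')'  { [void]$sb.Append('\29') }
            "`0" { [void]$sb.Append('\00') }
            default { [void]$sb.Append($ch) }
        }
    }
    $sb.ToString()
}

# Privileged users, resolved through nested groups, with the Title attribute
# that every authenticated domain user is allowed to read.
$admins = Get-ADGroupMember -Credential $cred -Server $server 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        Get-ADUser -Credential $cred -Server $server -Identity $_.distinguishedName -Properties Title
    }

# For each admin, list computers whose name contains the account name: the
# same (name=*X*) search the post runs, collected here as a review list of
# hosts whose naming ties them to a privileged account.
$report = foreach ($a in $admins) {
    $pattern = '(name=*' + (ConvertTo-LdapFilterValue $a.SamAccountName) + '*)'
    $hosts = Get-ADComputer -Credential $cred -Server $server -LDAPFilter $pattern |
        Select-Object -ExpandProperty Name
    [pscustomobject]@{
        Admin      = $a.SamAccountName
        Title      = $a.Title
        NamedHosts = ($hosts -join ', ')
    }
}
$report | Sort-Object Admin | Format-Table -AutoSize
```

Every row with a non-empty NamedHosts column is a workstation that advertises its owner’s privilege level through its name alone, which is what the post’s “(name=*Spoonman*)” query finds.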
Hopefully this sparks your interest in PowerShell and helps you on your next pentest. If you haven’t already, you should also check out Matt Graeber’s PowerSploit cmdlets. There are many incredibly useful scripts that he maintains and provides to the community for free. Happy PowerSploiting!