Hello Everyone !
In the previous article, I explained the installation of the Active Directory structure which we prepared for the pentest. In this article, we will collect information about this structure without using a tool.
The purpose of this article is to gather information using only Windows features, without using tools. Since the text is long, I have divided it into several headlines:
- For Domain and Forest, Recon with .NET
- For Users, Recon with WMIC
- For Organization Units and Groups, Recon with Active Directory PowerShell
PowerShell was developed as a management interface by combining a command line and a scripting language based on the .NET framework. This situation did not only benefit system engineers… It also worked for us pentesters.
For example, in some Active Directory structures, there are times when you do not have access to PowerShell.
Active Directory PowerShell
We were unable to use this command when the module was not installed. But now we can use it… You saw the output given when querying with .NET. You can get more detailed information with this module.
Let’s continue to analyze the group objects in the Active Directory structure…
We could detect these group names with wmic. But we do not know which Organization Unit these groups are in. An Organization Unit (OU) is a container that holds objects such as users, computers and groups. There is a remarkable name among the OUs analyzed…
In the window on the left of the screen, the groups detected in the OU are listed. In the window on the right of the screen, we see that there are groups among the members when we list the members of the group named Crew. So if we assume a tree, the Nebuchadnezzar OU is at the top of it. Below it is Crew. On the branches of Crew, we can see FieldOfficers and ShipOfficers. I shared this tree in the previous post…
When you make the same query to a group, the objects that are members of it are listed. As an example, you see that the group object called FieldOfficers also has 3 users as members. The value written in the ObjectClass column indicates the type of the object (user or group).
We have listed the important users belonging to the Domain Admins group. Remember, with a user belonging to the Domain Admins group, you can control the entire AD structure.
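As an added example (these are not the article's own commands or screenshots), the queries described above written out with the Active Directory PowerShell module; it assumes the module is installed and that the OU and group names used in this article (Nebuchadnezzar, Crew, FieldOfficers, ShipOfficers) exist in the domain:

```powershell
# Added example, not part of the original article. Requires the ActiveDirectory
# module (RSAT) and a domain-joined session; names come from the article.
Import-Module ActiveDirectory

# 1. OUs: the DistinguishedName already encodes the hierarchy (child OUs end
#    with the parent's DN), so sorting by DN shows the tree.
Get-ADOrganizationalUnit -Filter * |
    Select-Object Name, DistinguishedName |
    Sort-Object DistinguishedName

# 2. Groups inside one OU: -SearchBase restricts the query to that subtree,
#    which answers "which OU is this group in?" that wmic could not tell us.
$ou = Get-ADOrganizationalUnit -Filter "Name -eq 'Nebuchadnezzar'" | Select-Object -First 1
Get-ADGroup -Filter * -SearchBase $ou.DistinguishedName |
    Select-Object Name, GroupScope, GroupCategory, DistinguishedName

# 3. Direct members of a group: ObjectClass says whether each member is a
#    'user' or a nested 'group' (FieldOfficers and ShipOfficers under Crew).
Get-ADGroupMember -Identity 'Crew' |
    Select-Object Name, ObjectClass, DistinguishedName

# 4. Draw the nesting as a tree. A visited set guards against circular group
#    membership, which AD permits and which would otherwise recurse forever.
function Show-GroupTree {
    param([string]$Group, [int]$Depth = 0, [System.Collections.Generic.HashSet[string]]$Seen)
    if (-not $Seen) { $Seen = [System.Collections.Generic.HashSet[string]]::new() }
    if (-not $Seen.Add($Group)) { Write-Output (('  ' * $Depth) + "$Group (already shown)"); return }
    Write-Output (('  ' * $Depth) + $Group)
    Get-ADGroupMember -Identity $Group |
        Where-Object ObjectClass -eq 'group' |
        ForEach-Object { Show-GroupTree -Group $_.Name -Depth ($Depth + 1) -Seen $Seen }
}
Show-GroupTree -Group 'Crew'

# 5. Effective (flattened) user membership: -Recursive expands nested groups,
#    so users who are Domain Admins only via another group are not missed.
Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object ObjectClass -eq 'user' |
    Get-ADUser -Properties Enabled, LastLogonDate |
    Select-Object SamAccountName, Enabled, LastLogonDate
```

Step 5 is the same query a defender runs when auditing privileged groups: any account that appears there but is unexpected, disabled, or long unused deserves a closer look.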
Active Directory PowerShell can be divided into several parts. I am already planning to cover, in future articles, user privileges, group privileges and information gathering on the group policies implemented in the AD structure.
I apologize in advance if I am mistaken or wrong. Please warn me in such cases. Don’t forget!
Knowledge increases with sharing…