Commands to identify domains/work groups and memberships within the network, from outside a windows computer?
- nslookup
- nmap
- name -dhcp
- dig
Commands to identify domains/work groups and memberships within the network, with access to windows cmd or powershell?
CMD
net users %username% #Me
net users #All local users
net localgroup #Groups
net localgroup Administrators #Who is inside Administrators group
whoami /all #Check the privileges
PS
Get -WmiObject -Class Win32_UserAccount
Get -LocalUser | ft Name, Enabled, LastLogon
Get -ChildItem C:\Users -Force | select Name
Get -LocalGroupMember Administrators | ft Name, PrincipalSource
Command to show scans and domain controller names from nmap?
net View
Commands to browse list of available shared network resources collected and distributed by the computer browser service on a Microsoft network?
net share
net view
net view \<computer_name> /All</computer_name>
Command to identify and analyse accessible SMB shares?
net share
enum4linux <target_ip>
smbclient -L \\\<target_ip></target_ip></target_ip>
smbclients option L lists shares
Remove L option to connect
Try anonymous login, if not, use other credentials.
Identifying user accounts on target systems
and domains using NetBIOS
nbtscan <target_ip>
nmap -sV 172.16.1.102 --script nbstat.nse -v</target_ip>
Identifying user accounts on target systems
and domains using SNMP
snmpwalk -c public -vl -t <target_ip>
nmap --script "snmp * and not snmp-brute" <target_ip></target_ip></target_ip>
Identifying user accounts on target systems
and domains using LDAP
nmap -n -sV –script “ldap * and not brute” <target_ip>
ldapsearch -x -h <IP> -D '<DOMAIN>\<username>' -w <passwords>' -b "DC=<1_SUBDOMAIN></passwords></username></DOMAIN></IP></target_ip>
3 AD roles?
- Global Catalogue
- Domain Master Browser
- Flexible Single Master operations (FSMO)
What is Global Catalogue?
Handles AD queries and logon
What is Domain Master Browser?
- used when more than one network in the domain
- each subnet/domain has a master browser, which share info
- when browser list is collected and compiled, then transmitted to all master browser again as the enterprise-wide browse list for the domain
What is Flexible Single Master Operations (FSMO)?
- FSMO is a specialised domain controller set of tasks used where standard data transfer and update methods are inadequate.
- AD normally relies on multiple peer DCs, each with a copy of AD database, being synchronised by multi-master replication.
- The tasks not suited to multi-master replication and are viable only with a single master database are the FSMOs.
5 FSMO roles?
- Schema Master 1 per forest
- Domain Naming Master 1 per forest
- Relative ID (RID) Master 1 per domain
- Primary Domain Controller (PDC) Emulator 1 per domain
- Infrastructure Master 1 per domain
What is Schema Master?
Manages read-write copy of AD schema
The AD schema defines attributes that you can apply to objects in AD database.
What is Domain Naming Master?
Ensures you don’t have domains with same names in the same forest.
Master of domain names.
Since domains aren’t created often, this role is likely to live on same DC with another role.
