Basics

Enumeration

Create user

net user <username> <password> /add
net localgroup administrators <username> /add

Permissions

icacls usage:
check permissions, take or assign ownership of a folder, and grant, remove or deny permissions

# Check permissions
PS C:\> icacls C:\folder_name
(...)

I - permission inherited from the parent container
F - full access (full control)
M - Modify right/access
OI - object inherit
IO - inherit only
CI - container inherit
RX - read and execute
AD - append data (add subdirectories)
WD - write data and add files

# Set ownership
PS C:\> icacls C:\folder_name /setowner Username
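The notes above list grant, remove and deny as icacls operations but only show the check and /setowner forms. The block below is an added example (not from the original page) that walks through the rest on a scratch folder. C:\folder_name, Username and the group name are placeholders to substitute before running; the commands themselves are standard icacls switches.

```powershell
# Added example: grant / deny / inheritance / remove / verify with icacls.
# C:\folder_name, Username and BUILTIN\Users are placeholders (assumptions).
$folder = 'C:\folder_name'
$user   = 'Username'        # assumed local or domain account
$group  = 'BUILTIN\Users'   # well-known local group

New-Item -ItemType Directory -Path $folder -Force | Out-Null

# Back up the DACLs of everything under the folder first.
# Undo later with:  icacls $folder /restore "$env:TEMP\folder_name_acl.txt"
icacls "$folder\*" /save "$env:TEMP\folder_name_acl.txt" /T /C

# Grant Modify; (OI)(CI) makes the ACE inherit to both files and subfolders.
# ${user} (braces) keeps PowerShell from reading "$user:" as a drive/scope prefix.
icacls $folder /grant "${user}:(OI)(CI)M"

# Deny Write to a group. Deny ACEs are evaluated before Allow ACEs, so this wins
# even if the group is also granted access somewhere else in the DACL.
icacls $folder /deny "${group}:(OI)(CI)W"

# Stop inheriting from the parent but keep copies of the inherited ACEs
# (d = disable and copy, r = remove inherited ACEs, e = re-enable inheritance)
icacls $folder /inheritance:d

# Remove only the granted ACEs for the user (/remove:d removes denies, /remove both)
icacls $folder /remove:g $user

# Check: every ACE in the tree that explicitly names the principal, then the final DACL,
# once with icacls and once with Get-Acl so the two views can be compared
icacls $folder /findsid $user /T
icacls $folder
(Get-Acl -Path $folder).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize

# Clean up: put the whole tree back to default inherited ACLs
icacls $folder /reset /T
```

Run it in an elevated PowerShell; /setowner, /inheritance and /reset need either ownership of the folder or SeRestorePrivilege.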

AD DS Data Store

  • Contains NTDS.dit, the database that stores every object and attribute of the Active Directory domain, including the password hashes of all domain users

  • Stored by default in %SystemRoot%\NTDS

  • Accessible only on a domain controller, and only with SYSTEM or Domain Admin rights; the NTDS service keeps the file locked while it runs, so it cannot simply be copied

Forest overview

The Forest consists of :

  • Trees - A hierarchy of domains in Active Directory Domain Services

  • Domains - Used to group and manage objects

  • Organizational Units (OUs) - Containers for groups, computers, users, printers and other OUs

  • Trusts - Allows users to access resources in other domains

  • Objects - users, groups, printers, computers, shares

  • Domain Services - services the domain controller provides to the domain, such as DNS, Kerberos authentication (the KDC) and LDAP

  • Domain Schema - Rules for object creation

Users

  • Domain Admins - administer the entire domain and can log on to and manage domain controllers (Enterprise Admins and the DC's built-in Administrators group can as well)

  • Service Accounts - the accounts that Windows services such as SQL Server run under; each service is paired with its service account

  • Local Administrators - can make changes to their own machine as an administrator and may be able to control the standard users on it, but they have no administrative access to the domain controller

  • Domain Users - these are your everyday users

Windows Server AD vs Azure AD (now Microsoft Entra ID)

Windows Server AD      Azure AD
-----------------      --------------
LDAP                   REST APIs
NTLM                   OAuth/SAML
Kerberos               OpenID
OU Tree                Flat Structure
Domains and Forests    Tenants
Trusts                 Guests

Powershell

- Get-Help

Get-Help Command-Name

- Get-Command

Get-Command Verb-*

- Creating Objects (new objects built from selected properties of a cmdlet's output)

Get-ChildItem | Select-Object -Property Mode, Name

- Filtering Objects

Verb-Noun | Where-Object -Property PropertyName -operator Value

Ex: Get-Service | Where-Object -Property Status -eq Stopped

- Sort Object

Verb-Noun | Sort-Object

Ex: Get-ChildItem | Sort-Object

- Using Modules

Import-Module Module

. .\Module.ps1   (dot-source a script so its functions are loaded into the current session)
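The cmdlets above are easiest to see working together on a real enumeration task. The block below is an added example (not from the original page) that chains Where-Object, Sort-Object and Select-Object over Win32_Service to find services running from outside the Windows directory and services with unquoted paths containing spaces. The function names are mine; Get-CimInstance and Win32_Service are standard.

```powershell
# Added example: the filter / sort / select pipeline applied to local service enumeration.
# Function names are assumptions; the cmdlets and the Win32_Service class are standard Windows.

# Services whose binary lives outside the Windows directory, sorted by name.
function Get-NonSystemService {
    param(
        # Assumption: anything under the Windows directory counts as "system"
        [string]$SystemRoot = $env:SystemRoot
    )
    Get-CimInstance -ClassName Win32_Service |
        Where-Object {
            $_.PathName -and
            # strip surrounding quotes and arguments so only the executable path is compared;
            # paths recorded as %SystemRoot%\... or \??\... are not normalised here
            ($_.PathName -replace '^"([^"]+)".*$', '$1') -notlike "$SystemRoot\*"
        } |
        Sort-Object -Property Name |
        Select-Object -Property Name, State, StartMode, StartName, PathName
}

# Services with an unquoted binary path that contains a space: the service control manager
# tries each prefix (C:\Program.exe, C:\Program Files\Some.exe, ...), so a writable
# directory along the way lets a local user plant a binary that runs as the service account.
function Get-UnquotedServicePath {
    Get-CimInstance -ClassName Win32_Service |
        Where-Object {
            $_.PathName -and
            $_.PathName -notmatch '^"' -and
            # look only at the part up to the executable, not at any arguments after it
            ($_.PathName -split '\.exe', 2)[0] -match '\s'
        } |
        Sort-Object -Property Name |
        Select-Object -Property Name, StartMode, StartName, PathName
}

# Discover what else can be filtered on before writing a new query
Get-CimInstance -ClassName Win32_Service | Get-Member -MemberType Property | Select-Object -First 5

Get-NonSystemService    | Format-Table -AutoSize
Get-UnquotedServicePath | Format-Table -AutoSize
```

Everything here reads WMI only, so it works from a standard user session; fixing an unquoted path (sc config ... binPath= "\"...\"") needs administrator rights.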

- Get-ADDomain (from the RSAT ActiveDirectory module, not PowerSploit; the prompt below only shows the working directory)

C:\[Path]\Powersploit\PowerSploit-master\Recon> Import-Module ActiveDirectory
C:\[Path]\Powersploit\PowerSploit-master\Recon> Get-ADDomain | Select-Object NetBIOSName, DNSRoot, InfrastructureMaster

- Get-ADForest

C:\[Path]\Powersploit\PowerSploit-master\Recon> Get-ADForest | Select-Object Domains

- Get-ADTrust

C:\[Path]\Powersploit\PowerSploit-master\Recon> Get-ADTrust -Filter * | Select-Object Direction,Source,Target
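Get-ADDomain, Get-ADForest and Get-ADTrust answer three questions an assessor asks on arrival: which domain am I in, what else is in the forest, and who does this domain trust. The block below is an added example (not from the original page) that collects those answers into one object and flags the trusts worth reviewing first. The function name is mine; the cmdlets and the properties read (DNSRoot, PDCEmulator, RootDomain, Direction, SIDFilteringQuarantined, SIDFilteringForestAware, SelectiveAuthentication) are those of the RSAT ActiveDirectory module.

```powershell
# Added example: domain / forest / trust summary with the RSAT ActiveDirectory module.
# Function name is an assumption; cmdlet and property names are the module's own.
function Get-ADEnvironmentSummary {
    if (-not (Get-Module -ListAvailable -Name ActiveDirectory)) {
        throw 'ActiveDirectory module not available: install RSAT or run this on a domain controller.'
    }
    Import-Module ActiveDirectory -ErrorAction Stop

    $domain = Get-ADDomain
    $forest = Get-ADForest

    $trusts = Get-ADTrust -Filter * | ForEach-Object {
        # Either flag means SID filtering is on for this trust (quarantine on external
        # trusts, forest-aware filtering on forest trusts)
        $sidFiltering = [bool]($_.SIDFilteringQuarantined -or $_.SIDFilteringForestAware)
        [pscustomobject]@{
            Name             = $_.Name
            Direction        = [string]$_.Direction      # Inbound, Outbound, BiDirectional
            TrustType        = [string]$_.TrustType
            ForestTransitive = $_.ForestTransitive
            SIDFiltering     = $sidFiltering
            SelectiveAuth    = $_.SelectiveAuthentication
            # Trust direction is the opposite of access direction: an Outbound or
            # BiDirectional trust means accounts from the other domain authenticate here,
            # so this domain relies on its own SID filtering for that trust. Those without
            # it are the ones to review first.
            ReviewFirst      = ($_.Direction -ne 'Inbound') -and -not $sidFiltering
        }
    }

    [pscustomobject]@{
        Domain        = $domain.DNSRoot
        NetBIOSName   = $domain.NetBIOSName
        DomainSID     = $domain.DomainSID.Value
        PDCEmulator   = $domain.PDCEmulator
        ForestRoot    = $forest.RootDomain
        ForestDomains = $forest.Domains
        ForestMode    = [string]$forest.ForestMode
        Trusts        = @($trusts)
    }
}

$summary = Get-ADEnvironmentSummary
$summary | Select-Object -Property * -ExcludeProperty Trusts | Format-List
$summary.Trusts | Sort-Object ReviewFirst -Descending | Format-Table -AutoSize
```

Any domain user can read these objects; no elevated rights are needed for the query itself.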

- Powerview

Download: https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1

-- Get-NetDomain

C:\[Path]\Powersploit\PowerSploit-master\Recon> Import-Module .\PowerView.ps1
C:\[Path]\Powersploit\PowerSploit-master\Recon> Get-NetDomain

-- Get-NetDomainController

-- Get-NetForest

-- Get-NetDomainTrust

Powershell - powerview

C:\Users\Administrator\Downloads>dir
 Volume in drive C has no label.
 Volume Serial Number is F83F-6346

 Directory of C:\Users\Administrator\Downloads

01/03/2021  09:59 AM    <DIR>          .
01/03/2021  09:59 AM    <DIR>          ..
05/14/2020  10:39 AM         1,261,832 mimikatz.exe
05/14/2020  10:41 AM           374,625 PowerView.ps1
05/14/2020  10:43 AM           973,325 SharpHound.ps1
               3 File(s)      2,609,782 bytes
               2 Dir(s)  47,299,473,408 bytes free

# load a powershell shell with execution policy bypassed

C:\Users\Administrator\Downloads>powershell -ep bypass
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

# import the PowerView module

PS C:\Users\Administrator\Downloads> . .\PowerView.ps1

PowerView

# get a list of all operating systems on the domain
Get-NetComputer -fulldata | select operatingsystem

# get a list of all users on the domain
Get-NetUser | select cn 
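The two one-liners above return raw lists. The block below is an added example (not from the original page or from PowerView itself) that turns them into answers: which operating systems are still joined, and which enabled users carry weak userAccountControl flags. It assumes the PowerSploit master-branch PowerView.ps1 has been dot-sourced as shown earlier; the function names are mine, and the flag values are the standard userAccountControl bits from the AD schema.

```powershell
# Added example built on Get-NetComputer / Get-NetUser (PowerSploit master PowerView,
# dot-sourced as shown above). Function names are assumptions.

# Domain controllers, for reference
Get-NetDomainController | Select-Object Name, IPAddress, OSVersion | Format-Table -AutoSize

# Operating systems still joined to the domain, most common first (legacy versions stand out)
function Get-DomainOSCount {
    Get-NetComputer -FullData |
        Group-Object -Property operatingsystem |
        Sort-Object -Property Count -Descending |
        Select-Object -Property Count, Name
}

# Standard userAccountControl bit flags (AD schema values, not PowerView constants)
$UAC = @{
    ACCOUNTDISABLE       = 0x0002
    PASSWD_NOTREQD       = 0x0020
    DONT_EXPIRE_PASSWORD = 0x10000
    DONT_REQ_PREAUTH     = 0x400000
}

# Enabled users whose flags weaken authentication: no password required, password never
# expires, or Kerberos pre-authentication disabled (the last one is what makes AS-REP roasting possible)
function Get-WeakUserFlags {
    $weak = $UAC.PASSWD_NOTREQD -bor $UAC.DONT_EXPIRE_PASSWORD -bor $UAC.DONT_REQ_PREAUTH
    Get-NetUser |
        Where-Object {
            $uac = [int]$_.useraccountcontrol
            (-not ($uac -band $UAC.ACCOUNTDISABLE)) -and ($uac -band $weak)
        } |
        Select-Object -Property samaccountname,
            @{ n = 'NoPasswordRequired';   e = { [bool]([int]$_.useraccountcontrol -band $UAC.PASSWD_NOTREQD) } },
            @{ n = 'PasswordNeverExpires'; e = { [bool]([int]$_.useraccountcontrol -band $UAC.DONT_EXPIRE_PASSWORD) } },
            @{ n = 'NoPreauth';            e = { [bool]([int]$_.useraccountcontrol -band $UAC.DONT_REQ_PREAUTH) } } |
        Sort-Object -Property samaccountname
}

Get-DomainOSCount | Format-Table -AutoSize
Get-WeakUserFlags | Format-Table -AutoSize
```

Both queries are plain LDAP reads, so they run as any domain user; the same bit tests work against the ActiveDirectory module's Get-ADUser output if PowerView is not available.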
