Following on from the previous Active Directory Kung-Fu post, I thought I would add a few more things that could be useful on a Pentest.
The tools used are not installed on a standard XP build and will have to be downloaded from Microsoft and installed.
First off, get the two new tools, AdminPack and Group Policy Management.
http://www.microsoft.com/en-us/download/details.aspx?id=16770 – Admin Pack for XP
http://www.microsoft.com/en-us/download/details.aspx?id=21895 – Group Policy Management for XP
Extract and install the Admin Pack, then install gpmc.msi.
Once these two tools are installed you will find that there are new GUI tools.
For the time being we are not really interested in these; the command line versions of these tools are more what we need.
These tools can be run on non-domain-member clients by providing a username and password. This can be done by an unprivileged user: you need an account from the domain, and you must set your DNS server to one on the domain.
These user accounts can be found by many hacking techniques and social engineering.
So let's find the Domain Controllers.
The command we need to use is DSQUERY
As you can see from the screenshot, I provide the domain and a low-privileged username and password.
The command returns the distinguished name of the Domain Controller in my test lab.
OK, now let's find the Admin groups in the Domain.
As you can see here, we searched for groups with the word 'domain*' in the group title. Now, some admins change the names of groups like Domain Admins
to stop or hinder attackers, but do they just rename the group and leave the group description the same? Here we can even search the description given to the group.
So, using the dsquery command again, but this time we search on the 'description'.
The group names are still unchanged, but we know from our search that the description of the group has 'domain' in it; this would help an
attacker gain further info on the Active Directory.
As you can see, we can gather so much info. One other nice command is the DSGET command; with this we can find the members of the groups.
Here we take the distinguished name of the group 'Low Priv Users', hoping this might actually be the renamed Domain Admins group.
As we can see the only member of this group just happens to be Administrator!
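The same two checks, searching group descriptions and listing group members, are just as useful from the admin side: they show whether a renamed privileged group is still given away by its description and who actually ends up in it. The script below is an added example for that audit, not code from the original post. It assumes the RSAT ActiveDirectory PowerShell module is available on a domain-joined host, and that the account running it can read group objects (which, as the post notes, any domain user can by default).

```powershell
# Added audit example, not code from the original post. Assumes the RSAT
# ActiveDirectory module and an account that can read group objects.
Import-Module ActiveDirectory

# Groups whose description still says "domain" although the name no longer does:
# the renamed-group defence from the post, undone by a description left unchanged.
$suspect = Get-ADGroup -LDAPFilter '(description=*domain*)' -Properties Description |
    Where-Object { $_.Name -notlike '*domain*' }

foreach ($g in $suspect) {
    # Recursive membership, so nested groups do not hide who really holds the rights.
    $members = @(Get-ADGroupMember -Identity $g -Recursive)
    [pscustomobject]@{
        Group       = $g.Name
        Description = $g.Description
        DN          = $g.DistinguishedName
        MemberCount = $members.Count
        Members     = ($members | Select-Object -ExpandProperty SamAccountName) -join ', '
    }
}
```

Anything this returns is a group that was renamed but not actually hidden; clearing or rewriting the description is the quick fix, and membership changes to such groups are worth alerting on (security event 4728 for a global group, 4756 for a universal group) so that an unexpected addition of an account like Administrator is seen when it happens rather than when someone runs dsget.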
This is only a brief look at the possible uses of a small set of the Directory Services commands; take some time to explore the others.
More detailed info can be found here,