Easily Find Domain Controllers – More Active Directory Kung-Fu

Following on from the previous Active Directory Kung-Fu post, I thought I would add a few more things that could be useful on a Pentest.

The tools used are not installed on a standard XP build and will have to be downloaded from Microsoft and installed.

First, get the two new tools: the Admin Pack and Group Policy Management.

http://www.microsoft.com/en-us/download/details.aspx?id=16770 – Admin Pack for XP

http://www.microsoft.com/en-us/download/details.aspx?id=21895 – Group Policy Management for XP

Extract and install the Admin Pack, then install gpmc.msi.

Once these two tools are installed you will find that there are new GUI tools.

For the time being we are not really interested in those, though; the command-line versions of these tools are what we need.

These tools can be run from clients that are not domain members by providing a username and password, and an unprivileged account is enough: you need an account from the domain, and you must set your DNS server to one on the domain.
Such user accounts can be obtained through many hacking techniques and social engineering.

So let's find the Domain Controllers.

The command we need to use is DSQUERY.

As you can see from the screenshot, I provide the domain and a low-privileged username and password.

The command returns the distinguished name of the Domain Controller in my test lab.

OK, now let's find the admin groups in the domain.

As you can see, here we searched for groups with 'domain*' in the group name. Some admins rename groups like Domain Admins to stop or hinder attackers, but do they just rename the group and leave the group description unchanged? Here we can even search the description given to the group.

So we use the dsquery command again, but this time we search on the 'description'.

The group names are unchanged, but we know from our search that the description of the group contains 'domain'; this would help an attacker gain further information about the Active Directory.

As you can see, we can gather a great deal of information. One other nice command is DSGET, with which we can find the members of the groups.

Here we take the distinguished name of the group 'Low Priv Users', hoping this might actually be the renamed Domain Admins group.

As we can see, the only member of this group just happens to be Administrator!
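As an added example that is not part of the original post, here is the defender's side of the same lesson: renaming Domain Admins hides nothing, because the built-in privileged groups keep fixed well-known RIDs, so an audit can resolve them by SID and then check whether the description still gives the original purpose away. It assumes the RSAT ActiveDirectory PowerShell module and a domain-joined session; the group names, RIDs and the 'domain|admin' pattern are the only inputs.

```powershell
# Added example, not from the original post. Requires the RSAT ActiveDirectory module.
# The built-in privileged groups keep fixed well-known RIDs, so resolving them by SID
# still finds them after a rename; the audit then flags descriptions that still
# contain 'domain' or 'admin', which is exactly what the dsquery -desc search keys on.
Import-Module ActiveDirectory

$domainSid = (Get-ADDomain).DomainSID.Value

# Default name -> SID. Schema/Enterprise Admins (518/519) exist only in the forest root domain.
$privileged = [ordered]@{
    'Administrators'    = 'S-1-5-32-544'
    'Domain Admins'     = "$domainSid-512"
    'Schema Admins'     = "$domainSid-518"
    'Enterprise Admins' = "$domainSid-519"
}

$report = foreach ($defaultName in $privileged.Keys) {
    $group = Get-ADGroup -Identity $privileged[$defaultName] -Properties Description -ErrorAction SilentlyContinue
    if (-not $group) { continue }   # not present in this domain (child domain), skip

    # Nested membership matters: a user in a group inside Domain Admins is a Domain Admin.
    $members = Get-ADGroupMember -Identity $group -Recursive |
        Select-Object -ExpandProperty SamAccountName

    [pscustomobject]@{
        DefaultName      = $defaultName
        CurrentName      = $group.Name
        Renamed          = ($group.Name -ne $defaultName)
        # A rename buys nothing if the description still says 'domain' or 'admin'.
        DescriptionLeaks = [bool]($group.Description -match 'domain|admin')
        Description      = $group.Description
        Members          = ($members -join ', ')
    }
}

$report | Format-Table -AutoSize -Wrap
```

From a machine that is not a domain member, add `-Server <dc> -Credential (Get-Credential)` to each Get-AD* call, the same way the post passes a domain, username and password to dsquery.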

This is only a brief look at the possible uses of a small set of the Directory Services commands; take some time to explore the others.

More detailed info can be found here.


