Pen Testing Active Directory Environments ebook contents




Invoke-UserHunter. More power than I really need for this: it actually tells me all users currently logged in on all machines across the domain.
But this allows me to then introduce a PowerShell pipeline. Unlike in a Linux command shell, the output of a PowerShell cmdlet is an object, not a string, and that brings in all the machinery of the object-oriented model — attributes, classes, inheritance, etc. We’ll explore more of this idea below.
I present for your amusement the following pipeline. It uses the Where-Object cmdlet, aliased by the ? PowerShell symbol, and keeps only those user objects whose ComputerName AD attribute is equal to “Salsa”, which is my current server.


Note: $_ is the way PowerShell lets you refer to the current object in a stream or collection of objects, so $_.ComputerName reads that object’s ComputerName property.
To see who’s on the Taco server, I did this instead:
Interesting! I found an Administrator.
One of the goals of pen testing is hunting down admins and other users with higher privileges. Invoke-UserHunter is the go-to cmdlet for this work.
Another good source of useful information is the AD groups in the Acme environment. You can learn about organizational structure from looking at group names.
I used PowerView’s Get-NetGroup to query Active Directory for all the groups in the Acme domain. As the output sped by, I noticed, besides all the default groups, that there were a few group names that had Acme as a prefix. They were probably set up and customized by the Acme system admin, which would be me in this case.
One group that caught my attention was the Acme-VIPs group. It might be interesting to see this group’s user membership, and PV’s Get-NetGroupMember does this for me.
I now have a person of interest: Ted Bloatly, an obviously important guy at Acme.
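The object pipeline described above and the group enumeration that follows, as one added example that is not from the ebook and not PowerView’s own code: it uses constructed session, group and membership objects in place of the live output of Invoke-UserHunter, Get-NetGroup and Get-NetGroupMember, so it runs offline in any PowerShell session. The property names on those objects (UserName, ComputerName, LocalAdmin, Name, GroupName, MemberName) and the host, user and group names are assumptions made up for the sample; real cmdlet output may name its properties differently.

```powershell
# Added example, not from the ebook. All data below is constructed so the pipeline
# runs without a domain; in the text these objects come from PowerView cmdlets.

# Constructed stand-in for Invoke-UserHunter output: one object per logged-on session.
$sessions = @(
    [pscustomobject]@{ UserName = 'tbloatly';      ComputerName = 'Taco';  LocalAdmin = $false }
    [pscustomobject]@{ UserName = 'Administrator'; ComputerName = 'Taco';  LocalAdmin = $true  }
    [pscustomobject]@{ UserName = 'jdoe';          ComputerName = 'Salsa'; LocalAdmin = $false }
    [pscustomobject]@{ UserName = 'asmith';        ComputerName = 'Salsa'; LocalAdmin = $false }
)

# Constructed stand-in for Get-NetGroup: default groups plus custom Acme-* groups.
$groups = @(
    [pscustomobject]@{ Name = 'Domain Admins' }
    [pscustomobject]@{ Name = 'Domain Users' }
    [pscustomobject]@{ Name = 'Acme-VIPs' }
    [pscustomobject]@{ Name = 'Acme-Helpdesk' }
)

# Constructed stand-in for Get-NetGroupMember output (group -> member pairs).
$members = @(
    [pscustomobject]@{ GroupName = 'Acme-VIPs';     MemberName = 'tbloatly' }
    [pscustomobject]@{ GroupName = 'Acme-Helpdesk'; MemberName = 'asmith' }
    [pscustomobject]@{ GroupName = 'Domain Admins'; MemberName = 'Administrator' }
)

# 1. The pipeline from the text: Where-Object (alias ?) keeps only the objects whose
#    ComputerName property equals 'Salsa'. $_ is the object currently flowing through
#    the pipeline, so $_.ComputerName is a typed property read, not a substring match
#    against a line of text as it would be with grep.
$onSalsa = $sessions | ? { $_.ComputerName -eq 'Salsa' }
$onSalsa | Format-Table UserName, ComputerName -AutoSize

# Same filter for the Taco server. -eq on strings is case-insensitive in PowerShell.
$onTaco = $sessions | Where-Object { $_.ComputerName -eq 'taco' }
$onTaco | Format-Table UserName, ComputerName, LocalAdmin -AutoSize

# 2. Because the results are objects, later stages keep working on properties instead
#    of re-parsing text: pick only the custom groups by their Acme- name prefix.
$customGroups = $groups | ? { $_.Name -like 'Acme-*' } | Select-Object -ExpandProperty Name

# 3. Join membership with sessions: which members of each custom group currently have a
#    session, and on which host. This is the defender's view of the same data; a
#    high-value user's interactive session is where that account's credentials are
#    exposed on the host, so it is what an AD admin audits and monitors.
$exposure = foreach ($g in $customGroups) {
    $memberNames = ($members | ? { $_.GroupName -eq $g }).MemberName
    $sessions | ? { $memberNames -contains $_.UserName } |
        Select-Object @{ n = 'Group'; e = { $g } }, UserName, ComputerName
}
$exposure | Format-Table -AutoSize
```

With the constructed data, step 1 lists jdoe and asmith on Salsa, step 2 yields Acme-VIPs and Acme-Helpdesk, and step 3 reports tbloatly (Acme-VIPs) on Taco and asmith (Acme-Helpdesk) on Salsa. Swapping the constructed arrays for the real cmdlet output changes nothing in the pipeline stages, which is the point of the object model the text describes.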


Viewing Ted’s Active Directory permissions for properties.
Active Directory Treasures
At this point, I’ve not done anything disruptive or invasive. I’m just gathering information, though under the hood PowerView is making low-level AD queries.
Suppose I want to find out more details about this Ted Bloatly person.
AD administrators are of course familiar with the Users and Computers interface through which they manage the directory. It’s also a treasure trove of information for hackers. Can I access this using PowerView?
Through another PV cmdlet,
