Pen Testing Active Directory Environments e b o o k contents

10
Note: the $_. is the way PowerShell lets you refer to a single object in a stream or collection of objects. 
To see who’s on the Taco server, I did this instead:
Interesting! I found an Administrator.
One of the goals of pen testing is hunting down admins and other users with higher privileges. 
Invoke- UserHunter 
is the 
go-to cmdlet for this word.
Another good source of useful information are the AD groups in the Acme environment. You can learn about organizational 
structure from looking at group names.
I used PowerView’s 
Get-NetGroup
to query Active Directory for all the groups in the Acme domain. As the output sped by, I 
noticed, besides all the default groups, that there were a few group names that had Acme as prefix. It was probably set up and 
customized by the Acme system admin, which would be me in this case.
One group that caught my attention was the Acme-VIPs group.
It might be interesting to see this group’s user membership, and PV’s Get-NetGroupMember does this for me.
I now have a person of interest: Ted Bloatly, and obviously important guy at Acme.

Viewing Ted’s Active Directory permissions for properties.
11
Active Directory Treasures
At this point, I’ve not done anything disruptive or invasive. 
I’m just gathering information – under the hood PowerView, 
though is making low-level AD queries.
Suppose I want to find out more details about this Ted
Bloatly person.
AD administrators are of course familiar with the Users and 
Computer interface through which they manage the directory.
It’s also a treasure trove of information for hackers. Can I 
access this using PowerView?
Through another PV cmdlet, 

Download 3,04 Mb.

Do'stlaringiz bilan baham: