在拿到一台域环境内主机权限时,第一步要做的不是对内网进行扫描,探测等大规模攻击行为,而是通过一些内置命令获取域中的基本信息,本文主要以 powershell 命令为主要工具来了解如何获取域内信息,获取什么信息。
获取根域信息
PS C:> [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
Name: lab.adsecurity.orgSites: {Default-First-Site-Name}Domains: {lab.adsecurity.org, child.lab.adsecurity.org}GlobalCatalogs: {ADSDC01.lab.adsecurity.org, ADSDC02.lab.adsecurity.org, ADSDC03.lab.adsecurity.org, ADSDC11.child.lab.adsecurity.org}ApplicationPartitions: {DC=DomainDnsZones,DC=child,DC=lab,DC=adsecurity,DC=org, DC=DomainDnsZones,DC=lab,DC=adsecurity,DC=org,DC=ForestDnsZones,DC=lab,DC=adsecurity,DC=org}ForestMode: Windows2008R2ForestRootDomain: lab.adsecurity.orgSchema: CN=Schema,CN=Configuration,DC=lab,DC=adsecurity,DC=orgSchemaRoleOwner: ADSDC03.lab.adsecurity.orgNamingRoleOwner: ADSDC03.lab.adsecurity.org
获取子域信息
PS C:> [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
Forest: lab.adsecurity.orgDomainControllers: {ADSDC01.lab.adsecurity.org, ADSDC02.lab.adsecurity.org, ADSDC03.lab.adsecurity.org}Children: {child.lab.adsecurity.org}DomainMode: Windows2008R2DomainParent:PdcRoleOwner: ADSDC03.lab.adsecurity.orgRidRoleOwner: ADSDC03.lab.adsecurity.orgInfrastructureRoleOwner: ADSDC03.lab.adsecurity.orgName: lab.adsecurity.org
根域信任关系
$ForestRootDomain = ‘lab.adsecurity.org’
([System.DirectoryServices.ActiveDirectory.Forest]::GetForest((New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext(‘Forest’, $ForestRootDomain)))).GetAllTrustRelationships()
子域信任关系
PS C:> ([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).GetAllTrustRelationships()
SourceName: lab.adsecurity.orgTargetName: child.lab.adsecurity.orgTrustType: ParentChildTrustDirection: Bidirectional
获取根域 GC(Global catalog)
Global Catalog,简写为“GC”,有的地方叫“全局编录”,这里我把它叫做“通用类别目录”。
主要功能是:帮助域控制器把其他域包含本域的资料收集起来,便于客户端查询。
PS C:> [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().GlobalCatalogs
Forest : lab.adsecurity.orgCurrentTime : 1/27/2016 5:31:36 PMHighestCommittedUsn : 305210OSVersion : Windows Server 2008 R2 DatacenterRoles : {}Domain : lab.adsecurity.orgIPAddress : 172.16.11.11SiteName : Default-First-Site-NameSyncFromAllServersCallback :InboundConnections : {36bfdadf-777d-4bad-9427-bc148cea256f, 48594a5d-c2a3-4cd1-a80d-bedf367cc2a9, 549871d2-e238-4423-a6b8-1bbOutboundConnections : {9da361fd-0eed-414a-b4ee-0a9caa1b153e, 86690811-f995-4c3e-89fe-73c61fa4a3a0, 8797cbb4-fe09-49dc-8891-952Name : ADSDC01.lab.adsecurity.orgPartitions : {DC=lab,DC=adsecurity,DC=org, CN=Configuration,DC=lab,DC=adsecurity,DC=org,CN=Schema,CN=Configuration,DC=lab,DC=adsecurity,DC=org, DC=DomainDnsZones,DC=lab,DC=adsecurity,DC=org…Forest : lab.adsecurity.orgCurrentTime : 1/27/2016 5:31:37 PMHighestCommittedUsn : 274976OSVersion : Windows Server 2012 R2 DatacenterRoles : {SchemaRole, NamingRole, PdcRole, RidRole…}Domain : lab.adsecurity.orgIPAddress : fe80::1881:40d5:fc2e:e744%12SiteName : Default-First-Site-NameSyncFromAllServersCallback :InboundConnections : {86690811-f995-4c3e-89fe-73c61fa4a3a0, dd7b36a8-a52e-446d-95a8-318b69bd9765}OutboundConnections : {f901f0b5-8754-44e9-92e8-f56b3d67197b, 549871d2-e238-4423-a6b8-1bb258e2a62f}Name : ADSDC03.lab.adsecurity.orgPartitions : {DC=lab,DC=adsecurity,DC=org, CN=Configuration,DC=lab,DC=adsecurity,DC=org,CN=Schema,CN=Configuration,DC=lab,DC=adsecurity,DC=org, DC=DomainDnsZones,DC=lab,DC=adsecurity,DC=org…Forest : lab.adsecurity.orgCurrentTime : 1/27/2016 5:31:38 PMHighestCommittedUsn : 161898OSVersion : Windows Server 2012 R2 DatacenterRoles : {PdcRole, RidRole, InfrastructureRole}Domain : child.lab.adsecurity.orgIPAddress : 172.16.11.21SiteName : Default-First-Site-NameSyncFromAllServersCallback :InboundConnections : {612c2d75-1c35-4073-a8a9-d41169665000, 8797cbb4-fe09-49dc-8891-952f38822eda}OutboundConnections : {71ea129f-8d56-4bd0-9b68-d80e89ae7385, 36bfdadf-777d-4bad-9427-bc148cea256f}Name : ADSDC11.child.lab.adsecurity.orgPartitions : {CN=Configuration,DC=lab,DC=adsecurity,DC=org, CN=Schema,CN=Configuration,DC=lab,DC=adsecurity,DC=org,DC=ForestDnsZones,DC=lab,DC=adsecurity,DC=org, DC=child,DC=lab,DC=adsecurity,DC=org…}
通常情况下这些信息都不会被隐藏或者加密混淆。
不用扫描的情况下获取网络服务
这种方式也叫 SPN 扫描,当 windows 主机开启 RDP(TERMSERV)、Wi你RM(WSMAN)服务时可以被发现
PS C:> get-adcomputer -filter {ServicePrincipalName -like “*TERMSRV*”} -Properties OperatingSystem,OperatingSystemVersion,OperatingSystemServicePack,PasswordLastSet,LastLogonDate,ServicePrincipalName,TrustedForDelegation,TrustedtoAuthForDelegation
DistinguishedName : CN=ADSDC02,OU=Domain Controllers,DC=lab,DC=adsecurity,DC=orgDNSHostName : ADSDC02.lab.adsecurity.orgEnabled : TrueLastLogonDate : 1/20/2016 6:46:18 AMName : ADSDC02ObjectClass : computerObjectGUID : 1efe44af-d8d9-420b-a66a-8d771d295085OperatingSystem : Windows Server 2008 R2 DatacenterOperatingSystemServicePack : Service Pack 1OperatingSystemVersion : 6.1 (7601)PasswordLastSet : 12/31/2015 6:34:15 AMSamAccountName : ADSDC02$ServicePrincipalName : {DNS/ADSDC02.lab.adsecurity.org, HOST/ADSDC02/ADSECLAB, HOST/ADSDC02.lab.adsecurity.org/ADSECLAB,GC/ADSDC02.lab.adsecurity.org/lab.adsecurity.org…}SID : S-1-5-21-1581655573-3923512380-696647894-1103TrustedForDelegation : TrueTrustedToAuthForDelegation : FalseUserPrincipalName :DistinguishedName : CN=ADSDC01,OU=Domain Controllers,DC=lab,DC=adsecurity,DC=orgDNSHostName : ADSDC01.lab.adsecurity.orgEnabled : TrueLastLogonDate : 1/20/2016 6:47:21 AMName : ADSDC01ObjectClass : computerObjectGUID : 31b2038d-e63d-4cfe-b7b6-77206c325af9OperatingSystem : Windows Server 2008 R2 DatacenterOperatingSystemServicePack : Service Pack 1OperatingSystemVersion : 6.1 (7601)PasswordLastSet : 12/31/2015 6:34:14 AMSamAccountName : ADSDC01$ServicePrincipalName : {ldap/ADSDC01.lab.adsecurity.org/ForestDnsZones.lab.adsecurity.org,TERMSRV/ADSDC01,TERMSRV/ADSDC01.lab.adsecurity.org…}SID : S-1-5-21-1581655573-3923512380-696647894-1000TrustedForDelegation : TrueTrustedToAuthForDelegation : FalseUserPrincipalName :DistinguishedName : CN=ADSDC03,OU=Domain Controllers,DC=lab,DC=adsecurity,DC=orgDNSHostName : ADSDC03.lab.adsecurity.orgEnabled : TrueLastLogonDate : 1/20/2016 6:35:16 AMName : ADSDC03ObjectClass : computerObjectGUID : 0a2d849c-cc59-4785-8ba2-997fd6ca4dc8OperatingSystem : Windows Server 2012 R2 DatacenterOperatingSystemServicePack :OperatingSystemVersion : 6.3 (9600)PasswordLastSet : 12/31/2015 6:34:16 AMSamAccountName : ADSDC03$ServicePrincipalName : {DNS/ADSDC03.lab.adsecurity.org, HOST/ADSDC03.lab.adsecurity.org/ADSECLAB,GC/ADSDC03.lab.adsecurity.org/lab.adsecurity.org…}SID : S-1-5-21-1581655573-3923512380-696647894-1601TrustedForDelegation : TrueTrustedToAuthForDelegation : FalseUserPrincipalName :DistinguishedName : CN=ADSWRKWIN7,CN=Computers,DC=lab,DC=adsecurity,DC=orgDNSHostName : ADSWRKWIN7.lab.adsecurity.orgEnabled : TrueLastLogonDate : 8/29/2015 6:40:16 PMName : ADSWRKWIN7ObjectClass : computerObjectGUID : e8b3bed2-75b4-4512-a4f0-6d9c2d975c70OperatingSystem : Windows 7 EnterpriseOperatingSystemServicePack : Service Pack 1OperatingSystemVersion : 6.1 (7601)PasswordLastSet : 8/29/2015 6:40:12 PMSamAccountName : ADSWRKWIN7$ServicePrincipalName : {TERMSRV/ADSWRKWin7.lab.adsecurity.org, TERMSRV/ADSWRKWIN7, RestrictedKrbHost/ADSWRKWIN7, HOST/ADSWRKWIN7…}SID : S-1-5-21-1581655573-3923512380-696647894-1104TrustedForDelegation : FalseTrustedToAuthForDelegation : FalseUserPrincipalName :DistinguishedName : CN=ADSAP01,CN=Computers,DC=lab,DC=adsecurity,DC=orgDNSHostName : ADSAP01.lab.adsecurity.orgEnabled : TrueLastLogonDate : 1/24/2016 11:03:41 AMName : ADSAP01ObjectClass : computerObjectGUID : b79bb5e3-8f9e-4ee0-a30c-5f66b61da681OperatingSystem : Windows Server 2008 R2 DatacenterOperatingSystemServicePack : Service Pack 1OperatingSystemVersion : 6.1 (7601)PasswordLastSet : 1/4/2016 6:38:16 AMSamAccountName : ADSAP01$ServicePrincipalName : {WSMAN/ADSAP01.lab.adsecurity.org, WSMAN/ADSAP01, TERMSRV/ADSAP01.lab.adsecurity.org, TERMSRV/ADSAP01…}SID : S-1-5-21-1581655573-3923512380-696647894-1105TrustedForDelegation : FalseTrustedToAuthForDelegation : FalseUserPrincipalName :DistinguishedName : CN=ADSWKWIN7,CN=Computers,DC=lab,DC=adsecurity,DC=orgDNSHostName : ADSWKWIN7.lab.adsecurity.orgEnabled : TrueLastLogonDate : 1/20/2016 7:07:11 AMName : ADSWKWIN7ObjectClass : computerObjectGUID : 2f164d63-d721-4b0e-a553-3ca0e272aa96OperatingSystem : Windows 7 EnterpriseOperatingSystemServicePack : Service Pack 1OperatingSystemVersion : 6.1 (7601)PasswordLastSet : 12/31/2015 8:03:05 AMSamAccountName : ADSWKWIN7$ServicePrincipalName : {TERMSRV/ADSWKWin7.lab.adsecurity.org, TERMSRV/ADSWKWIN7, RestrictedKrbHost/ADSWKWIN7, HOST/ADSWKWIN7…}SID : S-1-5-21-1581655573-3923512380-696647894-1602TrustedForDelegation : FalseTrustedToAuthForDelegation : FalseUserPrincipalName :DistinguishedName : CN=ADSAP02,CN=Computers,DC=lab,DC=adsecurity,DC=orgDNSHostName : ADSAP02.lab.adsecurity.orgEnabled : TrueLastLogonDate : 1/24/2016 7:39:48 AMName : ADSAP02ObjectClass : computerObjectGUID : 1006978e-8627-4d01-98b6-3215c4ee4541OperatingSystem : Windows Server 2012 R2 DatacenterOperatingSystemServicePack :OperatingSystemVersion : 6.3 (9600)PasswordLastSet : 1/4/2016 6:39:25 AMSamAccountName : ADSAP02$ServicePrincipalName : {WSMAN/ADSAP02.lab.adsecurity.org, WSMAN/ADSAP02, TERMSRV/ADSAP02.lab.adsecurity.org, TERMSRV/ADSAP02…}SID : S-1-5-21-1581655573-3923512380-696647894-1603TrustedForDelegation : FalseTrustedToAuthForDelegation : FalseUserPrincipalName :
收集服务账号
PS C:> get-aduser -filter {ServicePrincipalName -like “*”} -Properties PasswordLastSet,LastLogonDate,ServicePrincipalName,TrustedForDelegation,Truste dtoAuthForDelegation
DistinguishedName : CN=svc-adsMSSQL11,OU=Test,DC=lab,DC=adsecurity,DC=orgEnabled : FalseGivenName :LastLogonDate :Name : svc-adsMSSQL11ObjectClass : userObjectGUID : 275d3bf4-80d3-42ba-9d77-405c5cc63c07PasswordLastSet : 1/4/2016 7:13:03 AMSamAccountName : svc-adsMSSQL11ServicePrincipalName : {MSSQL/adsMSSQL11.lab.adsecurity.org:7434}SID : S-1-5-21-1581655573-3923512380-696647894-3601Surname :TrustedForDelegation : FalseTrustedToAuthForDelegation : FalseUserPrincipalName :DistinguishedName : CN=svc-adsSQLSA,OU=Test,DC=lab,DC=adsecurity,DC=orgEnabled : FalseGivenName :LastLogonDate :Name : svc-adsSQLSAObjectClass : userObjectGUID : 56faaab2-5b05-4bb2-aaea-0bdc1409eab3PasswordLastSet : 1/4/2016 7:13:13 AMSamAccountName : svc-adsSQLSAServicePrincipalName : {MSSQL/adsMSSQL23.lab.adsecurity.org:7434, MSSQL/adsMSSQL22.lab.adsecurity.org:5534, MSSQL/adsMSSQL21.lab.adsecurity.org:9834, MSSQL/adsMSSQL10.lab.adsecurity.org:14434…}SID : S-1-5-21-1581655573-3923512380-696647894-3602Surname :TrustedForDelegation : FalseTrustedToAuthForDelegation : FalseUserPrincipalName :DistinguishedName : CN=svc-adsMSSQL10,OU=Test,DC=lab,DC=adsecurity,DC=orgEnabled : FalseGivenName :LastLogonDate :Name : svc-adsMSSQL10ObjectClass : userObjectGUID : 6c2f15a2-ba4a-485a-a367-39395ad82c86PasswordLastSet : 1/4/2016 7:13:24 AMSamAccountName : svc-adsMSSQL10ServicePrincipalName : {MSSQL/adsMSSQL10.lab.adsecurity.org:7434}SID : S-1-5-21-1581655573-3923512380-696647894-3603Surname :TrustedForDelegation : FalseTrustedToAuthForDelegation : FalseUserPrincipalName :
非扫描式获取主机名
每一个加入域的主机,都会在域控上有所记录,包括很多详细的信息,比如创建时间、修改时间、密码策略、操作系统版本信息等。
PS C:> get-adcomputer -filter {PrimaryGroupID -eq “515”} -Properties OperatingSystem,OperatingSystemVersion,OperatingSystemServicePack,Passwot,LastLogonDate,ServicePrincipalName,TrustedForDelegation,TrustedtoAuthForDelegation
DistinguishedName : CN=ADSWRKWIN7,CN=Computers,DC=lab,DC=adsecurity,DC=orgDNSHostName : ADSWRKWIN7.lab.adsecurity.orgEnabled : TrueLastLogonDate : 8/29/2015 6:40:16 PMName : ADSWRKWIN7ObjectClass : computerObjectGUID : e8b3bed2-75b4-4512-a4f0-6d9c2d975c70OperatingSystem : Windows 7 EnterpriseOperatingSystemServicePack : Service Pack 1OperatingSystemVersion : 6.1 (7601)PasswordLastSet : 8/29/2015 6:40:12 PMSamAccountName : ADSWRKWIN7$ServicePrincipalName : {TERMSRV/ADSWRKWin7.lab.adsecurity.org, TERMSRV/ADSWRKWIN7, RestrictedKrbHost/ADSWRKWIN7, HOST/ADSWRKWIN7…}SID : S-1-5-21-1581655573-3923512380-696647894-1104TrustedForDelegation : FalseTrustedToAuthForDelegation : FalseUserPrincipalName :DistinguishedName : CN=ADSAP01,CN=Computers,DC=lab,DC=adsecurity,DC=orgDNSHostName : ADSAP01.lab.adsecurity.orgEnabled : TrueLastLogonDate : 1/24/2016 11:03:41 AMName : ADSAP01ObjectClass : computerObjectGUID : b79bb5e3-8f9e-4ee0-a30c-5f66b61da681OperatingSystem : Windows Server 2008 R2 DatacenterOperatingSystemServicePack : Service Pack 1OperatingSystemVersion : 6.1 (7601)PasswordLastSet : 1/4/2016 6:38:16 AMSamAccountName : ADSAP01$ServicePrincipalName : {WSMAN/ADSAP01.lab.adsecurity.org, WSMAN/ADSAP01, TERMSRV/ADSAP01.lab.adsecurity.org, TERMSRV/ADSAP01…}SID : S-1-5-21-1581655573-3923512380-696647894-1105TrustedForDelegation : FalseTrustedToAuthForDelegation : FalseUserPrincipalName :DistinguishedName : CN=ADSWKWIN7,CN=Computers,DC=lab,DC=adsecurity,DC=orgDNSHostName : ADSWKWIN7.lab.adsecurity.orgEnabled : TrueLastLogonDate : 1/20/2016 7:07:11 AMName : ADSWKWIN7ObjectClass : computerObjectGUID : 2f164d63-d721-4b0e-a553-3ca0e272aa96OperatingSystem : Windows 7 EnterpriseOperatingSystemServicePack : Service Pack 1OperatingSystemVersion : 6.1 (7601)PasswordLastSet : 12/31/2015 8:03:05 AMSamAccountName : ADSWKWIN7$ServicePrincipalName : {TERMSRV/ADSWKWin7.lab.adsecurity.org, TERMSRV/ADSWKWIN7, RestrictedKrbHost/ADSWKWIN7, HOST/ADSWKWIN7…}SID : S-1-5-21-1581655573-3923512380-696647894-1602TrustedForDelegation : FalseTrustedToAuthForDelegation : FalseUserPrincipalName :DistinguishedName : CN=ADSAP02,CN=Computers,DC=lab,DC=adsecurity,DC=orgDNSHostName : ADSAP02.lab.adsecurity.orgEnabled : TrueLastLogonDate : 1/24/2016 7:39:48 AMName : ADSAP02ObjectClass : computerObjectGUID : 1006978e-8627-4d01-98b6-3215c4ee4541OperatingSystem : Windows Server 2012 R2 DatacenterOperatingSystemServicePack :OperatingSystemVersion : 6.3 (9600)PasswordLastSet : 1/4/2016 6:39:25 AMSamAccountName : ADSAP02$ServicePrincipalName : {WSMAN/ADSAP02.lab.adsecurity.org, WSMAN/ADSAP02, TERMSRV/ADSAP02.lab.adsecurity.org, TERMSRV/ADSAP02…}SID : S-1-5-21-1581655573-3923512380-696647894-1603TrustedForDelegation : FalseTrustedToAuthForDelegation : FalseUserPrincipalName :
可以修改 PrimaryGroupID 的值为 515 来获取域控中的其他主机信息,也可以使用 “-filter *” 来获取所有主机信息:
PS C:> get-adcomputer -filter {PrimaryGroupID -eq “516”} -Properties OperatingSystem,OperatingSystemVersion,OperatingSystemServicePack,Passwot,LastLogonDate,ServicePrincipalName,TrustedForDelegation,TrustedtoAuthForDelegation
DistinguishedName : CN=ADSDC02,OU=Domain Controllers,DC=lab,DC=adsecurity,DC=orgDNSHostName : ADSDC02.lab.adsecurity.orgEnabled : TrueLastLogonDate : 1/20/2016 6:46:18 AMName : ADSDC02ObjectClass : computerObjectGUID : 1efe44af-d8d9-420b-a66a-8d771d295085OperatingSystem : Windows Server 2008 R2 DatacenterOperatingSystemServicePack : Service Pack 1OperatingSystemVersion : 6.1 (7601)PasswordLastSet : 12/31/2015 6:34:15 AMSamAccountName : ADSDC02$ServicePrincipalName : {DNS/ADSDC02.lab.adsecurity.org, HOST/ADSDC02/ADSECLAB, HOST/ADSDC02.lab.adsecurity.org/ADSECLAB,GC/ADSDC02.lab.adsecurity.org/lab.adsecurity.org…}SID : S-1-5-21-1581655573-3923512380-696647894-1103TrustedForDelegation : TrueTrustedToAuthForDelegation : FalseUserPrincipalName :DistinguishedName : CN=ADSDC01,OU=Domain Controllers,DC=lab,DC=adsecurity,DC=orgDNSHostName : ADSDC01.lab.adsecurity.orgEnabled : TrueLastLogonDate : 1/20/2016 6:47:21 AMName : ADSDC01ObjectClass : computerObjectGUID : 31b2038d-e63d-4cfe-b7b6-77206c325af9OperatingSystem : Windows Server 2008 R2 DatacenterOperatingSystemServicePack : Service Pack 1OperatingSystemVersion : 6.1 (7601)PasswordLastSet : 12/31/2015 6:34:14 AMSamAccountName : ADSDC01$ServicePrincipalName : {ldap/ADSDC01.lab.adsecurity.org/ForestDnsZones.lab.adsecurity.org,TERMSRV/ADSDC01,TERMSRV/ADSDC01.lab.adsecurity.org…}SID : S-1-5-21-1581655573-3923512380-696647894-1000TrustedForDelegation : TrueTrustedToAuthForDelegation : FalseUserPrincipalName :DistinguishedName : CN=ADSDC03,OU=Domain Controllers,DC=lab,DC=adsecurity,DC=orgDNSHostName : ADSDC03.lab.adsecurity.orgEnabled : TrueLastLogonDate : 1/20/2016 6:35:16 AMName : ADSDC03ObjectClass : computerObjectGUID : 0a2d849c-cc59-4785-8ba2-997fd6ca4dc8OperatingSystem : Windows Server 2012 R2 DatacenterOperatingSystemServicePack :OperatingSystemVersion : 6.3 (9600)PasswordLastSet : 12/31/2015 6:34:16 AMSamAccountName : ADSDC03$ServicePrincipalName : {DNS/ADSDC03.lab.adsecurity.org, HOST/ADSDC03.lab.adsecurity.org/ADSECLAB,GC/ADSDC03.lab.adsecurity.org/lab.adsecurity.org…}SID : S-1-5-21-1581655573-3923512380-696647894-1601TrustedForDelegation : TrueTrustedToAuthForDelegation : FalseUserPrincipalName :
也可以使用下面的参数根据系统版本来获取相关主机:
OperatingSystem -Like “Samba”
OperatingSystem -Like “OnTap”
OperatingSystem -Like “Data Domain”
OperatingSystem -Like “EMC”
OperatingSystem -Like “Windows NT”
识别管理员信息
PS C:> get-aduser -filter {AdminCount -eq 1} -Properties Name,AdminCount,ServicePrincipalName,PasswordLastSet,LastLogonDate,MemberOf
AdminCount : 1DistinguishedName : CN=ADSAdministrator,CN=Users,DC=lab,DC=adsecurity,DC=orgEnabled : TrueGivenName :LastLogonDate : 1/27/2016 8:55:48 AMMemberOf : {CN=Administrators,CN=Builtin,DC=lab,DC=adsecurity,DC=org, CN=Schema Admins,CN=Users,DC=lab,DC=adsecurity,DC=org, CN=GroupPolicy Creator Owners,CN=Users,DC=lab,DC=adsecurity,DC=org, CN=Enterprise Admins,CN=Users,DC=lab,DC=adsecurity,DC=org…}Name : ADSAdministratorObjectClass : userObjectGUID : 72ac7731-0a76-4e5a-8e5d-b4ded9a304b5PasswordLastSet : 12/31/2015 8:45:27 AMSamAccountName : ADSAdministratorSID : S-1-5-21-1581655573-3923512380-696647894-500Surname :UserPrincipalName :AdminCount : 1DistinguishedName : CN=krbtgt,CN=Users,DC=lab,DC=adsecurity,DC=orgEnabled : FalseGivenName :LastLogonDate :MemberOf : {CN=Denied RODC Password Replication Group,CN=Users,DC=lab,DC=adsecurity,DC=org}Name : krbtgtObjectClass : userObjectGUID : 3d5be8dd-df7f-4f84-b2cf-4556310a7292PasswordLastSet : 8/27/2015 7:10:22 PMSamAccountName : krbtgtServicePrincipalName : {kadmin/changepw}SID : S-1-5-21-1581655573-3923512380-696647894-502Surname :UserPrincipalName :AdminCount : 1DistinguishedName : CN=LukeSkywalker,OU=AD Management,DC=lab,DC=adsecurity,DC=orgEnabled : TrueGivenName :LastLogonDate : 8/29/2015 7:29:52 PMMemberOf : {CN=Domain Admins,CN=Users,DC=lab,DC=adsecurity,DC=org}Name : LukeSkywalkerObjectClass : userObjectGUID : 32b5226b-aa6d-4b35-a031-ddbcbde07137PasswordLastSet : 8/29/2015 7:26:02 PMSamAccountName : LukeSkywalkerSID : S-1-5-21-1581655573-3923512380-696647894-2629Surname :UserPrincipalName :
获取管理员组
PS C:> get-adgroup -filter {GroupCategory -eq ‘Security’ -AND Name -like “*admin*”}
DistinguishedName : CN=Domain Admins,CN=Users,DC=lab,DC=adsecurity,DC=orgGroupCategory : SecurityGroupScope : GlobalName : Domain AdminsObjectClass : groupObjectGUID : 5621cc71-d318-4e2c-b1b1-c181f630e10eSamAccountName : Domain AdminsSID : S-1-5-21-1581655573-3923512380-696647894-512DistinguishedName : CN=Workstation Admins,OU=AD Management,DC=lab,DC=adsecurity,DC=orgGroupCategory : SecurityGroupScope : GlobalName : Workstation AdminsObjectClass : groupObjectGUID : 88cd4d52-aedb-4f90-9ebd-02d4c0e322e4SamAccountName : WorkstationAdminsSID : S-1-5-21-1581655573-3923512380-696647894-2627DistinguishedName : CN=Server Admins,OU=AD Management,DC=lab,DC=adsecurity,DC=orgGroupCategory : SecurityGroupScope : GlobalName : Server AdminsObjectClass : groupObjectGUID : 3877c311-9321-41c0-a6b5-c0d88684b335SamAccountName : ServerAdminsSID : S-1-5-21-1581655573-3923512380-696647894-2628DistinguishedName : CN=DnsAdmins,CN=Users,DC=lab,DC=adsecurity,DC=orgGroupCategory : SecurityGroupScope : DomainLocalName : DnsAdminsObjectClass : groupObjectGUID : 46caa0dd-6a22-42a3-a2d9-bd467934aab5SamAccountName : DnsAdminsSID : S-1-5-21-1581655573-3923512380-696647894-1101DistinguishedName : CN=Administrators,CN=Builtin,DC=lab,DC=adsecurity,DC=orgGroupCategory : SecurityGroupScope : DomainLocalName : AdministratorsObjectClass : groupObjectGUID : d03a4afc-b14e-48c6-893c-bbc1ac872ca2SamAccountName : AdministratorsSID : S-1-5-32-544DistinguishedName : CN=Hyper-V Administrators,CN=Builtin,DC=lab,DC=adsecurity,DC=orgGroupCategory : SecurityGroupScope : DomainLocalName : Hyper-V AdministratorsObjectClass : groupObjectGUID : 3137943e-f1c3-46d0-acf2-4711bf6f8417SamAccountName : Hyper-V AdministratorsSID : S-1-5-32-578DistinguishedName : CN=Enterprise Admins,CN=Users,DC=lab,DC=adsecurity,DC=orgGroupCategory : SecurityGroupScope : UniversalName : Enterprise AdminsObjectClass : groupObjectGUID : 7674d6ad-777b-4db1-9fe3-e31fd664eb6eSamAccountName : Enterprise AdminsSID : S-1-5-21-1581655573-3923512380-696647894-519DistinguishedName : CN=Schema Admins,CN=Users,DC=lab,DC=adsecurity,DC=orgGroupCategory : SecurityGroupScope : UniversalName : Schema AdminsObjectClass : groupObjectGUID : 420e8ee5-77f5-43b8-9f51-cde3feea0662SamAccountName : Schema AdminsSID : S-1-5-21-1581655573-3923512380-696647894-518
获取合作伙伴信息
PS C:> get-adobject -filter {ObjectClass -eq “Contact”} -Prop *
CanonicalName : lab.adsecurity.org/Contaxts/Admiral AckbarCN : Admiral AckbarCreated : 1/27/2016 10:00:06 AMcreateTimeStamp : 1/27/2016 10:00:06 AMDeleted :Description :DisplayName :DistinguishedName : CN=Admiral Ackbar,OU=Contaxts,DC=lab,DC=adsecurity,DC=orgdSCorePropagationData : {12/31/1600 4:00:00 PM}givenName : AdmiralinstanceType : 4isDeleted :LastKnownParent :mail : [email protected]Modified : 1/27/2016 10:00:24 AMmodifyTimeStamp : 1/27/2016 10:00:24 AMName : Admiral AckbarnTSecurityDescriptor : System.DirectoryServices.ActiveDirectorySecurityObjectCategory : CN=Person,CN=Schema,CN=Configuration,DC=lab,DC=adsecurity,DC=orgObjectClass : contactObjectGUID : 52c80a1d-a614-4889-92d4-1f588387d9f3ProtectedFromAccidentalDeletion : FalsesDRightsEffective : 15sn : AckbaruSNChanged : 275113uSNCreated : 275112whenChanged : 1/27/2016 10:00:24 AMwhenCreated : 1/27/2016 10:00:06 AMCanonicalName : lab.adsecurity.org/Contaxts/Leia OrganaCN : Leia OrganaCreated : 1/27/2016 10:01:25 AMcreateTimeStamp : 1/27/2016 10:01:25 AMDeleted :Description :DisplayName :DistinguishedName : CN=Leia Organa,OU=Contaxts,DC=lab,DC=adsecurity,DC=orgdSCorePropagationData : {12/31/1600 4:00:00 PM}givenName : LeiainstanceType : 4isDeleted :LastKnownParent :mail : [email protected]Modified : 1/27/2016 10:09:15 AMmodifyTimeStamp : 1/27/2016 10:09:15 AMName : Leia OrgananTSecurityDescriptor : System.DirectoryServices.ActiveDirectorySecurityObjectCategory : CN=Person,CN=Schema,CN=Configuration,DC=lab,DC=adsecurity,DC=orgObjectClass : contactObjectGUID : ba8ec318-a0a2-41d5-923e-a3f646d1c7f9ProtectedFromAccidentalDeletion : FalsesDRightsEffective : 15sn : OrganauSNChanged : 275157uSNCreated : 275132whenChanged : 1/27/2016 10:09:15 AMwhenCreated : 1/27/2016 10:01:25 AM
获取域密码策略
PS C:> Get-ADDefaultDomainPasswordPolicy
ComplexityEnabled : TrueDistinguishedName : DC=lab,DC=adsecurity,DC=orgLockoutDuration : 00:30:00LockoutObservationWindow : 00:30:00LockoutThreshold : 0MaxPasswordAge : 42.00:00:00MinPasswordAge : 1.00:00:00MinPasswordLength : 7objectClass : {domainDNS}objectGuid : bbf0907c-3171-4448-b33a-76a48d859039PasswordHistoryCount : 24ReversibleEncryptionEnabled : False
获取细粒度的密码策略
对于 Windows server 2008 以上的系统,可以对用户或组设置细粒度的密码策略
PS C:> Get-ADFineGrainedPasswordPolicy -Filter *
AppliesTo : {CN=Special FGPP Users,OU=Test,DC=lab,DC=adsecurity,DC=org}ComplexityEnabled : TrueDistinguishedName : CN=Special Password Policy Group,CN=Password Settings Container,CN=System,DC=lab,DC=adsecurity,DC=orgLockoutDuration : 12:00:00LockoutObservationWindow : 00:15:00LockoutThreshold : 10MaxPasswordAge : 00:00:00.0000365MinPasswordAge : 00:00:00MinPasswordLength : 7Name : Special Password Policy GroupObjectClass : msDS-PasswordSettingsObjectGUID : c1301d8f-ba52-4bb3-b160-c449d9c7b8f8PasswordHistoryCount : 24Precedence : 100ReversibleEncryptionEnabled : True
获取管理服务的组和账号
PS C:> Get-ADServiceAccount -Filter * -Properties *
AccountExpirationDate : 12/27/2017 11:14:38 AMaccountExpires : 131588756787719890AccountLockoutTime :AccountNotDelegated : FalseAllowReversiblePasswordEncryption : FalseAuthenticationPolicy : {}AuthenticationPolicySilo : {}BadLogonCount : 0badPasswordTime : 0badPwdCount : 0CannotChangePassword : FalseCanonicalName : lab.adsecurity.org/Managed Service Accounts/ADSMSA12Certificates : {}CN : ADSMSA12codePage : 0CompoundIdentitySupported : {False}countryCode : 0Created : 1/27/2016 11:14:38 AMcreateTimeStamp : 1/27/2016 11:14:38 AMDeleted :Description : gMSA for XYZ AppDisplayName : ADSMSA12DistinguishedName : CN=ADSMSA12,CN=Managed Service Accounts,DC=lab,DC=adsecurity,DC=orgDNSHostName : ADSAP02.lab.adsecurity.orgDoesNotRequirePreAuth : FalsedSCorePropagationData : {12/31/1600 4:00:00 PM}Enabled : TrueHomedirRequired : FalseHomePage :HostComputers : {}instanceType : 4isCriticalSystemObject : FalseisDeleted :KerberosEncryptionType : {RC4, AES128, AES256}LastBadPasswordAttempt :LastKnownParent :lastLogoff : 0lastLogon : 0LastLogonDate :localPolicyFlags : 0LockedOut : FalselogonCount : 0ManagedPasswordIntervalInDays : {21}MemberOf : {}MNSLogonAccount : FalseModified : 1/27/2016 11:14:39 AMmodifyTimeStamp : 1/27/2016 11:14:39 AM: {1, 0, 0, 0…}: 21: 28: 0Name : ADSMSA12nTSecurityDescriptor : System.DirectoryServices.ActiveDirectorySecurityObjectCategory : CN=ms-DS-Group-Managed-Service-Account,CN=Schema,CN=Configuration,DC=lab,DC=adsecurity,DC=orgObjectClass : msDS-GroupManagedServiceAccountObjectGUID : fe4c287b-f9d2-45ce-abe3-4acd6d09c3ffobjectSid : S-1-5-21-1581655573-3923512380-696647894-3605PasswordExpired : FalsePasswordLastSet : 1/27/2016 11:14:38 AMPasswordNeverExpires : FalsePasswordNotRequired : FalsePrimaryGroup : CN=Domain Computers,CN=Users,DC=lab,DC=adsecurity,DC=orgprimaryGroupID : 515PrincipalsAllowedToDelegateToAccount : {}PrincipalsAllowedToRetrieveManagedPassword : {}ProtectedFromAccidentalDeletion : FalsepwdLastSet : 130983956789440119SamAccountName : ADSMSA12$sAMAccountType : 805306369sDRightsEffective : 15ServicePrincipalNames :SID : S-1-5-21-1581655573-3923512380-696647894-3605SIDHistory : {}TrustedForDelegation : FalseTrustedToAuthForDelegation : FalseUseDESKeyOnly : FalseuserAccountControl : 4096userCertificate : {}UserPrincipalName :uSNChanged : 275383uSNCreated : 275380whenChanged : 1/27/2016 11:14:39 AMwhenCreated : 1/27/2016 11:14:38 AM
获取对普通电脑有管理员权限的组
可以使用 PowerView 来快速识别 GPO,PowerView 下载地址:
https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1
PS C:> Get-NetGPOGroup
GPOName : {E9CABE0F-3A3F-40B1-B4C1-1FA89AC1F212}GPOPath : \lab.adsecurity.orgSysVollab.adsecurity.orgPolicies{E9CABE0F-3A3F-40B1-B4C1-1FA89AC1F212}Members : {Server Admins}MemberOf : {Administrators}GPODisplayName : Add Server Admins to Local Administrator GroupFilters :GPOName : {45556105-EFE6-43D8-A92C-AACB1D3D4DE5}GPOPath : \lab.adsecurity.orgSysVollab.adsecurity.orgPolicies{45556105-EFE6-43D8-A92C-AACB1D3D4DE5}Members : {Workstation Admins}MemberOf : {Administrators}GPODisplayName : Add Workstation Admins to Local Administrators Group
有了以上信息可以获取该 GPO 属于那个 OU
PS C:> get-netOU -guid “E9CABE0F-3A3F-40B1-B4C1-1FA89AC1F212”
PS C:> get-netOU -guid “45556105-EFE6-43D8-A92C-AACB1D3D4DE5”
接下来获取该 OU 下的主机信息
PS C:> get-adcomputer -filter * -SearchBase “OU=Servers,DC=lab,DC=adsecurity,DC=org”
DistinguishedName : CN=ADSAP01,OU=Servers,DC=lab,DC=adsecurity,DC=orgDNSHostName : ADSAP01.lab.adsecurity.orgEnabled : TrueName : ADSAP01ObjectClass : computerObjectGUID : b79bb5e3-8f9e-4ee0-a30c-5f66b61da681SamAccountName : ADSAP01$SID : S-1-5-21-1581655573-3923512380-696647894-1105UserPrincipalName :DistinguishedName : CN=ADSAP02,OU=Servers,DC=lab,DC=adsecurity,DC=orgDNSHostName : ADSAP02.lab.adsecurity.orgEnabled : TrueName : ADSAP02ObjectClass : computerObjectGUID : 1006978e-8627-4d01-98b6-3215c4ee4541SamAccountName : ADSAP02$SID : S-1-5-21-1581655573-3923512380-696647894-1603UserPrincipalName :
PS C:> get-adcomputer -filter * -SearchBase “OU=Workstations,DC=lab,DC=adsecurity,DC=org”
DistinguishedName : CN=ADSWRKWIN7,OU=Workstations,DC=lab,DC=adsecurity,DC=orgDNSHostName : ADSWRKWIN7.lab.adsecurity.orgEnabled : TrueName : ADSWRKWIN7ObjectClass : computerObjectGUID : e8b3bed2-75b4-4512-a4f0-6d9c2d975c70SamAccountName : ADSWRKWIN7$SID : S-1-5-21-1581655573-3923512380-696647894-1104UserPrincipalName :DistinguishedName : CN=ADSWKWIN7,OU=Workstations,DC=lab,DC=adsecurity,DC=orgDNSHostName : ADSWKWIN7.lab.adsecurity.orgEnabled : TrueName : ADSWKWIN7ObjectClass : computerObjectGUID : 2f164d63-d721-4b0e-a553-3ca0e272aa96SamAccountName : ADSWKWIN7$SID : S-1-5-21-1581655573-3923512380-696647894-1602UserPrincipalName :总结
以上就是使用 powershell 获取域内基本信息的方式,除了这种方式我们还可以使用 net 命令,但是这个命令通常会被杀软重点关注,多种方式多条路,以备不时之需。
本文始发于微信公众号(信安之路):刚入域环境下的域内信息收集
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论