Gathering Domain Information After First Gaining Access to a Domain Environment


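After gaining access to a host inside a domain environment, the first step is not to launch large-scale attack activity such as scanning or probing the internal network, but to use built-in commands to gather basic information about the domain. This article mainly uses PowerShell commands to show how to obtain domain information and what information to obtain.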

Getting root domain information

PS C:\> [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

Name: lab.adsecurity.org
Sites: {Default-First-Site-Name}
Domains: {lab.adsecurity.org, child.lab.adsecurity.org}
GlobalCatalogs: {ADSDC01.lab.adsecurity.org, ADSDC02.lab.adsecurity.org, ADSDC03.lab.adsecurity.org, ADSDC11.child.lab.adsecurity.org}
ApplicationPartitions: {DC=DomainDnsZones,DC=child,DC=lab,DC=adsecurity,DC=org, DC=DomainDnsZones,DC=lab,DC=adsecurity,DC=org,DC=ForestDnsZones,DC=lab,DC=adsecurity,DC=org}
ForestMode: Windows2008R2Forest
RootDomain: lab.adsecurity.org
Schema: CN=Schema,CN=Configuration,DC=lab,DC=adsecurity,DC=org
SchemaRoleOwner: ADSDC03.lab.adsecurity.org
NamingRoleOwner: ADSDC03.lab.adsecurity.org

Getting child domain information

PS C:\> [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

Forest: lab.adsecurity.org
DomainControllers: {ADSDC01.lab.adsecurity.org, ADSDC02.lab.adsecurity.org, ADSDC03.lab.adsecurity.org}
Children: {child.lab.adsecurity.org}
DomainMode: Windows2008R2Domain
Parent:
PdcRoleOwner: ADSDC03.lab.adsecurity.org
RidRoleOwner: ADSDC03.lab.adsecurity.org
InfrastructureRoleOwner: ADSDC03.lab.adsecurity.org
Name: lab.adsecurity.org

Root domain trust relationships

$ForestRootDomain = 'lab.adsecurity.org'

([System.DirectoryServices.ActiveDirectory.Forest]::GetForest((New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Forest', $ForestRootDomain)))).GetAllTrustRelationships()

Child domain trust relationships

PS C:\> ([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).GetAllTrustRelationships()

SourceName:     lab.adsecurity.org
TargetName:     child.lab.adsecurity.org
TrustType:      ParentChild
TrustDirection: Bidirectional

Getting the root domain's GCs (Global Catalog)

Global Catalog is abbreviated "GC". Some sources call it the "global catalog" (全局编录); here I call it the "universal category directory" (通用类别目录).

Its main function is to help domain controllers collect data from other domains, including the local domain, so that clients can query it easily.

PS C:\> [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().GlobalCatalogs

Forest                     : lab.adsecurity.org
CurrentTime                : 1/27/2016 5:31:36 PM
HighestCommittedUsn        : 305210
OSVersion                  : Windows Server 2008 R2 Datacenter
Roles                      : {}
Domain                     : lab.adsecurity.org
IPAddress                  : 172.16.11.11
SiteName                   : Default-First-Site-Name
SyncFromAllServersCallback :
InboundConnections         : {36bfdadf-777d-4bad-9427-bc148cea256f, 48594a5d-c2a3-4cd1-a80d-bedf367cc2a9, 549871d2-e238-4423-a6b8-1bb
OutboundConnections        : {9da361fd-0eed-414a-b4ee-0a9caa1b153e, 86690811-f995-4c3e-89fe-73c61fa4a3a0, 8797cbb4-fe09-49dc-8891-952
Name                       : ADSDC01.lab.adsecurity.org
Partitions                 : {DC=lab,DC=adsecurity,DC=org, CN=Configuration,DC=lab,DC=adsecurity,DC=org,CN=Schema,CN=Configuration,DC=lab,DC=adsecurity,DC=org, DC=DomainDnsZones,DC=lab,DC=adsecurity,DC=org…

Forest                     : lab.adsecurity.org
CurrentTime                : 1/27/2016 5:31:37 PM
HighestCommittedUsn        : 274976
OSVersion                  : Windows Server 2012 R2 Datacenter
Roles                      : {SchemaRole, NamingRole, PdcRole, RidRole…}
Domain                     : lab.adsecurity.org
IPAddress                  : fe80::1881:40d5:fc2e:e744%12
SiteName                   : Default-First-Site-Name
SyncFromAllServersCallback :
InboundConnections         : {86690811-f995-4c3e-89fe-73c61fa4a3a0, dd7b36a8-a52e-446d-95a8-318b69bd9765}
OutboundConnections        : {f901f0b5-8754-44e9-92e8-f56b3d67197b, 549871d2-e238-4423-a6b8-1bb258e2a62f}
Name                       : ADSDC03.lab.adsecurity.org
Partitions                 : {DC=lab,DC=adsecurity,DC=org, CN=Configuration,DC=lab,DC=adsecurity,DC=org,CN=Schema,CN=Configuration,DC=lab,DC=adsecurity,DC=org, DC=DomainDnsZones,DC=lab,DC=adsecurity,DC=org…

Forest                     : lab.adsecurity.org
CurrentTime                : 1/27/2016 5:31:38 PM
HighestCommittedUsn        : 161898
OSVersion                  : Windows Server 2012 R2 Datacenter
Roles                      : {PdcRole, RidRole, InfrastructureRole}
Domain                     : child.lab.adsecurity.org
IPAddress                  : 172.16.11.21
SiteName                   : Default-First-Site-Name
SyncFromAllServersCallback :
InboundConnections         : {612c2d75-1c35-4073-a8a9-d41169665000, 8797cbb4-fe09-49dc-8891-952f38822eda}
OutboundConnections        : {71ea129f-8d56-4bd0-9b68-d80e89ae7385, 36bfdadf-777d-4bad-9427-bc148cea256f}
Name                       : ADSDC11.child.lab.adsecurity.org
Partitions                 : {CN=Configuration,DC=lab,DC=adsecurity,DC=org, CN=Schema,CN=Configuration,DC=lab,DC=adsecurity,DC=org,DC=ForestDnsZones,DC=lab,DC=adsecurity,DC=org, DC=child,DC=lab,DC=adsecurity,DC=org…}

Normally none of this information is hidden, encrypted or obfuscated.

Discovering network services without scanning

This approach is also called SPN scanning. Windows hosts that have the RDP (TERMSRV) or WinRM (WSMAN) service enabled can be discovered this way.

PS C:\> get-adcomputer -filter {ServicePrincipalName -like "*TERMSRV*"} -Properties OperatingSystem,OperatingSystemVersion,OperatingSystemServicePack,PasswordLastSet,LastLogonDate,ServicePrincipalName,TrustedForDelegation,TrustedtoAuthForDelegation

DistinguishedName          : CN=ADSDC02,OU=Domain Controllers,DC=lab,DC=adsecurity,DC=org
DNSHostName                : ADSDC02.lab.adsecurity.org
Enabled                    : True
LastLogonDate              : 1/20/2016 6:46:18 AM
Name                       : ADSDC02
ObjectClass                : computer
ObjectGUID                 : 1efe44af-d8d9-420b-a66a-8d771d295085
OperatingSystem            : Windows Server 2008 R2 Datacenter
OperatingSystemServicePack : Service Pack 1
OperatingSystemVersion     : 6.1 (7601)
PasswordLastSet            : 12/31/2015 6:34:15 AM
SamAccountName             : ADSDC02$
ServicePrincipalName       : {DNS/ADSDC02.lab.adsecurity.org, HOST/ADSDC02/ADSECLAB, HOST/ADSDC02.lab.adsecurity.org/ADSECLAB,GC/ADSDC02.lab.adsecurity.org/lab.adsecurity.org…}
SID                        : S-1-5-21-1581655573-3923512380-696647894-1103
TrustedForDelegation       : True
TrustedToAuthForDelegation : False
UserPrincipalName          :

DistinguishedName          : CN=ADSDC01,OU=Domain Controllers,DC=lab,DC=adsecurity,DC=org
DNSHostName                : ADSDC01.lab.adsecurity.org
Enabled                    : True
LastLogonDate              : 1/20/2016 6:47:21 AM
Name                       : ADSDC01
ObjectClass                : computer
ObjectGUID                 : 31b2038d-e63d-4cfe-b7b6-77206c325af9
OperatingSystem            : Windows Server 2008 R2 Datacenter
OperatingSystemServicePack : Service Pack 1
OperatingSystemVersion     : 6.1 (7601)
PasswordLastSet            : 12/31/2015 6:34:14 AM
SamAccountName             : ADSDC01$
ServicePrincipalName       : {ldap/ADSDC01.lab.adsecurity.org/ForestDnsZones.lab.adsecurity.org,ldap/ADSDC01.lab.adsecurity.org/DomainDnsZones.lab.adsecurity.org, TERMSRV/ADSDC01,TERMSRV/ADSDC01.lab.adsecurity.org…}
SID                        : S-1-5-21-1581655573-3923512380-696647894-1000
TrustedForDelegation       : True
TrustedToAuthForDelegation : False
UserPrincipalName          :

DistinguishedName          : CN=ADSDC03,OU=Domain Controllers,DC=lab,DC=adsecurity,DC=org
DNSHostName                : ADSDC03.lab.adsecurity.org
Enabled                    : True
LastLogonDate              : 1/20/2016 6:35:16 AM
Name                       : ADSDC03
ObjectClass                : computer
ObjectGUID                 : 0a2d849c-cc59-4785-8ba2-997fd6ca4dc8
OperatingSystem            : Windows Server 2012 R2 Datacenter
OperatingSystemServicePack :
OperatingSystemVersion     : 6.3 (9600)
PasswordLastSet            : 12/31/2015 6:34:16 AM
SamAccountName             : ADSDC03$
ServicePrincipalName       : {DNS/ADSDC03.lab.adsecurity.org, HOST/ADSDC03.lab.adsecurity.org/ADSECLAB,RPC/c8e1e99e-2aaa-4888-a5d8-23a4355fac48._msdcs.lab.adsecurity.org, GC/ADSDC03.lab.adsecurity.org/lab.adsecurity.org…}
SID                        : S-1-5-21-1581655573-3923512380-696647894-1601
TrustedForDelegation       : True
TrustedToAuthForDelegation : False
UserPrincipalName          :

DistinguishedName          : CN=ADSWRKWIN7,CN=Computers,DC=lab,DC=adsecurity,DC=org
DNSHostName                : ADSWRKWIN7.lab.adsecurity.org
Enabled                    : True
LastLogonDate              : 8/29/2015 6:40:16 PM
Name                       : ADSWRKWIN7
ObjectClass                : computer
ObjectGUID                 : e8b3bed2-75b4-4512-a4f0-6d9c2d975c70
OperatingSystem            : Windows 7 Enterprise
OperatingSystemServicePack : Service Pack 1
OperatingSystemVersion     : 6.1 (7601)
PasswordLastSet            : 8/29/2015 6:40:12 PM
SamAccountName             : ADSWRKWIN7$
ServicePrincipalName       : {TERMSRV/ADSWRKWin7.lab.adsecurity.org, TERMSRV/ADSWRKWIN7, RestrictedKrbHost/ADSWRKWIN7, HOST/ADSWRKWIN7…}
SID                        : S-1-5-21-1581655573-3923512380-696647894-1104
TrustedForDelegation       : False
TrustedToAuthForDelegation : False
UserPrincipalName          :

DistinguishedName          : CN=ADSAP01,CN=Computers,DC=lab,DC=adsecurity,DC=org
DNSHostName                : ADSAP01.lab.adsecurity.org
Enabled                    : True
LastLogonDate              : 1/24/2016 11:03:41 AM
Name                       : ADSAP01
ObjectClass                : computer
ObjectGUID                 : b79bb5e3-8f9e-4ee0-a30c-5f66b61da681
OperatingSystem            : Windows Server 2008 R2 Datacenter
OperatingSystemServicePack : Service Pack 1
OperatingSystemVersion     : 6.1 (7601)
PasswordLastSet            : 1/4/2016 6:38:16 AM
SamAccountName             : ADSAP01$
ServicePrincipalName       : {WSMAN/ADSAP01.lab.adsecurity.org, WSMAN/ADSAP01, TERMSRV/ADSAP01.lab.adsecurity.org, TERMSRV/ADSAP01…}
SID                        : S-1-5-21-1581655573-3923512380-696647894-1105
TrustedForDelegation       : False
TrustedToAuthForDelegation : False
UserPrincipalName          :

DistinguishedName          : CN=ADSWKWIN7,CN=Computers,DC=lab,DC=adsecurity,DC=org
DNSHostName                : ADSWKWIN7.lab.adsecurity.org
Enabled                    : True
LastLogonDate              : 1/20/2016 7:07:11 AM
Name                       : ADSWKWIN7
ObjectClass                : computer
ObjectGUID                 : 2f164d63-d721-4b0e-a553-3ca0e272aa96
OperatingSystem            : Windows 7 Enterprise
OperatingSystemServicePack : Service Pack 1
OperatingSystemVersion     : 6.1 (7601)
PasswordLastSet            : 12/31/2015 8:03:05 AM
SamAccountName             : ADSWKWIN7$
ServicePrincipalName       : {TERMSRV/ADSWKWin7.lab.adsecurity.org, TERMSRV/ADSWKWIN7, RestrictedKrbHost/ADSWKWIN7, HOST/ADSWKWIN7…}
SID                        : S-1-5-21-1581655573-3923512380-696647894-1602
TrustedForDelegation       : False
TrustedToAuthForDelegation : False
UserPrincipalName          :

DistinguishedName          : CN=ADSAP02,CN=Computers,DC=lab,DC=adsecurity,DC=org
DNSHostName                : ADSAP02.lab.adsecurity.org
Enabled                    : True
LastLogonDate              : 1/24/2016 7:39:48 AM
Name                       : ADSAP02
ObjectClass                : computer
ObjectGUID                 : 1006978e-8627-4d01-98b6-3215c4ee4541
OperatingSystem            : Windows Server 2012 R2 Datacenter
OperatingSystemServicePack :
OperatingSystemVersion     : 6.3 (9600)
PasswordLastSet            : 1/4/2016 6:39:25 AM
SamAccountName             : ADSAP02$
ServicePrincipalName       : {WSMAN/ADSAP02.lab.adsecurity.org, WSMAN/ADSAP02, TERMSRV/ADSAP02.lab.adsecurity.org, TERMSRV/ADSAP02…}
SID                        : S-1-5-21-1581655573-3923512380-696647894-1603
TrustedForDelegation       : False
TrustedToAuthForDelegation : False
UserPrincipalName          :

Collecting service accounts

PS C:\> get-aduser -filter {ServicePrincipalName -like "*"} -Properties PasswordLastSet,LastLogonDate,ServicePrincipalName,TrustedForDelegation,TrustedtoAuthForDelegation

DistinguishedName          : CN=svc-adsMSSQL11,OU=Test,DC=lab,DC=adsecurity,DC=org
Enabled                    : False
GivenName                  :
LastLogonDate              :
Name                       : svc-adsMSSQL11
ObjectClass                : user
ObjectGUID                 : 275d3bf4-80d3-42ba-9d77-405c5cc63c07
PasswordLastSet            : 1/4/2016 7:13:03 AM
SamAccountName             : svc-adsMSSQL11
ServicePrincipalName       : {MSSQL/adsMSSQL11.lab.adsecurity.org:7434}
SID                        : S-1-5-21-1581655573-3923512380-696647894-3601
Surname                    :
TrustedForDelegation       : False
TrustedToAuthForDelegation : False
UserPrincipalName          :

DistinguishedName          : CN=svc-adsSQLSA,OU=Test,DC=lab,DC=adsecurity,DC=org
Enabled                    : False
GivenName                  :
LastLogonDate              :
Name                       : svc-adsSQLSA
ObjectClass                : user
ObjectGUID                 : 56faaab2-5b05-4bb2-aaea-0bdc1409eab3
PasswordLastSet            : 1/4/2016 7:13:13 AM
SamAccountName             : svc-adsSQLSA
ServicePrincipalName       : {MSSQL/adsMSSQL23.lab.adsecurity.org:7434, MSSQL/adsMSSQL22.lab.adsecurity.org:5534, MSSQL/adsMSSQL21.lab.adsecurity.org:9834, MSSQL/adsMSSQL10.lab.adsecurity.org:14434…}
SID                        : S-1-5-21-1581655573-3923512380-696647894-3602
Surname                    :
TrustedForDelegation       : False
TrustedToAuthForDelegation : False
UserPrincipalName          :

DistinguishedName          : CN=svc-adsMSSQL10,OU=Test,DC=lab,DC=adsecurity,DC=org
Enabled                    : False
GivenName                  :
LastLogonDate              :
Name                       : svc-adsMSSQL10
ObjectClass                : user
ObjectGUID                 : 6c2f15a2-ba4a-485a-a367-39395ad82c86
PasswordLastSet            : 1/4/2016 7:13:24 AM
SamAccountName             : svc-adsMSSQL10
ServicePrincipalName       : {MSSQL/adsMSSQL10.lab.adsecurity.org:7434}
SID                        : S-1-5-21-1581655573-3923512380-696647894-3603
Surname                    :
TrustedForDelegation       : False
TrustedToAuthForDelegation : False
UserPrincipalName          :

Getting host names without scanning

Every host joined to the domain is recorded on the domain controller, along with many details such as creation time, modification time, password policy and operating system version.

PS C:\> get-adcomputer -filter {PrimaryGroupID -eq "515"} -Properties OperatingSystem,OperatingSystemVersion,OperatingSystemServicePack,PasswordLastSet,LastLogonDate,ServicePrincipalName,TrustedForDelegation,TrustedtoAuthForDelegation

DistinguishedName          : CN=ADSWRKWIN7,CN=Computers,DC=lab,DC=adsecurity,DC=org
DNSHostName                : ADSWRKWIN7.lab.adsecurity.org
Enabled                    : True
LastLogonDate              : 8/29/2015 6:40:16 PM
Name                       : ADSWRKWIN7
ObjectClass                : computer
ObjectGUID                 : e8b3bed2-75b4-4512-a4f0-6d9c2d975c70
OperatingSystem            : Windows 7 Enterprise
OperatingSystemServicePack : Service Pack 1
OperatingSystemVersion     : 6.1 (7601)
PasswordLastSet            : 8/29/2015 6:40:12 PM
SamAccountName             : ADSWRKWIN7$
ServicePrincipalName       : {TERMSRV/ADSWRKWin7.lab.adsecurity.org, TERMSRV/ADSWRKWIN7, RestrictedKrbHost/ADSWRKWIN7, HOST/ADSWRKWIN7…}
SID                        : S-1-5-21-1581655573-3923512380-696647894-1104
TrustedForDelegation       : False
TrustedToAuthForDelegation : False
UserPrincipalName          :

DistinguishedName          : CN=ADSAP01,CN=Computers,DC=lab,DC=adsecurity,DC=org
DNSHostName                : ADSAP01.lab.adsecurity.org
Enabled                    : True
LastLogonDate              : 1/24/2016 11:03:41 AM
Name                       : ADSAP01
ObjectClass                : computer
ObjectGUID                 : b79bb5e3-8f9e-4ee0-a30c-5f66b61da681
OperatingSystem            : Windows Server 2008 R2 Datacenter
OperatingSystemServicePack : Service Pack 1
OperatingSystemVersion     : 6.1 (7601)
PasswordLastSet            : 1/4/2016 6:38:16 AM
SamAccountName             : ADSAP01$
ServicePrincipalName       : {WSMAN/ADSAP01.lab.adsecurity.org, WSMAN/ADSAP01, TERMSRV/ADSAP01.lab.adsecurity.org, TERMSRV/ADSAP01…}
SID                        : S-1-5-21-1581655573-3923512380-696647894-1105
TrustedForDelegation       : False
TrustedToAuthForDelegation : False
UserPrincipalName          :

DistinguishedName          : CN=ADSWKWIN7,CN=Computers,DC=lab,DC=adsecurity,DC=org
DNSHostName                : ADSWKWIN7.lab.adsecurity.org
Enabled                    : True
LastLogonDate              : 1/20/2016 7:07:11 AM
Name                       : ADSWKWIN7
ObjectClass                : computer
ObjectGUID                 : 2f164d63-d721-4b0e-a553-3ca0e272aa96
OperatingSystem            : Windows 7 Enterprise
OperatingSystemServicePack : Service Pack 1
OperatingSystemVersion     : 6.1 (7601)
PasswordLastSet            : 12/31/2015 8:03:05 AM
SamAccountName             : ADSWKWIN7$
ServicePrincipalName       : {TERMSRV/ADSWKWin7.lab.adsecurity.org, TERMSRV/ADSWKWIN7, RestrictedKrbHost/ADSWKWIN7, HOST/ADSWKWIN7…}
SID                        : S-1-5-21-1581655573-3923512380-696647894-1602
TrustedForDelegation       : False
TrustedToAuthForDelegation : False
UserPrincipalName          :

DistinguishedName          : CN=ADSAP02,CN=Computers,DC=lab,DC=adsecurity,DC=org
DNSHostName                : ADSAP02.lab.adsecurity.org
Enabled                    : True
LastLogonDate              : 1/24/2016 7:39:48 AM
Name                       : ADSAP02
ObjectClass                : computer
ObjectGUID                 : 1006978e-8627-4d01-98b6-3215c4ee4541
OperatingSystem            : Windows Server 2012 R2 Datacenter
OperatingSystemServicePack :
OperatingSystemVersion     : 6.3 (9600)
PasswordLastSet            : 1/4/2016 6:39:25 AM
SamAccountName             : ADSAP02$
ServicePrincipalName       : {WSMAN/ADSAP02.lab.adsecurity.org, WSMAN/ADSAP02, TERMSRV/ADSAP02.lab.adsecurity.org, TERMSRV/ADSAP02…}
SID                        : S-1-5-21-1581655573-3923512380-696647894-1603
TrustedForDelegation       : False
TrustedToAuthForDelegation : False
UserPrincipalName          :

You can change the PrimaryGroupID value (515) to retrieve information about other hosts known to the domain controllers, or use "-filter *" to retrieve all hosts:

PS C:\> get-adcomputer -filter {PrimaryGroupID -eq "516"} -Properties OperatingSystem,OperatingSystemVersion,OperatingSystemServicePack,PasswordLastSet,LastLogonDate,ServicePrincipalName,TrustedForDelegation,TrustedtoAuthForDelegation

DistinguishedName          : CN=ADSDC02,OU=Domain Controllers,DC=lab,DC=adsecurity,DC=org
DNSHostName                : ADSDC02.lab.adsecurity.org
Enabled                    : True
LastLogonDate              : 1/20/2016 6:46:18 AM
Name                       : ADSDC02
ObjectClass                : computer
ObjectGUID                 : 1efe44af-d8d9-420b-a66a-8d771d295085
OperatingSystem            : Windows Server 2008 R2 Datacenter
OperatingSystemServicePack : Service Pack 1
OperatingSystemVersion     : 6.1 (7601)
PasswordLastSet            : 12/31/2015 6:34:15 AM
SamAccountName             : ADSDC02$
ServicePrincipalName       : {DNS/ADSDC02.lab.adsecurity.org, HOST/ADSDC02/ADSECLAB, HOST/ADSDC02.lab.adsecurity.org/ADSECLAB,GC/ADSDC02.lab.adsecurity.org/lab.adsecurity.org…}
SID                        : S-1-5-21-1581655573-3923512380-696647894-1103
TrustedForDelegation       : True
TrustedToAuthForDelegation : False
UserPrincipalName          :

DistinguishedName          : CN=ADSDC01,OU=Domain Controllers,DC=lab,DC=adsecurity,DC=org
DNSHostName                : ADSDC01.lab.adsecurity.org
Enabled                    : True
LastLogonDate              : 1/20/2016 6:47:21 AM
Name                       : ADSDC01
ObjectClass                : computer
ObjectGUID                 : 31b2038d-e63d-4cfe-b7b6-77206c325af9
OperatingSystem            : Windows Server 2008 R2 Datacenter
OperatingSystemServicePack : Service Pack 1
OperatingSystemVersion     : 6.1 (7601)
PasswordLastSet            : 12/31/2015 6:34:14 AM
SamAccountName             : ADSDC01$
ServicePrincipalName       : {ldap/ADSDC01.lab.adsecurity.org/ForestDnsZones.lab.adsecurity.org,ldap/ADSDC01.lab.adsecurity.org/DomainDnsZones.lab.adsecurity.org, TERMSRV/ADSDC01,TERMSRV/ADSDC01.lab.adsecurity.org…}
SID                        : S-1-5-21-1581655573-3923512380-696647894-1000
TrustedForDelegation       : True
TrustedToAuthForDelegation : False
UserPrincipalName          :

DistinguishedName          : CN=ADSDC03,OU=Domain Controllers,DC=lab,DC=adsecurity,DC=org
DNSHostName                : ADSDC03.lab.adsecurity.org
Enabled                    : True
LastLogonDate              : 1/20/2016 6:35:16 AM
Name                       : ADSDC03
ObjectClass                : computer
ObjectGUID                 : 0a2d849c-cc59-4785-8ba2-997fd6ca4dc8
OperatingSystem            : Windows Server 2012 R2 Datacenter
OperatingSystemServicePack :
OperatingSystemVersion     : 6.3 (9600)
PasswordLastSet            : 12/31/2015 6:34:16 AM
SamAccountName             : ADSDC03$
ServicePrincipalName       : {DNS/ADSDC03.lab.adsecurity.org, HOST/ADSDC03.lab.adsecurity.org/ADSECLAB,RPC/c8e1e99e-2aaa-4888-a5d8-23a4355fac48._msdcs.lab.adsecurity.org, GC/ADSDC03.lab.adsecurity.org/lab.adsecurity.org…}
SID                        : S-1-5-21-1581655573-3923512380-696647894-1601
TrustedForDelegation       : True
TrustedToAuthForDelegation : False
UserPrincipalName          :

You can also use the following filter terms to find hosts by operating system:

  • OperatingSystem -Like "*Samba*"

  • OperatingSystem -Like "*OnTap*"

  • OperatingSystem -Like "*Data Domain*"

  • OperatingSystem -Like "*EMC*"

  • OperatingSystem -Like "*Windows NT*"
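The same computer records are useful for defensive hygiene: the PasswordLastSet and LastLogonDate values show which machine accounts are no longer in use and should be disabled or removed. The following is an added example, not code from the original article; the function name Find-StaleComputer and the 90-day cutoff are assumptions, and the sample records are constructed from the PrimaryGroupID 515 output above with the dates taken from that output, so the script runs without a domain.

```powershell
# Added example, not from the original article.
# Find-StaleComputer is a hypothetical helper; the 90-day cutoff is an assumed baseline.
function Find-StaleComputer {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Computer,
        [int]$StaleDays = 90,
        # Reference date; fixed in the sample run so the result is reproducible.
        [datetime]$AsOf = (Get-Date)
    )
    process {
        $reasons = New-Object 'System.Collections.Generic.List[string]'

        # Domain members change their machine password every 30 days by default,
        # so an old PasswordLastSet usually means the host has left the network.
        $pwdAge = $null
        if ($Computer.PasswordLastSet) {
            $pwdAge = ($AsOf - $Computer.PasswordLastSet).Days
            if ($pwdAge -gt $StaleDays) {
                $reasons.Add("machine password unchanged for $pwdAge days")
            }
        }
        else {
            $reasons.Add('PasswordLastSet is empty')
        }

        # LastLogonDate is replicated with a lag of up to about two weeks,
        # so only large ages are meaningful.
        $logonAge = $null
        if ($Computer.LastLogonDate) {
            $logonAge = ($AsOf - $Computer.LastLogonDate).Days
            if ($logonAge -gt $StaleDays) {
                $reasons.Add("no logon recorded for $logonAge days")
            }
        }
        else {
            $reasons.Add('no logon recorded')
        }

        # Emit only the records that need review.
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Name             = $Computer.Name
                Enabled          = $Computer.Enabled
                OperatingSystem  = $Computer.OperatingSystem
                PasswordAgeDays  = $pwdAge
                LastLogonAgeDays = $logonAge
                Reasons          = $reasons -join '; '
            }
        }
    }
}

# Constructed sample records (values copied from the output shown in the article).
$sampleComputers = @(
    [pscustomobject]@{
        Name = 'ADSWRKWIN7'; Enabled = $true; OperatingSystem = 'Windows 7 Enterprise'
        PasswordLastSet = [datetime]'2015-08-29 18:40:12'
        LastLogonDate   = [datetime]'2015-08-29 18:40:16'
    },
    [pscustomobject]@{
        Name = 'ADSAP01'; Enabled = $true; OperatingSystem = 'Windows Server 2008 R2 Datacenter'
        PasswordLastSet = [datetime]'2016-01-04 06:38:16'
        LastLogonDate   = [datetime]'2016-01-24 11:03:41'
    },
    [pscustomobject]@{
        Name = 'ADSWKWIN7'; Enabled = $true; OperatingSystem = 'Windows 7 Enterprise'
        PasswordLastSet = [datetime]'2015-12-31 08:03:05'
        LastLogonDate   = [datetime]'2016-01-20 07:07:11'
    },
    [pscustomobject]@{
        Name = 'ADSAP02'; Enabled = $true; OperatingSystem = 'Windows Server 2012 R2 Datacenter'
        PasswordLastSet = [datetime]'2016-01-04 06:39:25'
        LastLogonDate   = [datetime]'2016-01-24 07:39:48'
    }
)

# Evaluate the sample as of the date the article's output was captured.
$sampleComputers | Find-StaleComputer -AsOf ([datetime]'2016-01-27') | Format-List

# Against a live domain (cmdlet and properties as used in the article):
#   Get-ADComputer -Filter * -Properties OperatingSystem,PasswordLastSet,LastLogonDate |
#       Find-StaleComputer
```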

Identifying administrator accounts

PS C:\> get-aduser -filter {AdminCount -eq 1} -Properties Name,AdminCount,ServicePrincipalName,PasswordLastSet,LastLogonDate,MemberOf

AdminCount        : 1
DistinguishedName : CN=ADSAdministrator,CN=Users,DC=lab,DC=adsecurity,DC=org
Enabled           : True
GivenName         :
LastLogonDate     : 1/27/2016 8:55:48 AM
MemberOf          : {CN=Administrators,CN=Builtin,DC=lab,DC=adsecurity,DC=org, CN=Schema Admins,CN=Users,DC=lab,DC=adsecurity,DC=org, CN=GroupPolicy Creator Owners,CN=Users,DC=lab,DC=adsecurity,DC=org, CN=Enterprise Admins,CN=Users,DC=lab,DC=adsecurity,DC=org…}
Name              : ADSAdministrator
ObjectClass       : user
ObjectGUID        : 72ac7731-0a76-4e5a-8e5d-b4ded9a304b5
PasswordLastSet   : 12/31/2015 8:45:27 AM
SamAccountName    : ADSAdministrator
SID               : S-1-5-21-1581655573-3923512380-696647894-500
Surname           :
UserPrincipalName :

AdminCount           : 1
DistinguishedName    : CN=krbtgt,CN=Users,DC=lab,DC=adsecurity,DC=org
Enabled              : False
GivenName            :
LastLogonDate        :
MemberOf             : {CN=Denied RODC Password Replication Group,CN=Users,DC=lab,DC=adsecurity,DC=org}
Name                 : krbtgt
ObjectClass          : user
ObjectGUID           : 3d5be8dd-df7f-4f84-b2cf-4556310a7292
PasswordLastSet      : 8/27/2015 7:10:22 PM
SamAccountName       : krbtgt
ServicePrincipalName : {kadmin/changepw}
SID                  : S-1-5-21-1581655573-3923512380-696647894-502
Surname              :
UserPrincipalName    :

AdminCount        : 1
DistinguishedName : CN=LukeSkywalker,OU=AD Management,DC=lab,DC=adsecurity,DC=org
Enabled           : True
GivenName         :
LastLogonDate     : 8/29/2015 7:29:52 PM
MemberOf          : {CN=Domain Admins,CN=Users,DC=lab,DC=adsecurity,DC=org}
Name              : LukeSkywalker
ObjectClass       : user
ObjectGUID        : 32b5226b-aa6d-4b35-a031-ddbcbde07137
PasswordLastSet   : 8/29/2015 7:26:02 PM
SamAccountName    : LukeSkywalker
SID               : S-1-5-21-1581655573-3923512380-696647894-2629
Surname           :
UserPrincipalName :

Getting administrator groups

PS C:\> get-adgroup -filter {GroupCategory -eq 'Security' -AND Name -like "*admin*"}

DistinguishedName : CN=Domain Admins,CN=Users,DC=lab,DC=adsecurity,DC=org
GroupCategory     : Security
GroupScope        : Global
Name              : Domain Admins
ObjectClass       : group
ObjectGUID        : 5621cc71-d318-4e2c-b1b1-c181f630e10e
SamAccountName    : Domain Admins
SID               : S-1-5-21-1581655573-3923512380-696647894-512

DistinguishedName : CN=Workstation Admins,OU=AD Management,DC=lab,DC=adsecurity,DC=org
GroupCategory     : Security
GroupScope        : Global
Name              : Workstation Admins
ObjectClass       : group
ObjectGUID        : 88cd4d52-aedb-4f90-9ebd-02d4c0e322e4
SamAccountName    : WorkstationAdmins
SID               : S-1-5-21-1581655573-3923512380-696647894-2627

DistinguishedName : CN=Server Admins,OU=AD Management,DC=lab,DC=adsecurity,DC=org
GroupCategory     : Security
GroupScope        : Global
Name              : Server Admins
ObjectClass       : group
ObjectGUID        : 3877c311-9321-41c0-a6b5-c0d88684b335
SamAccountName    : ServerAdmins
SID               : S-1-5-21-1581655573-3923512380-696647894-2628

DistinguishedName : CN=DnsAdmins,CN=Users,DC=lab,DC=adsecurity,DC=org
GroupCategory     : Security
GroupScope        : DomainLocal
Name              : DnsAdmins
ObjectClass       : group
ObjectGUID        : 46caa0dd-6a22-42a3-a2d9-bd467934aab5
SamAccountName    : DnsAdmins
SID               : S-1-5-21-1581655573-3923512380-696647894-1101

DistinguishedName : CN=Administrators,CN=Builtin,DC=lab,DC=adsecurity,DC=org
GroupCategory     : Security
GroupScope        : DomainLocal
Name              : Administrators
ObjectClass       : group
ObjectGUID        : d03a4afc-b14e-48c6-893c-bbc1ac872ca2
SamAccountName    : Administrators
SID               : S-1-5-32-544

DistinguishedName : CN=Hyper-V Administrators,CN=Builtin,DC=lab,DC=adsecurity,DC=org
GroupCategory     : Security
GroupScope        : DomainLocal
Name              : Hyper-V Administrators
ObjectClass       : group
ObjectGUID        : 3137943e-f1c3-46d0-acf2-4711bf6f8417
SamAccountName    : Hyper-V Administrators
SID               : S-1-5-32-578

DistinguishedName : CN=Enterprise Admins,CN=Users,DC=lab,DC=adsecurity,DC=org
GroupCategory     : Security
GroupScope        : Universal
Name              : Enterprise Admins
ObjectClass       : group
ObjectGUID        : 7674d6ad-777b-4db1-9fe3-e31fd664eb6e
SamAccountName    : Enterprise Admins
SID               : S-1-5-21-1581655573-3923512380-696647894-519

DistinguishedName : CN=Schema Admins,CN=Users,DC=lab,DC=adsecurity,DC=org
GroupCategory     : Security
GroupScope        : Universal
Name              : Schema Admins
ObjectClass       : group
ObjectGUID        : 420e8ee5-77f5-43b8-9f51-cde3feea0662
SamAccountName    : Schema Admins
SID               : S-1-5-21-1581655573-3923512380-696647894-518

Getting partner information

PS C:\> get-adobject -filter {ObjectClass -eq "Contact"} -Prop *

CanonicalName                   : lab.adsecurity.org/Contaxts/Admiral Ackbar
CN                              : Admiral Ackbar
Created                         : 1/27/2016 10:00:06 AM
createTimeStamp                 : 1/27/2016 10:00:06 AM
Deleted                         :
Description                     :
DisplayName                     :
DistinguishedName               : CN=Admiral Ackbar,OU=Contaxts,DC=lab,DC=adsecurity,DC=org
dSCorePropagationData           : {12/31/1600 4:00:00 PM}
givenName                       : Admiral
instanceType                    : 4
isDeleted                       :
LastKnownParent                 :
mail                            : [email protected]
Modified                        : 1/27/2016 10:00:24 AM
modifyTimeStamp                 : 1/27/2016 10:00:24 AM
Name                            : Admiral Ackbar
nTSecurityDescriptor            : System.DirectoryServices.ActiveDirectorySecurity
ObjectCategory                  : CN=Person,CN=Schema,CN=Configuration,DC=lab,DC=adsecurity,DC=org
ObjectClass                     : contact
ObjectGUID                      : 52c80a1d-a614-4889-92d4-1f588387d9f3
ProtectedFromAccidentalDeletion : False
sDRightsEffective               : 15
sn                              : Ackbar
uSNChanged                      : 275113
uSNCreated                      : 275112
whenChanged                     : 1/27/2016 10:00:24 AM
whenCreated                     : 1/27/2016 10:00:06 AM

CanonicalName                   : lab.adsecurity.org/Contaxts/Leia Organa
CN                              : Leia Organa
Created                         : 1/27/2016 10:01:25 AM
createTimeStamp                 : 1/27/2016 10:01:25 AM
Deleted                         :
Description                     :
DisplayName                     :
DistinguishedName               : CN=Leia Organa,OU=Contaxts,DC=lab,DC=adsecurity,DC=org
dSCorePropagationData           : {12/31/1600 4:00:00 PM}
givenName                       : Leia
instanceType                    : 4
isDeleted                       :
LastKnownParent                 :
mail                            : [email protected]
Modified                        : 1/27/2016 10:09:15 AM
modifyTimeStamp                 : 1/27/2016 10:09:15 AM
Name                            : Leia Organa
nTSecurityDescriptor            : System.DirectoryServices.ActiveDirectorySecurity
ObjectCategory                  : CN=Person,CN=Schema,CN=Configuration,DC=lab,DC=adsecurity,DC=org
ObjectClass                     : contact
ObjectGUID                      : ba8ec318-a0a2-41d5-923e-a3f646d1c7f9
ProtectedFromAccidentalDeletion : False
sDRightsEffective               : 15
sn                              : Organa
uSNChanged                      : 275157
uSNCreated                      : 275132
whenChanged                     : 1/27/2016 10:09:15 AM
whenCreated                     : 1/27/2016 10:01:25 AM

Getting the domain password policy

PS C:\> Get-ADDefaultDomainPasswordPolicy

ComplexityEnabled           : True
DistinguishedName           : DC=lab,DC=adsecurity,DC=org
LockoutDuration             : 00:30:00
LockoutObservationWindow    : 00:30:00
LockoutThreshold            : 0
MaxPasswordAge              : 42.00:00:00
MinPasswordAge              : 1.00:00:00
MinPasswordLength           : 7
objectClass                 : {domainDNS}
objectGuid                  : bbf0907c-3171-4448-b33a-76a48d859039
PasswordHistoryCount        : 24
ReversibleEncryptionEnabled : False

Getting fine-grained password policies

On Windows Server 2008 and later, fine-grained password policies can be set for users or groups.

PS C:\> Get-ADFineGrainedPasswordPolicy -Filter *

AppliesTo                   : {CN=Special FGPP Users,OU=Test,DC=lab,DC=adsecurity,DC=org}
ComplexityEnabled           : True
DistinguishedName           : CN=Special Password Policy Group,CN=Password Settings Container,CN=System,DC=lab,DC=adsecurity,DC=org
LockoutDuration             : 12:00:00
LockoutObservationWindow    : 00:15:00
LockoutThreshold            : 10
MaxPasswordAge              : 00:00:00.0000365
MinPasswordAge              : 00:00:00
MinPasswordLength           : 7
Name                        : Special Password Policy Group
ObjectClass                 : msDS-PasswordSettings
ObjectGUID                  : c1301d8f-ba52-4bb3-b160-c449d9c7b8f8
PasswordHistoryCount        : 24
Precedence                  : 100
ReversibleEncryptionEnabled : True
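Because this policy data is readable by any domain user, it is worth reviewing both outputs for weak settings before someone else does. The following is an added example, not code from the original article; the function name Test-PasswordPolicy and its thresholds (minimum length 14, lockout threshold at most 10) are assumptions, and the two sample objects are constructed from the values in the two outputs above so the script runs without a domain.

```powershell
# Added example, not from the original article.
# Test-PasswordPolicy is a hypothetical helper; the thresholds are assumed baselines.
function Test-PasswordPolicy {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Policy,
        [int]$MinLength = 14,
        [int]$MaxLockoutThreshold = 10
    )
    process {
        $findings = New-Object 'System.Collections.Generic.List[string]'

        if ($Policy.LockoutThreshold -eq 0) {
            $findings.Add('LockoutThreshold is 0: failed logons never lock the account')
        }
        elseif ($Policy.LockoutThreshold -gt $MaxLockoutThreshold) {
            $findings.Add("LockoutThreshold $($Policy.LockoutThreshold) exceeds $MaxLockoutThreshold")
        }
        if ($Policy.MinPasswordLength -lt $MinLength) {
            $findings.Add("MinPasswordLength $($Policy.MinPasswordLength) is below $MinLength")
        }
        if (-not $Policy.ComplexityEnabled) {
            $findings.Add('ComplexityEnabled is False')
        }
        if ($Policy.ReversibleEncryptionEnabled) {
            $findings.Add('ReversibleEncryptionEnabled is True: passwords are stored recoverably')
        }

        # Fine-grained policies carry Name, AppliesTo and Precedence;
        # the default domain policy object does not.
        $isFineGrained = $null -ne $Policy.PSObject.Properties['AppliesTo']
        [pscustomobject]@{
            Policy     = if ($isFineGrained) { $Policy.Name } else { $Policy.DistinguishedName }
            Scope      = if ($isFineGrained) { $Policy.AppliesTo -join '; ' } else { 'domain default' }
            Precedence = if ($isFineGrained) { $Policy.Precedence } else { $null }
            Findings   = $findings.ToArray()
        }
    }
}

# Constructed sample objects (values copied from the two outputs in the article).
$samplePolicies = @(
    [pscustomobject]@{
        DistinguishedName           = 'DC=lab,DC=adsecurity,DC=org'
        ComplexityEnabled           = $true
        LockoutThreshold            = 0
        MinPasswordLength           = 7
        ReversibleEncryptionEnabled = $false
    },
    [pscustomobject]@{
        Name                        = 'Special Password Policy Group'
        AppliesTo                   = @('CN=Special FGPP Users,OU=Test,DC=lab,DC=adsecurity,DC=org')
        Precedence                  = 100
        ComplexityEnabled           = $true
        LockoutThreshold            = 10
        MinPasswordLength           = 7
        ReversibleEncryptionEnabled = $true
    }
)

$samplePolicies | Test-PasswordPolicy | Format-List

# Against a live domain (cmdlets as used in the article):
#   Get-ADDefaultDomainPasswordPolicy | Test-PasswordPolicy
#   Get-ADFineGrainedPasswordPolicy -Filter * | Test-PasswordPolicy
```

A fine-grained policy replaces the domain default for the users and groups in its AppliesTo list, so each policy has to be reviewed on its own rather than assuming the default applies everywhere.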

获取管理服务的组和账号

PS C:> Get-ADServiceAccount -Filter * -Properties *

AccountExpirationDate                      : 12/27/2017 11:14:38 AM
accountExpires                             : 131588756787719890
AccountLockoutTime                         :
AccountNotDelegated                        : False
AllowReversiblePasswordEncryption          : False
AuthenticationPolicy                       : {}
AuthenticationPolicySilo                   : {}
BadLogonCount                              : 0
badPasswordTime                            : 0
badPwdCount                                : 0
CannotChangePassword                       : False
CanonicalName                              : lab.adsecurity.org/Managed Service Accounts/ADSMSA12
Certificates                               : {}
CN                                         : ADSMSA12
codePage                                   : 0
CompoundIdentitySupported                  : {False}
countryCode                                : 0
Created                                    : 1/27/2016 11:14:38 AM
createTimeStamp                            : 1/27/2016 11:14:38 AM
Deleted                                    :
Description                                : gMSA for XYZ App
DisplayName                                : ADSMSA12
DistinguishedName                          : CN=ADSMSA12,CN=Managed Service Accounts,DC=lab,DC=adsecurity,DC=org
DNSHostName                                : ADSAP02.lab.adsecurity.org
DoesNotRequirePreAuth                      : False
dSCorePropagationData                      : {12/31/1600 4:00:00 PM}
Enabled                                    : True
HomedirRequired                            : False
HomePage                                   :
HostComputers                              : {}
instanceType                               : 4
isCriticalSystemObject                     : False
isDeleted                                  :
KerberosEncryptionType                     : {RC4, AES128, AES256}
LastBadPasswordAttempt                     :
LastKnownParent                            :
lastLogoff                                 : 0
lastLogon                                  : 0
LastLogonDate                              :
localPolicyFlags                           : 0
LockedOut                                  : False
logonCount                                 : 0
ManagedPasswordIntervalInDays              : {21}
MemberOf                                   : {}
MNSLogonAccount                            : False
Modified                                   : 1/27/2016 11:14:39 AM
modifyTimeStamp                            : 1/27/2016 11:14:39 AM
msDS-ManagedPasswordId                     : {1, 0, 0, 0…}
msDS-ManagedPasswordInterval               : 21
msDS-SupportedEncryptionTypes              : 28
msDS-User-Account-Control-Computed         : 0
Name                                       : ADSMSA12
nTSecurityDescriptor                       : System.DirectoryServices.ActiveDirectorySecurity
ObjectCategory                             : CN=ms-DS-Group-Managed-Service-Account,CN=Schema,CN=Configuration,DC=lab,DC=adsecurity,DC=org
ObjectClass                                : msDS-GroupManagedServiceAccount
ObjectGUID                                 : fe4c287b-f9d2-45ce-abe3-4acd6d09c3ff
objectSid                                  : S-1-5-21-1581655573-3923512380-696647894-3605
PasswordExpired                            : False
PasswordLastSet                            : 1/27/2016 11:14:38 AM
PasswordNeverExpires                       : False
PasswordNotRequired                        : False
PrimaryGroup                               : CN=Domain Computers,CN=Users,DC=lab,DC=adsecurity,DC=org
primaryGroupID                             : 515
PrincipalsAllowedToDelegateToAccount       : {}
PrincipalsAllowedToRetrieveManagedPassword : {}
ProtectedFromAccidentalDeletion            : False
pwdLastSet                                 : 130983956789440119
SamAccountName                             : ADSMSA12$
sAMAccountType                             : 805306369
sDRightsEffective                          : 15
ServicePrincipalNames                      :
SID                                        : S-1-5-21-1581655573-3923512380-696647894-3605
SIDHistory                                 : {}
TrustedForDelegation                       : False
TrustedToAuthForDelegation                 : False
UseDESKeyOnly                              : False
userAccountControl                         : 4096
userCertificate                            : {}
UserPrincipalName                          :
uSNChanged                                 : 275383
uSNCreated                                 : 275380
whenChanged                                : 1/27/2016 11:14:39 AM
whenCreated                                : 1/27/2016 11:14:38 AM
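Several values in this output are raw bit masks or FILETIME integers (msDS-SupportedEncryptionTypes, userAccountControl, accountExpires, pwdLastSet) and are easier to review once decoded. The following is an added example, not part of the original article: the enum and function names are made up here, the input values are copied from the output above, and it needs PowerShell 5.0 or later for the `enum` keyword.

```powershell
# Added example. Raw values below are copied from the ADSMSA12 dump above.
[Flags()] enum KerbEncType {     # low bits of msDS-SupportedEncryptionTypes
    DES_CBC_CRC = 0x01
    DES_CBC_MD5 = 0x02
    RC4_HMAC    = 0x04
    AES128      = 0x08
    AES256      = 0x10
}
[Flags()] enum UacFlag {         # subset of userAccountControl bits
    ACCOUNTDISABLE                 = 0x00000002
    PASSWD_NOTREQD                 = 0x00000020
    ENCRYPTED_TEXT_PWD_ALLOWED     = 0x00000080
    NORMAL_ACCOUNT                 = 0x00000200
    WORKSTATION_TRUST_ACCOUNT      = 0x00001000
    DONT_EXPIRE_PASSWORD           = 0x00010000
    TRUSTED_FOR_DELEGATION         = 0x00080000
    USE_DES_KEY_ONLY               = 0x00200000
    DONT_REQ_PREAUTH               = 0x00400000
    TRUSTED_TO_AUTH_FOR_DELEGATION = 0x01000000
}

function ConvertFrom-AdFileTime {
    param([long]$Value)
    # 0 and Int64.MaxValue are sentinels ("not set" / "never"), not timestamps.
    if ($Value -eq 0 -or $Value -eq [long]::MaxValue) { return $null }
    [DateTime]::FromFileTimeUtc($Value)
}

function Get-AccountAttributeSummary {
    param([hashtable]$Raw)
    $enc = [KerbEncType]$Raw['msDS-SupportedEncryptionTypes']
    [pscustomobject]@{
        EncryptionTypes = $enc
        RC4Allowed      = $enc.HasFlag([KerbEncType]::RC4_HMAC)   # AES-only would be 24
        UacFlags        = [UacFlag]$Raw['userAccountControl']
        AccountExpires  = ConvertFrom-AdFileTime $Raw['accountExpires']
        PwdLastSet      = ConvertFrom-AdFileTime $Raw['pwdLastSet']
    }
}

$adsmsa12 = @{
    'msDS-SupportedEncryptionTypes' = 28
    'userAccountControl'            = 4096
    'accountExpires'                = 131588756787719890
    'pwdLastSet'                    = 130983956789440119
}
Get-AccountAttributeSummary $adsmsa12 | Format-List
```

The timestamps are returned in UTC, so they differ from the local-time `AccountExpirationDate` and `PasswordLastSet` fields by the time zone offset of the host that produced the dump.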

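Finding groups with administrator rights on ordinary computers

PowerView can be used to quickly identify the relevant GPOs. PowerView can be downloaded from: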

https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1

PS C:> Get-NetGPOGroup

GPOName        : {E9CABE0F-3A3F-40B1-B4C1-1FA89AC1F212}
GPOPath        : \\lab.adsecurity.org\SysVol\lab.adsecurity.org\Policies\{E9CABE0F-3A3F-40B1-B4C1-1FA89AC1F212}
Members        : {Server Admins}
MemberOf       : {Administrators}
GPODisplayName : Add Server Admins to Local Administrator Group
Filters        :

GPOName        : {45556105-EFE6-43D8-A92C-AACB1D3D4DE5}
GPOPath        : \\lab.adsecurity.org\SysVol\lab.adsecurity.org\Policies\{45556105-EFE6-43D8-A92C-AACB1D3D4DE5}
Members        : {Workstation Admins}
MemberOf       : {Administrators}
GPODisplayName : Add Workstation Admins to Local Administrators Group

With the information above, we can find out which OU each GPO belongs to:

PS C:> get-netOU -guid "E9CABE0F-3A3F-40B1-B4C1-1FA89AC1F212"


LDAP://OU=Servers,DC=lab,DC=adsecurity,DC=org

PS C:> get-netOU -guid "45556105-EFE6-43D8-A92C-AACB1D3D4DE5"


LDAP://OU=Workstations,DC=lab,DC=adsecurity,DC=org

Next, get the information for the hosts in each OU:

PS C:> get-adcomputer -filter * -SearchBase "OU=Servers,DC=lab,DC=adsecurity,DC=org"

DistinguishedName : CN=ADSAP01,OU=Servers,DC=lab,DC=adsecurity,DC=org
DNSHostName       : ADSAP01.lab.adsecurity.org
Enabled           : True
Name              : ADSAP01
ObjectClass       : computer
ObjectGUID        : b79bb5e3-8f9e-4ee0-a30c-5f66b61da681
SamAccountName    : ADSAP01$
SID               : S-1-5-21-1581655573-3923512380-696647894-1105
UserPrincipalName :

DistinguishedName : CN=ADSAP02,OU=Servers,DC=lab,DC=adsecurity,DC=org
DNSHostName       : ADSAP02.lab.adsecurity.org
Enabled           : True
Name              : ADSAP02
ObjectClass       : computer
ObjectGUID        : 1006978e-8627-4d01-98b6-3215c4ee4541
SamAccountName    : ADSAP02$
SID               : S-1-5-21-1581655573-3923512380-696647894-1603
UserPrincipalName :

PS C:> get-adcomputer -filter * -SearchBase "OU=Workstations,DC=lab,DC=adsecurity,DC=org"

DistinguishedName : CN=ADSWRKWIN7,OU=Workstations,DC=lab,DC=adsecurity,DC=org
DNSHostName       : ADSWRKWIN7.lab.adsecurity.org
Enabled           : True
Name              : ADSWRKWIN7
ObjectClass       : computer
ObjectGUID        : e8b3bed2-75b4-4512-a4f0-6d9c2d975c70
SamAccountName    : ADSWRKWIN7$
SID               : S-1-5-21-1581655573-3923512380-696647894-1104
UserPrincipalName :

DistinguishedName : CN=ADSWKWIN7,OU=Workstations,DC=lab,DC=adsecurity,DC=org
DNSHostName       : ADSWKWIN7.lab.adsecurity.org
Enabled           : True
Name              : ADSWKWIN7
ObjectClass       : computer
ObjectGUID        : 2f164d63-d721-4b0e-a553-3ca0e272aa96
SamAccountName    : ADSWKWIN7$
SID               : S-1-5-21-1581655573-3923512380-696647894-1602
UserPrincipalName :

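That covers how to collect basic domain information with PowerShell. Besides this approach, the net commands can also be used, but they are usually a primary focus of antivirus software. Knowing several methods gives you several routes to fall back on when needed.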
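Seen from the detection side, the PowerShell commands used throughout this article are recorded verbatim when script block logging (event ID 4104 in the Microsoft-Windows-PowerShell/Operational log) is enabled. The following is an added example, not part of the original article: it tags constructed sample records with the command families shown above and reports users who touch several of them; the function name, category names, sample users and timestamps are assumptions.

```powershell
# Added example. The records are constructed and only mimic event ID 4104 fields.
$sample = @(
    [pscustomobject]@{ Time = [datetime]'2024-01-15T09:00:05'; User = 'LAB\user1'
        ScriptBlockText = '[System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()' }
    [pscustomobject]@{ Time = [datetime]'2024-01-15T09:00:41'; User = 'LAB\user1'
        ScriptBlockText = '([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).GetAllTrustRelationships()' }
    [pscustomobject]@{ Time = [datetime]'2024-01-15T09:02:10'; User = 'LAB\user1'
        ScriptBlockText = 'Get-NetGPOGroup' }
    [pscustomobject]@{ Time = [datetime]'2024-01-15T09:03:37'; User = 'LAB\user1'
        ScriptBlockText = 'get-adcomputer -filter * -SearchBase "OU=Servers,DC=lab,DC=adsecurity,DC=org"' }
    [pscustomobject]@{ Time = [datetime]'2024-01-15T10:30:00'; User = 'LAB\admin1'
        ScriptBlockText = 'Get-ADComputer -Filter * -SearchBase "OU=Workstations,DC=lab,DC=adsecurity,DC=org"' }
)

# Command families from this article; -match is case-insensitive by default.
$patterns = [ordered]@{
    'forest-or-domain-lookup' = 'ActiveDirectory\.(Forest|Domain)\]::Get(Current)?(Forest|Domain)\('
    'trust-enumeration'       = '\.GetAllTrustRelationships\('
    'global-catalog-listing'  = '\.GlobalCatalogs\b'
    'powerview-gpo-ou'        = '\bGet-Net(GPOGroup|OU)\b'
    'admodule-wildcard-query' = '\bGet-AD(Computer|ServiceAccount)\b.*-Filter\s+\*'
}

function Find-DomainEnumeration {
    param([object[]]$Events, [System.Collections.IDictionary]$Patterns, [int]$MinCategories = 3)
    # One hit per (event, matching category) pair.
    $hits = foreach ($e in $Events) {
        foreach ($p in $Patterns.GetEnumerator()) {
            if ($e.ScriptBlockText -match $p.Value) {
                [pscustomobject]@{ User = $e.User; Category = $p.Key; Time = $e.Time }
            }
        }
    }
    # A single wildcard query is routine admin work; several families together are not.
    $hits | Group-Object User | ForEach-Object {
        $cats  = @($_.Group.Category | Sort-Object -Unique)
        $times = @($_.Group.Time | Sort-Object)
        if ($cats.Count -ge $MinCategories) {
            [pscustomobject]@{ User = $_.Name; Categories = $cats -join ', '
                               First = $times[0]; Last = $times[-1] }
        }
    }
}

Find-DomainEnumeration -Events $sample -Patterns $patterns
```

With the constructed records, only `LAB\user1` is reported, because `LAB\admin1` matches a single category.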

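This article was first published on the WeChat official account 信安之路: Gathering domain information when first entering a domain environment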