🔭Credentialed Enumeration (PowerView)

Domain User Information

Get-DomainUser

Code

Get-DomainUser -Identity <username> -Domain example.local | Select-Object -Property name,samaccountname,description,memberof,whencreated,pwdlastset,lastlogontimestamp,accountexpires,admincount,userprincipalname,serviceprincipalname,mail,useraccountcontrol

Example

name                 : Username
samaccountname       : username
description          :
memberof             : {CN=VPN Users,OU=Security Groups,OU=Corp,DC=EXAMPLE,DC=LOCAL, CN=Shared Calendar
                       Read,OU=Security Groups,OU=Corp,DC=EXAMPLE,DC=LOCAL, CN=Printer Access,OU=Security
                       Groups,OU=Corp,DC=EXAMPLE,DC=LOCAL, CN=File Share H Drive,OU=Security
                       Groups,OU=Corp,DC=EXAMPLE,DC=LOCAL...}
whencreated          : 10/27/2021 5:37:06 PM
pwdlastset           : 11/18/2021 10:02:57 AM
lastlogontimestamp   : 2/27/2022 6:34:25 PM
accountexpires       : NEVER
admincount           : 1
userprincipalname    : username@example.local
serviceprincipalname :
mail                 :
useraccountcontrol   : NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD, DONT_REQ_PREAUTH

Code

Enumerate All Domain Users / Export CSV

Code

Get-DomainUser * -Domain inlanefreight.local | Select-Object -Property name,samaccountname,description,memberof,whencreated,pwdlastset,lastlogontimestamp,accountexpires,admincount,userprincipalname,serviceprincipalname,mail,useraccountcontrol | Export-Csv .\inlanefreight_users.csv -NoTypeInformation

KerberosPreauthNotRequired

Code

Get-DomainUser -KerberosPreauthNotRequired -Properties samaccountname,useraccountcontrol,memberof

Kerberos Constrained Delegation

Code

Get-DomainUser -TrustedToAuth -Properties samaccountname,useraccountcontrol,memberof

Unconstrained Delegation

Code

Get-DomainUser -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=524288)"

Description Field

Code

Get-DomainUser -Properties samaccountname,description | Where {$_.description -ne $null}

Example

samaccountname description
-------------- -----------
Administrator  Built-in account for administering the computer/domain
Guest          Built-in account for guest access to the computer/domain
DefaultAccount A user account managed by the system.
krbtgt         Key Distribution Center Service Account
svc-sccm       **Do not change password** 03/04/2015 N3ssu$_svc2014!

Service Principal Names (SPNs)

Code

Get-DomainUser -SPN -Properties samaccountname,memberof,serviceprincipalname

Find-ForeignGroup

Code

Find-ForeignGroup

Convert-SidToName S-1-5-21-888139820-103978830-333442103-1602

Service Principal Names (Other Domains)

Code

Get-DomainUser -SPN -Domain freightlogistics.local | select samaccountname,memberof,serviceprincipalname | fl

Password Set Time

Code

Get-DomainUser -Properties samaccountname,pwdlastset,lastlogon -Domain InlaneFreight.local | select samaccountname, pwdlastset, lastlogon | Sort-Object -Property pwdlastset

Password Set Time (Before Certain Date)

Code

Get-DomainUser -Properties samaccountname,pwdlastset,lastlogon -Domain InlaneFreight.local | select samaccountname, pwdlastset, lastlogon | where { $_.pwdlastset -lt (Get-Date).addDays(-90) }

UAC Values

ConvertFrom-UACValue

Code

Get-DomainUser <username>  | ConvertFrom-UACValue -showall

• -showall: show all common UAC values

• +: The ones that are set for the user are marked with a +

Example

S C:\htb> Get-DomainUser harry.jones  | ConvertFrom-UACValue -showall

Name                           Value
----                           -----
SCRIPT                         1
ACCOUNTDISABLE                 2
HOMEDIR_REQUIRED               8
LOCKOUT                        16
PASSWD_NOTREQD                 32+
PASSWD_CANT_CHANGE             64
ENCRYPTED_TEXT_PWD_ALLOWED     128
TEMP_DUPLICATE_ACCOUNT         256
NORMAL_ACCOUNT                 512+
INTERDOMAIN_TRUST_ACCOUNT      2048
WORKSTATION_TRUST_ACCOUNT      4096
SERVER_TRUST_ACCOUNT           8192
DONT_EXPIRE_PASSWORD           65536+
MNS_LOGON_ACCOUNT              131072
SMARTCARD_REQUIRED             262144
TRUSTED_FOR_DELEGATION         524288
NOT_DELEGATED                  1048576
USE_DES_KEY_ONLY               2097152
DONT_REQ_PREAUTH               4194304
PASSWORD_EXPIRED               8388608
TRUSTED_TO_AUTH_FOR_DELEGATION 16777216
PARTIAL_SECRETS_ACCOUNT        67108864

Recursive Group Membership

Get-DomainGroupMember

Code

Get-DomainGroupMember -Identity "Domain Admins" -Recurse

• -Recurse: List out the members of any groups that are part of the target group (nested group memberships)

Example

GroupDomain             : EXAMPLE.LOCAL
GroupName               : Domain Admins
GroupDistinguishedName  : CN=Domain Admins,CN=Users,DC=EXAMPLE,DC=LOCAL
MemberDomain            : EXAMPLE.LOCAL
MemberName              : svc_qualys
MemberDistinguishedName : CN=svc_qualys,OU=Service Accounts,OU=Corp,DC=EXAMPLE,DC=LOCAL
MemberObjectClass       : user
MemberSID               : S-1-5-21-3842939050-3880317879-2865463114-5613

GroupDomain             : EXAMPLE.LOCAL
GroupName               : Domain Admins
GroupDistinguishedName  : CN=Domain Admins,CN=Users,DC=EXAMPLE,DC=LOCAL
MemberDomain            : EXAMPLE.LOCAL
MemberName              : sp-admin
MemberDistinguishedName : CN=Sharepoint Admin,OU=Service Accounts,OU=Corp,DC=EXAMPLE,DC=LOCAL
MemberObjectClass       : user
MemberSID               : S-1-5-21-3842939050-3880317879-2865463114-5228

GroupDomain             : EXAMPLE.LOCAL
GroupName               : Secadmins
GroupDistinguishedName  : CN=Secadmins,OU=Security Groups,OU=Corp,DC=EXAMPLE,DC=LOCAL
MemberDomain            : EXAMPLE.LOCAL
MemberName              : spong1990
MemberDistinguishedName : CN=Maggie
                          Jablonski,OU=Operations,OU=Logistics-HK,OU=Employees,OU=Corp,DC=EXAMPLE,DC=LOCAL
MemberObjectClass       : user
MemberSID               : S-1-5-21-3842939050-3880317879-2865463114-1965

• For example, the output above shows that the Secadmins group is part of the Domain Admins group through nested group membership