
Locating the Domain Administrator

1 Locating where the domain admin is logged in

Locate the domain administrator: on which servers or hosts in the domain is a privileged account currently logged in?

Having obtained a local password that is reused across hosts (Windows NT 5.x systems), locate the privileged user to obtain that user's login credentials, and thereby domain administrator permissions.

On Vista and later systems, this can be used as information gathering for targeted attacks.

1.1 Principle

Through an IPC null session or a low-privilege connection, call the system APIs to enumerate session information, login history, group information and group member information on the target system.

1.2 Related APIs

NetSessionEnum

NetShareEnum

NetWkstaUserEnum

Active Directory Service Interfaces (ADSI) WinNT provider

2 Related tools

Netsess.exe

Netview.exe

Pslogon.exe

PVEFindADUser.exe

2.1 netsess.exe

First establish an IPC connection; otherwise the connection is rejected with error code 5 (access denied).

Run netsess.exe


2.2 nete.exe

Download address


nets.exe \\192.168.8.205 /0

2.3 Powershell

Group and group member information can be acquired through ADSI's WinNT provider, and PowerShell obtains it quickly:

Get-NetLocalGroup

Get-NetLocalGroupMember -ComputerName [win10x64en] -GroupName [administrators]


When an administrator configures a group policy, the currently logged-in domain user can be added to the local Administrators group.

The host group policy is stored in the $GPOPath\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf file and the $GPOPath\MACHINE\Preferences\Groups\Groups.xml file.

In the lab environment, we added a group policy called LocalAdmin that adds the reduser user to the local Administrators group of the hosts it applies to.

PowerView provides a similar and more powerful feature, the Get-DomainGPOLocalGroup command, which enumerates and analyzes all group policies and obtains the results easily.

Get-DomainGPOLocalGroup works by analyzing whether the GptTmpl.inf file changes the membership of privileged groups.
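As an added example (not from the original post and not PowerView's own code), the Python below parses the [Group Membership] section that a Restricted Groups policy writes into GptTmpl.inf and lists the principals the policy places in the local Administrators group; it is the same check an administrator can run over SYSVOL to audit which GPOs hand out local admin rights. The file contents and domain SIDs are constructed; "reduser" mirrors the lab account named above.

```python
import re

ADMINISTRATORS_SID = "S-1-5-32-544"   # well-known SID of BUILTIN\Administrators

# Constructed GptTmpl.inf fragment as written by a Restricted Groups policy.
# "reduser" is the lab account from the post; domain SIDs are placeholders.
SAMPLE_GPTTMPL = """[Version]
Revision=1
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111-2222-3333-1105,reduser
*S-1-5-21-1111-2222-3333-1120__Memberof = Administrators
*S-1-5-32-555__Members = *S-1-5-21-1111-2222-3333-1106
"""

# Keys look like '*<SID>__Members' or '<name>__Memberof'; a leading '*' marks a SID.
KEY_RE = re.compile(r"^\*?(?P<principal>.+?)__(?P<kind>Members|Memberof)$", re.I)


def parse_group_membership(text):
    """Parse [Group Membership] into {"principal", "kind", "values"} records."""
    entries, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or INF comment
            continue
        if line.startswith("["):                  # section header
            in_section = line.lower() == "[group membership]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        m = KEY_RE.match(key.strip())
        if not m:
            continue
        values = [v.strip().lstrip("*") for v in value.split(",") if v.strip()]
        entries.append({"principal": m["principal"], "kind": m["kind"].lower(),
                        "values": values})
    return entries


def find_local_admin_grants(text):
    """Principals the policy adds to local Administrators, either on the group's
    own __Members line or through a principal's __Memberof line."""
    admin = {ADMINISTRATORS_SID.lower(), "administrators"}
    grants = []
    for e in parse_group_membership(text):
        if e["kind"] == "members" and e["principal"].lower() in admin:
            grants.extend(e["values"])
        elif e["kind"] == "memberof" and any(v.lower() in admin for v in e["values"]):
            grants.append(e["principal"])
    return grants
```

Running find_local_admin_grants over every GptTmpl.inf under SYSVOL gives a per-GPO list of who is being made a local administrator, which is what Get-DomainGPOLocalGroup surfaces.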
