DEV Community

Cover image for Rapid Identification of Domain Administrators and Domain Controllers in Internal Network Penetration Testing
Excalibra
Excalibra

Posted on

Rapid Identification of Domain Administrators and Domain Controllers in Internal Network Penetration Testing

In the process of internal network penetration testing, the ability to rapidly identify Domain Administrators and Domain Controllers is of paramount importance. Several commonly employed methods are introduced below.

Locating Domain Administrators

Command Line Identification

The following command can be executed in the command prompt to query domain administrator accounts:

net group "Domain Admins" /domain            //Query Domain Administrators
Enter fullscreen mode Exit fullscreen mode

Figure 2: AV detection results for executables with embedded shellcode


Figure 1: Output of the net group command listing Domain Administrators.

Tool-Based Identification

Several specialised tools can facilitate the enumeration of Domain Administrator accounts and their logged-on locations.

PSLoggedon.exe

This utility identifies users logged on to a system by examining the registry key HKEY_USERS and utilising the NetSessionEnum API. Note that certain functionalities of this tool require elevated, administrator-level privileges.

Download Link: https://docs.microsoft.com/en-us/sysinternals/downloads/psloggedon

Parameter Description
- Displays supported options and units of measurement for output values.
-l Shows only local logons, excluding local and network resource logons.
-x Does not display logon times.
\computername Specifies the name of the computer for which logon information is to be listed.
username Specifies a user name to search for across the network for machines where that user is logged on.

To locate a specific user, such as 'Administrator', the tool is invoked as follows:

PsLoggedon.exe Administrator
Enter fullscreen mode Exit fullscreen mode

Figure 2: Enumeration results showing machines where the Administrator user has logged on.


Figure 2: Enumeration results showing machines where the Administrator user has logged on.

To query a specific machine, the command is:

PsLoggedon.exe \AD-server
Enter fullscreen mode Exit fullscreen mode

Figure 3: Output displaying users currently logged on to the machine AD-server.


Figure 3: Output displaying users currently logged on to the machine AD-server.

PVefindaduser.exe

This tool is designed to ascertain the logon locations of Active Directory users, enumerate domain users, and identify users logged on to specific computers, including local users, those connected via RDP, and accounts used to run services and scheduled tasks. This tool also requires administrator privileges.

Download Link: https://github.com/chrisdee/Tools/tree/master/AD/ADFindUsersLoggedOn

Parameter Description
-h Displays help information.
-u Checks if a newer version of the programme is available.
-current ["username"] Displays the user currently logged on to each PC within the domain. If a username is specified in quotation marks, it only displays PCs where that particular user is logged on.
-noping Prevents the tool from pinging target computers before attempting to enumerate user logons.
-target An optional parameter for specifying a comma-separated list of hostnames to query. If omitted, all hosts in the current domain are queried. Results are output to a report.csv file.

Executing the command pvefinaduser.exe -current will display all users currently logged on to all machines within the domain.

Figure 4: Console output of PVefindaduser.exe showing current logon sessions across the domain


Figure 4: Console output of PVefindaduser.exe showing current logon sessions across the domain

This operation generates a report.csv file on the target machine, which can be retrieved for subsequent analysis.

Figure 5: The contents of the generated report.csv file, detailing user logon locations.


Figure 5: The contents of the generated report.csv file, detailing user logon locations.

PowerView.ps1

This PowerShell script is a component of the PowerSploit toolkit and serves as a robust instrument for gathering domain information. A suite of cmdlets is provided, including Get-NetUser, Get-NetDomainController, and Invoke-UserHunter, which specifically aids in identifying the computers to which domain users are logged on and whether they possess local administrator privileges.

Download Link: https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerView

To locate Domain Administrators using PowerView, one may bypass the execution policy and invoke the script as demonstrated below:

powershell.exe -exec bypass -Command "& {Import-Module C:\Users\win7\Desktop\tool\PowerView.ps1; Invoke-UserEvenHunter}"
Enter fullscreen mode Exit fullscreen mode

Figure 6: Output from the Invoke-UserEvenHunter function in PowerView, identifying logged-on domain users.


Figure 6: Output from the Invoke-UserEvenHunter function in PowerView, identifying logged-on domain users.

Locating Domain Controllers

Command Line Identification

A Domain Controller can be identified by querying the relevant domain group with the command:

net group "Domain controllers" /Domain        //View Domain Controllers
Enter fullscreen mode Exit fullscreen mode

Figure 7: Results of the 'net group' command, showing the Domain Controller computer account.


Figure 7: Results of the 'net group' command, showing the Domain Controller computer account.

Alternatively, the net time command can be utilised to reveal the Domain Controller serving the logon server role:

net time /do
Enter fullscreen mode Exit fullscreen mode

Figure 7: Results of the 'net group' command, showing the Domain Controller computer account.


Figure 8: Output showing the domain time, which implicitly reveals the Domain Controller's hostname.

DNS Record Enumeration

Should the local machine's configured DNS server be a domain-integrated DNS server, querying specific service location (SRV) records can identify Domain Controllers.

nslookup -type=all _ldap._tcp.dc._msdcs.tubai.com
Enter fullscreen mode Exit fullscreen mode

Figure 9: Nslookup query results showing SRV records that point to Domain Controllers.


Figure 9: Nslookup query results showing SRV records that point to Domain Controllers.

Port Probing

Domain Controllers typically expose a characteristic set of ports. Port 389 is the default port for the Lightweight Directory Access Protocol (LDAP), port 636 is for LDAP over SSL/TLS (LDAPS), and port 53 is the standard port for the Domain Name System (DNS) service. A targeted scan for hosts within the internal network range that have these specific ports open can reveal potential Domain Controllers.

A direct probe of the identified Domain Controller's IP address on these key ports confirms its role.

Figure 10: A port scan confirming that ports 53, 389, and 636 are open on a Domain Controller.


Figure 10: A port scan confirming that ports 53, 389, and 636 are open on a Domain Controller.

SPN Scanning

Service Principal Name (SPN) scanning is a stealthier alternative to conventional TCP or UDP port scanning, as it utilises standard Kerberos authentication requests. Most Windows installations include the native setspn.exe utility, which does not require administrative rights to perform queries.

The following command, executed from a domain-joined machine, can identify Domain Controllers by their registered SPNs:

setspn -T tubai.com -Q */*
Enter fullscreen mode Exit fullscreen mode

Within the scan results, Domain Controllers can be distinguished by canonical names containing the string OU=Domain Controllers, such as CN=AD-SERVER,OU=Domain Controllers,DC=tubai,DC=com.

Figure 10: A port scan confirming that ports 53, 389, and 636 are open on a Domain Controller.


Figure 11: The output of an SPN scan, with the Domain Controller's service account highlighted.

Summary

Numerous methods exist for identifying Domain Administrators and Domain Controllers; the techniques described herein represent only the most frequently employed. During routine internal network penetration tests, it is a cardinal principle to prioritise techniques that generate minimal detectable activity.

Top comments (0)