When you have just obtained control of a host inside a domain environment, the first step is not large-scale attack activity such as scanning or probing the internal network, but using a few built-in commands to collect basic information about the domain. This article uses PowerShell commands as the main tool to show how to obtain domain information and which information to obtain.
PS C:> [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
Name: lab.adsecurity.org
Sites: {Default-First-Site-Name}
Domains: {lab.adsecurity.org, child.lab.adsecurity.org}
GlobalCatalogs: {ADSDC01.lab.adsecurity.org, ADSDC02.lab.adsecurity.org, ADSDC03.lab.adsecurity.org, ADSDC11.child.lab.adsecurity.org}
ApplicationPartitions: {DC=DomainDnsZones,DC=child,DC=lab,DC=adsecurity,DC=org, DC=DomainDnsZones,DC=lab,DC=adsecurity,DC=org,
DC=ForestDnsZones,DC=lab,DC=adsecurity,DC=org}
ForestMode: Windows2008R2Forest
RootDomain: lab.adsecurity.org
Schema: CN=Schema,CN=Configuration,DC=lab,DC=adsecurity,DC=org
SchemaRoleOwner: ADSDC03.lab.adsecurity.org
NamingRoleOwner: ADSDC03.lab.adsecurity.org
PS C:> [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
Forest: lab.adsecurity.org
DomainControllers: {ADSDC01.lab.adsecurity.org, ADSDC02.lab.adsecurity.org, ADSDC03.lab.adsecurity.org}
Children: {child.lab.adsecurity.org}
DomainMode: Windows2008R2Domain
Parent:
PdcRoleOwner: ADSDC03.lab.adsecurity.org
RidRoleOwner: ADSDC03.lab.adsecurity.org
InfrastructureRoleOwner: ADSDC03.lab.adsecurity.org
Name: lab.adsecurity.org
$ForestRootDomain = 'lab.adsecurity.org'
([System.DirectoryServices.ActiveDirectory.Forest]::GetForest((New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Forest', $ForestRootDomain)))).GetAllTrustRelationships()
PS C:> ([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).GetAllTrustRelationships()
SourceName: lab.adsecurity.org
TargetName: child.lab.adsecurity.org
TrustType: ParentChild
TrustDirection: Bidirectional
Global Catalog, abbreviated "GC", is translated in some places as 全局编录; here I call it 通用类别目录.
Its main function is to let a domain controller hold a collection of data from the other domains as well as its own, so that clients can query it conveniently.
PS C:> [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().GlobalCatalogs
Forest : lab.adsecurity.org
CurrentTime : 1/27/2016 5:31:36 PM
HighestCommittedUsn : 305210
OSVersion : Windows Server 2008 R2 Datacenter
Roles : {}
Domain : lab.adsecurity.org
IPAddress : 172.16.11.11
SiteName : Default-First-Site-Name
SyncFromAllServersCallback :
InboundConnections : {36bfdadf-777d-4bad-9427-bc148cea256f, 48594a5d-c2a3-4cd1-a80d-bedf367cc2a9, 549871d2-e238-4423-a6b8-1bb
OutboundConnections : {9da361fd-0eed-414a-b4ee-0a9caa1b153e, 86690811-f995-4c3e-89fe-73c61fa4a3a0, 8797cbb4-fe09-49dc-8891-952
Name : ADSDC01.lab.adsecurity.org
Partitions : {DC=lab,DC=adsecurity,DC=org, CN=Configuration,DC=lab,DC=adsecurity,DC=org,
CN=Schema,CN=Configuration,DC=lab,DC=adsecurity,DC=org, DC=DomainDnsZones,DC=lab,DC=adsecurity,DC=org…
Forest : lab.adsecurity.org
CurrentTime : 1/27/2016 5:31:37 PM
HighestCommittedUsn : 274976
OSVersion : Windows Server 2012 R2 Datacenter
Roles : {SchemaRole, NamingRole, PdcRole, RidRole…}
Domain : lab.adsecurity.org
IPAddress : fe80::1881:40d5:fc2e:e744%12
SiteName : Default-First-Site-Name
SyncFromAllServersCallback :
InboundConnections : {86690811-f995-4c3e-89fe-73c61fa4a3a0, dd7b36a8-a52e-446d-95a8-318b69bd9765}
OutboundConnections : {f901f0b5-8754-44e9-92e8-f56b3d67197b, 549871d2-e238-4423-a6b8-1bb258e2a62f}
Name : ADSDC03.lab.adsecurity.org
Partitions : {DC=lab,DC=adsecurity,DC=org, CN=Configuration,DC=lab,DC=adsecurity,DC=org,
CN=Schema,CN=Configuration,DC=lab,DC=adsecurity,DC=org, DC=DomainDnsZones,DC=lab,DC=adsecurity,DC=org…
Forest : lab.adsecurity.org
CurrentTime : 1/27/2016 5:31:38 PM
HighestCommittedUsn : 161898
OSVersion : Windows Server 2012 R2 Datacenter
Roles : {PdcRole, RidRole, InfrastructureRole}
Domain : child.lab.adsecurity.org
IPAddress : 172.16.11.21
SiteName : Default-First-Site-Name
SyncFromAllServersCallback :
InboundConnections : {612c2d75-1c35-4073-a8a9-d41169665000, 8797cbb4-fe09-49dc-8891-952f38822eda}
OutboundConnections : {71ea129f-8d56-4bd0-9b68-d80e89ae7385, 36bfdadf-777d-4bad-9427-bc148cea256f}
Name : ADSDC11.child.lab.adsecurity.org
Partitions : {CN=Configuration,DC=lab,DC=adsecurity,DC=org, CN=Schema,CN=Configuration,DC=lab,DC=adsecurity,DC=org,
DC=ForestDnsZones,DC=lab,DC=adsecurity,DC=org, DC=child,DC=lab,DC=adsecurity,DC=org…}
Normally none of this information is hidden, encrypted or obfuscated.
This approach is also called SPN scanning: Windows hosts that have RDP (TERMSRV) or WinRM (WSMAN) enabled can be discovered this way.
PS C:> get-adcomputer -filter {ServicePrincipalName -like "*TERMSRV*"} -Properties OperatingSystem,OperatingSystemVersion,OperatingSystemServicePack,PasswordLastSet,LastLogonDate,ServicePrincipalName,TrustedForDelegation,TrustedtoAuthForDelegation
DistinguishedName : CN=ADSDC02,OU=Domain Controllers,DC=lab,DC=adsecurity,DC=org
DNSHostName : ADSDC02.lab.adsecurity.org
Enabled : True
LastLogonDate : 1/20/2016 6:46:18 AM
Name : ADSDC02
ObjectClass : computer
ObjectGUID : 1efe44af-d8d9-420b-a66a-8d771d295085
OperatingSystem : Windows Server 2008 R2 Datacenter
OperatingSystemServicePack : Service Pack 1
OperatingSystemVersion : 6.1 (7601)
PasswordLastSet : 12/31/2015 6:34:15 AM
SamAccountName : ADSDC02$
ServicePrincipalName : {DNS/ADSDC02.lab.adsecurity.org, HOST/ADSDC02/ADSECLAB, HOST/ADSDC02.lab.adsecurity.org/ADSECLAB,
GC/ADSDC02.lab.adsecurity.org/lab.adsecurity.org…}
SID : S-1-5-21-1581655573-3923512380-696647894-1103
TrustedForDelegation : True
TrustedToAuthForDelegation : False
UserPrincipalName :
DistinguishedName : CN=ADSDC01,OU=Domain Controllers,DC=lab,DC=adsecurity,DC=org
DNSHostName : ADSDC01.lab.adsecurity.org
Enabled : True
LastLogonDate : 1/20/2016 6:47:21 AM
Name : ADSDC01
ObjectClass : computer
ObjectGUID : 31b2038d-e63d-4cfe-b7b6-77206c325af9
OperatingSystem : Windows Server 2008 R2 Datacenter
OperatingSystemServicePack : Service Pack 1
OperatingSystemVersion : 6.1 (7601)
PasswordLastSet : 12/31/2015 6:34:14 AM
SamAccountName : ADSDC01$
ServicePrincipalName : {ldap/ADSDC01.lab.adsecurity.org/ForestDnsZones.lab.adsecurity.org,
ldap/ADSDC01.lab.adsecurity.org/DomainDnsZones.lab.adsecurity.org, TERMSRV/ADSDC01,
TERMSRV/ADSDC01.lab.adsecurity.org…}
SID : S-1-5-21-1581655573-3923512380-696647894-1000
TrustedForDelegation : True
TrustedToAuthForDelegation : False
UserPrincipalName :
DistinguishedName : CN=ADSDC03,OU=Domain Controllers,DC=lab,DC=adsecurity,DC=org
DNSHostName : ADSDC03.lab.adsecurity.org
Enabled : True
LastLogonDate : 1/20/2016 6:35:16 AM
Name : ADSDC03
ObjectClass : computer
ObjectGUID : 0a2d849c-cc59-4785-8ba2-997fd6ca4dc8
OperatingSystem : Windows Server 2012 R2 Datacenter
OperatingSystemServicePack :
OperatingSystemVersion : 6.3 (9600)
PasswordLastSet : 12/31/2015 6:34:16 AM
SamAccountName : ADSDC03$
ServicePrincipalName : {DNS/ADSDC03.lab.adsecurity.org, HOST/ADSDC03.lab.adsecurity.org/ADSECLAB,
RPC/c8e1e99e-2aaa-4888-a5d8-23a4355fac48._msdcs.lab.adsecurity.org, GC/ADSDC03.lab.adsecurity.org/lab.adsecurity.org…}
SID : S-1-5-21-1581655573-3923512380-696647894-1601
TrustedForDelegation : True
TrustedToAuthForDelegation : False
UserPrincipalName :
DistinguishedName : CN=ADSWRKWIN7,CN=Computers,DC=lab,DC=adsecurity,DC=org
DNSHostName : ADSWRKWIN7.lab.adsecurity.org
Enabled : True
LastLogonDate : 8/29/2015 6:40:16 PM
Name : ADSWRKWIN7
ObjectClass : computer
ObjectGUID : e8b3bed2-75b4-4512-a4f0-6d9c2d975c70
OperatingSystem : Windows 7 Enterprise
OperatingSystemServicePack : Service Pack 1
OperatingSystemVersion : 6.1 (7601)
PasswordLastSet : 8/29/2015 6:40:12 PM
SamAccountName : ADSWRKWIN7$
ServicePrincipalName : {TERMSRV/ADSWRKWin7.lab.adsecurity.org, TERMSRV/ADSWRKWIN7, RestrictedKrbHost/ADSWRKWIN7, HOST/ADSWRKWIN7…}
SID : S-1-5-21-1581655573-3923512380-696647894-1104
TrustedForDelegation : False
TrustedToAuthForDelegation : False
UserPrincipalName :
DistinguishedName : CN=ADSAP01,CN=Computers,DC=lab,DC=adsecurity,DC=org
DNSHostName : ADSAP01.lab.adsecurity.org
Enabled : True
LastLogonDate : 1/24/2016 11:03:41 AM
Name : ADSAP01
ObjectClass : computer
ObjectGUID : b79bb5e3-8f9e-4ee0-a30c-5f66b61da681
OperatingSystem : Windows Server 2008 R2 Datacenter
OperatingSystemServicePack : Service Pack 1
OperatingSystemVersion : 6.1 (7601)
PasswordLastSet : 1/4/2016 6:38:16 AM
SamAccountName : ADSAP01$
ServicePrincipalName : {WSMAN/ADSAP01.lab.adsecurity.org, WSMAN/ADSAP01, TERMSRV/ADSAP01.lab.adsecurity.org, TERMSRV/ADSAP01…}
SID : S-1-5-21-1581655573-3923512380-696647894-1105
TrustedForDelegation : False
TrustedToAuthForDelegation : False
UserPrincipalName :
DistinguishedName : CN=ADSWKWIN7,CN=Computers,DC=lab,DC=adsecurity,DC=org
DNSHostName : ADSWKWIN7.lab.adsecurity.org
Enabled : True
LastLogonDate : 1/20/2016 7:07:11 AM
Name : ADSWKWIN7
ObjectClass : computer
ObjectGUID : 2f164d63-d721-4b0e-a553-3ca0e272aa96
OperatingSystem : Windows 7 Enterprise
OperatingSystemServicePack : Service Pack 1
OperatingSystemVersion : 6.1 (7601)
PasswordLastSet : 12/31/2015 8:03:05 AM
SamAccountName : ADSWKWIN7$
ServicePrincipalName : {TERMSRV/ADSWKWin7.lab.adsecurity.org, TERMSRV/ADSWKWIN7, RestrictedKrbHost/ADSWKWIN7, HOST/ADSWKWIN7…}
SID : S-1-5-21-1581655573-3923512380-696647894-1602
TrustedForDelegation : False
TrustedToAuthForDelegation : False
UserPrincipalName :
DistinguishedName : CN=ADSAP02,CN=Computers,DC=lab,DC=adsecurity,DC=org
DNSHostName : ADSAP02.lab.adsecurity.org
Enabled : True
LastLogonDate : 1/24/2016 7:39:48 AM
Name : ADSAP02
ObjectClass : computer
ObjectGUID : 1006978e-8627-4d01-98b6-3215c4ee4541
OperatingSystem : Windows Server 2012 R2 Datacenter
OperatingSystemServicePack :
OperatingSystemVersion : 6.3 (9600)
PasswordLastSet : 1/4/2016 6:39:25 AM
SamAccountName : ADSAP02$
ServicePrincipalName : {WSMAN/ADSAP02.lab.adsecurity.org, WSMAN/ADSAP02, TERMSRV/ADSAP02.lab.adsecurity.org, TERMSRV/ADSAP02…}
SID : S-1-5-21-1581655573-3923512380-696647894-1603
TrustedForDelegation : False
TrustedToAuthForDelegation : False
UserPrincipalName :
PS C:> get-aduser -filter {ServicePrincipalName -like "*"} -Properties PasswordLastSet,LastLogonDate,ServicePrincipalName,TrustedForDelegation,TrustedtoAuthForDelegation
DistinguishedName : CN=svc-adsMSSQL11,OU=Test,DC=lab,DC=adsecurity,DC=org
Enabled : False
GivenName :
LastLogonDate :
Name : svc-adsMSSQL11
ObjectClass : user
ObjectGUID : 275d3bf4-80d3-42ba-9d77-405c5cc63c07
PasswordLastSet : 1/4/2016 7:13:03 AM
SamAccountName : svc-adsMSSQL11
ServicePrincipalName : {MSSQL/adsMSSQL11.lab.adsecurity.org:7434}
SID : S-1-5-21-1581655573-3923512380-696647894-3601
Surname :
TrustedForDelegation : False
TrustedToAuthForDelegation : False
UserPrincipalName :
DistinguishedName : CN=svc-adsSQLSA,OU=Test,DC=lab,DC=adsecurity,DC=org
Enabled : False
GivenName :
LastLogonDate :
Name : svc-adsSQLSA
ObjectClass : user
ObjectGUID : 56faaab2-5b05-4bb2-aaea-0bdc1409eab3
PasswordLastSet : 1/4/2016 7:13:13 AM
SamAccountName : svc-adsSQLSA
ServicePrincipalName : {MSSQL/adsMSSQL23.lab.adsecurity.org:7434, MSSQL/adsMSSQL22.lab.adsecurity.org:5534, MSSQL/adsMSSQL21.lab.adsecurity.org:9834, MSSQL/adsMSSQL10.lab.adsecurity.org:14434…}
SID : S-1-5-21-1581655573-3923512380-696647894-3602
Surname :
TrustedForDelegation : False
TrustedToAuthForDelegation : False
UserPrincipalName :
DistinguishedName : CN=svc-adsMSSQL10,OU=Test,DC=lab,DC=adsecurity,DC=org
Enabled : False
GivenName :
LastLogonDate :
Name : svc-adsMSSQL10
ObjectClass : user
ObjectGUID : 6c2f15a2-ba4a-485a-a367-39395ad82c86
PasswordLastSet : 1/4/2016 7:13:24 AM
SamAccountName : svc-adsMSSQL10
ServicePrincipalName : {MSSQL/adsMSSQL10.lab.adsecurity.org:7434}
SID : S-1-5-21-1581655573-3923512380-696647894-3603
Surname :
TrustedForDelegation : False
TrustedToAuthForDelegation : False
UserPrincipalName :
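The computer and user listings above are Format-List records, one "Name : Value" line per attribute, with multi-value sets in braces and long values wrapped onto following lines. The parser below turns such output into records and pulls out what a defender reviews first: unconstrained delegation outside the Domain Controllers OU and user accounts carrying SPNs. This is an added example, not code from the original post; the sample input is constructed to mirror the page's output (ADSAP02 is given TrustedForDelegation True on purpose, unlike on the page).

```python
"""Parse Format-List style 'Name : Value' records and flag review items.
Added example; SAMPLE is constructed, not captured from the page's lab."""
import re
from typing import Dict, List, Tuple

# Constructed sample with the same fields and lab names as the page. ADSAP02 is
# deliberately marked TrustedForDelegation : True so the check fires.
SAMPLE = """\
PS C:> get-adcomputer -filter * -Properties ServicePrincipalName,TrustedForDelegation
DistinguishedName : CN=ADSDC01,OU=Domain Controllers,DC=lab,DC=adsecurity,DC=org
Enabled : True
Name : ADSDC01
ObjectClass : computer
ServicePrincipalName : {ldap/ADSDC01.lab.adsecurity.org/ForestDnsZones.lab.adsecurity.org,
ldap/ADSDC01.lab.adsecurity.org/DomainDnsZones.lab.adsecurity.org, TERMSRV/ADSDC01,
TERMSRV/ADSDC01.lab.adsecurity.org...}
TrustedForDelegation : True
UserPrincipalName :
DistinguishedName : CN=ADSAP02,CN=Computers,DC=lab,DC=adsecurity,DC=org
Enabled : True
Name : ADSAP02
ObjectClass : computer
ServicePrincipalName : {WSMAN/ADSAP02.lab.adsecurity.org, WSMAN/ADSAP02, TERMSRV/ADSAP02...}
TrustedForDelegation : True
UserPrincipalName :
DistinguishedName : CN=svc-adsMSSQL11,OU=Test,DC=lab,DC=adsecurity,DC=org
Enabled : False
LastLogonDate :
Name : svc-adsMSSQL11
ObjectClass : user
ServicePrincipalName : {MSSQL/adsMSSQL11.lab.adsecurity.org:7434}
TrustedForDelegation : False
UserPrincipalName :
"""

# A field line is '<AttributeName> : <value>' (value may be empty). Limiting the
# key to [\w-] keeps wrapped DN/SPN lines ('/', '=' or spaces before any ':')
# from being mistaken for fields.
FIELD = re.compile(r"^([A-Za-z][\w-]*)\s*:\s?(.*)$")


def parse_format_list(text: str) -> List[Dict[str, str]]:
    """One dict per object. A record ends at a blank line, at a prompt, or when
    a field name repeats (the page's output lost its blank separators); any
    other line is a wrapped continuation of the previous value."""
    records: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    last_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("PS "):
            if current:
                records.append(current)
            current, last_key = {}, None
            continue
        m = FIELD.match(line)
        if m:
            key, value = m.group(1), m.group(2).strip()
            if key in current:
                records.append(current)
                current = {}
            current[key] = value
            last_key = key
        elif last_key is not None:
            current[last_key] += " " + line
    if current:
        records.append(current)
    return records


def split_set(value: str) -> List[str]:
    """'{a, b, c...}' -> ['a', 'b', 'c'], dropping PowerShell's truncation
    marker. DN lists split correctly too: DN commas have no trailing space."""
    items = [i.strip().rstrip(".\u2026") for i in re.split(r",\s+", value.strip().strip("{}"))]
    return [i for i in items if i]


def review(records: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Review items: unconstrained delegation off the DC OU, and user accounts
    with SPNs (their password strength guards the tickets issued for them)."""
    findings: List[Tuple[str, str]] = []
    for r in records:
        name, cls = r.get("Name", "?"), r.get("ObjectClass", "")
        spns = split_set(r.get("ServicePrincipalName", ""))
        on_dc = ",OU=Domain Controllers," in r.get("DistinguishedName", "")
        if cls == "computer" and r.get("TrustedForDelegation") == "True" and not on_dc:
            findings.append((name, "unconstrained delegation on a member computer"))
        if cls == "user" and spns:
            state = "disabled" if r.get("Enabled") == "False" else "enabled"
            findings.append((name, f"{state} user account holds {len(spns)} SPN(s)"))
    return findings
```

Run over the page's own listings, pasted into SAMPLE, the same functions return the records and findings for that output.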
Every host joined to the domain has a record on the domain controller that includes many details, such as creation time, modification time, password policy and operating system version.
PS C:> get-adcomputer -filter {PrimaryGroupID -eq "515"} -Properties OperatingSystem,OperatingSystemVersion,OperatingSystemServicePack,PasswordLastSet,LastLogonDate,ServicePrincipalName,TrustedForDelegation,TrustedtoAuthForDelegation
DistinguishedName : CN=ADSWRKWIN7,CN=Computers,DC=lab,DC=adsecurity,DC=org
DNSHostName : ADSWRKWIN7.lab.adsecurity.org
Enabled : True
LastLogonDate : 8/29/2015 6:40:16 PM
Name : ADSWRKWIN7
ObjectClass : computer
ObjectGUID : e8b3bed2-75b4-4512-a4f0-6d9c2d975c70
OperatingSystem : Windows 7 Enterprise
OperatingSystemServicePack : Service Pack 1
OperatingSystemVersion : 6.1 (7601)
PasswordLastSet : 8/29/2015 6:40:12 PM
SamAccountName : ADSWRKWIN7$
ServicePrincipalName : {TERMSRV/ADSWRKWin7.lab.adsecurity.org, TERMSRV/ADSWRKWIN7, RestrictedKrbHost/ADSWRKWIN7, HOST/ADSWRKWIN7…}
SID : S-1-5-21-1581655573-3923512380-696647894-1104
TrustedForDelegation : False
TrustedToAuthForDelegation : False
UserPrincipalName :
DistinguishedName : CN=ADSAP01,CN=Computers,DC=lab,DC=adsecurity,DC=org
DNSHostName : ADSAP01.lab.adsecurity.org
Enabled : True
LastLogonDate : 1/24/2016 11:03:41 AM
Name : ADSAP01
ObjectClass : computer
ObjectGUID : b79bb5e3-8f9e-4ee0-a30c-5f66b61da681
OperatingSystem : Windows Server 2008 R2 Datacenter
OperatingSystemServicePack : Service Pack 1
OperatingSystemVersion : 6.1 (7601)
PasswordLastSet : 1/4/2016 6:38:16 AM
SamAccountName : ADSAP01$
ServicePrincipalName : {WSMAN/ADSAP01.lab.adsecurity.org, WSMAN/ADSAP01, TERMSRV/ADSAP01.lab.adsecurity.org, TERMSRV/ADSAP01…}
SID : S-1-5-21-1581655573-3923512380-696647894-1105
TrustedForDelegation : False
TrustedToAuthForDelegation : False
UserPrincipalName :
DistinguishedName : CN=ADSWKWIN7,CN=Computers,DC=lab,DC=adsecurity,DC=org
DNSHostName : ADSWKWIN7.lab.adsecurity.org
Enabled : True
LastLogonDate : 1/20/2016 7:07:11 AM
Name : ADSWKWIN7
ObjectClass : computer
ObjectGUID : 2f164d63-d721-4b0e-a553-3ca0e272aa96
OperatingSystem : Windows 7 Enterprise
OperatingSystemServicePack : Service Pack 1
OperatingSystemVersion : 6.1 (7601)
PasswordLastSet : 12/31/2015 8:03:05 AM
SamAccountName : ADSWKWIN7$
ServicePrincipalName : {TERMSRV/ADSWKWin7.lab.adsecurity.org, TERMSRV/ADSWKWIN7, RestrictedKrbHost/ADSWKWIN7, HOST/ADSWKWIN7…}
SID : S-1-5-21-1581655573-3923512380-696647894-1602
TrustedForDelegation : False
TrustedToAuthForDelegation : False
UserPrincipalName :
DistinguishedName : CN=ADSAP02,CN=Computers,DC=lab,DC=adsecurity,DC=org
DNSHostName : ADSAP02.lab.adsecurity.org
Enabled : True
LastLogonDate : 1/24/2016 7:39:48 AM
Name : ADSAP02
ObjectClass : computer
ObjectGUID : 1006978e-8627-4d01-98b6-3215c4ee4541
OperatingSystem : Windows Server 2012 R2 Datacenter
OperatingSystemServicePack :
OperatingSystemVersion : 6.3 (9600)
PasswordLastSet : 1/4/2016 6:39:25 AM
SamAccountName : ADSAP02$
ServicePrincipalName : {WSMAN/ADSAP02.lab.adsecurity.org, WSMAN/ADSAP02, TERMSRV/ADSAP02.lab.adsecurity.org, TERMSRV/ADSAP02…}
SID : S-1-5-21-1581655573-3923512380-696647894-1603
TrustedForDelegation : False
TrustedToAuthForDelegation : False
UserPrincipalName :
Changing the PrimaryGroupID value used above (515) returns the other hosts recorded on the domain controller (the command below uses 516); alternatively use "-filter *" to retrieve every host:
PS C:> get-adcomputer -filter {PrimaryGroupID -eq "516"} -Properties OperatingSystem,OperatingSystemVersion,OperatingSystemServicePack,PasswordLastSet,LastLogonDate,ServicePrincipalName,TrustedForDelegation,TrustedtoAuthForDelegation
DistinguishedName : CN=ADSDC02,OU=Domain Controllers,DC=lab,DC=adsecurity,DC=org
DNSHostName : ADSDC02.lab.adsecurity.org
Enabled : True
LastLogonDate : 1/20/2016 6:46:18 AM
Name : ADSDC02
ObjectClass : computer
ObjectGUID : 1efe44af-d8d9-420b-a66a-8d771d295085
OperatingSystem : Windows Server 2008 R2 Datacenter
OperatingSystemServicePack : Service Pack 1
OperatingSystemVersion : 6.1 (7601)
PasswordLastSet : 12/31/2015 6:34:15 AM
SamAccountName : ADSDC02$
ServicePrincipalName : {DNS/ADSDC02.lab.adsecurity.org, HOST/ADSDC02/ADSECLAB, HOST/ADSDC02.lab.adsecurity.org/ADSECLAB,
GC/ADSDC02.lab.adsecurity.org/lab.adsecurity.org…}
SID : S-1-5-21-1581655573-3923512380-696647894-1103
TrustedForDelegation : True
TrustedToAuthForDelegation : False
UserPrincipalName :
DistinguishedName : CN=ADSDC01,OU=Domain Controllers,DC=lab,DC=adsecurity,DC=org
DNSHostName : ADSDC01.lab.adsecurity.org
Enabled : True
LastLogonDate : 1/20/2016 6:47:21 AM
Name : ADSDC01
ObjectClass : computer
ObjectGUID : 31b2038d-e63d-4cfe-b7b6-77206c325af9
OperatingSystem : Windows Server 2008 R2 Datacenter
OperatingSystemServicePack : Service Pack 1
OperatingSystemVersion : 6.1 (7601)
PasswordLastSet : 12/31/2015 6:34:14 AM
SamAccountName : ADSDC01$
ServicePrincipalName : {ldap/ADSDC01.lab.adsecurity.org/ForestDnsZones.lab.adsecurity.org,
ldap/ADSDC01.lab.adsecurity.org/DomainDnsZones.lab.adsecurity.org, TERMSRV/ADSDC01,
TERMSRV/ADSDC01.lab.adsecurity.org…}
SID : S-1-5-21-1581655573-3923512380-696647894-1000
TrustedForDelegation : True
TrustedToAuthForDelegation : False
UserPrincipalName :
DistinguishedName : CN=ADSDC03,OU=Domain Controllers,DC=lab,DC=adsecurity,DC=org
DNSHostName : ADSDC03.lab.adsecurity.org
Enabled : True
LastLogonDate : 1/20/2016 6:35:16 AM
Name : ADSDC03
ObjectClass : computer
ObjectGUID : 0a2d849c-cc59-4785-8ba2-997fd6ca4dc8
OperatingSystem : Windows Server 2012 R2 Datacenter
OperatingSystemServicePack :
OperatingSystemVersion : 6.3 (9600)
PasswordLastSet : 12/31/2015 6:34:16 AM
SamAccountName : ADSDC03$
ServicePrincipalName : {DNS/ADSDC03.lab.adsecurity.org, HOST/ADSDC03.lab.adsecurity.org/ADSECLAB,
RPC/c8e1e99e-2aaa-4888-a5d8-23a4355fac48._msdcs.lab.adsecurity.org, GC/ADSDC03.lab.adsecurity.org/lab.adsecurity.org…}
SID : S-1-5-21-1581655573-3923512380-696647894-1601
TrustedForDelegation : True
TrustedToAuthForDelegation : False
UserPrincipalName :
Hosts can also be selected by operating system version with filter parameters such as the following:
OperatingSystem -Like “Samba”
OperatingSystem -Like “OnTap”
OperatingSystem -Like “Data Domain”
OperatingSystem -Like “EMC”
OperatingSystem -Like “Windows NT”
PS C:> get-aduser -filter {AdminCount -eq 1} -Properties Name,AdminCount,ServicePrincipalName,PasswordLastSet,LastLogonDate,MemberOf
AdminCount : 1
DistinguishedName : CN=ADSAdministrator,CN=Users,DC=lab,DC=adsecurity,DC=org
Enabled : True
GivenName :
LastLogonDate : 1/27/2016 8:55:48 AM
MemberOf : {CN=Administrators,CN=Builtin,DC=lab,DC=adsecurity,DC=org, CN=Schema Admins,CN=Users,DC=lab,DC=adsecurity,DC=org, CN=Group
Policy Creator Owners,CN=Users,DC=lab,DC=adsecurity,DC=org, CN=Enterprise Admins,CN=Users,DC=lab,DC=adsecurity,DC=org…}
Name : ADSAdministrator
ObjectClass : user
ObjectGUID : 72ac7731-0a76-4e5a-8e5d-b4ded9a304b5
PasswordLastSet : 12/31/2015 8:45:27 AM
SamAccountName : ADSAdministrator
SID : S-1-5-21-1581655573-3923512380-696647894-500
Surname :
UserPrincipalName :
AdminCount : 1
DistinguishedName : CN=krbtgt,CN=Users,DC=lab,DC=adsecurity,DC=org
Enabled : False
GivenName :
LastLogonDate :
MemberOf : {CN=Denied RODC Password Replication Group,CN=Users,DC=lab,DC=adsecurity,DC=org}
Name : krbtgt
ObjectClass : user
ObjectGUID : 3d5be8dd-df7f-4f84-b2cf-4556310a7292
PasswordLastSet : 8/27/2015 7:10:22 PM
SamAccountName : krbtgt
ServicePrincipalName : {kadmin/changepw}
SID : S-1-5-21-1581655573-3923512380-696647894-502
Surname :
UserPrincipalName :
AdminCount : 1
DistinguishedName : CN=LukeSkywalker,OU=AD Management,DC=lab,DC=adsecurity,DC=org
Enabled : True
GivenName :
LastLogonDate : 8/29/2015 7:29:52 PM
MemberOf : {CN=Domain Admins,CN=Users,DC=lab,DC=adsecurity,DC=org}
Name : LukeSkywalker
ObjectClass : user
ObjectGUID : 32b5226b-aa6d-4b35-a031-ddbcbde07137
PasswordLastSet : 8/29/2015 7:26:02 PM
SamAccountName : LukeSkywalker
SID : S-1-5-21-1581655573-3923512380-696647894-2629
Surname :
UserPrincipalName :
PS C:> get-adgroup -filter {GroupCategory -eq 'Security' -AND Name -like "*admin*"}
DistinguishedName : CN=Domain Admins,CN=Users,DC=lab,DC=adsecurity,DC=org
GroupCategory : Security
GroupScope : Global
Name : Domain Admins
ObjectClass : group
ObjectGUID : 5621cc71-d318-4e2c-b1b1-c181f630e10e
SamAccountName : Domain Admins
SID : S-1-5-21-1581655573-3923512380-696647894-512
DistinguishedName : CN=Workstation Admins,OU=AD Management,DC=lab,DC=adsecurity,DC=org
GroupCategory : Security
GroupScope : Global
Name : Workstation Admins
ObjectClass : group
ObjectGUID : 88cd4d52-aedb-4f90-9ebd-02d4c0e322e4
SamAccountName : WorkstationAdmins
SID : S-1-5-21-1581655573-3923512380-696647894-2627
DistinguishedName : CN=Server Admins,OU=AD Management,DC=lab,DC=adsecurity,DC=org
GroupCategory : Security
GroupScope : Global
Name : Server Admins
ObjectClass : group
ObjectGUID : 3877c311-9321-41c0-a6b5-c0d88684b335
SamAccountName : ServerAdmins
SID : S-1-5-21-1581655573-3923512380-696647894-2628
DistinguishedName : CN=DnsAdmins,CN=Users,DC=lab,DC=adsecurity,DC=org
GroupCategory : Security
GroupScope : DomainLocal
Name : DnsAdmins
ObjectClass : group
ObjectGUID : 46caa0dd-6a22-42a3-a2d9-bd467934aab5
SamAccountName : DnsAdmins
SID : S-1-5-21-1581655573-3923512380-696647894-1101
DistinguishedName : CN=Administrators,CN=Builtin,DC=lab,DC=adsecurity,DC=org
GroupCategory : Security
GroupScope : DomainLocal
Name : Administrators
ObjectClass : group
ObjectGUID : d03a4afc-b14e-48c6-893c-bbc1ac872ca2
SamAccountName : Administrators
SID : S-1-5-32-544
DistinguishedName : CN=Hyper-V Administrators,CN=Builtin,DC=lab,DC=adsecurity,DC=org
GroupCategory : Security
GroupScope : DomainLocal
Name : Hyper-V Administrators
ObjectClass : group
ObjectGUID : 3137943e-f1c3-46d0-acf2-4711bf6f8417
SamAccountName : Hyper-V Administrators
SID : S-1-5-32-578
DistinguishedName : CN=Enterprise Admins,CN=Users,DC=lab,DC=adsecurity,DC=org
GroupCategory : Security
GroupScope : Universal
Name : Enterprise Admins
ObjectClass : group
ObjectGUID : 7674d6ad-777b-4db1-9fe3-e31fd664eb6e
SamAccountName : Enterprise Admins
SID : S-1-5-21-1581655573-3923512380-696647894-519
DistinguishedName : CN=Schema Admins,CN=Users,DC=lab,DC=adsecurity,DC=org
GroupCategory : Security
GroupScope : Universal
Name : Schema Admins
ObjectClass : group
ObjectGUID : 420e8ee5-77f5-43b8-9f51-cde3feea0662
SamAccountName : Schema Admins
SID : S-1-5-21-1581655573-3923512380-696647894-518
PS C:> get-adobject -filter {ObjectClass -eq "Contact"} -Prop *
CanonicalName : lab.adsecurity.org/Contaxts/Admiral Ackbar
CN : Admiral Ackbar
Created : 1/27/2016 10:00:06 AM
createTimeStamp : 1/27/2016 10:00:06 AM
Deleted :
Description :
DisplayName :
DistinguishedName : CN=Admiral Ackbar,OU=Contaxts,DC=lab,DC=adsecurity,DC=org
dSCorePropagationData : {12/31/1600 4:00:00 PM}
givenName : Admiral
instanceType : 4
isDeleted :
LastKnownParent :
mail : [email protected]
Modified : 1/27/2016 10:00:24 AM
modifyTimeStamp : 1/27/2016 10:00:24 AM
Name : Admiral Ackbar
nTSecurityDescriptor : System.DirectoryServices.ActiveDirectorySecurity
ObjectCategory : CN=Person,CN=Schema,CN=Configuration,DC=lab,DC=adsecurity,DC=org
ObjectClass : contact
ObjectGUID : 52c80a1d-a614-4889-92d4-1f588387d9f3
ProtectedFromAccidentalDeletion : False
sDRightsEffective : 15
sn : Ackbar
uSNChanged : 275113
uSNCreated : 275112
whenChanged : 1/27/2016 10:00:24 AM
whenCreated : 1/27/2016 10:00:06 AM
CanonicalName : lab.adsecurity.org/Contaxts/Leia Organa
CN : Leia Organa
Created : 1/27/2016 10:01:25 AM
createTimeStamp : 1/27/2016 10:01:25 AM
Deleted :
Description :
DisplayName :
DistinguishedName : CN=Leia Organa,OU=Contaxts,DC=lab,DC=adsecurity,DC=org
dSCorePropagationData : {12/31/1600 4:00:00 PM}
givenName : Leia
instanceType : 4
isDeleted :
LastKnownParent :
mail : [email protected]
Modified : 1/27/2016 10:09:15 AM
modifyTimeStamp : 1/27/2016 10:09:15 AM
Name : Leia Organa
nTSecurityDescriptor : System.DirectoryServices.ActiveDirectorySecurity
ObjectCategory : CN=Person,CN=Schema,CN=Configuration,DC=lab,DC=adsecurity,DC=org
ObjectClass : contact
ObjectGUID : ba8ec318-a0a2-41d5-923e-a3f646d1c7f9
ProtectedFromAccidentalDeletion : False
sDRightsEffective : 15
sn : Organa
uSNChanged : 275157
uSNCreated : 275132
whenChanged : 1/27/2016 10:09:15 AM
whenCreated : 1/27/2016 10:01:25 AM
PS C:> Get-ADDefaultDomainPasswordPolicy
ComplexityEnabled : True
DistinguishedName : DC=lab,DC=adsecurity,DC=org
LockoutDuration : 00:30:00
LockoutObservationWindow : 00:30:00
LockoutThreshold : 0
MaxPasswordAge : 42.00:00:00
MinPasswordAge : 1.00:00:00
MinPasswordLength : 7
objectClass : {domainDNS}
objectGuid : bbf0907c-3171-4448-b33a-76a48d859039
PasswordHistoryCount : 24
ReversibleEncryptionEnabled : False
On Windows Server 2008 and later, fine-grained password policies can be applied to individual users or groups.
PS C:> Get-ADFineGrainedPasswordPolicy -Filter *
AppliesTo : {CN=Special FGPP Users,OU=Test,DC=lab,DC=adsecurity,DC=org}
ComplexityEnabled : True
DistinguishedName : CN=Special Password Policy Group,CN=Password Settings Container,CN=System,DC=lab,DC=adsecurity,DC=org
LockoutDuration : 12:00:00
LockoutObservationWindow : 00:15:00
LockoutThreshold : 10
MaxPasswordAge : 00:00:00.0000365
MinPasswordAge : 00:00:00
MinPasswordLength : 7
Name : Special Password Policy Group
ObjectClass : msDS-PasswordSettings
ObjectGUID : c1301d8f-ba52-4bb3-b160-c449d9c7b8f8
PasswordHistoryCount : 24
Precedence : 100
ReversibleEncryptionEnabled : True
PS C:> Get-ADServiceAccount -Filter * -Properties *
AccountExpirationDate : 12/27/2017 11:14:38 AM
accountExpires : 131588756787719890
AccountLockoutTime :
AccountNotDelegated : False
AllowReversiblePasswordEncryption : False
AuthenticationPolicy : {}
AuthenticationPolicySilo : {}
BadLogonCount : 0
badPasswordTime : 0
badPwdCount : 0
CannotChangePassword : False
CanonicalName : lab.adsecurity.org/Managed Service Accounts/ADSMSA12
Certificates : {}
CN : ADSMSA12
codePage : 0
CompoundIdentitySupported : {False}
countryCode : 0
Created : 1/27/2016 11:14:38 AM
createTimeStamp : 1/27/2016 11:14:38 AM
Deleted :
Description : gMSA for XYZ App
DisplayName : ADSMSA12
DistinguishedName : CN=ADSMSA12,CN=Managed Service Accounts,DC=lab,DC=adsecurity,DC=org
DNSHostName : ADSAP02.lab.adsecurity.org
DoesNotRequirePreAuth : False
dSCorePropagationData : {12/31/1600 4:00:00 PM}
Enabled : True
HomedirRequired : False
HomePage :
HostComputers : {}
instanceType : 4
isCriticalSystemObject : False
isDeleted :
KerberosEncryptionType : {RC4, AES128, AES256}
LastBadPasswordAttempt :
LastKnownParent :
lastLogoff : 0
lastLogon : 0
LastLogonDate :
localPolicyFlags : 0
LockedOut : False
logonCount : 0
ManagedPasswordIntervalInDays : {21}
MemberOf : {}
MNSLogonAccount : False
Modified : 1/27/2016 11:14:39 AM
modifyTimeStamp : 1/27/2016 11:14:39 AM
msDS-ManagedPasswordId : {1, 0, 0, 0…}
msDS-ManagedPasswordInterval : 21
msDS-SupportedEncryptionTypes : 28
msDS-User-Account-Control-Computed : 0
Name : ADSMSA12
nTSecurityDescriptor : System.DirectoryServices.ActiveDirectorySecurity
ObjectCategory : CN=ms-DS-Group-Managed-Service-Account,CN=Schema,CN=Configuration,DC=lab,DC=adsecurity,DC=org
ObjectClass : msDS-GroupManagedServiceAccount
ObjectGUID : fe4c287b-f9d2-45ce-abe3-4acd6d09c3ff
objectSid : S-1-5-21-1581655573-3923512380-696647894-3605
PasswordExpired : False
PasswordLastSet : 1/27/2016 11:14:38 AM
PasswordNeverExpires : False
PasswordNotRequired : False
PrimaryGroup : CN=Domain Computers,CN=Users,DC=lab,DC=adsecurity,DC=org
primaryGroupID : 515
PrincipalsAllowedToDelegateToAccount : {}
PrincipalsAllowedToRetrieveManagedPassword : {}
ProtectedFromAccidentalDeletion : False
pwdLastSet : 130983956789440119
SamAccountName : ADSMSA12$
sAMAccountType : 805306369
sDRightsEffective : 15
ServicePrincipalNames :
SID : S-1-5-21-1581655573-3923512380-696647894-3605
SIDHistory : {}
TrustedForDelegation : False
TrustedToAuthForDelegation : False
UseDESKeyOnly : False
userAccountControl : 4096
userCertificate : {}
UserPrincipalName :
uSNChanged : 275383
uSNCreated : 275380
whenChanged : 1/27/2016 11:14:39 AM
whenCreated : 1/27/2016 11:14:38 AM
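The service-account dump above prints raw attributes (userAccountControl 4096, msDS-SupportedEncryptionTypes 28) next to the friendly booleans the cmdlet derives from them. When the same objects are read over plain LDAP there are no friendly views, so the decoder below rebuilds them from the integers and flags the settings a defender wants to know about. Added example, not code from the post; the bit values are Microsoft's documented flag constants.

```python
"""Decode userAccountControl / msDS-SupportedEncryptionTypes bitmasks.
Added example; flag constants are the documented AD values."""
from typing import Dict, List

UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",   # computer and gMSA objects
    0x2000: "SERVER_TRUST_ACCOUNT",        # domain controllers
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",     # unconstrained delegation
    0x100000: "NOT_DELEGATED",
    0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}
ENC_TYPES = {0x1: "DES_CBC_CRC", 0x2: "DES_CBC_MD5", 0x4: "RC4", 0x8: "AES128", 0x10: "AES256"}


def decode(value: int, table: Dict[int, str]) -> List[str]:
    """Names of the bits set in value, lowest bit first."""
    return [name for bit, name in sorted(table.items()) if value & bit]


def friendly_view(uac: int) -> Dict[str, bool]:
    """Rebuild the cmdlet's derived booleans from the raw mask: Enabled is the
    inverse of ACCOUNTDISABLE, every other property is one bit."""
    return {
        "Enabled": not uac & 0x0002,
        "PasswordNotRequired": bool(uac & 0x0020),
        "PasswordNeverExpires": bool(uac & 0x10000),
        "TrustedForDelegation": bool(uac & 0x80000),
        "AccountNotDelegated": bool(uac & 0x100000),
        "UseDESKeyOnly": bool(uac & 0x200000),
        "DoesNotRequirePreAuth": bool(uac & 0x400000),
        "TrustedToAuthForDelegation": bool(uac & 0x1000000),
    }


def weak_settings(uac: int, enc_types: int) -> List[str]:
    """Per-account settings worth a hardening ticket. enc_types of 0 means the
    attribute is absent (DC default applies), so it is not judged here."""
    out: List[str] = []
    if uac & 0x400000:
        out.append("Kerberos pre-authentication disabled")
    if uac & 0x0020:
        out.append("password not required")
    if uac & 0x200000:
        out.append("DES keys only")
    if uac & 0x80000 and not uac & 0x2000:
        out.append("unconstrained delegation on a non-DC account")
    if enc_types and not enc_types & 0x18:   # neither AES128 nor AES256
        out.append("no AES key type enabled")
    return out
```

For the ADSMSA12 object above, decode(4096, UAC_FLAGS) gives WORKSTATION_TRUST_ACCOUNT and decode(28, ENC_TYPES) gives RC4, AES128, AES256, matching the KerberosEncryptionType line the cmdlet printed.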
PowerView can be used to identify GPOs quickly; PowerView can be downloaded from:
https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1
PS C:> Get-NetGPOGroup
GPOName : {E9CABE0F-3A3F-40B1-B4C1-1FA89AC1F212}
GPOPath : \\lab.adsecurity.org\SysVol\lab.adsecurity.org\Policies\{E9CABE0F-3A3F-40B1-B4C1-1FA89AC1F212}
Members : {Server Admins}
MemberOf : {Administrators}
GPODisplayName : Add Server Admins to Local Administrator Group
Filters :
GPOName : {45556105-EFE6-43D8-A92C-AACB1D3D4DE5}
GPOPath : \\lab.adsecurity.org\SysVol\lab.adsecurity.org\Policies\{45556105-EFE6-43D8-A92C-AACB1D3D4DE5}
Members : {Workstation Admins}
MemberOf : {Administrators}
GPODisplayName : Add Workstation Admins to Local Administrators Group
With this information you can find which OU each GPO is linked to:
PS C:> get-netOU -guid "E9CABE0F-3A3F-40B1-B4C1-1FA89AC1F212"
LDAP://OU=Servers,DC=lab,DC=adsecurity,DC=org
PS C:> get-netOU -guid "45556105-EFE6-43D8-A92C-AACB1D3D4DE5"
LDAP://OU=Workstations,DC=lab,DC=adsecurity,DC=org
Next, list the hosts under that OU:
PS C:> get-adcomputer -filter * -SearchBase "OU=Servers,DC=lab,DC=adsecurity,DC=org"
DistinguishedName : CN=ADSAP01,OU=Servers,DC=lab,DC=adsecurity,DC=org
DNSHostName : ADSAP01.lab.adsecurity.org
Enabled : True
Name : ADSAP01
ObjectClass : computer
ObjectGUID : b79bb5e3-8f9e-4ee0-a30c-5f66b61da681
SamAccountName : ADSAP01$
SID : S-1-5-21-1581655573-3923512380-696647894-1105
UserPrincipalName :
DistinguishedName : CN=ADSAP02,OU=Servers,DC=lab,DC=adsecurity,DC=org
DNSHostName : ADSAP02.lab.adsecurity.org
Enabled : True
Name : ADSAP02
ObjectClass : computer
ObjectGUID : 1006978e-8627-4d01-98b6-3215c4ee4541
SamAccountName : ADSAP02$
SID : S-1-5-21-1581655573-3923512380-696647894-1603
UserPrincipalName :
PS C:> get-adcomputer -filter * -SearchBase "OU=Workstations,DC=lab,DC=adsecurity,DC=org"
DistinguishedName : CN=ADSWRKWIN7,OU=Workstations,DC=lab,DC=adsecurity,DC=org
DNSHostName : ADSWRKWIN7.lab.adsecurity.org
Enabled : True
Name : ADSWRKWIN7
ObjectClass : computer
ObjectGUID : e8b3bed2-75b4-4512-a4f0-6d9c2d975c70
SamAccountName : ADSWRKWIN7$
SID : S-1-5-21-1581655573-3923512380-696647894-1104
UserPrincipalName :
DistinguishedName : CN=ADSWKWIN7,OU=Workstations,DC=lab,DC=adsecurity,DC=org
DNSHostName : ADSWKWIN7.lab.adsecurity.org
Enabled : True
Name : ADSWKWIN7
ObjectClass : computer
ObjectGUID : 2f164d63-d721-4b0e-a553-3ca0e272aa96
SamAccountName : ADSWKWIN7$
SID : S-1-5-21-1581655573-3923512380-696647894-1602
UserPrincipalName :
The above covers how to obtain basic domain information with PowerShell. Besides this approach we can also use the net commands, but those are usually watched closely by antivirus software; having several methods and several paths available is useful when one of them is blocked.