In the process of internal network penetration testing, the ability to rapidly identify Domain Administrators and Domain Controllers is of paramount importance. Several commonly employed methods are introduced below.
Locating Domain Administrators
Command Line Identification
The following command can be executed in the command prompt to query domain administrator accounts:
net group "Domain Admins" /domain

Tool-Based Identification
Several specialised tools can facilitate the enumeration of Domain Administrator accounts and their logged-on locations.
PSLoggedon.exe
This utility identifies users logged on to a system by examining the HKEY_USERS registry hive and by calling the NetSessionEnum API. Note that certain functions of this tool require elevated, administrator-level privileges.
Download Link: https://docs.microsoft.com/en-us/sysinternals/downloads/psloggedon
| Parameter | Description |
|---|---|
| - | Displays the supported options and the units of measurement used for output values. |
| -l | Shows only local logons instead of both local and network resource logons. |
| -x | Does not display logon times. |
| \\computername | Specifies the name of the computer for which logon information is to be listed. |
| username | Specifies a user name; the tool searches the network for machines where that user is logged on. |
To locate a specific user, such as 'Administrator', the tool is invoked as follows:
PsLoggedon.exe Administrator

To query a specific machine, the command is:
PsLoggedon.exe \\AD-server

PVEFindADUser.exe
This tool is designed to ascertain the logon locations of Active Directory users, enumerate domain users, and identify users logged on to specific computers, including local users, those connected via RDP, and accounts used to run services and scheduled tasks. This tool also requires administrator privileges.
Download Link: https://github.com/chrisdee/Tools/tree/master/AD/ADFindUsersLoggedOn
| Parameter | Description |
|---|---|
| -h | Displays help information. |
| -u | Checks whether a newer version of the programme is available. |
| -current ["username"] | Displays the user currently logged on to each PC within the domain. If a username is specified in quotation marks, only PCs where that particular user is logged on are displayed. |
| -noping | Prevents the tool from pinging target computers before attempting to enumerate user logons. |
| -target | An optional comma-separated list of hostnames to query. If omitted, all hosts in the current domain are queried. Results are written to a report.csv file. |
Executing the command PVEFindADUser.exe -current displays all users currently logged on to all machines within the domain.

This operation generates a report.csv file on the target machine, which can be retrieved for subsequent analysis.
PowerView.ps1
This PowerShell script is a component of the PowerSploit toolkit and serves as a robust instrument for gathering domain information. A suite of cmdlets is provided, including Get-NetUser, Get-NetDomainController, and Invoke-UserHunter, which specifically aids in identifying the computers to which domain users are logged on and whether they possess local administrator privileges.
Download Link: https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerView
To locate Domain Administrators using PowerView, one may bypass the execution policy and invoke the script as demonstrated below:
powershell.exe -exec bypass -Command "& {Import-Module C:\Users\win7\Desktop\tool\PowerView.ps1; Invoke-UserEventHunter}"

Locating Domain Controllers
Command Line Identification
A Domain Controller can be identified by querying the relevant domain group with the command:
net group "Domain Controllers" /domain

Alternatively, the net time command can be used: the domain time is served by a Domain Controller, so the output names one.
net time /domain

DNS Record Enumeration
If the local machine's configured DNS server is a domain-integrated DNS server (commonly the Domain Controller itself), querying the service location (SRV) records registered by Domain Controllers identifies them.
nslookup -type=all _ldap._tcp.dc._msdcs.tubai.com

Port Probing
Domain Controllers typically expose a characteristic set of ports. Port 389 is the default port for the Lightweight Directory Access Protocol (LDAP), port 636 is for LDAP over SSL/TLS (LDAPS), and port 53 is the standard port for the Domain Name System (DNS) service. A targeted scan for hosts within the internal network range that have these specific ports open can reveal potential Domain Controllers.
A direct probe of the identified Domain Controller's IP address on these key ports confirms its role.
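The two steps above, DNS SRV lookup followed by port confirmation, as an added example that is not part of the original article: it parses the SRV answer that nslookup prints for the _ldap._tcp.dc._msdcs record and then checks each candidate on 389, 636 and 53. The nslookup text is a constructed sample, and the `connect` callable is an assumption made injectable so the port check can be tested without a network.

```python
import re
import socket
from typing import Callable, Dict, List

# Constructed sample, shaped like the SRV answer Windows nslookup prints for the
# DC locator record; hostnames and addresses are made up.
SAMPLE_NSLOOKUP = """\
_ldap._tcp.dc._msdcs.tubai.com  SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = ad-server.tubai.com
_ldap._tcp.dc._msdcs.tubai.com  SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = ad-backup.tubai.com
ad-server.tubai.com     internet address = 192.168.1.10
ad-backup.tubai.com     internet address = 192.168.1.11
"""

# Ports the article lists as characteristic of a Domain Controller.
DC_PORTS = {389: "ldap", 636: "ldaps", 53: "dns"}

def parse_srv_hosts(text: str) -> List[str]:
    """Return the 'svr hostname' targets (the DC candidates) in answer order."""
    return re.findall(r"svr hostname\s*=\s*(\S+)", text)

def tcp_connect(host: str, port: int, timeout: float = 2.0) -> bool:
    """Plain TCP connect check: True if the port accepted the connection."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def probe_dc_ports(host: str, connect: Callable[[str, int], bool] = tcp_connect) -> Dict[str, bool]:
    """Check each characteristic service; `connect` is injectable so tests need no network."""
    return {name: connect(host, port) for port, name in DC_PORTS.items()}

def looks_like_dc(ports: Dict[str, bool]) -> bool:
    """LDAP and DNS together are the strong signal; LDAPS only answers once a
    server certificate is installed on the DC, so it is treated as optional."""
    return ports.get("ldap", False) and ports.get("dns", False)
```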

SPN Scanning
Service Principal Name (SPN) scanning is a stealthier alternative to conventional TCP or UDP port scanning, as it utilises standard Kerberos authentication requests. Most Windows installations include the native setspn.exe utility, which does not require administrative rights to perform queries.
The following command, executed from a domain-joined machine, can identify Domain Controllers by their registered SPNs:
setspn -T tubai.com -Q */*
Within the scan results, Domain Controllers can be distinguished by canonical names containing the string OU=Domain Controllers, such as CN=AD-SERVER,OU=Domain Controllers,DC=tubai,DC=com.
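Picking the Domain Controllers out of a full setspn listing by hand is tedious, so here is an added example, not from the original article, that parses the output of setspn -T tubai.com -Q */* and applies exactly the OU=Domain Controllers rule described above. The setspn text is a constructed sample in the layout the tool prints; the only objects in it are made up.

```python
import re
from typing import Dict, List

# Constructed sample in the layout setspn -Q prints: each object's DN, then its indented SPNs.
SAMPLE_SETSPN = """\
Checking domain DC=tubai,DC=com
CN=AD-SERVER,OU=Domain Controllers,DC=tubai,DC=com
        ldap/ad-server.tubai.com/tubai.com
        HOST/ad-server.tubai.com
CN=WS01,CN=Computers,DC=tubai,DC=com
        HOST/WS01
        HOST/ws01.tubai.com
CN=svc_sql,CN=Users,DC=tubai,DC=com
        MSSQLSvc/sql01.tubai.com:1433

Existing SPN found!
"""

def parse_setspn(text: str) -> Dict[str, List[str]]:
    """Group SPNs under the distinguished name that precedes them."""
    objects: Dict[str, List[str]] = {}
    current = None
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Checking domain", "Existing SPN", "No such SPN")):
            continue
        if line[0].isspace():          # indented: an SPN of the current object
            if current is not None:
                objects[current].append(line.strip())
        else:                          # unindented: a new distinguished name
            current = line.strip()
            objects[current] = []
    return objects

def is_domain_controller(dn: str) -> bool:
    """True when one RDN is OU=Domain Controllers (case-insensitive; escaped commas do not split)."""
    parts = [p.strip().lower() for p in re.split(r"(?<!\\),", dn)]
    return "ou=domain controllers" in parts

def find_domain_controllers(text: str) -> Dict[str, List[str]]:
    return {dn: spns for dn, spns in parse_setspn(text).items() if is_domain_controller(dn)}

def dc_hostnames(text: str) -> List[str]:
    """DC FQDNs taken from the HOST/<fqdn> SPNs of the DC objects."""
    hosts = set()
    for spns in find_domain_controllers(text).values():
        for spn in spns:
            service, _, target = spn.partition("/")
            if service.upper() == "HOST" and "." in target:
                hosts.add(target.lower())
    return sorted(hosts)
```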

Summary
Numerous methods exist for identifying Domain Administrators and Domain Controllers; the techniques described herein represent only the most frequently employed. During routine internal network penetration tests, it is a cardinal principle to prioritise techniques that generate minimal detectable activity.