CINXE.COM
Offensive WMI - Active Directory Enumeration (Part 5) :: 0xInfection's Blog — Ramblings of an Infected Geek.
<!DOCTYPE html> <html lang="en"> <head> <title> Offensive WMI - Active Directory Enumeration (Part 5) :: 0xInfection's Blog — Ramblings of an Infected Geek. </title> <meta http-equiv="content-type" content="text/html; charset=utf-8" /> <meta name="viewport" content="width=device-width, initial-scale=1.0" /> <meta name="description" content="This blog is the fifth installation of the &ldquo;Offensive WMI&rdquo; series that I&rsquo;ve been writing on, and this post will cover Active Directory enumeration. Active Directory (AD) is Microsoft&rsquo;s implementation of a directory and IAM service for Windows domain networks &ndash; which enables admins to manage permissions and access to resources. Anything used for managing multiple resources is handy for administrators, however, the same is also useful for evil-doers in gathering information and lateral movement." /> <meta name="keywords" content="security" /> <meta name="robots" content="noodp" /> <link rel="canonical" href="https://0xinfection.github.io/posts/wmi-ad-enum/" /> <link rel="stylesheet" href="/css/style.css" /> <link rel="stylesheet" href="https://0xinfection.github.io/style.css" /> <link rel="apple-touch-icon-precomposed" sizes="144x144" href="https://0xinfection.github.io/img/apple-touch-icon-144-precomposed.png" /> <link rel="shortcut icon" href="https://0xinfection.github.io/img/favicon.png" /> <link href="/fonts/Inter-Italic.woff2" rel="preload" type="font/woff2" as="font" crossorigin=""> <link href="/fonts/Inter-Regular.woff2" rel="preload" type="font/woff2" as="font" crossorigin=""> <link href="/fonts/Inter-Medium.woff2" rel="preload" type="font/woff2" as="font" crossorigin=""> <link href="/fonts/Inter-MediumItalic.woff2" rel="preload" type="font/woff2" as="font" crossorigin=""> <link href="/fonts/Inter-Bold.woff2" rel="preload" type="font/woff2" as="font" crossorigin=""> <link href="/fonts/Inter-BoldItalic.woff2" rel="preload" type="font/woff2" as="font" crossorigin=""> <meta name="twitter:card" content="summary_large_image"/> <meta name="twitter:image" content="https://0xinfection.github.io/posts/wmi-ad-enum/cover.png"/> <meta name="twitter:title" content="Offensive WMI - Active Directory Enumeration (Part 5)"/> <meta name="twitter:description" content="This blog is the fifth installation of the “Offensive WMI” series that I’ve been writing on, and this post will cover Active Directory enumeration. Active Directory (AD) is Microsoft’s implementation of a directory and IAM service for Windows domain networks – which enables admins to manage permissions and access to resources. Anything used for managing multiple resources is handy for administrators, however, the same is also useful for evil-doers in gathering information and lateral movement."/> <meta property="og:title" content="Offensive WMI - Active Directory Enumeration (Part 5)" /> <meta property="og:description" content="This blog is the fifth installation of the “Offensive WMI” series that I’ve been writing on, and this post will cover Active Directory enumeration. Active Directory (AD) is Microsoft’s implementation of a directory and IAM service for Windows domain networks – which enables admins to manage permissions and access to resources. Anything used for managing multiple resources is handy for administrators, however, the same is also useful for evil-doers in gathering information and lateral movement." /> <meta property="og:type" content="article" /> <meta property="og:url" content="https://0xinfection.github.io/posts/wmi-ad-enum/" /><meta property="og:image" content="https://0xinfection.github.io/posts/wmi-ad-enum/cover.png"/><meta property="article:section" content="posts" /> <meta property="article:published_time" content="2021-10-17T00:00:00+05:30" /> <meta property="article:modified_time" content="2021-10-17T00:00:00+05:30" /><meta property="og:site_name" content="0xInfection's Blog" /> </head> <body class="dark-theme"> <div class="container"> <header class="header"> <span class="header__inner"> <a href="/" class="logo" style="text-decoration: none;" > <span class="logo__mark"><svg xmlns="http://www.w3.org/2000/svg" class="greater-icon" viewBox="0 0 44 44"> <path fill="none" d="M15 8l14.729 14.382L15 35.367" /> </svg> </span> <span class="logo__text" >0xinfection's security stuff</span > <span class="logo__cursor"></span> </a> <span class="header__right"> <nav class="menu"> <ul class="menu__inner menu__inner--desktop"> <li><a href="/about">About</a></li> <li><a href="/posts">Blog</a></li> </ul> <ul class="menu__inner menu__inner--mobile"> <li><a href="/about">About</a></li> <li><a href="/posts">Blog</a></li> </ul> </nav> <span class="menu-trigger"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"> <path d="M0 0h24v24H0z" fill="none" /> <path d="M3 18h18v-2H3v2zm0-5h18v-2H3v2zm0-7v2h18V6H3z" /> </svg> </span> <span class="theme-toggle"> <svg class="theme-toggler" width="24" height="24" viewBox="0 0 48 48" fill="none" xmlns="http://www.w3.org/2000/svg" > <path d="M22 41C32.4934 41 41 32.4934 41 22C41 11.5066 32.4934 3 22 3C11.5066 3 3 11.5066 3 22C3 32.4934 11.5066 41 22 41ZM7 22C7 13.7157 13.7157 7 22 7V37C13.7157 37 7 30.2843 7 22Z" /> </svg> </span> </span> </span> </header> <div class="content"> <article class="post"> <h1 class="post-title">Offensive WMI - Active Directory Enumeration (Part 5)</h1> <div class="post-meta"> <time class="post-date"> 2021-10-17 </time> </div> <figure class="post-cover"> <img src="https://0xinfection.github.io/posts/wmi-ad-enum/cover.png" alt="Offensive WMI - Active Directory Enumeration (Part 5)"/> </figure> <div class="post-content"> <p>This blog is the fifth installation of the “Offensive WMI” series that I’ve been writing on, and this post will cover Active Directory enumeration.</p> <p>Active Directory (AD) is Microsoft’s implementation of a directory and IAM service for Windows domain networks – which enables admins to manage permissions and access to resources. Anything used for managing multiple resources is handy for administrators, however, the same is also useful for evil-doers in gathering information and lateral movement.</p> <p>It is important to note that there are several ways to interact with any AD environment, but for this blog we’ll stick with pure WMI.</p> <h2 id="ad-and-wmi"> AD and WMI <a href="#ad-and-wmi" class="h-anchor" aria-hidden="true">#</a> </h2> <p>WMI has a provider called <code>root\directory\ldap</code> which can be used for interaction with the active directory environment. If we try to list the classes under that provider, we can see that there are a lot of classes that come with either of these prefixes, viz. <code>ads_</code> or <code>ds_</code>. The classes starting with <code>ads_</code> are abstract, and the ones with <code>ds_</code> are dynamic (the only ones useful to us since they allow retrieval of instances).</p> <p>We’ll quickly list out the available classes using the following:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-sql" data-lang="sql"><span style="display:flex;"><span><span style="color:#66d9ef">Get</span><span style="color:#f92672">-</span>WmiObject <span style="color:#f92672">-</span>Namespace root<span style="color:#960050;background-color:#1e0010">\</span>directory<span style="color:#960050;background-color:#1e0010">\</span>ldap <span style="color:#f92672">-</span><span style="color:#66d9ef">Class</span> ds_<span style="color:#f92672">*</span> <span style="color:#f92672">-</span>List </span></span></code></pre></div> <img src="classes.png" alt="classes" class="center" /> <p>Let’s get started!</p> <h3 id="finding-the-domain-name"> Finding the domain name <a href="#finding-the-domain-name" class="h-anchor" aria-hidden="true">#</a> </h3> <p>After gaining access to a box on a domain, one of the first steps in basic reconnaissance would be to try to figure out the domain name on which we are on:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-sql" data-lang="sql"><span style="display:flex;"><span><span style="color:#66d9ef">Get</span><span style="color:#f92672">-</span>WmiObject <span style="color:#f92672">-</span>Namespace root<span style="color:#960050;background-color:#1e0010">\</span>directory<span style="color:#960050;background-color:#1e0010">\</span>ldap <span style="color:#f92672">-</span><span style="color:#66d9ef">Class</span> ds_domain <span style="color:#f92672">|</span> <span style="color:#66d9ef">select</span> ds_dc, </span></span><span style="display:flex;"><span> ds_distinguishedname, pscomputername </span></span></code></pre></div> <img src="basic.png" alt="basic" class="center" /> <p>In the above command, we fetched the domain name, the FQDN, and the name of the computer we’re currently on.</p> <h3 id="getting-the-domain-policy"> Getting the domain policy <a href="#getting-the-domain-policy" class="h-anchor" aria-hidden="true">#</a> </h3> <p>Now, let’s try to look at the current domain policy. The same class <code>ds_domain</code> can help us out with additional information about the policy:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-sql" data-lang="sql"><span style="display:flex;"><span><span style="color:#66d9ef">Get</span><span style="color:#f92672">-</span>WmiObject <span style="color:#f92672">-</span>Namespace root<span style="color:#960050;background-color:#1e0010">\</span>directory<span style="color:#960050;background-color:#1e0010">\</span>ldap <span style="color:#f92672">-</span><span style="color:#66d9ef">Class</span> ds_domain <span style="color:#f92672">|</span> <span style="color:#66d9ef">select</span> ds_lockoutduration, </span></span><span style="display:flex;"><span> ds_lockoutobservationwindow, ds_lockoutthreshold, ds_maxpwdage, </span></span><span style="display:flex;"><span> ds_minpwdage, ds_minpwdlength, ds_pwdhistorylength, ds_pwdproperties </span></span></code></pre></div> <img src="policy.png" alt="policy" class="center" /> <blockquote> <p><strong>NOTE:</strong> As you might have noticed, the output of the above command includes a lot of negative values. All the timestamps in the above output are stored as <strong>negative “filetimes”</strong>, i.e. represented as negative integers of 100 nanosecond timeslices. For example, a time period of 20 minutes would be represented as <code>-12000000000</code>.</p> </blockquote> <p>We can fairly derive that both the lockout duration and lockout observation window is set at 30 mins, while the password expiry duration is infinite, i.e. never expires. The minimum password length is 7, while, the password history length is 24.</p> <h3 id="finding-the-domain-controller"> Finding the domain controller <a href="#finding-the-domain-controller" class="h-anchor" aria-hidden="true">#</a> </h3> <p>Cool, let us try to find out the domain controller. Before that, we should keep in mind that in WMI, different UAC (User Account Control) values are defined via constants. The table below presents a mapping of the UAC values to user types:</p> <table> <thead> <tr> <th>User Type</th> <th>Hex Value</th> <th>Constants</th> </tr> </thead> <tbody> <tr> <td>Normal User</td> <td>0x200</td> <td>512</td> </tr> <tr> <td>Workstation/Server</td> <td>0x1000</td> <td>4096</td> </tr> <tr> <td>Domain Controller</td> <td>0x82000</td> <td>532480</td> </tr> </tbody> </table> <p>Now that we know the values, we can easily query the <code>ds_computer</code> class with the following command. Note the usage of the <code>where</code> Powershell utility to find the domain controller via the piped variable.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-sql" data-lang="sql"><span style="display:flex;"><span><span style="color:#66d9ef">Get</span><span style="color:#f92672">-</span>WmiObject <span style="color:#f92672">-</span>Namespace root<span style="color:#960050;background-color:#1e0010">\</span>directory<span style="color:#960050;background-color:#1e0010">\</span>ldap <span style="color:#f92672">-</span><span style="color:#66d9ef">Class</span> ds_computer <span style="color:#f92672">|</span> <span style="color:#66d9ef">where</span> <span style="color:#960050;background-color:#1e0010">{</span> </span></span><span style="display:flex;"><span> <span style="color:#960050;background-color:#1e0010">$</span>_.ds_useraccountcontrol <span style="color:#f92672">-</span><span style="color:#66d9ef">match</span> <span style="color:#ae81ff">532480</span> </span></span><span style="display:flex;"><span><span style="color:#960050;background-color:#1e0010">}</span> <span style="color:#f92672">|</span> <span style="color:#66d9ef">select</span> ds_cn, ds_dnshostname, ds_operatingsystem, ds_lastlogon, ds_pwdlastset </span></span></code></pre></div> <img src="dc.png" alt="policy" class="center" /> <p>The output gives us a lot of data about the domain controller (DC), including its name, DNS hostname, OS, last logon timestamp and even the DC’s last password update timestamp. All time-based properties in the output are filetimes. You can use <a href="https://www.silisoftware.com/tools/date.php">this neat converter</a> to convert filetimes into human-readable datetime format.</p> <p>That’s a lot of information that we can enumerate with just an ordinary domain user account without admin privileges!</p> <h3 id="searching-user-accounts"> Searching user accounts <a href="#searching-user-accounts" class="h-anchor" aria-hidden="true">#</a> </h3> <p>How about user accounts in the domain as well as other domains in trust relationship with the current domain? It is as simple as querying users using the <code>Win32_UserAccount</code> class:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-sql" data-lang="sql"><span style="display:flex;"><span><span style="color:#66d9ef">Get</span><span style="color:#f92672">-</span>WmiObject <span style="color:#f92672">-</span><span style="color:#66d9ef">Class</span> win32_useraccount <span style="color:#f92672">|</span> <span style="color:#66d9ef">select</span> name, <span style="color:#66d9ef">domain</span>, accounttype </span></span></code></pre></div> <img src="users.png" alt="policy" class="center" /> <p>As you might have already guessed, the <code>AccountType</code> property is a constant value depicting the user type. The table below defines the type of accounts with their constant values:</p> <table> <thead> <tr> <th>Account Type</th> <th>Identifier</th> <th>Constant</th> </tr> </thead> <tbody> <tr> <td>Temporary Duplicate Account</td> <td><code>UF_TEMP_DUPLICATE_ACCOUNT</code></td> <td>256</td> </tr> <tr> <td>Normal Account</td> <td><code>UF_NORMAL_ACCOUNT</code></td> <td>512</td> </tr> <tr> <td>Interdomain Trust Account</td> <td><code>UF_INTERDOMAIN_TRUST_ACCOUNT</code></td> <td>2048</td> </tr> <tr> <td>Workstation Trust Account</td> <td><code>UF_WORKSTATION_TRUST_ACCOUNT</code></td> <td>4096</td> </tr> <tr> <td>Server Trust Account</td> <td><code>UF_SERVER_TRUST_ACCOUNT</code></td> <td>8192</td> </tr> </tbody> </table> <p>In case we want to filter out just the user accounts for a single domain, we can use the <code>-Filter</code> switch of the cmdlet like this:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-sql" data-lang="sql"><span style="display:flex;"><span><span style="color:#66d9ef">Get</span><span style="color:#f92672">-</span>WmiObject <span style="color:#f92672">-</span><span style="color:#66d9ef">Class</span> win32_useraccount <span style="color:#f92672">-</span>Filter <span style="color:#e6db74">'domain="infected"'</span> <span style="color:#f92672">|</span> <span style="color:#66d9ef">select</span> caption </span></span></code></pre></div> <img src="filteruser.png" alt="policy" class="center" /> <h3 id="enumerating-currently-logged-on-users"> Enumerating currently logged-on users <a href="#enumerating-currently-logged-on-users" class="h-anchor" aria-hidden="true">#</a> </h3> <p>The <code>Win32_LoggedOnUser</code> classes provide information about the logged-on users in that system as well as the domain. To filter out logged-on local users, we can use the following command:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-sql" data-lang="sql"><span style="display:flex;"><span><span style="color:#66d9ef">Get</span><span style="color:#f92672">-</span>WmiObject <span style="color:#f92672">-</span><span style="color:#66d9ef">Class</span> win32_loggedonuser <span style="color:#f92672">|</span> <span style="color:#66d9ef">where</span> <span style="color:#960050;background-color:#1e0010">{</span> </span></span><span style="display:flex;"><span> <span style="color:#960050;background-color:#1e0010">$</span>_ <span style="color:#f92672">-</span><span style="color:#66d9ef">match</span> <span style="color:#e6db74">'infected'</span> </span></span><span style="display:flex;"><span><span style="color:#960050;background-color:#1e0010">}</span> <span style="color:#f92672">|</span> foreach <span style="color:#960050;background-color:#1e0010">{</span>[wmi]<span style="color:#960050;background-color:#1e0010">$</span>_.antecedent<span style="color:#960050;background-color:#1e0010">}</span> </span></span></code></pre></div> <img src="log.png" alt="policy" class="center" /> <h3 id="fetching-groups"> Fetching groups <a href="#fetching-groups" class="h-anchor" aria-hidden="true">#</a> </h3> <p>Fetching the groups for a domain is simple as querying the <code>Win32_GroupInDomain</code> class. We’ll use a bit of Powershell magic to give us a cleaner output.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-sql" data-lang="sql"><span style="display:flex;"><span><span style="color:#66d9ef">Get</span><span style="color:#f92672">-</span>WmiObject <span style="color:#f92672">-</span><span style="color:#66d9ef">Class</span> win32_groupindomain <span style="color:#f92672">|</span> foreach <span style="color:#960050;background-color:#1e0010">{</span>[wmi]<span style="color:#960050;background-color:#1e0010">$</span>_.partcomponent<span style="color:#960050;background-color:#1e0010">}</span> </span></span></code></pre></div> <img src="groups.png" alt="policy" class="center" /> <p>The same could be done with the <code>Win32_Group</code> class, but the output would include the local groups as well.</p> <h3 id="figuring-out-group-memberships"> Figuring out group memberships <a href="#figuring-out-group-memberships" class="h-anchor" aria-hidden="true">#</a> </h3> <p>Group membership data is provided by the <code>Win32_GroupUser</code> class. The output obtained includes all membership information for the current domain, the trusted domains as well as the trusted forest with bi-directional trust. For our example, let’s say we want to fetch the accounts from the “Domain Admins” group:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-sql" data-lang="sql"><span style="display:flex;"><span><span style="color:#66d9ef">Get</span><span style="color:#f92672">-</span>WmiObject <span style="color:#f92672">-</span><span style="color:#66d9ef">Class</span> win32_groupuser <span style="color:#f92672">|</span> <span style="color:#66d9ef">where</span> <span style="color:#960050;background-color:#1e0010">{</span> </span></span><span style="display:flex;"><span> <span style="color:#960050;background-color:#1e0010">$</span>_.groupcomponent <span style="color:#f92672">-</span><span style="color:#66d9ef">match</span> <span style="color:#e6db74">'domain admins'</span> </span></span><span style="display:flex;"><span><span style="color:#960050;background-color:#1e0010">}</span> <span style="color:#f92672">|</span> foreach <span style="color:#960050;background-color:#1e0010">{</span>[wmi]<span style="color:#960050;background-color:#1e0010">$</span>_.partcomponent<span style="color:#960050;background-color:#1e0010">}</span> </span></span></code></pre></div> <img src="groupuser.png" alt="policy" class="center" /> <p>This is equally applicable for the reverse use case. If we want to enumerate the groups that a particular user is in (<code>Administrator</code> in this case), then we can do something like:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-sql" data-lang="sql"><span style="display:flex;"><span><span style="color:#66d9ef">Get</span><span style="color:#f92672">-</span>WmiObject <span style="color:#f92672">-</span><span style="color:#66d9ef">Class</span> win32_groupuser <span style="color:#f92672">|</span> <span style="color:#66d9ef">where</span> <span style="color:#960050;background-color:#1e0010">{</span> </span></span><span style="display:flex;"><span> <span style="color:#960050;background-color:#1e0010">$</span>_.partcomponent <span style="color:#f92672">-</span><span style="color:#66d9ef">match</span> <span style="color:#e6db74">'Administrator'</span> </span></span><span style="display:flex;"><span><span style="color:#960050;background-color:#1e0010">}</span> <span style="color:#f92672">|</span> foreach <span style="color:#960050;background-color:#1e0010">{</span>[wmi]<span style="color:#960050;background-color:#1e0010">$</span>_.groupcomponent<span style="color:#960050;background-color:#1e0010">}</span> </span></span></code></pre></div> <img src="usergroup.png" alt="policy" class="center" /> <blockquote> <p><strong>NOTE</strong>: Since we’re using Powershell’s <code>Where-Object</code> cmdlet, we can use the <code>-match</code> argument efficiently to find any substring within a property. This helps in exploring a lot of possibilities in creatively filtering out things on specific criteria.</p> </blockquote> <h3 id="finding-machines-in-the-domain"> Finding machines in the domain <a href="#finding-machines-in-the-domain" class="h-anchor" aria-hidden="true">#</a> </h3> <p>To get a list of all unique machines in our active directory environment, we can do something like:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-sql" data-lang="sql"><span style="display:flex;"><span><span style="color:#66d9ef">Get</span><span style="color:#f92672">-</span>WmiObject <span style="color:#f92672">-</span>Namespace root<span style="color:#960050;background-color:#1e0010">\</span>directory<span style="color:#960050;background-color:#1e0010">\</span>ldap <span style="color:#f92672">-</span><span style="color:#66d9ef">Class</span> ds_computer <span style="color:#f92672">|</span> <span style="color:#66d9ef">select</span> ds_cn </span></span></code></pre></div> <img src="pcs.png" alt="policy" class="center" /> <h3 id="enumerating-admin-privileges-across-ad"> Enumerating admin privileges across AD <a href="#enumerating-admin-privileges-across-ad" class="h-anchor" aria-hidden="true">#</a> </h3> <p>An important thing to remember is, by default WMI provides remote access only to local administrators. Already noticed the catch there? If we can run WMI commands against a remote computer, it means we have <em>local administrator</em> access on that computer. We can use this information to write a very simple script that can enumerate local administrator privileges on remote computers.</p> <p>We can chain the output of the last command with a bit of Powershell to achieve the above:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$pcs <span style="color:#f92672">=</span> Get-WmiObject -Namespace root<span style="color:#ae81ff">\d</span>irectory<span style="color:#ae81ff">\l</span>dap -Class ds_computer | <span style="color:#66d9ef">select</span> -ExpandProperty ds_cn </span></span><span style="display:flex;"><span>foreach <span style="color:#f92672">(</span>$pc in $pcs<span style="color:#f92672">)</span> <span style="color:#f92672">{</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">(</span>Get-WmiObject -Class win32_computersystem -ComputerName $pc -ErrorAction silentlycontinue<span style="color:#f92672">)</span>.name </span></span><span style="display:flex;"><span><span style="color:#f92672">}</span> </span></span></code></pre></div> <img src="admin.png" alt="policy" class="center" /> <p>Now we have all the boxes on which our user has admin privileges. With this information, things now become super easy for us in lateral movement.</p> <h2 id="conclusion"> Conclusion <a href="#conclusion" class="h-anchor" aria-hidden="true">#</a> </h2> <p>We saw how easily we could enumerate a lot of stuff from an Active Directory environment using a few WMI classes and some Powershell magic. Once again, this blog is not comprehensive and there are a lot of possibilities when it comes to reconnaissance. In our next blog, we’ll focus on lateral movement via WMI.</p> <p>That’s it for now folks. I hope you enjoyed reading the blog. Cheers! 🥂</p> </div> <div class="pagination"> <div class="pagination__title"> <span class="pagination__title-h" >Read other posts</span > <hr /> </div> <div class="pagination__buttons"> <span class="button previous"> <a href="https://0xinfection.github.io/posts/analyzing-freeswitch-vulns/"> <span class="button__icon">←</span> <span class="button__text">Analyzing two FreeSWITCH vulnerabilities -- CVE-2021-41157 & CVE-2021-37624</span> </a> </span> <span class="button next"> <a href="https://0xinfection.github.io/posts/wmi-recon-enum/"> <span class="button__text">Offensive WMI - Reconnaissance & Enumeration (Part 4)</span> <span class="button__icon">→</span> </a> </span> </div> </div> </article> </div> <footer class="footer"> <div class="footer__inner"> <div class="copyright copyright--user">© 0xInfection</div> </div> </footer> <script type="text/javascript" src="/bundle.min.js"></script> </div> </body> </html>