├── Basic_Active_Directory_Users_and_Computers.md
└── README.md

/Basic_Active_Directory_Users_and_Computers.md:
--------------------------------------------------------------------------------
Living-off-the-land (LOTL) technique to access basic Active Directory Users and Computers.

While this is an interesting technique, it is not that useful, as it only appears to reveal one domain group per username, but it does allow you to enumerate all machine names and usernames within Active Directory.

The testing account:

```
User name                    g.white
Full Name
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            21/11/2024 20:56:33
Password expires             02/01/2025 20:56:33
Password changeable          22/11/2024 20:56:33
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   10/12/2024 21:01:20

Logon hours allowed          All

Local Group Memberships
Global Group memberships     *Domain Users
The command completed successfully.
```

1. Right click on any folder and select Properties.

![image](https://github.com/user-attachments/assets/1fbc8cf5-f6e7-4cac-93ec-bfb4b2623c07)

2. Click on the Security tab followed by Advanced.

![image](https://github.com/user-attachments/assets/09764bfd-f177-4957-8cfc-6d7792ecbdff)

3. Click on Add.

![image](https://github.com/user-attachments/assets/fc6d1d2b-7f88-458e-89c1-83ae664adeef)

4. Click on Select a principal.

![image](https://github.com/user-attachments/assets/f6437fa7-adae-4a11-a632-1ea07bfbe2b1)

5. This loads the basic Active Directory Users and Computers search menu.

![image](https://github.com/user-attachments/assets/3b188497-58f9-4ed1-90ff-0ca316cdb975)

6. If you click on Locations you can see the basic OUs.

![image](https://github.com/user-attachments/assets/876ddfa6-4428-451a-b3bf-1601163d7241)

7. Click on Advanced, which opens a basic search feature that allows slightly more granular control.

![image](https://github.com/user-attachments/assets/38a86bff-33cc-42a3-8442-28291c228395)

8. Click on Columns, highlight "Member Of", click Add, then click OK.

![image](https://github.com/user-attachments/assets/86dac1b5-abdd-4c8c-a803-404a2e7562ec)

9. Type in the name of the account you wish to enumerate and click Find Now.

![image](https://github.com/user-attachments/assets/e476c061-a03d-41fa-862a-523357aa0df8)

You can only see the first domain group the account is associated with from this limited search function.

![image](https://github.com/user-attachments/assets/5ba938c4-31e5-46fa-8f3a-9b25945492ba)

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Hunt

**All tests were conducted using the following account to help replicate minimum domain user privileges.**

```
PS C:\Users\g.white> net user /domain g.white
The request will be processed at a domain controller for domain hacklab.local.

User name                    g.white
Full Name
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            07/06/1841 11:29:03
Password expires             Never
Password changeable          08/06/21841 11:29:03
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   07/06/1841 11:29:11

Logon hours allowed          All

Local Group Memberships
Global Group memberships     *Domain Users
The command completed successfully.

PS C:\Users\g.white>
```

**Local host's NetSetup log file**

Review the NetSetup log file on the local host; it contains information used to troubleshoot domain-join issues.
The log file contains the host build information, the full domain name and the domain controller's host name.

```
type C:\Windows\debug\NetSetup.LOG
```

**Demo**

```
PS C:\Users\g.white> type C:\Windows\debug\NetSetup.LOG
04/15/1748 13:12:46:983 -----------------------------------------------------------------
04/15/1748 13:12:46:983 NetpDoDomainJoin
04/15/1748 13:12:46:983 NetpDoDomainJoin: using new computer names
04/15/1748 13:12:46:983 NetpDoDomainJoin: NetpGetNewMachineName returned 0x0
04/15/1748 13:12:46:983 NetpMachineValidToJoin: 'WIN-60SQ84GOA6K'
04/15/1748 13:12:46:983 OS Version: 10.0
04/15/1748 13:12:46:983 Build number: 19045 (19041.vb_release.191206-1406)
04/15/1748 13:12:46:983 SKU: Windows 10 Enterprise Evaluation
04/15/1748 13:12:46:983 Architecture: 64-bit (AMD64)
04/15/1748 14:28:36:638 NetpDoDomainJoin
04/15/1748 14:28:36:638 NetpDoDomainJoin: using new computer names
04/15/1748 14:28:36:638 NetpDoDomainJoin: NetpGetNewMachineName returned 0x0
04/15/1748 14:28:36:638 NetpDoDomainJoin: NetpGetNewHostName returned 0x0
04/15/1748 14:28:36:638 NetpMachineValidToJoin: 'WIN-10-LAB'
04/15/1748 14:28:36:638 OS Version: 10.0
04/15/1748 14:28:36:638 Build number: 19045 (19041.vb_release.191206-1406)
04/15/1748 14:28:36:638 SKU: Windows 10 Enterprise Evaluation
04/15/1748 14:28:36:638 Architecture: 64-bit (AMD64)
04/15/1748 14:28:36:654 NetpMachineValidToJoin: status: 0x0
04/15/1748 14:28:36:654 NetpJoinDomain
04/15/1748 14:28:36:654 HostName: Win-10-lab
04/15/1748 14:28:36:654 NetbiosName: WIN-10-LAB
04/15/1748 14:28:36:654 Domain: hacklab.local
04/15/1748 14:28:36:654 MachineAccountOU: (NULL)
04/15/1748 14:28:36:654 Account: hacklab.local\g.white
04/15/1748 14:28:36:654 Options: 0x425

```

**Local log file for the Windows Malicious Software Removal Tool (Defender)**

```
type C:\Windows\debug\mrt.log
```

**Demo**

```
PS C:\Users\g.white> type C:\Windows\debug\mrt.log

---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v5.123, (build 5.123.24040.1001)
Started On Wed Apr 17 15:42:27 1748

Engine: 1.1.24020.9
Signatures: 1.407.485.0
MpGear: 1.1.16330.1
Run Mode: Scan Run From Windows Update

Results Summary:
----------------
No infection found.
Successfully Submitted Heartbeat Report
Microsoft Windows Malicious Software Removal Tool Finished On Wed Apr 17 15:45:13 1748
```

**Windows Explorer search strings: mount a share in Windows Explorer and use these in the search box to hunt for keywords within documents.**

Note: Wrapping the search keyword in double quotes (") will only reveal exact matches. For example, searching for "pass" will match only the word "pass" and not "password" in a document.
To find partial matches, wrap your search keyword in single quotes ('). For instance, searching for 'pass' will match words like "pass", "password" or "passw".

```
content:'pass'
content:"password"
content:"cred"
content:"password" AND *.txt
content:"password" AND *.xls
content:"password" AND *.bat
content:"password" AND *.ini
```

**Windows Explorer search string to hunt for network shares (UNC paths) within documents.**

```
content:"\\"
```

**Windows Explorer search string to hunt for the author name (the person recorded in the file metadata as having saved it) of a document. This is useful when you spot that a user has stored credentials in a document and you suspect they have a pattern of doing this; think IT engineers.**

```
author:"g.white"
author:"Add domain name"
```

Or, if the domain user name is harry.pings, you can just search for author:"harry".

**Combining Windows Explorer search strings: mount a share in Windows Explorer and use these in the search box to hunt for keywords within documents and file names.**

```
Groups.xml OR content:"password" OR password
```

**Mount a remote share**

```
pushd \\hacklab.local\SYSVOL\hacklab.local
```

**Demo**

```
PS C:\Users\g.white> pushd \\hacklab.local\SYSVOL\hacklab.local
PS Microsoft.PowerShell.Core\FileSystem::\\hacklab.local\SYSVOL\hacklab.local>
```

**Search for file names, formats and locations on a local or remote share; execute the command in CMD.**

```
dir /s *.xml *.ini *.bat > C:\Users\g.white\Desktop\Results1.txt
```

Note: the third pattern is `*.bat`. The demo below was run with `.*bat`, which is why no batch files appear in its output even though Startup.bat exists on the share (see the findstr demo further down).

**Demo**

```
Microsoft Windows [Version 10.0.19045.4291]
(c) Microsoft Corporation. All rights reserved.

C:\Users\g.white>pushd \\hacklab.local\SYSVOL\hacklab.local

Y:\hacklab.local>dir /s *.xml *.ini .*bat > C:\Users\g.white\Desktop\Results1.txt

Y:\hacklab.local>type C:\Users\g.white\Desktop\Results1.txt
 Volume in drive Y has no label.
 Volume Serial Number is A45A-D553

 Directory of Y:\hacklab.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}

15/04/2024  12:10                22 GPT.INI
               1 File(s)             22 bytes

 Directory of Y:\hacklab.local\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}

08/05/2024  10:29                22 GPT.INI
               1 File(s)             22 bytes

 Directory of Y:\hacklab.local\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE

12/04/2024  13:37               824 Groups.xml
               1 File(s)            824 bytes
```

**Hunt for keywords within defined file formats using CMD**

```
findstr /si password *.bat *.xml *.ini *.txt > C:\Users\g.white\Desktop\findstr1.txt
```

**Demo**

The first attempt below fails because the `Output` folder used in the redirect did not exist; the second writes straight to the Desktop.

```
Y:\hacklab.local>findstr /si password *.bat *.xml *.ini *.txt > C:\Users\g.white\Desktop\Output\findstr1.txt
The system cannot find the path specified.

Y:\hacklab.local>findstr /si password *.bat *.xml *.ini *.txt > C:\Users\g.white\Desktop\findstr1.txt

Y:\hacklab.local>
Y:\hacklab.local>
Y:\hacklab.local>type C:\Users\g.white\Desktop\findstr1.txt
scripts\Config.INI:password called Hello@1
scripts\Pingy\Test.txt:This is a test as it contains a password called fishhead1scripts\Shares\Brandon_DiCam\Startup.bat: [string]$Password = 'Passw0rd!'
```

**Same as above, but highlight matched file names in red**

```
findstr /A:4 /spin "passw" *.txt*
```

**Hunt for the keyword "password" within the following document formats, *.ini, *.txt, *.doc, *.docx, *.xml and *.config, recursively across the C:\ drive.**

```
Get-ChildItem -Path C:\ -Recurse -Include *.ini,*.txt,*.doc,*.docx,*.xml,*.config -File -ErrorAction SilentlyContinue | ForEach-Object { Select-String -Pattern 'password' -Path $_.FullName -ErrorAction SilentlyContinue } | ForEach-Object { Write-Output "File: $($_.Path)`nMatch: $($_.Line)" }
```

Note: Select-String reads each file as plain text. A .docx is a zip archive, so its body text is compressed and keyword matches inside Word documents are not found this way; the VBA script at the end of this page reads .docx files through Word instead.

**Demo**

```
PS C:\Users\g.white> Get-ChildItem -Path C:\ -Recurse -Include *.ini,*.txt,*.doc,*.docx,*.xml,*.config -File -ErrorAction SilentlyContinue | ForEach-Object { Select-String -Pattern 'password' -Path $_.FullName -ErrorAction SilentlyContinue } | ForEach-Object { Write-Output "File: $($_.Path)`nMatch: $($_.Line)" }
File: C:\Program Files\Common Files\microsoft shared\ink\Alphabet.xml
Match: Du kan starte dit password med *.
File: C:\Program Files\VMware\VMware Tools\open_source_licenses.txt
Match: source code form), and must require no special password or key for
PS C:\Users\g.white>
```

**Hunt for UNC paths within the following document formats, *.ini, *.txt, *.doc, *.docx, *.xml and *.config, recursively across the C:\ drive.**

```
Get-ChildItem -Path C:\ -Recurse -Include *.ini,*.txt,*.doc,*.docx,*.xml,*.config -File -ErrorAction SilentlyContinue | ForEach-Object { Select-String -Pattern '\\\\[a-zA-Z0-9_.-]+\\[a-zA-Z0-9$_.-]+' -Path $_.FullName -ErrorAction SilentlyContinue } | ForEach-Object { Write-Output "File: $($_.Path)`nMatch: $($_.Line)" }
```

**Demo**

```
PS C:\Users\g.white> Get-ChildItem -Path C:\ -Recurse -Include *.ini,*.txt,*.doc,*.docx,*.xml,*.config -File -ErrorAction SilentlyContinue | ForEach-Object { Select-String -Pattern '\\\\[a-zA-Z0-9_.-]+\\[a-zA-Z0-9$_.-]+' -Path $_.FullName -ErrorAction SilentlyContinue } | ForEach-Object { Write-Output "File: $($_.Path)`nMatch: $($_.Line)" }
File: C:\Users\g.white\Desktop\Client_Tools\test.txt
Match: \\WIN-8HPLF8PSHC1\HR - Read access
File: C:\Users\g.white\Desktop\Client_Tools\test.txt
Match: \\WIN-8HPLF8PSHC1\IT - Read access
File: C:\Users\g.white\Desktop\Client_Tools\test.txt
Match: \\WIN-8HPLF8PSHC1\NETLOGON - Read access
PS C:\Users\g.white>
```

**Hunt for the keyword "password" within the following document formats, *.ini, *.txt, *.doc, *.docx, *.xml and *.config, recursively across a network share.**

```
Get-ChildItem -Path \\hacklab.local\SYSVOL\hacklab.local -Recurse -Include *.ini,*.txt,*.doc,*.docx,*.xml,*.config -File -ErrorAction SilentlyContinue | ForEach-Object { Select-String -Pattern 'password' -Path $_.FullName -ErrorAction SilentlyContinue } | ForEach-Object { Write-Output "File: $($_.Path)`nMatch: $($_.Line)" }
```

**Demo**

```
PS C:\Users\g.white> Get-ChildItem -Path \\hacklab.local\SYSVOL\hacklab.local -Recurse -Include *.ini,*.txt,*.doc,*.docx,*.xml,*.config -File -ErrorAction SilentlyContinue | ForEach-Object { Select-String -Pattern 'password' -Path $_.FullName -ErrorAction SilentlyContinue } | ForEach-Object { Write-Output "File: $($_.Path)`nMatch: $($_.Line)" }
File: \\hacklab.local\SYSVOL\hacklab.local\scripts\Shares\Game1.txt
Match: password = fishandchips1
File: \\hacklab.local\SYSVOL\hacklab.local\scripts\Shares\Game2.txt
Match: please use this username Admin2 and password of Password!
File: \\hacklab.local\SYSVOL\hacklab.local\scripts\Shares\Script99.txt
Match: Password Pasmeup1
File: \\hacklab.local\SYSVOL\hacklab.local\scripts\Shares\Test2.txt
Match: Password:football
PS C:\Users\g.white>
```

**Hunt for UNC paths within the following document formats, *.ini, *.txt, *.doc, *.docx, *.xml and *.config, recursively across a network share.**

```
Get-ChildItem -Path \\hacklab.local\SYSVOL\hacklab.local -Recurse -Include *.ini,*.txt,*.doc,*.docx,*.xml,*.config -File -ErrorAction SilentlyContinue | ForEach-Object { Select-String -Pattern '\\\\[a-zA-Z0-9_.-]+\\[a-zA-Z0-9$_.-]+' -Path $_.FullName -ErrorAction SilentlyContinue } | ForEach-Object { Write-Output "File: $($_.Path)`nMatch: $($_.Line)" }
```

**Demo**

```
PS C:\Users\g.white> Get-ChildItem -Path \\hacklab.local\SYSVOL\hacklab.local -Recurse -Include *.ini,*.txt,*.doc,*.docx,*.xml,*.config -File -ErrorAction SilentlyContinue | ForEach-Object { Select-String -Pattern '\\\\[a-zA-Z0-9_.-]+\\[a-zA-Z0-9$_.-]+' -Path $_.FullName -ErrorAction SilentlyContinue } | ForEach-Object { Write-Output "File: $($_.Path)`nMatch: $($_.Line)" }
File: \\hacklab.local\SYSVOL\hacklab.local\scripts\Shares\Deep\In\The\Cave\Script_remove1.txt
Match: \\WIN-8HPLF8PSHC1\HR
File: \\hacklab.local\SYSVOL\hacklab.local\scripts\Shares\Deep\In\The\Cave\Script_remove1.txt
Match: \\WIN-8HPLF8PSHC1\IT
File: \\hacklab.local\SYSVOL\hacklab.local\scripts\Shares\Game1.txt
Match: try this share \\happy01\test\
File: \\hacklab.local\SYSVOL\hacklab.local\scripts\Config.INI
Match: \\WIN-10-LAB\C$
File: \\hacklab.local\SYSVOL\hacklab.local\scripts\Config.INI
Match: \\WIN-10-LAB-2\Fox
PS C:\Users\g.white>
```

**VBA script to be used from Office documents to hunt for keywords across a defined network share; tweak as required.**

```
Sub SearchKeywordInNetworkFiles()
    Dim searchFolder As String
    Dim textToFind As String
    Dim fileExtensions As Variant
    Dim resultMessage As String
    Dim outputFilePath As String

    ' Add your keyword to search here.
    textToFind = "password"

    ' Add the network share folder path to search here.
    searchFolder = "\\hacklab.local\SYSVOL\hacklab.local\scripts"

    ' Add any extra file extensions to search here or keep the defaults below.
    fileExtensions = Array("*.docx", "*.bat", "*.txt", "*.ini", "*.xml")

    resultMessage = "Keyword '" & textToFind & "' found in the following files:" & vbCrLf & vbCrLf

    ' Add your output file path here.
    outputFilePath = "C:\Users\g.white\Desktop\OutRun\Results.txt"

    Call RecursiveFileSearch(searchFolder, textToFind, fileExtensions, resultMessage)

    MsgBox resultMessage

    Call WriteResultsToFile(outputFilePath, resultMessage)
End Sub

Sub RecursiveFileSearch(folderPath As String, textToFind As String, fileExtensions As Variant, ByRef resultMessage As String)
    Dim fso As Object
    Dim folder As Object
    Dim subFolder As Object
    Dim file As Object
    Dim filePath As String
    Dim fileName As String
    Dim fileContent As String
    Dim doc As Object
    Dim ts As Object
    Dim i As Integer

    Set fso = CreateObject("Scripting.FileSystemObject")

    On Error GoTo ErrorHandler
    Set folder = fso.GetFolder(folderPath)

    For i = LBound(fileExtensions) To UBound(fileExtensions)
        fileName = Dir(folderPath & "\" & fileExtensions(i))

        Debug.Print "Searching for files in: " & folderPath & "\" & fileExtensions(i)

        Do While fileName <> ""
            filePath = folderPath & "\" & fileName

            Debug.Print "Processing file: " & filePath

            If fileExtensions(i) = "*.docx" Then
                ' A .docx is zipped XML, so read its text through Word rather than as a raw file.
                Set doc = GetObject(filePath)
                fileContent = doc.Content.Text
                doc.Close SaveChanges:=False
            Else
                Set file = fso.GetFile(filePath)
                Set ts = file.OpenAsTextStream(1)
                fileContent = ts.ReadAll
                ts.Close
            End If

            ' Case-insensitive search for the keyword.
            If InStr(1, fileContent, textToFind, vbTextCompare) > 0 Then
                resultMessage = resultMessage & filePath & vbCrLf
            End If

            fileName = Dir
        Loop
    Next i

    ' Recurse into subfolders once this folder's Dir loop has finished (Dir keeps global state).
    For Each subFolder In folder.SubFolders
        Call RecursiveFileSearch(subFolder.Path, textToFind, fileExtensions, resultMessage)
    Next subFolder

    Set folder = Nothing
    Set fso = Nothing
    Set file = Nothing
    Set ts = Nothing

    Exit Sub

ErrorHandler:
    MsgBox "Error: " & Err.Description & " in folder: " & folderPath
    Resume Next
End Sub

Sub WriteResultsToFile(outputFilePath As String, resultMessage As String)
    Dim fso As Object
    Dim outputFile As Object

    Set fso = CreateObject("Scripting.FileSystemObject")

    Set outputFile = fso.CreateTextFile(outputFilePath, True)

    outputFile.WriteLine resultMessage

    outputFile.Close

    Set outputFile = Nothing
    Set fso = Nothing
End Sub
```

--------------------------------------------------------------------------------
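**Added example: parsing NetSetup.LOG into join records**

This PowerShell function is an added example and not part of the repository above. It turns NetSetup.LOG lines like those in the NetSetup demo into one object per domain-join attempt, which is useful when triaging which account joined a host to which domain and on what build. The function name Get-NetSetupJoin is an assumption; the sample lines are taken from the README's demo, and the field names are the labels that appear in the log.

```powershell
# Added example, not the repository's code. Assumed name: Get-NetSetupJoin.
function Get-NetSetupJoin {
    param([Parameter(Mandatory)][string[]]$Lines)
    # Labels from the log that are worth keeping per attempt.
    $wanted = 'OS Version', 'Build number', 'SKU', 'Architecture', 'HostName',
              'NetbiosName', 'Domain', 'MachineAccountOU', 'Account', 'Options'
    $current = $null
    foreach ($line in $Lines) {
        # Every line is "MM/DD/YYYY HH:MM:SS:mmm <message>".
        if (-not ($line -match '^(\S+ \S+) (.*)$')) { continue }
        $stamp = $Matches[1]; $msg = $Matches[2].Trim()
        if ($msg -eq 'NetpDoDomainJoin') {
            # A bare NetpDoDomainJoin line opens a new attempt; flush the previous one.
            if ($null -ne $current) { [pscustomobject]$current }
            $current = [ordered]@{ Started = $stamp }
            continue
        }
        if ($null -ne $current) {
            if ($msg -match "^NetpMachineValidToJoin: '([^']+)'") {
                $current['Candidate'] = $Matches[1]
            } elseif ($msg -match '^([^:]+): (.+)$' -and $wanted -contains $Matches[1]) {
                $current[$Matches[1]] = $Matches[2]
            }
        }
    }
    if ($null -ne $current) { [pscustomobject]$current }
}

# Sample input: a trimmed copy of the two join attempts from the README's NetSetup.LOG demo.
$sample = @'
04/15/1748 13:12:46:983 NetpDoDomainJoin
04/15/1748 13:12:46:983 NetpDoDomainJoin: using new computer names
04/15/1748 13:12:46:983 NetpMachineValidToJoin: 'WIN-60SQ84GOA6K'
04/15/1748 13:12:46:983 OS Version: 10.0
04/15/1748 13:12:46:983 Build number: 19045 (19041.vb_release.191206-1406)
04/15/1748 14:28:36:638 NetpDoDomainJoin
04/15/1748 14:28:36:638 NetpMachineValidToJoin: 'WIN-10-LAB'
04/15/1748 14:28:36:654 NetpMachineValidToJoin: status: 0x0
04/15/1748 14:28:36:654 HostName: Win-10-lab
04/15/1748 14:28:36:654 NetbiosName: WIN-10-LAB
04/15/1748 14:28:36:654 Domain: hacklab.local
04/15/1748 14:28:36:654 MachineAccountOU: (NULL)
04/15/1748 14:28:36:654 Account: hacklab.local\g.white
04/15/1748 14:28:36:654 Options: 0x425
'@

# Two records: the first only has Candidate/OS fields, the second the full join.
Get-NetSetupJoin -Lines ($sample -split "`r?`n") | Format-List

# On a live host:
# Get-NetSetupJoin -Lines (Get-Content C:\Windows\debug\NetSetup.LOG)
```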
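**Added example: keyword search that also reads .docx files**

The Get-ChildItem one-liners above pass *.docx to Select-String, which sees only the compressed bytes of a Word file and so misses any text inside it. This PowerShell example is added here and is not the repository's code: it searches a folder or mounted share for a pattern, reading .docx through its word/document.xml entry so that credentials stored in Word documents show up when auditing a share. The function names Find-KeywordInFiles and Get-DocxText are assumptions; the share path in the usage comment is the lab share from the README.

```powershell
# Added example, not the repository's code. Assumed names: Find-KeywordInFiles, Get-DocxText.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Get-DocxText {
    param([Parameter(Mandatory)][string]$Path)
    # A .docx is a zip archive; the body text lives in word/document.xml.
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        $entry = $zip.GetEntry('word/document.xml')
        if (-not $entry) { return '' }
        $reader = New-Object System.IO.StreamReader($entry.Open())
        try { $xml = $reader.ReadToEnd() } finally { $reader.Dispose() }
        # Paragraph ends become newlines; all remaining tags are dropped.
        $text = $xml -replace '</w:p>', "`n" -replace '<[^>]+>', ''
        return [System.Net.WebUtility]::HtmlDecode($text)
    } finally { $zip.Dispose() }
}

function Find-KeywordInFiles {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$Pattern = 'password',
        # Legacy .doc is a binary format and is still searched raw, so it may be missed.
        [string[]]$Include = @('*.ini', '*.txt', '*.bat', '*.xml', '*.config', '*.doc', '*.docx')
    )
    Get-ChildItem -Path $Path -Recurse -Include $Include -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            if ($file.Extension -ieq '.docx') {
                try { $lines = (Get-DocxText -Path $file.FullName) -split "`n" }
                catch { return }   # not a readable zip: skip this file
                $n = 0
                foreach ($line in $lines) {
                    $n++
                    if ($line -match $Pattern) {
                        [pscustomobject]@{ File = $file.FullName; Line = $n; Match = $line.Trim() }
                    }
                }
            } else {
                # Plain-text formats: same case-insensitive search the README uses.
                Select-String -Path $file.FullName -Pattern $Pattern -ErrorAction SilentlyContinue |
                    ForEach-Object {
                        [pscustomobject]@{ File = $_.Path; Line = $_.LineNumber; Match = $_.Line.Trim() }
                    }
            }
        }
}

# Usage against the share mounted earlier in the README, written out as CSV for review:
# Find-KeywordInFiles -Path '\\hacklab.local\SYSVOL\hacklab.local' -Pattern 'password' |
#     Export-Csv -Path "$env:USERPROFILE\Desktop\Results.csv" -NoTypeInformation
```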