In this section, we will discuss how the Active Directory domain hierarchy (forests, domains, and the trusts between them) can be enumerated and manipulated so that we can take advantage of features that Active Directory implements by design.
We will utilize the Empire tool to harvest domain-level information and the trust relationships between systems. To understand the current situation of the compromised system, attackers can run different types of queries through Empire's situational-awareness modules. The following table lists the modules that are most effective during a red team exercise (RTE) or penetration test:
| Module name | Description |
| --- | --- |
| situational_awareness/network/sharefinder | Lists the network file shares reachable from the compromised host. |
| situational_awareness/network/arpscan | Performs an ARP scan of the IPv4 range reachable from the agent; since ARP does not cross routers, this only covers the local subnet. |
| situational_awareness/network/reverse_dns | Performs reverse (PTR) lookups on IP addresses to recover DNS hostnames. |
| situational_awareness/network/portscan | Host and port scanning similar to nmap; it is not stealthy and is likely to trip network IDS. |
| situational_awareness/network/netview | Enumerates shares, logged-on users, and sessions on hosts in the given domain. |
| situational_awareness/network/userhunter, situational_awareness/network/stealth_userhunter | Finds which hosts target users are logged into, which tells attackers how many more systems the acquired credentials can be used on. The stealth variant queries only high-traffic servers such as domain controllers and file servers for sessions, so it touches far fewer hosts. |
| situational_awareness/network/powerview/get_forest | Returns the forest details (name, root domain, forest mode, domains, global catalogs, and forest trusts). |
| situational_awareness/network/get_exploitable_system | Flags hosts that are likely vulnerable based on the operating system and service pack recorded in Active Directory, providing additional entry points; candidates still need to be verified, since this is a version match rather than a probe. |
| situational_awareness/network/powerview/find_localadmin_access, situational_awareness/network/powerview/get_domain_controller, situational_awareness/network/powerview/get_forest_domain, situational_awareness/network/powerview/get_fileserver, situational_awareness/network/powerview/find_gpo_computer_admin | All of these modules harvest more details on domain trusts, domain objects, domain controllers, file servers, and the hosts on which the current user holds local admin rights. |
In this example, we will use the situational_awareness/network/powerview/get_forest module to extract the forest details of the domain the agent is connected to. A successful run of the module should disclose the details shown in the following screenshot:
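To show what get_forest actually collects, here is an added example (not code from the page or from the Empire project) that calls the .NET classes PowerView's Get-NetForest wraps. It runs on any domain-joined host in the context of an ordinary domain user, needs neither an Empire agent nor the RSAT ActiveDirectory module, and also walks the trusts of every domain in the forest, which is the relationship data the section is after. The function names are my own.

```powershell
# Added example: forest and trust enumeration with the .NET classes that
# PowerView's Get-NetForest uses under the hood. Not Empire's own code.

function Get-ForestSummary {
    [CmdletBinding()]
    param(
        # Optional forest name; defaults to the forest of the current user.
        [string]$ForestName
    )

    if ($ForestName) {
        $ctx    = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Forest', $ForestName)
        $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($ctx)
    } else {
        $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    }

    [PSCustomObject]@{
        Name           = $forest.Name
        RootDomain     = $forest.RootDomain.Name
        ForestMode     = $forest.ForestMode
        Domains        = @($forest.Domains        | ForEach-Object { $_.Name })
        GlobalCatalogs = @($forest.GlobalCatalogs | ForEach-Object { $_.Name })
        Sites          = @($forest.Sites          | ForEach-Object { $_.Name })
        # Forest-level (cross-forest) trusts only; per-domain trusts are below.
        ForestTrusts   = @($forest.GetAllTrustRelationships() | ForEach-Object {
            '{0} -> {1} ({2}, {3})' -f $_.SourceName, $_.TargetName, $_.TrustType, $_.TrustDirection
        })
    }
}

function Get-DomainTrustSummary {
    # Trusts of every domain in the current forest. Bidirectional or inbound
    # trusts from another domain are the ones worth following next.
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    foreach ($domain in $forest.Domains) {
        foreach ($trust in $domain.GetAllTrustRelationships()) {
            [PSCustomObject]@{
                SourceDomain   = $trust.SourceName
                TargetDomain   = $trust.TargetName
                TrustType      = $trust.TrustType
                TrustDirection = $trust.TrustDirection
            }
        }
    }
}

Get-ForestSummary      | Format-List
Get-DomainTrustSummary | Format-Table -AutoSize
```

These calls are LDAP reads against a domain controller and look like normal domain-joined client traffic, which is why the get_forest family of modules is quiet compared with the portscan and arpscan modules.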
In another example, the attacker will locate systems on which the current credentials can open the ADMIN$ and C$ administrative shares. Access to these shares implies local administrator rights on that host, so the attacker can plant a backdoor, gather information from the file system, and use the same credentials to run commands on that host remotely.
This can be achieved by using the situational_awareness/network/powerview/share_finder module, as shown in the following screenshot:
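The check that share_finder and find_localadmin_access perform, written out as an added example (not code from the page or the Empire project): pull the enabled computer accounts from Active Directory with an ADSI search, skip hosts that do not answer on TCP 445, and test whether the current credentials can open \\host\ADMIN$ and \\host\C$. The function names and the 500 ms connect timeout are my own choices.

```powershell
# Added example: find hosts where the current credentials reach the
# administrative shares. Not Empire's own code.

function Get-DomainComputerNames {
    # LDAP query for enabled computer accounts in the current domain.
    # userAccountControl bit 2 (ACCOUNTDISABLE) is excluded with the
    # LDAP_MATCHING_RULE_BIT_AND OID.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter   = '(&(objectCategory=computer)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
    $searcher.PageSize = 1000
    [void]$searcher.PropertiesToLoad.Add('dNSHostName')
    $searcher.FindAll() |
        ForEach-Object { $_.Properties['dnshostname'] | Select-Object -First 1 } |
        Where-Object   { $_ }
}

function Test-AdminShareAccess {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [int]$ConnectTimeoutMs = 500   # assumed value, tune for the network
    )
    foreach ($computer in $ComputerName) {
        # Skip hosts that do not answer on SMB so the sweep does not hang on dead machines.
        $tcp = New-Object System.Net.Sockets.TcpClient
        $up  = $tcp.BeginConnect($computer, 445, $null, $null).AsyncWaitHandle.WaitOne($ConnectTimeoutMs)
        $tcp.Close()
        if (-not $up) { continue }

        # Test-Path returns $false on access denied; SilentlyContinue covers
        # hosts that reset the connection or reject the protocol version.
        [PSCustomObject]@{
            ComputerName = $computer
            'ADMIN$'     = Test-Path "\\$computer\ADMIN`$" -ErrorAction SilentlyContinue
            'C$'         = Test-Path "\\$computer\C`$"     -ErrorAction SilentlyContinue
        }
    }
}

# Only hosts where at least one admin share opened are candidates for
# remote command execution with these credentials.
Get-DomainComputerNames |
    Test-AdminShareAccess |
    Where-Object { $_.'ADMIN$' -or $_.'C$' } |
    Format-Table -AutoSize
```

Every share test authenticates to the target, so each probed host records a logon (event ID 4624) and, where file-share auditing is enabled, a share access event (5140) for ADMIN$ or C$ from the attacker's workstation. That pattern, one account touching admin shares on many hosts in quick succession, is exactly what a blue team should alert on, so on an engagement restrict the host list rather than sweeping the whole domain.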