Environment
Active Directory Enumeration – Enumeration Using Legacy Windows Tools – VM Group 1
IP: 192.168.169.70-76
First, connect to the Windows 11 machine at 192.168.169.75:
xfreerdp /u:stephanie /d:corp.com /v:192.168.169.75
Password: LegmanTeamBenzoin!!
1. Write a module that can be called directly
Write the LDAPSearch function
function LDAPSearch {
    param (
        [string]$LDAPQuery
    )
    # Resolve the PDC emulator of the current domain so the search is sent to a known DC
    $PDC = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().PdcRoleOwner.Name
    # Distinguished name of the domain root, e.g. DC=corp,DC=com
    $DistinguishedName = ([adsi]'').distinguishedName
    # Bind to the domain root on the PDC and run the supplied LDAP filter against it
    $DirectoryEntry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$PDC/$DistinguishedName")
    $DirectorySearcher = New-Object System.DirectoryServices.DirectorySearcher($DirectoryEntry, $LDAPQuery)
    return $DirectorySearcher.FindAll()
}
Import the module
Import-Module .\function.ps1
Call the module
Search for user objects (samAccountType 805306368 = normal user accounts)
LDAPSearch -LDAPQuery "(samAccountType=805306368)"
Search for all groups in AD
LDAPSearch -LDAPQuery "(objectclass=group)"
Use foreach to iterate over each $group object and print its cn and member properties
foreach ($group in $(LDAPSearch -LDAPQuery "(objectCategory=group)")) {$group.properties | select {$_.cn}, {$_.member}}
Print the member attribute of the Sales Department group object
$sales = LDAPSearch -LDAPQuery "(&(objectCategory=group)(cn=Sales Department))"
$sales.properties.member
The output above is listed one member per line
Print the member attribute of the Development Department group object
$group = LDAPSearch -LDAPQuery "(&(objectCategory=group)(cn=Development Department*))"
$group.properties.member
Print the member attribute of the Management Department group object
$group = LDAPSearch -LDAPQuery "(&(objectCategory=group)(cn=Management Department*))"
$group.properties.member
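Printing $group.properties.member only shows direct members, and a member that is itself a group hides everyone nested inside it. The following helper is an added example, not code from the original post or the course material; it uses the same System.DirectoryServices classes as LDAPSearch above, but follows nested groups so the effective membership of a group such as Sales Department can be reviewed. The function name Get-GroupMembersRecursive, the MaxDepth limit and the Escape-LdapValue helper are assumptions introduced here; the group names are the ones from the post.

```powershell
# Added example: list direct and nested members of an AD group for review.
# Builds on the same DirectoryEntry/DirectorySearcher approach as LDAPSearch.
function Get-GroupMembersRecursive {
    param (
        [Parameter(Mandatory)][string]$GroupName,
        [int]$MaxDepth = 5   # assumed guard against very deep nesting
    )
    $PDC = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().PdcRoleOwner.Name
    $DistinguishedName = ([adsi]'').distinguishedName
    $Root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$PDC/$DistinguishedName")

    # Escape characters with special meaning in an LDAP filter (RFC 4515),
    # so a group name taken from user input cannot alter the filter.
    function Escape-LdapValue([string]$Value) {
        $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
    }

    $Seen    = New-Object 'System.Collections.Generic.HashSet[string]'
    $Results = New-Object 'System.Collections.Generic.List[object]'

    function Expand-Group([string]$Cn, [int]$Depth, [string]$Via) {
        if ($Depth -gt $MaxDepth) { return }
        $Filter   = "(&(objectCategory=group)(cn=$(Escape-LdapValue $Cn)))"
        $Searcher = New-Object System.DirectoryServices.DirectorySearcher($Root, $Filter)
        [void]$Searcher.PropertiesToLoad.Add('member')
        $Group = $Searcher.FindOne()
        if ($null -eq $Group) { return }

        foreach ($MemberDn in $Group.Properties['member']) {
            # HashSet.Add returns $false for a DN already seen: skips duplicates and cycles
            if (-not $Seen.Add($MemberDn)) { continue }
            $Member = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$PDC/$MemberDn")
            # objectClass is multi-valued (top, person, ..., user); the last value is the most specific
            $Class = $Member.Properties['objectClass'] | Select-Object -Last 1
            $Results.Add([pscustomobject]@{
                Group  = $GroupName
                Via    = $Via
                Member = $Member.Properties['sAMAccountName'][0]
                Class  = $Class
                Depth  = $Depth
            })
            if ($Class -eq 'group') {
                $NestedCn = $Member.Properties['cn'][0]
                Expand-Group -Cn $NestedCn -Depth ($Depth + 1) -Via $NestedCn
            }
        }
    }

    Expand-Group -Cn $GroupName -Depth 0 -Via '(direct)'
    return $Results
}

# Usage: effective membership of the Sales Department group, one row per member
Get-GroupMembersRecursive -GroupName 'Sales Department' | Format-Table -AutoSize
```

The Via column shows through which nested group a member was inherited, which is what matters when checking whether an account ends up in a sensitive group indirectly. The query is sent to the PDC emulator only, exactly like LDAPSearch, so results reflect that DC's view of the directory.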