Pentesting and Red Teaming Notes
  • 🖥️Pentesting and Red Teaming Cheatsheet
  • Web Application Pentesting(BlackBox)
    • SQL Injection
    • Blind SQL Injection
    • Path Traversal
    • Attacking Authentication
    • Race Conditions
    • Business Logic Vulnerabilities
    • Command Injections
    • Information disclosure
    • Access Controls
    • File upload Attacks
    • XXE
    • Server Side Request Forgery
    • Api Testing
    • noSQL
    • DOM based vulnerabilities
    • Cross Site scripting
  • Infrastructure Pentesting
    • Windows Privilege Escalation
    • Attacking Active Directory
    • File Transfers and Download
    • Pivoting(Tunneling and Port Forwarding)
    • Linux Privilege Escalation
    • Stealing NTLM hashes
    • Tricks and Tips
  • Active Directory Pentesting
    • powershell theory
    • Methodology
    • domain enumeration
    • File Transfer
    • PowerShell ADModule
    • Local Privilege Escalation
    • PowerView Commands
    • ACLs Descriptions
    • ACLs Abuse
    • ACL
    • Trusts
    • User Hunting
    • group policy
    • Mimikatz
    • BloodHound
    • LateralMovement
    • Kerberoasting
    • defense bypasses
    • Set-SPN
    • ASREProasting
    • Unconstrained Delegation
    • Constrained Delegation
    • Resource Based Constrained Delegation
    • AD CS
    • Persistance
    • Priv Esc Trusts Inside Forest
    • MSSQL Servers
    • Priv Esc Trusts Across Forest
    • Tips And Tricks
    • Service Tickets and Abuses
  • Reconnaissance
    • Web Application Reconnaissance
    • External Reconnaissance
Powered by GitBook
On this page
  • Group Policy objects
  • Get list of GPO in current domain(PowerView)
  • Get list of GPO for your own computer
  • Get GPO which uses restricted groups useful for extracting interesting users
  • Get users who are in local group of a machine using GPO
  • Get machines where the given user is member of using GPO
  • Get Organizational Units in a domain
  • Get Organizational UNits in a domain using AD module
  • List all computers which is part of certain OU
  • Since we might be interested to find out what are the GPO applied to certain OUs
  1. Active Directory Pentesting

group policy

Group Policy objects

GPO are applied on organizational units. Group policy objects are used to manage and configure user and computer settings across all user and computers objects in a network at once. With a GPO, sysadmins can manage and configure applications, software operations, and user settings throughout an entire organization.

  • Group Policy Objects can be abused for various attacks like privesc, backdoors, persistance, etc.

Get list of GPO in current domain(PowerView)

Get-DomainGPO

Get list of GPO for your own computer

Here, seeing exact policy for any other computer is not possible even with admin privilege

Get-DomainGPO -ComputerIdentity dcorp-student1
  • Use rsop.msc on command line to see exact set of policy setting for current machine.

Get GPO which uses restricted groups useful for extracting interesting users

Restricted Groups are mostly used to manage local groups on workstations, member servers, and domain controllers. One of the features within GPOs is the ability to configure Restricted Groups. This allows administrators to control the membership of local groups on target computers through GPO settings.

Get-DomainGPOLocalGroup
  • After getting the groups, query the members of these groups for interesting users.

Get users who are in local group of a machine using GPO

Get-DomainGPOComputerLocalGroupMapping -ComputerIdentity dcorp-student1

Get machines where the given user is member of using GPO

Get-DomainGPOUserLocalGroupMapping -Identity student1 -Verbose

Get Organizational Units in a domain

Get-DomainOU

Get Organizational UNits in a domain using AD module

Get-ADOrganizationalUnit-Filter*-Properties*

List all computers which is part of certain OU

(Get-DomainOU -Identity <OU-Name>).distinguishedname | %{Get-DomainComputer -SearchBase $_} | select name

Since we might be interested to find out what are the GPO applied to certain OUs

  • First find all the Ous => Get-DomainOU | select name

  • Then extract the cn from gplink, this is the policy name {...-...-...-...} => Get-DomainOU -Identity <OU-name>

  • See the GPO for that OU => Get-DomainGPO -Identity '{0D1C3BF-1F556-AF64-D999877JU}'

  • It is not possible to see exact GPO settings from the command line

PreviousUser HuntingNextMimikatz

Last updated 1 year ago