Miscellaneous Misconfigurations
This section covers various misconfigurations that can be leveraged for enumeration and privilege escalation within a Windows domain environment.
1. Import Security Assessment Module
Command:
Import-Module .\SecurityAssessment.ps1
Description: Used to import the SecurityAssessment module for security auditing. Performed from a Windows-based host.
2. Check Spooler Service Status
Command:
Get-SpoolStatus -ComputerName ACADEMYEA-DC01.INLANEFREIGHT.LOCAL
Description: SecurityAssessment.ps1 tool used to check for the MS-PRN Printer bug. Performed from a Windows-based host.
3. Enumerate DNS Records via LDAP
Command:
adidnsdump -u inlanefreight\\forend ldap://172.16.5.5
Description: Resolves all records in a DNS zone over LDAP. Performed from a Linux-based host.
Command:
adidnsdump -u inlanefreight\\forend ldap://172.16.5.5 -r
Description: Resolves unknown records in a DNS zone by performing an A query (-r). Performed from a Linux-based host.
4. Retrieve User Descriptions
Command:
Get-DomainUser * | Select-Object samaccountname,description
Description: PowerView command used to display the description field of domain users. Performed from a Windows-based host.
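Descriptions are free text, so the PowerView output above still has to be read for anything that looks like a credential. The following is an added example, not part of the cheatsheet or of PowerView, that runs a small set of regular expressions over a constructed list of samaccountname/description pairs (the shape of the output from the command above) and returns the accounts a reviewer should look at first; the account names, descriptions and patterns are all constructed for illustration.

```python
import re

# Constructed sample, shaped like "Get-DomainUser * | Select samaccountname,description" output.
# None of these accounts or values exist; they are here so the example runs offline.
SAMPLE_USERS = [
    {"samaccountname": "jdoe",       "description": "Finance team analyst"},
    {"samaccountname": "svc-backup", "description": "Backup service account. Temp password: ChangeMe! (constructed)"},
    {"samaccountname": "helpdesk1",  "description": "Helpdesk shared login, pwd is on the wiki"},
    {"samaccountname": "sqlsvc",     "description": "SQL Server service account"},
    {"samaccountname": "itadmin",    "description": None},  # attribute not set
]

# Keyword patterns that frequently precede a credential in a description field.
# Matching is case-insensitive; a hit means "review", not "confirmed secret".
CREDENTIAL_PATTERNS = [
    re.compile(r"\bpass(word|wd)?\b", re.IGNORECASE),
    re.compile(r"\bpwd\b", re.IGNORECASE),
    re.compile(r"\bcred(ential)?s?\b", re.IGNORECASE),
    re.compile(r"\b(login|logon)\b", re.IGNORECASE),
    re.compile(r"\btemp(orary)?\b", re.IGNORECASE),
]


def matched_patterns(description):
    """Return the source patterns that match one description (empty if none)."""
    if not description:
        return []
    return [p.pattern for p in CREDENTIAL_PATTERNS if p.search(description)]


def find_suspicious_descriptions(users):
    """Return accounts whose description matches at least one credential pattern.

    Each result carries the matched patterns so a reviewer can see why it was flagged.
    """
    flagged = []
    for user in users:
        hits = matched_patterns(user.get("description"))
        if hits:
            flagged.append({"samaccountname": user["samaccountname"],
                            "description": user["description"],
                            "matched": hits})
    return flagged


if __name__ == "__main__":
    for entry in find_suspicious_descriptions(SAMPLE_USERS):
        print(f"{entry['samaccountname']}: {entry['description']}  <- {entry['matched']}")
```

The patterns are deliberately broad; on a real export expect noise from words like "temporary contractor", so treat the list as a triage queue and clear descriptions that do hold credentials rather than just hiding them from the query.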
5. Check for Password Not Required Accounts
Command:
Get-DomainUser -UACFilter PASSWD_NOTREQD | Select-Object samaccountname,useraccountcontrol
Description: PowerView tool used to identify domain users with the PASSWD_NOTREQD flag. Performed from a Windows-based host.
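The -UACFilter switch above works by testing bits in the userAccountControl attribute; PASSWD_NOTREQD is bit 0x0020 and means the domain password policy is not enforced for that account, so it may have a blank or trivially short password. The following is an added example, not part of the cheatsheet or of PowerView, that decodes the bitmask for a constructed list of samaccountname/userAccountControl pairs (the attribute the command above selects) and reports the accounts with PASSWD_NOTREQD set, separating enabled from disabled ones so the enabled ones can be fixed first. The flag values are Microsoft's documented userAccountControl bits; the accounts are constructed.

```python
# Subset of the documented userAccountControl flag bits (Microsoft ADS_USER_FLAG_ENUM).
UAC_FLAGS = {
    0x0002:   "ACCOUNTDISABLE",
    0x0020:   "PASSWD_NOTREQD",
    0x0040:   "PASSWD_CANT_CHANGE",
    0x0080:   "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x0200:   "NORMAL_ACCOUNT",
    0x10000:  "DONT_EXPIRE_PASSWORD",
    0x400000: "DONT_REQ_PREAUTH",
}
PASSWD_NOTREQD = 0x0020
ACCOUNTDISABLE = 0x0002

# Constructed sample, shaped like "Get-DomainUser | Select samaccountname,useraccountcontrol" output
# with the attribute already as an integer. None of these accounts exist.
SAMPLE_ACCOUNTS = [
    {"samaccountname": "jdoe",       "useraccountcontrol": 0x200},              # normal, policy enforced
    {"samaccountname": "svc-legacy", "useraccountcontrol": 0x200 | 0x20},       # enabled, no password required
    {"samaccountname": "oldadmin",   "useraccountcontrol": 0x200 | 0x20 | 0x2 | 0x10000},  # disabled, flag still set
    {"samaccountname": "kerbtest",   "useraccountcontrol": 0x200 | 0x400000},   # different weakness, not in scope here
]


def decode_uac(value):
    """Return the names of all known flags set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def find_passwd_notreqd(accounts):
    """Return every account with PASSWD_NOTREQD set, with its decoded flags and enabled state."""
    results = []
    for acct in accounts:
        uac = acct["useraccountcontrol"]
        if uac & PASSWD_NOTREQD:
            results.append({
                "samaccountname": acct["samaccountname"],
                "enabled": not (uac & ACCOUNTDISABLE),
                "flags": decode_uac(uac),
            })
    return results


if __name__ == "__main__":
    for hit in find_passwd_notreqd(SAMPLE_ACCOUNTS):
        state = "ENABLED" if hit["enabled"] else "disabled"
        print(f"{hit['samaccountname']:<12} {state:<9} {', '.join(hit['flags'])}")
```

Remediation is to clear the flag and set a compliant password; a disabled account carrying PASSWD_NOTREQD is lower risk but will inherit the weakness the moment someone re-enables it, so it belongs on the same list.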
6. List SYSVOL Scripts
Command:
ls \\academy-eadc01\SYSVOL\INLANEFREIGHT.LOCAL\scripts
Description: Lists the contents of the SYSVOL scripts folder, which may contain sensitive scripts with credentials. Performed from a Windows-based host.