Miscellaneous Misconfigurations

This section covers various misconfigurations that can be leveraged for enumeration and privilege escalation within a Windows domain environment.

1. Import Security Assessment Module

Command:

Import-Module .\SecurityAssessment.ps1
  • Description: Imports the SecurityAssessment.ps1 module, which provides the auditing cmdlets used in the following checks. Performed from a Windows-based host.


2. Check Spooler Service Status

Command:

Get-SpoolStatus -ComputerName ACADEMYEA-DC01.INLANEFREIGHT.LOCAL
  • Description: Uses the SecurityAssessment.ps1 module to check whether the Print Spooler service is running on the target, i.e. whether it is exposed to the MS-PRN Printer bug. Performed from a Windows-based host.


3. Enumerate DNS Records via LDAP

Command:

adidnsdump -u inlanefreight\\forend ldap://172.16.5.5
  • Description: Resolves all records in a DNS zone over LDAP. Performed from a Linux-based host.

Command:

adidnsdump -u inlanefreight\\forend ldap://172.16.5.5 -r
  • Description: Resolves unknown records in a DNS zone by performing an A query (-r). Performed from a Linux-based host.


4. Retrieve User Descriptions

Command:

Get-DomainUser * | Select-Object samaccountname,description
  • Description: PowerView command used to display the description field of domain users. Performed from a Windows-based host.


5. Check for Password Not Required Accounts

Command:

Get-DomainUser -UACFilter PASSWD_NOTREQD | Select-Object samaccountname,useraccountcontrol
  • Description: PowerView command used to identify domain users with the PASSWD_NOTREQD flag set in their useraccountcontrol attribute; such accounts are allowed to have an empty password. Performed from a Windows-based host.


6. List SYSVOL Scripts

Command:

ls \\academy-eadc01\SYSVOL\INLANEFREIGHT.LOCAL\scripts
  • Description: Lists the contents of the SYSVOL scripts folder, which may contain sensitive scripts with credentials. Performed from a Windows-based host.