new module: smb > presence #561
Conversation
High-privilege SMB module that traces domain-level admin presence on the target.
Quite a nice module, thanks for the contribution! Gonna take a closer look at it when I get the time.
Added legacy Windows support, changed the logging style and tried to group hosts in the latest update.
Really like the idea of the module, but I think we should try to accomplish it without command execution if possible. That way AVs will not detect/stop the execution that easily. Especially task listing is often kinda risky.
If you need help, feel free to DM me or someone else on Discord/Twitter or reach out on here.
Updated the module with every request resolved. Also, thank you for the help!
When you have finished, please check that your code matches the formatting/style guidelines: poetry run ruff check . --preview
Done.
…numerate domain groups on the DC
FYI, also fixed a minor logging bug in the change-password module.
Looks good, I will def need to try it on a real-world pentest. I hold the original in my arsenal. :)) Thank you for your extended support on this. Really appreciated.
Thanks for the work!
Description
During my engagements, I hunt a lot of local administrators: both the local Administrator and domain users with local administrator privileges. Before seeking tokens, an LSASS dump or process injection, I always do "-x 'dir c:\users'" and "-x tasklist /v" to get first-level user information. If there is a domain admin user, then the scenario is completed. But if not, there is a lot of work. Grepping "-x tasklist /v" is time consuming and not a meta.
This module first executes 'net group "domain admins" /domain' and 'net group "enterprise admins" /domain'. Then it seeks domain-level admin users in c:\users and in the tasklist /v command output. Also:
- It seeks only dotted Administrator folders in c:\users, i.e. domainname.administrator (the built-in Administrator will not be shown on the DC; we don't need it though).
- It seeks both dotted and non-dotted domain-level admin users in c:\users, i.e. domainname.emreadmin and emreadmin.
- It seeks only domain-named tasks in tasklist for Administrator, i.e. domainname\administrator is shown, localmachinename\administrator is not shown.
Please note that I need help to improve this module. This is as far as I could get with my current knowledge.
How Has This Been Tested?
Tested on a dummy domain, a domain controller and a domain client machine.
Screenshots (if appropriate):
Domain admin and enterprise admin users:
Check on client with local admin creds:
Opening a cmd as domain admin:
Check again:
Check after creating a folder with the admin name:
Check on DC with domain admin creds:
Checklist:
poetry run python -m ruff check . --preview (use --fix to automatically fix what it can)
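The three matching rules in the description (dotted-only for the built-in Administrator, dotted or bare for other domain admins, and domain-qualified process owners only) are easy to get subtly wrong, so here they are as an added, stand-alone Python example. This is not the module's code or NetExec's API; it assumes a domain named CORP, a client named CLIENT01, and runs over constructed command output embedded below (not captured from a real host). Useful on the defensive side too: the same parsing answers "on which hosts do privileged accounts have profiles or live sessions", which is the exposure an admin-tiering review wants to find. Applying the domain-qualified rule to every admin in the tasklist check, not only Administrator, is an assumption beyond what the description states.

```python
import re

# Constructed output of 'net group "domain admins" /domain' (sample, not from a real DC)
NET_GROUP_OUTPUT = """Group name     Domain Admins
Comment        Designated administrators of the domain

Members

-------------------------------------------------------------------------------
Administrator            emreadmin
The command completed successfully.
"""

# Constructed 'dir c:\\users' listing (sample): one local Administrator profile,
# one domain-qualified Administrator profile, one bare domain admin profile.
DIR_USERS_OUTPUT = """ Directory of c:\\users

10/01/2023  09:12 AM    <DIR>          .
10/01/2023  09:12 AM    <DIR>          ..
10/01/2023  09:12 AM    <DIR>          Administrator
10/02/2023  10:30 AM    <DIR>          corp.administrator
10/02/2023  10:31 AM    <DIR>          emreadmin
10/02/2023  10:32 AM    <DIR>          Public
10/02/2023  10:33 AM    <DIR>          alice
"""

# Constructed 'tasklist /v' output (sample); CLIENT01\\Administrator is the local account
TASKLIST_OUTPUT = """
Image Name                     PID Session Name        Session#    Mem Usage Status          User Name                  CPU Time Window Title
========================= ======== ================ =========== ============ =============== ========================== ============ ============
cmd.exe                       4120 Console                    1      4,512 K Running         CORP\\emreadmin             0:00:00 Command Prompt
explorer.exe                  2204 Console                    1     60,212 K Running         CLIENT01\\Administrator     0:00:03 N/A
svchost.exe                    812 Services                   0     10,100 K Unknown         NT AUTHORITY\\SYSTEM        0:00:01 N/A
"""

# Matches a DOMAIN\\user token anywhere on a tasklist line (simplified column handling)
USER_RE = re.compile(r"([A-Za-z0-9_.-]+)\\([A-Za-z0-9_.$-]+)")


def parse_net_group_members(output):
    """Return lower-cased member names from 'net group <group> /domain' output."""
    members = set()
    in_members = False
    for line in output.splitlines():
        if line.startswith("----"):          # dashes separate the header from the member list
            in_members = True
            continue
        if not in_members or not line.strip():
            continue
        if line.startswith("The command completed"):
            break
        members.update(name.lower() for name in line.split())
    return members


def parse_dir_folders(output):
    """Return profile folder names from a 'dir' listing, skipping . and .. entries."""
    folders = []
    for line in output.splitlines():
        if "<DIR>" in line:
            name = line.split("<DIR>", 1)[1].strip()
            if name not in (".", ".."):
                folders.append(name)
    return folders


def admin_profile_folders(folders, admins, domain):
    """Rule 1 and 2: Administrator counts only as domain.administrator; other admins count dotted or bare."""
    hits = []
    domain = domain.lower()
    for folder in folders:
        f = folder.lower()
        for admin in admins:
            if admin == "administrator":
                if f == f"{domain}.administrator":   # bare 'Administrator' is the local built-in, skipped
                    hits.append(folder)
            elif f in (admin, f"{domain}.{admin}"):
                hits.append(folder)
    return hits


def admin_processes(output, admins, domain):
    """Rule 3: only processes owned by DOMAIN\\admin count; LOCALHOST\\Administrator is ignored."""
    hits = []
    for line in output.splitlines():
        m = USER_RE.search(line)
        if not m:
            continue
        owner_domain, user = m.group(1).lower(), m.group(2).lower()
        if owner_domain == domain.lower() and user in admins:
            hits.append((line.split()[0], f"{m.group(1)}\\{m.group(2)}"))
    return hits


def find_presence(domain="CORP"):
    """Run all three checks over the constructed sample output and return the findings."""
    admins = parse_net_group_members(NET_GROUP_OUTPUT)
    return {
        "admins": admins,
        "folders": admin_profile_folders(parse_dir_folders(DIR_USERS_OUTPUT), admins, domain),
        "processes": admin_processes(TASKLIST_OUTPUT, admins, domain),
    }


if __name__ == "__main__":
    for key, value in find_presence().items():
        print(f"{key}: {value}")
```

With the sample data above the bare `Administrator` profile and the `CLIENT01\Administrator` explorer session are both ignored, while `corp.administrator`, `emreadmin` and the `CORP\emreadmin` cmd.exe process are reported, which is exactly the behaviour the three rules describe.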