in Powershell

Domain Enumeration w/Netonly

It is common on an internal engagement for my team to be provided network access for our vulnerability scanning and penetration testing activities. One of the first things we always like to do when gaining initial access to a host is utilize the target to conduct domain enumeration actions with hopes of laterally spreading to additional systems. We have traditionally done this enumeration from a compromised host to ensure we were running in the context of a domain user. Usually we will use the PowerShell functionality in Beacon or Meterpreter to run PowerView. Harmj0y has a usage guide on this functionality and tradecraft is far beyond the scope of this post.

Recently, with the help of Chris Truncer, I stumbled upon a method to use PowerView to enumerate the target domain directly from our team’s Windows assessment VMs instead of through a compromised host. The trick I learned is quite old and has been described on pentester blogs previously BUT not within the context of using it for PowerView enumeration.

How Do I Do This?

For the purpose of this post, I will assume you have obtained plaintext credentials. This could have be done maliciously using mimikatz on an initial access target or via the POC during the pentest.

The key trick we will use is the /netonly flag with runas.exe. Netonly allows us to launch a command prompt in a different user context and the authentication will only be checked during network use. I utilized other resources to learn this trick and apply it. This allows you to launch a domain user command prompt from a non-domain joined system, making it quite simple to utilize PowerView without using a compromised host. Here are the steps I used to do this:

  1. Launch a command prompt on your assessment VM
  2. runas.exe /netonly /user:<DOMAIN>\Username cmd.exerunas
  3. Enter the password. *The password will not be verified at this time and the command prompt will launch
  4. Powershell.exe -exec bypass 
  5. Import-module powerview.ps1
  6. Verify you have authenticated access via Get-NetDomainControllers command. If output successfully returns, you have authenticated to the domain controller!Screen Shot 2015-04-09 at 1.51.09 PM
  7. Profit

Why Work From Windows?

There are a ton of reasons I enjoy working from a Windows VM in the case of domain enumeration and exploitation. For a quick summary:

  • Easier use of common protocols with target servers and workstations
  • Easier to browse file shares or utilize remote desktop
  • Better interface and output with PowerShell. No need to leverage a weaponization vector
  • No need to dump output files to disk

Hope you try this out and find it useful. Obviously this is limited and wouldn’t work for external or blackbox assessments. In that case, RDP, Beacon, or Meterpreter might be your weapon of choice to enumerate the domain.

Happy hacking!

Write a Comment