taibeihacker
0x00 Introduction
Microsoft ships a set of Active Directory PowerShell cmdlets with Windows Server 2008 R2 (and later) that greatly simplify tasks which previously required stringing together long stretches of ADSI code. On a Windows client, install the Remote Server Administration Tools (RSAT) and make sure the Active Directory PowerShell module is installed. On a Windows server (2008 R2 or later), run the following in a PowerShell console (as administrator): Import-Module ServerManager; Add-WindowsFeature RSAT-AD-PowerShell

0x01 Browsing the AD directory
The AD PowerShell cmdlets are used like this:
Import-Module ActiveDirectory
$UserID = "JoeUser"
Get-ADUser $UserID -Properties *
Note that with PowerShell v3 and later you do not need to run the first line: PowerShell detects the required module and auto-loads it. Once the Active Directory PowerShell module is loaded it registers an AD: PSDrive, so you can browse AD the way you browse a file system:
PS> Import-Module ActiveDirectory
PS> dir AD:
PS> Set-Location AD:
PS> Set-Location "dc=lab,dc=adsecurity,dc=org"
PS> dir

0x02 Finding useful cmdlets
1. Basic module statistics
Discover the available PowerShell modules: Get-Module -ListAvailable
Discover the cmdlets in a PowerShell module: Get-Command -Module ActiveDirectory
Number of cmdlets in the PowerShell AD module:
(Get-Command -Module ActiveDirectory).Count
Windows Server 2008 R2: 76 cmdlets
Windows Server 2012: 135 cmdlets
Windows Server 2012 R2: 147 cmdlets
Windows Server 2016: 147 cmdlets
Main cmdlets in Windows Server 2008 R2:
• Get/Set-ADForest
• Get/Set-ADDomain
• Get/Set-ADDomainController
• Get/Set-ADUser
• Get/Set-ADComputer
• Get/Set-ADGroup
• Get/Set-ADGroupMember
• Get/Set-ADObject
• Get/Set-ADOrganizationalUnit
• Enable-ADOptionalFeature
• Disable/Enable-ADAccount
• Move-ADDirectoryServerOperationMasterRole
• New-ADUser
• New-ADComputer
• New-ADGroup
• New-ADObject
• New-ADOrganizationalUnit
Some of the cmdlets new in Windows Server 2012 and later:
• *-ADResourcePropertyListMember
• *-ADAuthenticationPolicy
• *-ADAuthenticationPolicySilo
• *-ADCentralAccessPolicy
• *-ADCentralAccessRule
• *-ADResourceProperty
• *-ADResourcePropertyList
• *-ADResourcePropertyValueType
• *-ADDCCloneConfigFile
• *-ADReplicationAttributeMetadata
• *-ADReplicationConnection
• *-ADReplicationFailure
• *-ADReplicationPartnerMetadata
• *-ADReplicationQueueOperation
• *-ADReplicationSite
• *-ADReplicationSiteLink
• *-ADReplicationSiteLinkBridge
• *-ADReplicationSubnet
• *-ADReplicationUpToDatenessVectorTable
• Sync-ADObject
2. Discovering Global Catalogs (GCs)
• Forest GCs:
Import-Module ActiveDirectory
$ADForest = Get-ADForest
$ADForestGlobalCatalogs = $ADForest.GlobalCatalogs
• Domain DCs that are GCs:
Import-Module ActiveDirectory
$DCsGCs = Get-ADDomainController -Filter { IsGlobalCatalog -eq $True }
• Domain DCs that are not GCs:
Import-Module ActiveDirectory
$DCsNotGCs = Get-ADDomainController -Filter { IsGlobalCatalog -eq $False }
3. Finding the Active Directory Flexible Single Master Operation (FSMO) roles
Active Directory module:
(Get-ADForest).SchemaMaster
(Get-ADForest).DomainNamingMaster
(Get-ADDomain).InfrastructureMaster
(Get-ADDomain).PDCEmulator
(Get-ADDomain).RIDMaster
.NET calls (no RSAT module required):
• Get the current domain (GetCurrentDomain returns the domain of the user running the command, GetComputerDomain the domain the computer is joined to; they differ when you run as a user from another domain):
[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().Name
[System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().Name
• Get the computer's site:
[System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite()
• List all domain controllers in a domain:
[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers
• Get the Active Directory domain mode:
[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainMode
• List the Active Directory FSMOs:
([System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()).SchemaRoleOwner
([System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()).NamingRoleOwner
([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).InfrastructureRoleOwner
([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).PdcRoleOwner
([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).RidRoleOwner
• Get the Active Directory forest name:
[System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().Name
• Get a list of sites in the Active Directory forest:
[array]$ADSites = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().Sites
• Get the Active Directory forest domains:
[System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().Domains
• Get the Active Directory forest Global Catalogs:
[System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().GlobalCatalogs
• Get the Active Directory forest mode:
[System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().ForestMode
• Get the Active Directory forest root domain:
[System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().RootDomain
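The listings in items 2 and 3 answer one question each. The following script, added here as an example and not part of the original post, pulls the same facts into a single summary object: forest and domain mode, the five FSMO holders, the forest GCs, and every DC with its site, OS, GC status and the roles it holds (the OperationMasterRoles property of the DC object). A second function cross-checks the module's FSMO answer against the .NET API. It assumes the ActiveDirectory module is installed and that the caller can read the domain.

```powershell
Import-Module ActiveDirectory

function Get-ADInfraSummary {
    [CmdletBinding()]
    param(
        # Domain to summarise; defaults to the domain of the current user
        [string]$Domain = (Get-ADDomain).DNSRoot
    )

    $forest = Get-ADForest
    $dom    = Get-ADDomain -Identity $Domain

    # OperationMasterRoles on each DC object lists the FSMO roles that DC holds,
    # so one query gives GC status, site, OS and role ownership per DC.
    $dcs = Get-ADDomainController -Filter * -Server $Domain |
        Sort-Object Site, HostName |
        Select-Object HostName, Site, IPv4Address, OperatingSystem, IsGlobalCatalog, IsReadOnly,
            @{ Name = 'FSMORoles'; Expression = { $_.OperationMasterRoles -join ',' } }

    [pscustomobject]@{
        Forest               = $forest.Name
        ForestMode           = $forest.ForestMode
        RootDomain           = $forest.RootDomain
        Domains              = ($forest.Domains -join ', ')
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        Domain               = $dom.DNSRoot
        DomainMode           = $dom.DomainMode
        PDCEmulator          = $dom.PDCEmulator
        RIDMaster            = $dom.RIDMaster
        InfrastructureMaster = $dom.InfrastructureMaster
        ForestGlobalCatalogs = ($forest.GlobalCatalogs -join ', ')
        DomainControllers    = @($dcs)
    }
}

# Cross-check the module's FSMO answer against the .NET API; a mismatch usually
# means replication lag after a move/seize, or that the two calls hit different DCs.
function Test-FSMOConsistency {
    $dom = Get-ADDomain
    $net = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $ok  = ($dom.PDCEmulator          -ieq $net.PdcRoleOwner.Name) -and
           ($dom.RIDMaster            -ieq $net.RidRoleOwner.Name) -and
           ($dom.InfrastructureMaster -ieq $net.InfrastructureRoleOwner.Name)
    if (-not $ok) { Write-Warning "FSMO owners reported by the AD module and by .NET differ" }
    $ok
}

$summary = Get-ADInfraSummary
$summary | Select-Object * -ExcludeProperty DomainControllers | Format-List
$summary.DomainControllers | Format-Table -AutoSize
Test-FSMOConsistency
```

Run it once before and once after any FSMO move: the per-DC FSMORoles column shows which DC actually answers for each role, which is what matters for the PDC emulator (password changes, account lockouts, time) and the RID master (new SIDs).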
4. Moving FSMO roles from one DC to another
Get-Command -Module ActiveDirectory -Noun *Master*
• Moving FSMO roles:
Move-ADDirectoryServerOperationMasterRole -Identity $DCName -OperationMasterRole RIDMaster
Move-ADDirectoryServerOperationMasterRole -Identity $DCName -OperationMasterRole DomainNamingMaster
Move-ADDirectoryServerOperationMasterRole -Identity $DCName -OperationMasterRole PDCEmulator
• Seizing FSMO roles (only when the current holder is permanently offline):
Move-ADDirectoryServerOperationMasterRole -Identity $DCName -OperationMasterRole PDCEmulator -Force
-Force seizes the role without contacting the current holder. Do not bring the old holder back onto the network afterwards without removing it from the directory (metadata cleanup), or two DCs will claim the same role.
0x03 Active Directory PowerShell module cmdlet examples
1. Get-ADRootDSE retrieves information about the LDAP server (domain controller) and displays its contents. The result contains some interesting information, such as the functional level of the DC (domainControllerFunctionality), which reveals the operating system version it runs.
2. Get-ADForest provides information about the Active Directory forest that the computer running the command belongs to.

3. Get-ADDomain provides information about the current domain.

4. Get-ADDomainController provides information specific to domain controllers. With this cmdlet you can easily find all DCs in a particular site, or the OS version each one runs.

5. Get-ADComputer provides information about most computer objects in AD. Running it with the "-Properties *" parameter shows all the standard attributes.

6. AD computer statistics
$DomainDNS = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().Name
$Time = (Measure-Command {
    [array]$AllComputers = Get-ADComputer -Filter * -Properties Name,CanonicalName,Enabled,PasswordLastSet,SAMAccountName,LastLogonTimeStamp,DistinguishedName,OperatingSystem
}).TotalMinutes
$AllComputersCount = $AllComputers.Count
Write-Output "There were $AllComputersCount Computers discovered in $DomainDNS in $Time minutes... `r"
7. Get-ADUser provides most of what you want to know about an AD user. Running it with the "-Properties *" parameter shows all the standard attributes.

8. AD user statistics
Import-Module ActiveDirectory
$DomainDNS = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().Name
[array]$AllUsers = Get-ADUser -Filter * -Properties Name,DistinguishedName,Enabled,LastLogonDate,LastLogonTimeStamp,LockedOut,msExchHomeServerName,SAMAccountName
$AllUsersCount = $AllUsers.Count
Write-Output "There were $AllUsersCount user objects discovered in $DomainDNS ... "
[array]$DisabledUsers = $AllUsers | Where-Object { $_.Enabled -eq $False }
$DisabledUsersCount = $DisabledUsers.Count
[array]$EnabledUsers = $AllUsers | Where-Object { $_.Enabled -eq $True }
$EnabledUsersCount = $EnabledUsers.Count
Write-Output "There are $EnabledUsersCount Enabled users and there are $DisabledUsersCount Disabled users in $DomainDNS "
9. Get-ADGroup provides information about AD groups. Run the following to find all security groups:
Get-ADGroup -Filter { GroupCategory -eq 'Security' }

10. Get-ADGroupMember enumerates and returns the members of a group. The "-Recursive" parameter includes all members of nested groups.
Get-ADGroupMember 'Administrators' -Recursive
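The single Get-ADGroupMember line above is the building block of a privileged-group audit. The script below is an added example, not the original post's code: it walks the built-in privileged groups with -Recursive, annotates each effective member with the attributes an attacker cares about (enabled, password age, PasswordNeverExpires, SPN), and then lists accounts that still carry adminCount=1 but are no longer in any of those groups. The group list and the 365-day threshold are assumptions chosen for illustration. Get-ADGroupMember -Recursive is known to fail on groups that contain foreign security principals from an unreachable trusted domain, so the script falls back to the direct member attribute in that case.

```powershell
Import-Module ActiveDirectory

function Get-PrivilegedGroupMembers {
    param(
        # Groups to audit, resolved in the current domain (assumed list)
        [string[]]$Groups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                              'Administrators', 'Account Operators', 'Backup Operators'),
        # A privileged account whose password is older than this is flagged
        [int]$MaxPasswordAgeDays = 365
    )
    $cutoff = (Get-Date).AddDays(-$MaxPasswordAgeDays)

    foreach ($name in $Groups) {
        $group = Get-ADGroup -Identity $name -ErrorAction SilentlyContinue
        if (-not $group) { Write-Warning "Group '$name' not found"; continue }

        # -Recursive flattens nested groups so every effective (non-group) member is returned.
        # It fails on groups holding foreign security principals from an unreachable trusted
        # domain, so fall back to the direct member attribute (no nesting) in that case.
        try {
            $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop
        } catch {
            Write-Warning "Get-ADGroupMember failed for '$name': $($_.Exception.Message); using direct members only"
            $members = (Get-ADGroup -Identity $group -Properties member).member |
                ForEach-Object { Get-ADObject -Identity $_ -Properties objectClass, sAMAccountName }
        }

        foreach ($m in $members) {
            $detail = switch ($m.objectClass) {
                'user'     { Get-ADUser -Identity $m.distinguishedName -Properties Enabled, PasswordLastSet, PasswordNeverExpires, LastLogonDate, ServicePrincipalName }
                'computer' { Get-ADComputer -Identity $m.distinguishedName -Properties Enabled, PasswordLastSet, LastLogonDate }
                default    { $null }
            }
            [pscustomobject]@{
                Group           = $group.Name
                Member          = $m.SamAccountName
                Class           = $m.objectClass
                Enabled         = $detail.Enabled
                PasswordLastSet = $detail.PasswordLastSet
                StalePassword   = [bool]($detail.PasswordLastSet -and $detail.PasswordLastSet -lt $cutoff)
                NeverExpires    = [bool]$detail.PasswordNeverExpires
                # an admin account with an SPN can be Kerberoasted: its service ticket is encrypted with its password hash
                HasSPN          = [bool]$detail.ServicePrincipalName
                LastLogonDate   = $detail.LastLogonDate
            }
        }
    }
}

# Accounts that still carry adminCount=1 (and the protected, non-inheriting ACL that
# SDProp stamped on them) but are no longer in any privileged group: a common leftover.
function Get-OrphanedAdminCount {
    param([string[]]$Groups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'))
    $effective = Get-PrivilegedGroupMembers -Groups $Groups | Select-Object -ExpandProperty Member -Unique
    Get-ADUser -LDAPFilter '(adminCount=1)' |
        Where-Object { $_.SamAccountName -notin $effective -and $_.SamAccountName -ne 'krbtgt' } |
        Select-Object SamAccountName, DistinguishedName
}

Get-PrivilegedGroupMembers | Format-Table -AutoSize
Get-OrphanedAdminCount
```

Rows with HasSPN or NeverExpires set, or with StalePassword true on an enabled account, are the ones to act on first; the orphaned adminCount list is a good indicator of how well past privilege removals were cleaned up.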

11. Finding inactive computers
The following example finds inactive (stale) computers and users: accounts whose password has not changed in the past 10 days. Note that this is a test example. For a real production environment, change this to a policy of 60 to 90 days for computers and 180 to 365 days for users.

12. Finding inactive users
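Items 11 and 12 describe the stale-account check without showing code. The script below is an added example (not the original post's) that implements it for both object types with the production thresholds from the text as defaults. The comparison is pushed into an LDAP filter on the raw pwdLastSet and lastLogonTimestamp FILETIME values, so the DC does the filtering rather than the client; the 90/180-day defaults and the column layout are assumptions.

```powershell
Import-Module ActiveDirectory

function Get-StaleADAccounts {
    param(
        [int]$ComputerDays = 90,    # computers rotate their own password every 30 days by default
        [int]$UserDays     = 180
    )

    # pwdLastSet and lastLogonTimestamp are stored as FILETIME (int64), so the
    # comparison is expressed in the LDAP filter and evaluated on the DC.
    # userAccountControl bit 0x2 = ACCOUNTDISABLE; :1.2.840.113556.1.4.803: is the bitwise-AND rule.
    # pwdLastSet=0 means "must change password at next logon", not stale, so it is excluded.
    # lastLogonTimestamp is only rewritten when it is older than ~14 days, so it is a coarse
    # signal; accounts that never logged on (attribute absent) are still reported.
    $buildFilter = {
        param([string]$Category, [datetime]$Cutoff)
        $ft = $Cutoff.ToFileTimeUtc()
        "(&(objectCategory=$Category)(!(userAccountControl:1.2.840.113556.1.4.803:=2))" +
        "(pwdLastSet>=1)(pwdLastSet<=$ft)(|(!(lastLogonTimestamp=*))(lastLogonTimestamp<=$ft)))"
    }

    $props  = 'pwdLastSet', 'lastLogonTimestamp', 'whenCreated', 'operatingSystem', 'servicePrincipalName'
    $select = @(
        @{ n = 'Type';       e = { $_.ObjectClass } },
        'SamAccountName',
        @{ n = 'PwdLastSet'; e = { [datetime]::FromFileTimeUtc($_.pwdLastSet) } },
        @{ n = 'LastLogon';  e = { if ($_.lastLogonTimestamp) { [datetime]::FromFileTimeUtc($_.lastLogonTimestamp) } } },
        # a stale account that still has an SPN is a Kerberoasting target and probably an orphaned service
        @{ n = 'HasSPN';     e = { [bool]$_.servicePrincipalName } },
        'whenCreated', 'operatingSystem', 'DistinguishedName'
    )

    $computerFilter = & $buildFilter 'computer' (Get-Date).AddDays(-$ComputerDays)
    $userFilter     = & $buildFilter 'person'   (Get-Date).AddDays(-$UserDays)

    Get-ADComputer -LDAPFilter $computerFilter -Properties $props | Select-Object $select
    Get-ADUser     -LDAPFilter $userFilter     -Properties $props | Select-Object $select
}

# Report first. When acting on the result, disable and move the objects rather than deleting
# them, so the SID and group memberships survive if an account turns out to be in use.
$stale = Get-StaleADAccounts -ComputerDays 90 -UserDays 180
$stale | Format-Table Type, SamAccountName, PwdLastSet, LastLogon, HasSPN -AutoSize
$stale | Where-Object Type -eq 'user' | ForEach-Object { Disable-ADAccount -Identity $_.DistinguishedName -WhatIf }
```

Drop the -WhatIf only after the list has been reviewed; the 10-day value from the text can be passed as -ComputerDays 10 -UserDays 10 for a lab run.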

13. Enumerating domain trusts
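Item 13 names the task but gives no code. The following is an added example, not from the original post: it enumerates the trusts of the current domain with Get-ADTrust (available in the Windows Server 2012 and later module) and flags the trust properties that matter for lateral movement between domains: SID filtering, selective authentication, TGT delegation across the trust and the encryption types of the trust keys. The risk labels are my own classification, and a second function gets the bare list through .NET for hosts without RSAT.

```powershell
Import-Module ActiveDirectory

function Get-ADTrustReport {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    # Get-ADTrust (Windows Server 2012+ module) reads the trustedDomain objects under
    # CN=System; the boolean properties below are decoded from trustAttributes.
    Get-ADTrust -Filter * -Server $Domain | ForEach-Object {
        $t = $_
        $risks = @()
        # External/realm trust without SID filtering: a compromised trusted domain can inject
        # privileged SIDs of this domain through SIDHistory
        if (-not $t.IntraForest -and -not $t.ForestTransitive -and -not $t.SIDFilteringQuarantined) { $risks += 'NoSIDFiltering' }
        # Forest trust without forest-aware SID filtering: the same attack across the forest boundary
        if ($t.ForestTransitive -and -not $t.SIDFilteringForestAware) { $risks += 'NoForestSIDFiltering' }
        # TGT delegation allowed across the trust: unconstrained delegation on the other side
        # can capture TGTs belonging to this forest's users
        if ($t.TGTDelegation) { $risks += 'TGTDelegation' }
        # Trust keys that only support RC4: enable AES on the trust
        if ($t.UsesRC4Encryption -and -not $t.UsesAESKeys) { $risks += 'RC4Only' }

        [pscustomobject]@{
            Source           = $t.Source
            Target           = $t.Target
            Direction        = $t.Direction        # Inbound, Outbound or BiDirectional
            TrustType        = $t.TrustType
            IntraForest      = $t.IntraForest
            ForestTransitive = $t.ForestTransitive
            SelectiveAuth    = $t.SelectiveAuthentication
            SIDFiltering     = ($t.SIDFilteringQuarantined -or $t.SIDFilteringForestAware)
            TGTDelegation    = $t.TGTDelegation
            TrustAttributes  = ('0x{0:X}' -f [int]$t.TrustAttributes)
            Risks            = ($risks -join ',')
        }
    }
}

# No module required: the same list from .NET, usable on a workstation without RSAT.
function Get-ADTrustsDotNet {
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $domain.GetAllTrustRelationships() |
        Select-Object SourceName, TargetName, TrustType, TrustDirection
}

Get-ADTrustReport | Format-Table -AutoSize
Get-ADTrustsDotNet | Format-Table -AutoSize
```

Direction is read from this domain's point of view: an Inbound trust means the Target's principals can be granted access here, which is the side that deserves the SID filtering and selective authentication checks.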

14. Getting the Active Directory implementation date

15. Getting the AD password policy

16. Getting AD site information. Note that the Windows Server 2012 module includes site cmdlets (Get-ADReplicationSite*).

17. Getting the tombstoneLifetime
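Items 14 to 17 are listed without code. The script below is an added example, not from the original post, that collects all four in one baseline object: the domain creation date (assumption: whenCreated of the domain naming-context head, together with the krbtgt account, is taken as the implementation date), the default domain password policy plus any fine-grained policies, the site-to-subnet map from the 2012+ replication cmdlets, and the tombstoneLifetime attribute from the configuration partition.

```powershell
Import-Module ActiveDirectory

function Get-ADBaseline {
    $domain   = Get-ADDomain
    $configNC = (Get-ADRootDSE).configurationNamingContext

    # 14. Implementation date: whenCreated of the domain naming-context head (assumption: the
    #     domain object is created when the first DC is promoted) and of the krbtgt account.
    $domainObj = Get-ADObject -Identity $domain.DistinguishedName -Properties whenCreated
    $krbtgt    = Get-ADUser -Identity krbtgt -Properties whenCreated, PasswordLastSet
    # If krbtgt PasswordLastSet equals whenCreated, the KDC key has never been rotated:
    # a golden ticket forged from that hash keeps working for the lifetime of the domain.

    # 15. Password policy: the default domain policy plus fine-grained policies (PSOs),
    #     which override it per group/user. Reading PSOs requires rights on the PSO container.
    $default = Get-ADDefaultDomainPasswordPolicy
    $psos    = Get-ADFineGrainedPasswordPolicy -Filter * -ErrorAction SilentlyContinue |
        Select-Object Name, Precedence, MinPasswordLength, ComplexityEnabled, LockoutThreshold,
            @{ n = 'AppliesTo'; e = { $_.AppliesTo -join ', ' } }

    # 16. Site topology from the 2012+ replication cmdlets, with the subnets mapped to each site.
    $subnets = Get-ADReplicationSubnet -Filter * -Properties Site
    $sites   = Get-ADReplicationSite -Filter * | ForEach-Object {
        $siteDN = $_.DistinguishedName
        [pscustomobject]@{
            Site    = $_.Name
            Subnets = (($subnets | Where-Object { $_.Site -eq $siteDN }).Name -join ', ')
        }
    }

    # 17. tombstoneLifetime lives on the Directory Service object in the configuration NC.
    #     When the attribute is absent the forest predates Windows Server 2003 SP1 and the
    #     effective value is 60 days (180 for newer forests). It bounds how long deleted objects
    #     can be recovered and how old a backup may be and still be restored.
    $ds = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" -Properties tombstoneLifetime
    $tombstoneDays = if ($ds.tombstoneLifetime) { $ds.tombstoneLifetime } else { 60 }

    [pscustomobject]@{
        Domain                = $domain.DNSRoot
        DomainCreated         = $domainObj.whenCreated
        KrbtgtCreated         = $krbtgt.whenCreated
        KrbtgtPasswordLastSet = $krbtgt.PasswordLastSet
        MinPasswordLength     = $default.MinPasswordLength
        MaxPasswordAge        = $default.MaxPasswordAge
        PasswordHistoryCount  = $default.PasswordHistoryCount
        ComplexityEnabled     = $default.ComplexityEnabled
        LockoutThreshold      = $default.LockoutThreshold
        ReversibleEncryption  = $default.ReversibleEncryptionEnabled
        FineGrainedPolicies   = @($psos)
        Sites                 = @($sites)
        TombstoneLifetimeDays = $tombstoneDays
    }
}

$b = Get-ADBaseline
$b | Select-Object * -ExcludeProperty FineGrainedPolicies, Sites | Format-List
$b.FineGrainedPolicies | Format-Table -AutoSize
$b.Sites | Format-Table -AutoSize
```

Two values in the output deserve a second look: ReversibleEncryption should be false, and a LockoutThreshold of 0 means password spraying against the domain is never throttled by lockout.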

18. AD Recycle Bin. Requires a forest functional level of Windows Server 2008 R2 or higher; enabling it cannot be undone.
• Enable the Recycle Bin (as Enterprise Admin):
Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=DOMAIN,DC=COM' -Scope ForestOrConfigurationSet -Target 'DOMAIN.COM'
• Find all deleted users:
$DeletedUsers = Get-ADObject -SearchBase "CN=Deleted Objects,DC=DOMAIN,DC=COM" -Filter
{ObjectC