Beyond Net User – Part 1: Limitations of the “Net” commands

By Tim Medin | January 30, 2018

I’ve had a number of cases where the Windows “net user”, “net group”, and “net localgroup” have failed me. I’ve had SQLMap fail to give the last line of “net user” output, I’ve had “net group /domain” not give me the full names (I still don’t get how that failed!). On top of that, the commands don’t support wildcards. Also, the output of those commands is a pain to parse due to the columns. I’d much prefer to use the AD PowerShell cmdlets, but those aren’t always available. I set to find other ways to get the same data. First, let’s look at the limitations of the “net” commands.

Net command limitations

Hiding Groups in Groups

Often when pen testing and red teaming, we would like to figure out information about the domain, most notably the members of the Domain Admins group. Output of the net group "domain admins" command as shown below.

It shows three members: Administrator, sqlagent, and sqlengine. Let’s compare this with the view from the GUI on the Domain Controller.

The GUI shows a group “Ha Ha You Can’t See This Group N00b” as a member of the other group. Unfortunately, net group doesn’t show this information. The net group command will only show users in the group. Let’s look in inner group:

This doesn’t have any members, but if we look in the GUI it does!

What To Do

First off, incident responders need to be aware of this limitation. If you are simply looking at the group memberships with “net group” you don’t get the full picture.

This can be an interesting method for hiding in plain sight. If you have a user you want to hide, create group, add the user to the group, then start adding the user all over the place.

We’ll discuss better ways to look at this information in future posts.

Searching

The Net commands don’t offer us a way to search using wildcards. I’ve seen a number of environments where admin accounts are in the same OU or they have a common naming structure, such as appending -admin. The Net command don’t provide us a way to flexibly search in this way. In future posts we’ll cover some ways command line ways to get around these limitations.

Attacking SAML implementations

By Red Siege | November 2, 2021

SAML and SAML Attacks Recently a client mentioned that they wanted me to pay particular attention to the SAML authentication on an app I was going to be testing. It’s […]

Learn More
Attacking SAML implementations

Bypassing Signature-Based AV

By Red Siege | August 25, 2021

If you want to execute arbitrary code on an endpoint during a penetration test, red team, or assumed breach, chances are you’ll have to evade some kind of antivirus solution. […]

Learn More
Bypassing Signature-Based AV

Sans Core Netwars Tournament of Champions Europe

By Red Siege | August 9, 2021

From Justin Palk, Security Consultant: I’ll be honest, it feels good to win. Popping a shell sends a shiver down my spine. But getting into a duel with another team […]

Learn More
Sans Core Netwars Tournament of Champions Europe

Find Out What’s Next

Stay in the loop with our upcoming events.