Beyond Net User – Part 1: Limitations of the “Net” commands

By Tim Medin | January 30, 2018

I’ve had a number of cases where the Windows “net user”, “net group”, and “net localgroup” commands have failed me. I’ve had SQLMap fail to give the last line of “net user” output, I’ve had “net group /domain” not give me the full names (I still don’t get how that failed!). On top of that, the commands don’t support wildcards. Also, the output of those commands is a pain to parse due to the columns. I’d much prefer to use the AD PowerShell cmdlets, but those aren’t always available. I set out to find other ways to get the same data. First, let’s look at the limitations of the “net” commands.

Net command limitations

Hiding Groups in Groups

Often when pen testing and red teaming, we would like to figure out information about the domain, most notably the members of the Domain Admins group. The output of the net group "domain admins" command is shown below.

It shows three members: Administrator, sqlagent, and sqlengine. Let’s compare this with the view from the GUI on the Domain Controller.

The GUI shows a group “Ha Ha You Can’t See This Group N00b” as a member of the other group. Unfortunately, net group doesn’t show this information. The net group command will only show users in the group. Let’s look in the inner group:

This doesn’t have any members, but if we look in the GUI it does!

What To Do

First off, incident responders need to be aware of this limitation. If you are simply looking at the group memberships with “net group” you don’t get the full picture.

This can be an interesting method for hiding in plain sight. If you have a user you want to hide, create a group, add the user to the group, then start adding the user all over the place.

We’ll discuss better ways to look at this information in future posts.
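For responders who need the full picture where the AD PowerShell module is not installed, here is an added example (not code from the original post) that uses the built-in `[adsisearcher]` accelerator and Active Directory's LDAP_MATCHING_RULE_IN_CHAIN filter to list every user and group that belongs to a group at any nesting depth. The function names are hypothetical, and it assumes a domain-joined host running as a domain account.

```powershell
# Added example; function names are hypothetical.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    # Escape characters reserved in LDAP filter values (RFC 4515).
    # Backslash goes first so the escapes added afterwards are not re-escaped.
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
}

function Get-NestedGroupMember {
    param([Parameter(Mandatory)][string]$GroupName)

    # Resolve the group's distinguished name from its sAMAccountName.
    $name  = ConvertTo-LdapFilterValue $GroupName
    $find  = [adsisearcher]"(&(objectCategory=group)(sAMAccountName=$name))"
    $group = $find.FindOne()
    if (-not $group) { throw "Group '$GroupName' not found" }
    $dn = [string]$group.Properties['distinguishedname'][0]

    # OID 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN) asks the
    # domain controller to follow memberOf through every level of nesting.
    $dnEsc  = ConvertTo-LdapFilterValue $dn
    $search = [adsisearcher]"(memberOf:1.2.840.113556.1.4.1941:=$dnEsc)"
    $search.PageSize = 1000   # page the results instead of stopping at the server limit
    $search.PropertiesToLoad.AddRange([string[]]('samaccountname', 'objectclass', 'memberof'))

    $results = $search.FindAll()
    try {
        foreach ($r in $results) {
            $classes = $r.Properties['objectclass']
            [pscustomobject]@{
                Name   = [string]$r.Properties['samaccountname'][0]
                # The last objectClass value is the most specific (user, group, computer).
                Type   = [string]$classes[$classes.Count - 1]
                # True when the object is listed directly in the group, False when
                # it only gets there through one or more nested groups.
                Direct = $r.Properties['memberof'] -contains $dn
            }
        }
    }
    finally { $results.Dispose() }
}

# Rows with Type 'group', or with Direct = False, are the nested groups and the
# accounts inside them.
Get-NestedGroupMember 'Domain Admins' | Sort-Object Direct, Type, Name | Format-Table -AutoSize
```

Accounts that hold the group only as their primary group (the `primaryGroupID` attribute) are not stored in `member`/`memberOf`, so this filter does not return them.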

Searching

The Net commands don’t offer us a way to search using wildcards. I’ve seen a number of environments where admin accounts are in the same OU or they have a common naming structure, such as appending -admin. The Net commands don’t provide us a way to flexibly search in this way. In future posts we’ll cover some command line ways to get around these limitations.
