I’ve had a number of cases where the Windows “net user”, “net group”, and “net localgroup” have failed me. I’ve had SQLMap fail to give the last line of “net user” output, I’ve had “net group /domain” not give me the full names (I still don’t get how that failed!). On top of that, the commands don’t support wildcards. Also, the output of those commands is a pain to parse due to the columns. I’d much prefer to use the AD PowerShell cmdlets, but those aren’t always available. I set to find other ways to get the same data. First, let’s look at the limitations of the “net” commands.
Net command limitations
Hiding Groups in Groups
Often when pen testing and red teaming, we would like to figure out information about the domain, most notably the members of the Domain Admins group. Output of the
net group "domain admins" command as shown below.
It shows three members: Administrator, sqlagent, and sqlengine. Let’s compare this with the view from the GUI on the Domain Controller.
The GUI shows a group “Ha Ha You Can’t See This Group N00b” as a member of the other group. Unfortunately,
net group doesn’t show this information. The net group command will only show users in the group. Let’s look in inner group:
This doesn’t have any members, but if we look in the GUI it does!
What To Do
First off, incident responders need to be aware of this limitation. If you are simply looking at the group memberships with “net group” you don’t get the full picture.
This can be an interesting method for hiding in plain sight. If you have a user you want to hide, create group, add the user to the group, then start adding the user all over the place.
We’ll discuss better ways to look at this information in future posts.
The Net commands don’t offer us a way to search using wildcards. I’ve seen a number of environments where admin accounts are in the same OU or they have a common naming structure, such as appending
-admin. The Net command don’t provide us a way to flexibly search in this way. In future posts we’ll cover some ways command line ways to get around these limitations.
Related StoriesView More
Dumping LSASS Like it’s 2019
By Red Siege | March 4, 2024
By Alex Reid, Current Red Siege Intern A long-time tactic of threat actors and offensive security professionals alike, tampering with LSASS.exe in order to recover credentials remains a highly […]Learn More
Better Living Through OpenSSH Config Files
By Red Siege | February 15, 2024
By: Justin Palk, Senior Security Consultant SSH is an incredibly valuable tool for penetration testing. It provides us with a secure channel for administering machines, remotely executing tools, transferring […]Learn More
GraphStrike: Anatomy of Offensive Tool Development
By Red Siege | January 22, 2024
By: Alex Reid, Current Red Siege Intern Introduction This blog post accompanies the release of an open source tool called GraphStrike which can be found here. Those familiar with my […]Learn More