I’ve had a number of cases where the Windows “net user”, “net group”, and “net localgroup” have failed me. I’ve had SQLMap fail to give the last line of “net user” output, I’ve had “net group /domain” not give me the full names (I still don’t get how that failed!). On top of that, the commands don’t support wildcards. Also, the output of those commands is a pain to parse due to the columns. I’d much prefer to use the AD PowerShell cmdlets, but those aren’t always available. I set to find other ways to get the same data. First, let’s look at the limitations of the “net” commands.
Net command limitations
Hiding Groups in Groups
Often when pen testing and red teaming, we would like to figure out information about the domain, most notably the members of the Domain Admins group. Output of the
net group "domain admins" command as shown below.
It shows three members: Administrator, sqlagent, and sqlengine. Let’s compare this with the view from the GUI on the Domain Controller.
The GUI shows a group “Ha Ha You Can’t See This Group N00b” as a member of the other group. Unfortunately,
net group doesn’t show this information. The net group command will only show users in the group. Let’s look in inner group:
This doesn’t have any members, but if we look in the GUI it does!
What To Do
First off, incident responders need to be aware of this limitation. If you are simply looking at the group memberships with “net group” you don’t get the full picture.
This can be an interesting method for hiding in plain sight. If you have a user you want to hide, create group, add the user to the group, then start adding the user all over the place.
We’ll discuss better ways to look at this information in future posts.
The Net commands don’t offer us a way to search using wildcards. I’ve seen a number of environments where admin accounts are in the same OU or they have a common naming structure, such as appending
-admin. The Net command don’t provide us a way to flexibly search in this way. In future posts we’ll cover some ways command line ways to get around these limitations.
Related StoriesView More
Introduction to Sliver
By Red Siege | November 7, 2022
By: Justin Palk, Security Consultant Around the time Tim decided he was going to give a Siegecast on selecting a C2, I finished building out a test Windows AD domain […]Learn More
Moving beyond T4 – Deconstructing Nmap Tuning
By Red Siege | July 6, 2022
by Alex Norman, Senior Security Consultant Nmap -T4 -iL targets.txt This is a very common scan string that many people use to get initial recon done on assessments and, to […]Learn More
Creating a Simple Windows Domain for Offensive Testing: Part 4
By Red Siege | June 23, 2022
By: Justin Palk, Security Consultant This is part four of my series of blog posts on creating a windows domain for offensive security testing. In part 1, I stood up […]Learn More