Thursday, November 18, 2010

network enumeration


OK, just wanted to go over some Windows Active Directory command-line tools found in the Windows Server 2003 Admin Pack: the ds* family (dsquery, dsget, dsmod, dsadd, and dsrm). These are basic tools that often get overlooked in favor of massive VB scripts. I use them daily to pull reports on users, groups, or computers. The Active Directory Users and Computers GUI is very limited, and with these commands you can pipe, output, parse, and loop to your heart's content. So let's just start off with some one-liners.

Need a list of all the PCs in the domain?

dsquery computer -limit 0 | dsget computer -samid

What we are doing here is using dsquery to ask the domain controller for every computer object, with -limit 0 overriding the default cap of 100 results, and chaining it to dsget, which pulls specific attributes out of each object, in this case the SAM account name (dsget computer has no -name switch; -samid gives you the computer name with its trailing $). If we were to omit the dsget command, dsquery would return the Distinguished Name of every computer in the domain, which is nice for some things, like chaining dsmod commands, but not for human-readable results. Note that none of this needs admin rights: by default any authenticated domain user can read these attributes, which is why the same one-liners are just as useful for enumeration from a foothold as for reporting.

Working in the registry and need a SID?

dsquery user -name "*NAME*" | dsget user -sid -display

Here we are querying for user information, using the wildcards (*) to allow for text to the left or right of the name, which could be a first name, last name, or both (-name matches the object's name attribute, the CN). Using dsget switches we grab the user's SID as well as the display name. Grabbing the display name helps us differentiate any false positives you may get if you are using just a first name in the query. If the pattern could match more than 100 accounts, add -limit 0 to the dsquery, or the extra matches are silently dropped.

Does your boss need all the users of a group in a text file with their telephone number?

dsquery group -name "GROUP_NAME" | dsget group -members | dsget user -display -tel > c:\file-for-boss.txt

Here we are querying for the group information, notice no wildcards. This would be the case if we knew exactly what group we are looking for. Chaining the query to dsget, we grab the members, but remember since we are looking for user information and not group information, we pipe once more into dsget user, grabbing display name and telephone number, which outputs very nicely. Two caveats: -members only lists direct members, so add -expand to the dsget group if you need nested groups walked, and any member that is not a user object (a computer account or a nested group) will make dsget user report an error for that entry.

Most of these one-liners I wrap into small batch files so I can fire them off with little typing involved. Here's one that takes care of a pet peeve of mine: the AD console's refusal to perform wildcard searches, i.e. having to know the exact spelling of a group in order to search for it. This will allow you to search for a group name with just a partial keyword:

for /f "tokens=1,2 delims==," %%i in ('dsquery group -name "*%1*" ^| sort') do @echo %%j

Here I am wrapping the command in parentheses in a for /f loop to parse its output. dsquery returns each group as a quoted Distinguished Name, for example "CN=Domain Admins,CN=Users,DC=corp,DC=example"; splitting on = and , puts "CN in %%i and the group name in %%j, which is all we echo. (A group name that itself contains a comma will be cut short, because the escaped comma is still a delimiter.) The %%i form is for batch files; at an interactive prompt use a single %. The %1 allows you to run the script with an argument, in this case the name of the group you are looking for. So if I were calling this script from the command line, I would do this:

script_name [group name]
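As an added example (my script, not the original post's), here is a fuller batch file along the same lines: it takes a partial group name and, for every matching group, prints each member's display name and telephone number, to the console or to a file. It assumes the ds* tools are on the PATH, runs dsquery with -limit 0 so more than 100 matches are not silently dropped, and keeps the whole quoted DN instead of splitting it, so group names containing commas survive. The file name findgroup.cmd is my choice.

```batch
@echo off
rem findgroup.cmd - added example, not the original post's script.
rem Usage: findgroup.cmd <partial group name> [output file]
rem For every group whose name contains the keyword, list each member's
rem display name and telephone number. Assumes dsquery/dsget from the
rem Windows Server 2003 Admin Pack are on the PATH.
setlocal

if "%~1"=="" (
    echo Usage: %~nx0 ^<partial group name^> [output file]
    exit /b 1
)

if "%~2"=="" (
    call :report "%~1"
) else (
    call :report "%~1" > "%~2"
    echo Wrote %~2
)
endlocal
exit /b 0

:report
rem delims= with no characters keeps the whole quoted DN in %%d, so a group
rem name with a comma in it is not cut short the way tokens=1,2 would cut it.
rem -limit 0 lifts dsquery's default cap of 100 results.
for /f "usebackq delims=" %%d in (`dsquery group -name "*%~1*" -limit 0 ^| sort`) do (
    echo Group: %%d
    rem -expand walks nested groups. -c asks dsget to report an error and keep
    rem going when a member DN is not a user object, such as a computer account.
    dsget group %%d -members -expand | dsget user -display -tel -c
    echo.
)
exit /b 0
```

Run it as findgroup.cmd admins to see every group with "admins" in its name and its members on screen, or findgroup.cmd admins c:\admins.txt to save the report. The subroutine writes to standard output only, so the redirect in the caller is the one place that decides where the report goes.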

So far I've only talked about using these tools for reporting, but there are also dsmod, dsadd, and dsrm. They take the same DNs on standard input that dsquery produces, so anything dsquery finds can be fed straight into a modification. Using dsmod and dsadd, I've written scripts to pre-stage computer accounts that mirror other workstations already in the domain, and used dsrm to perform bulk removes of stale accounts. Be careful with that last one: dsrm asks for confirmation on each object unless you pass -noprompt, and a deleted account cannot simply be re-created with the same SID, so disable first and delete on a later pass.
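An added example of the bulk-removal idea, with the safety rails I would want before pointing dsrm at a list (this is my script, not the post's): it reports computer accounts that have been inactive for a given number of weeks, writes the candidate DNs to a file, and only disables or deletes them when explicitly told to. dsquery computer -inactive reads lastLogonTimestamp, so the domain must be at Windows Server 2003 functional level or higher; the script name stalepcs.cmd and the %TEMP% list path are my assumptions.

```batch
@echo off
rem stalepcs.cmd - added example, not the original post's script.
rem Usage: stalepcs.cmd <weeks> [disable|delete]
rem Reports computer accounts with no logon for <weeks> weeks. With no
rem second argument it only reports; "disable" sets them disabled with
rem dsmod, "delete" removes them with dsrm. Assumes the ds* tools are on
rem the PATH and the domain is at Windows Server 2003 functional level,
rem which dsquery -inactive needs because it reads lastLogonTimestamp.
setlocal

if "%~1"=="" (
    echo Usage: %~nx0 ^<weeks^> [disable^|delete]
    exit /b 1
)
set "WEEKS=%~1"
set "ACTION=%~2"
set "LIST=%TEMP%\stale-computers.txt"

rem Write the candidate DNs to a file first so there is a record of what
rem was touched and something to review before the destructive step.
dsquery computer -inactive %WEEKS% -limit 0 > "%LIST%"
for /f %%c in ('find /c /v "" ^< "%LIST%"') do set "COUNT=%%c"
echo %COUNT% computer accounts inactive for %WEEKS% weeks or more, listed in %LIST%

if /i "%ACTION%"=="disable" (
    rem Reversible first pass: dsmod reads the DNs from standard input.
    dsmod computer -disabled yes -c < "%LIST%"
) else if /i "%ACTION%"=="delete" (
    rem dsrm prompts for every object unless -noprompt is given.
    dsrm -noprompt -c < "%LIST%"
) else (
    echo Dry run only. Re-run with disable or delete to act on the list.
)
endlocal
```

The usual workflow is stalepcs.cmd 8 to see the list, stalepcs.cmd 8 disable once it has been reviewed, and stalepcs.cmd 8 delete a few weeks later if nothing disabled has been missed. Keep the list file from each run; it is the only record of which DNs the destructive step was given.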