m8r0wn
Blog  |  Walkthroughs  |  Talks  |  About
menu

Enumerating Windows with the Linux "net" Commands

June 08, 2018
There are several situations in penetration testing when all you have is your Linux machine against a Windows Active Directory environment. In that situation, it is helpful to know the various ways to interact with AD through the Linux net commands.

The net tool comes part of the Samba suite, designed to replicate Windows functionality and provide remote management. The examples below demonstrate how this can be used to enumerate Windows environments, assuming valid domain credentials:

List all users in the current domain

# Windows:
net user /domain

# Linux:
echo "user list" | net rpc shell -U "[Username]"%"[Password]" -S [DC-IP]

List all groups in the current domain

# Windows:
net groups /domain

# Linux:
net rpc group list -U "[Username]"%"[Password]" -S [DC-IP]

Listing members of a specific group

# Windows:
net group "Domain Admins" /domain

# Linux:
net rpc group members 'Domain Admins' -U "[Username]"%"[Password]" -S [DC-IP]

Check the domain's password policy

# Windows:
net accounts /domain

# Linux:
echo "account show" | net rpc shell -U "[Username]"%"[Password]" -S [DC-IP]

Identify open shares on a domain computer

# Windows:
net view \\computer

# Linux:
net rpc share list -U "[Username]"%"[Password]" -S [DC-IP]

Lookup domain user

Looking up details about a specific domain user requires multiple command variations that I have turned into a bash script to save time. This is available on my Github Gist page.
# Windows:
net user m8r0wn /domain

# Linux:
./aduser_lookup.sh [Username] [Password] [DC-IP] [Lookup_User]

To further enumerate Windows from a Linux host, checkout the following tools:
https://github.com/m8r0wn/nullinux
https://github.com/portcullislabs/enum4linux
https://github.com/SecureAuthCorp/impacket

Still looking for more? At the time of writing, @ropnop recently introduced some creative strategies for Windows enumeration in his latest talk worth checking out:
- "Fun with LDAP, Kerberos (and MSRPC) in AD Environments"