Exploiting the Windows Domain
A common recommendation I come across is that Internet-facing systems should not be members of an active Windows domain. As an exercise of interest, I decided to look at this topic more closely and explore what advantage (if any) access to a domain member really provides. In this scenario I will demonstrate how to gain privilege within a Windows domain using only the tools available on a default Windows install.

I will be working under the following assumptions:

- I have access to a public terminal (or something similar) with up-to-date anti-virus.
- I do not have administrative access on the host.
- I do not have access to any third-party tools.

Once connected to a Windows workstation, the first piece of information I want to find is the domain namespace. This can be done in a couple of different ways:

    nbtstat -A <IP-Address>
    net config workstation

Next, because I am working from a domain member, I can query the domain controller and check whether it's aware of
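The same built-in facilities the post uses to learn the domain namespace (nbtstat and the workstation configuration) can be turned around by an administrator to audit the exact risk the post opens with: a domain-joined host that is also reachable from the Internet. The script below is an added example written for this page, not code from the original post; it assumes a Windows 8 / Server 2012 or later host (for Get-NetIPAddress and Get-CimInstance), and the function names Test-PrivateIPv4 and Get-DomainExposureReport are my own. It reads the local NetBIOS name table with nbtstat -n (the <00> GROUP entry is the domain or workgroup name a member registers), cross-checks it against Win32_ComputerSystem, and flags the host if it is a domain member with any routable IPv4 address.

```powershell
# Added audit example (not from the original post): report whether this host is a domain
# member and whether any interface carries a non-private IPv4 address.

function Test-PrivateIPv4 {
    # Returns $true for RFC 1918, loopback and link-local (APIPA) IPv4 addresses.
    param([Parameter(Mandatory)][string]$Address)
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    return ($b[0] -eq 10) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168) -or
           ($b[0] -eq 127) -or
           ($b[0] -eq 169 -and $b[1] -eq 254)
}

function Get-DomainExposureReport {
    # Domain membership as reported by the OS itself.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem

    # Domain/workgroup name as registered in the local NetBIOS name table
    # (the <00> GROUP entry); this is the same data 'nbtstat -A' reads remotely.
    $nbtGroup = nbtstat -n 2>$null |
        Select-String -Pattern '^\s*(\S+)\s+<00>\s+GROUP' |
        ForEach-Object { $_.Matches[0].Groups[1].Value } |
        Select-Object -First 1

    # All IPv4 addresses except loopback, then the subset that is publicly routable.
    $ipv4   = Get-NetIPAddress -AddressFamily IPv4 | Where-Object { $_.IPAddress -ne '127.0.0.1' }
    $public = @($ipv4 | Where-Object { -not (Test-PrivateIPv4 $_.IPAddress) })

    [pscustomobject]@{
        ComputerName           = $cs.Name
        PartOfDomain           = $cs.PartOfDomain
        Domain                 = $cs.Domain
        NetBiosGroup           = $nbtGroup
        LogonDomain            = $env:USERDNSDOMAIN
        PublicIPv4             = ($public.IPAddress -join ', ')
        DomainMemberOnInternet = [bool]($cs.PartOfDomain -and $public.Count -gt 0)
    }
}

$report = Get-DomainExposureReport
$report | Format-List
if ($report.DomainMemberOnInternet) {
    Write-Warning "Domain-joined host exposes a routable IPv4 address; review whether it should be a domain member."
}
```

Run it as a normal user from an interactive PowerShell session; none of the calls need administrative rights. A host with a mismatch between NetBiosGroup and Domain is worth a second look as well, since it usually means a stale NetBIOS registration or a workgroup machine that was once domain-joined.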