Basic Enumeration

We can use either PowerView.ps1 or the Active Directory Module to do domain enumeration from PowerShell.

For basic enumeration the AD Module may be the better choice, since it uses Microsoft's own tooling; PowerView could potentially be blocked.

Where a code block contains two different commands, the PowerView command appears first and the AD Module command second. Otherwise, I will indicate which module to use.

Go here to grab the AD Module: https://github.com/samratashok/ADModule

Some commands also utilize PowerView_dev.ps1 which can be grabbed here: https://github.com/lucky-luk3/ActiveDirectory/blob/master/PowerView-Dev.ps1

Importing PowerView and the AD Module

Import-Module .\PowerView.ps1

Import-Module .\Microsoft.ActiveDirectory.Management.dll
Import-Module .\ActiveDirectory.psd1

Enumerating the domain

Get the Current Domain

Get-NetDomain
Get-ADDomain

Get the Object of Another Domain

Get Domain SIDs

Get Domain Policy for the Current Domain

Get Domain Policy for Another Domain (AD Module)

Dump the Password Policy

  • Using crackmapexec

Get Domain Controllers for the Current Domain

Get Domain Controllers for Another Domain
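The domain-level checks above (current domain, another domain, the domain SID, password policy and domain controllers) done with the Active Directory module, as an added example that is not code from the original page. It assumes the module has already been imported as shown earlier; OTHER.LOCAL and dc01.other.local are placeholder names for a second domain and one of its DCs.

```powershell
# Added example (not from the original page): domain-level enumeration with the
# Active Directory module. OTHER.LOCAL / dc01.other.local are placeholders.

# Current domain object: name, DNS root, forest, SID and FSMO role holders
$domain = Get-ADDomain
$domain | Select-Object Name, DNSRoot, Forest, DomainSID, PDCEmulator, InfrastructureMaster

# Another domain: query it by name, or by pointing at one of its DCs
Get-ADDomain -Identity 'OTHER.LOCAL'
Get-ADDomain -Server 'dc01.other.local'

# Domain SID on its own (the DomainSID property is a SecurityIdentifier object)
$domain.DomainSID.Value

# Default password / lockout policy of the current domain and of another domain
Get-ADDefaultDomainPasswordPolicy
Get-ADDefaultDomainPasswordPolicy -Server 'dc01.other.local'

# Fine-grained password policies override the default for the objects they apply to,
# so list them too when reviewing the effective policy
Get-ADFineGrainedPasswordPolicy -Filter * | Select-Object Name, Precedence, AppliesTo

# Domain controllers for the current domain, and for another domain
Get-ADDomainController -Filter * |
    Select-Object HostName, IPv4Address, Site, OperatingSystem, IsGlobalCatalog
Get-ADDomainController -Filter * -Server 'dc01.other.local' |
    Select-Object HostName, IPv4Address, Site
```

All of these cmdlets are read-only LDAP queries that any authenticated domain user can run; from a defensive point of view the interesting output is the policy and DC inventory, which should match what is documented for the environment.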

Enumerating Users in the Domain

Get Users for the Current Domain

  • I should note that I find the AD Module to be more informative.

  • Using crackmapexec

Get All Property Names for Users in the Current Domain

Selecting a Specific Property to Examine

Searching For a String in a User's Attributes

Enumerating Computers

Listing the Computers in the Current Domain

  • Using crackmapexec

Enumerating Groups

List All the Groups in the Current Domain

  • Using crackmapexec

Searching for Groups With a Particular Word in the Name

Find All Domain Admins

Enumerate Group Memberships of a User
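The user, computer and group sections above, combined into one Active Directory module walkthrough as an added example (not code from the original page). It covers listing users and their property names, selecting specific properties, searching an attribute for a string, listing computers, listing and searching groups, resolving Domain Admins and checking one user's group memberships. The account name jdoe is a placeholder.

```powershell
# Added example (not from the original page): user, computer and group enumeration
# with the Active Directory module. 'jdoe' is a placeholder account name.

# Users in the current domain (default view shows only a handful of attributes)
Get-ADUser -Filter * | Select-Object SamAccountName, Enabled, DistinguishedName

# Every property name carried by a user object; -Properties * fetches all attributes,
# which is what makes the AD Module output more informative than the default view
(Get-ADUser -Identity 'jdoe' -Properties *).PropertyNames

# Select specific properties to examine across all users
Get-ADUser -Filter * -Properties LastLogonDate, PasswordLastSet, PasswordNeverExpires, ServicePrincipalName |
    Select-Object SamAccountName, LastLogonDate, PasswordLastSet, PasswordNeverExpires, ServicePrincipalName

# Search for a string in a user attribute. A common hygiene check is the Description
# field, where helpdesk staff sometimes leave credentials; such entries should be cleaned up
Get-ADUser -Filter 'Description -like "*pass*"' -Properties Description |
    Select-Object SamAccountName, Description

# Computers in the current domain with OS details and last logon
Get-ADComputer -Filter * -Properties OperatingSystem, OperatingSystemVersion, LastLogonDate |
    Select-Object Name, DNSHostName, OperatingSystem, OperatingSystemVersion, LastLogonDate

# All groups, and groups with a particular word in the name
Get-ADGroup -Filter * | Select-Object Name, GroupScope, GroupCategory
Get-ADGroup -Filter 'Name -like "*admin*"' | Select-Object Name, DistinguishedName

# Domain Admins, resolved recursively so members of nested groups are included
Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Select-Object Name, SamAccountName, objectClass

# Group memberships of a single user (direct memberships only)
Get-ADPrincipalGroupMembership -Identity 'jdoe' | Select-Object Name, GroupScope
```

Note that Get-ADPrincipalGroupMembership only returns direct memberships; to see what a user inherits through nesting, walk the groups it returns with Get-ADGroupMember -Recursive, or compare against the recursive Domain Admins list above.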

List All Local Groups on the Current Machine (on non-DC machines it requires admin privileges) (PowerView)

List All Local Groups on Another Machine (on non-DC machines it requires admin privileges) (PowerView)

  • Using crackmapexec

Finding Logged-On Users

Get Active Users on a Machine (requires local admin rights on the target) (PowerView)

  • Using crackmapexec

Get Local Logged-On Users on Another Machine (needs the Remote Registry service on the target; started by default on server OS) (PowerView_dev)

Get the Last Logged-On User on a Computer (needs admin privileges and remote registry on the target) (PowerView)

Finding Interesting Files and Shares (PowerView)

  • Using crackmapexec

Find All File Servers on the Domain With a Focus on High Value Targets (PowerView)

Group Policy Objects (GPOs)

Find GPOs in the Current Domain

Find GPOs Which Use Restricted Groups or groups.xml for Interesting Users

Find Users Which Are in a Local Group of a Machine Using a GPO

Find Machines Where a User is a Member of a Specific Group

Get OUs in a Domain
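The GPO and OU items above done with the Active Directory and GroupPolicy modules, as an added example that is not code from the original page. It assumes the GroupPolicy module (part of RSAT) is available; 'Default Domain Policy' is used only as a placeholder GPO name.

```powershell
# Added example (not from the original page): OU and GPO enumeration with the
# Active Directory and GroupPolicy modules. Assumes RSAT's GroupPolicy module is installed.
Import-Module GroupPolicy

# OUs in the domain, with their linked GPOs (gPLink holds the link list as LDAP paths)
Get-ADOrganizationalUnit -Filter * -Properties gPLink |
    Select-Object Name, DistinguishedName, gPLink

# All GPOs in the current domain
Get-GPO -All | Select-Object DisplayName, Id, GpoStatus, ModificationTime

# Which OUs link a given GPO (placeholder name); gPLink contains the GPO's GUID
$gpo = Get-GPO -Name 'Default Domain Policy'
Get-ADOrganizationalUnit -Filter * -Properties gPLink |
    Where-Object { $_.gPLink -match $gpo.Id.Guid } |
    Select-Object Name, DistinguishedName

# Restricted Groups and GPP Local Users and Groups (groups.xml) live in the GPO's
# SYSVOL content, so inspect the GPO report rather than the AD object for them
Get-GPOReport -Guid $gpo.Id -ReportType Xml |
    Select-String -Pattern 'RestrictedGroups|LocalUsersAndGroups|groups.xml'
```

Looping the last step over Get-GPO -All gives a quick inventory of every GPO that pushes local group membership, which is the list a defender wants to review for unexpected local administrators.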

Enumeration From Outside of the Network

I included some commands using crackmapexec.

In addition, many of these commands can be replicated from outside the network using pywerview.py.
