Basic Enumeration
We can use either PowerView.ps1 or the Active Directory Module to do domain enumeration from PowerShell.
For basic enumeration the AD Module is often the better choice: it relies on Microsoft's own tooling, whereas PowerView is widely signatured and may be blocked by AV/EDR.
In each code block the PowerView command comes first and the AD Module command second when both exist; otherwise I indicate which module to use.
Go here to grab the AD Module: https://github.com/samratashok/ADModule
Some commands also utilize PowerView_dev.ps1 which can be grabbed here: https://github.com/lucky-luk3/ActiveDirectory/blob/master/PowerView-Dev.ps1
Importing PowerView and the AD Module
Import-Module .\PowerView.ps1
Import-Module .\Microsoft.ActiveDirectory.Management.dll
Import-Module .\ActiveDirectory.psd1
Enumerating the domain
Get the Current Domain
Get-NetDomain
Get-ADDomain
Get the Object of Another Domain
Get-NetDomain -Domain bizcorp.local
Get-ADDomain -Identity bizcorp.local
Get Domain SIDs
Get-DomainSID
(Get-ADDomain).DomainSID
Get Domain Policy for the Current Domain
Get-DomainPolicy
Get Domain Policy for Another Domain (PowerView)
(Get-DomainPolicy -domain bizcorp.local)."system access"
Dump the Password Policy
(Get-DomainPolicy)."system access"
Get-ADDefaultDomainPasswordPolicy
Using crackmapexec
crackmapexec smb <target> -u <user> -p <pass> --pass-pol
Get Domain Controllers for the Current Domain
Get-NetDomainController
Get-ADDomainController
Get Domain Controllers for Another Domain
Get-NetDomainController -Domain bizcorp.local
Get-ADDomainController -DomainName bizcorp.local -Discover
Enumerating Users in the Domain
Get Users for the Current Domain
I should note that I find the AD Module to be more informative.
Get-NetUser [-Username <username>]
Get-ADUser -Filter * -Properties *
Get-ADUser -Identity <username> -Properties *
Using crackmapexec
crackmapexec smb/ldap <target> -u <user> -p <pass> --users
Get All Property Names for Users in the Current Domain
Get-UserProperty
Get-ADUser -Filter * -Properties * | select -First 1 | Get-Member -MemberType *Property | select Name
Selecting a Specific Property to Examine
Get-UserProperty -Properties pwdlastset
Get-ADUser -Filter * -Properties * | select name,@{expression={[datetime]::fromFileTime($_.pwdlastset)}}
Interesting Properties To Examine:
pwdlastset
badpwdcount
logoncount
OfficePhone/HomePhone/MobilePhone/Fax
any properties that give away location info, like POBox
EmailAddress
Description (may find credentials)
Searching For a String in a User's Attributes
Find-UserField -SearchField Description -SearchTerm "built"
Get-ADUser -Filter 'Description -Like "*built*"' -Properties Description | select name,Description
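As an added example (not code from the original page), the following AD Module script reviews the "interesting" attributes listed above for every user in one pass: it converts pwdlastset from FILETIME, flags passwords older than a threshold, checks Description for credential-like keywords, and reports which contact and location fields are populated. The 180-day threshold and the keyword list are assumptions to adjust to your own policy; the point is that the directory owner finds and cleans these up before anyone else's enumeration surfaces them.

```powershell
# Added example (not from the original page): audit the user attributes
# listed above with the AD Module so stale passwords and credentials left
# in free-text fields are found and cleaned up by the directory owner.
Import-Module ActiveDirectory

function Get-UserAttributeAudit {
    param(
        # Assumption: 180 days is the audit threshold; set it to your own policy
        [int]$MaxPasswordAgeDays = 180,
        # Assumption: words that often mark credentials left in Description
        [string[]]$SensitiveKeywords = @('pass', 'pwd', 'cred', 'login')
    )

    $props = 'pwdLastSet', 'badPwdCount', 'logonCount', 'Description',
             'OfficePhone', 'HomePhone', 'MobilePhone', 'Fax', 'EmailAddress', 'POBox'

    Get-ADUser -Filter * -Properties $props | ForEach-Object {
        $user = $_

        # pwdLastSet is a Windows FILETIME (100 ns ticks since 1601-01-01);
        # 0 means the account must change its password at next logon.
        $pwdSet = $null
        if ($user.pwdLastSet -gt 0) { $pwdSet = [datetime]::FromFileTime($user.pwdLastSet) }
        $ageDays = $null
        if ($pwdSet) { $ageDays = [int]((Get-Date) - $pwdSet).TotalDays }

        # Keyword check on Description; -like avoids treating the keyword as a regex
        $desc = [string]$user.Description
        $hits = @($SensitiveKeywords | Where-Object { $desc -like "*$_*" })

        # Contact and location fields that leak useful context when left populated
        $contact = @('OfficePhone', 'HomePhone', 'MobilePhone', 'Fax', 'POBox') |
            Where-Object { -not [string]::IsNullOrEmpty($user.$_) }

        [pscustomobject]@{
            Name                = $user.SamAccountName
            Enabled             = $user.Enabled
            PasswordLastSet     = $pwdSet
            PasswordAgeDays     = $ageDays
            StalePassword       = ($null -ne $ageDays -and $ageDays -gt $MaxPasswordAgeDays)
            BadPwdCount         = $user.badPwdCount
            LogonCount          = $user.logonCount
            DescriptionKeywords = ($hits -join ',')
            ContactFieldsSet    = ($contact -join ',')
            Email               = $user.EmailAddress
        }
    }
}

# Usage: list only the accounts that need attention
Get-UserAttributeAudit |
    Where-Object { $_.StalePassword -or $_.DescriptionKeywords } |
    Sort-Object PasswordAgeDays -Descending |
    Format-Table Name, Enabled, PasswordAgeDays, DescriptionKeywords, ContactFieldsSet -AutoSize
```

Run it as a domain user with read access to the directory; no elevated rights are needed. Pipe the full output to Export-Csv if you want the complete inventory rather than only the flagged accounts.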
Enumerating Computers
Listing the Computers in the Current Domain
Get-NetComputer
Get-NetComputer -OperatingSystem "*Server 2016*"
Get-NetComputer -Ping
Get-NetComputer -FullData
Get-ADComputer -Filter * | select Name
Get-ADComputer -Filter 'OperatingSystem -like "*Server 2016*"' -Properties OperatingSystem | select Name,OperatingSystem
Get-ADComputer -Filter * -Properties DNSHostName | %{Test-Connection -Count 1 -ComputerName $_.DNSHostName}
Get-ADComputer -Filter * -Properties *
Using crackmapexec
crackmapexec smb <target> -u <user> -p <pass> --computers
Enumerating Groups
List All the Groups in the Current Domain
Get-NetGroup
Get-NetGroup -Domain <targetdomain>
Get-NetGroup -FullData
Get-ADGroup -Filter * | select Name
Get-ADGroup -Filter * -Properties *
Using crackmapexec
crackmapexec smb/ldap <target> -u <user> -p <pass> --groups
Searching for Groups With a Particular Word in the Name
Get-NetGroup *admin*
Get-ADGroup -Filter 'Name -like "*admin*"' | select Name
Find All Domain Admins
Get-NetGroupMember -GroupName "Domain Admins" -Recurse
Get-ADGroupMember -Identity "Domain Admins" -Recursive
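-Recurse and -Recursive flatten nested membership away, which is exactly what you do not want in an access review of a privileged group. As an added example (not from the original page), this AD Module function walks the membership graph itself and reports each effective member of Domain Admins together with the chain of nested groups that grants the membership; the group name and output shape are my own choices.

```powershell
# Added example (not from the original page): walk a privileged group's
# membership graph with the AD Module so every effective member is reported
# together with the nesting chain that grants the membership.
Import-Module ActiveDirectory

function Get-NestedGroupMember {
    param(
        [Parameter(Mandatory)][string]$Group,   # name or distinguished name
        [string]$Via = $Group,                  # readable chain built during recursion
        [hashtable]$Seen = @{}                  # guards against circular nesting
    )
    $g = Get-ADGroup -Identity $Group -Properties member
    if ($Seen.ContainsKey($g.DistinguishedName)) { return }
    $Seen[$g.DistinguishedName] = $true

    foreach ($dn in $g.member) {
        $obj = Get-ADObject -Identity $dn -Properties objectClass, sAMAccountName
        if ($obj.objectClass -eq 'group') {
            # Descend into the nested group, extending the chain
            Get-NestedGroupMember -Group $dn -Via "$Via -> $($obj.Name)" -Seen $Seen
        } else {
            [pscustomobject]@{
                Member = $obj.sAMAccountName
                Class  = $obj.objectClass
                Via    = $Via
            }
        }
    }
}

# Usage: every effective member of Domain Admins and how they got there.
# Each nested group is expanded once, so a group linked in through two
# different chains is listed under the first chain that reaches it.
Get-NestedGroupMember -Group 'Domain Admins' | Sort-Object Member | Format-Table -AutoSize
```

Anything with a Via column longer than the group name itself is membership inherited through nesting, which is where unintended administrators usually hide.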
Enumerate Group Memberships of a User
Get-NetGroup -UserName <username>
Get-ADPrincipalGroupMembership -Identity <username>
List All Local Groups on the Current Machine (on non-DC machines it requires admin privileges) (PowerView)
Get-NetLocalGroup -ComputerName bizcorp.local -ListGroups
List All Local Groups on Another Machine (on non-DC machines it requires admin privileges) (PowerView)
Get-NetLocalGroup -ComputerName bizcorp.local -Recurse
Using crackmapexec
crackmapexec smb <target> -u <user> -p <pass> --local-groups
Finding Logged-On Users
Get Active Users on a Machine (requires local admin rights on the target) (PowerView)
Get-NetLoggedon -ComputerName <servername>
Using crackmapexec
crackmapexec smb <target> -u <user> -p <pass> --loggedon-users
Get Local Logged-On Users on Another Machine (needs Remote Registry on the target, which is started by default on server OS) (PowerView_dev)
Get-LoggedonLocal -ComputerName dc.bizcorp.local
Get the Last Logged-On User on a Computer (needs admin privileges and remote registry on the target) (PowerView)
Get-LastLoggedOn -ComputerName <servername>
Finding Interesting Files and Shares (PowerView)
Invoke-ShareFinder -Verbose
Invoke-FileFinder -Verbose
Using crackmapexec
crackmapexec smb <target> -u <user> -p <pass> --shares/--disks
Find All File Servers on the Domain With a Focus on High Value Targets (PowerView)
Get-NetFileServer
Group Policy Objects (GPOs)
Find GPOs in the Current Domain
Get-NetGPO [-ComputerName dc.bizcorp.local]
Get-GPO -All
Find GPOs Which Use Restricted Groups or groups.xml for Interesting Users
Get-NetGPOGroup # PowerView
Find Users Which Are in a Local Group of a Machine Using a GPO
Find-GPOComputerAdmin -ComputerName bizcorp.local
Find Machines Where a User is a Member of a Specific Group
Find-GPOLocation -Username <user> -Verbose
Get OU's in a Domain
Get-NetOU -FullData
Get-ADOrganizationalUnit -Filter * -Properties *
Get the GPOs Applied to an OU and Read the GPO Name from the gPLink Attribute
1) Get-ADOrganizationalUnit -Filter * -Properties * | select gplink
2) Get-NetGPO -GPOName <{AB306569....}> # PowerView
Get-GPO -Guid <gplink> # AD Module
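The gPLink attribute is a single string of the form [LDAP://cn={GUID},cn=policies,cn=system,DC=...;options], repeated once per linked GPO, where the trailing number encodes the link flags (bit 0 = link disabled, bit 1 = enforced). As an added example (not from the original page), the following code decodes that string into GPO GUIDs and flags, and then resolves each GUID to a display name with Get-GPO. The parser runs offline on a constructed sample; only Get-OUGPOLink queries the domain, and both function names are my own.

```powershell
# Added example (not from the original page): decode the raw gPLink attribute
# of an OU into the linked GPOs with their link flags, then resolve each GUID
# to a display name with Get-GPO.

function ConvertFrom-GPLink {
    param([Parameter(ValueFromPipeline)][AllowEmptyString()][string]$GPLink)
    process {
        if ([string]::IsNullOrWhiteSpace($GPLink)) { return }
        # Each link is "[LDAP://cn={GUID},cn=policies,cn=system,DC=...;<options>]".
        # options bit 0 (value 1) = link disabled, bit 1 (value 2) = enforced.
        $pattern = '\[LDAP://cn=\{(?<guid>[0-9A-Fa-f-]+)\},(?<dn>[^;]+);(?<opt>\d+)\]'
        $position = 0
        foreach ($m in [regex]::Matches($GPLink, $pattern)) {
            $opt = [int]$m.Groups['opt'].Value
            [pscustomobject]@{
                Position = ++$position          # order in the attribute string
                Guid     = [guid]$m.Groups['guid'].Value
                Enforced = [bool]($opt -band 2)
                Disabled = [bool]($opt -band 1)
            }
        }
    }
}

function Get-OUGPOLink {
    # Requires the ActiveDirectory and GroupPolicy modules and a reachable DC
    Import-Module ActiveDirectory, GroupPolicy
    Get-ADOrganizationalUnit -Filter * -Properties gPLink | ForEach-Object {
        $ou = $_
        $ou.gPLink | ConvertFrom-GPLink | ForEach-Object {
            $gpo = Get-GPO -Guid $_.Guid -ErrorAction SilentlyContinue
            $name = '<unresolved>'
            if ($gpo) { $name = $gpo.DisplayName }
            [pscustomobject]@{
                OU       = $ou.DistinguishedName
                GPO      = $name
                Guid     = $_.Guid
                Enforced = $_.Enforced
                Disabled = $_.Disabled
            }
        }
    }
}

# Offline check with a constructed gPLink value; the two GUIDs are the
# well-known Default Domain Policy and Default Domain Controllers Policy.
$sample = '[LDAP://cn={31B2F340-016D-11D2-945F-00C04FB984F9},cn=policies,cn=system,DC=bizcorp,DC=local;0]' +
          '[LDAP://cn={6AC1786C-016F-11D2-945F-00C04fB984F9},cn=policies,cn=system,DC=bizcorp,DC=local;2]'
$sample | ConvertFrom-GPLink | Format-Table -AutoSize

# Against the live domain:
# Get-OUGPOLink | Format-Table -AutoSize
```

An unresolved GUID in the live output means a link to a GPO that no longer exists; a link flagged Disabled is a common source of "why is this policy not applying" surprises, and an Enforced link is worth knowing about before you assume a child OU can override it.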
Enumeration From Outside of the Network
I included some commands using crackmapexec.
In addition, many of these commands can be replicated from outside the network using pywerview.py.