Basic Enumeration

We can use either PowerView.ps1 or the Active Directory Module to do domain enumeration from PowerShell.

For basic enumeration, the AD Module may be better since it uses Microsoft tools. PowerView could potentially be blocked.

PowerView commands will appear first in each code block, AD Module commands second if there are two different commands in a block. Otherwise, I will indicate which module to use.

Go here to grab the AD Module: https://github.com/samratashok/ADModule

Some commands also utilize PowerView_dev.ps1 which can be grabbed here: https://github.com/lucky-luk3/ActiveDirectory/blob/master/PowerView-Dev.ps1

Importing PowerView and the AD Module

Import-Module .\PowerView.ps1

Import-Module .\Microsoft.ActiveDirectory.Management.dll
Import-Module .\ActiveDirectory.psd1

Enumerating the domain

Get the Current Domain

Get-NetDomain
Get-ADDomain

Get the Object of Another Domain

Get-NetDomain -Domain bizcorp.local
Get-ADDomain -Identity bizcorp.local

Get Domain SIDs

Get-DomainSID
(Get-ADDomain).DomainSID

Get Domain Policy for the Current Domain

Get-DomainPolicy

Get Domain Policy for Another Domain (PowerView)

(Get-DomainPolicy -domain bizcorp.local)."system access"

Dump the Password Policy

(Get-DomainPolicy)."system access"
Get-ADDefaultDomainPasswordPolicy
  • Using crackmapexec

crackmapexec smb <target> -u <user> -p <pass> --pass-pol

Get Domain Controllers for the Current Domain

Get-NetDomainController
Get-ADDomainController

Get Domain Controllers for Another Domain

Get-NetDomainController -Domain bizcorp.local
Get-ADDomainController -DomainName bizcorp.local -Discover

Enumerating Users in the Domain

Get Users for the Current Domain

  • I should note that I find the AD Module to be more informative.

Get-NetUser [-Username <username>]
Get-ADUser -Filter * -Properties *
Get-ADUser -Identity <username> -Properties *
  • Using crackmapexec

crackmapexec smb/ldap <target> -u <user> -p <pass> --users

Get All Property Names for Users in the Current Domain

Get-UserProperty
Get-ADUser -Filter * -Properties * | select -First 1 | Get-Member -MemberType *Property | select Name

Selecting a Specific Property to Examine

Get-UserProperty -Properties pwdlastset
Get-ADUser -Filter * -Properties * | select name,@{expression={[datetime]::fromFileTime($_.pwdlastset)}}

Interesting Properties To Examine:
pwdlastset
badpwdcount
logoncount
OfficePhone/HomePhone/MobilePhone/Fax
any properties that give away location info like POBox
EmailAddress
Description (may find credentials)

Searching For a String in a User's Attributes

Find-UserField -SearchField Description -SearchTerm "built"
Get-ADUser -Filter 'Description -Like "*built*"' -Properties Description | select name,Description
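The following is an added example, not part of the original cheat sheet: a single AD Module function that pulls the interesting properties listed above, converts pwdlastset to a readable date, and flags accounts whose Description contains credential-like words, so an auditor can review what this enumeration exposes. It assumes the AD Module is imported and defaults to the current domain; the function name, keywords and the 365-day threshold are my own choices.

```powershell
# Added example (not from the original page): audit user accounts with the AD Module.
# Assumes the AD Module is imported; -Server and -SearchBase are optional and
# default to the current domain.
function Get-InterestingADUser {
    param(
        [string]$Server,
        [string]$SearchBase,
        [string[]]$Keywords = @('pass', 'pwd', 'cred', 'built'),
        [int]$StaleDays = 365
    )
    $props = 'Description','pwdLastSet','badPwdCount','logonCount','EmailAddress',
             'OfficePhone','MobilePhone','POBox','Enabled'
    $query = @{ Filter = '*'; Properties = $props }
    if ($Server)     { $query.Server     = $Server }
    if ($SearchBase) { $query.SearchBase = $SearchBase }

    $cutoff = (Get-Date).AddDays(-$StaleDays)
    foreach ($u in Get-ADUser @query) {
        # pwdLastSet is a FILETIME; 0 means the password must be changed at next logon
        $pwdSet = $null
        if ($u.pwdLastSet -gt 0) { $pwdSet = [datetime]::FromFileTime($u.pwdLastSet) }

        $hits = @()
        if ($u.Description) {
            # -match is case-insensitive; escape the keyword so it is matched literally
            $hits += $Keywords | Where-Object { $u.Description -match [regex]::Escape($_) }
        }
        if ($pwdSet -and $pwdSet -lt $cutoff) { $hits += "pwd older than $StaleDays days" }
        if ($u.POBox -or $u.OfficePhone -or $u.MobilePhone) { $hits += 'location/phone info' }
        if ($hits.Count -eq 0) { continue }

        [pscustomobject]@{
            Name        = $u.SamAccountName
            Enabled     = $u.Enabled
            PwdLastSet  = $pwdSet
            BadPwdCount = $u.badPwdCount
            Description = $u.Description
            Findings    = ($hits -join '; ')
        }
    }
}

# Usage: only accounts with at least one finding are returned
Get-InterestingADUser -Keywords 'pass','pwd','cred' -StaleDays 180 |
    Sort-Object Name | Format-Table -AutoSize
```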

Enumerating Computers

Listing the Computers in the Current Domain

Get-NetComputer
Get-NetComputer -OperatingSystem "*Server 2016*"
Get-NetComputer -Ping
Get-NetComputer -FullData

Get-ADComputer -Filter * | select Name
Get-ADComputer -Filter 'OperatingSystem -like "*Server 2016*"' -Properties OperatingSystem | select Name,OperatingSystem
Get-ADComputer -Filter * -Properties DNSHostName | %{Test-Connection -Count 1 -ComputerName $_.DNSHostName}
Get-ADComputer -Filter * -Properties *
  • Using crackmapexec

crackmapexec smb <target> -u <user> -p <pass> --computers

Enumerating Groups

List All the Groups in the Current Domain

Get-NetGroup
Get-NetGroup -Domain <targetdomain>
Get-NetGroup -FullData

Get-ADGroup -Filter * | select Name
Get-ADGroup -Filter * -Properties *
  • Using crackmapexec

crackmapexec smb/ldap <target> -u <user> -p <pass> --groups

Searching for Groups With a Particular Word in the Name

Get-NetGroup *admin*
Get-ADGroup -Filter 'Name -like "*admin*"' | select Name

Find All Domain Admins

Get-NetGroupMember -GroupName "Domain Admins" -Recurse
Get-ADGroupMember -Identity "Domain Admins" -Recursive

Enumerate Group Memberships of a User

Get-NetGroup -UserName <username>
Get-ADPrincipalGroupMembership -Identity <username>

List All Local Groups on the Current Machine (on non-DC machines it requires admin privileges) (PowerView)

Get-NetLocalGroup -ComputerName bizcorp.local -ListGroups

List All Local Groups on Another Machine (on non-DC machines it requires admin privileges) (PowerView)

Get-NetLocalGroup -ComputerName bizcorp.local -Recurse
  • Using crackmapexec

crackmapexec smb <target> -u <user> -p <pass> --local-groups

Finding Logged-On Users

Get Active Users on a Machine (requires local admin rights on the target) (PowerView)

Get-NetLoggedon -ComputerName <servername>
  • Using crackmapexec

crackmapexec smb <target> -u <user> -p <pass> --loggedon-users

Get Local Logged-On Users on Another Machine (needs Remote Registry on the target; started by default on server OS) (PowerView_dev)

Get-LoggedonLocal -ComputerName dc.bizcorp.local

Get the Last Logged-On User on a Computer (needs admin privileges and Remote Registry on the target) (PowerView)

Get-LastLoggedOn -ComputerName <servername>

Finding Interesting Files and Shares (PowerView)

Invoke-ShareFinder -Verbose
Invoke-FileFinder -Verbose
  • Using crackmapexec

crackmapexec smb <target> -u <user> -p <pass> --shares/--disks

Find All File Servers on the Domain With a Focus on High Value Targets (PowerView)

Get-NetFileServer

Group Policy Objects (GPOs)

Find GPOs in the Current Domain

Get-NetGPO [-ComputerName dc.bizcorp.local]
Get-GPO -All

Find GPOs Which Use Restricted Groups or groups.xml for Interesting Users

Get-NetGPOGroup # PowerView

Find Users Which Are in a Local Group of a Machine Using a GPO

Find-GPOComputerAdmin -ComputerName bizcorp.local

Find Machines Where a User is a Member of a Specific Group

Find-GPOLocation -Username <user> -Verbose

Get OUs in a Domain

Get-NetOU -FullData
Get-ADOrganizationalUnit -Filter * -Properties *

Find the GPOs Linked to an OU

1) Get-ADOrganizationalUnit -Filter * -Properties * | select gplink
2) Get-NetGPO -GPOName <{AB306569....}> # PowerView
   Get-GPO -Guid <guid-from-gplink> # AD Module
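The two-step gplink lookup above can be automated. This is an added example, not from the original page: it reads the gPLink attribute of every OU, pulls each GPO GUID out of the `[LDAP://cn={GUID},...;flags]` entries, and resolves it with Get-GPO, reporting whether the link is disabled or enforced and whether the OU blocks inheritance. It assumes the AD Module and the GroupPolicy module (Get-GPO) are available; the function name is my own.

```powershell
# Added example (not from the original page): resolve GPOs linked to each OU by
# parsing gPLink. Assumes the AD Module and GroupPolicy module are loaded; -Server is
# optional and defaults to the current domain.
function Get-OUGpoLink {
    param([string]$Server)
    $ouQuery = @{ Filter = '*'; Properties = 'gPLink','gPOptions' }
    if ($Server) { $ouQuery.Server = $Server }

    foreach ($ou in Get-ADOrganizationalUnit @ouQuery) {
        if (-not $ou.gPLink) { continue }
        # gPLink format: [LDAP://cn={GUID},cn=policies,cn=system,DC=x,DC=y;0][...;2]
        # The trailing number is a bitmask: 1 = link disabled, 2 = enforced.
        $links = [regex]::Matches($ou.gPLink, '\[LDAP://cn=\{([0-9a-fA-F-]+)\}[^;]*;(\d)\]')
        $position = 0
        foreach ($m in $links) {
            $position++   # order of appearance in the attribute, not GPMC link order
            $guid  = $m.Groups[1].Value
            $flags = [int]$m.Groups[2].Value

            # Resolve the GUID to a display name; a dangling link yields '<unresolved>'
            $gpo = $null
            try { $gpo = Get-GPO -Guid $guid -ErrorAction Stop } catch { }
            $name = '<unresolved>'
            if ($gpo) { $name = $gpo.DisplayName }

            [pscustomobject]@{
                OU           = $ou.DistinguishedName
                Position     = $position
                GpoGuid      = $guid
                GpoName      = $name
                LinkEnabled  = -not ($flags -band 1)
                Enforced     = [bool]($flags -band 2)
                BlockInherit = [bool]($ou.gPOptions -band 1)   # gPOptions 1 = block inheritance
            }
        }
    }
}

# Usage: one row per OU/GPO link
Get-OUGpoLink | Sort-Object OU, Position | Format-Table -AutoSize
```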

Enumeration From Outside of the Network

I included some commands using crackmapexec.

In addition, many of these commands can be replicated from outside the network using pywerview.py.
