
Basic Enumeration

We can use either PowerView.ps1 or the Active Directory Module to do domain enumeration from PowerShell.

For basic enumeration, the AD Module may be better since it uses Microsoft tools. PowerView could potentially be blocked.

PowerView commands appear first in each code block and AD Module commands second when a block contains both. Otherwise, I indicate which module the command belongs to.

Go here to grab the AD Module: https://github.com/samratashok/ADModule

Some commands also utilize PowerView_dev.ps1 which can be grabbed here: https://github.com/lucky-luk3/ActiveDirectory/blob/master/PowerView-Dev.ps1

Importing PowerView and the AD Module

Import-Module .\PowerView.ps1

Import-Module .\Microsoft.ActiveDirectory.Management.dll
Import-Module .\ActiveDirectory.psd1

Enumerating the domain

Get the Current Domain

Get-NetDomain
Get-ADDomain

Get the Object of Another Domain

Get-NetDomain -Domain bizcorp.local
Get-ADDomain -Identity bizcorp.local

Get Domain SID's

Get-DomainSID
(Get-ADDomain).DomainSID

Get Domain Policy for the Current Domain

Get-DomainPolicy

Get Domain Policy for Another Domain (AD Module)

(Get-DomainPolicy -domain bizcorp.local)."system access"

Dump the Password Policy

(Get-DomainPolicy)."system access"
Get-ADDefaultDomainPasswordPolicy
  • Using crackmapexec

crackmapexec smb <target> -u <user> -p <pass> --pass-pol

Get Domain Controllers for the Current Domain

Get-NetDomainController
Get-ADDomainController

Get Domain Controllers for Another Domain

Get-NetDomainController -Domain bizcorp.local
Get-ADDomainController -DomainName bizcorp.local -Discover

Enumerating Users in the Domain

Get Users for the Current Domain

  • I should note that I find the AD Module to be more informative.

Get-NetUser [-Username <username>]
Get-ADUser -Filter * -Properties *
Get-ADUser -Identity <username> -Properties *
  • Using crackmapexec

crackmapexec smb/ldap <target> -u <user> -p <pass> --users

Get All Property Names for Users in the Current Domain

Get-UserProperty
Get-ADUser -Filter * -Properties * | select -First 1 | Get-Member -MemberType *Property | select Name

Selecting a Specific Property to Examine

Get-UserProperty -Properties pwdlastset
Get-ADUser -Filter * -Properties * | select name,@{expression={[datetime]::fromFileTime($_.pwdlastset)}}

Interesting Properties To Examine:
  • pwdlastset
  • badpwdcount
  • logoncount
  • OfficePhone/HomePhone/MobilePhone/Fax
  • any properties that give away location info, like POBox
  • EmailAddress
  • Description (may contain credentials)

Searching For a String in a User's Attributes

Find-UserField -SearchField Description -SearchTerm "built"
Get-ADUser -Filter 'Description -Like "*built*"' -Properties Description | select name,Description
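The property list above and the Description search can be combined into a single review pass. The following is an added example, not a command from the original page: it uses the AD Module to pull the listed attributes for every user, converts pwdLastSet from FILETIME, and flags accounts whose description matches a small set of assumed credential-like keywords or whose password is older than an assumed 365-day threshold.

```powershell
# Added example (not from the original page): one-pass review of the user
# attributes listed above. Assumes the AD Module is loaded and the session has
# read access to the domain; the keyword list and age threshold are assumptions.
Import-Module ActiveDirectory

$MaxPasswordAgeDays = 365                          # assumed threshold
$keywordPattern     = 'pass|pwd|cred|temp|default' # assumed heuristic, tune per environment

$props = 'Description','pwdLastSet','badPwdCount','logonCount','EmailAddress',
         'OfficePhone','HomePhone','MobilePhone','Fax','POBox','Enabled'

Get-ADUser -Filter * -Properties $props | ForEach-Object {
    # pwdLastSet is a FILETIME; 0 means the user must change the password at next logon
    $pwdSet = if ($_.pwdLastSet) { [datetime]::FromFileTime($_.pwdLastSet) } else { $null }
    $age    = if ($pwdSet) { (Get-Date) - $pwdSet } else { $null }

    [pscustomobject]@{
        Name            = $_.SamAccountName
        Enabled         = $_.Enabled
        PwdLastSet      = $pwdSet
        PwdAgeDays      = if ($age) { [int]$age.TotalDays } else { $null }
        StalePassword   = [bool]($age -and $age.TotalDays -gt $MaxPasswordAgeDays)
        SuspectDesc     = [bool]($_.Description -and $_.Description -match $keywordPattern)
        HasLocationInfo = [bool]($_.POBox -or $_.OfficePhone -or $_.HomePhone -or $_.MobilePhone)
        BadPwdCount     = $_.badPwdCount
        LogonCount      = $_.logonCount
        Description     = $_.Description
    }
} | Where-Object { $_.StalePassword -or $_.SuspectDesc } |
    Sort-Object PwdAgeDays -Descending |
    Format-Table Name,Enabled,PwdAgeDays,StalePassword,SuspectDesc,Description -AutoSize
```

Drop the Where-Object stage to see every account with the computed columns rather than only the flagged ones.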

Enumerating Computers

Listing the Computers in the Current Domain

Get-NetComputer
Get-NetComputer -OperatingSystem "*Server 2016*"
Get-NetComputer -Ping
Get-NetComputer -FullData

Get-ADComputer -Filter * | select Name
Get-ADComputer -Filter 'OperatingSystem -like "*Server 2016*"' -Properties OperatingSystem | select Name,OperatingSystem
Get-ADComputer -Filter * -Properties DNSHostName | %{Test-Connection -Count 1 -ComputerName $_.DNSHostName}
Get-ADComputer -Filter * -Properties *
  • Using crackmapexec

crackmapexec smb <target> -u <user> -p <pass> --computers

Enumerating Groups

List All the Groups in the Current Domain

Get-NetGroup
Get-NetGroup -Domain <targetdomain>
Get-NetGroup -FullData

Get-ADGroup -Filter * | select Name
Get-ADGroup -Filter * -Properties *
  • Using crackmapexec

crackmapexec smb/ldap <target> -u <user> -p <pass> --groups

Searching for Groups With a Particular Word in the Name

Get-NetGroup *admin*
Get-ADGroup -Filter 'Name -like "*admin*"' | select Name

Find All Domain Admins

Get-NetGroupMember -GroupName "Domain Admins" -Recurse
Get-ADGroupMember -Identity "Domain Admins" -Recursive

Enumerate Group Memberships of a User

Get-NetGroup -UserName <username>
Get-ADPrincipalGroupMembership -Identity <username>

List All Local Groups on the Current Machine (on non-DC machines it requires admin privileges) (PowerView)

Get-NetLocalGroup -ComputerName bizcorp.local -ListGroups

List All Local Groups on Another Machine (on non-DC machines it requires admin privileges) (PowerView)

Get-NetLocalGroup -ComputerName bizcorp.local -Recurse
  • Using crackmapexec

crackmapexec smb <target> -u <user> -p <pass> --local-groups

Finding Logged-On Users

Get Active Users on a Machine (requires local admin rights on the target) (PowerView)

Get-NetLoggedon -ComputerName <servername>
  • Using crackmapexec

crackmapexec smb <target> -u <user> -p <pass> --loggedon-users

Get Local Logged-On Users on Another Machine (needs remote registry on the target - started by default on server OS) (PowerView_dev)

Get-LoggedonLocal -ComputerName dc.bizcorp.local

Get the Last Logged-On User on a Computer (needs admin privileges and remote registry on the target) (PowerView)

Get-LastLoggedOn -ComputerName <servername>

Finding Interesting Files and Shares (PowerView)

Invoke-ShareFinder -Verbose
Invoke-FileFinder -Verbose
  • Using crackmapexec

crackmapexec smb <target> -u <user> -p <pass> --shares/--disks

Find All File Servers on the Domain With a Focus on High Value Targets (PowerView)

Get-NetFileServer

Group Policy Objects (GPO's)

Find GPO's in the Current Domain

Get-NetGPO [-ComputerName dc.bizcorp.local]
Get-GPO -All

Find GPO's Which Use Restricted Groups or groups.xml for Interesting Users

Get-NetGPOGroup # PowerView

Find Users Which Are in a Local Group of a Machine Using a GPO

Find-GPOComputerAdmin -ComputerName bizcorp.local

Find Machines Where a User is a Member of a Specific Group

Find-GPOLocation -Username <user> -Verbose

Get OU's in a Domain

Get-NetOU -FullData
Get-ADOrganizationalUnit -Filter * -Properties *

Get-GPO Applied on an OU and Read GPO Name from the GPLink Attribute

1) Get-ADOrganizationalUnit -Filter * -Properties * | select gplink
2) Get-NetGPO -GPOName <{AB306569....}> # PowerView
   Get-GPO -Guid <gplink> # AD Module
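The two steps above can be automated by parsing the gPLink attribute directly. This is an added example, not a command from the original page: it uses the AD Module and the GroupPolicy module (Get-GPO) to extract each linked GPO GUID and its link flags from every OU and resolve the GUID to the GPO display name.

```powershell
# Added example (not from the original page): resolve the GPOs linked to each OU
# by parsing gPLink instead of copying the GUIDs by hand. Assumes the AD Module
# and the GroupPolicy module are loaded and the session can read the OUs.
Import-Module ActiveDirectory
Import-Module GroupPolicy

# gPLink holds zero or more entries shaped like
#   [LDAP://cn={GUID},cn=policies,cn=system,DC=bizcorp,DC=local;<flags>]
# where flags is a bitmask: bit 0 = link disabled, bit 1 = link enforced.
$linkPattern = '\[LDAP://cn=\{(?<guid>[0-9a-fA-F-]+)\},[^;]*;(?<flags>\d)\]'

Get-ADOrganizationalUnit -Filter * -Properties gPLink |
    Where-Object { $_.gPLink } |
    ForEach-Object {
        $ou = $_
        # Static Matches is case-sensitive by default, so pass IgnoreCase explicitly.
        foreach ($m in [regex]::Matches($ou.gPLink, $linkPattern, 'IgnoreCase')) {
            $guid  = $m.Groups['guid'].Value
            $flags = [int]$m.Groups['flags'].Value
            $gpo   = Get-GPO -Guid $guid -ErrorAction SilentlyContinue
            $name  = if ($gpo) { $gpo.DisplayName } else { '<unresolved>' }

            [pscustomobject]@{
                OU       = $ou.DistinguishedName
                GPOName  = $name
                GPOGuid  = $guid
                Enabled  = -not [bool]($flags -band 1)
                Enforced = [bool]($flags -band 2)
            }
        }
    } | Format-Table -AutoSize
```

An unresolved GUID indicates a link to a GPO that no longer exists or that the current account cannot read.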

Enumeration From Outside of the Network

I included some commands using crackmapexec.


In addition, many of these commands can be replicated from outside the network using pywerview.py.

Last updated 3 years ago