Basic Enumeration
We can use either PowerView.ps1 or the Active Directory Module to do domain enumeration from PowerShell.
For basic enumeration, the AD Module may be better since it uses Microsoft tools. PowerView could potentially be blocked.
PowerView commands will appear first in each code block, AD Module commands second if there are two different commands in a block. Otherwise, I will indicate which module to use.
Go here to grab the AD Module: https://github.com/samratashok/ADModule
Some commands also utilize PowerView_dev.ps1 which can be grabbed here: https://github.com/lucky-luk3/ActiveDirectory/blob/master/PowerView-Dev.ps1
Importing PowerView and the AD Module
Import-Module .\PowerView.ps1
Import-Module .\Microsoft.ActiveDirectory.Management.dll
Import-Module .\ActiveDirectory.psd1
Enumerating the Domain
Get the Current Domain
Get-NetDomain
Get-ADDomain
Get the Object of Another Domain
Get-NetDomain -Domain bizcorp.local
Get-ADDomain -Identity bizcorp.local
Get Domain SIDs
Get-DomainSID
(Get-ADDomain).DomainSID
Get Domain Policy for the Current Domain
Get-DomainPolicy
Get Domain Policy for Another Domain (PowerView)
(Get-DomainPolicy -domain bizcorp.local)."system access"
Dump the Password Policy
(Get-DomainPolicy)."system access"
Get-ADDefaultDomainPasswordPolicy
Using crackmapexec
crackmapexec smb <target> -u <user> -p <pass> --pass-pol
Get Domain Controllers for the Current Domain
Get-NetDomainController
Get-ADDomainController
Get Domain Controllers for Another Domain
Get-NetDomainController -Domain bizcorp.local
Get-ADDomainController -DomainName bizcorp.local -Discover
Enumerating Users in the Domain
Get Users for the Current Domain
I should note that I find the AD Module to be more informative.
Get-NetUser [-Username <username>]
Get-ADUser -Filter * -Properties *
Get-ADUser -Identity <username> -Properties *
Using crackmapexec
crackmapexec smb/ldap <target> -u <user> -p <pass> --users
Get All Property Names for Users in the Current Domain
Get-UserProperty
Get-ADUser -Filter * -Properties * | select -First 1 | Get-Member -MemberType *Property | select Name
Selecting a Specific Property to Examine
Get-UserProperty -Properties pwdlastset
Get-ADUser -Filter * -Properties * | select name,@{expression={[datetime]::fromFileTime($_.pwdlastset)}}
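The fromFileTime conversion above turns pwdlastset into a usable date, which is all an account-hygiene check needs. The following is an added example, not part of the original notes: a helper that flags accounts whose password is older than a threshold (or has pwdlastset of 0) and whose Description mentions credentials, a property the notes call out next. It runs offline on constructed sample objects; the function name, threshold and keyword pattern are my own choices.

```powershell
# Added example (not from the original notes): account-hygiene check built on
# the pwdlastset FILETIME conversion shown above. Function name, threshold and
# keyword pattern are assumptions; input objects only need Name, pwdlastset
# and Description, which is what Get-ADUser returns for those properties.
function Get-UserHygieneFindings {
    param(
        [Parameter(Mandatory)] [object[]] $Users,
        [int] $StaleDays = 180,
        [datetime] $Now = (Get-Date)
    )
    # Words that tend to appear when a password has been parked in Description
    $credentialPattern = 'pass(word|wd)?|pwd|cred|secret'
    foreach ($u in $Users) {
        $findings = @()
        # pwdlastset is a 64-bit FILETIME; 0 means the user must change it at next logon
        if ([int64]$u.pwdlastset -eq 0) {
            $findings += 'pwdlastset is 0 (password must be changed at next logon)'
        } else {
            $set = [datetime]::FromFileTime([int64]$u.pwdlastset)
            $ageDays = ($Now - $set).Days
            if ($ageDays -gt $StaleDays) {
                $findings += "password last set $ageDays days ago ($($set.ToString('yyyy-MM-dd')))"
            }
        }
        if ($u.Description -and $u.Description -match $credentialPattern) {
            $findings += "Description mentions credentials: '$($u.Description)'"
        }
        if ($findings.Count -gt 0) {
            [pscustomobject]@{ Name = $u.Name; Findings = ($findings -join '; ') }
        }
    }
}

# Constructed sample objects standing in for Get-ADUser output (offline demo).
$now = Get-Date
$sample = @(
    [pscustomobject]@{ Name = 'svc_backup'; pwdlastset = $now.AddDays(-400).ToFileTime(); Description = 'Backup service, password in KeePass' }
    [pscustomobject]@{ Name = 'jdoe';       pwdlastset = $now.AddDays(-30).ToFileTime();  Description = 'Sales' }
    [pscustomobject]@{ Name = 'newhire';    pwdlastset = 0;                                Description = $null }
)
Get-UserHygieneFindings -Users $sample -Now $now | Format-Table -AutoSize

# Against a live domain with the AD Module:
# Get-UserHygieneFindings -Users (Get-ADUser -Filter * -Properties pwdlastset,Description)
```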
Interesting Properties To Examine:
pwdlastset
badpwdcount
logoncount
OfficePhone/HomePhone/MobilePhone/Fax
any properties that give away location info, like POBox
EmailAddress
Description (may find credentials)
Searching For a String in a User's Attributes
Find-UserField -SearchField Description -SearchTerm "built"
Get-ADUser -Filter 'Description -Like "*built*"' -Properties Description | select name,Description
Enumerating Computers
Listing the Computers in the Current Domain
Get-NetComputer
Get-NetComputer -OperatingSystem "*Server 2016*"
Get-NetComputer -Ping
Get-NetComputer -FullData
Get-ADComputer -Filter * | select Name
Get-ADComputer -Filter 'OperatingSystem -like "*Server 2016*"' -Properties OperatingSystem | select Name,OperatingSystem
Get-ADComputer -Filter * -Properties DNSHostName | %{Test-Connection -Count 1 -ComputerName $_.DNSHostName}
Get-ADComputer -Filter * -Properties *
Using crackmapexec
crackmapexec smb <target> -u <user> -p <pass> --computers
Enumerating Groups
List All the Groups in the Current Domain
Get-NetGroup
Get-NetGroup -Domain <targetdomain>
Get-NetGroup -FullData
Get-ADGroup -Filter * | select Name
Get-ADGroup -Filter * -Properties *
Using crackmapexec
crackmapexec smb/ldap <target> -u <user> -p <pass> --groups
Searching for Groups With a Particular Word in the Name
Get-NetGroup *admin*
Get-ADGroup -Filter 'Name -like "*admin*"' | select Name
Find All Domain Admins
Get-NetGroupMember -GroupName "Domain Admins" -Recurse
Get-ADGroupMember -Identity "Domain Admins" -Recursive
Enumerate Group Memberships of a User
Get-NetGroup -UserName <username>
Get-ADPrincipalGroupMembership -Identity <username>
List All Local Groups on the Current Machine (on non-DC machines this requires admin privileges) (PowerView)
Get-NetLocalGroup -ComputerName bizcorp.local -ListGroups
List All Local Groups on Another Machine (on non-DC machines this requires admin privileges) (PowerView)
Get-NetLocalGroup -ComputerName bizcorp.local -Recurse
Using crackmapexec
crackmapexec smb <target> -u <user> -p <pass> --local-groups
Finding Logged-On Users
Get Active Users on a Machine (requires local admin rights on the target) (PowerView)
Get-NetLoggedon -ComputerName <servername>
Using crackmapexec
crackmapexec smb <target> -u <user> -p <pass> --loggedon-users
Get Local Logged-On Users on Another Machine (needs Remote Registry on the target; started by default on server OS) (PowerView_dev)
Get-LoggedonLocal -ComputerName dc.bizcorp.local
Get the Last Logged-On User on a Computer (needs admin privileges and Remote Registry on the target) (PowerView)
Get-LastLoggedOn -ComputerName <servername>
Finding Interesting Files and Shares (PowerView)
Invoke-ShareFinder -Verbose
Invoke-FileFinder -Verbose
Using crackmapexec
crackmapexec smb <target> -u <user> -p <pass> --shares/--disks
Find All File Servers on the Domain With a Focus on High Value Targets (PowerView)
Get-NetFileServer
Group Policy Objects (GPOs)
Find GPOs in the Current Domain
Get-NetGPO [-ComputerName dc.bizcorp.local]
Get-GPO -All
Find GPOs Which Use Restricted Groups or groups.xml for Interesting Users
Get-NetGPOGroup # PowerView
Find Users Which Are in a Local Group of a Machine Using a GPO
Find-GPOComputerAdmin -ComputerName bizcorp.local
Find Machines Where a User is a Member of a Specific Group
Find-GPOLocation -Username <user> -Verbose
Get OUs in a Domain
Get-NetOU -FullData
Get-ADOrganizationalUnit -Filter * -Properties *
Get GPOs Applied on an OU and Read the GPO Name from the GPLink Attribute
1) Get-ADOrganizationalUnit -Filter * -Properties * | select gplink
2) Get-NetGPO -GPOName <{AB306569....}> # PowerView
Get-GPO -Guid <gplink> # AD Module
Enumeration From Outside of the Network
I included some commands using crackmapexec.
In addition, many of these commands can be replicated from outside the network using pywerview.py.