Pentesting Articles and Notes

User Hunting

Find Machines in the Current Domain Where the Current User Has Local Admin Access

  • I should note that Find-LocalAdminAccess can be quite noisy...

Find-LocalAdminAccess -Verbose # PowerView
Invoke-CheckLocalAdminAccess -ComputerName <target-computer> # PowerView

. .\Find-WMILocalAdminAccess.ps1
Find-WMILocalAdminAccess [-ComputerFile <file>]

. .\Find-PSRemotingLocalAdminAccess.ps1
Find-PSRemotingLocalAdminAccess
  • Using pywerview.py

python pywerview.py invoke-checklocaladminaccess -w bizcorp.local -u <user> -p <pass> --computername <target-computer> [--check-access]

Find Local Admins on All Machines in the Domain (needs local admin privs on non-DC machines)

Invoke-EnumerateLocalAdmin -Verbose # PowerView

Find a Computer Where a Domain Admin (or a Specified User) Has a Session

  • This command can be quite noisy as well...

Invoke-UserHunter [-GroupName "<group>"] [-Stealth] # PowerView
Invoke-UserHunter -CheckAccess [-UserName <user>]

# If you check all computers EXCEPT the DC, you should be able to bypass ATA if sessions to the DC do not matter to you
Invoke-UserHunter -ComputerFile <computers_except_DC.txt> [-GroupName "<group>"] [-UserName <user>]
  • Using pywerview.py

python pywerview.py invoke-userhunter -w <domain> -u <user> -p <pass> -t <dc> [--groupname <group>] [--computername <computer>] [--computerfile <list-of-computers>]
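All three hunts above work by touching many hosts in quick succession (OpenSCManager or NetSessionEnum against each one), which is why the notes call them noisy: every probed host records a network logon (event 4624, logon type 3) for the same account and source. The following Python example is added here and is not part of the original notes; it flags any account/source pair that logs on to many distinct hosts inside a short window. The one-line-per-event log format, the account names, IPs and hostnames are all constructed for the example.

```python
"""Flag user-hunting style sweeps in centrally collected 4624/type-3 events.

Constructed input format (not a real forwarder format): one line per event,
comma-separated: timestamp, account, source_ip, target_host.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: "jdoe" probes 12 workstations in under a minute (a sweep),
# while a backup account touches three file servers at a normal pace.
SAMPLE_LOG = "\n".join(
    [f"2024-05-01T10:00:{i * 5:02d}Z,BIZCORP\\jdoe,10.0.0.50,WS{i:02d}" for i in range(12)]
    + [
        "2024-05-01T10:00:10Z,BIZCORP\\svc_backup,10.0.0.9,FS01",
        "2024-05-01T10:00:40Z,BIZCORP\\svc_backup,10.0.0.9,FS02",
        "2024-05-01T10:03:00Z,BIZCORP\\svc_backup,10.0.0.9,FS03",
    ]
)


def parse_line(line):
    """Split one constructed event line into (datetime, account, source_ip, host)."""
    ts, account, src, host = line.strip().split(",")
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), account, src, host


def find_sweeps(log_text, min_hosts=10, window_seconds=300):
    """Return [(account, source_ip, distinct_hosts)] for each account/source pair
    that logged on to at least min_hosts distinct hosts within window_seconds.

    A sliding window starts at every event so a sweep is caught wherever it
    begins; one alert per actor is emitted, with the first qualifying count.
    """
    window = timedelta(seconds=window_seconds)
    by_actor = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, account, src, host = parse_line(line)
            by_actor[(account, src)].append((ts, host))

    alerts = []
    for (account, src), events in by_actor.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            hosts = {h for ts, h in events[i:] if ts - start <= window}
            if len(hosts) >= min_hosts:
                alerts.append((account, src, len(hosts)))
                break
    return alerts


if __name__ == "__main__":
    for account, src, count in find_sweeps(SAMPLE_LOG):
        print(f"possible user-hunting sweep: {account} from {src} hit {count} hosts")
```

Tune min_hosts and window_seconds to the environment; vulnerability scanners and backup accounts will look similar and belong on an allow list rather than in a lower threshold.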

Last updated 3 years ago