Domain
Show domain info:
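# Show the current domain object (name, forest, PDC role owner, ...).
[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

# Build an LDAP path that binds explicitly to the PDC emulator's default
# naming context, e.g. LDAP://<pdc-host>/DC=<label>,DC=<label>.
$domainObj = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$PDC = ($domainObj.PdcRoleOwner).Name
$DistinguishedName = "DC=$($domainObj.Name.Replace('.', ',DC='))"
$SearchString = "LDAP://$PDC/$DistinguishedName"

# Bind the SearchRoot to that path. The original created a second, blank
# DirectoryEntry and assigned it as SearchRoot, which silently discarded the
# PDC path built above (the blank entry binds to the default context instead).
$objDomain = New-Object System.DirectoryServices.DirectoryEntry($SearchString)
$Searcher = New-Object System.DirectoryServices.DirectorySearcher($objDomain)

# sAMAccountType values (see the linked a-samaccounttype schema page):
#   805306368 (0x30000000) = SAM_NORMAL_USER_ACCOUNT -> user accounts
#   805306369 (0x30000001) = SAM_MACHINE_ACCOUNT     -> computer accounts
# Kept as a variable so the same script can be pointed at either class.
# NOTE(review): with 805306369 this query returns machine accounts, not users.
$SamAccountType = 805306369
$Searcher.Filter = "(samAccountType=$SamAccountType)"

# Run the query once (the original called FindAll() twice, hitting the DC
# with the same LDAP search two times) and release the SearchResultCollection,
# which holds unmanaged LDAP handles until disposed.
$Result = $Searcher.FindAll()
try {
    foreach ($obj in $Result) {
        foreach ($prop in $obj.Properties) { $prop }
        Write-Host "---------"
    }
}
finally {
    $Result.Dispose()
}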
Source: https://learn.microsoft.com/en-us/windows/win32/adschema/a-samaccounttype
Convert Hex to Decimal: https://www.rapidtables.com/convert/number/hex-to-decimal.html
805306369 = enum all user accounts
805306368 = enum all machines
ADModule
Import-Module Microsoft.ActiveDirectory.Management.dll
Get-ADDomain
Get-ADDomain -Identity <domain>
(Get-ADDomain).DomainSID
Get-ADDomainController [-DomainName <domain>]
Get-ADUser -Filter * -Properties * [-Server <domain>]
Get-ADUser -Identity <user>
Get-ADUser | gm -MemberType *Property | select name
Get-ADUser -Filter * -Properties * | select name,@{expression={[datetime]::fromFileTime($_.pwdlastset)}}
Get-ADUser -Filter 'Description -like "*pass*"' -Properties * | select name
Get-ADGroup -Filter * -Properties * | fl name   # or (Get-ADGroup -Filter *).Count for the total
Get-ADPrincipalGroupMembership -Identity <user>
Get-ADGroup -Filter "Name -like '*admin*'" | select name
Get-ADGroupMember -Identity "Domain Admins" -Recursive
Get-ADComputer -Filter * -Properties *
PowerView
Dot-source the script to import it: . .\powerview.ps1
Get-NetDomain
Get-NetDomain -Domain <domain>
Get-DomainSID
Get-DomainController [-Domain <domain>]
Get-DomainPolicy
(Get-DomainPolicy).SystemAccess
(Get-DomainPolicy).KerberosPolicy
Get-NetUser [(-Domain <domain>) | select name]
Get-NetUser -Identity <user>
Get-NetUser | gm   # gm = Get-Member
Get-NetUser | ?{$_.admincount -eq 1} | select name
Get-NetUser | ?{$_.logoncount -gt 0} | select name
Get-NetUser -Filter "(description=*)" | select name,description
Get-NetGroup [-Domain <domain>]
Get-NetGroup -UserName <user>
Get-NetGroup *admin* | select cn
Get-NetGroupMember "Administrators" [-Recurse]
Get-NetLoggedon [-ComputerName <computer>]   # requires admin rights
Get-LastLoggedOn [-ComputerName <computer>]   # requires admin rights
Get-NetComputer [-Domain] [-Ping] [-OperatingSystem "*Server*"]
Invoke-ShareFinder -verbose   # find open shares
Invoke-FileFinder -verbose    # find sensitive info
# requires admin priv
Find-LocalAdminAccess -verbose
Invoke-EnumerateLocalAdmin
Get-NetSession
query session
# search where an admin is logged on and whether the current user has access there
Invoke-UserHunter -Check Access