Domain



Show domain info:

# Print the current domain object.
[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
# Keep the domain object so its PDC role owner and DNS name can be reused below.
$domainObj = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
# Name of the domain controller holding the PDC emulator role.
$PDC = ($domainObj.PdcRoleOwner).Name
# Build an LDAP path of the form LDAP://<PDC>/DC=<label>,DC=<label>,...
$SearchString = "LDAP://"
$SearchString += $PDC + "/"
# Turn the DNS name (a.b.c) into a distinguished name (DC=a,DC=b,DC=c).
$DistinguishedName = "DC=$($domainObj.Name.Replace('.',',DC='))"
$SearchString += $DistinguishedName
# Searcher initially bound to the LDAP path built above.
$Searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$SearchString)
# NOTE(review): the next two lines overwrite SearchRoot with a DirectoryEntry
# created without a path, so the explicit PDC path in $SearchString is no longer
# the root that is searched. Drop them, or pass $SearchString to the
# DirectoryEntry constructor, if binding to the PDC is intended.
$objDomain = New-Object System.DirectoryServices.DirectoryEntry
$Searcher.SearchRoot=$objDomain
# LDAP filter on sAMAccountType. NOTE(review): 805306369 is 0x30000001, which the
# adschema reference linked at the bottom of the page lists as SAM_MACHINE_ACCOUNT;
# the prose below labels it as user accounts (0x30000000 = 805306368) — confirm
# which object class is meant before relying on the result.
$Searcher.filter="samAccountType=805306369"
# The first FindAll() prints the raw result collection; the second stores it for iteration.
$Searcher.FindAll()
$Result=$Searcher.FindAll()
# Dump every property of every result, separating entries with a marker line.
Foreach($obj in $Result){
Foreach($prop in $obj.Properties) {$prop}
Write-Host "---------"}

Source:

Convert Hex to Decimal:

805306369 (0x30000001) = enum all user accounts

805306368 (0x30000000) = enum all machines

ADModule

Import-Module Microsoft.ActiveDirectory.Management.dll

Get-ADDomain
Get-ADDomain -Identity <domain>
(Get-ADDomain).DomainSID
Get-ADDomainController [-DomainName <domain>]
Get-ADUser -Filter * -Properties * [-Server <domain>]
	Get-ADUser -Identity <user>
	Get-ADUser | gm -MemberType *Property | select name
	Get-ADUser -Filter * -Properties * | select name,@{expression={[datetime]::fromFileTime($_.pwdlastset)}}
	Get-ADUser -Filter 'Description -like "*pass*"' -Properties * | select name
Get-ADGroup -Filter * -Properties * | fl name //.count
	Get-ADPrincipalGroupMembership -Identity <user>
	Get-ADGroup -Filter "Name -like '*admin*'" | select name
Get-ADGroupMember -Identity "Domain Admins" -Recursive
Get-ADComputer -Filter * -Properties *

PowerView

Dot-source the script to import it: . .\powerview.ps1

Get-NetDomain
Get-NetDomain -Domain <domain>
Get-DomainSID
Get-DomainController [-Domain <domain>]
Get-DomainPolicy
	(Get-DomainPolicy).SystemAccess
	(Get-DomainPolicy).KerberosPolicy

Get-NetUser [(-Domain <domain>) | select name]
	Get-NetUser -Identity <user>
	Get-NetUser | gm //Get-Member
	Get-NetUser | ?{$_.admincount -eq 1} | select name
	Get-NetUser | ?{$_.logoncount -gt 0} | select name
	Get-NetUser -Filter "(description=*)" | select name,description

Get-NetGroup [-Domain <domain>]
	Get-NetGroup -UserName <user>
	Get-NetGroup *admin* | select cn
Get-NetGroupMember "Administrators" [-Recurse]

Get-NetLoggedon [-ComputerName <computer>] (admin rights required)
Get-LastLoggedOn [-ComputerName <computer>] (admin rights required)

Get-NetComputer [-Domain] [-Ping] [-OperatingSystem "*Server*"]
Invoke-ShareFinder -verbose //find open shares
Invoke-FileFinder -verbose  // find sensitive info

# requires admin priv
Find-LocalAdminAccess -verbose
Invoke-EnumerateLocalAdmin

Get-NetSession
query session

# search where admins are logged on and whether the current user has access
 Invoke-UserHunter -Check Access

https://learn.microsoft.com/en-us/windows/win32/adschema/a-samaccounttype
https://www.rapidtables.com/convert/number/hex-to-decimal.html