Johnermac
  • About me
  • Active Directory
    • PowerShell
      • Customize
      • Notes
      • ETW
      • AMSI Bypass
      • Obfuscation
    • Enumeration
      • Domain
      • GPO
      • ACL
      • Domain Trusts
      • Forest
      • Extra
      • BloodHound
      • BloodHound CE
  • Tunneling
    • Tools
      • Udp2Raw
      • Fraud Bridge
      • Chisel
      • SSF
      • Egress-Assess
      • Ligolo-ng
      • Sshutle
      • Rpivot
      • Tunna
      • reGeorg
      • Neo-reGeorg
      • PivotSuite
  • Post-Exploitation
    • Data Exfiltration
      • HTTP
        • Cancel
        • wget
        • bash
        • busybox
        • IRB
        • PHP
        • Ruby
      • ICMP
        • XXD
        • Ruby
        • Python
      • UDP
        • Netcat
      • TCP
        • Netcat
        • KSH
        • whois
        • Finger
      • HTTPS
        • Python
        • OpenSSL
  • BLOG
    • Articles
      • Pivoting for Red Teaming
Powered by GitBook
On this page
  1. Active Directory
  2. Enumeration

Extra

PreviousForestNextBloodHound

Last updated 1 year ago

PowerView

*local admin required
this goes through RPC and SMB ports:
Find-LocalAdminAccess -Verbose [-Thread <int>]
Invoke-CheckLocalAdminAccess

Invoke-EnumerateLocalAdmin -Verbose
Get-NetLocalGroup
using WMI is more stealthy:
Find-WMILocalAdminAccess.ps1

source: 

find where the domain admin has an open session:
Invoke-UserHunter [-GroupName <name> -Domain <domain> -CheckAccess -Stealth]
Get-NetSession
Get-NetLoggedOn

enum without PowerShell:

PywerView = https://github.com/the-useless-one/pywerview
WindapSearch = https://github.com/ropnop/windapsearch

https://github.com/admin0987654321/admin1/blob/master/Find-WMILocalAdminAccess.ps1