Active Directory Domain Enumeration

Domain enumeration requires either PowerView.ps1 or the Active Directory PowerShell module (ADModule). Where both are listed below, the PowerView command comes first, followed by the ADModule equivalent.

Enumeration

Get Current Domain


Get-NetDomain    # PowerView.ps1

Get-ADDomain     # ADModule


Get Object of another Domain


Get-NetDomain -Domain <target-domain>

Get-ADDomain -Identity <target-domain>


Get Domain SID for the current Domain


Get-DomainSID

(Get-ADDomain).DomainSID


Get Domain Policy for the current Domain


Get-DomainPolicy

(Get-DomainPolicy)."system access"
(Get-DomainPolicy)."Kerberos Policy"


Get Domain Policy for another Domain


(Get-DomainPolicy -domain <target-domain>)."system access"    # PowerView.ps1


Get Domain Controllers for the current Domain


Get-NetDomainController

Get-ADDomainController


Get Domain Controllers for another Domain


Get-NetDomainController -Domain <target-domain>

Get-ADDomainController -DomainName <target-domain> -Discover


Get list of users in the current Domain


Get-NetUser
Get-NetUser | select cn
Get-NetUser -Username <username>

Get-ADUser -Filter * -Properties *
Get-ADUser -Filter * -Properties * | select Name 
Get-ADUser -Identity <username>
Get-ADUser -Identity <username> -Properties * 


Get list of all properties for users in the current Domain


Get-UserProperty
Get-UserProperty -Properties pwdlastset
Get-UserProperty -Properties logoncount     # A small logon count means the account is not actively used, or it is a decoy account
Get-UserProperty -Properties badpwdcount    # These properties can be used to identify a honeyuser/decoy user from a legit one

Get-ADUser -Filter * -Properties * | select -First 1 | Get-Member -MemberType *Property | select Name
Get-ADUser -Filter * -Properties * | select name,@{Name='PwdLastSet';Expression={[datetime]::FromFileTime($_.pwdlastset)}}


Search for particular string in a user’s attributes


Find-UserField -SearchField Description -SearchTerm "built"

Get-ADUser -Filter 'Description -like "*built*"' -Properties Description | select name, Description 


Get a list of computers in the current Domain


Get-NetComputer
Get-NetComputer -OperatingSystem "*Server 2016*"
Get-NetComputer -Ping
Get-NetComputer -FullData

Get-ADComputer -Filter *
Get-ADComputer -Filter * | select Name
Get-ADComputer -Filter 'OperatingSystem -like "*Server 2016*"' -Properties OperatingSystem | select Name,OperatingSystem
Get-ADComputer -Filter * -Properties DNSHostName | %{Test-Connection -Count 1 -ComputerName $_.DNSHostName}
Get-ADComputer -Filter * -Properties * 


Get all the groups in the current Domain


Get-NetGroup
Get-NetGroup -Domain <target-domain>
Get-NetGroup -FullData

Get-ADGroup -Filter * | select Name
Get-ADGroup -Filter * -Properties *


Get all groups containing the word ‘admin’ in the Group name


Get-NetGroup
Get-NetGroup -GroupName *admin*
Get-NetGroup -GroupName *admin* -Domain <target-domain>
Get-NetGroup -FullData
Get-NetGroup "admin"
Get-NetGroup 'Domain Admins'
Get-NetGroup 'Domain Admins' -FullData

Get-ADGroup -Filter *
Get-ADGroup -Filter * | select name
Get-ADGroup -Filter 'Name -like "*admin*"' | select Name


Get all members of the Domain Admin’s Group


Get-NetGroupMember -GroupName 'Domain Admins'
Get-NetGroupMember -GroupName 'Enterprise Admins' -Domain <domain>
Get-NetGroupMember -GroupName 'Domain Admins' -Recurse
Get-NetGroupMember -GroupName 'Administrators' -Recurse

Get-ADGroupMember -Identity 'Domain Admins' -Recursive


Get all Group Memberships for a user


Get-NetGroup -UserName "<username>"

Get-ADPrincipalGroupMembership -Identity <username>


List all the Local Groups on a machine


Get-NetLocalGroup -ComputerName <computer-name>   
Get-NetLocalGroup -ComputerName <computer-name> -ListGroups  


Get members of all the Local Groups on a machine


# needs admin privs
Get-NetLocalGroup -ComputerName <computer> -Recurse


Get actively logged on users on a computer


# needs local admin rights on target
Get-NetLoggedon -ComputerName <computer-name>


Get locally logged on users on a computer


# needs remote registry on target/local admin rights
Get-LoggedonLocal -ComputerName <computer-name>


Get last logged on users on a computer


# needs admin rights and remote registry on target
Get-LastLoggedOn -ComputerName <computer-name>


Find shares on hosts in current Domain


Invoke-ShareFinder -Verbose
Invoke-ShareFinder -Verbose -ExcludeStandard -ExcludePrint -ExcludeIPC


Find sensitive files on computers in the Domain


Invoke-FileFinder -Verbose    # Needs read/write privs on a share


Get all fileservers of the Domain


Get-NetFileServer -Verbose    # Looks for high value targets - where lots of users connect/authenticate


Get list of GPOs in current Domain


Get-NetGPO
Get-NetGPO | select displayname     # Default Domain Policy & Default Domain Controllers Policy - same in all domains
Get-NetGPO -ComputerName <computer-name>

gpresult /R /V

Get-GPO -All      # GroupPolicy module
Get-GPResultantSetOfPolicy -ReportType Html -Path C:\users\administrator\report.html    # Provides RSoP


Get GPO(s) which use Restricted Groups or groups.xml for interesting users


Get-NetGPOGroup


Get users which are in a local group of a machine using GPO


Find-GPOComputerAdmin -ComputerName <computer-name>


Get machines where the given user is a member of a specific group


Find-GPOLocation -Username <username> -Verbose 


Get OUs in a Domain


Get-NetOU
Get-NetOU -FullData

Get-ADOrganizationalUnit -Filter * -Properties *


Get GPO applied on an OU


# Read the GPO GUID from the gPLink attribute returned by Get-NetOU -FullData
Get-NetGPO -GPOname "{ab30...}"

Get-GPO -Guid ab30...
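Worked example (added here; not code from the original cheat sheet or from PowerView/ADModule): instead of copying the GUID out of gPLink by hand, parse the attribute and resolve every linked GPO with Get-GPO, including whether each link is enabled or enforced. It assumes the ActiveDirectory and GroupPolicy modules are imported; the OU distinguished name at the bottom is a placeholder.

```powershell
# Added example: parse an OU's gPLink attribute and resolve each linked GPO.
# Assumes the ActiveDirectory and GroupPolicy modules are imported; the OU DN
# used at the bottom is a placeholder.
function Get-OULinkedGpo {
    param([Parameter(Mandatory)] [string] $OUDistinguishedName)

    $ou = Get-ADOrganizationalUnit -Identity $OUDistinguishedName -Properties gPLink, gPOptions
    if ([string]::IsNullOrEmpty($ou.gPLink)) { return }

    # gPLink is a string of entries like:
    #   [LDAP://cn={GUID},cn=policies,cn=system,DC=corp,DC=example;0]
    # The trailing number is the link options: bit 1 = link disabled, bit 2 = enforced.
    $pattern = '\[LDAP://cn=(\{[0-9a-f-]+\}),[^;\]]*;(\d+)\]'
    $index = 0
    foreach ($m in [regex]::Matches($ou.gPLink, $pattern, 'IgnoreCase')) {
        $index++
        $guid    = [guid]$m.Groups[1].Value
        $options = [int]$m.Groups[2].Value
        $gpo     = Get-GPO -Guid $guid -ErrorAction SilentlyContinue
        $name    = if ($gpo) { $gpo.DisplayName } else { '<GPO not found>' }

        [pscustomobject]@{
            OU               = $ou.DistinguishedName
            GpLinkPosition   = $index          # position in the gPLink string
            GpoGuid          = $guid
            DisplayName      = $name
            LinkEnabled      = -not ($options -band 1)
            Enforced         = [bool]($options -band 2)
            BlockInheritance = [bool]($ou.gPOptions -band 1)   # gPOptions bit 1 on the OU itself
        }
    }
}

# Placeholder OU; replace with a distinguished name from Get-NetOU or Get-ADOrganizationalUnit.
Get-OULinkedGpo -OUDistinguishedName 'OU=Workstations,DC=corp,DC=example' | Format-Table -AutoSize
```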


Get ACLs associated with the specified object


Get-ObjectAcl -SamAccountName <student1> -ResolveGUIDS



Get-ObjectAcl -ADSprefix 'CN=Administrator, CN=Users' -Verbose


Enumerate ACLs using ADModule but without resolving GUIDs


(Get-Acl 'AD:\CN=Administrator, CN=Users, DC=<>, DC=<>, DC=<>').Access



Get-ObjectAcl -ADSpath "LDAP://CN=Domain Admins, CN=Users, DC=<>, DC=<>, DC=<>" -ResolveGUIDs -Verbose


Search for interesting ACEs - write/modify rights etc.


Invoke-ACLScanner -ResolveGUIDs
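Worked example (added here; not PowerView or ADModule code) of what the ACL enumeration above does for a single object using only the ActiveDirectory module: it lists Allow ACEs that grant broad write rights to principals outside the expected admin set, and resolves each ACE's ObjectType GUID to an attribute or extended-right name the way -ResolveGUIDs does. The distinguished name and the expected-principal pattern are assumptions to adjust for your domain.

```powershell
# Added example: audit one AD object's ACL for broad write rights held by
# unexpected principals, resolving ObjectType GUIDs to names.
# Assumes the ActiveDirectory module is imported (which also provides the AD: drive);
# the DN at the bottom and the $expected pattern are placeholders to adjust.
function Get-BroadWriteAce {
    param([Parameter(Mandatory)] [string] $DistinguishedName)

    $rootDse = Get-ADRootDSE
    $guidMap = @{}
    # Extended rights (e.g. User-Force-Change-Password) live under CN=Extended-Rights in the configuration partition.
    Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.ConfigurationNamingContext)" `
        -LDAPFilter '(objectClass=controlAccessRight)' -Properties rightsGuid, displayName |
        ForEach-Object { $guidMap[[guid]$_.rightsGuid] = $_.displayName }
    # Attribute and class GUIDs come from the schema partition (schemaIDGUID is a byte array).
    Get-ADObject -SearchBase $rootDse.SchemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
        -Properties schemaIDGUID, lDAPDisplayName |
        ForEach-Object { $guidMap[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }

    # Rights that let a principal change the object or its security descriptor.
    $broad = 'GenericAll|GenericWrite|WriteDacl|WriteOwner|WriteProperty|ExtendedRight'
    # Principals expected to hold such rights; anything else deserves review.
    $expected = '^(NT AUTHORITY\\SYSTEM|BUILTIN\\Administrators|.*\\(Domain|Enterprise) Admins)$'

    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.ActiveDirectoryRights -notmatch $broad) { continue }
        if ($ace.IdentityReference.Value -match $expected) { continue }

        # An empty ObjectType means the ACE applies to the whole object, not one attribute/right.
        $target = if ($ace.ObjectType -eq [guid]::Empty) { 'All' }
                  elseif ($guidMap.ContainsKey($ace.ObjectType)) { $guidMap[$ace.ObjectType] }
                  else { $ace.ObjectType.ToString() }

        [pscustomobject]@{
            Object    = $DistinguishedName
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.ActiveDirectoryRights.ToString()
            AppliesTo = $target
            Inherited = $ace.IsInherited
        }
    }
}

# Placeholder DN; replace with the object you want to review.
Get-BroadWriteAce -DistinguishedName 'CN=Domain Admins,CN=Users,DC=corp,DC=example' | Format-Table -AutoSize
```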


Get ACLs associated with the specified path


Get-PathAcl -Path "\\<path>\"


Get a list of all Domain Trusts for the current Domain


Get-DomainTrust
Get-DomainTrust -API
Get-DomainTrustMapping
Get-NetDomainTrust
Get-NetDomainTrust -Domain <domain>

Get-ADTrust
Get-ADTrust -Filter *  
Get-ADTrust -Identity <domain>


Get details about the current Forest


Get-NetForest
Get-NetForest -Forest <forest-name>

Get-ADForest
Get-ADForest -Identity <forest-name>


Get all Domains in the current Forest


Get-NetForestDomain
Get-NetForestDomain -Forest <forest-name>

(Get-ADForest).Domains


Get all Global Catalogs for the current Forest


Get-NetForestCatalog
Get-NetForestCatalog -Forest <forest-name>

Get-ADForest | select -ExpandProperty GlobalCatalogs


Map trusts of a Forest


Get-ForestTrust
Get-NetForestTrust
Get-NetForestTrust -Forest <forest-name>

Get-ADTrust -Filter 'msDS-TrustForestTrustInfo -ne "$null"'


Find all machines on current Domain where current user has local admin access


Find-LocalAdminAccess -Verbose  


Find computers where a Domain admin (or specified user/group) has sessions


Invoke-UserHunter
Invoke-UserHunter -GroupName "RDPUsers"


Confirm admin access


Invoke-UserHunter -CheckAccess 


Find all computers where a domain admin is logged-in


Invoke-UserHunter -Stealth