Active Directory domain enumeration without PowerView or the Active Directory PowerShell module, using only tooling that ships with Windows. This page will be added to over time.
adsisearcher
[adsisearcher] is a Windows PowerShell type accelerator for searching Active Directory Domain Services. It is shorthand for the System.DirectoryServices.DirectorySearcher .NET class, so casting an LDAP filter string to [adsisearcher] gives you a searcher that is already bound to the current domain.
The DirectorySearcher class as described in the Microsoft documentation:
Use a DirectorySearcher object to search and perform queries against an Active Directory Domain Services hierarchy using Lightweight Directory Access Protocol (LDAP). LDAP is the only system-supplied Active Directory Service Interfaces (ADSI) provider that supports directory searching. An administrator can make, alter, and delete objects that are found in the hierarchy.
List All Users
```powershell
([adsisearcher]"(&(objectClass=User)(samaccountname=*))").FindAll().Properties.samaccountname
```
List Admins
admincount=1 is set by the SDProp process on members of protected groups (Domain Admins, Enterprise Admins, Administrators and so on) and is not cleared when an account is removed from those groups, so this list can include former admins. Treat it as a starting point and confirm current group membership.
```powershell
([adsisearcher]"(&(objectClass=User)(admincount=1))").FindAll().Properties.samaccountname
```
List Info of Specific User
```powershell
([adsisearcher]"(&(objectClass=User)(samaccountname=<username>))").FindAll().Properties
```
View Users with Description Field
Only user accounts that actually have a description set are returned (description=*):
```powershell
([adsisearcher]"(&(objectClass=user)(description=*))").FindAll().Properties | % { Write-Host "$($_.samaccountname) : $($_.description)" }
```
Get Users
Scope the search to a particular OU by setting SearchRoot (fill in the OU and DC components for the target domain):
```powershell
$ADSISearcher = [ADSISearcher]'(objectclass=user)'
$ADSISearcher.SearchRoot = [ADSI]"LDAP://OU=,OU=,DC=,DC="
$ADSISearcher.FindAll()
```
Search Single User
```powershell
([adsisearcher]'samaccountname=nigel').FindOne()
# or bind directly to the object when its distinguished name is already known
[adsi]'LDAP://CN=nigel,OU=Users,DC=domain,DC=local'
```
Authenticated Search
Pass explicit credentials to the DirectoryEntry constructor (path, username, password) to search as a different account, or from a host that is not joined to the domain. The password lands in the PowerShell history, so clear it afterwards.
```powershell
(New-Object adsisearcher((New-Object adsi("LDAP://example.com","domain\username","password")),"(info=*pass*)")).FindAll()
```
Search for Keyword
```powershell
([adsisearcher]"(info=*pass*)").FindAll()
([adsisearcher]"(info=*pass*)").FindAll() | %{ $_.GetDirectoryEntry() } | Select-Object sAMAccountName, info
```
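The one-liners above all hit the same two limits: a DirectorySearcher returns at most 1000 objects unless PageSize is set, and every attribute comes back as a collection that has to be unwrapped. The following is an added example (not code from the original post) that wraps DirectorySearcher in a reusable function and then uses it for a keyword sweep over the description attribute of users and computers, the same low-hanging fruit the dsquery -desc searches later on the page look for. It assumes a domain-joined context (no SearchRoot means the current domain root); the keyword list and the function name are this example's own choices.

```powershell
# Added example: paged LDAP search helper built on System.DirectoryServices.DirectorySearcher
function Invoke-LdapSearch {
    param(
        [Parameter(Mandatory)][string]$Filter,
        [string[]]$Properties = @('samaccountname', 'description', 'useraccountcontrol'),
        [string]$SearchBase,          # e.g. 'LDAP://OU=Staff,DC=domain,DC=local'; default is the current domain root
        [int]$PageSize = 1000         # > 0 makes the server page, lifting the 1000-result default limit
    )
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter   = $Filter
    $searcher.PageSize = $PageSize
    if ($SearchBase) { $searcher.SearchRoot = [adsi]$SearchBase }
    # only request the attributes we need; cheaper on the DC and on the wire
    $searcher.PropertiesToLoad.AddRange($Properties)

    foreach ($result in $searcher.FindAll()) {
        $obj = [ordered]@{ adspath = $result.Path }
        foreach ($p in $Properties) {
            # each attribute is a ResultPropertyValueCollection: unwrap single values,
            # keep multi-valued attributes (memberOf, servicePrincipalName, ...) as arrays
            $values = @($result.Properties[$p])
            $obj[$p] = if ($values.Count -le 1) { $values[0] } else { $values }
        }
        [pscustomobject]$obj
    }
}

# keyword sweep over description for both users and computers (keywords are this example's choice)
$keywords = 'pass', 'pwd', 'cred', 'key', 'temp'
$clauses  = ($keywords | ForEach-Object { "(description=*$_*)" }) -join ''
$filter   = "(&(|(objectCategory=person)(objectCategory=computer))(|$clauses))"
Invoke-LdapSearch -Filter $filter -Properties samaccountname, description |
    Format-Table samaccountname, description -AutoSize
```

Because the filter is one LDAP query, the DC does the matching and only the hits cross the network, which is both faster and quieter than pulling every object and filtering client-side.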
DNS
Get DC Info
nslookup can be used to find the domain controllers from DNS: the _ldap._tcp.dc._msdcs.<domain> SRV record lists every DC together with its LDAP port, hostname and IP address:
```text
C:\>nslookup
nslookup
DNS request timed out.
timeout was 2 seconds.
Default Server: UnKnown
Address: 172.16.249.200
> set type=all
> _ldap._tcp.dc._msdcs.htb.local
Server: UnKnown
Address: 172.16.249.200
_ldap._tcp.dc._msdcs.htb.local SRV service location:
priority = 0
weight = 100
port = 389
svr hostname = DC.htb.local
DC.htb.local internet address = 172.16.249.200
```
The domain is appended to the end of the _ldap._tcp.dc._msdcs. string; in this case the domain is htb.local. As a one-liner, the following command gives the same output as shown above:
```text
C:\> nslookup -querytype=all _ldap._tcp.dc._msdcs.htb.local
```
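The _ldap._tcp.dc._msdcs record is only one of the SRV records an AD domain publishes; the PDC emulator, global catalogs and Kerberos KDCs have their own. The following is an added example (not from the original post) that queries the common ones with Resolve-DnsName, the PowerShell equivalent of the nslookup session above. It assumes the DnsClient module (Windows 8 / Server 2012 and later) and takes the domain from $env:USERDNSDOMAIN, which is only set on a domain-joined logon; pass -Domain and -Server explicitly otherwise. The function name and the role labels are this example's own.

```powershell
# Added example: enumerate AD service locator records over DNS
function Get-DomainServiceRecords {
    param(
        [string]$Domain = $env:USERDNSDOMAIN,   # e.g. 'htb.local'
        [string]$Server                         # optional DNS server, e.g. the DC IP from nslookup
    )
    if (-not $Domain) { throw 'Not domain-joined: pass -Domain explicitly' }

    # SRV names every AD domain publishes; the _msdcs zone holds the DC-specific ones
    $services = [ordered]@{
        'DC (LDAP)'        = "_ldap._tcp.dc._msdcs.$Domain"
        'PDC emulator'     = "_ldap._tcp.pdc._msdcs.$Domain"
        'Global catalog'   = "_gc._tcp.$Domain"
        'Kerberos KDC'     = "_kerberos._tcp.$Domain"
        'Kerberos kpasswd' = "_kpasswd._tcp.$Domain"
    }

    foreach ($role in $services.Keys) {
        $srvQuery = @{ Name = $services[$role]; Type = 'SRV'; ErrorAction = 'SilentlyContinue' }
        if ($Server) { $srvQuery.Server = $Server }
        # Resolve-DnsName returns the SRV records followed by A records for their targets;
        # keep only the SRV entries here and resolve each host separately for a clean table
        foreach ($srv in (Resolve-DnsName @srvQuery | Where-Object Type -eq 'SRV')) {
            $aQuery = @{ Name = $srv.NameTarget; Type = 'A'; ErrorAction = 'SilentlyContinue' }
            if ($Server) { $aQuery.Server = $Server }
            $ip = (Resolve-DnsName @aQuery | Where-Object Type -eq 'A' | Select-Object -First 1).IPAddress
            [pscustomobject]@{
                Role     = $role
                Host     = $srv.NameTarget
                Port     = $srv.Port
                Priority = $srv.Priority
                Weight   = $srv.Weight
                IP       = $ip
            }
        }
    }
}

Get-DomainServiceRecords | Format-Table -AutoSize
```

A domain with several DCs returns one SRV record per DC for each role; the priority and weight fields show which ones clients prefer, and a DC that answers for _gc._tcp is also a global catalog.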
dsquery
Queries the directory by using search criteria that you specify. Each of the dsquery commands finds objects of a specific object type, with the exception of dsquery *, which can query for any type of object. See the Microsoft dsquery documentation for the full syntax.
Get Users
```text
> dsquery user -name *
"CN=Administrator,CN=Users,DC=MEGACORP,DC=LOCAL"
"CN=Guest,CN=Users,DC=MEGACORP,DC=LOCAL"
"CN=DefaultAccount,CN=Users,DC=MEGACORP,DC=LOCAL"
...
```
Get User Group Memberships
```text
> dsquery user -samid "nigel" | dsget user -memberof -expand
"CN=Remote Management Users,CN=Builtin,DC=MEGACORP,DC=LOCAL"
"CN=Domain Users,CN=Users,DC=MEGACORP,DC=LOCAL"
"CN=Users,CN=Builtin,DC=MEGACORP,DC=LOCAL"
```
Get Trusted Domains
```text
> dsquery * -filter "(objectClass=trustedDomain)" -attr *
objectClass: top
objectClass: leaf
objectClass: trustedDomain
cn: <REDACTED>
distinguishedName: <REDACTED>
instanceType: 4
whenCreated: 01/05/2020 16:27:58
whenChanged: 03/06/2020 13:34:11
uSNCreated: 21252
uSNChanged: 131946
showInAdvancedViewOnly: TRUE
name: <REDACTED>
objectGUID: <REDACTED>
securityIdentifier: <REDACTED>
trustDirection: 2
trustPartner: <REDACTED>
trustPosixOffset: -2147483648
trustType: 2
trustAttributes: 8
flatName: <REDACTED>
objectCategory: CN=Trusted-Domain,CN=Schema,CN=Configuration,<REDACTED>
isCriticalSystemObject: TRUE
dSCorePropagationData: 01/01/1601 00:00:00
msDS-TrustForestTrustInfo: <REDACTED>
ADsPath: <REDACTED>
```
The numeric attributes decode as follows: trustDirection 2 is outbound (1 is inbound, 3 bidirectional), trustType 2 is an uplevel (Active Directory) trust, and trustAttributes 8 is TRUST_ATTRIBUTE_FOREST_TRANSITIVE, i.e. a forest trust. This matches the "Direct Outbound" and "foresttrans" flags that nltest prints for the same trust further down.
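Reading trustDirection, trustType and trustAttributes by hand gets tedious once a forest has more than one trust. The following is an added example (not from the original post) that pulls every trustedDomain object with [adsisearcher] and decodes those fields; the flag values are the TRUST_ATTRIBUTE_* constants from MS-ADTS and the direction/type values are the ones the page's dsquery output uses. It assumes a domain-joined context; the function name is this example's own.

```powershell
# Added example: list and decode domain trusts from the trustedDomain objects
$directions = @{ 0 = 'Disabled'; 1 = 'Inbound'; 2 = 'Outbound'; 3 = 'Bidirectional' }
$types      = @{ 1 = 'Downlevel (NT4)'; 2 = 'Uplevel (AD)'; 3 = 'MIT Kerberos realm'; 4 = 'DCE' }
$attrFlags  = [ordered]@{            # trustAttributes bits (MS-ADTS)
    0x1   = 'NON_TRANSITIVE'
    0x2   = 'UPLEVEL_ONLY'
    0x4   = 'QUARANTINED_DOMAIN'     # SID filtering enforced
    0x8   = 'FOREST_TRANSITIVE'
    0x10  = 'CROSS_ORGANIZATION'     # selective authentication
    0x20  = 'WITHIN_FOREST'
    0x40  = 'TREAT_AS_EXTERNAL'
    0x80  = 'USES_RC4_ENCRYPTION'
    0x200 = 'CROSS_ORGANIZATION_NO_TGT_DELEGATION'
}

function Get-DomainTrust {
    $searcher = [adsisearcher]'(objectClass=trustedDomain)'
    $searcher.PropertiesToLoad.AddRange([string[]]('name', 'trustpartner', 'flatname',
        'trustdirection', 'trusttype', 'trustattributes', 'whencreated'))
    foreach ($t in $searcher.FindAll()) {
        $attrs = [int]$t.Properties['trustattributes'][0]
        $flagNames = $attrFlags.Keys | Where-Object { $attrs -band $_ } | ForEach-Object { $attrFlags[$_] }
        [pscustomobject]@{
            Name         = $t.Properties['name'][0]
            Partner      = $t.Properties['trustpartner'][0]
            FlatName     = $t.Properties['flatname'][0]
            # direction is from this domain's point of view: Outbound means this domain
            # trusts the partner, so the partner's principals can be granted access here
            Direction    = $directions[[int]$t.Properties['trustdirection'][0]]
            Type         = $types[[int]$t.Properties['trusttype'][0]]
            Attributes   = ($flagNames -join ',')
            SidFiltering = [bool]($attrs -band 0x4)
            Created      = $t.Properties['whencreated'][0]
        }
    }
}

Get-DomainTrust | Format-Table -AutoSize
```

The SidFiltering column is the one to look at first: a forest or external trust without QUARANTINED_DOMAIN set accepts SIDs in the SIDHistory of incoming principals, which is what SID history injection across trusts relies on.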
Find DCs in Forest
```text
> dsquery server -Forest
```
Find Users with Sensitive Descriptions
This is an interesting attribute to search, as some users and administrators put the password in the description field in the belief that nobody else can see it. By default, every authenticated user in the domain can read it.
By leveraging wildcards you can create some interesting search queries that may present you with some low hanging fruit.
```text
> dsquery user -desc *pass*
> dsquery user -desc *cred*
> dsquery user -desc *key*
```
Worth noting that the dsquery computer and dsquery server commands both support the -desc parameter.
nltest
You can use nltest to:
- Get a list of domain controllers
- Force a remote shutdown
- Query the status of a trust
- Test trust relationships and the state of domain controller replication in a Windows domain
- Force a user-account database to synchronize on Windows NT version 4.0 or earlier domain controllers
Run nltest /? for the full list of parameters.
Get Trusted Domains
```text
> nltest /trusted_domains
List of domain trusts:
0: <REDACTED> (NT 5) (Direct Outbound) ( Attr: foresttrans )
1: <REDACTED> (NT 5) (Forest Tree Root) (Primary Domain) (Native)
```
Get Parent Domain
PowerShell and .NET
Get Domain Controllers
```powershell
[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers
```
Get Current Domain
```powershell
[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
```
Get Domain Trusts
```powershell
([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).GetAllTrustRelationships()
```
Get Forest
```powershell
[System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
```
Get Forest Trusts
```powershell
([System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()).GetAllTrustRelationships()
```
Get Local SQL Server
SqlDataSourceEnumerator broadcasts to the SQL Browser service (UDP 1434) and lists the instances on the local network that answer. It does not query Active Directory, so instances whose Browser service is disabled or firewalled will not show up.
```powershell
[System.Data.Sql.SqlDataSourceEnumerator]::Instance.GetDataSources()
```
WMI Cmdlets
Get Local Route Table
```powershell
Get-WmiObject -Class Win32_IP4RouteTable
Get-WmiObject -Class Win32_IP4RouteTable | select description, nexthop
```
Get Local Users
Without a filter Win32_UserAccount also enumerates every domain account the host can see, which is very slow in a large domain; LocalAccount=True restricts it to the local SAM.
```powershell
Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True"
Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True" | select caption,SID,name
```
Get Local Groups
```powershell
Get-WmiObject -Class Win32_Group -Filter "LocalAccount=True"
```
Get Current Domain
```powershell
Get-WmiObject -Namespace root\directory\ldap -Class ds_domain | select -ExpandProperty ds_dc
(Get-WmiObject -Class Win32_ComputerSystem).Domain
```
Get Current Domain Policy
The duration and age values are stored as negative 100-nanosecond intervals, so divide by -600000000 for minutes.
```powershell
Get-WmiObject -Namespace root\directory\ldap -Class ds_domain | select DS_lockoutDuration, DS_lockoutObservationWindow, DS_lockoutThreshold, DS_maxPwdAge, DS_minPwdAge, DS_minPwdLength, DS_pwdHistoryLength, DS_pwdProperties
```
Get Domain Controller
```powershell
Get-WmiObject -Namespace root\directory\ldap -Class ds_computer | where-object {$_.ds_userAccountControl -eq 532480}
Get-WmiObject -Namespace root\directory\ldap -Class ds_computer | where-object {$_.ds_userAccountControl -eq 532480} | select ds_cn
```
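532480 is 0x2000 (SERVER_TRUST_ACCOUNT) plus 0x80000 (TRUSTED_FOR_DELEGATION), the combination a default DC carries, but an exact match misses a DC with any extra bit set. The following is an added example (not from the original post) that tests the userAccountControl bits individually: a bitwise test for SERVER_TRUST_ACCOUNT to find DCs, and the same decoder over ds_user to surface accounts worth a closer look (no Kerberos pre-authentication, no password required, non-expiring passwords, delegation rights). The flag values are the documented UF_* constants; it assumes the root\directory\ldap WMI provider works on the host, as the page's other WMI queries do, and the function name is this example's own.

```powershell
# Added example: decode userAccountControl instead of matching one magic number
$uacFlags = [ordered]@{
    0x2       = 'ACCOUNTDISABLE'
    0x20      = 'PASSWD_NOTREQD'
    0x80      = 'ENCRYPTED_TEXT_PWD_ALLOWED'
    0x200     = 'NORMAL_ACCOUNT'
    0x1000    = 'WORKSTATION_TRUST_ACCOUNT'
    0x2000    = 'SERVER_TRUST_ACCOUNT'        # set on every domain controller
    0x10000   = 'DONT_EXPIRE_PASSWORD'
    0x80000   = 'TRUSTED_FOR_DELEGATION'      # unconstrained delegation
    0x100000  = 'NOT_DELEGATED'
    0x400000  = 'DONT_REQ_PREAUTH'            # AS-REP roastable
    0x1000000 = 'TRUSTED_TO_AUTH_FOR_DELEGATION'  # protocol transition
}

function ConvertFrom-UserAccountControl([int]$Value) {
    ($uacFlags.Keys | Where-Object { $Value -band $_ } | ForEach-Object { $uacFlags[$_] }) -join ','
}

# domain controllers: any computer object with SERVER_TRUST_ACCOUNT set, whatever else is set
Get-WmiObject -Namespace root\directory\ldap -Class ds_computer |
    Where-Object { $_.ds_userAccountControl -band 0x2000 } |
    Select-Object ds_cn, ds_dNSHostName, @{ n = 'UAC'; e = { ConvertFrom-UserAccountControl $_.ds_userAccountControl } }

# enabled users carrying at least one of the risky flags
$interesting = 0x20 -bor 0x10000 -bor 0x80000 -bor 0x400000 -bor 0x1000000
Get-WmiObject -Namespace root\directory\ldap -Class ds_user |
    Where-Object { ($_.ds_userAccountControl -band $interesting) -and -not ($_.ds_userAccountControl -band 0x2) } |
    Select-Object ds_sAMAccountName, @{ n = 'UAC'; e = { ConvertFrom-UserAccountControl $_.ds_userAccountControl } } |
    Format-Table -AutoSize
```

The same decoder works on the useraccountcontrol attribute returned by [adsisearcher]; the WMI provider is just slower, so prefer LDAP in a large domain.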
Get Domain Users
```powershell
Get-WmiObject -Class Win32_UserAccount
Get-WmiObject -Class Win32_UserAccount | select name
Get-WmiObject -Class Win32_UserAccount -Filter "Domain = 'targetdomain'"
```
Get Domain Groups
```powershell
Get-WmiObject -Class Win32_Group
Get-WmiObject -Class Win32_GroupInDomain | fl *
Get-WmiObject -Class Win32_GroupInDomain | Foreach-Object {[wmi]$_.PartComponent}
Get-WmiObject -Class Win32_GroupInDomain | where-object {$_.GroupComponent -match "domain"} | foreach-object {[wmi]$_.PartComponent}
```
Get Domain Admins Group Members
```powershell
Get-WmiObject -Class Win32_GroupUser | where-object {$_.GroupComponent -match "Domain Admins"} | foreach-object {[wmi]$_.PartComponent}
Get-WmiObject -Class Win32_GroupUser | where-object {$_.GroupComponent -match "domain" -and $_.GroupComponent -match "Domain Admins"} | foreach-object {[wmi]$_.PartComponent}
```
Get User Group Memberships
```powershell
Get-WmiObject -Class Win32_GroupUser | where-object {$_.PartComponent -match "nigel"} | foreach-object {[wmi]$_.GroupComponent}
```
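Win32_GroupUser only shows direct membership, so a user who reaches Domain Admins through a nested group is missed by both the Domain Admins query and the per-user query above (dsget -memberof -expand earlier on the page does follow nesting). The following is an added example (not from the original post) that answers both questions transitively in a single LDAP query each, using the LDAP_MATCHING_RULE_IN_CHAIN rule OID 1.2.840.113556.1.4.1941, which makes the DC walk the member/memberOf chain server-side. Values interpolated into the filter are escaped per RFC 4515 so a DN containing parentheses or an asterisk cannot change the query. It assumes a domain-joined context; the group and user names at the bottom are the page's examples, and the function names are this example's own.

```powershell
# Added example: transitive group membership via LDAP_MATCHING_RULE_IN_CHAIN
function ConvertTo-LdapFilterValue([string]$Value) {
    # RFC 4515 escaping so a DN or account name containing ( ) * \ cannot alter the filter
    $sb = New-Object System.Text.StringBuilder
    foreach ($c in $Value.ToCharArray()) {
        switch ($c) {
            '\'     { [void]$sb.Append('\5c') }
            '*'     { [void]$sb.Append('\2a') }
            '('     { [void]$sb.Append('\28') }
            ')'     { [void]$sb.Append('\29') }
            "`0"    { [void]$sb.Append('\00') }
            default { [void]$sb.Append($c) }
        }
    }
    $sb.ToString()
}

# every user that is a member of $GroupName directly or through nested groups
function Get-NestedGroupMember {
    param([Parameter(Mandatory)][string]$GroupName)
    $group = ([adsisearcher]"(&(objectCategory=group)(sAMAccountName=$(ConvertTo-LdapFilterValue $GroupName)))").FindOne()
    if (-not $group) { throw "group '$GroupName' not found" }
    $dn = ConvertTo-LdapFilterValue $group.Properties['distinguishedname'][0]
    $searcher = [adsisearcher]"(&(objectCategory=person)(memberOf:1.2.840.113556.1.4.1941:=$dn))"
    $searcher.PageSize = 1000   # page past the 1000-result default limit
    foreach ($r in $searcher.FindAll()) {
        [pscustomobject]@{
            Group  = $GroupName
            Member = $r.Properties['samaccountname'][0]
            DN     = $r.Properties['distinguishedname'][0]
        }
    }
}

# every group $SamAccountName belongs to, including groups reached only through nesting.
# Note: the primary group (primaryGroupID, usually Domain Users) is not stored in member/memberOf
# and so never appears in chain matches.
function Get-NestedGroupMembership {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $user = ([adsisearcher]"(&(objectCategory=person)(sAMAccountName=$(ConvertTo-LdapFilterValue $SamAccountName)))").FindOne()
    if (-not $user) { throw "user '$SamAccountName' not found" }
    $dn = ConvertTo-LdapFilterValue $user.Properties['distinguishedname'][0]
    $searcher = [adsisearcher]"(&(objectCategory=group)(member:1.2.840.113556.1.4.1941:=$dn))"
    $searcher.PageSize = 1000
    foreach ($r in $searcher.FindAll()) {
        [pscustomobject]@{
            User  = $SamAccountName
            Group = $r.Properties['samaccountname'][0]
            DN    = $r.Properties['distinguishedname'][0]
        }
    }
}

Get-NestedGroupMember -GroupName 'Domain Admins' | Format-Table -AutoSize
Get-NestedGroupMembership -SamAccountName 'nigel' | Format-Table -AutoSize
```

Chain matching is expensive for the DC on deeply nested groups, so keep the base object specific (one group or one user) rather than running it across the whole directory.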
Get Domain Computers
```powershell
Get-WmiObject -Namespace root\directory\ldap -Class ds_computer
Get-WmiObject -Namespace root\directory\ldap -Class ds_computer | select -ExpandProperty ds_cn
# all populated attributes of one computer object, skipping the WMI system (__*) properties
(Get-WmiObject -Namespace root\directory\ldap -Class ds_computer | where-object {$_.ds_cn -eq "DC-Name"}).Properties | foreach-object {If($_.value -AND $_.name -notmatch "__"){@{$($_.name) = $($_.value)}}}
```