🔴Domain Enumeration

Enumeration

domain , domain controller , domain policy , users , computers , groups , group members

Domain Enumeration

get current domain

get-netdomain

get all domain in current forest

get-forestdomain -verbose

User Enumeration

all users names

get-domainuser | select -expandproperty samaccountname

single user all properties

get-domainuser -identity unmae -properties *

specific properties

get-domainuser | select name,logoncount,memberof,description,useraccountcontrol

single user specific properties

get-domainuser -identity uname | select name,logoncount,memberof,description,useraccountcontrol

Computer Enumeration

get-domaincomputer

get-domaincomputer | select name,dnshostname,objectsid

Group Enumeration

get-domaingroup | select name

get-netgroup -domain <domain-name>

get-domaingroup -identity "Domain Admins"

get-domaingroup -identity "Domain Admins" | select samaccountname,member,memberof

list local groups as well

get-netlocalgroup

Note:- this needs admin privlidges to run the command

get-netlocalgroup -computername <name>

Group-Member Enumeration

get-domaingroupmember -identity "Domain Admins"

get-netgroupmember -identity "Domain Admins" -recurse

get-domaingroupmember -identity "Domain Admins" | select MemberName,MemberObjectClass,MemberSID

Note:- this needs admin privlidges to run the command list local group members as well

get-netlocalmember -computername <name> -group <name>

Get-DomainGroupMember -Identity "Enterprise Admins"

Note:- Enterprise admins are only present in root domain of forest , so we have to pecificy the domain to make this command work

Get-DomainGroupMember -Identity "Enterprise Admins" -domain moneycorp.local

Objects (OUs) & Policies (GPOs) Enumeration

get-domainou

check policies applied on specific OU

get-domainou | select name,gplink,ou

check all computers in specific OU

(Get-DomainOU -Identity StudentMachines).distinguishedname | %{Get-DomainComputer -SearchBase $_} | select name

get-domaincomputer -searchbase 'OU=Domain Controllers,DC=dollarcorpDC=moneycorp,DC=local' | select name

get-domaingpo

check policy for specific computer

get-domaingpo -computeridentity <name>

get-domaingpo | select name,displayname,cn

check specific policy (identity

get-domaingpo -identity '{gpo-name}'

get-domaingpo -identity '{7478F170-6A0C-490C-B355-9E4618BC785D}'

check local group & computer as well

get-domaingpolocalgroup

get-domaingpocomputerlocalgroupmapping -identity <name>

get-domaingpocomputerlocalgroupmapping -computeridentity <name>

Logged on users

Note:- need local admin rights list logged on users

get-netloggedon -computername <name>

get-loggedonlocal -computername <name>

get-lastloggedon -computername <name>

Shares

find shares on host in current domain

invoke-sharefinder -verbose

find sensitives files

invoke-filefinder -verbose

get-file server

get-netfileserver

ACL enumeration

ACL is list of ACEs (access control entries) 2 types :- DACL & SACL DACL - define the access permission for user and group to access any file & folder (object) SACL - make logs of sucess or failuer when user try to access any object

get-objectacl -samaccountname <username> -resolveguids

get-objectacl -name Administrator -resolveguids | select acetype,objectdn,activedirectoryrights

prefix specified - user distinguishedname

get-objectacl -ADSprefix 'CN=Administrator,CN=Users' -verbose

path specified

get-objectacl -ADSpath "LDAP=://CN=Domain Admins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local" -verbose -resolveguids

search intresting ACLs

invoke-ACLScanner -resolveguids

ACL associated with specified path

get-pathacl -path "\\dcorp-dc.dollarcorp.moneycorp.local\sysvol"

Trust Enumeration

method of connecting two distinct Active Directory domains (or forests) to allow users in one domain to authenticate against resources in the other it can be automatic = (parent-child,same forest) or established = (external) 2 types of trust uni-directional = user in trusted domain can access the resources in trusting domain but reverse not possible bi-directional = user in both domains can access the resources of each other domain

get-netdomaintrust

get-netdomaintrust -domain EGOTISTICAL-BANK.LOCAL

get-netforest

get-netforestdomain

Forest Mapping

get-netforest -domain dollarcorp.moneycorp.local

get-netforesttrust

check global catalog

get-netforestcatalog -forest moneycorp.local

get-netforestcatalog

External Trust

external trust with current domain (moneycorp.local)

get-domaintrust | select sourcename,targetname,trustattributes

Get-ForestDomain | %{Get-DomainTrust -Domain $_.Name} | 
?{$_.TrustAttributes -eq "FILTER_SIDS"}

NOTE:- check trustattributes #whether it is WITHIN_FOREST or FILTER_SIDS

User Hunting

Local/Domain Admin have Access or Session

Note:- this commands run with only local admin access

find all the machines where our user has local admin access

find-localadminaccess -verbose

check local admin access on all machines

invoke-localadminaccess

tool to enumerate local-admin-access

Note:- this commands run with only local admin access , this means if the command run we do have local-admin-access and else if it doesent give any result it means we dont have local-admin-access

Find-WMILocalAdminAccess.ps1

do 'get-netcomputer' and save it in a file computers.txt and then

Find-WMILocalAdminAccess.ps1 -computerfile computers.txt

check local admin access on all machines of the domain a

invoke-enumeratelocaladmin -verbose

find all the computers where domian admin has session

invoke-userhunter

this command checks session & loggegon only on high traffic server like (DC , file server , distributed file server)

invoke-userhunter -stealth

invoke-userhunter -groupname <name>

to confirm admin access

invoke-userhunter -checkaccess