🛠️ CRTP Notes
  • πŸ› οΈCRTP Notes
  • βš™οΈCRTP Methodology
  • πŸ’‘Misc
    • PowerShell Basics
    • Bypass defenses
    • Transfer files
  • πŸ”¨Basic enumeration
    • General
    • Network
    • Protection
  • ⛏️AD Enumeration
    • Gnereral
    • ACL
    • Forests and Trusts
  • πŸ”ͺPrivilege Escalation
    • Local Privilege Escalation
    • Domain Privilege Escalation
      • Kerberoast
      • AS-REP Roasting
      • Delegations
    • Cross Domain Privilege Escalation
      • Trusts
      • AD CS
      • MSSQL Servers
  • 🏎️Lateral Movement
    • WinRM
    • Credentials Dumping
    • DC Sync
    • Over Pass The Hash
    • Runas
  • πŸ”§Persistence
    • Kerberos
      • Golden Ticket
      • Silver Ticket
      • Diamond Ticket
    • Skeleton Key
    • DSRM
    • Custom SSP
    • AdminSDHolder
    • Security Descriptors
    • ACL
  • πŸ›‘οΈMitigations
  • πŸ“šResources
    • AD attacking overall
    • Rubeus Guide
    • The Hacker Recipes
Powered by GitBook
On this page
  • Tools
  • BloodHound
  • Domain
  • Domain controller
  • Domain users
  • Domain Computers
  • Domain Groups
  • Group Policy
  • Organization Units
  • Local Groups
  • Shares
  • User Hunting

Was this helpful?

AD Enumeration

General

Last updated 7 months ago


Tools

PowerView

. C:\AD\Tools\PowerView.ps1

AD module (Microsoft signed)

Import-Module C:\AD\Tools\ADModule-master\Microsoft.ActiveDirectory.Management.dll
Import-Module C:\AD\Tools\ADModule-master\ActiveDirectory\ActiveDirectory.psd1

BloodHound

BloodHound Legacy:

# start db server
sudo neo4j console

# run bloodhound
bloodhound 

SharpHound collector:

# PowerShell
. SharpHound.ps1

Invoke-BloodHound -CollectionMethod All
Invoke-BloodHound -Stealth # Drop noisy collections such as RDP, DCOM, PSRemote and local admin
Invoke-BloodHound -ExcludeDCs # Skip domain controllers to avoid Microsoft Defender for Identity (MDI)


# executable
SharpHound.exe
SharpHound.exe --stealth # Drop noisy collections such as RDP, DCOM, PSRemote and local admin

Domain

PowerView

Get current domain

Get-Domain

Get Object of another domain

Get-Domain -Domain moneycorp.local

Get domain SID for the current domain

Get-DomainSID

Get domain policy for the current domain

Get-DomainPolicyData
(Get-DomainPolicyData).systemaccess

Get domain policy for another domain

(Get-DomainPolicyData -domain moneycorp.local).systemaccess

AD module

Get current domain

Get-ADDomain

Get Object of another domain

Get-ADDomain -Identity moneycorp.local

Get domain SID for the current domain

(Get-ADDomain).DomainSID

Domain controller

PowerView

Get domain controllers for the current domain

Get-DomainController

Get domain controllers for another domain

Get-DomainController -Domain moneycorp.local

AD module

Get domain controllers for the current domain

Get-ADDomainController

Get domain controllers for another domain

Get-ADDomainController -DomainName moneycorp.local -Discover

Domain users

PowerView

Get a list of users in the current domain

Get-DomainUser
Get-DomainUser -Identity student1

Get list of all properties for users in the current domain

Get-DomainUser -Identity student1 -Properties * 
Get-DomainUser -Properties samaccountname,logonCount

Search for a particular string in a user's attributes

Get-DomainUser -LDAPFilter "Description=*built*" | Select name,Description

Get actively logged users on a computer (requires local admin privileges)

Get-NetLoggedon -ComputerName dcorp-adminsrv

Get locally logged users on a computer (requires remote registry)

Get-LoggedonLocal -ComputerName dcorp-adminsrv

Get the last logged user on a computer (requires admin privileges and remote registry)

Get-LastLoggedOn -ComputerName dcorp-adminsrv

AD module

Get a list of users in the current domain

Get-ADUser -Filter * -Properties *
Get-ADUser -Identity student1 -Properties *

Get list of all properties for users in the current domain

Get-ADUser -Filter * -Properties * | select -First 1 | Get-Member -MemberType *Property | select Name
Get-ADUser -Filter * -Properties * | select name,logoncount,@{expression={[datetime]::fromFileTime($_.pwdlastset)}}

Search for a particular string in a user's attributes

Get-ADUser -Filter 'Description -like "*built*"' -Properties Description | select name,Description

Domain Computers

PowerView

Get a list of computers in the current domain

Get-DomainComputer | select Name
Get-DomainComputer -OperatingSystem "*Server 2022*"
Get-DomainComputer -Ping

AD module

Get a list of computers in the current domain

Get-ADComputer -Filter * | select Name
Get-ADComputer -Filter * -Properties *
Get-ADComputer -Filter 'OperatingSystem -like "*Server 2022*"' -Properties OperatingSystem | select Name,OperatingSystem
Get-ADComputer -Filter * -Properties DNSHostName | %{Test-Connection -Count 1 -ComputerName $_.DNSHostName}

Domain Groups

PowerView

Get all the groups

Get-DomainGroup | select Name
Get-DomainGroup -Domain <targetdomain>

Get all groups containing the word "admin" in group name

Get-DomainGroup *admin*

Get all the members of the Domain Admins group

Get-DomainGroupMember -Identity "Domain Admins" -Recurse

Get the group membership for a user

Get-DomainGroup -UserName "student1"

AD module

Get all the groups

Get-ADGroup -Filter * | select Name 
Get-ADGroup -Filter * -Properties *

Get all groups containing the word "admin" in group name

Get-ADGroup -Filter 'Name -like "*admin*"' | select Name

Get all the members of the Domain Admins group

Get-ADGroupMember -Identity "Domain Admins" -Recursive

Get the group membership for a user

Get-ADPrincipalGroupMembership -Identity student1

Group Policy

Get list of GPO in current domain

Get-DomainGPO
Get-DomainGPO -ComputerIdentity dcorp-student1

Get GPO(s) which use Restricted Groups

Get-DomainGPOLocalGroup

Get users which are in a local group of a machine using GPO

Get-DomainGPOComputerLocalGroupMapping -ComputerIdentity dcorp-student1

Get machines where the given user is member of a specific group

Get-DomainGPOUserLocalGroupMapping -Identity student1 -Verbose 

Organization Units

PowerView

Get OUs in a domain

# Get all domain OUs
Get-DomainOU

# Get all computers inside an OU
(Get-DomainOU -Identity StudentMachines).distinguishedname | %{Get-DomainComputer -SearchBase $_} | select name

Using Get-NetOU

# Get all computers inside an OU
(Get-NetOU -Identity StudentMachines).distinguishedname | %{Get-DomainComputer -SearchBase $_} | select name

# Get GPO applied on an OU 
Get-NetOU -Identity "StudentMachines" | select gplink # Get GPO ID
Get-DomainGPO -Identity "{0D1CC23D-1F20-4EEE-AF64-D99597AE2A6E}" # Get GPO Info

AD module

Get OUs in a domain

Get-ADOrganizationalUnit -Filter * -Properties *
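The `select gplink` step above returns the raw gPLink attribute, a string of `[LDAP://<GPO DN>;<flags>]` entries in which flag bit 1 means the link is disabled and bit 2 means it is enforced. As an added example (not part of the original notes), this Python parser pulls out each linked GPO GUID and its flags so the GUID can be fed to Get-DomainGPO or compared against the expected policy set. The sample string is constructed: the first GUID is the one queried above, the second GUID and the DC= components are placeholders.

```python
import re

# One gPLink entry: "[LDAP://<distinguished name>;<flags>]". Flag bit 1 = link disabled,
# bit 2 = link enforced; 0 is an ordinary enabled link.
GPLINK_ENTRY = re.compile(r"\[LDAP://([^;\]]+);(\d+)\]", re.IGNORECASE)
GUID_IN_DN = re.compile(r"cn=(\{[0-9a-f-]{36}\})", re.IGNORECASE)

# Constructed sample value of an OU's gPLink attribute (placeholder domain components).
SAMPLE_GPLINK = (
    "[LDAP://cn={0D1CC23D-1F20-4EEE-AF64-D99597AE2A6E},cn=policies,cn=system,"
    "DC=example,DC=local;0]"
    "[LDAP://cn={11111111-2222-3333-4444-555555555555},cn=policies,cn=system,"
    "DC=example,DC=local;3]"
)


def parse_gplink(gplink):
    """Return the linked GPOs in string order as dicts with guid, dn, disabled, enforced."""
    links = []
    for dn, flags in GPLINK_ENTRY.findall(gplink or ""):
        flags = int(flags)
        match = GUID_IN_DN.search(dn)
        links.append({
            "guid": match.group(1).upper() if match else None,
            "dn": dn,
            "disabled": bool(flags & 1),
            "enforced": bool(flags & 2),
        })
    return links


def effective_gpo_guids(gplink):
    """GUIDs of the links that actually apply to the container (disabled links dropped)."""
    return [link["guid"] for link in parse_gplink(gplink) if not link["disabled"]]


if __name__ == "__main__":
    for link in parse_gplink(SAMPLE_GPLINK):
        state = "disabled" if link["disabled"] else "enabled"
        if link["enforced"]:
            state += ", enforced"
        print(f"{link['guid']} ({state})")
    print("applied:", effective_gpo_guids(SAMPLE_GPLINK))
```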

Local Groups

List all the local groups on a machine (requires admin privileges)

Get-NetLocalGroup -ComputerName dcorp-dc

Get members of the local group "Administrators" on a machine (requires admin privileges)

Get-NetLocalGroupMember -ComputerName dcorp-dc -GroupName Administrators

Shares

Find shares on hosts in current domain.

Invoke-ShareFinder -Verbose


Find sensitive files on computers in the domain

Invoke-FileFinder -Verbose

Get all file servers of the domain

Get-NetFileServer

User Hunting

Find members of the RDP or WinRM local groups on a specific machine

Get-NetLocalGroupMember -ComputerName COMPUTER_NAME -GroupName "Remote Desktop Users"
Get-NetLocalGroupMember -ComputerName COMPUTER_NAME -GroupName "Remote Management Users"

Find all machines on the current domain where the current user has local admin access

# Very noisy
Find-LocalAdminAccess -Verbose

# Very noisy
# When SMB and RPC are blocked

# Load
. C:\AD\Tools\Find-WMILocalAdminAccess.ps1
# execute
Find-WMILocalAdminAccess

# Load
. C:\AD\Tools\Find-PSRemotingLocalAdminAccess.ps1
# execute
Find-PSRemotingLocalAdminAccess
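The commands marked "Very noisy" above leave one network logon (Security Event ID 4624, logon type 3) on every host they touch within seconds, which is the pattern a defender alerts on. The following Python is an added example, not part of the original notes: it flags any account-and-source pair that logs on to many distinct hosts inside a short sliding window. The record layout, the hostnames other than dcorp-dc and dcorp-adminsrv, and the IP addresses are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export of Security log records (Event ID 4624, logon type 3), one per
# line as "<timestamp>,<target host>,<account>,<source ip>". student1 reaches six hosts in
# ten seconds; svc_backup shows ordinary activity against two hosts.
SAMPLE_LOGONS = """\
2024-05-01T09:00:01,dcorp-dc,student1,172.16.100.1
2024-05-01T09:00:02,dcorp-adminsrv,student1,172.16.100.1
2024-05-01T09:00:04,dcorp-appsrv,student1,172.16.100.1
2024-05-01T09:00:05,dcorp-mgmt,student1,172.16.100.1
2024-05-01T09:00:07,dcorp-ci,student1,172.16.100.1
2024-05-01T09:00:10,dcorp-sql1,student1,172.16.100.1
2024-05-01T09:05:00,dcorp-dc,svc_backup,172.16.100.50
2024-05-01T09:05:30,dcorp-appsrv,svc_backup,172.16.100.50
2024-05-01T09:06:00,dcorp-appsrv,svc_backup,172.16.100.50
"""


def parse_logons(text):
    """Parse the CSV-style records into (timestamp, host, account, source) tuples, sorted by time."""
    events = []
    for line in text.strip().splitlines():
        ts, host, account, src = line.split(",")
        events.append((datetime.fromisoformat(ts), host, account, src))
    events.sort()
    return events


def find_fanout(events, window_seconds=60, min_hosts=5):
    """Return {(account, source ip): sorted hosts} for every pair that logged on to at least
    min_hosts distinct hosts within some window_seconds-long sliding window."""
    by_key = defaultdict(list)
    for ts, host, account, src in events:
        by_key[(account, src)].append((ts, host))
    window = timedelta(seconds=window_seconds)
    alerts = defaultdict(set)
    for key, items in by_key.items():
        start = 0
        for end in range(len(items)):
            # shrink the window from the left until it spans at most window_seconds
            while items[end][0] - items[start][0] > window:
                start += 1
            hosts = {h for _, h in items[start:end + 1]}
            if len(hosts) >= min_hosts:
                alerts[key].update(hosts)
    return {key: sorted(hosts) for key, hosts in alerts.items()}


if __name__ == "__main__":
    for (account, src), hosts in find_fanout(parse_logons(SAMPLE_LOGONS)).items():
        print(f"{account} from {src} reached {len(hosts)} hosts: {', '.join(hosts)}")
```

Tune window_seconds and min_hosts to the environment; legitimate scanners and backup agents will need an allow-list on the source address.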



Find machines where a domain admin has sessions

# Very noisy
Find-DomainUserLocation -Verbose
Find-DomainUserLocation -UserGroupIdentity "RDPUsers"
Find-DomainUserLocation -CheckAccess 
Find-DomainUserLocation -Stealth # less noisy, targeting file servers


List sessions on remote machines

# Doesn't need admin access on remote machines.
# Uses Remote Registry and queries the HKEY_USERS hive.
Invoke-SessionHunter -FailSafe

# Opsec friendly
Invoke-SessionHunter -NoPortScan -Targets C:\AD\Tools\servers.txt
