Active Directory

Users & Groups

Net.exe

Net.exe installed by default on all Windows operating system, Therefore it would be the first go to in domain enumeration.

Note: The Net.exe misses subgroups memberships

Enumerate domain users.

net user /domain

Enumerate information of specific user such as group membership, password last set or whether if the account is active.

net user <user> /domain

Enumerate domain groups.

net group /domain

Enumerate group members.

net group <group> /domain

PowerShell and .NET Classes

Basic function which retrieve LDAP Queries using .NET Classes.

The Function uses two important .NET Classes:

System.DirectoryServices.DirectoryEntry: This class represents a node or object in an Active Directory hierarchy
System.DirectoryServices.DirectorySearcher: This class is used to perform queries against Active Directory.

ldap.ps1

function LDAPSearch {
    param (
        [string]$LDAPQuery
    )
    $PDC = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().PdcRoleOwner.Name
    $DistinguishedName = ([adsi]'').distinguishedName
    $DirectoryEntry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$PDC/$DistinguishedName")
    $DirectorySearcher = New-Object System.DirectoryServices.DirectorySearcher($DirectoryEntry, $LDAPQuery)

    return $DirectorySearcher.FindAll()
}

Enumerate domain users.

LDAPSearch -LDAPQuery "(objectClass=user)"

Enumerate specific user properties.

(LDAPSearch -LDAPQuery "(sAMAccountName=<username>)") | ForEach-Object { $_.Properties }

Enumerate domain groups.

LDAPSearch -LDAPQuery "(objectClass=group)"

Enumerate specific group properties.

(LDAPSearch -LDAPQuery "(cn=<group_name>)") | ForEach-Object { $_.Properties }

Enumerate specific group members.

(LDAPSearch -LDAPQuery "(cn=<group_name>)").Properties["member"]

Enumerate specific domain user memberships.

(LDAPSearch -LDAPQuery "(sAMAccountName=<username>)").Properties["memberOf"]

Enumerate specific domain group membership

LDAPSearch -LDAPQuery "(memberOf=CN=<group_name>,OU=Groups,DC=domain,DC=com)"

SPN

lists all the Service Principal Names (SPNs) that are registered for the specified user account in Active Directory.

setspn -L <user>

Active Sessions

.\PsLoggedon.exe \<computer>

Domain Controller

Retrieve the Domain Controller with the PdcRoleOwner which indicates its the main DC.

[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

PowerView

PowerView is a PowerShell toolset for AD enumeration, useful for penetration testing. It helps gather domain info, user/group details, inspect permissions, and identify network shares. Commonly used in Active Directory enumeration.

PreviousLocal Enumeration NextPowerView

Last updated 7 months ago

Active Directory

Users & Groups

Net.exe

Net.exe installed by default on all Windows operating system, Therefore it would be the first go to in domain enumeration.

Note: The Net.exe misses subgroups memberships

Enumerate domain users.

net user /domain

Enumerate information of specific user such as group membership, password last set or whether if the account is active.

net user <user> /domain

Enumerate domain groups.

net group /domain

Enumerate group members.

net group <group> /domain

PowerShell and .NET Classes

Basic function which retrieve LDAP Queries using .NET Classes.

The Function uses two important .NET Classes:

System.DirectoryServices.DirectoryEntry: This class represents a node or object in an Active Directory hierarchy
System.DirectoryServices.DirectorySearcher: This class is used to perform queries against Active Directory.

ldap.ps1

function LDAPSearch {
    param (
        [string]$LDAPQuery
    )
    $PDC = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().PdcRoleOwner.Name
    $DistinguishedName = ([adsi]'').distinguishedName
    $DirectoryEntry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$PDC/$DistinguishedName")
    $DirectorySearcher = New-Object System.DirectoryServices.DirectorySearcher($DirectoryEntry, $LDAPQuery)

    return $DirectorySearcher.FindAll()
}

Enumerate domain users.

LDAPSearch -LDAPQuery "(objectClass=user)"

Enumerate specific user properties.

(LDAPSearch -LDAPQuery "(sAMAccountName=<username>)") | ForEach-Object { $_.Properties }

Enumerate domain groups.

LDAPSearch -LDAPQuery "(objectClass=group)"

Enumerate specific group properties.

(LDAPSearch -LDAPQuery "(cn=<group_name>)") | ForEach-Object { $_.Properties }

Enumerate specific group members.

(LDAPSearch -LDAPQuery "(cn=<group_name>)").Properties["member"]

Enumerate specific domain user memberships.

(LDAPSearch -LDAPQuery "(sAMAccountName=<username>)").Properties["memberOf"]

Enumerate specific domain group membership

LDAPSearch -LDAPQuery "(memberOf=CN=<group_name>,OU=Groups,DC=domain,DC=com)"

SPN

lists all the Service Principal Names (SPNs) that are registered for the specified user account in Active Directory.

setspn -L <user>

Active Sessions

Shows users logged onto the specific computer using the tool from sysinternals.

.\PsLoggedon.exe \<computer>

Domain Controller

Retrieve the Domain Controller with the PdcRoleOwner which indicates its the main DC.

[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

PowerView

PreviousLocal Enumeration NextPowerView

Last updated 7 months ago