Enumeration
Enumerating Active Directory
Current Domain info
Returns the current computer's domain object, including properties such as Forest, DomainControllers, Parent and PdcRoleOwner
[System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()
Enumeration Tools
Powerview - https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1
Microsoft AD Module - https://github.com/samratashok/ADModule (reference: https://docs.microsoft.com/en-us/powershell/module/addsadministration/?view=win10-ps). Import Microsoft.ActiveDirectory.Management.dll first and then ActiveDirectory.psd1; this gives the ActiveDirectory cmdlets without installing RSAT on the box.
In each section below, the first command(s) are PowerView and the following ones are the ActiveDirectory module equivalents.
Domain
Get current domain
Get-NetDomain
Get-ADDomain
Get the domain object of another domain (requires a trust relationship)
Get-NetDomain -Domain moneycorp.local
Get-ADDomain -Identity moneycorp.local
Get domain SID for the current domain
Get-DomainSID
(Get-ADDomain).DomainSID
Policy
Get domain policy for the current domain
Get-DomainPolicy
(Get-DomainPolicy)."System Access"
(Get-DomainPolicy)."Kerberos Policy"
Get domain policy for another domain
(Get-DomainPolicy -Domain eurocorp.local)."System Access"
Get domain controllers for the current domain and their IP addresses
Get-NetDomainController
Get-ADDomainController
Get domain controllers for another domain
Get-NetDomainController -Domain eurocorp.local
Get-ADDomainController -DomainName eurocorp.local -Discover
Users
Get a list of users in the current domain
Get-NetUser
Get-NetUser -UserName student1
Get-ADUser -Filter * -Properties *
Get-ADUser -Identity student1 -Properties *
net user /domain
net user student82 /domain
Get List of all properties for users in the current domain
Attributes such as pwdlastset and badpwdcount help tell real users from honeypot/decoy accounts: real users rotate passwords and accumulate bad-password attempts, while a decoy account typically has a very old pwdlastset and no bad-password history.
Get-UserProperty
Get-UserProperty -Properties pwdlastset
Get-ADUser -Filter * -Properties * | select -First 1 | Get-Member -MemberType *Property | select Name
Get-ADUser -Filter * -Properties * | select name,@{expression={[datetime]::fromFileTime($_.pwdlastset)}}
Search for a particular string in a user's attributes:
Find-UserField -SearchField Description -SearchTerm "built"
Get-ADUser -Filter 'Description -like "*built*"' -Properties Description | select name,Description
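The decoy heuristics above, turned into a script. This is an added example and not part of the original notes: it uses the ActiveDirectory module to list enabled users with pwdlastset converted to a date and flags accounts whose attributes look like a honeypot. The one-year threshold and the "decoy hint" rules are assumptions; badPwdCount and logonCount are not replicated between DCs, so the query is pointed at the PDC emulator, which receives forwarded bad-password attempts.

```powershell
# Added example (not from the original notes): flag likely decoy/honeypot accounts.
# Assumptions: ActiveDirectory module available, 365-day "old password" threshold.
Import-Module ActiveDirectory

$pdc    = (Get-ADDomain).PDCEmulator          # badPwdCount is most accurate on the PDC
$props  = 'pwdLastSet','badPwdCount','logonCount','lastLogonTimestamp','whenCreated','description'
$cutoff = (Get-Date).AddDays(-365)

$report = Get-ADUser -Filter 'Enabled -eq $true' -Properties $props -Server $pdc | ForEach-Object {
    # pwdLastSet / lastLogonTimestamp are FILETIME integers; 0 means "never"
    $pwdSet    = if ($_.pwdLastSet)         { [datetime]::FromFileTime($_.pwdLastSet) }         else { $null }
    $lastLogon = if ($_.lastLogonTimestamp) { [datetime]::FromFileTime($_.lastLogonTimestamp) } else { $null }

    $hints = @()
    if ($pwdSet -and $pwdSet -lt $cutoff)            { $hints += 'old password' }
    if (-not $lastLogon -and -not $_.logonCount)     { $hints += 'never logged on' }
    if ($_.badPwdCount -eq 0 -and -not $_.logonCount) { $hints += 'no authentication history' }

    [pscustomobject]@{
        Name        = $_.SamAccountName
        PwdLastSet  = $pwdSet
        LastLogon   = $lastLogon
        LogonCount  = $_.logonCount
        BadPwdCount = $_.badPwdCount
        Created     = $_.whenCreated
        Description = $_.description
        DecoyHints  = ($hints -join ', ')
    }
}

# Only show accounts that tripped at least one heuristic, oldest password first
$report | Where-Object DecoyHints | Sort-Object PwdLastSet | Format-Table -AutoSize
```

Treat the output as a prioritisation aid, not a verdict: a service account that never interactively logs on will also trip the "never logged on" rule, so check the description, group memberships and creation date before deciding an account is a decoy.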
Computers
Get a list of computers in the current domain
These can be physical computers or VMs. The -Ping option sends an ICMP echo request to check whether a host is online; if ICMP is blocked by a firewall, live machines will wrongly appear offline.
Get-NetComputer
Get-NetComputer -OperatingSystem "*Server 2016*"
Get-NetComputer -Ping
Get-NetComputer -FullData
Get-NetComputer -FullData | select operatingsystem
Get-ADComputer -Filter * | select Name
Get-ADComputer -Filter 'OperatingSystem -like "*Server 2016*"' -Properties OperatingSystem | select Name,OperatingSystem
Get-ADComputer -Filter * -Properties DNSHostName | %{Test-Connection -Count 1 -ComputerName $_.DNSHostName}
Get-ADComputer -Filter * -Properties *
Groups
Get all the groups in the current domain
Get-NetGroup
Get-NetGroup -Domain <targetdomain>
Get-NetGroup -FullData
Get-ADGroup -Filter * | select Name
Get-ADGroup -Filter * -Properties *
net group /domain
net group "RDPUsers" /domain
Get all groups containing the word "admin" in group name
Get-NetGroup -GroupName *admin*
Get-NetGroup -GroupName *admin* -Domain eurocorp.local
Get-ADGroup -Filter 'Name -like "*admin*"' | select Name
Get all the members of the Domain Admins group
RID 500 is the well-known RID of the built-in Administrator account (renaming the account does not change its RID)
Get-NetGroupMember -GroupName "Domain Admins" -Recurse
Get-NetGroupMember -GroupName "Domain Admins" -Domain eurocorp.local
Get-ADGroupMember -Identity "Domain Admins" -Recursive
Get the group membership for a user:
RID 513 is the well-known RID of the Domain Users group, the default primary group of user accounts
Get-NetGroup -UserName "student1"
Get-ADPrincipalGroupMembership -Identity student1
List all the local groups on a machine (needs administrator privileges on non-DC machines)
Get-NetLocalGroup -ComputerName dcorp-dc.dollarcorp.moneycorp.local -ListGroups
Get members of the local Administrators group on a machine (the default when -ListGroups is omitted)
Get-NetLocalGroup -ComputerName dcorp-dc.dollarcorp.moneycorp.local
Get members of all the local groups on a machine (needs administrator privs on non-dc machines)
Get-NetLocalGroup -ComputerName dcorp-dc.dollarcorp.moneycorp.local -Recurse
Get actively logged on users on a computer (needs local admin rights on the target)
Get-NetLoggedon -ComputerName dcorp-dc.dollarcorp.moneycorp.local -Verbose
Get locally logged users on a computer (needs remote registry on the target - started by-default on server OS)
Get-LoggedonLocal -ComputerName dcorp-dc.dollarcorp.moneycorp.local
Get the last logged on user on a computer (needs administrative rights and remote registry on the target)
Get-LastLoggedOn -ComputerName <servername>
Shares
Find shares on hosts in current domain.
Invoke-ShareFinder -Verbose
Find sensitive files on computers in the domain
Invoke-FileFinder -Verbose
Get all fileservers of the domain
File servers are usually high-value targets; PowerView derives the list from the homeDirectory, scriptPath and profilePath attributes of user objects
Get-NetFileServer
GPO
Get list of GPO in current domain
The GroupPolicy module needs RSAT (workstation) or the GPMC feature (server):
Get-WindowsOptionalFeature -Online
Enable-WindowsOptionalFeature -Online -FeatureName <RSAT feature name>
Install-WindowsFeature -Name GPMC
Import-Module GroupPolicy
Get-NetGPO
Get-NetGPO -ComputerName dcorpstudent1.dollarcorp.moneycorp.local
Get-GPO -All (GroupPolicy module)
Get-GPResultantSetOfPolicy -ReportType Html -Path C:\Users\Administrator\report.html (GroupPolicy module; provides RSoP)
Get GPO(s) which use Restricted Groups or groups.xml to add interesting users to local groups.
Restricted Groups settings are pushed to every machine the GPO applies to, so getting access to one of the listed groups or users often gives access to all of those machines.
Get-NetGPOGroup
Get users which are in a local group of a machine using GPO
Find-GPOComputerAdmin -ComputerName dcorpstudent1.dollarcorp.moneycorp.local
Get machines where the given user is member of a specific group
Find-GPOLocation -UserName student1 -Verbose
Get OUs in a domain
Get-NetOU
Get-NetOU -FullData
Get-ADOrganizationalUnit -Filter * -Properties *
Get GPO applied on an OU. Read the GPO GUID from the gplink attribute returned by Get-NetOU -FullData and pass it to -GPOname:
Get-NetGPO -GPOname "{AB306569-220D-43FF-B03B-83E8F4EF8081}"
Get-GPO -Guid AB306569-220D-43FF-B03B-83E8F4EF8081 (GroupPolicy module)
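The manual gplink lookup above, automated across the whole domain. This is an added example and not part of the original notes: it uses only the ActiveDirectory module (no GroupPolicy module needed), parses the gPLink attribute of the domain root and every OU, resolves each GUID to a GPO display name via the groupPolicyContainer objects, and decodes the link flags (enforced / disabled) and the OU's block-inheritance option. The regular expression and output format are mine.

```powershell
# Added example (not from the original notes): map linked GPOs per container via gPLink.
# Assumption: ActiveDirectory module is loaded and the current user can read the domain.
Import-Module ActiveDirectory

# gPLink format: [LDAP://cn={GUID},cn=policies,cn=system,DC=x,DC=y;0][LDAP://...;2]
# The digit after ';' is a bit field: 1 = link disabled, 2 = link enforced.
$linkRegex = '(?i)\[LDAP://cn=(\{[0-9A-F-]+\})[^;]*;(\d)\]'

# GUID -> display name, taken from the GPO container objects (their CN is the {GUID})
$gpoNames = @{}
Get-ADObject -LDAPFilter '(objectClass=groupPolicyContainer)' -Properties displayName |
    ForEach-Object { $gpoNames[$_.Name.ToUpper()] = $_.displayName }

# Domain root plus every OU; both carry gPLink / gPOptions
$targets = @(Get-ADObject -Identity (Get-ADDomain).DistinguishedName -Properties gPLink, gPOptions) +
           @(Get-ADOrganizationalUnit -Filter * -Properties gPLink, gPOptions)

$links = foreach ($t in $targets) {
    if (-not $t.gPLink) { continue }   # nothing linked to this container
    foreach ($m in [regex]::Matches($t.gPLink, $linkRegex)) {
        $guid  = $m.Groups[1].Value.ToUpper()
        $flags = [int]$m.Groups[2].Value
        [pscustomobject]@{
            Container        = $t.DistinguishedName
            GPO              = if ($gpoNames.ContainsKey($guid)) { $gpoNames[$guid] } else { '<unknown>' }
            GUID             = $guid
            Enforced         = [bool]($flags -band 2)
            LinkDisabled     = [bool]($flags -band 1)
            BlockInheritance = ($t.gPOptions -eq 1)   # gPOptions 1 = block policy inheritance
        }
    }
}

$links | Format-Table -AutoSize
```

An enforced link on a parent OU wins over a child OU's block-inheritance setting, so when hunting for the GPO that actually put a user into a local group, read the Enforced and BlockInheritance columns together rather than assuming the deepest OU's link applies.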
Get the ACLs associated with the specified object
Get-ObjectAcl -SamAccountName student82 -ResolveGUIDs
Get the ACLs associated with the specified prefix to be used for search
Get-ObjectAcl -ADSprefix 'CN=student82,CN=Users' -Verbose
We can also enumerate ACLs using the ActiveDirectory module (Get-Acl on the AD: drive), but without resolving GUIDs
Get the ACLs associated with the specified LDAP path to be used for search
Get-ObjectAcl -ADSpath "LDAP://CN=Domain Admins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local" -ResolveGUIDs -Verbose
Search for interesting ACEs
Invoke-ACLScanner -ResolveGUIDs
Get the ACLs associated with the specified path
Get-PathAcl -Path "\\dcorp-dc.dollarcorp.moneycorp.local\sysvol"
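An added example, not part of the original notes, that fills the gap mentioned above: the ActiveDirectory module's Get-Acl returns raw ObjectType GUIDs, so this script builds the GUID-to-name map itself from the schema (schemaIDGUID) and the Extended-Rights container (rightsGuid), then lists the non-trivial allow ACEs on one object. The target DN and the list of "interesting" rights are assumptions; change them for your domain.

```powershell
# Added example (not from the original notes): DACL of an AD object with GUIDs resolved by hand.
# Assumptions: ActiveDirectory module loaded (provides the AD: drive); target DN is illustrative.
Import-Module ActiveDirectory

$rootDse = Get-ADRootDSE
$guidMap = @{}

# Schema classes/attributes: schemaIDGUID (byte[]) -> lDAPDisplayName
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidMap[([guid]$_.schemaIDGUID).ToString()] = $_.lDAPDisplayName }

# Extended rights (e.g. DS-Replication-Get-Changes, User-Force-Change-Password): rightsGuid -> name
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
    ForEach-Object { $guidMap[([guid]$_.rightsGuid).ToString()] = $_.displayName }

$target      = 'CN=Domain Admins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local'   # assumption
$interesting = 'GenericAll|GenericWrite|WriteDacl|WriteOwner|WriteProperty|ExtendedRight|Self'
$emptyGuid   = [guid]::Empty.ToString()

(Get-Acl -Path "AD:\$target").Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and "$($_.ActiveDirectoryRights)" -match $interesting } |
    ForEach-Object {
        $ot = $_.ObjectType.ToString()
        [pscustomobject]@{
            Identity   = $_.IdentityReference
            Rights     = $_.ActiveDirectoryRights
            # Empty GUID = right applies to the whole object, otherwise a specific attribute/right
            ObjectType = if ($ot -eq $emptyGuid) { 'All' } elseif ($guidMap.ContainsKey($ot)) { $guidMap[$ot] } else { $ot }
            Inherited  = $_.IsInherited
        }
    } | Format-Table -AutoSize
```

WriteProperty scoped to member on a group, or ExtendedRight resolving to User-Force-Change-Password on a user, are the entries worth chasing; a WriteProperty ACE whose ObjectType resolves to something harmless like displayName is noise.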
Trusts
Get a list of all domain trusts for the current domain
Get-NetDomainTrust
Get-NetDomainTrust -Domain eurocorp.local
Get-ADTrust
Get-ADTrust -Identity eurocorp.local
Get details about the current forest
Get-NetForest
Get-NetForest –Forest eurocorp.local
Get-ADForest
Get-ADForest –Identity eurocorp.local
Get all domains in the current forest
Get-NetForestDomain
Get-NetForestDomain –Forest eurocorp.local
(Get-ADForest).Domains
Get all global catalogs for the current forest
Get-NetForestCatalog
Get-NetForestCatalog –Forest eurocorp.local
Get-ADForest | select -ExpandProperty GlobalCatalogs
Map trusts of a forest
Maps trusts between forests only (not the domain or child-domain trusts returned by Get-NetDomainTrust), so it returns nothing when the current forest has no forest trusts
Get-NetForestTrust
Get-NetForestTrust –Forest eurocorp.local
Get-ADTrust -Filter 'msDS-TrustForestTrustInfo -ne "$null"'
Enumerating computers from the trustee domain
Map domain trust
Sessions
Find all machines in the current domain where the current user has local admin access
This function queries the DC of the current or provided domain for a list of computers (Get-NetComputer) and then runs a multi-threaded Invoke-CheckLocalAdminAccess against each machine.
Find-LocalAdminAccess -Verbose
This can also be done with remote administration tools such as WMI and PowerShell remoting, which is useful when the ports used by Find-LocalAdminAccess (RPC and SMB) are blocked.
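The WMI / PowerShell remoting alternative described above, as an added example that is not part of the original notes. It walks the enabled computers from the ActiveDirectory module and tries a remote WMI query (DCOM, TCP 135 plus a dynamic RPC port) and a WinRM session (TCP 5985) against each. One caveat the script accounts for: remote WMI requires local Administrators membership by default, but WinRM also admits members of Remote Management Users, so a successful Invoke-Command alone does not prove admin; the remote script block therefore checks the token's Administrator role explicitly. It runs sequentially, so it is slower than PowerView's threaded version.

```powershell
# Added example (not from the original notes): local-admin discovery over WMI and WinRM.
# Assumption: ActiveDirectory module loaded; firewall allows DCOM and/or WinRM to targets.
Import-Module ActiveDirectory

$computers = Get-ADComputer -Filter 'Enabled -eq $true' -Properties DNSHostName |
    Select-Object -ExpandProperty DNSHostName

$results = foreach ($c in $computers) {
    $wmi = $false; $winrm = $false; $adminViaWinRM = $null

    try {
        # Remote WMI (DCOM) connections require local Administrators membership by default
        $null = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $c -ErrorAction Stop
        $wmi = $true
    } catch { }

    try {
        # WinRM admits Administrators AND Remote Management Users, so ask the remote token
        $adminViaWinRM = Invoke-Command -ComputerName $c -ErrorAction Stop -ScriptBlock {
            $id = [Security.Principal.WindowsIdentity]::GetCurrent()
            ([Security.Principal.WindowsPrincipal]$id).IsInRole(
                [Security.Principal.WindowsBuiltInRole]::Administrator)
        }
        $winrm = $true
    } catch { }

    [pscustomobject]@{
        Computer      = $c
        WmiAccess     = $wmi           # true => admin (WMI requires it)
        WinRM         = $winrm         # true => can open a session (admin or RMU)
        AdminViaWinRM = $adminViaWinRM # true => token in remote session is admin
    }
}

$results | Where-Object { $_.WmiAccess -or $_.WinRM } | Format-Table -AutoSize
```

Each failed attempt still produces a logon event (4624/4625 or 4648) on the target, so this is not quieter than the SMB-based check, only different in which ports and services it touches.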
Find local admins on all machines of the domain (needs administrator privileges on non-DC machines).
This function queries the DC of the current or provided domain for a list of computers (Get-NetComputer) and then runs a multi-threaded Get-NetLocalGroup against each machine.
Invoke-EnumerateLocalAdmin -Verbose
Find computers where a domain admin (or specified user/group) has sessions
This function queries the DC of the current or provided domain for members of the given group (Domain Admins by default) using Get-NetGroupMember, gets a list of computers (Get-NetComputer) and lists sessions and logged on users (Get-NetSession/Get-NetLoggedon) from each machine.
Invoke-UserHunter
Invoke-UserHunter -GroupName "RDPUsers"
Also check whether the current user has local admin access on each machine where a target user was found
Invoke-UserHunter -CheckAccess
Find computers where a domain admin is logged-in.
Queries only high-value targets, which generates less traffic.
This option queries the DC of the current or provided domain for members of the given group (Domain Admins by default) using Get-NetGroupMember, gets a list of only the high-traffic servers (DCs, file servers and distributed file servers) and lists sessions and logged on users (Get-NetSession/Get-NetLoggedon) from each of them.
Invoke-UserHunter -Stealth
Defense
NetCease is a script that changes the permissions on the NetSessionEnum method by removing the Authenticated Users group's access.
This breaks much of an attacker's session enumeration (Get-NetSession) and hence user-hunting capability (Invoke-UserHunter).
.\NetCease.ps1
.\NetCease.ps1 -Revert
Another interesting script from the same author is SAMRi10, which hardens Windows 10 and Server 2016 against enumeration over the SAMR protocol (as used by net.exe) - https://gallery.technet.microsoft.com/SAMRi10-Hardening-Remote48d94b5b
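A verification check to go with the NetCease note, added here and not part of the original notes or of NetCease itself. NetCease works by rewriting the security descriptor stored in the SrvsvcSessionInfo value under HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity, which is what the Server service consults for NetSessionEnum. The script decodes that binary descriptor and reports whether Authenticated Users (S-1-5-11) still holds an allow ACE, which is the quickest way to confirm the hardening is in place on a host, or, from the offensive side, to predict whether Get-NetSession will work before generating noise. Run it locally with administrative rights.

```powershell
# Added example (not from the original notes): is NetCease hardening applied on this host?
# Reads the NetSessionEnum security descriptor and looks for Authenticated Users (S-1-5-11).
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity'
$name = 'SrvsvcSessionInfo'

$bytes = (Get-ItemProperty -Path $key -Name $name).$name          # REG_BINARY self-relative SD
$sd    = New-Object System.Security.AccessControl.RawSecurityDescriptor($bytes, 0)

# Dump the DACL so the full picture is visible, not just the one SID we care about
$rows = foreach ($ace in $sd.DiscretionaryAcl) {
    $sid = $ace.SecurityIdentifier
    $account = try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
    [pscustomobject]@{
        Account = $account
        SID     = $sid.Value
        Type    = $ace.AceType
        Mask    = ('0x{0:X8}' -f $ace.AccessMask)
    }
}
$rows | Format-Table -AutoSize

$authUsersAllow = $sd.DiscretionaryAcl | Where-Object {
    $_.SecurityIdentifier.Value -eq 'S-1-5-11' -and $_.AceType -eq 'AccessAllowed'
}

if ($authUsersAllow) {
    'NOT hardened: Authenticated Users still has an allow ACE on SrvsvcSessionInfo (NetSessionEnum open to all domain users)'
} else {
    'Hardened: Authenticated Users has no allow ACE on SrvsvcSessionInfo (NetCease-style restriction in effect)'
}
```

On a default installation the DACL contains Authenticated Users, Administrators, Power Users and Server Operators; after NetCease only the privileged groups remain, which is why unprivileged PowerView session hunting stops returning results while administrative tooling keeps working.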
Search for sensitive strings such as pass, password, etc. in all files (including files in the Recycle Bin, also on shares):
findstr.exe /spin "password" *.*
There are various ways of locally escalating privileges on a Windows box:
- Missing patches
- Automated deployment and AutoLogon passwords in clear text
- AlwaysInstallElevated (any user can run MSI as SYSTEM)
- Misconfigured services
- DLL hijacking
- and more
We can use the tools below for complete coverage:
- PowerUp: https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc
- BeRoot: https://github.com/AlessandroZ/BeRoot (.\beRoot.exe)
- Privesc: https://github.com/enjoiz/Privesc (Invoke-PrivEsc)
- WinPEAS: https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS
Service issues using PowerUp
Run all checks:
Invoke-AllChecks
Get services with unquoted paths and a space in their name:
Get-ServiceUnquoted -Verbose
Get services where the current user can write to the binary path or change arguments to the binary:
Get-ModifiableServiceFile -Verbose
Get the services whose configuration the current user can modify:
Get-ModifiableService -Verbose
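What Get-ServiceUnquoted does, written out by hand so the logic is visible. This is an added example, not PowerUp's code or part of the original notes. For every service whose ImagePath is unquoted and contains a space, it enumerates the binaries Windows would try before the real one (C:\Program.exe, C:\Program Files\Some.exe, ...) and tests whether the current user can create a file in each parent directory by writing and deleting a random probe file, which does touch disk and will show up in file auditing. Services under C:\Windows are skipped as PowerUp does.

```powershell
# Added example (not from the original notes): manual unquoted-service-path check.
# Assumption: run as the low-privileged user whose write access you want to test.
$services = Get-WmiObject -Class Win32_Service | Where-Object {
    $_.PathName -and
    $_.PathName -match '^[^"]*\s' -and          # whitespace before any quote => unquoted path with a space
    $_.PathName -notmatch '^(?i)C:\\Windows\\'   # system services are not the interesting ones
}

$findings = foreach ($svc in $services) {
    # Drop arguments: keep everything up to and including the first ".exe"
    $exe   = $svc.PathName -replace '(?i)^(.*?\.exe).*$', '$1'
    $parts = $exe -split ' '

    # Each prefix up to a space is a binary the service controller would try first
    $candidates = for ($i = 1; $i -lt $parts.Count; $i++) {
        ($parts[0..($i - 1)] -join ' ') + '.exe'
    }

    foreach ($cand in $candidates) {
        $dir = Split-Path -Path $cand -Parent
        if (-not $dir -or -not (Test-Path -Path $dir)) { continue }

        $writable = $false
        try {
            $probe = Join-Path $dir ([IO.Path]::GetRandomFileName())
            [IO.File]::WriteAllText($probe, '')       # create-file test; noisy on audited hosts
            Remove-Item -Path $probe -Force
            $writable = $true
        } catch { }

        [pscustomobject]@{
            Service   = $svc.Name
            RunsAs    = $svc.StartName
            StartMode = $svc.StartMode
            ImagePath = $svc.PathName
            Hijack    = $cand
            Writable  = $writable
        }
    }
}

$findings | Where-Object Writable | Format-Table -AutoSize
```

A hit is only useful if the service runs as LocalSystem or another privileged account (RunsAs) and can be restarted or will start at boot (StartMode), so read those two columns before spending time on a payload.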
Feature Abuse
Enterprise applications such as Jenkins often run with high privileges and offer a way to run commands; misusing them is a common path to code execution.
On Jenkins, users can often be listed without logging in.
Bloodhound
BloodHound represents AD entities and their relationships as a graph in a GUI.
BloodHound requires a Neo4j database; use matching versions, since BloodHound v2 and v3 (and their collectors) are incompatible with each other.
Upload the collector's zip files in the BloodHound GUI to start mapping; you can use the built-in queries, mark users as owned, find attack paths, etc.
Invoke-BloodHound -CollectionMethod All -Verbose
Invoke-BloodHound -CollectionMethod LoggedOn -Verbose
Invoke-BloodHound -CollectionMethod All -ExcludeDC   # less noisy: excludes domain controllers from session and local-group collection