Domain Enumeration

Users and Computers

ADModule - the Microsoft ActiveDirectory module is MS-signed and works under Constrained Language Mode (CLM), so it loads where PowerView is blocked. Import the DLL first, then the module manifest:

Import-Module C:\AD\Tools\ADModule-master\Microsoft.ActiveDirectory.Management.dll
Import-Module C:\AD\Tools\ADModule-master\ActiveDirectory\ActiveDirectory.psd1

Get current domain

Get-Domain (PowerView)
Get-ADDomain (ActiveDirectory Module)

Get object of another domain

Get-Domain -Domain moneycorp.local
Get-ADDomain -Identity moneycorp.local

Get domain SID for the current domain

Get-DomainSID
(Get-ADDomain).DomainSID

Get domain policy for the current domain

Get-DomainPolicyData
(Get-DomainPolicyData).systemaccess

Get domain controllers for the current domain

Get-DomainController
Get-ADDomainController

Get domain controllers for another domain

Get-DomainController -Domain moneycorp.local
Get-ADDomainController -DomainName moneycorp.local -Discover

Get a list of users in the current domain

Get-DomainUser
Get-DomainUser -Identity student1
Get-ADUser -Filter * -Properties *
Get-ADUser -Identity student1 -Properties *

Get list of all properties for users in the current domain

Get-DomainUser -Identity student1 -Properties *
Get-DomainUser -Properties samaccountname,logonCount
Get-ADUser -Filter * -Properties * | select -First 1 | Get-Member -MemberType *Property | select Name
Get-ADUser -Filter * -Properties * | select name,logoncount,@{name='pwdlastset';expression={[datetime]::fromFileTime($_.pwdlastset)}}
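Worked example (added here; not code from the original page): the same user enumeration with the ActiveDirectory module, but with disabled accounts filtered out server-side via an LDAP filter and the FILETIME attributes converted so that never-set and stale passwords stand out. The function name, its parameters and the 365-day default are my own choices; it assumes the module is already imported as above, which also makes it usable under CLM.

```powershell
# Added example: enumerate enabled users and their password age with the AD module.
# CLM-safe because it only calls the Microsoft-signed cmdlets.
function Get-DomainUserPasswordAge {
    [CmdletBinding()]
    param(
        [string]$Domain,            # e.g. moneycorp.local; omitted = current domain
        [int]$OlderThanDays = 365   # flag passwords older than this (hypothetical default)
    )

    # userAccountControl bit 2 = ACCOUNTDISABLE; :1.2.840.113556.1.4.803: is the LDAP bitwise-AND rule
    $ldapFilter = '(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'

    $query = @{
        LDAPFilter = $ldapFilter
        Properties = 'pwdLastSet', 'lastLogonTimestamp', 'logonCount', 'adminCount'
    }
    if ($Domain) { $query.Server = $Domain }

    $now    = Get-Date
    $cutoff = $now.AddDays(-$OlderThanDays)

    Get-ADUser @query | ForEach-Object {
        # pwdLastSet = 0 means "must change password at next logon" (or never set)
        $pwdSet = if ($_.pwdLastSet -gt 0) { [datetime]::FromFileTime($_.pwdLastSet) } else { $null }
        # lastLogonTimestamp is replicated but only refreshed roughly every 14 days; fine for staleness
        $lastLogon = if ($_.lastLogonTimestamp -gt 0) { [datetime]::FromFileTime($_.lastLogonTimestamp) } else { $null }

        $flag = if (-not $pwdSet) { 'MustChange/NeverSet' }
                elseif ($pwdSet -lt $cutoff) { "PwdOlderThan${OlderThanDays}d" }
                else { '' }

        [pscustomobject]@{
            SamAccountName = $_.SamAccountName
            AdminCount     = [bool]$_.adminCount   # 1 = protected by AdminSDHolder (is or was privileged)
            PwdLastSet     = $pwdSet
            PwdAgeDays     = if ($pwdSet) { [int]($now - $pwdSet).TotalDays } else { $null }
            LastLogon      = $lastLogon
            LogonCount     = $_.logonCount
            Flag           = $flag
        }
    }
}

# Usage: stale-password users, accounts with adminCount=1 first
Get-DomainUserPasswordAge -OlderThanDays 180 |
    Where-Object Flag |
    Sort-Object AdminCount -Descending |
    Format-Table -AutoSize
```

Pushing the enabled-only condition into the LDAP filter matters on large domains: `Get-ADUser -Filter * -Properties *` pulls every attribute of every object across ADWS before you filter client-side.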

Get a list of computers in the current domain

Get-DomainComputer | select Name
Get-DomainComputer -OperatingSystem "*Server 2022*"
Get-DomainComputer -Ping
Get-ADComputer -Filter * | select Name
Get-ADComputer -Filter * -Properties *
Get-ADComputer -Filter 'OperatingSystem -like "*Server 2022*"' -Properties OperatingSystem | select Name,OperatingSystem
Get-ADComputer -Filter * -Properties DNSHostName | %{Test-Connection -Count 1 -ComputerName $_.DNSHostName}

Get all the groups in the current domain

Get-DomainGroup | select Name
Get-DomainGroup -Domain <targetdomain>
Get-ADGroup -Filter * | select Name
Get-ADGroup -Filter * -Properties *

Get all groups containing the word "admin" in group name

Get-DomainGroup *admin*
Get-ADGroup -Filter 'Name -like "*admin*"' | select Name

Get all the members of the Domain Admins group

Get-DomainGroupMember -Identity "Domain Admins" -Recurse
Get-ADGroupMember -Identity "Domain Admins" -Recursive

Get the group membership for a user:

Get-DomainGroup -UserName "student1"
Get-ADPrincipalGroupMembership -Identity student1
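Worked example (added here; not code from the original page): `Get-ADGroupMember -Recursive` is convenient but can fail on groups that nest foreign security principals (members from a trusted domain) and on groups whose flattened membership exceeds the ADWS default limit of 5000 entries. Walking the `member` attribute yourself avoids both and also tells you which nested group each principal arrived through. The function name and output shape are my own; it assumes the ActiveDirectory module is imported.

```powershell
# Added example: flatten nested group membership via the 'member' attribute rather than
# Get-ADGroupMember -Recursive. Cycle-safe, FSP-aware, and not subject to the 5000-member cap.
function Get-GroupMembersByAttribute {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Identity,   # name, SAM, SID or DN of the group
        [string]$Server                            # optional DC or domain, e.g. moneycorp.local
    )

    $srv = @{}
    if ($Server) { $srv.Server = $Server }

    $root  = Get-ADGroup -Identity $Identity -Properties member @srv
    $seen  = @{}                                   # DN -> $true; breaks A->B->A membership loops
    $queue = [System.Collections.Generic.Queue[string]]::new()
    $queue.Enqueue($root.DistinguishedName)
    $seen[$root.DistinguishedName] = $true

    while ($queue.Count -gt 0) {
        $groupDn = $queue.Dequeue()
        # The AD module performs LDAP ranged retrieval on 'member', so large groups come back whole.
        $members = (Get-ADObject -Identity $groupDn -Properties member @srv).member
        foreach ($dn in $members) {
            if ($seen.ContainsKey($dn)) { continue }
            $seen[$dn] = $true
            try {
                $obj = Get-ADObject -Identity $dn -Properties objectClass, objectSid, sAMAccountName -ErrorAction Stop @srv
            } catch {
                # e.g. a DN in another domain's naming context that this server cannot resolve
                [pscustomobject]@{ Group = $root.Name; Member = $dn; Class = 'unresolved'; Sid = $null; Via = $groupDn }
                continue
            }
            switch ($obj.objectClass) {
                'group' {
                    $queue.Enqueue($dn)            # recurse; $seen prevents revisiting
                }
                'foreignSecurityPrincipal' {
                    # A member from a trusted domain: only its SID is known locally.
                    # Resolve the SID against that domain (or a GC) if you need the account name.
                    [pscustomobject]@{ Group = $root.Name; Member = $obj.Name; Class = 'FSP'; Sid = $obj.objectSid.Value; Via = $groupDn }
                }
                default {
                    [pscustomobject]@{ Group = $root.Name; Member = $obj.sAMAccountName; Class = $obj.objectClass; Sid = $obj.objectSid.Value; Via = $groupDn }
                }
            }
        }
    }
}

# Usage: flatten Domain Admins and show which nested group each member came through
Get-GroupMembersByAttribute -Identity 'Domain Admins' | Format-Table Member, Class, Sid, Via -AutoSize
```

Any row with Class `FSP` is a cross-domain principal worth following up on the Trusts page: the SID's domain prefix tells you which trusted domain can reach this group.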

List all the local groups on a machine (needs administrator privileges on non-DC machines):

Get-NetLocalGroup -ComputerName dcorp-dc

Get members of the local group "Administrators" on a machine (needs administrator privileges on non-DC machines):

Get-NetLocalGroupMember -ComputerName dcorp-dc -GroupName Administrators
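Worked example (added here; not code from the original page): sweeping every domain computer for domain principals in the local Administrators group, which is the usual next step after the two commands above. It relies on the PowerView dev branch already being loaded (so it is not CLM-safe) and on `Get-NetLocalGroupMember` returning objects with `MemberName`, `IsGroup` and `IsDomain` properties. One caveat a practitioner should know: PowerView's API method reports an access-denied host only via `-Verbose`, not as a terminating error, so an empty result is indistinguishable from "no members" without `-Verbose`; the function records that explicitly. Function name and output shape are my own.

```powershell
# Added example: which domain users/groups are local admin on which hosts (PowerView dev branch).
function Find-LocalAdminsAcrossHosts {
    [CmdletBinding()]
    param(
        [string[]]$ComputerName,                  # explicit target list; default = all domain computers
        [string]$GroupName = 'Administrators'
    )
    if (-not $ComputerName) {
        $ComputerName = Get-DomainComputer | Select-Object -ExpandProperty dnshostname
    }
    foreach ($computer in $ComputerName) {        # not $host: that is a PowerShell automatic variable
        # PowerView writes access-denied/unreachable errors to the verbose stream and returns nothing,
        # so no result here most often means "not admin on this host", not "no local admins".
        $members = Get-NetLocalGroupMember -ComputerName $computer -GroupName $GroupName
        if (-not $members) {
            [pscustomobject]@{ ComputerName = $computer; Member = $null; IsGroup = $null; Status = 'no-data (access denied or unreachable?)' }
            continue
        }
        foreach ($m in $members) {
            if (-not $m.IsDomain) { continue }    # skip host-local accounts such as BUILTIN\Administrator
            [pscustomobject]@{ ComputerName = $computer; Member = $m.MemberName; IsGroup = $m.IsGroup; Status = 'ok' }
        }
    }
}

# Usage: rank domain principals by how many hosts they are local admin on
Find-LocalAdminsAcrossHosts | Where-Object Status -eq 'ok' |
    Group-Object Member | Sort-Object Count -Descending |
    Select-Object Name, Count, @{n='Hosts'; e={ ($_.Group.ComputerName | Sort-Object -Unique) -join ', ' }}
```

Run it with `-Verbose` when the `no-data` rows matter; a host that answers as `no-data` for a low-privileged user and `ok` for another is a quick way to see which credentials are worth reusing.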

Get actively logged users on a computer (needs local admin rights on the target)

Get-NetLoggedon -ComputerName dcorp-adminsrv

Get locally logged-on users on a computer (needs Remote Registry on the target, which is started by default on server OSes; this cmdlet was renamed Get-RegLoggedOn in the PowerView dev branch)

Get-LoggedonLocal -ComputerName dcorp-adminsrv

Get the last logged user on a computer (needs administrative rights and remote registry on the target)

Get-LastLoggedOn -ComputerName dcorp-adminsrv

Find shares on hosts in the current domain (Find-DomainShare in the PowerView dev branch)

Invoke-ShareFinder -Verbose

Find sensitive files on computers in the domain (Find-InterestingDomainShareFile in the PowerView dev branch)

Invoke-FileFinder -Verbose

Get all file servers of the domain (Get-DomainFileServer in the PowerView dev branch)

Get-NetFileServer

Last updated 1 year ago