> For the complete documentation index, see [llms.txt](https://zeyad-abulaban.gitbook.io/notes/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://zeyad-abulaban.gitbook.io/notes/red-teaming/active-directory/domain-enumeration.md). # Phase 1: Domain Enumeration *** ## Preffered Tools: **Note:** This can be done with any other tool but we are presenting those only * [**PowerView**](https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon) * [**ADModule**](https://github.com/samratashok/ADModule) ## Computers Enumeration ### Get alist of computers in the current domain ```powershell #Powerview Get-NetComputer Get-NetComputer -OperatingSystem Get-NetComputer -ping Get-NetComputer -FullData #ActiveDirectory Module Get-ADComputer -Filter * | select Name Get-ADComputer -Filter 'OperatingSystem -like "*Server 2016*"' -Properties OperatingSystem | select Name,OperatingSystem Get-ADComputer -Filter * -Properties DNSHostName | %{Test-Connection -count 1 -ComputerName $_.DNSHostName} #May give false positives Get-ADComputer -Filter * -Properties * ``` *** ## Domain Name Enumeration ### Get current domain ```powershell #Using .NET classes $ADClass = [System.DirectoryServices.ActiveDirectory.Domain] $ADClass::GetCurrentDomain() #Powerview Get-NetDomain #ActiveDirectory Module Get-ADDomain ``` ### Get Object of another domain ```powershell #Powerview Get-NetDomain -Domain #ActiveDirectory Module Get-ADDomain -Identity ``` ### Get domain SID for the current domain ```powershell Get-DomainSID #(Active Directory module) (GET-ADDomain).DomainSID ``` *** ## Domain Policy Enumeration ### Get domain policy for the current domain ```powershell (Get-DomainPolicy)."system access" #(between quotes can be Kerberos policy ..etc) ``` ### Get domain policy for another domain ```powershell (Get-DomainPolicy -domain ."system access" #(between quotes can be Kerberos policy ..etc) ``` *** ## Domain Controller Enumeration ### Get domain controllers for the current domain ```powershell #Powerview Get-NetDomainController #ActiveDirectory Module Get-ADDomainController ``` ### Get domain controller for another domain ```powershell #Powerview Get-NetDomainController -Domain #ActiveDirectory Module Get-ADDomainController -DomainName -Discover ``` *** ## User Enumeration ### Get a list of users in the current domain ```powershell #Powerview Get-NetUser Get-NetUser -Username omar1 #ActiveDirectory Module Get-ADuser -Filter * -Properties * ``` ### Get list of all properties for users in the current domain ```powershell Get-UserProperty Get-UserProperty -Properties pwdlastset #(Active Directory module) Get-ADUser -Filter * -Properties * | select -First 1 | Get-Member -MemberType *Property | select Name Get-ADUser -Filter * -Properties * | select name, @{expression {[datetime]::fromfiletime($_.pwdlastset)}} ``` ### Get information about passwords ```powershell #Last time a password was changed Get-UserProperty -Properties pwdlastset #Bad password count Get-UserProperty -Properties badpwdcount #Filtering inactive users Get-UserProperty -Properties logoncount #Searching for passwords in user's description Find-UserField -SearchField Description -SearchTerm "built" Get-ADUser - Filter 'Description -like "*built*"' -Properties Description | select name,Description ``` #### Note: * Searching for passwords in user's description is a thing because users may have to change their passwords frequently so they include it in the description so they don't have to memorize it. *** ## Groups Enumeration * [**Groups Explained**](http://www.harmj0y.net/blog/activedirectory/a-pentesters-guide-to-group-scoping/) ### Get all the groups in the current domain ```powershell #Powerview Get-NetGroup -Domain Get-NetGroup -FullData Get-NetGroup *admin* #Only containing admin in groupname #ActiveDirectory Module Get-ADGroup -Filter * | select Name Get-ADGroup -Filter * -Properties * Get-ADGroup -Filter 'Name -like "*admin*"' | select Name #Only containing admin in groupname ``` ### Get all memebers of the domain Admins group ```powershell #Powerview Get-NetGroupMember -GroupName "Domain Admins" -Recurse Get-NetGroupMember -Username "khaled1" #To get the group membership for a specific user #ActiveDirectory Module Get-ADGroupMember -Identity "Domain Admins" -Recursive Get-ADPrincipalGroupMembership -Identity khaled1 #To get the group membership for a specific user ``` ### List all local groups on a machine * Needs admin priviliges or non-dc machines ```powershell #Powerview Get-NetLocalGroup -ComputerName -ListGroups #To get member of all local groups on a machine Get-NetLocalGroup -ComputerName -Recurse ``` * Find shares on hosts in current domain ```powershell Invoke-ShareFinder -Verbose ``` * Find Sesitive files on computers in the domain ```powershell Invoke-FileFinder -Verbose ``` * Get all fileservers of the domain ```powershell Get-NetFileServer ``` *** ## Group Policy (GPO) #### Provides the ability to manage configuration and changes easily and centraly in AD. ### Allows control of: * Security settings. * Registery-based policy settings. * Group policy preferences like startup/shutdown/log-on/logff/scripts/settings **Note:** Can be abused for various attacks like PrivESC,backdoors,persistence ..etc. ### Get list of GPO in current domain ```powershell #Powerview Get-NetGPO Get-NetGPO -ComputerName #GroupPolicy module Get-GPO -All Get-GPReusltSetOfPolicy -ReportType Html -Path C:\Users\Administrator\report.html #(Provides RSoP) ``` ### Get GPO(s) which user Restricted Groups or groups.xml for interesting users ```powershell #Powerview Get-NetGPOGroup ``` ### Get users in local group of machine using GPO ```powershell Find-GPOComputerAdmin -ComputerName ``` ### Get machines where the given user is member of a specific group ```powershell Find-GPOLocation -UserName -Verbose ``` ### Get OUs in domain ```powershell #Powerview Get-NetOU -FullData Get-ADorganizationalUnit -Filter * -Properties * ``` ### Get GPO applied on an OU \*\*Note:\*\*Read GPOname from gplink attribute from `Get-NetOU` ```powershell #Powerview Get-NetOU -GPOname "{STRING}" #GroupPoicy Module Get-GPO -Guid "STRING" #without brackets ``` *** ## Access Control Model #### Enabels control on the ability of a process to access objects and other resources in an AD based on: * Access Tokens (Security context of a process-identity and privs of a user) * Security Descriptors (SID of the owner,Discretionary ACL (DACL) and system ACL (SACl)) ![ACl](/files/W4a9cd4pQ8LSSySgnT9B) ### Get the ACLs associated with the specified object ```powershell Get-ObjectAcl -SamAccountName -ResloveGUIDs #Active Directory Module (Doesn't resolve GUIDs) (Get-ACL 'AD:\CN=Administrator,CN=Users,DC=,DC=,DC=local').Access ``` ### Get the ACLs associated with the specified prefix to be used for search ```powershell Get-ObjectAcl -ADSprefix 'CN=Administrator,CN=Users' -Verbose ``` ### Get ACLs associated with the specified LDAP path to be used for search ```powershell Get-ObjectAcl -ADSpath "LDAP://CN=Domain Admins,CN=Users,DC=,DC=,DC=local" -ResolveGUIDs -Verbose ``` ### Search for interesting ACEs ```powershell Invoke-ACLScanner -ResolveGUIDs ``` ### Get the ACLs associated with the specified path ```powershell Get-PathAcl -Path "\\ #Active Directory module Get-ADTrust Get-ADTrust -Identity ``` ## Forest mapping ### Get detail about thr current forest ```powershell #Powerview Get-NetForest Get-NetForest -Forest #Active Directory Module Get-ADForest Get-ADForest -Identity ``` ### Get all domoains in the current forest ```powershell GetNetForestDomain GetNetForestDomain -Forest #Active Directory Module (Get-ADForest).Domains ``` ### Get all global catalogs for the current forest ```powershell Get-NetForestCatalog Get-NetForestCatalog -Forest #Active Directory module Get-ADForest | select -ExpandProperty GlobalCatalogs ``` ### Map trusts of a forest ```powershell #Powerview Get-NetForest Get-NetForest -Forest #Active Directory module Get-ADTrust Get-ADTrust -Filter 'msDS-TrustForestTrustInfo -ne "$null"' ``` *** ## User hunting ### Find all machines on the current domain (Where the current user has ***local admin access***) ```powershell Find-LocalAdminAccess -Verbose ``` Above function queries the DC the current or provided domain for a list of computers **Get-NetComputer** and then use multi-threaded \*\*Invoke-CheckLocalAdminAccess \*\*on each machine. (Very Noisy) ![enumeratelocaladmin](/files/f6163CzFugAiP3nynJQo) This can also be done with the help of remote administration tools like WMI and PowerShell remoting because when **SMB** and **RPC** are disabled the `FindLocalAdminAccess` is blocked. * Use [**Find-WMILocalAdminAccess.ps1**](https://github.com/admin0987654321/admin1/blob/master/Find-WMILocalAdminAccess.ps1) (Very Noisy) ```powershell Find-WMILocalAdminAccess.ps1 -ComputerFile #Get the list with Get-NetComputer ``` ### Find local admins on all machines of the domain (Needs admin privs for non-dc machines). ```powershell Invoke-EnumerateLocalAdmin -Verbose ``` Above function queries the DC the current or provided domain for a list of computers `Get-NetComputer` and then use multi-threaded `GetNetLocalGroup` on each machine. (Very Noisy) * Same concept as the above pic. ### Find Computers where a domain admin (or specified user/group) has sessions ```powershell Invoke-UserHunter INvoke-UserHunter -GroupName "RDPUsers" ``` Above function queries the DC the current or provided domain for given group (**Domain admin by default**) using **Get-NtGroupMember**, gets a list of computers (**Get-NetComputer**) and list sessions and logged on users (**Get-NetSession/GetNetLoggedon**) from each machine. (Very Noisy) ### To confirm admin access ```powershell Invoke-UserHunter -CheckAccess ``` ### Find computers where a domain admin is logged-in ```powershell Invoke-UserHunter -Stealth ``` Above option queries of the DC of the current or provided domain for members of the given group (Domain Admins by default) using **Get-NetGroupMember**,gets a list **only** of high traffic servers (DC,File Servers and Distributed File Servers) for less traffic generation and list sessions and logged on users (**Get-NetSession/Get-NetLoggedon**) for each machine. *** ## BloodHound * Supply data to BloodHound ```powershell C:\PATH\BloodHound-master\Ingestors\SharpHound.ps1 Invoke-BloodHound -CollectionMethod All -Verbose #If it didn't collect Sessions you can get them easily by: Invoke-BloodHound -CollectionMethod LoggedOn -Verbose #The generated archive can be uploaded to the BloodHound application #To avoid detections like ATA Invoke-BloodHound -CollectionMethod All -ExcludeDC -Verbose #From linux crackmapexec smb -u -p -d -M bloodhound ``` --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter: ``` GET https://zeyad-abulaban.gitbook.io/notes/red-teaming/active-directory/domain-enumeration.md?ask=&goal= ``` `ask` is the immediate question: it should be specific, self-contained, and written in natural language. `goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.