Domain Enumeration
Using PowerView.ps1 and the AD Module
Checking for Domain Connections
[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
net user /domain
net user atlante.phillis /domain
net group /domain
net group "IT Admins" /domain
Current Domain
Get-NetDomain
Get-ADDomain
Another domain:
Get-NetDomain -Domain <name>
Get-ADDomain -Identity <name>
Domain SID:
Get-DomainSID
Domain Policy
Get-DomainPolicy
Domain controller
Get-NetDomainController
Get-NetDomainController -Domain <name>
Get-ADDomainController
User Enumeration
Get-NetUser
Get-NetUser -UserName <name>
Get-NetUser | select <property>   # any property
Get-ADUser -Filter * -Properties *
Get-ADUser -Identity <name> -Properties *
Get-UserProperty   # not working
Get-UserProperty -Properties <property>
# list every property name available on a user object
Get-ADUser -Filter * -Properties * | Select-Object -First 1 | Get-Member -MemberType Property | Select-Object Name
Very important:
Find-UserField -SearchField Description -SearchTerm "built"
Get-ADUser -Filter 'Description -like "*built*"' -Properties Description | select Name,Description
Computer Enumeration:
Get-NetComputer
Get-NetComputer -OperatingSystem "*Server 2016*"
Get-NetComputer -Ping
Get-NetComputer -FullData
Get-ADComputer -Filter * | Select Name
Get-ADComputer -Filter 'OperatingSystem -like "*Server 2016*"' -Properties OperatingSystem | select Name,OperatingSystem
Get-ADComputer -Filter * -Properties DNSHostName | %{Test-Connection -Count 1 -ComputerName $_.DNSHostName}
Get-ADComputer -Filter * -Properties <property>
Group Enumeration
Get-NetGroup
Get-NetGroup -Domain <target>
Get-NetGroup -FullData
Get-NetGroup *admin*
Get-NetGroupMember -GroupName "Domain Admins" -Recurse
Get-NetGroup -UserName "student1"
Get-ADGroup -Filter * | select Name
Get-ADGroup -Filter * -Properties <property>
Get-ADGroup -Filter 'Name -like "*admin*"' | select Name
Get-ADGroupMember -Identity "Domain Admins" -Recursive
Get-ADPrincipalGroupMembership -Identity student1
For local groups
Get-NetLocalGroup -ComputerName <name> -ListGroups
Get-NetLocalGroup -ComputerName <name> -Recurse
Logon check
Get-NetLoggedon -ComputerName <servername>
Get-LoggedOnLocal -ComputerName <servername>
Get-LastLoggedOn -ComputerName <servername>
Share enumeration (important files)
Find-DomainShare -CheckShareAccess
Invoke-ShareFinder -Verbose
Invoke-FileFinder -Verbose
Get-NetFileServer
GPO Enumeration
Get-NetGPO
Get-NetGPO -ComputerName <name>
Get-NetGPOGroup
gpresult /R
Find-GPOComputerAdmin -ComputerName <name>
Find-GPOLocation -UserName <name> -Verbose
OU Enumeration
Get-NetOU -FullData
Get-NetGPO -GPOname <name>
ACL enumeration
Get-ObjectAcl -SamAccountName <name> -ResolveGUIDs
Get-ObjectAcl -ADSprefix 'CN=Administrator,CN=Users' -Verbose
Get-ObjectAcl -ADSpath "LDAP://CN=Domain Admins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local" -ResolveGUIDs -Verbose
Invoke-ACLScanner -ResolveGUIDs   # searches for interesting ACLs
Get-PathAcl -Path "\\dcorp-dc.dollarcorp.moneycorp.local\sysvol"
Convert-SidToName <SID>
Domain Trust Enumeration
- One-way trust
- Two-way trust
Get-NetDomainTrust
Get-NetDomainTrust -Domain <name>
Get-ADTrust
Get-ADTrust -Identity <name>
Forest Enumeration
get-netForest
Get-NetForest -Forest <name>
Get-ADForest
Get-ADForest -Identity <name>
# all domains in the current forest
Get-NetForestDomain
Get-NetForestDomain -Forest <name>
Global catalog
Get-NetForestCatalog
Get-NetForestCatalog -Forest <name>
Get-ADForest | select -ExpandProperty GlobalCatalog
Forest trust
Get-NetForestTrust
Get-NetForestTrust -Forest <name>
Get-ADTrust -Filter 'msDS-TrustForestTrustInfo -ne "$null"'
User Hunting
The permissions required to enumerate sessions with NetSessionEnum are defined in the SrvsvcSessionInfo registry value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity.
# PowerView
Find-LocalAdminAccess -Verbose
Get-NetComputer   # important
Get-NetSession   # uses the NetWkstaUserEnum and NetSessionEnum APIs under the hood
Invoke-CheckLocalAdminAccess
# use Find-WMILocalAdminAccess.ps1
Invoke-EnumerateLocalAdmin -Verbose   # uses Get-NetLocalGroup
# Important
Invoke-UserHunter
Invoke-UserHunter -Stealth
Invoke-UserHunter -GroupName "RDPUsers"   # uses Get-NetGroupMember
# Confirm admin access
Invoke-UserHunter -CheckAccess
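To see who is allowed to enumerate sessions on a given host, a defender can decode the security descriptor stored in that registry value. The script below is an added audit example and is not part of the original notes or of PowerView; it assumes it runs locally with rights to read HKLM and that the value holds a self-relative security descriptor (its documented format). It lists each ACE and flags the well-known Authenticated Users SID (S-1-5-11), whose presence is the default that lets any domain user call NetSessionEnum against the host; removing that ACE is the hardening applied by Microsoft's NetCease script.

```powershell
# Added audit example (not from the original notes): who can read the session-enumeration
# security descriptor on this host. Output account names are whatever the host resolves.
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity'
$name = 'SrvsvcSessionInfo'

function Get-SessionEnumAcl {
    # The value is REG_BINARY holding a self-relative security descriptor.
    $bytes = (Get-ItemProperty -Path $key -Name $name).$name
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $bytes, 0

    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier
        $account = $sid.Value
        # Translate to a friendly name when possible; fall back to the raw SID.
        try { $account = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { }

        [pscustomobject]@{
            Account    = $account
            Sid        = $sid.Value
            AceType    = $ace.AceType
            AccessMask = ('0x{0:X}' -f $ace.AccessMask)
        }
    }
}

$acl = Get-SessionEnumAcl
$acl | Format-Table -AutoSize

# S-1-5-11 = Authenticated Users. Present by default, which is what lets any domain
# user enumerate sessions (and why user hunting works out of the box).
if ($acl.Sid -contains 'S-1-5-11') {
    Write-Warning "Authenticated Users can enumerate sessions on $env:COMPUTERNAME (default configuration)."
} else {
    Write-Output "Authenticated Users ACE not present; session enumeration is restricted on $env:COMPUTERNAME."
}
```

Run it on a sample of servers and workstations to verify whether the hardening has actually been applied, since a single unhardened host in a privileged user's session path is enough for the enumeration to succeed.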