AD Enum

Live Host Enumeration

• Conduct a ping sweep on the IP range

• Use NetExec on the IP range (better information)

• Use Responder to catch IP addresses

Be sure to properly understand the role of each host. Do your service enumeration.

User Enumeration

With foothold

• Get user list via SMB

Without foothold

• Attempt to get user list via SMB Null Authentication

• Attempt to get user list via LDAP Anonymous Bind

• Attempt to get user list via RPCClient

• Attempt to get user list via RID brute-forcing

• Attempt to get user list via Kerbruting

Some of these techniques are not guaranteed to discover all users. At least try the SMB, LDAP, RPCClient and RID methods.

Get Foothold

• Find Kerberoastable users from the user list

• Find ASREProastable users from the user list

• Use Responder to catch credential hashes

• Try SMB Null Authentication to spider through SMB shares looking for credentials

• Get SYSTEM / root on Domain connected host to get a Computer account

• As a last resource, try password spraying with the user list

Password spraying can lock accounts due to repeated failed attempts and should be used cautiously.

Enumeration

Hack Responsibly.

Always ensure you have explicit permission to access any computer system before using any of the techniques contained in these documents. You accept full responsibility for your actions by applying any knowledge gained here.

Without Active Directory module installed

Get Current Domain Info

[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

Get Domain Trusts

([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).GetAllTrustRelationships()

Get Forest Info

[System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

Get Forest Trust Relationships

([System.DirectoryServices.ActiveDirectory.Forest]::GetForest((New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Forest', 'forest-of-interest.local')))).GetAllTrustRelationships()

Enumerate Domain Users

Get User-related Environment Variables (cmd.exe)

set u

List all Usernames

([adsisearcher]"(&(objectClass=User)(samaccountname=*))").FindAll().Properties.samaccountname

List Administrators

([adsisearcher]"(&(objectClass=User)(admincount=1))").FindAll().Properties.samaccountname

List all Info about specific user

PowerShell

([adsisearcher]"(&(objectClass=User)(samaccountname=$UserName))").FindAll().Properties

cmd.exe

View All Users with Description Field Set

([adsisearcher]"(&(objectClass=group)(samaccountname=*))").FindAll().Properties | % { Write-Host $_.samaccountname : $_.description }

Using Active Directory PowerShell module

View all Active Directory commands

Get-Command -Module ActiveDirectory

Display Basic Domain Information

Get-ADDomain

Get Domain SID

Get-DomainSID

Enumerate other Domains:

Get-ADDomain -Identity $DomainName

List Domain Controllers

Get-ADDomainController
Get-ADDomainController -Identity $DomainName

Get all Domain Controllers by Hostname and Operating System

Get-ADDomainController -filter * | select hostname, operatingsystem

Enumerate Domain Computers:

Get-ADComputer -Filter * -Properties *
Get-ADGroup -Filter *

Enumerate Domain Trust:

Get-ADTrust -Filter *
Get-ADTrust -Identity $DomainName

Enumerate Forest Trust:

Get-ADForest
Get-ADForest -Identity $ForestName

#List Domains in a Forest
(Get-ADForest).Domains

Enumerate Local AppLocker Effective Policy:

Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections

Get all Fine Grained Password Policies

Get-ADFineGrainedPasswordPolicy -filter *

Get Domain Default Password Policy

Gets the password policy from the logged in domain

Get-ADDefaultDomainPasswordPolicy

Backup Active Directory System State Remotely

This will back up the domain controllers system state data. Change DC-Name to your server name and change the Backup-Path. The backup path can be a local disk or a UNC path

Invoke-Command -ComputerName $DC_Name -scriptblock {wbadmin start systemstateback up -backupTarget:"Backup-Path" -quiet}

AD User Enumeration

Get User and List All Properties (attributes)

For the variable $username use the samAccountName of the account

Get-ADUser $username -Properties *

Get User and list only specific properties

Get-ADUser $username -Properties * | Select name, department, title

Find a specific string in a certain user's attribute

Get-ADUser -Filter 'Description -like "*pass*"' -Properties Description | select Name, Description

Get All Active Directory Users in Domain

Get-ADUser -Filter *

Get All Users From a Specific OU

OU = Full distinguished path of the OU

Get-ADUser -SearchBase “OU=Domain Users,dc=test,dc=local” -Filter *

Get AD Users by Name

This command will find all users that have the word bob in the name.

Get-Aduser -Filter {name -like "*bob*"}

Get All Disable User Accounts

Search-ADAccount -AccountDisabled | select name

Disable User Account

Disable-ADAccount -Identity $UserName

Enable User Account

Enable-ADAccount -Identity $UserName

Get All Accounts with Password Set to Never Expire

Get-Aduser -filter * -properties Name, PasswordNeverExpires | where {$_.passwordNeverExpires -eq "true" } | Select-Object DistinguishedName,Name,Enabled

Find All Locked User Accounts

Search-ADAccount -LockedOut

Unlock User Account

Unlock-ADAccount –Identity $UserName

List all Disabled User Accounts

Search-ADAccount -AccountDisabled

Force Password Change at Next Login

Set-ADUser -Identity $UserName -ChangePasswordAtLogon $true

Move a Single User to a New OU

You will need the distinguishedName of the user and the target OU

Move-ADObject -Identity "CN=bob,OU=Users,DC=ad,DC=test,DC=local" -TargetPath "OU=HR,OU=Users,DC=ad,DC=ad,DC=com"

Move Users from one OU to another using a CSV file

Create a csv with a name field containing a list of the users SamAccountName's. Then just change the target OU path to move the users.

# Specify target OU. 
$TargetOU = "OU=HR,OU=Users,DC=ad,DC=test,DC=local"

# Read user SAMAccountNames from csv file (field labeled "Name"). 
Import-Csv -Path $csvFile | ForEach-Object { 

  # Retrieve the distinguishedName of the User. 
  $UserDN = (Get-ADUser -Identity $_.Name).distinguishedName 

  # Move user to target OU. 
  Move-ADObject -Identity $UserDN -TargetPath $TargetOU 
}

AD Group Commands

Get All members of a Security group

Get-ADGroupMember -identity $GroupName

Get All Security Groups

This will list all security groups in a domain

Get-ADGroup -filter *

Add User to Group

Add-ADGroupMember -Identity $GroupName -Members $user1, $user2

Export Users From a Group

This will export group members to a CSV, change group-name to the group you want to export.

Get-ADGroupMember -identity $GroupName | select name | Export-csv -Path $OutCsv -NoTypeInformation

Get Group by keyword

Get-AdGroup -filter * | Where-Object {$_.name -like "*$GroupName*"}

Import a List of Users to a Group

$members = Import-CSV $csvFile | Select-Object -ExpandProperty samaccountname | Add-ADGroupMember -Identity $GroupName -Members $members

AD Computer Commands

List All Computers

Get-AdComputer -filter *

List All Computers by Name

Get-ADComputer -filter * | select name

Get All Computers from a specific OU

Get-ADComputer -SearchBase "OU=$DistinguishedName" -Filter *

Get a Count of All Computers in Domain

Get-ADComputer -filter * | measure

Get all Windows 10 Computers

Get-ADComputer -filter {OperatingSystem -Like '*Windows 10*'} -property * | select name, operatingsystem

Get a Count of All computers by Operating System

This will provide a count of all computers and group them by the operating system. A great command to give you a quick inventory of computers in AD.

Get-ADComputer -Filter "name -like '*'" -Properties operatingSystem | group -Property operatingSystem | Select Name,Count

Delete a single Computer

Remove-ADComputer -Identity "$ComputerName"

Delete a List of Computer Accounts

Add the hostnames to a text file and run the command below.

Get-Content -Path $ComputerList | Remove-ADComputer

Delete Computers From an OU

Get-ADComputer -SearchBase "OU=$DistinguishedName" -Filter * | Remote-ADComputer

Using PowerView

• Get Current Domain: Get-NetDomain

• Enumerate other Domains: Get-NetDomain -Domain $DomainName

• Get Domain SID: Get-DomainSID

• Get Domain Policy:

  Get-DomainPolicy
  
  #Will show us the policy configurations of the Domain about system access or kerberos
  (Get-DomainPolicy)."system access"
  (Get-DomainPolicy)."kerberos policy"

• Get Domain Controllers:

  Get-NetDomainController
  Get-NetDomainController -Domain $DomainName

• Enumerate Domain Users:

  Get-NetUser
  Get-NetUser -SamAccountName $user
  Get-NetUser | select cn
  Get-UserProperty
  
  #Check last password change
  Get-UserProperty -Properties pwdlastset
  
  #Get a spesific "string" on a user's attribute
  Find-UserField -SearchField Description -SearchTerm "wtver"
  
  #Enumerate user logged on a machine
  Get-NetLoggedon -ComputerName $ComputerName
  
  #Enumerate Session Information for a machine
  Get-NetSession -ComputerName $ComputerName
  
  #Enumerate domain machines of the current/specified domain where specific users are logged into
  Find-DomainUserLocation -Domain $DomainName | Select-Object UserName, SessionFromName

• Enumerate Domain Computers:

  Get-NetComputer -FullData
  Get-DomainGroup
  
  #Enumerate Live machines 
  Get-NetComputer -Ping

• Enumerate Groups and Group Members:

  Get-NetGroupMember -GroupName "$GroupName" -Domain $DomainName
  
  #Enumerate the members of a specified group of the domain
  Get-DomainGroup -Identity $GroupName | Select-Object -ExpandProperty Member
  
  #Returns all GPOs in a domain that modify local group memberships through Restricted Groups or Group Policy Preferences
  Get-DomainGPOLocalGroup | Select-Object GPODisplayName, GroupName

• Enumerate Shares

  #Enumerate Domain Shares
  Find-DomainShare
  
  #Enumerate Domain Shares the current user has access
  Find-DomainShare -CheckShareAccess

• Enumerate Group Policies:

  Get-NetGPO
  
  # Shows active Policy on specified machine
  Get-NetGPO -ComputerName $ComputerName
  Get-NetGPOGroup
  
  #Get users that are part of a Machine's local Admin group
  Find-GPOComputerAdmin -ComputerName $ComputerName

• Enumerate OUs:

  Get-NetOU -FullData 
  Get-NetGPO -GPOname $GPO_GUID

• Enumerate ACLs:

  # Returns the ACLs associated with the specified account
  Get-ObjectAcl -SamAccountName $AccountName -ResolveGUIDs
  Get-ObjectAcl -ADSprefix 'CN=Administrator, CN=Users' -Verbose
  
  #Search for interesting ACEs
  Invoke-ACLScanner -ResolveGUIDs
  
  #Check the ACLs associated with a specified path (e.g smb share)
  Get-PathAcl -Path $Share_Path

• Enumerate Domain Trust:

  Get-NetDomainTrust
  Get-NetDomainTrust -Domain $DomainName

• Enumerate Forest Trust:

  Get-NetForestDomain
  Get-NetForestDomain Forest $ForestName
  
  #Domains of Forest Enumeration
  Get-NetForestDomain
  Get-NetForestDomain Forest $ForestName
  
  #Map the Trust of the Forest
  Get-NetForestTrust
  Get-NetDomainTrust -Forest $ForestName

• User Hunting:

  #Finds all machines on the current domain where the current user has local admin access
  Find-LocalAdminAccess -Verbose
  
  #Find local admins on all machines of the domain:
  Invoke-EnumerateLocalAdmin -Verbose
  
  #Find computers were a Domain Admin OR a spesified user has a session
  Invoke-UserHunter
  Invoke-UserHunter -GroupName "RDPUsers"
  Invoke-UserHunter -Stealth
  
  #Confirming admin access:
  Invoke-UserHunter -CheckAccess

  Escalate Privileges to Domain Admin with User Hunting:

  • If you have local admin access on a machine

  • If A Domain Admin has a session on that machine

  • Steal their token and impersonate them!

PowerView 3.0 Tricks

Using BloodHound

#Using .exe ingestor
.\SharpHound.exe --CollectionMethod All --LDAPUser $UserName --LDAPPass $Password --JSONFolder $OutFile_Path

#Using powershell module ingestor
.\SharpHound.ps1
Invoke-BloodHound -CollectionMethod All  -LDAPUser $UserName -LDAPPass $Password -OutputDirectory $OutFile_Path

Group Policy

Get all GPO related commands

Get-Command -Module grouppolicy

Get all GPOs by status

Get-GPO -all | select DisplayName, gpostatus

Backup all GPOs in the Domain

Backup-Gpo -All -Path E:GPObackup

Enumeration using nltest and .Net

Get Domain Information

nltest /DCLIST:DomainName
nltest /DCNAME:DomainName
nltest /DSGETDC:DomainName

Get Current Domain Info

nltest /dsgetdc:test.local

set l

View Domain Forest Info

nltest /domain_trusts

View Domain Trust Information

PowerShell

([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).GetAllTrustRelationships()

([System.DirectoryServices.ActiveDirectory.Forest]::GetForest((New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Forest', 'forest-name.local')))).GetAllTrustRelationships()

cmd.exe

View All Domain Controllers

nltest /dclist:$domainFQDN
net group "domain controllers" /domain

View DC for Current Session

nltest /dsgetdc:$domainFQDN

Kerberos

Get domain name and DC the user authenticated to

klist

Get All Logged on Sessions, Includes NTLM & Kerberos

klist sessions

View Current Kerberos Tickets

klist

View Cached Krbtgt

klist tgt

Other useful AD enumeration tools

• LDAPDomainDump Information dumper via LDAP, Gathers the AD schema details.

• adidnsdump Integrated DNS dumping by any authenticated user

• ACLight Advanced Discovery of Privileged Accounts

• ADRecon Detailed Active Directory Recon Tool

• ADExplorer easily navigate an AD database, save snapshots of an AD database for off-line viewing.