
Windows

ActiveDirectory PowerShell Module

# Discover Modules
# Lists the modules currently loaded in this session (used here to check whether
# ActiveDirectory is already available; presumably needs RSAT / the AD module installed)
Get-Module

# Load ActiveDirectory Module
Import-Module ActiveDirectory
# Re-list to confirm ActiveDirectory now shows up
Get-Module

# Get Domain Info
Get-ADDomain

# Get-ADUser with SPN to get accounts that may be susceptible to a Kerberoasting attack
# NOTE(review): the quoted "$null" is intentional — the AD filter syntax does not accept a bare $null here
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName

# Checking For Trust Relationships
Get-ADTrust -Filter *

# Group Enumeration (name only)
Get-ADGroup -Filter * | select name

# Detailed Group Info
Get-ADGroup -Identity "Backup Operators"

# Group Membership (direct members of the group)
Get-ADGroupMember -Identity "Backup Operators"

PowerView

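 # load the module
# Dot-source the script so its functions are defined in the current session;
# running it as ".\powerview.ps1" executes it in a child scope and leaves nothing loaded.
. .\powerview.ps1

# Domain User Information
# Pull the attributes most relevant to account hygiene (creation, password age,
# last logon, expiry, admincount, SPNs, UAC flags) for one user
Get-DomainUser -Identity mmorgan -Domain inlanefreight.local | Select-Object -Property name,samaccountname,description,memberof,whencreated,pwdlastset,lastlogontimestamp,accountexpires,admincount,userprincipalname,serviceprincipalname,useraccountcontrol

# Recursive Group Membership (expands nested groups)
Get-DomainGroupMember -Identity "Domain Admins" -Recurse

# Trust Enumeration
Get-DomainTrustMapping

# Testing for Local Admin Access
Test-AdminAccess -ComputerName ACADEMY-EA-MS01

# Finding Users With SPN Set
Get-DomainUser -SPN -Properties samaccountname,ServicePrincipalName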


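#############---  Domain Enumeration domains, users, groups, shares   ---##############
# Older PowerView (Get-Net*) naming. Everything in this section is read-only enumeration.

# Get current Domain
Get-NetDomain

# Get domain SID
Get-DomainSID

# Get Domain Policy for current Domain
Get-DomainPolicy
# Index the returned policy by section name (cmdlet name fixed, was "Get-DomainPloicy";
# the Kerberos section is named "Kerberos Policy", not "Kerberos access")
(Get-DomainPolicy)."system access"
(Get-DomainPolicy)."Kerberos Policy"

# Get Domain Controllers for current Domain
Get-NetDomainController

# Get a list of users in current Domain
Get-NetUser
Get-NetUser | select cn # or any property you want to check
Get-NetUser -Username student1

# Get list of all properties for users in the current Domain
Get-UserProperty
# Single-property views: password age, failed-logon count, logon count
Get-UserProperty -Properties pwdlastset
Get-UserProperty -Properties badpwdcount
Get-UserProperty -Properties logoncount

# Search for a particular string in a user's attributes
Find-UserField -SearchField Description -SearchTerm "built"

# Get a list of Computers in Current Domain
Get-NetComputer
Get-NetComputer -OperatingSystem "*Server 2016"
Get-NetComputer -Ping
Get-NetComputer -FullData
# property name fixed (was "operatinsystem")
Get-NetComputer -FullData | select operatingsystem

# Get all the groups in the current Domain
Get-NetGroup
Get-NetGroup -Domain <targetdomain>
Get-NetGroup -FullData
Get-NetGroup 'Domain Admins' -FullData

# Get all groups containing the word "admin" in group name
Get-NetGroup -GroupName *admin*

# Get all the members of Domain Admins Group
Get-NetGroupMember -GroupName "Domain Admins" -Recurse
Get-NetGroupMember -GroupName "Enterprise Admins" -Domain dashcorp.local

# Get the group membership for a user (sample account name aligned with the rest of the page)
Get-NetGroup -UserName "student1"

# list all the local groups on a machine (needs administrator priv on non-dc machines)
Get-NetLocalGroup -ComputerName dcorp-dc.dlr.moneycorp.local -ListGroups

# get members of all the local groups on a machine (needs administrator priv on non-dc machines)
Get-NetLocalGroup -ComputerName dcorp-dc.dlr.moneycorp.local -Recurse

# Get actively logged users on a computer (need local admin rights on the target )
Get-NetLoggedon -ComputerName <servername>

# Get locally logged users on a computer (needs remote registry on the target- started by default on server OS )
Get-LoggedonLocal -ComputerName dcorp-dc.dlrcorp.moneycorp.local

# Get the last logged user on a computer (needs administrative rights and remote registry on the target)
Get-LastLoggedOn -ComputerName <servername>

# Find shares on hosts in current domain
Invoke-ShareFinder -Verbose
# Skip the default admin shares, printer shares and IPC$ (switch name fixed, was "-ExcludeTPC")
Invoke-ShareFinder -Verbose -ExcludeStandard -ExcludePrint -ExcludeIPC

# Find Sensitive files on computers in the domain
Invoke-FileFinder -Verbose

# Get all fileservers of the domain
Get-NetFileServer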


######################------  Domain Enumeration - GPO   ------######################

# Get list of GPO in current Domain
Get-NetGPO
Get-NetGPO | select displayname
# GPOs applied to a specific computer
Get-NetGPO -ComputerName dcorp-sc.student1.dlrcorp.mcorp.local

# Get GPO(s) which use Restricted Groups or groups.xml for interesting users
Get-NetGPOGroup

# Get users which are in a local group of a machine using GPO
Find-GPOComputerAdmin -ComputerName dcorp-stadmin.dlrcrp.mcrp.local

# Get machines where the given user is member of a specific group

Find-GPOLocation -Username student1 -Verbose


######################------  Domain Enumeration - OU    ------######################

# Get OUs in a domain
Get-NetOU 
# -FullData returns every attribute, including the gplink used below
Get-NetOU  -FullData 

# Get GPO applied on an OU. Read GPOname from gplink attribute from Get-NetOU
# (the value below is a truncated placeholder — substitute the full GUID from gplink)
Get-NetGPO -GPOname "{AD68---881}"


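######################------  Domain Enumeration - ACL    ------######################

# Get the ACLs associated with the specified object
# (-ResolveGUIDs turns right/property GUIDs into readable names; switch name fixed, was "-ResolvesGUIDs")
Get-ObjectAcl -SamAccountName student1 -ResolveGUIDs

# Get the ACLs associated with the specified prefix to be used for search
Get-ObjectAcl -ADSprefix 'CN=Administrator,CN=Users' -Verbose

# Get the ACLs associated with the specified LDAP path to be used for search
Get-ObjectAcl -ADSpath "LDAP://CN=Domain Admins,CN=Users,Dc=dlrcorp,DC=mcorp,DC=local" -ResolveGUIDs -Verbose

# Search for Interesting ACEs
Invoke-ACLScanner -ResolveGUIDs

# Get the ACLs associated with the specified path
Get-PathAcl -Path "\\dcorpdc.dlrcrp.mcrp.local\sysvol"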
# Snaffler Execution
# -s print to stdout, -d target domain, -o log file, -v verbosity level ("data" = findings only)
# NOTE(review): flag meanings taken from Snaffler's usage text — confirm against the installed version
Snaffler.exe -s -d domain.local -o snaffler.log -v data

Sharphound



Snaffler