Security
  • IT Security Knowledge Base
  • Blue team
    • Linux System Hardening
    • Phishing Analysis
    • Snort
    • Yara
  • Capture the Flag
    • OverTheWire
      • Bandit
        • Bandit Level 0
        • Bandit Level 0 → Level 1
        • Bandit Level 1 → Level 2
        • Bandit Level 2 → Level 3
        • Bandit Level 3 → Level 4
        • Bandit Level 4 → Level 5
        • Bandit Level 5 → Level 6
        • Bandit Level 6 → Level 7
        • Bandit Level 7 → Level 8
        • Bandit Level 8 → Level 9
        • Bandit Level 9 → Level 10
        • Bandit Level 10 → Level 11
        • Bandit Level 11 → Level 12
        • Bandit Level 12 → Level 13
        • Bandit Level 13 → Level 14
        • Bandit Level 14 → Level 15
        • Bandit Level 15 → Level 16
        • Bandit Level 16 → Level 17
        • Bandit Level 17 → Level 18
        • Bandit Level 18 → Level 19
        • Bandit Level 19 → Level 20
        • Bandit Level 20→ Level 21
        • Bandit Level 21→ Level 22
        • Bandit Level 22 → Level 23
        • Bandit Level 23 → Level 24
        • Bandit Level 24 → Level 25
        • Bandit Level 25 → Level 26
        • Bandit Level 26 → Level 27
        • Bandit Level 27 → Level 28
        • Bandit Level 28 → Level 29
        • Bandit Level 29 → Level 30
        • Bandit Level 30 → Level 31
        • Bandit Level 31 → Level 32
        • Bandit Level 32 → Level 33
    • OWASP Juice Shop
      • Installation
      • Level 1 - Challenges
      • Level 2 - Challenges
    • TryHackMe Rooms
      • Anthem
      • Capture!
      • Corridor
      • Gotta Catch'em All!
      • Mustacchio
      • Neighbour
      • Opacity
      • Source
    • CEH v12 practical resources
  • Cryptology
    • CryptoHack
      • Course: Introduction to CryptoHack
        • Introduction - Challenges
        • General - Encoding
        • General - XOR
      • Course: Modular Arithmetic
        • General - Mathematics
        • Mathematics - Modular Math
        • Mathematics - Brainteasers Part 1
      • Course: Symmetric Cryptography
        • How AES Works
        • Symmetric Starter
        • Block Ciphers
        • Stream Ciphers
  • Red Team
    • Reconnaissance
      • Foot-printing
      • Scanning (Nmap)
      • Enumeration
    • Vulnerability Analysis
    • Initial Access
      • Obtaining credentials
      • Vulnerability Exploitation
        • Buffer Overflow
        • Metasploit and Armitage
        • Ninja Jonin
    • Active Directory
      • Connect to AD
      • AD Explore
      • CMD and PowerShell enumeration
      • Certificates in AD
      • LDAP Pass-back Attacks
      • Cracking NetNTLM Challenge with Responder
      • Exploring Configuration Files for AD Credentials
      • Pass the hash with evil WinRM
      • Understanding Runas
    • Malware
    • Sniffing
      • Intercept HTTP traffic - Hetty
      • Intercept HTTP traffic - Bettercap
      • Wireshark
    • Social Engineering
    • Denial of Service
    • Web Hacking
      • Burp Suite
      • OWASP ZAP
      • Web servers
      • Web Server Footprinting
      • Directory Enumeration
      • Session Hijacking
      • Web Shells
      • Web vulnerability scanners
      • SQL Injection
    • Cloud
    • Wireless Networks
      • Attacking WEP
      • Attacking WPA/WPA2
    • Mobile Devices
    • Network Security Evasion
    • Privileges Escalation
    • Maintain Access and Hide Malicious Activity
      • Backdooring
    • Cover your Tracks
  • Internet of Things
    • IoT in general
    • Common IoT Protocols
      • CoAP
      • MQTT
      • ZIGBEE
      • Bluetooth
    • Scapy
      • Sniffing and spoofing
      • ARP cache Poisoning
  • Projects
    • Cybersecurity Roadshow
Powered by GitBook
On this page
  • Command Prompt Enumeration
  • PowerShell Enumeration:
  1. Red Team
  2. Active Directory

CMD and PowerShell enumeration

Command Prompt Enumeration

User Enumeration:

  • To list all domain users:

    net user /domain

  • To retrieve detailed information for a specific user:

    net user [USER] /domain

Group Enumeration:

  • To list all domain groups:

    net group /domain

  • To view members of a specific group:

    net group "[Group]" /domain

Password Policy:

  • To access the domain's password policy:

    net accounts /domain

PowerShell Enumeration:

User Enumeration:

  • To list all domain users using PowerShell:

    Get-ADUser

  • To retrieve detailed information for a specific user on a specific domain controller:

    Get-ADUser -Identity [USER] -Server [DCHOST] -Properties *

  • To search for users whose names match a specific pattern:

    Get-ADUser -Filter 'Name -like "*[USER]"' -Server [DCHOST] | Format-Table Name, SamAccountName -AutoSize

  • To list all group memberships for a user:

    (Get-ADUser -Identity 'USERNAME' -Properties MemberOf | Select-Object MemberOf).MemberOf

Group Enumeration:

To list all domain groups using PowerShell:

Get-ADGroup

To retrieve information about a specific group on a specific domain controller:

Get-ADGroup -Identity Administrators -Server [DCHOST]

To list members of a specific group on a specific domain controller:

Get-ADGroupMember -Identity Administrators -Server [DCHOST]

Get Domain Admins

Get-ADGroupMember -Identity "Domain Admins" -Server [DCHOST]

Get groups that are members of Domain Admins. This script will look through all direct members and their group members. It will only show groups, not users (use Bloodhound).

# Authenticate against AD
$credentials = Get-Credential
$server = 'DC HOSTNAME'

# Get the 'Domain Admins' group from Active Directory
$domainAdminsGroup = Get-ADGroup -Identity "Domain Admins" -Server $server -Credential $credentials

# Retrieve all groups that are members of the 'Domain Admins' group
$memberOf = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($domainAdminsGroup.DistinguishedName))" -Server $server -Credential $credentials

# Iterate through each found group and retrieve their member groups
foreach ($group in $memberOf) {
    Write-Host "`nGroups that are members of $($group.Name):"
    $memberGroups = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($group.DistinguishedName))" -Server $server -Credential $credentials | Select Name, GroupCategory, GroupScope
    $memberGroups 
}

AD Objects:

  • To perform a generic search for AD objects based on a specified date:

    $ChangeDate = New-Object DateTime(2022, 02, 28, 12, 00, 00)
Get-ADObject -Filter 'whenChanged -gt $ChangeDate' -includeDeletedObjects -Server [DCHOST]

  • To enumerate accounts with a bad password count greater than 0:

    Get-ADObject -Filter 'badPwdCount -gt 0' -Server [DCHOST]

Domains:

  • To retrieve domain information on a specific domain controller:

    Get-ADDomain -Server [DCHOST]

For Comprehensive Enumeration:

For more comprehensive enumeration, consider using tools like Sharphound and Bloodhound.

PreviousAD ExploreNextCertificates in AD

Last updated 1 year ago