Domain Enumeration Cheatsheet

By -

In this post, I am going to share a cheatsheet which you can use while doing domain enumeration in active directory environment. Let's begin. 

Always Enumerate following things first:
  1. Users
  2. Computers
  3. Domain Administrators
  4. Enterprise Administrators
  5. Shares

[*] Import Powerview
 

[*] Get current domain

 
1. Get-NetDomain   
 
 
[*] Get object of another domain

1. Get-NetDomain -Domain test.dc.com

 

[*] Get domain SID for the current domain

1. Get-DomainSID

 

[*] Get domain policy for the current domain


1. Get-DomainPolicy
2. Get-DomainPolicy."system access"

 

[*] Get Domain Controllers for the current domain

1. Get-NetDomainController

 

[*] Get a list of users in the current domain

1.  Get-NetUser


[*] Get list of all properties for users in the current domain


1.  Get-UserProperty
2.  Get-UserProperty -properties pwdlastset
3.  Get-UserProperty -Properties logoncount
4.  Get-UserProperty -Properties badpwdcount

 

[*] Search for a particular string in a user's attributes:

1. Find-UserField -SearchField Description -SearchTerm "built"

 

[*] Get a list of computers in the current domain


1. Get-NetComputer
2. Get-NetComputer -Ping
3. Get-NetComputer -OperatingSystem "*Server 2012*"
4. Get-NetComputer -FullData

 

[*] Get a list of groups in the current domain


1. Get-NetGroup
2. Get-NetGroup -FullData
3. Get-NetGroup 'Domain Admins' -FullData
4. Get-NetGroup *admin*

 

[*] Get all the members of the Domain Admins group

1. Get-NetGroupMember  -GroupName "Domain Admins" -Recurse

 

[*] Get the group membership for a user

1. Get-NetGroup -Username "Thanos"

 

[*] List all the local groups on the machine

1. Get-NetLocalGroup -ComputerName WIN-8542F7P0C5H.dc.com -ListGroups

 

[*] Find shares on hosts in current domain

1. Invoke-ShareFinder -Verbose

 

[*] Find sensitive files on computers in the doman

1. Invoke-FileFinder -Verbose

 

[*] Get all fileservers of the domain

1. Get-NetFileServer

 

[*] Get list of GPO in the current domain

1. Get-NetGPO
2. Get-NetGPO | select displayname
3. Get-NetGPO -ComputerName test.dc.com


[*] Get list of OU in the current domain

 1. Get-NetOU
 2. Get_NetOU -FullData


[*] Get GPO applied on an OU. Read GPOname from gplink attribute from Get-NetOU

1. Get-NetGPO -GPOname '{6AC1786C-016F-11D2-945F-00C04fB984F9}'


[*] Get a list of all domain trust for the current domain

1. Get-NetDomainTrust
2. Get-NetDomainTrust -Domain child.dc.com
  

[*] Get details about the current forest

1. Get-NetForest
2. Get-Forest -Forest dc1.com
    

[*] Get all domains in the current forest

 1. Get-NetForestDomain
 2. Get-NetForestDomain -Forest dc1.com


[*] Map trusts of a forest

1. Get-NetForestTrust
2. Get-NetForestTrust -Forest dc1.com


[*] Find all machines on the current domain where the current user has local admin access

1. Find-LocalAdminAccess -Verbose


[*] Find local admins on all machines of the domain

1. Invoke-EnumerateLocalAdmin -Verbose


[*] Find computers where a domain admin has sessions

1. Invoke-UserHunter
2. Invoke-UserHunter -GroupName "RDPUsers"

 

Do share if you like the post. Happy Hacking! 😊

 

 






Comments

Post a Comment

Popular posts from this blog

API Testing Checklist

By -
Checkpoints: 1. Older APIs versions tend to be more vulnerable and they lack security mechanisms. Leverage the predictable nature of REST APIs to find old versions. Saw a call to 'api/v3/login'? Check if 'api/v1/login' exists as well. It might be more vulnerable. 2. Never assume there’s only one way to authenticate to an API! Modern apps have many API endpoints for AuthN: `/api/mobile/login` | `/api/v3/login` | `/api/magic_link`; etc. Find and test all of them for AuthN problems. 3. Remember how SQL Injections used to be extremely common 5-10 years ago, and you could break into almost every company? BOLA (IDOR) is the new epidemic of API security. 4. Testing a Ruby on Rails App & noticed an HTTP parameter containing a URL? Developers sometimes use "Kernel#open" function to access URLs == Game Over. Just send a pipe as the first character and then a shell command (Command Injection by design) Reference Link: https://apidock.com/ruby/Kernel/open 5. Found SSR...
Read more

THE PLANETS: MERCURY Walkthrough - VulnHub

By -
Image
Introduction Getting back to CTF solving after a looong break, is a difficult task. So, I decided to proceed with an EASY challenge, and  VulnHub  was the obvious choice to find the one. In few searches, I found a perfect machine to start with -  'The Planets: Mercury' .   This boot2root machine had 2 flags: USER & ROOT. The USER flag can be obtained by  SQLi  ==>  Creds  ==>  SSH  ==>  FLAG . The ROOT flag is were an interesting PrivEsc lie in. Hope you find this writeup interesting & useful! Information Gathering Port Scan: Nmap To begin with reconnaissance, let's find out open ports with Nmap, with service version enumerations: Port 8080 So this looks like a simple page with no secrete or hint. Let's try accessing some common directories: Visiting ' admin ' directory, we got the error page. This happened as the site is built on  Django  with  Debug  set to  True . Luckily for us, the URL ...
Read more

OSCP - Personal Notes

By -
Image
  Hey Guys, in this post I am just going to copy paste my notes which I collected during my OSCP journey from different sources. Feel free to collaborate. 💀 [*] SSH - 22 Tunneling ssh -L 8443:127.0.0.1:8443 user@x.x.x.x Credentials Spraying ncrack -U users.txt -P pass.txt ssh://x.x.x.x [*] DNS - 53 Perform DNS Zone Transfer check dig axfr x.x.x.x dig axfr vhost.com @x.x.x.x  [*] TCPDUMP tcpdump -i eth0 icmp [*] SMB 1. SMB Protocol enumeration: nmap -p445 --script smb-protocols x.x.x.x 2. Check for SMB Vulnerability nmap --script smb-vuln* x.x.x.x 3. Get a list of shares available on a host smbclient -L x.x.x.x 4. Connect to the share smbclient //x.x.x.x/Share_Name 5. SMBMap for checking access on fileshares smbmap -H x.x.x.x -u Username -p Password or smbmap -u '' -p '' -d 'htb.local' -H x.x.x.x 6. Download all files in shares: smbget -R smb://x.x.x.x/Share -U Username 7. Use crackmapexec for spraying crackmapexec smb 10.10.10.175 -u Users.txt -p Pass.txt --co...
Read more