Domain Enumeration Cheatsheet

In this post, I am going to share a cheatsheet which you can use while doing domain enumeration in an Active Directory environment. Let's begin.

Always Enumerate following things first:
  1. Users
  2. Computers
  3. Domain Administrators
  4. Enterprise Administrators
  5. Shares
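The five items above can be collected in one pass. The script below is an added example, not part of the original post: it chains the PowerView cmdlets used throughout this cheatsheet and writes each result to a CSV or text file so the output can be reviewed later. It assumes PowerView has already been imported in the current session; the output folder name and the selected columns are my own choices.

```powershell
# Added example (not from the original post). Assumes PowerView is already dot-sourced.
# The output folder is an arbitrary choice; any writable path works.
$outDir = Join-Path $env:TEMP 'ad-enum'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# 1. Users: keep the attributes that matter for review rather than every LDAP field
Get-NetUser |
    Select-Object samaccountname, description, pwdlastset, lastlogon |
    Export-Csv (Join-Path $outDir 'users.csv') -NoTypeInformation

# 2. Computers: -FullData returns the whole object, so the OS columns are available
Get-NetComputer -FullData |
    Select-Object dnshostname, operatingsystem, operatingsystemversion |
    Export-Csv (Join-Path $outDir 'computers.csv') -NoTypeInformation

# 3./4. Domain Admins and Enterprise Admins, expanded recursively so nested groups
#       are resolved to their members. Enterprise Admins only exists in the forest
#       root domain; from a child domain add -Domain <forest root> to the call.
foreach ($group in 'Domain Admins', 'Enterprise Admins') {
    $file = Join-Path $outDir (($group -replace ' ', '_') + '.csv')
    Get-NetGroupMember -GroupName $group -Recurse |
        Select-Object GroupName, MemberName, IsGroup, MemberDN |
        Export-Csv $file -NoTypeInformation
}

# 5. Shares on hosts in the domain, exactly as the cheatsheet invokes it
Invoke-ShareFinder | Out-File (Join-Path $outDir 'shares.txt')

Get-ChildItem $outDir
```

Each file maps to one item of the list, so a reviewer can diff them between runs to spot new accounts, new admin group members, or newly exposed shares.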

[*] Import Powerview
 

[*] Get current domain

 
1. Get-NetDomain   
 
 
[*] Get object of another domain

1. Get-NetDomain -Domain test.dc.com

 

[*] Get domain SID for the current domain

1. Get-DomainSID

 

[*] Get domain policy for the current domain


1. Get-DomainPolicy
2. (Get-DomainPolicy)."system access"
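The "System Access" section returned by the second command holds the domain password and lockout settings. The script below is an added example, not part of the original post: it reads that section and flags values a reviewer would question. The thresholds are assumptions chosen for illustration, not values from the cheatsheet, and PowerView is assumed to be imported already.

```powershell
# Added example (not from the original post). Assumes PowerView is imported.
# Get-DomainPolicy parses GptTmpl.inf of the Default Domain Policy; the
# "System Access" section carries the password and lockout settings as strings.
$sysAccess = (Get-DomainPolicy)."system access"

# Each check: setting name, its value cast to int, and a rule that returns $true
# when the value is weak. The thresholds are illustrative assumptions.
$checks = @(
    @{ Name = 'MinimumPasswordLength'; Weak = { param($v) $v -lt 12 } }   # short minimum length
    @{ Name = 'PasswordComplexity';    Weak = { param($v) $v -ne 1 } }    # complexity disabled
    @{ Name = 'LockoutBadCount';       Weak = { param($v) $v -eq 0 } }    # 0 = no account lockout
    @{ Name = 'ClearTextPassword';     Weak = { param($v) $v -eq 1 } }    # reversible encryption on
)

foreach ($c in $checks) {
    $value = [int]$sysAccess.($c.Name)      # missing keys cast to 0
    [pscustomobject]@{
        Setting = $c.Name
        Value   = $value
        Weak    = & $c.Weak $value
    }
}
```

A row with Weak = True is a policy finding worth writing up; the same table is a quick way to confirm a remediation actually took effect after the GPO is changed.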

 

[*] Get Domain Controllers for the current domain

1. Get-NetDomainController

 

[*] Get a list of users in the current domain

1. Get-NetUser


[*] Get list of all properties for users in the current domain


1. Get-UserProperty
2. Get-UserProperty -Properties pwdlastset
3. Get-UserProperty -Properties logoncount
4. Get-UserProperty -Properties badpwdcount

 

[*] Search for a particular string in a user's attributes:

1. Find-UserField -SearchField Description -SearchTerm "built"

 

[*] Get a list of computers in the current domain


1. Get-NetComputer
2. Get-NetComputer -Ping
3. Get-NetComputer -OperatingSystem "*Server 2012*"
4. Get-NetComputer -FullData

 

[*] Get a list of groups in the current domain


1. Get-NetGroup
2. Get-NetGroup -FullData
3. Get-NetGroup 'Domain Admins' -FullData
4. Get-NetGroup *admin*

 

[*] Get all the members of the Domain Admins group

1. Get-NetGroupMember  -GroupName "Domain Admins" -Recurse

 

[*] Get the group membership for a user

1. Get-NetGroup -Username "Thanos"

 

[*] List all the local groups on the machine

1. Get-NetLocalGroup -ComputerName WIN-8542F7P0C5H.dc.com -ListGroups

 

[*] Find shares on hosts in current domain

1. Invoke-ShareFinder -Verbose

 

[*] Find sensitive files on computers in the domain

1. Invoke-FileFinder -Verbose

 

[*] Get all fileservers of the domain

1. Get-NetFileServer

 

[*] Get list of GPO in the current domain

1. Get-NetGPO
2. Get-NetGPO | select displayname
3. Get-NetGPO -ComputerName test.dc.com


[*] Get list of OU in the current domain

1. Get-NetOU
2. Get-NetOU -FullData


[*] Get the GPOs applied to an OU. Read the GPO name (its GUID) from the gplink attribute returned by Get-NetOU -FullData

1. Get-NetGPO -GPOname '{6AC1786C-016F-11D2-945F-00C04fB984F9}'
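Reading the GUID out of gplink by hand gets tedious with many OUs. The script below is an added example, not part of the original post: it parses the gplink attribute of every OU returned by Get-NetOU -FullData and resolves each linked GPO with Get-NetGPO -GPOname, as the single command above does for one GUID. The gplink format and the link option bits are standard Active Directory behaviour; PowerView is assumed to be imported already.

```powershell
# Added example (not from the original post). Assumes PowerView is imported.
# gplink holds one entry per linked GPO, in order of precedence, of the form
#   [LDAP://cn={GUID},cn=policies,cn=system,DC=dc,DC=com;<options>]
# where <options> is a bit field: 1 = link disabled, 2 = link enforced.
$linkPattern = '\[LDAP://cn=(\{[0-9A-Fa-f-]+\}),[^;]*;(\d+)\]'

Get-NetOU -FullData | ForEach-Object {
    $ou = $_
    if (-not $ou.gplink) { return }        # OU with no linked GPOs: skip it
    foreach ($m in [regex]::Matches($ou.gplink, $linkPattern)) {
        $guid  = $m.Groups[1].Value
        $flags = [int]$m.Groups[2].Value
        $gpo   = Get-NetGPO -GPOname $guid   # same lookup as the cheatsheet command
        [pscustomobject]@{
            OU       = $ou.distinguishedname
            GPO      = $gpo.displayname
            GPOGuid  = $guid
            Disabled = [bool]($flags -band 1)
            Enforced = [bool]($flags -band 2)
        }
    }
} | Format-Table -AutoSize
```

The Disabled and Enforced columns come from the option bits after the semicolon; a link can exist in gplink yet apply nothing if its disabled bit is set, which is easy to miss when reading the raw attribute.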


[*] Get a list of all domain trust for the current domain

1. Get-NetDomainTrust
2. Get-NetDomainTrust -Domain child.dc.com
  

[*] Get details about the current forest

1. Get-NetForest
2. Get-NetForest -Forest dc1.com
    

[*] Get all domains in the current forest

1. Get-NetForestDomain
2. Get-NetForestDomain -Forest dc1.com


[*] Map trusts of a forest

1. Get-NetForestTrust
2. Get-NetForestTrust -Forest dc1.com


[*] Find all machines on the current domain where the current user has local admin access

1. Find-LocalAdminAccess -Verbose


[*] Find local admins on all machines of the domain

1. Invoke-EnumerateLocalAdmin -Verbose


[*] Find computers where a domain admin has sessions

1. Invoke-UserHunter
2. Invoke-UserHunter -GroupName "RDPUsers"

 

Do share if you like the post. Happy Hacking! 😊
