Active Directory methodology
Enumerating Active Directory
This section assumes you already have a valid session as a domain account (no local admin rights are required for any of the enumeration below).
ActiveDirectory module enumeration
Import-Module ActiveDirectory
. .\ActiveDirectory
#Enumerates basic information about the Domain
Get-ADDomain | Select-Object NetBIOSName, DNSRoot, InfrastructureMaster
#Lists the domain within a Forest
Get-ADForest | Select-Object Domains
#Shows the Trust and the way they flow within the AD domain
Get-ADTrust -Filter * | Select-Object Direction,Source,Target
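The three ActiveDirectory module commands above only list trusts; what a reviewer actually wants to know is which of them widen the set of principals that can authenticate into this domain. The following script is an added example (not part of the original cheat sheet) that builds on Get-ADTrust and flags the trust settings a defender would review: inbound or bidirectional trusts from outside the forest, external trusts with SID filtering (quarantine) switched off, and forest trusts without selective authentication. It assumes the ActiveDirectory module is available and that the session can read the trust objects; the finding texts are the author's own wording.

```powershell
# Added example: review the trusts that Get-ADTrust returns from a defender's
# perspective. Assumes the ActiveDirectory module and a domain session.
Import-Module ActiveDirectory

function Get-TrustReviewReport {
    # Emits one object per trust with a list of findings worth reviewing.
    Get-ADTrust -Filter * | ForEach-Object {
        $trust = $_
        $findings = @()

        # Inbound or bidirectional trusts let principals from the other domain
        # authenticate here; inside one forest that is expected, outside it is a
        # design decision that should be documented.
        if (-not $trust.IntraForest -and $trust.Direction -ne 'Outbound') {
            $findings += "Accepts authentication from outside the forest ($($trust.Direction))"
        }

        # External (non-forest) trusts rely on SID filtering ("quarantine") to
        # ignore SID history presented by the trusted side.
        if (-not $trust.IntraForest -and -not $trust.ForestTransitive -and -not $trust.SIDFilteringQuarantined) {
            $findings += 'External trust without SID filtering (quarantine disabled)'
        }

        # Forest trusts default to domain-wide authentication: every user in the
        # other forest can authenticate unless selective authentication is on.
        if ($trust.ForestTransitive -and -not $trust.SelectiveAuthentication) {
            $findings += 'Forest trust without selective authentication'
        }

        [pscustomobject]@{
            Source       = $trust.Source
            Target       = $trust.Target
            Direction    = $trust.Direction
            IntraForest  = $trust.IntraForest
            ForestTrust  = $trust.ForestTransitive
            FindingCount = $findings.Count
            Findings     = ($findings -join '; ')
        }
    }
}

# Usage: show only the trusts that need a second look, most findings first.
Get-TrustReviewReport |
    Where-Object { $_.FindingCount -gt 0 } |
    Sort-Object FindingCount -Descending |
    Format-Table Source, Target, Direction, Findings -AutoSize
```

The checks are deliberately conservative: a flagged trust is not necessarily misconfigured, but each finding corresponds to a setting whose default has been relaxed and should be traceable to a documented reason.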
PowerView enumeration
#Start a powershell shell and launch PowerView in memory
powershell -ep bypass
. .\PowerView.ps1
#Enumerates basic Domain info (less cluttered version of Get-ADDomain)
Get-NetDomain
#Enumerates Domain Controllers
Get-NetDomainController
#Enumerates associated Domains and the root Domain
Get-NetForest
#Enumerates trust (similar to Get-ADTrust but without the need for filtering)
Get-NetDomainTrust
#Enumerates Domain Users
Get-NetUser | select cn
#Enumerates Domain Groups
Get-NetGroup
#Enumerates domain computers
Get-NetComputer -FullData      # PowerView 2.0 (without -FullData only the hostnames are returned)
Get-DomainComputer             # PowerView 3.0 (returns full objects by default, -FullData no longer exists)
More PowerView commands can be found at https://gist.github.com/HarmJ0y/184f9822b195c52dd50c379ed3117993 or https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-powerview
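Because PowerView is dot-sourced into memory rather than installed, the most reliable trace it leaves on a host is PowerShell script block logging (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log), which records the text of every script block that runs, including the contents of PowerView.ps1 itself and the individual commands listed above. The following hunting script is an added example (not part of the original cheat sheet) that searches those events for the enumeration function names from this page. It assumes script block logging is enabled on the host being queried and that the reader has permission to read its operational log; the function list and the output fields are the author's own choices.

```powershell
# Added example: look for PowerView-style enumeration in script block logs.
# Assumes script block logging (Event ID 4104) is enabled on the target host.

# Function names taken from the enumeration commands on this page.
$EnumerationFunctions = @(
    'Get-NetDomain', 'Get-NetDomainController', 'Get-NetForest', 'Get-NetDomainTrust',
    'Get-NetUser', 'Get-NetGroup', 'Get-NetComputer', 'Get-DomainComputer'
)
# Word boundaries keep Get-NetDomain from also matching Get-NetDomainController twice.
$Pattern = '\b(' + (($EnumerationFunctions | ForEach-Object { [regex]::Escape($_) }) -join '|') + ')\b'

function Find-PowerViewActivity {
    param(
        [string]   $ComputerName = $env:COMPUTERNAME,
        [datetime] $Since        = (Get-Date).AddDays(-1)
    )

    $filter = @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = $Since
    }

    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # For 4104 the event properties are: MessageNumber, MessageTotal,
            # ScriptBlockText, ScriptBlockId, Path.
            $scriptText = [string]$_.Properties[2].Value
            $hits = [regex]::Matches($scriptText, $Pattern, 'IgnoreCase') |
                ForEach-Object { $_.Value } | Sort-Object -Unique

            if ($hits) {
                [pscustomobject]@{
                    TimeCreated   = $_.TimeCreated
                    Computer      = $_.MachineName
                    UserSid       = $_.UserId
                    ScriptBlockId = $_.Properties[3].Value
                    ScriptPath    = $_.Properties[4].Value   # empty when run from memory
                    Matched       = ($hits -join ', ')
                    HitCount      = $hits.Count
                }
            }
        }
}

# Usage: a single block matching many of the functions at once is typically the
# PowerView.ps1 file being dot-sourced; isolated hits are the individual commands.
Find-PowerViewActivity -Since (Get-Date).AddDays(-7) |
    Sort-Object HitCount -Descending |
    Format-Table TimeCreated, UserSid, HitCount, ScriptPath, Matched -AutoSize
```

An empty ScriptPath together with a high HitCount is the signature of an in-memory load; the ScriptBlockId lets you pull the full text of that block from the same log to confirm what was actually loaded.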