This tutorial walks through the first steps of Active Directory enumeration with PowerView. We start by collecting information about the domain itself, then move on to users, computers, Domain Admins, Enterprise Admins and network shares.
The goal is to show how to begin enumerating a domain from a domain-joined machine and how that information feeds later privilege escalation inside the network.
Preparation
Importing PowerView
PowerView is part of PowerSploit: github.com/PowerShellMafia/PowerSploit
The commands below use the older Get-Net* names from PowerView 2.x. PowerView 3.0 (the dev branch) renamed most functions to Get-Domain* (Get-NetUser became Get-DomainUser, Invoke-ShareFinder became Find-DomainShare, and so on) but keeps most of the old names as aliases, so the commands still work.
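The following is an added example, not from the original page or from the PowerSploit project's own documentation. It shows one way to load PowerView.ps1 into the current session and confirm that the functions used in this tutorial resolve before you start. It assumes PowerView.ps1 has been copied to the current directory.

```powershell
# Added example (not from the original page). Assumes PowerView.ps1 is in the
# current directory and that you run as a domain user on a domain-joined host.

# Allow scripts for this process only; needs no admin rights and leaves the
# machine-wide execution policy untouched.
Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process -Force

# Dot-source the script so its functions land in the current scope.
# Import-Module .\PowerView.ps1 also works but loads them as a script module.
. .\PowerView.ps1

# Fail early if any function used later in this tutorial is missing.
$required = 'Get-NetDomain','Get-DomainSID','Get-DomainPolicy','Get-NetUser',
            'Find-UserField','Get-NetComputer','Get-NetGroup','Get-NetGroupMember',
            'Get-NetLocalGroup','Get-NetLoggedon','Invoke-ShareFinder',
            'Invoke-FileFinder','Get-NetFileServer'
$missing = $required | Where-Object { -not (Get-Command $_ -ErrorAction SilentlyContinue) }
if ($missing) { throw "PowerView functions not loaded: $($missing -join ', ')" }

# Sanity check: which account are we, and which domain does PowerView see?
[System.Security.Principal.WindowsIdentity]::GetCurrent().Name
Get-NetDomain
```

Expect Defender and AMSI to flag the unmodified PowerView.ps1 on a hardened host; loading it is itself a detection event, which is worth knowing whether you are attacking or defending the network.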
Enumerate Domain Information
Get the current domain (Get-Domain is the PowerView 3.0 name, Get-NetDomain the 2.x name; both work)
Get-Domain
Get the domain object of another (trusted) domain
Get-NetDomain -Domain popdev.local
Get domain SID from the current domain
Get-DomainSID
Get the domain controllers of the current domain
Get-NetDomainController
Domain password policy
(Get-DomainPolicy)."system access"
Kerberos policy
(Get-DomainPolicy)."Kerberos Policy"
In PowerView 3.0 the section names lose their spaces: (Get-DomainPolicy)."SystemAccess" and (Get-DomainPolicy)."KerberosPolicy".
Domain Users Enumeration
Get a list of all usernames inside the domain and their properties
Get-NetUser
Get a single user by sAMAccountName
Get-NetUser -UserName rfs
List the property names available on user objects
Get-UserProperty
Check whether any user stores a password in the description field
Find-UserField -SearchField Description -SearchTerm "pass"
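As an added example (not part of the original page), here is a short PowerShell triage of the Get-NetUser output. It goes a little beyond the description check above: besides looking for credential-like text in description, it pulls out accounts with a servicePrincipalName and accounts whose userAccountControl flags disable password expiry or Kerberos pre-authentication, which are the same user attributes a tester reviews next. Property names are PowerView's lower-cased LDAP attribute names; the regex and the output file name are my own choices.

```powershell
# Added example (not from the original page). Assumes PowerView is loaded and
# the current user can read the domain (any authenticated domain user can).
$users = Get-NetUser

# 1. Descriptions that look like they carry a credential. Same idea as
#    Find-UserField, but a regex instead of a single search term.
$users |
    Where-Object { $_.description -match 'pass|pwd|cred|login' } |
    Select-Object samaccountname, description

# 2. Accounts with a servicePrincipalName: their TGS tickets can be requested
#    by any domain user and cracked offline (Kerberoasting). Old pwdlastset
#    values are the interesting ones.
$users |
    Where-Object { $_.serviceprincipalname } |
    Select-Object samaccountname, serviceprincipalname, pwdlastset

# 3. userAccountControl bit flags (values from MS-SAMR / ADS_USER_FLAG).
$DONT_EXPIRE_PASSWORD = 0x10000     # password never expires
$DONT_REQ_PREAUTH     = 0x400000    # AS-REP roastable
$users |
    Where-Object { ($_.useraccountcontrol -band ($DONT_EXPIRE_PASSWORD -bor $DONT_REQ_PREAUTH)) -ne 0 } |
    Select-Object samaccountname,
        @{ n = 'PwdNeverExpires'; e = { [bool]($_.useraccountcontrol -band $DONT_EXPIRE_PASSWORD) } },
        @{ n = 'NoPreauth';       e = { [bool]($_.useraccountcontrol -band $DONT_REQ_PREAUTH) } }

# 4. Keep a copy for offline review (file name is arbitrary).
$users |
    Select-Object samaccountname, description, pwdlastset, lastlogon, useraccountcontrol |
    Export-Csv -NoTypeInformation -Path .\domain_users.csv
```

Everything here is a plain LDAP read, so it generates no more noise than the Get-NetUser call itself; the follow-up attacks (requesting service tickets, AS-REP requests) are where detection starts.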
Network Information Enumeration
Computer Information
List the computer names in the domain
Get-NetComputer
Return the full LDAP object for each computer (operating system, service pack, last logon, ...)
Get-NetComputer -FullData
Return only hosts that answer a ping
Get-NetComputer -Ping
Groups Information
What groups exist in the domain?
Get-NetGroup
Get-NetGroup -Domain poplabsec.local
Query a specific domain controller
Get-NetGroup -DomainController dc01.poplabsec.local
Get-NetGroup -FullData
Get-NetGroup -GroupName 'Domain Admins' -FullData
Search for groups whose name contains admin (the wildcard is passed into the LDAP filter)
Get-NetGroup -GroupName '*admin*'
Get-NetGroup -GroupName '*admin*' -Domain poplabsec.local
Who is inside the group?
Remember that members can be users or other groups, so recurse to expand nested membership
Get-NetGroupMember -GroupName 'Domain Admins'
Get-NetGroupMember -GroupName 'Domain Admins' -Recurse
Members of a local group on a host (local Administrators by default)
Get-NetLocalGroup -ComputerName dc01.poplabsec.local -Recurse
Who is logged on to a host right now, and who logged on last
Get-NetLoggedon -ComputerName dc01.poplabsec.local
Get-NetLoggedonLocal -ComputerName dc01.poplabsec.local
Get-LastLoggedOn -ComputerName dc01.poplabsec.local
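The following added example (not from the original page) ties the computer, group and logon commands above together: it resolves the recursive membership of Domain Admins and Enterprise Admins, then asks every reachable computer who is logged on and flags any host where one of those admins has a session. It assumes PowerView 2.x naming, the poplabsec.local lab domain used on this page, and that Get-NetForest is available to find the forest root (Enterprise Admins only exists there).

```powershell
# Added example (not from the original page). Assumes PowerView 2.x is loaded
# and that we are enumerating the poplabsec.local lab domain of this tutorial.

# 1. Privileged accounts. -Recurse expands nested groups down to users.
#    Enterprise Admins lives in the forest root domain, so query that explicitly.
$forestRoot = (Get-NetForest).RootDomain.Name
$admins = @(
    Get-NetGroupMember -GroupName 'Domain Admins' -Recurse
    Get-NetGroupMember -GroupName 'Enterprise Admins' -Domain $forestRoot -Recurse
) | Where-Object { -not $_.IsGroup } | Select-Object -ExpandProperty MemberName -Unique
"[*] $($admins.Count) privileged accounts: $($admins -join ', ')"

# 2. Only hosts that answer a ping, so we do not hang on dead machines.
$hosts = Get-NetComputer -Ping

# 3. Ask each host for its logged-on users (NetWkstaUserEnum). On current Windows
#    this usually needs local admin on the target, so access-denied is normal noise.
$hits = foreach ($h in $hosts) {
    Get-NetLoggedon -ComputerName $h -ErrorAction SilentlyContinue | ForEach-Object {
        # 2.x exposes the raw WKSTA_USER_INFO_1 field names; 3.0 renames them
        # to UserName / LogonDomain. Accept either.
        $user = if ($_.UserName)    { $_.UserName }    else { $_.wkui1_username }
        $dom  = if ($_.LogonDomain) { $_.LogonDomain } else { $_.wkui1_logon_domain }
        if ($user -and ($admins -contains $user)) {
            [pscustomobject]@{ ComputerName = $h; User = "$dom\$user" }
        }
    }
}
$hits | Sort-Object ComputerName | Format-Table -AutoSize
```

A host that shows up here is where an admin's credentials are in memory, which is the usual next pivot. PowerView's own Invoke-UserHunter automates this same loop at scale; the manual version above makes it clear what it is actually doing on the wire, which matters when you are thinking about how noisy it is.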
Find network shares in the current domain
Invoke-ShareFinder -Verbose
Search the discovered shares for files whose names suggest credentials or sensitive data
Invoke-FileFinder -Verbose
Get all file servers inside the current domain
Get-NetFileServer
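As an added example (not from the original page), the share commands above chained into one workflow: list the non-default shares the current user can read, save that list, then search only those shares for files whose names suggest credentials or configuration, noting where we can also write. Parameter names are those of PowerView 2.x; the search terms and output file names are my own choices.

```powershell
# Added example (not from the original page). Assumes PowerView 2.x is loaded.

# 1. Shares, excluding the default ADMIN$/C$/IPC$ and printer shares, kept only
#    if the current user can actually read them. Each line is "\\host\share <tab>- comment".
Invoke-ShareFinder -ExcludeStandard -ExcludePrint -ExcludeIPC -CheckShareAccess -Verbose |
    Tee-Object -FilePath .\readable_shares.txt

# 2. Search only those shares. -Terms replaces the default list (pass, sensitive,
#    admin, login, secret, ...); each term is wildcarded. -CheckWriteAccess tells
#    us which hits we could also modify, e.g. to plant a payload in a logon script.
Invoke-FileFinder -ShareList .\readable_shares.txt `
    -Terms 'pass','cred','config','backup','.kdbx','id_rsa' `
    -CheckWriteAccess -OutFile .\interesting_files.csv -Verbose

# 3. File servers referenced by user home directories, profile paths and logon
#    scripts; these are often missed by a plain share scan.
Get-NetFileServer | Sort-Object -Unique
```

Share and file enumeration touches every host in the domain over SMB, so unlike the LDAP queries earlier it is visible on endpoints and in network telemetry; doing it from a share list rather than re-scanning keeps that footprint down.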