Bebzounette
  • Bebzounettes
  • Active Directory
    • Recon
      • TCP/UDP
      • DNS
      • NetBIOS
      • RPC
      • LDAP
      • HTTP
      • Responder
      • ADRecon
      • BloodHound
      • Network Shares
      • Password Policy
      • Enumeration
        • Domain
        • Powerview
        • .NET Classes
    • Lateral movement
      • Code execution
        • PSExec
        • SMBExec
        • WMIexec / WMI
        • ATExec / SchTaskExec
        • 🚧DCOMExec / DCOM
        • Powershell Remoting - WinRM
        • Crackmapexec
        • Service Control (SC)
      • Credentials
        • Finding
          • Guessing
          • Bruteforce
          • Spraying
        • Dumping
          • SAM Base
          • LSA Secrets
          • LSASS Process
          • DPAPI secrets
          • NTDS.DIT
          • Group Policy Preferences
          • User description
        • Impersonnification
        • Cracking
      • Coercition
        • MS-RPRN (PrinterBug)
        • MS-EFSR (PetitPotam)
        • MS-DFSNM (DFSCoerce)
        • MS-FSRVP (ShadowCoerce)
        • WebClient (WebDAV)
      • Relay
      • Kerberos
        • Kerberoasting
        • AS-REP Roasting
        • 🚧Pass the Hash/Ticket
        • 🚧MSSQL Trusted Links
        • Forged Tickets
        • 🚧Delegations
          • Unconstrained Delegation
          • Constrained Delegation
          • (RBCD) Resource-Based Constrained
      • GPOs
      • DACL
      • Certificates Service (AD-CS)
      • Privileged Groups
        • DNS Admin
        • Backup Operator
      • Built-in Misconfigurations
        • PASSWD_NOTREQD
        • DONT_EXPIRE_PASSWORD
        • MachineAccountQuota
        • LAPS
      • CVEs
        • EternalBlue | MS17-010
        • Zerologon (CVE-2020-1472)
        • SamTheAdmin (CVE-2021-42278)
        • Certifried: (CVE-2022–26923)
    • 🚧Persistance & Exfiltration
      • Golden Ticket
      • Silver Ticket
      • Skeleton Key
      • DSRM
      • Custom SSP
      • AdminSDHolder
    • 🚧Cross Trust Attack
      • Across Domain
      • Across Forest
    • References
  • Systems
    • 🚧Windows
      • Informations d'identifications
      • Configuration des services
    • 🚧Linux
    • 🚧Mobile & IOT
  • Web
    • CheckList & Méthodologie
    • 🚧Pentest API
    • 🚧Wordpress
    • 🚧Jenkins
    • 🚧IIS Server
  • Applicatives vulnerabilities
    • Buffer-Overflow
  • Thick Client
    • Thick Client Methodology
  • Wireless Security
    • WIFI
    • 🚧ZIGBEE
    • 🚧ZWAVE
    • GNU-RADIO
  • Network
    • Modèle OSI & Adressage IPV4
    • 🚧DOS & DDOS
    • VOIP
  • Physical Access
    • 🚧Lock Picking
    • Matériels
    • Accès physique à un ordinateur
  • Forensic
    • Outils de Forensic
  • Information gathering
    • Scans
  • Services
    • Echo - 7
    • FTP - 21
    • SSH - 22
    • Telnet - 23
    • SMTP - 25/465/587
    • Whois - 43
    • Finger - 79
    • POP3 - 110
    • NTP - 123
    • MSRPC - 135/593
    • IMAP - 143
    • SMB - 445
    • RDP -3389
    • References
  • Github Repos
    • Repos Github
      • Windows
      • Pivoting
      • SQL Server
      • Web
      • Active Directory
  • Blog
    • Guide to NTLMv1 attacks
    • Local Privilege Escalation through ShadowCredentials
    • Resource Based Constrained Delegation in Active Directory
  • Contact
Powered by GitBook
On this page
  • Domain Enumeration
  • Domain Forest Trusts
  • Get Password Policy
  • Get a Domain Computer
  • Get All Domain Computers
  • Enumerate Single User
  • Enumerate All Domain Controllers
  • Enumerate All Users
  • Enumerate All Users With Specific Properties
  • Enumerate all users with a SPN
  • Enumerate a Domain Group
  • Enumerate All Domain Groups
  • Enumerate domain group members
  • References:

Was this helpful?

  1. Active Directory
  2. Recon
  3. Enumeration

.NET Classes

Domain Enumeration

Current domain name:

PS C:> [System.Net.Dns]::GetHostByName(($env:computerName))
PS C:> [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

Domain Forest Trusts

PS C:> ([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).GetAllTrustRelationships()
PS C:> ([System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest())
PS C:> ([ADSISearcher]"(objectClass=trustedDomain)").FindAll()
PS C:> ([ADSISearcher]"(objectClass=trustedDomain)").FindAll() | %{$a=$_.Properties["trustattributes"]; $d=$_.Properties["trustdirection"]; $t=$_.Properties["trusttype"] ; write-Host $_.Properties["distinguishedname"] $a $d $t}

Get Password Policy

PS C:> Get-ADDefaultDomainPasswordPolicy -Current LoggedOnUser

Get a Domain Computer

PS C:> ([ADSISearcher]"(&(objectClass=computer)(name=SV-*))").FindAll()

The above one-liner we searched for a computer name starting with “SV-”, that can possibly be a server appellation. Similarly, it is possible to enumerate a specific computer with the exact name.

PS C:> ([ADSISearcher]"(&(objectClass=computer)(name=<COMPUTERNAME>))").FindAll()

Get All Domain Computers

PS C:> ([ADSISearcher]"ObjectClass=computer").FindAll()

Enumerate Single User

PS C:> ([ADSISearcher]"(&(objectClass=user)(samAccountType=805306368)(samaccountname=<USERNAME>))").FindAll().Properties

Enumerate All Domain Controllers

PS C:> ([ADSISearcher]"(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))").FindAll()

Enumerate All Users

PS C:> ([ADSISearcher]"(&(objectClass=user (samAccountType=805306368))").FindAll()|ft

Enumerate All Users With Specific Properties

Filter by property, this code will just display “samaccountname” as a result for all users.

PS C:> ([ADSISearcher]"(&(objectClass=user)(samAccountType=805306368))").FindAll() | %{ $_.Properties["samaccountname"] }

Enumerate all users with a SPN

A service instance’s service principal name (SPN) is a unique identifier. Kerberos authentication uses SPNs to link a service instance to a service login account. This enables a client application to ask the service to authenticate an account even if it doesn’t know the account name. If we want to display all users with SPN then we can use below code:

PS C:> ([ADSISearcher]"(&(objectClass=user)(servicePrincipalName=*)(samAccountType=805306368))").FindAll()

Enumerate a Domain Group

PS C:> ([ADSISearcher]"(&(ObjectClass=group)(samaccountname=Domain Admins))").FindOne()

Enumerate All Domain Groups

PS C:> ([ADSISearcher]"ObjectClass=group").FindAll()

Enumerate domain group members

PS C:> ([ADSISearcher]"(distinguishedname=CN=AB ACCESS,CN=Users,DC=corp,DC=manmeetdc,DC=local)").FindOne().Properties.member

References:

PreviousPowerviewNextLateral movement

Last updated 1 year ago

Was this helpful?

AD Enumeration Without External Scripts - PayatuPayatu
Logo