.NET Classes

Domain Enumeration

Current domain name:

PS C:> [System.Net.Dns]::GetHostByName(($env:computerName))
PS C:> [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

Domain Forest Trusts

PS C:> ([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).GetAllTrustRelationships()
PS C:> ([System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest())
PS C:> ([ADSISearcher]"(objectClass=trustedDomain)").FindAll()
PS C:> ([ADSISearcher]"(objectClass=trustedDomain)").FindAll() | %{$a=$_.Properties["trustattributes"]; $d=$_.Properties["trustdirection"]; $t=$_.Properties["trusttype"] ; write-Host $_.Properties["distinguishedname"] $a $d $t}

Get Password Policy

PS C:> Get-ADDefaultDomainPasswordPolicy -Current LoggedOnUser

Get a Domain Computer

PS C:> ([ADSISearcher]"(&(objectClass=computer)(name=SV-*))").FindAll()

The above one-liner we searched for a computer name starting with “SV-”, that can possibly be a server appellation. Similarly, it is possible to enumerate a specific computer with the exact name.

PS C:> ([ADSISearcher]"(&(objectClass=computer)(name=<COMPUTERNAME>))").FindAll()

Get All Domain Computers

Enumerate Single User

Enumerate All Domain Controllers

Enumerate All Users

Enumerate All Users With Specific Properties

Filter by property, this code will just display “samaccountname” as a result for all users.

Enumerate all users with a SPN

A service instance’s service principal name (SPN) is a unique identifier. Kerberos authentication uses SPNs to link a service instance to a service login account. This enables a client application to ask the service to authenticate an account even if it doesn’t know the account name. If we want to display all users with SPN then we can use below code:

Enumerate a Domain Group

Enumerate All Domain Groups

Enumerate domain group members

References:

AD Enumeration Without External Scripts - PayatuPayatu