.NET Classes

Domain Enumeration

Current domain name:

PS C:> [System.Net.Dns]::GetHostByName(($env:computerName))
PS C:> [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

Domain Forest Trusts

PS C:> ([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).GetAllTrustRelationships()
PS C:> ([System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest())
PS C:> ([ADSISearcher]"(objectClass=trustedDomain)").FindAll()
PS C:> ([ADSISearcher]"(objectClass=trustedDomain)").FindAll() | %{$a=$_.Properties["trustattributes"]; $d=$_.Properties["trustdirection"]; $t=$_.Properties["trusttype"] ; write-Host $_.Properties["distinguishedname"] $a $d $t}

Get Password Policy

PS C:> Get-ADDefaultDomainPasswordPolicy -Current LoggedOnUser

Get a Domain Computer

PS C:> ([ADSISearcher]"(&(objectClass=computer)(name=SV-*))").FindAll()

The above one-liner we searched for a computer name starting with “SV-”, that can possibly be a server appellation. Similarly, it is possible to enumerate a specific computer with the exact name.

PS C:> ([ADSISearcher]"(&(objectClass=computer)(name=<COMPUTERNAME>))").FindAll()

Get All Domain Computers

PS C:> ([ADSISearcher]"ObjectClass=computer").FindAll()

Enumerate Single User

PS C:> ([ADSISearcher]"(&(objectClass=user)(samAccountType=805306368)(samaccountname=<USERNAME>))").FindAll().Properties

Enumerate All Domain Controllers

PS C:> ([ADSISearcher]"(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))").FindAll()

Enumerate All Users

PS C:> ([ADSISearcher]"(&(objectClass=user (samAccountType=805306368))").FindAll()|ft

Enumerate All Users With Specific Properties

Filter by property, this code will just display “samaccountname” as a result for all users.

PS C:> ([ADSISearcher]"(&(objectClass=user)(samAccountType=805306368))").FindAll() | %{ $_.Properties["samaccountname"] }

Enumerate all users with a SPN

A service instance’s service principal name (SPN) is a unique identifier. Kerberos authentication uses SPNs to link a service instance to a service login account. This enables a client application to ask the service to authenticate an account even if it doesn’t know the account name. If we want to display all users with SPN then we can use below code:

PS C:> ([ADSISearcher]"(&(objectClass=user)(servicePrincipalName=*)(samAccountType=805306368))").FindAll()

Enumerate a Domain Group

PS C:> ([ADSISearcher]"(&(ObjectClass=group)(samaccountname=Domain Admins))").FindOne()

Enumerate All Domain Groups

PS C:> ([ADSISearcher]"ObjectClass=group").FindAll()

Enumerate domain group members

PS C:> ([ADSISearcher]"(distinguishedname=CN=AB ACCESS,CN=Users,DC=corp,DC=manmeetdc,DC=local)").FindOne().Properties.member

References:

PreviousPowerview NextLateral movement

Last updated 1 year ago

Was this helpful?

PS C:> ([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).GetAllTrustRelationships() PS C:> ([System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()) PS C:> ([ADSISearcher]"(objectClass=trustedDomain)").FindAll() PS C:> ([ADSISearcher]"(objectClass=trustedDomain)").FindAll() | %{$a=$_.Properties["trustattributes"]; $d=$_.Properties["trustdirection"]; $t=$_.Properties["trusttype"] ; write-Host $_.Properties["distinguishedname"] $a $d $t}