Domain Enumeration

PowerView is an enumeration script included in PowerSploit toolkit

Get-NetDomain ## Gather information for the current users domain.
Get-NetDomain -Domain myhackingblog.local  ##Gather information on myhackingblog.local
Get-DomainSID  ## Get the current domain's SID.
Get-NetDomainController -Domain myhackingblog.local
Get-NetUser -Domain myhackingblog.local ## Get AD information for all users
Get-NetUser -UserName thecorrectjames  ## Get information for a specific user.
Get-NetGroup *admin*
Get-NetComputer -FullData
Find-LocalAdminAccess -Verbose  ##Find all computers the current user has local adminaccess
Get-NetSession -ComputerName myhackingblog-dc ##List sessions on a computer
Invoke-UserHunter -CheckAccess
Get-NetDomainTrust
Get-DomainTrust -API ## Enumerate domain trusts with the DsEnumerateDomainTrusts API
Get-DomainTrust ## Enumerate domain trusts with LDAP
Get-NetForest
Get-NetForestDomain

ActiveDirectory Modules are written and provided by Microsoft, less likely to trigger alerts as they have a legitimate business use. They are now part of RSAT and for Windows 10 it can be downloaded here.

Get-ADDomain
Get-ADDomain -Identity myhackingblog.local
(Get-ADDomain).DOMAINSID.Value
Get-ADDomainController -Discover -DomainName myhackingblog.local
Get-ADUser -Filter * -Properties * ## Get AD information for all users
Get-ADUser -Server dc.myhackingblog.local get user information from specific domain controller.
Get-ADUser -Identity thecorrectjames ## Get information for a specific user.
Get-ADGroup -Filter * | select Name  ##Get all the group names
Get-ADGroup -Filter 'Name -like "*admin*"' | select Name
Get-ADcComputer -Filter * -Properties *
Invoke-EnumerateLocalAdmin -Verbose
Get-ADTrust -Filter *
Get-ADForest
(Get-ADForest).Domains

LOLBins

nltest /trusted_domains

Powershell / .NET

([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).GetAllTrustRelationships()

PreviousBloodHound NextLateral Movement

Last updated 3 years ago