In this tutorial, we will learn steps to start our journey on Active Directory enumeration, first step is to enumerate information about the Domain. Then we will extract information about the Users, Computers, Domain Administrators, Enterprise Administrators, and network shares.
Understand how to start enumerating a Domain Controller and escalate your privileges inside the network.
Preparation
Importing PowerView
https://github.com/PowerShellMafia/PowerSploitEnumerate Domain Information
Get current Domain
Get-DomainGet an object from another domain
Get-NetDomain -Domain popdev.localGet domain SID from the current domain
Get-DomainSIDGet-NetDomainControllerDomain Passwords policies
(Get-DomainPolicy)."system access"Kerberos Policies
(Get-DomainPolicy)."Kerberos Policy"Domain Users Enumeration
Get a list of all usernames inside the domain and their properties
Get-NetUserGet-NetUser - Username rfsGet-UserPropertyCheck if there is any password on the description field
Find-UserField -SearchFieldId Description -SearchTerm "pass"Network Information Enumeration
Computer Information
Get-NetComputerGet-NetComputer -FullDataGet-NetComputer -PingGroups Information
What groups exist in the system?
Get-NetGroupGet-NetGroup -Domain dc01.poplabsec.localGet-NetGroup -FullDataGet-NetGroup 'Domain Admins ' -FullDataGet-NetGroup -GroupName'*admin*' Get-NetGroup -GroupName'*admin*' -Domain poplasec.localWho is inside the Group?
Remember can be usernames or other groups
Get-NetGroupMember -GroupName'Domain Admins' Get-NetGroupMember -GroupName'Domain Admins' -RecurseGet-NetLocalGroup -ComputerName dc01.polabsec.local -RecurseGet-NetLoggedon -ComputerName <pc name>Get-NetLoggedon -ComputerName <pc name>Get-NetLoggedonLocal -ComputerName <pc name>Get-LastLoggedonOn -ComputerName <pc name>Find network shares in the current Domain
Invoke-ShareFinder -VerboseInvoke-FileFinder -VerboseGet all file servers inside the current domain
Get-NetFileServer
