search
githubEdit

AD Manual Enumeration

hashtag
Users / Groups / Computers

  • Look for users with high-privs across the domain e.g. Domain Admins or Derivative Local Admins

  • Look for custom groups.

# get a list of all users in the domain
cmd> net user /domain
PS > Get-NetUser | select cn # Using PowerView.ps1

# get details about a specific user 
cmd> net user [username] /domain # more than 10 group memberships, cmd will fail
PS > Get-ADUser -Identity <username> -Server asd.domain.com -Properties * # Powershell

# get list of all groups in the domain
cmd> net group /domain
PS > Get-ADUser -Filter 'Name -like "*lorenzo"' -Server asd.domain.com | Format-Table Name,SamAccountName -A
PS > Get-NetGroup -GroupName * # Using PowerView.ps1

# enumerate AD groups
PS > Get-ADGroup -Identity Administrators -Server asd.domain.com

# get details such as membership to a group
cmd> net group [groupname] /domain
PS > Get-ADGroupMember -Identity Administrators -Server domain.com # Powershell

# get the password policy of the domain
cmd> net accounts /domain

# get all AD objects that were changed after a specific date
PS > $ChangeDate = New-Object DateTime(2022, 02, 28, 12, 00, 00)
PS > Get-ADObject -Filter 'whenChanged -gt $ChangeDate' -includeDeletedObjects -Server asd.domain.com

# enumerate accounts that have a badPwdCount that is greater than 0
# useful to avoid these accounts in our bruteforce attacks
PS > Get-ADObject -Filter 'badPwdCount -gt 0' -Server domain.com

# get additional information about the specific domain
PS> Get-ADDomain -Server asd.domain.com

# get all computers in domain
cmd> net view
cmd> net view /domain

# get resources/shares of specified computer
cmd> net view \\[computer_name] /domain

# get a list of all operating systems on the domain 
PS > Get-NetComputer -fulldata | select operatingsystem # Using PowerView.ps1

Domain Controller hostname (PdcRoleOwner)**

This PowerShell script will collect all users along with their attributes:

In the filter property, we can set any attribute of the object type we desire. For example, we can use the name property to create a filter for the Jeff_Admin user as shown below:

hashtag
Nested Groups

Locate all groups in the domain and print their names:

List the members of a group by setting an appropriate filter on the name property. In addition, we will only display the member attribute to obtain the group members.

hashtag
Logged-in users and active user sessions

hashtag
Service Principal Names (AD Service Accounts)

  • A SPN is a unique name for a service on a host, used to associate with an Active Directory service account.

  • Enum SPNs to obtain the IP address and port number of apps running on servers integrated with Active Directory.

  • Query the Domain Controller in search of SPNs.

  • SPN Examples

    • CIFS/MYCOMPUTER$ - file share access.

    • LDAP/MYCOMPUTER$ - querying AD info via. LDAP.

    • HTTP/MYCOMPUTER$ - Web services such as IIS.

    • MSSQLSvc/MYCOMPUTER$ - MSSQL.

For example, let's update our PowerShell enumeration script to filter the serviceprincipalname property for the string *http*, indicating the presence of a registered web server:

  • Perform nslookup of the service hostname -> see if there is an entrypoint here.

  • Automated SPN enum scripts:

PreviousActive DirectoryNextAD Automatic Enumeration

Last updated