PowerHuntShares
PingCastle
```powershell
pingcastle.exe --healthcheck --server <DOMAIN_CONTROLLER_IP> --user <USERNAME> --password <PASSWORD> --advanced-live --nullsession
pingcastle.exe --healthcheck --server domain.local
pingcastle.exe --graph --server domain.local
pingcastle.exe --scanner scanner_name --server domain.local
```
Available scanners: aclcheck, antivirus, computerversion, foreignusers, laps_bitlocker, localadmin, nullsession, nullsession-trust, oxidbindings, remote, share, smb, smb3querynetwork, spooler, startup, zerologon, computers, users
ADcheck
Powershell Script
ActiveDirectory PowerShell Module
```powershell
PS C:\htb> Import-Module ActiveDirectory
PS C:\htb> Get-ADDomain
```
Load the module from a copy of the DLL and manifest (the ADModule-master folder from the ADModule repository) when the RSAT tools are not installed:
```powershell
Import-Module C:\AD\Tools\ADModule-master\Microsoft.ActiveDirectory.Management.dll
Import-Module C:\AD\Tools\ADModule-master\ActiveDirectory\ActiveDirectory.psd1
```
Current domain
```powershell
Get-ADDomain
```
Object of another domain
```powershell
Get-ADDomain -Identity domain.local
```
SID of the current domain
```powershell
(Get-ADDomain).DomainSID
```
DC for the current domain
```powershell
Get-ADDomainController
```
DC for another domain
```powershell
Get-ADDomainController -DomainName domain.local -Discover
```
Users
```powershell
PS C:\htb> Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName
```
```powershell
Get-ADUser -Filter * -Properties *
Get-ADUser -Identity username -Properties *
# List every attribute name available on a user object
Get-ADUser -Filter * -Properties * | select -First 1 | Get-Member -MemberType *Property | select Name
# pwdlastset is a Windows FILETIME; convert it to a readable date
Get-ADUser -Filter * -Properties * | select name, logoncount, @{n='pwdlastset'; e={[datetime]::FromFileTime($_.pwdlastset)}}
```
Search for a particular string in a user's attribute
```powershell
Get-ADUser -Filter 'Description -like "*built*"' -Properties Description | select name, Description
```
Group membership for a user
```powershell
Get-ADPrincipalGroupMembership -Identity username
```
Computers
```powershell
Get-ADComputer -Filter * | select Name
Get-ADComputer -Filter * -Properties *
Get-ADComputer -Filter 'OperatingSystem -like "*Server 2022*"' -Properties OperatingSystem | select Name, OperatingSystem
# Ping every computer object once
Get-ADComputer -Filter * -Properties DNSHostName | % { Test-Connection -Count 1 -ComputerName $_.DNSHostName }
```
OU
```powershell
Get-ADOrganizationalUnit -Filter * -Properties *
```
ACL
```powershell
(Get-Acl 'AD:\CN=Administrator,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local').Access
```
Trusts
```powershell
Get-ADTrust
Get-ADTrust -Identity aaa.bbbb.domain.local
Get-ADForest
Get-ADForest -Identity domain.local
(Get-ADForest).Domains
Get-ADForest | select -ExpandProperty GlobalCatalogs
# Forest trusts only
Get-ADTrust -Filter 'msDS-TrustForestTrustInfo -ne "$null"'
# Trusts that leave the forest, queried against the forest root
Get-ADTrust -Filter 'intraForest -ne $True' -Server (Get-ADForest).Name
```
```powershell
PS C:\htb> Get-ADTrust -Filter *

Direction               : BiDirectional
DisallowTransivity      : False
DistinguishedName       : CN=LOGISTICS.INLANEFREIGHT.LOCAL,CN=System,DC=INLANEFREIGHT,DC=LOCAL
ForestTransitive        : False
IntraForest             : True
IsTreeParent            : False
IsTreeRoot              : False
Name                    : LOGISTICS.INLANEFREIGHT.LOCAL
ObjectClass             : trustedDomain
ObjectGUID              : f48a1169-2e58-42c1-ba32-a6ccb10057ec
SelectiveAuthentication : False
SIDFilteringForestAware : False
SIDFilteringQuarantined : False
Source                  : DC=INLANEFREIGHT,DC=LOCAL
Target                  : LOGISTICS.INLANEFREIGHT.LOCAL
TGTDelegation           : False
TrustAttributes         : 32
TrustedPolicy           :
TrustingPolicy          :
TrustType               : Uplevel
UplevelOnly             : False
UsesAESKeys             : False
UsesRC4Encryption       : False
```
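As an added example (not from the original page and not part of the ActiveDirectory module or PingCastle), the following script turns the Get-ADTrust output above into a review list: it walks every trust the domain holds and flags the attribute combinations a defender would want to look at (SID filtering off on a trust that leaves the forest, inbound access, RC4-only cross-realm Kerberos, selective authentication not enabled, TGT delegation). The function name Get-TrustAuditFinding and the choice of which attributes count as findings are my own; it only reads the attributes shown in the output above.

```powershell
# Added example: audit the trusts of the current (or a given) domain with the
# ActiveDirectory module and flag settings worth reviewing.
Import-Module ActiveDirectory

function Get-TrustAuditFinding {
    [CmdletBinding()]
    param(
        # Domain or DC to query; defaults to the current domain (assumption: RSAT/AD module present).
        [string]$Server = (Get-ADDomain).DNSRoot
    )

    Get-ADTrust -Filter * -Server $Server | ForEach-Object {
        $t = $_
        $findings = @()
        $direction = [string]$t.Direction   # Disabled, Inbound, Outbound or BiDirectional

        # Intra-forest trusts never apply SID filtering, so only judge trusts that leave the forest.
        # With neither quarantine nor the forest-aware flag set, SID history from the
        # trusted side is honoured here.
        if (-not $t.IntraForest -and -not $t.SIDFilteringQuarantined -and -not $t.SIDFilteringForestAware) {
            $findings += 'SID filtering disabled on a trust that leaves the forest'
        }
        # Inbound or bidirectional: principals from the other side can authenticate here.
        if ($direction -in 'Inbound', 'BiDirectional') {
            $findings += "Trust direction is $direction"
        }
        # Cross-realm tickets still protected only by RC4.
        if ($t.UsesRC4Encryption -and -not $t.UsesAESKeys) {
            $findings += 'RC4 in use and AES not enabled for the trust'
        }
        # Without selective authentication every user on the trusted side becomes
        # "Authenticated Users" in this domain.
        if (-not $t.IntraForest -and -not $t.SelectiveAuthentication) {
            $findings += 'Selective authentication not enabled'
        }
        if ($t.TGTDelegation) {
            $findings += 'TGT delegation allowed across the trust'
        }

        [pscustomobject]@{
            Source      = $t.Source
            Target      = $t.Target
            Direction   = $direction
            IntraForest = $t.IntraForest
            Findings    = ($findings -join '; ')
        }
    }
}

# Usage: print one row per trust; an empty Findings column means nothing was flagged.
Get-TrustAuditFinding | Format-Table -AutoSize
```

Run it from a host with the RSAT ActiveDirectory module as an account that can read the domain; every check is read-only. Which findings matter depends on the environment (a bidirectional intra-forest trust like the one in the output above is normal), so treat the list as review input, not as a verdict.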
Groups
```powershell
Get-ADGroup -Filter * | select Name
Get-ADGroup -Filter * -Properties *
```
```powershell
PS C:\htb> Get-ADGroup -Filter * | select name

name
----
Administrators
Users
Guests
Print Operators
Backup Operators
Replicator
Remote Desktop Users
```
Backup Operators
```powershell
PS C:\htb> Get-ADGroup -Identity "Backup Operators"

DistinguishedName : CN=Backup Operators,CN=Builtin,DC=INLANEFREIGHT,DC=LOCAL
GroupCategory     : Security
GroupScope        : DomainLocal
Name              : Backup Operators
ObjectClass       : group
ObjectGUID        : 6276d85d-9c39-4b7c-8449-cad37e8abc38
SamAccountName    : Backup Operators
SID               : S-1-5-32-551
```
```powershell
PS C:\htb> Get-ADGroupMember -Identity "Backup Operators"

distinguishedName : CN=BACKUPAGENT,OU=Service Accounts,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL
name              : BACKUPAGENT
objectClass       : user
objectGUID        : 2ec53e98-3a64-4706-be23-1d824ff61bed
SamAccountName    : backupagent
SID               : S-1-5-21-3842939050-3880317879-2865463114-5220
```
"admin" in name
```powershell
Get-ADGroup -Filter 'Name -like "*admin*"' | select Name
```
Domain Admins
```powershell
Get-ADGroupMember -Identity "Domain Admins" -Recursive
```
PowerView
| Command | Description |
| --- | --- |
| `Export-PowerViewCSV` | Append results to a CSV file |
| `ConvertTo-SID` | Convert a user or group name to its SID value |
| `Get-DomainSPNTicket` | Requests the Kerberos ticket for a specified Service Principal Name (SPN) account |
| `Get-Domain` | Will return the AD object for the current (or specified) domain |
| `Get-DomainController` | Return a list of the Domain Controllers for the specified domain |
| `Get-DomainUser` | Will return all users or specific user objects in AD |
| `Get-DomainComputer` | Will return all computers or specific computer objects in AD |
| `Get-DomainGroup` | Will return all groups or specific group objects in AD |
| `Get-DomainOU` | Search for all or specific OU objects in AD |
| `Find-InterestingDomainAcl` | Finds object ACLs in the domain with modification rights set to non-built-in objects |
| `Get-DomainGroupMember` | Will return the members of a specific domain group |
| `Get-DomainFileServer` | Returns a list of servers likely functioning as file servers |
| `Get-DomainDFSShare` | Returns a list of all distributed file systems for the current (or specified) domain |
| `Get-DomainGPO` | Will return all GPOs or specific GPO objects in AD |
| `Get-DomainPolicy` | Returns the default domain policy or the domain controller policy for the current domain |

Computer Enumeration Functions:

| Command | Description |
| --- | --- |
| `Get-NetLocalGroup` | Enumerates local groups on the local or a remote machine |
| `Get-NetLocalGroupMember` | Enumerates members of a specific local group |
| `Get-NetShare` | Returns open shares on the local (or a remote) machine |
| `Get-NetSession` | Will return session information for the local (or a remote) machine |
| `Test-AdminAccess` | Tests if the current user has administrative access to the local (or a remote) machine |

Threaded 'Meta'-Functions:

| Command | Description |
| --- | --- |
| `Find-DomainUserLocation` | Finds machines where specific users are logged in |
| `Find-DomainShare` | Finds reachable shares on domain machines |
| `Find-InterestingDomainShareFile` | Searches for files matching specific criteria on readable shares in the domain |
| `Find-LocalAdminAccess` | Find machines on the local domain where the current user has local administrator access |
| `Get-DomainTrust` | Returns domain trusts for the current domain or a specified domain |
| `Get-ForestTrust` | Returns all forest trusts for the current forest or a specified forest |
| `Get-DomainForeignUser` | Enumerates users who are in groups outside of the user's domain |
| `Get-DomainForeignGroupMember` | Enumerates groups with users outside of the group's domain and returns each foreign member |
| `Get-DomainTrustMapping` | Will enumerate all trusts for the current domain and any others seen |
Current domain
```powershell
Get-Domain
```
Object of another domain
```powershell
Get-Domain -Domain domain.local
```
SID of the current domain
```powershell
Get-DomainSID
```
Domain policy of the current domain
```powershell
Get-DomainPolicyData
(Get-DomainPolicyData).SystemAccess
```
Domain policy of another domain
```powershell
(Get-DomainPolicyData -Domain domain.local).SystemAccess
```
DC for the current domain
```powershell
Get-DomainController
```
DC for another domain
```powershell
Get-DomainController -Domain domain.local
```
Users
```powershell
Get-DomainUser
Get-DomainUser -Identity username
Get-DomainUser -Identity username -Properties *
Get-DomainUser -Properties samaccountname, logoncount
```
```powershell
PS C:\htb> Get-DomainUser -Identity mmorgan -Domain inlanefreight.local | Select-Object -Property name,samaccountname,description,memberof,whencreated,pwdlastset,lastlogontimestamp,accountexpires,admincount,userprincipalname,serviceprincipalname,useraccountcontrol

name                 : Matthew Morgan
samaccountname       : mmorgan
description          :
memberof             : {CN=VPN Users,OU=Security Groups,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL, CN=Shared Calendar
                       Read,OU=Security Groups,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL, CN=Printer Access,OU=Security
                       Groups,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL, CN=File Share H Drive,OU=Security
                       Groups,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL...}
whencreated          : 10/27/2021 5:37:06 PM
pwdlastset           : 11/18/2021 10:02:57 AM
lastlogontimestamp   : 2/27/2022 6:34:25 PM
accountexpires       : NEVER
admincount           : 1
userprincipalname    : mmorgan@inlanefreight.local
serviceprincipalname :
mail                 :
useraccountcontrol   : NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD, DONT_REQ_PREAUTH
```
Search for a particular string in a user's attribute
```powershell
Get-DomainUser -LDAPFilter "Description=*built*" | Select name, Description
```
Group membership for a user
```powershell
Get-DomainGroup -MemberIdentity "username"
```
Local Admins
```powershell
Get-NetLocalGroupMember -ComputerName hostname -GroupName Administrators
```
Logged users
```powershell
Get-NetLoggedon -ComputerName hostname
Get-LoggedonLocal -ComputerName hostname
Get-LastLoggedon -ComputerName hostname
```
See also: Fake Potato, LeakedWallpaper, and the LoggedOn Users section under Other methods.
Users with SPN - Kerberoast
```powershell
PS C:\htb> Get-DomainUser -SPN -Properties samaccountname,ServicePrincipalName

serviceprincipalname                          samaccountname
--------------------                          --------------
adfsconnect/azure01.inlanefreight.local       adfs
backupjob/veam001.inlanefreight.local         backupagent
d0wngrade/kerberoast.inlanefreight.local      d0wngrade
kadmin/changepw                               krbtgt
MSSQLSvc/DEV-PRE-SQL.inlanefreight.local:1433 sqldev
MSSQLSvc/SPSJDB.inlanefreight.local:1433      sqlprod
MSSQLSvc/SQL-CL01-01inlanefreight.local:49351 sqlqa
sts/inlanefreight.local                       solarwindsmonitor
testspn/kerberoast.inlanefreight.local        testspn
testspn2/kerberoast.inlanefreight.local       testspn2
```
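The SPN listing above is the same data a defender needs to judge how exposed the service accounts are. As an added example (not from the original page, and using the ActiveDirectory module rather than PowerView), the following script lists every account that holds an SPN and marks the hygiene problems visible in the attributes the page already queries: no AES encryption types set, Kerberos pre-authentication disabled, membership in a protected group (adminCount=1), and a password older than a threshold. The function name Get-SpnAccountReview and the 365-day threshold are my own choices.

```powershell
# Added example: review accounts that hold an SPN and report hygiene issues.
Import-Module ActiveDirectory

function Get-SpnAccountReview {
    [CmdletBinding()]
    param(
        # Password age beyond which a service account password is flagged (my own default).
        [int]$MaxPasswordAgeDays = 365
    )

    $props = 'ServicePrincipalName', 'PasswordLastSet', 'DoesNotRequirePreAuth',
             'AdminCount', 'msDS-SupportedEncryptionTypes', 'Enabled'

    # krbtgt always carries kadmin/changepw and is handled by its own rotation process.
    Get-ADUser -Filter { ServicePrincipalName -like '*' } -Properties $props |
        Where-Object { $_.SamAccountName -ne 'krbtgt' } |
        ForEach-Object {
            $u = $_
            $issues = @()

            # msDS-SupportedEncryptionTypes bits: 0x8 = AES128, 0x10 = AES256.
            # Unset or without either AES bit, tickets for this account default to RC4.
            $encTypes = [int]($u.'msDS-SupportedEncryptionTypes')
            if (($encTypes -band 0x18) -eq 0) { $issues += 'No AES encryption type set (RC4 default)' }

            if ($u.DoesNotRequirePreAuth) { $issues += 'Kerberos pre-authentication not required' }
            if ($u.AdminCount -eq 1)      { $issues += 'Protected/privileged account (adminCount=1)' }

            if (-not $u.PasswordLastSet -or $u.PasswordLastSet -lt (Get-Date).AddDays(-$MaxPasswordAgeDays)) {
                $issues += "Password older than $MaxPasswordAgeDays days"
            }

            [pscustomobject]@{
                SamAccountName  = $u.SamAccountName
                Enabled         = $u.Enabled
                PasswordLastSet = $u.PasswordLastSet
                SPNs            = ($u.ServicePrincipalName -join ', ')
                Issues          = ($issues -join '; ')
            }
        } |
        Where-Object { $_.Issues }   # keep only accounts with at least one finding
}

# Usage: one row per account with findings.
Get-SpnAccountReview | Format-Table -AutoSize
```

The usual fixes for what this reports are moving the service to a group managed service account, setting AES-only encryption types on the account, re-enabling pre-authentication, and removing SPN-bearing accounts from protected groups; the script itself only reads directory attributes.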
Computers
```powershell
Get-DomainComputer | select name
Get-DomainComputer -OperatingSystem "*Server 2022*"
Get-DomainComputer -Ping
```
Groups
```powershell
Get-DomainGroup | select Name
Get-DomainGroup -Domain domain.local
```
"admin" in name
```powershell
Get-DomainGroup *admin*
```
Domain Admins members
```powershell
PS C:\htb> Get-DomainGroupMember -Identity "Domain Admins" -Recurse

GroupDomain             : INLANEFREIGHT.LOCAL
GroupName               : Domain Admins
GroupDistinguishedName  : CN=Domain Admins,CN=Users,DC=INLANEFREIGHT,DC=LOCAL
MemberDomain            : INLANEFREIGHT.LOCAL
MemberName              : svc_qualys
MemberDistinguishedName : CN=svc_qualys,OU=Service Accounts,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL
MemberObjectClass       : user
MemberSID               : S-1-5-21-3842939050-3880317879-2865463114-5613

GroupDomain             : INLANEFREIGHT.LOCAL
GroupName               : Domain Admins
GroupDistinguishedName  : CN=Domain Admins,CN=Users,DC=INLANEFREIGHT,DC=LOCAL
MemberDomain            : INLANEFREIGHT.LOCAL
MemberName              : sp-admin
MemberDistinguishedName : CN=Sharepoint Admin,OU=Service Accounts,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL
MemberObjectClass       : user
MemberSID               : S-1-5-21-3842939050-3880317879-2865463114-5228

GroupDomain             : INLANEFREIGHT.LOCAL
GroupName               : Secadmins
GroupDistinguishedName  : CN=Secadmins,OU=Security Groups,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL
MemberDomain            : INLANEFREIGHT.LOCAL
MemberName              : spong1990
MemberDistinguishedName : CN=Maggie Jablonski,OU=Operations,OU=Logistics-HK,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL
MemberObjectClass       : user
MemberSID               : S-1-5-21-3842939050-3880317879-2865463114-1965

<SNIP>
```
Local Groups
```powershell
Get-NetLocalGroup -ComputerName hostname
```
Shares and sensitive files
```powershell
Invoke-ShareFinder -Verbose
Invoke-FileFinder -Verbose
Get-NetFileServer
```
GPO
```powershell
Get-DomainGPO
Get-DomainGPO -ComputerIdentity hostname
```
Users which are in a local group of a machine
```powershell
Get-DomainGPOComputerLocalGroupMapping -ComputerIdentity hostname
```
Machines where the given user is member of a specific group
```powershell
Get-DomainGPOUserLocalGroupMapping -Identity username -Verbose
```
OU misconfiguration
GPO applied on an OU: read the GPO name from the gplink attribute returned by Get-DomainOU, then look the GPO up by that name
```powershell
Get-DomainGPO -Identity "{gpo-name}"
```
Users which are in a local group of a machine in any OU using GPO
```powershell
(Get-DomainOU).distinguishedname | %{Get-DomainComputer -SearchBase $_} | Get-DomainGPOComputerLocalGroupMapping
(Get-DomainOU -Identity 'OU=Mgmt,DC=domain,DC=local').distinguishedname | %{Get-DomainComputer -SearchBase $_} | Get-DomainGPOComputerLocalGroupMapping
Get-DomainGPOComputerLocalGroupMapping -OUIdentity 'OU=Mgmt,DC=domain,DC=local'
```
ACL
```powershell
Get-DomainObjectAcl -Identity username -ResolveGUIDs
Get-DomainObjectAcl -SearchBase "LDAP://CN=Domain Admins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local" -ResolveGUIDs -Verbose
Find-InterestingDomainAcl -ResolveGUIDs
Get-PathAcl -Path "\\dcorp-dc.dollarcorp.moneycorp.local\sysvol"
```
Trusts
```powershell
Get-DomainTrust
Get-DomainTrust -Domain aaa.bbbb.domain.local
Get-Forest
Get-Forest -Forest domain.local
Get-ForestDomain
Get-ForestDomain -Forest domain.local
Get-ForestGlobalCatalog
Get-ForestGlobalCatalog -Forest domain.local
Get-ForestTrust
Get-ForestTrust -Forest domain.local
```
```powershell
PS C:\htb> Get-DomainTrustMapping

SourceName      : INLANEFREIGHT.LOCAL
TargetName      : LOGISTICS.INLANEFREIGHT.LOCAL
TrustType       : WINDOWS_ACTIVE_DIRECTORY
TrustAttributes : WITHIN_FOREST
TrustDirection  : Bidirectional
WhenCreated     : 11/1/2021 6:20:22 PM
WhenChanged     : 2/26/2022 11:55:55 PM

SourceName      : INLANEFREIGHT.LOCAL
TargetName      : FREIGHTLOGISTICS.LOCAL
TrustType       : WINDOWS_ACTIVE_DIRECTORY
TrustAttributes : FOREST_TRANSITIVE
TrustDirection  : Bidirectional
WhenCreated     : 11/1/2021 8:07:09 PM
WhenChanged     : 2/27/2022 12:02:39 AM

SourceName      : LOGISTICS.INLANEFREIGHT.LOCAL
TargetName      : INLANEFREIGHT.LOCAL
TrustType       : WINDOWS_ACTIVE_DIRECTORY
TrustAttributes : WITHIN_FOREST
TrustDirection  : Bidirectional
WhenCreated     : 11/1/2021 6:20:22 PM
WhenChanged     : 2/26/2022 11:55:55 PM
```
Local Admin Access
```powershell
PS C:\htb> Test-AdminAccess -ComputerName ACADEMY-EA-MS01

ComputerName    IsAdmin
------------    -------
ACADEMY-EA-MS01 True
```
Machines in the current domain where the current user has local admin access
```powershell
Find-LocalAdminAccess -Verbose
```
Domain Admin Sessions
```powershell
Find-DomainUserLocation -Verbose # Domain Admins by default
Find-DomainUserLocation -UserGroupIdentity "RDPUsers"
# Domain admin session is available and current user has admin access
Find-DomainUserLocation -CheckAccess
# Domain admin session is available
Find-DomainUserLocation -Stealth
# Or with Invoke-SessionHunter - See LoggedOn Users part
# Invoke-SessionHunter -NoPortScan -RawResults | select Hostname,UserSession,Access
```
SharpView
User
```powershell
PS C:\htb> .\SharpView.exe Get-DomainUser -Identity forend

[Get-DomainSearcher] search base: LDAP://ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL/DC=INLANEFREIGHT,DC=LOCAL
[Get-DomainUser] filter string: (&(samAccountType=805306368)(|(samAccountName=forend)))
objectsid                     : {S-1-5-21-3842939050-3880317879-2865463114-5614}
samaccounttype                : USER_OBJECT
objectguid                    : 53264142-082a-4cb8-8714-8158b4974f3b
useraccountcontrol            : NORMAL_ACCOUNT
accountexpires                : 12/31/1600 4:00:00 PM
lastlogon                     : 4/18/2022 1:01:21 PM
lastlogontimestamp            : 4/9/2022 1:33:21 PM
pwdlastset                    : 2/28/2022 12:03:45 PM
lastlogoff                    : 12/31/1600 4:00:00 PM
badPasswordTime               : 4/5/2022 7:09:07 AM
name                          : forend
distinguishedname             : CN=forend,OU=IT Admins,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL
whencreated                   : 2/28/2022 8:03:45 PM
whenchanged                   : 4/9/2022 8:33:21 PM
samaccountname                : forend
memberof                      : {CN=VPN Users,OU=Security Groups,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL, CN=Shared Calendar Read,OU=Security Groups,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL, CN=Printer Access,OU=Security Groups,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL, CN=File Share H Drive,OU=Security Groups,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL, CN=File Share G Drive,OU=Security Groups,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL}
cn                            : {forend}
objectclass                   : {top, person, organizationalPerson, user}
badpwdcount                   : 0
countrycode                   : 0
usnchanged                    : 3259288
logoncount                    : 26618
primarygroupid                : 513
objectcategory                : CN=Person,CN=Schema,CN=Configuration,DC=INLANEFREIGHT,DC=LOCAL
dscorepropagationdata         : {3/24/2022 3:58:07 PM, 3/24/2022 3:57:44 PM, 3/24/2022 3:52:58 PM, 3/24/2022 3:49:31 PM, 7/14/1601 10:36:49 PM}
usncreated                    : 3054181
instancetype                  : 4
codepage                      : 0
```
Cable
.NET post-exploitation toolkit for Active Directory reconnaissance and exploitation
ADAPE
```powershell
powershell.exe -ExecutionPolicy Bypass ./ADAPE.ps1
```
SharpADWS
LoggedOn Users
Check for Fake Potato or LeakedWallpaper
Windows
```powershell
Invoke-SessionHunter -FailSafe
# Check if DA users have session
Invoke-SessionHunter -NoPortScan -RawResults | select Hostname,UserSession,Access
# Opsec friendly
Invoke-SessionHunter -NoPortScan -Targets C:\path\to\servers.txt
```
Or with PowerView
Linux
NXC or:
Source: https://x.com/Geiseric4/status/1719764121111908510?t=sf2jp5riEIGPwaWIQKbHgg&s=09