🖌️
AD-RED-TEAM
  • Active Directory Red Team
  • PowerShell Basics
    • Tips And Tricks
  • I. Active Directory Enumeration
    • User Hunting Domain Enumeration
    • Forest and Domains
    • User Enumeration
    • Groups Enumeration
    • Computers/Server Enumeration
    • Shares Enumeration
    • GP And OU Enumeration
    • ACL Domain Enumeration
    • Trust Domain Enumeration
  • II. Local Privilege Escalation
    • Lateral Movement
    • PowerUp Exploits
  • III. Domain Privilege Escalation
    • Forest Persistence – DCShadow
    • Trust Abuse - MSSQL Servers
    • Priv Esc – Across Forest using krbtgt Ticket
    • Priv Esc - Across Trusts using Trust Tickets
    • Priv Esc – DNSAdmins
    • Priv Esc - Constrained Delegation
    • Priv Esc – Unconstrained Delegation
    • Priv Esc - Targeted Kerberoasting - Set SPN
    • Targeted Kerberoasting - AS-REPs
    • Priv Esc - Kerberoast
  • IV. Domain Persistence and Dominance
    • Persistence ACLs - Security Descriptors
    • Persistence ACLs- Rights Abuse
    • Persistence ACL - AdminSDHolder
    • Persistence – Custom SSP
    • Persistence - DSRM
    • Persistence - Skeleton Key
    • Persistence - Silver Ticket
    • Persistence - Golden Ticket
  • V. Cross Trust Attacks
  • VI. Forest Persistence and Dominance
  • VII. Defenses – Monitoring
  • VIII. Defenses and bypass – Architecture and Work Culture Changes
  • IX. Defenses and Bypass – Deception
  • X. Defenses and Bypass – PowerShell
  • New Server
    • Move Lat-AppLocker
    • Move Lat-Invoke-Command
Powered by GitBook
On this page
  • Domain Enumeration Manual
  • Domain Enumeration Tools
  • PowerView
  • The ActiveDirectoryPowerShell module

Was this helpful?

  1. I. Active Directory Enumeration

Forest and Domains

Forest, SSID, Domains

Domain Enumeration Manual

#The enumeration can be done by using Native executables and .NET classes

Whoami /priv

$ADClass=[System.DirectoryServices.ActiveDirectory.Domain]

$ADClass::GetCurrentDomain()

Domain Enumeration Tools

PowerView

https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1


#Import
..\PowerView.ps1


#Get Domain Info
Get-NetDomain


#Specify Domain Name
Get-NetDomain -Domain moneycorp.local


#Get Domain SID
Get-DomainSID


#Get domain policy for the current domain
Get-DomainPolicy
(Get-DomainPolicy)."system access"
(Get-DomainPolicy)."Kerberos Policy"
(Get-DomainPolicy)."Version"
(Get-DomainPolicy)."Registry Values"


#Get domain policy for another domain
(Get-DomainPolicy–domainmoneycorp.local)."system access" 
(Get-DomainPolicy–domainmoneycorp.local)."Kerberos Policy" 


#Get domain controllers for the current domain
Get-NetDomainController


#Get domain controllers for another domain
Get-NetDomainController –Domain moneycorp.local

The ActiveDirectoryPowerShell module

#To use ActiveDirectorymodule without installing RSAT, we can use Import-Module 
for the valid ActiveDirectorymodule DLL
https://docs.microsoft.com/en-us/powershell/module/addsadministration/?view=win10-ps

#import Module: We need to import both the .dll and psd1
Import-Module .\Microsoft.ActiveDirectory.Management.dll
Import-Module .\ActiveDirectory\ActiveDirectory.psd1


#Get Domain info after importing .dll and .psd1
GetADDomain


#Get object of another Domain
Get-ADDomain-Identity moneycorp.local

#Get domain SID for the current domain
(Get-ADDomain).DomainSID


#Get domain controllers for the current domain
Get-ADDomainController


#Get domain controllers for another domain
Get-ADDomainController -DomainName moneycorp.local -Discover

samratashok

#To use ActiveDirectorymodule without installing RSAT, we can use Import-Module 
for the valid ActiveDirectorymodule DLL

https://github.com/samratashok/ADModule
PreviousUser Hunting Domain EnumerationNextUser Enumeration

Last updated 4 years ago

Was this helpful?