Enumeration

Just a cheatsheet

Living off the land

PowerShell

# Get history
Get-Content $env:APPDATA\Microsoft\Windows\Powershell\PSReadline\ConsoleHost_history.txt
# Check Windows Defender status
Get-MpComputerStatus

WMI

# Domain and domain controller info
wmic ntdomain list /format:list
# Local and domain user accounts known to this device
wmic useraccount list /format:list

Net

| Command | Description |
|---|---|
| net accounts /domain | Password and lockout policy |
| net group "<GROUP_NAME>" /domain | Info about a domain group |
| net group "domain computers" /domain | List computers in the domain |
| net group "Domain Controllers" /domain | List domain controllers in the domain |
| net groups /domain | List all groups in the domain |
| net share | Check current shares |
| net user <ACCOUNT_NAME> /domain | Get info about a single domain user |
| net user /domain | List all users in the domain |
| net view /all /domain[:domainname] | Shares in the domain |
| net view \\computer /ALL | List shares on a machine |
| net view /domain | List computers in the domain |

Windows Tools

ActiveDirectory PowerShell Module

# Check loaded modules
Get-Module
# Load module
Import-Module ActiveDirectory
# Get domain info
Get-ADDomain
# Get all users in a container (OU)
Get-ADUser -Filter * -SearchBase "OU=Finance,OU=UserAccounts,DC=FABRIKAM,DC=COM"
# Filter by name
Get-ADUser -Filter 'Name -like "*SvcAccount"' | Format-Table Name,SamAccountName -A
# Get all properties of a user
Get-ADUser -Identity ChewDavid -Properties *
# Get AD trusts
Get-ADTrust -Filter *
# Get AD groups
Get-ADGroup -Filter * | select name
# Group details
Get-ADGroup -Identity "Backup Operators"
# Group members
Get-ADGroupMember -Identity "Backup Operators"
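A worked example added here (not from the original cheatsheet or from the AD module documentation) that chains these cmdlets into a privileged-group audit: it expands nested membership of a few high-value groups and flags accounts that are disabled, stale, have non-expiring passwords or carry an SPN. It assumes the ActiveDirectory module is installed, the caller can read the domain, and the group names are the defaults; the group list is a starting point, not a complete one.

```powershell
# Added example: audit privileged AD group membership with the
# ActiveDirectory module. Assumes the module is installed and the
# caller has read access to the domain.
Import-Module ActiveDirectory

# Groups to review (assumed default names; extend for your domain).
$PrivilegedGroups = @(
    'Domain Admins',
    'Enterprise Admins',
    'Administrators',
    'Backup Operators',
    'Account Operators'
)

function Get-PrivilegedGroupReport {
    param([string[]]$Groups = $PrivilegedGroups)

    foreach ($g in $Groups) {
        $group = Get-ADGroup -Identity $g -ErrorAction SilentlyContinue
        if (-not $group) { Write-Warning "Group not found: $g"; continue }

        # -Recursive expands nested groups down to the leaf objects,
        # which is where most "hidden" privileged members come from.
        Get-ADGroupMember -Identity $group -Recursive |
            Where-Object { $_.objectClass -eq 'user' } |
            ForEach-Object {
                $u = Get-ADUser -Identity $_.distinguishedName `
                    -Properties Enabled, PasswordNeverExpires, PasswordLastSet,
                                LastLogonDate, ServicePrincipalName
                [pscustomobject]@{
                    Group                = $group.Name
                    SamAccountName       = $u.SamAccountName
                    Enabled              = $u.Enabled
                    PasswordNeverExpires = $u.PasswordNeverExpires
                    PasswordLastSet      = $u.PasswordLastSet
                    LastLogonDate        = $u.LastLogonDate
                    # A privileged account with an SPN is exposed to
                    # offline password cracking via its service ticket.
                    HasSPN               = ($u.ServicePrincipalName.Count -gt 0)
                }
            }
    }
}

# Surface the riskiest rows first: SPN-bearing or never-expiring
# privileged accounts are common audit findings.
Get-PrivilegedGroupReport |
    Sort-Object HasSPN, PasswordNeverExpires -Descending |
    Format-Table -AutoSize
```

Pipe the report to Export-Csv to keep a baseline and diff it on later runs; a new row in a privileged group is worth an alert.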

PowerView

Too lazy, so I copied this verbatim from HTB

| Command | Description |
|---|---|
| Export-PowerViewCSV | Append results to a CSV file |
| ConvertTo-SID | Convert a user or group name to its SID value |
| Get-DomainSPNTicket | Requests the Kerberos ticket for a specified Service Principal Name (SPN) account |
| Domain/LDAP Functions: | |
| Get-Domain | Will return the AD object for the current (or specified) domain |
| Get-DomainController | Return a list of the Domain Controllers for the specified domain |
| Get-DomainUser | Will return all users or specific user objects in AD |
| Get-DomainComputer | Will return all computers or specific computer objects in AD |
| Get-DomainGroup | Will return all groups or specific group objects in AD |
| Get-DomainOU | Search for all or specific OU objects in AD |
| Find-InterestingDomainAcl | Finds object ACLs in the domain with modification rights set to non-built-in objects |
| Get-DomainGroupMember | Will return the members of a specific domain group |
| Get-DomainFileServer | Returns a list of servers likely functioning as file servers |
| Get-DomainDFSShare | Returns a list of all distributed file systems for the current (or specified) domain |
| GPO Functions: | |
| Get-DomainGPO | Will return all GPOs or specific GPO objects in AD |
| Get-DomainPolicy | Returns the default domain policy or the domain controller policy for the current domain |
| Computer Enumeration Functions: | |
| Get-NetLocalGroup | Enumerates local groups on the local or a remote machine |
| Get-NetLocalGroupMember | Enumerates members of a specific local group |
| Get-NetShare | Returns open shares on the local (or a remote) machine |
| Get-NetSession | Will return session information for the local (or a remote) machine |
| Test-AdminAccess | Tests if the current user has administrative access to the local (or a remote) machine |
| Threaded 'Meta'-Functions: | |
| Find-DomainUserLocation | Finds machines where specific users are logged in |
| Find-DomainShare | Finds reachable shares on domain machines |
| Find-InterestingDomainShareFile | Searches for files matching specific criteria on readable shares in the domain |
| Find-LocalAdminAccess | Finds machines on the local domain where the current user has local administrator access |
| Domain Trust Functions: | |
| Get-DomainTrust | Returns domain trusts for the current domain or a specified domain |
| Get-ForestTrust | Returns all forest trusts for the current forest or a specified forest |
| Get-DomainForeignUser | Enumerates users who are in groups outside of the user's domain |
| Get-DomainForeignGroupMember | Enumerates groups with users outside of the group's domain and returns each foreign member |
| Get-DomainTrustMapping | Will enumerate all trusts for the current domain and any others seen |

SharpView

Same as PowerView, but implemented in .NET

SharpHound

.\SharpHound.exe -c All --zipfilename <filename>

ADRecon

Linux Tools

bloodhound-python

sudo bloodhound-python -u 'forend' -p 'Klmcargo2' -ns 172.16.5.5 -d inlanefreight.local -c all
