Domain-Recon
To carry out a successful attack in an Active Directory environment, one first needs to enumerate the domain. We will use the PowerView.ps1 module to enumerate the domain.
Reconnaissance
First, import the PowerView.ps1 module (either of the following works):
import-module Powerview.ps1
. .\Powerview.ps1
- Get-Domain Returns the current (or specified) domain object. Useful information includes the domain name, the forest name and the domain controllers.
Get-Domain
- Get-DomainController Returns the domain controllers for the current or specified domain.
Get-DomainController | select Forest, Name, OSVersion | fl
- Get-ForestDomain Returns all domains for the current forest or the forest specified by -Forest.
Get-ForestDomain
- Get-DomainPolicyData Useful for finding information such as the domain password policy.
Get-DomainPolicyData | select -ExpandProperty SystemAccess
- Get-DomainUser Return all (or specific) user(s).
Get-DomainUser -Identity john -Properties DisplayName, MemberOf | fl
- Get-DomainComputer Return all computers or specific computer objects.
Get-DomainComputer -Properties DnsHostName | sort -Property DnsHostName
- Get-DomainOU Search for all organization units (OUs) or specific OU objects.
Get-DomainOU -Properties Name | sort -Property Name
- Get-DomainGroup Return all groups or specific group objects.
Get-DomainGroup | where Name -like "*Admins*" | select SamAccountName
- Get-DomainGroupMember Return the members of a specific domain group.
Get-DomainGroupMember -Identity "Domain Admins" | select MemberDistinguishedName
- Get-DomainGPO Return all Group Policy Objects (GPOs) or specific GPO objects.
Get-DomainGPO -Properties DisplayName | sort -Property DisplayName
(To enumerate all GPOs applied to a particular machine, use -ComputerIdentity.)
Get-DomainGPO -ComputerIdentity wkstn-1 -Properties DisplayName | sort -Property DisplayName
- Get-DomainGPOLocalGroup Returns all GPOs that modify local group membership.
Get-DomainGPOLocalGroup | select GPODisplayName, GroupName
- Get-DomainGPOUserLocalGroupMapping Enumerates the machines where a specific domain user/group is a member of a specific local group.
Get-DomainGPOUserLocalGroupMapping -LocalGroup Administrators | select ObjectName, GPODisplayName, ContainerName, ComputerName
- Find-DomainUserLocation Finds domain machines where specific users are logged in (by default, members of Domain Admins).
Find-DomainUserLocation | select UserName, SessionFromName
- Get-NetSession Returns session information for the local (or a remote) machine (where CName is the source IP).
Get-NetSession -ComputerName dc01 | select CName, UserName
- Get-DomainTrust Return all domain trusts for the current or specified domain.
Get-DomainTrust
- Find-DomainShare Finds SMB shares in a domain; -CheckShareAccess displays only those that the executing principal has access to.
Find-DomainShare -ComputerDomain hackershell.io -CheckShareAccess
(To find accessible shares across the whole domain rather than a single one, omit -ComputerDomain.)
Find-DomainShare -CheckShareAccess
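The Get-DomainPolicyData output above is most useful when it is checked against a baseline rather than read by eye. The following is an added example, not part of the original cheat sheet or of PowerView: it assumes SystemAccess is a hashtable of string values (the shape PowerView's INI parser returns), and the baseline thresholds and the sample policy are constructed.

```powershell
# Added example: audit the SystemAccess block that
#   Get-DomainPolicyData | select -ExpandProperty SystemAccess
# returns, and report settings weaker than an assumed baseline.
function Test-DomainPasswordPolicy {
    param(
        # Hashtable in the shape PowerView returns for SystemAccess (string values).
        [Parameter(Mandatory)] [hashtable] $SystemAccess
    )
    # Assumed baseline: key -> @(comparison, threshold, finding text).
    # 'lt' flags values below the threshold; 'eq' flags values equal to it.
    $baseline = @{
        MinimumPasswordLength = @('lt', 14, 'Minimum password length below 14')
        PasswordComplexity    = @('eq',  0, 'Password complexity disabled')
        PasswordHistorySize   = @('lt', 24, 'Password history shorter than 24')
        LockoutBadCount       = @('eq',  0, 'Account lockout disabled (LockoutBadCount = 0)')
        ClearTextPassword     = @('eq',  1, 'Reversible encryption (ClearTextPassword) enabled')
    }
    foreach ($key in $baseline.Keys) {
        if (-not $SystemAccess.ContainsKey($key)) {
            [pscustomobject]@{ Setting = $key; Value = $null; Finding = 'Setting missing from policy' }
            continue
        }
        $value = [int]$SystemAccess[$key]
        $op, $threshold, $text = $baseline[$key]
        $weak = if ($op -eq 'lt') { $value -lt $threshold } else { $value -eq $threshold }
        if ($weak) {
            [pscustomobject]@{ Setting = $key; Value = $value; Finding = $text }
        }
    }
}

# Constructed sample mirroring the SystemAccess hashtable; on a live host use
#   $policy = Get-DomainPolicyData | select -ExpandProperty SystemAccess
$samplePolicy = @{
    MinimumPasswordAge    = '1'
    MaximumPasswordAge    = '42'
    MinimumPasswordLength = '7'
    PasswordComplexity    = '1'
    PasswordHistorySize   = '24'
    LockoutBadCount       = '0'
    ClearTextPassword     = '0'
}
Test-DomainPasswordPolicy -SystemAccess $samplePolicy | Format-Table -AutoSize
```

With the sample policy this reports two findings: a minimum password length of 7 and lockout disabled.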