Domain-Recon

Active Directory Domain Enumeration

View on GitHub

Domain-Recon

To carry a successfull attack in Active Directory Environment, one should need to enumerate the Domain. We will use Powerview.ps1 module to enumerate the Domain.

Reconnaissance

First Import the Powerview.ps1 module.

import-module Powerview.ps1

. .\Powerview.ps1
  1. Get-Domain Useful information includes the domain name, the forest name and the domain controllers. 
    Get-Domain
  2. Get-DomainController Returns the domain controllers for the current or specified domain. 
    Get-DomainController | select Forest, Name, OSVersion | fl
  3. Get-ForestDomain Returns all domains for the current forest or the forest specified by -Forest 
    Get-ForestDomain
  4. Get-DomainPolicyData Useful for finding information such as the domain password policy. 
    Get-DomainPolicyData | select -ExpandProperty SystemAccess
  5. Get-DomainUser Return all (or specific) user(s). 
    Get-DomainUser -Identity john -Properties DisplayName, MemberOf | fl
  6. Get-DomainComputer Return all computers or specific computer objects. 
    Get-DomainComputer -Properties DnsHostName | sort -Property DnsHostName
  7. Get-DomainOU Search for all organization units (OUs) or specific OU objects. 
    Get-DomainOU -Properties Name | sort -Property Name
  8. Get-DomainGroup Return all groups or specific group objects. 
    Get-DomainGroup | where Name -like "*Admins*" | select SamAccountName
  9. Get-DomainGroupMember Return the members of a specific domain group. 
    Get-DomainGroupMember -Identity "Domain Admins" | select MemberDistinguishedName
  10. Get-DomainGPO Return all Group Policy Objects (GPOs) or specific GPO objects. 
    Get-DomainGPO -Properties DisplayName | sort -Property DisplayName

    (To enumerate all GPOs that are applied to a particular machine, use -ComputerIdentity.)

    Get-DomainGPO -ComputerIdentity wkstn-1 -Properties DisplayName | sort -Property DisplayName
  11. Get-DomainGPOLocalGroup Returns all GPOs that modify local group membership. 
    Get-DomainGPOLocalGroup | select GPODisplayName, GroupName
  12. Get-DomainGPOUserLocalGroupMapping Enumerates the machines where a specific domain user/group is a member of a specific local group. 
    Get-DomainGPOUserLocalGroupMapping -LocalGroup Administrators | select ObjectName, GPODisplayName, ContainerName, ComputerName
  13. Find-DomainUserLocation finds domain machines where those users are logged in (default domain admin) 
    Find-DomainUserLocation | select UserName, SessionFromName
  14. Get-NetSession Returns session information for the local (or a remote) machine (where CName is the source IP). 
    Get-NetSession -ComputerName dc01 | select CName, UserName
  15. Get-DomainTrust Return all domain trusts for the current or specified domain. 
    Get-DomainTrust
  16. Find-DomainShare will find SMB shares in a domain and -CheckShareAccess will only display those that the executing principal has access to. 
    Find-DomainShare -ComputerDomain hackershell.io -CheckShareAccess

(To Get The Writable Share In a Domain)

Find-DomainShare -CheckShareAccess