Red Teaming Experiments
linkedin
github
@kondencuotas
About /?
Pinned
Pentesting Cheatsheets
Active Directory & Kerberos Abuse
From Domain Admin to Enterprise Admin
T1208: Kerberoasting
Kerberos: Golden Tickets
Kerberos: Silver Tickets
AS-REP Roasting
Kerberoasting: Requesting RC4 Encrypted TGS when AES is Enabled
Domain Compromise via Unrestricted Kerberos Delegation
Domain Compromise via DC Print Server and Kerberos Delegation
T1207: DCShadow - Becoming a Rogue Domain Controller
DCSync: Dump Password Hashes from Domain Controller
PowerView: Active Directory Enumeration
Abusing Active Directory ACLs/ACEs
Privileged Accounts and Token Privileges
From DnsAdmins to SYSTEM to Domain Compromise
Pass the Hash with Machine$ Accounts
BloodHound with Kali Linux: 101
Backdooring AdminSDHolder for Persistence
Active Directory Enumeration with AD Module without RSAT or Admin Privileges
Enumerating AD Object Permissions with dsacls
Active Directory Password Spraying
AD Computer Object Take Over and Privileged Code Execution
Enumerating Windows Domains with rpcclient through SocksProxy == Bypassing Command Line Logging
offensive security
Red Team Infrastructure
Initial Access
Code Execution
Code & Process Injection
Defense Evasion
Enumeration and Discovery
Privilege Escalation
Credential Access & Dumping
Lateral Movement
Persistence
Exfiltration
miscellaneous
Process Environment Block
Parsing PE File Headers with C++
Exploring Injected Threads
Dump Virtual Box Memory
Reversing Password Checking Routine
Powered by GitBook

PowerView: Active Directory Enumeration

This lab explores a couple of common cmdlets of PowerView that allows for Active Directory/Domain enumeration.

Get-NetDomain

Get current user's domain:

Get-NetForest

Get information about the forest the current user's domain is in:

Get-NetForestDomain

Get all domains of the forest the current user is in:

Get-NetDomainController

Get info about the DC of the domain the current user belongs to:

Get-NetGroupMember

Get a list of domain members that belong to a given group:

Get-NetLoggedon

Get users that are logged on to a given computer:

Get-NetDomainTrust

Enumerate domain trust relationships of the current user's domain:

Get-NetForestTrust

Enumerate forest trusts from the current domain's perspective:

Get-NetProcess

Get running processes for a given remote machine:

Get-NetProcess -ComputerName dc01 -RemoteUserName offense\administrator -RemotePassword 123456 | ft

Invoke-MapDomainTrust

Enumerate and map all domain trusts:

Invoke-ShareFinder

Enumerate shares on a given PC - could be easily combines with other scripts to enumerate all machines in the domain:

Invoke-UserHunter

Find machines on a domain or users on a given machine that are logged on:

References

Previous
DCSync: Dump Password Hashes from Domain Controller
Next
Abusing Active Directory ACLs/ACEs
Last updated 7 months ago
Contents
Get-NetDomain
Get-NetForest
Get-NetForestDomain
Get-NetDomainController
Get-NetGroupMember
Get-NetLoggedon
Get-NetDomainTrust
Get-NetForestTrust
Get-NetProcess
Invoke-MapDomainTrust
Invoke-ShareFinder
Invoke-UserHunter
References